VMRay Analyzer Report
Severity Score
Total Score
Artifacts Database Version1.09
Artifacts Severity Rule TypePE32 (gui)
Detected Behavior
ArrowAnti Analysis
Arrow
Illegitimate API usage
Internal API "CreateProcessInternalW" used to start ""
ArrowDevice
Arrow
Write master boot record (MBR)
ArrowFile System
Arrow
Create many files
Create more than 50 files
ArrowInjection
Arrow
Write into memory of an other process
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe modifies memory of \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wininit.exe modifies memory of \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\services.exe modifies memory of \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\svchost.exe
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\lsass.exe modifies memory of \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\svchost.exe
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe modifies memory of \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\svchost.exe
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe modifies memory of \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.exe
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winlogon.exe modifies memory of \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.exe
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe modifies memory of \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wallpaperhost.exe
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.exe modifies memory of \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\wallpaperhost.exe
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\winpeshl.exe modifies memory of \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe
\device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\windows\system32\csrss.exe modifies memory of \device\ramdisk{d9b257fc-684e-4dcb-ab79-03cfa2f6b750}\sources\recovery\recenv.exe
ArrowKernel
Arrow
Execute code with kernel privileges
See kernel behavior tab for detailed information
ArrowProcess
Arrow
Create system object
Creates nameless mutex
Creates mutex with name "Global\{A3BD3259-3E4F-428a-84C8-F0463A9D3EB5}"
Creates mutex with name "WinPEProfilingMutex"
-Hide Tracks
-Information Stealing
-Masquerade
-Misc
-Network
-OS
-Persistence
-Static
-VBA Macro
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with deactivated setting "security.fileuri.strict_origin_policy". 
































Screenshot



Expand-Icon


Exit-Icon






icon_left




icon_left








image