VMRay Analyzer Report
VTI Information
VTI Score
91 / 100
VTI Database Version2.2
VTI Rule Match Count13
VTI Rule TypeDefault (PE, ...)
Detected Threats
ArrowAnti Analysis
Arrow
Illegitimate API usage
Internal API "CreateProcessInternalA" was used to start "explorer.exe".
Arrow
Try to detect virtual machine
Readout system information, commonly used to detect VMs via registry. (Value "0" in key "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum").
ArrowHide Tracks
Arrow
Delete file after execution
Delete executable "c:\users\wi2yhmti onvscy7pe\desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe".
ArrowInjection
Arrow
Write into memory of an other process
"c:\users\wi2yhmti onvscy7pe\desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe" modifies memory of "c:\windows\syswow64\explorer.exe"
ArrowNetwork
Arrow
Connect to remote host
Outgoing TCP connection to host "www.msn.com:80".
Outgoing TCP connection to host "104.84.181.107:80".
Arrow
Download data
Url "http://www.msn.com/".
Url "http://go.microsoft.com/fwlink/?LinkId=133405".
ArrowPersistence
Arrow
Install system startup script or application
Add "C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\wtrrifwf\dafgfvjv.exe" to windows startup via registry.
ArrowProcess
Arrow
Allocate a page with write and execute permissions
Allocate a page with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
Arrow
Create process with hidden window
The process "explorer.exe" starts with hidden window.
Arrow
Read from memory of an other process
"c:\users\wi2yhmti onvscy7pe\desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe" reads from "explorer.exe".
Arrow
Create system object
Create mutex with name "FCAA85F5B5437C4D7919D716988890AF30565E9E".
-Browser
-Device
-File System
-Information Stealing
-Kernel
-Masquerade
-OS
-PE
-VBA Macro
-YARA
Function Logfile
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with deactivated setting "security.fileuri.strict_origin_policy".


Screenshot
Expand-Icon
Exit-Icon
icon_left
icon_left
image