Analysis Report

VTI Information

VTI Score 91 / 100
VTI Database Version	2.2
VTI Rule Match Count	13
VTI Rule Type	Default (PE, ...)

Detected Threats

	Anti Analysis	Illegitimate API usage
	Internal API "CreateProcessInternalA" was used to start "explorer.exe".
	Injection	Write into memory of an other process
	"c:\users\wi2yhmti onvscy7pe\desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe" modifies memory of "c:\windows\syswow64\explorer.exe"
	Anti Analysis	Try to detect virtual machine
	Readout system information, commonly used to detect VMs via registry. (Value "0" in key "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum").
	Process	Allocate a page with write and execute permissions
	Allocate a page with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
	Process	Create process with hidden window
	The process "explorer.exe" starts with hidden window.
	Process	Read from memory of an other process
	"c:\users\wi2yhmti onvscy7pe\desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe" reads from "explorer.exe".
	Process	Create system object
	Create mutex with name "FCAA85F5B5437C4D7919D716988890AF30565E9E".
	Hide Tracks	Delete file after execution
	Delete executable "c:\users\wi2yhmti onvscy7pe\desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe".
	Persistence	Install system startup script or application
	Add "C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\wtrrifwf\dafgfvjv.exe" to windows startup via registry.
	Network	Connect to remote host
	Outgoing TCP connection to host "www.msn.com:80".
	Outgoing TCP connection to host "104.84.181.107:80".
	Network	Download data
	Url "http://www.msn.com/".
	Url "http://go.microsoft.com/fwlink/?LinkId=133405".

Function Logfile

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with deactivated setting "security.fileuri.strict_origin_policy".