Analysis Report

VTI Information

VTI Score 75 / 100
VTI Database Version	2.2
VTI Rule Match Count	23
VTI Rule Type	Default (PE, ...)

Detected Threats

	Anti Analysis
	Try to detect virtual machine
	Possibly trying to detect VM via rdtsc.
	OS
	Modify system configuration
	Disable the display of hidden files and folders.
	Modify system security configuration
	Disable UAC notification.
	PE
	Drop PE file
	Drop file "c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww.exe".
	Drop file "c:\programdata\vmymsigm\yoummieo.exe".
	Drop file "c:\programdata\baieaacu\xuaecwog.exe".
	Execute dropped PE file
	Execute dropped file "c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww.exe".
	Execute dropped file "c:\programdata\vmymsigm\yoummieo.exe".
	Execute dropped file "c:\programdata\baieaacu\xuaecwog.exe".
	Persistence
	Install system startup script or application
	Add "C:\Users\WI2yhmtI onvScY7Pe\ayooEMEE\XuMIAsww.exe" to windows startup via registry.
	Add "C:\ProgramData\VmYMsIgM\YOUMMIEo.exe" to windows startup via registry.
	Add "C:\Windows\system32\userinit.exe,C:\ProgramData\VmYMsIgM\YOUMMIEo.exe," to windows startup via registry.
	Add "C:\ProgramData\VmYMsIgM\YOUMMIEo.exe," to windows startup via registry.
	Install system service
	Install service "cEMAEwpb" by CreateServiceW.
	Process
	Allocate a page with write and execute permissions
	Allocate a page with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
	Create system object
	Create mutex with name "AsEwIwsA".
	Create mutex with name "TYAckMgs".
	Create process with hidden window
	The process "C:\Users\WI2yhmtI onvScY7Pe\ayooEMEE\XuMIAsww.exe" starts with hidden window.
	The process "C:\ProgramData\VmYMsIgM\YOUMMIEo.exe" starts with hidden window.
	The process "C:\Users\WI2YHM~1\AppData\Local\Temp\dWAAskwo.bat" starts with hidden window.
	The process "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1" starts with hidden window.
	The process "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2" starts with hidden window.
	The process "reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f" starts with hidden window.
-	Browser
-	Device
-	File System
-	Hide Tracks
-	Information Stealing
-	Injection
-	Kernel
-	Masquerade
-	Network
-	VBA Macro
-	YARA