| Field | Value |
|---|---|
| VTI Score | 75 / 100 |
| VTI Database Version | 2.2 |
| VTI Rule Match Count | 30 |
| VTI Rule Type | Default (PE, ...) |
| Category | Rule | Matched behaviour |
|---|---|---|
| Anti Analysis | Try to detect virtual machine | Possibly trying to detect VMware via registry "HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools". |
| | | Possibly trying to detect VirtualBox via registry "HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions". |
| | | Possibly trying to detect VirtualBox via registry "HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__". |
| | | Read out system information, commonly used to detect VMs via registry (value "SystemBiosVersion" in key "HKEY_LOCAL_MACHINE\HARDWARE\Description\System"). |
| Anti Analysis | Try to detect application sandbox | Possibly trying to detect "wine" by GetProcAddress(). |
| Injection | Write into memory of another process | "c:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe" modifies memory of "c:\windows\syswow64\svchost.exe" |
| Injection | Modify control flow of another process | "c:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe" creates thread in "c:\windows\syswow64\svchost.exe" |
| Process | Create system object | Create mutex with name "8A000000B7496798F6145935AA3E2760". |
| | | Create mutex with name "MicrosoftVirtualPC7UserServiceMakeSureWe'reTheOnlyOneMutex". |
| | | Create mutex with name "Sandboxie_SingleInstanceMutex_Control". |
| | | Create mutex with name "Frz_State". |
| | | Create mutex with name "4B000000D586D2D8AB6E07EC44CC9183". |
| | | Create mutex with name "9C0000002CCF1F00ECD770C403E9DE7B". |
| | | Create mutex with name "54000000F61A7DE2C294AD9653CFD4FD". |
| | | Create mutex with name "D20000002A14C6E52964F51932B9F49F". |
| | | Create mutex with name "AD0000002B4477546D3A308A977C30F1". |
| | | Create mutex with name "A1000000DA6AF38235D35BF570C2C4E9". |
| | | Create mutex with name "D9000000F219E1C779E2E7AC08DFD815". |
| | | Create mutex with name "7D0000008AA73D983C6DEAFF4C3848A7". |
| | | Create mutex with name "3B000000F5DFE9C2D11C32931F7D5BB4". |
| | | Create mutex with name "C0000000844EE6C40648470D345E7B65". |
| | | Create mutex with name "4A000000AF17366BF4960AE62A76878C". |
| | | Create mutex with name "D5000000C70E48D5408251026F4BDA97". |
| OS | Enable process privileges | Enable privilege "SeSecurityPrivilege". |
| Process | Create process with hidden window | The process ""C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\Sun\Java\Devices.exe"" starts with hidden window. |
| | | The process "C:\Windows\SysWOW64\svchost.exe -k netsvcs" starts with hidden window. |
| | | The process ""C:\Windows\system32\cmd.exe" \c "C:\Users\WI2YHM~1\AppData\Local\Temp\upd823d0e12.bat"" starts with hidden window. |
| Process | Allocate a page with write and execute permissions | Allocate a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code. |
| | | Allocate a page with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code. |
| Persistence | Install system startup script or application | Add ""C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\Sun\Java\Devices.exe"" to Windows startup via registry. |
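Three of the mutex names under "Create system object" are not campaign-specific at all: "Sandboxie_SingleInstanceMutex_Control", "MicrosoftVirtualPC7UserServiceMakeSureWe'reTheOnlyOneMutex" and "Frz_State" are the mutexes owned by Sandboxie, Microsoft Virtual PC and Faronics Deep Freeze respectively, and a sample that calls CreateMutex on them and then checks GetLastError() for ERROR_ALREADY_EXISTS is probing for an analysis environment, so they belong with the anti-analysis findings rather than with the persistence or injection IOCs (this attribution is the editor's, drawn from public anti-sandbox checklists, not something the report states). The remaining mutex names all share one shape: two hex characters, six zeros, then 24 hex characters. The following Python script is an added triage helper, not part of the sandbox report or of any vendor tooling: it parses the flattened "Category | Rule | ||" / "Detail | |||" rows in the form shown above, pulls out the registry keys probed, the injection source/target pair, the startup entry and the mutex names, and tags each mutex as a known sandbox marker, as a match for that campaign-specific hex pattern, or as unknown. The sample rows embedded in it are a constructed subset of the table above; the KNOWN_SANDBOX_MUTEXES attributions and the hex-pattern regex are the editor's assumptions.

```python
"""Triage helper for a flattened VTI rule-match table (added example, not vendor code)."""
import re
from collections import defaultdict

# Constructed sample: a subset of the report rows above, in the flattened pipe form.
SAMPLE_ROWS = r"""Anti Analysis | Try to detect virtual machine | ||
Possibly trying to detect VMware via registry "HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools". | |||
Readout system information, commonly used to detect VMs via registry. (Value "SystemBiosVersion" in key "HKEY_LOCAL_MACHINE\HARDWARE\Description\System"). | |||
Injection | Write into memory of an other process | ||
"c:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe" modifies memory of "c:\windows\syswow64\svchost.exe" | |||
Process | Create system object | ||
Create mutex with name "8A000000B7496798F6145935AA3E2760". | |||
Create mutex with name "Sandboxie_SingleInstanceMutex_Control". | |||
Create mutex with name "Frz_State". | |||
Persistence | Install system startup script or application | ||
Add ""C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\Sun\Java\Devices.exe"" to windows startup via registry. | |||
"""

# Editor's assumption: mutexes owned by common analysis tools, probed to detect them.
KNOWN_SANDBOX_MUTEXES = {
    "Sandboxie_SingleInstanceMutex_Control": "Sandboxie",
    "MicrosoftVirtualPC7UserServiceMakeSureWe'reTheOnlyOneMutex": "Microsoft Virtual PC",
    "Frz_State": "Faronics Deep Freeze",
}
# Editor's assumption: the shape shared by every other mutex name in the report
# (2 hex chars, six zeros, 24 hex chars), useful as a hunt pattern for this campaign.
RANDOM_MUTEX_RE = re.compile(r"^[0-9A-F]{2}000000[0-9A-F]{24}$")

MUTEX_RE = re.compile(r'Create mutex with name "([^"]+)"')
REGKEY_RE = re.compile(r'(?:via registry|in key) "([^"]+)"')
INJECT_RE = re.compile(r'"([^"]+)" (modifies memory of|creates thread in) "([^"]+)"')
STARTUP_RE = re.compile(r'Add "+(.+?)"+ to windows startup', re.IGNORECASE)


def parse_vti_rows(text):
    """Turn flattened rows into (category, rule, detail) triples.

    A rule header row carries two non-empty cells ("Category | Rule | ||");
    a detail row carries one ("Detail | |||") and belongs to the last header seen.
    """
    findings, category, rule = [], None, None
    for raw in text.splitlines():
        cells = [c.strip() for c in raw.split("|") if c.strip()]
        if len(cells) == 2:
            category, rule = cells
        elif len(cells) == 1 and rule is not None:
            findings.append((category, rule, cells[0]))
    return findings


def classify_mutex(name):
    """Label a mutex name: known analysis-tool marker, campaign hex pattern, or unknown."""
    if name in KNOWN_SANDBOX_MUTEXES:
        return "sandbox-marker:" + KNOWN_SANDBOX_MUTEXES[name]
    if RANDOM_MUTEX_RE.match(name):
        return "campaign-pattern"
    return "unknown"


def extract_iocs(findings):
    """Collect hunt-ready indicators from parsed findings, grouped by kind."""
    iocs = {"mutexes": {}, "registry_keys": [], "injection": [], "startup": [],
            "rule_counts": defaultdict(int)}
    for category, _rule, detail in findings:
        iocs["rule_counts"][category] += 1
        if m := MUTEX_RE.search(detail):
            iocs["mutexes"][m.group(1)] = classify_mutex(m.group(1))
        if m := REGKEY_RE.search(detail):
            iocs["registry_keys"].append(m.group(1))
        if m := INJECT_RE.search(detail):
            iocs["injection"].append((m.group(1), m.group(2), m.group(3)))
        if m := STARTUP_RE.search(detail):
            iocs["startup"].append(m.group(1))
    iocs["rule_counts"] = dict(iocs["rule_counts"])
    return iocs


if __name__ == "__main__":
    result = extract_iocs(parse_vti_rows(SAMPLE_ROWS))
    for kind, value in result.items():
        print(f"{kind}: {value}")
```

Run against the full table rather than the embedded subset, the "campaign-pattern" bucket gives the list of mutex names worth searching for on other hosts, while the "sandbox-marker" bucket should be read as an anti-analysis behaviour rather than as an indicator of this sample specifically, since any malware family that probes for Sandboxie or Deep Freeze will touch the same names.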