VMRay Analyzer Report
VTI Score 91 / 100 | |
| VTI Database Version | 2.2 |
| VTI Rule Match Count | 21 |
| VTI Rule Type | Default (PE, ...) |
 | Anti Analysis | |
| Illegitimate API usage | |
Internal API "CreateProcessInternalA" was used to start ""C:\program files\internet explorer\IEXPLORE.EXE"". | ||
| Try to detect forensic tool | |
Search for the window class "FilemonClass" that is related to a forensic tool. | ||
Search for the window "File Monitor - Sysinternals: www.sysinternals.com" that is related to a forensic tool. | ||
Search for the window class "PROCMON_WINDOW_CLASS" that is related to a forensic tool. | ||
Search for the window class "RegmonClass" that is related to a forensic tool. | ||
Search for the window "Registry Monitor - Sysinternals: www.sysinternals.com" that is related to a forensic tool. | ||
Search for the window class "18467-41" that is related to a forensic tool. | ||
| Try to detect debugger | |
Check via API "NtQueryInformationProcess". | ||
Find window class "OLLYDBG". | ||
Find window class "GBDYLLO". | ||
Find window class "pediy06". | ||
Check via API "CheckRemoteDebuggerPresent". | ||
| Try to detect virtual machine | |
Possibly trying to detect VirtualPC via vpcext instruction at "0xb073f0f". | ||
Possibly trying to detect VM via rdtsc. | ||
| Injection | |
| Modify control flow of an other process | |
"c:\users\dssdpmx042\desktop\explorer pro.exe" alters context of "c:\program files\internet explorer\iexplore.exe" | ||
| PE | |
| PE file is packed | |
File "Explorer Pro.exe" is packed with "Themida/WinLicense V1.8.0.2 + -> Oreans Technologies". | ||
| Process | |
| Allocate a page with write and execute permissions | |
Allocate a page with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code. | ||
Change the protection of a page from writable ("PAGE_WRITECOPY") to executable ("PAGE_EXECUTE_READWRITE"). | ||
Allocate a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code. | ||
| Create process with hidden window | |
The process ""C:\program files\internet explorer\IEXPLORE.EXE"" starts with hidden window. | ||
| Obfuscate control flow | |
Modify exception handler (e.g., the instruction pointer is modified within an exception handler filter). | ||
| - | Browser | |
| - | Device | |
| - | File System | |
| - | Hide Tracks | |
| - | Information Stealing | |
| - | Kernel | |
| - | Masquerade | |
| - | Network | |
| - | OS | |
| - | Persistence | |
| - | VBA Macro | |
| - | YARA | |
