VMRay Analyzer Report
Try VMRay Analyzer
VTI Information
VTI Score
98 / 100
VTI Database Version 2.6
VTI Rule Match Count 62
VTI Rule Type Default (PE, ...)
Detected Threats
Arrow Anti Analysis
Arrow
Illegitimate API usage
Internal API "CreateProcessInternalW" was used to start "C:\Windows\SysWOW64\autofmt.exe".
Internal API "CreateProcessInternalW" was used to start "C:\Windows\SysWOW64\msiexec.exe".
Internal API "CreateProcessInternalW" was used to start "C:\Windows\SysWOW64\cmd.exe".
Internal API "CreateProcessInternalW" was used to start "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe".
Internal API "CreateProcessInternalW" was used to start "C:\Windows\SysWOW64\rdpclip.exe".
Internal API "CreateProcessInternalW" was used to start "C:\Windows\SysWOW64\autochk.exe".
Internal API "CreateProcessInternalW" was used to start "C:\Windows\SysWOW64\cmstp.exe".
Arrow
Try to detect kernel debugger
Check via API "NtQuerySystemInformation".
Arrow
Dynamic API usage
Resolve above average number of APIs.
Arrow
Try to detect debugger
Check via API "NtQueryInformationProcess".
Arrow
Delay execution
One thread sleeps more than 5 minutes.
Arrow File System
Arrow
Handle with malicious files
File "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr" is a known malicious file.
Arrow
Modify operating system directory
Create file "\??\C:\Windows\SysWOW64\ntdll.dll" in the OS directory.
Modify file "\??\C:\Windows\SysWOW64\ntdll.dll" in the OS directory.
Create file "\??\C:\Windows\SysWOW64\msiexec.exe" in the OS directory.
Modify file "\??\C:\Windows\SysWOW64\msiexec.exe" in the OS directory.
Create file "\??\C:\Windows\System32\drivers\etc\hosts" in the OS directory.
Modify file "\??\C:\Windows\System32\drivers\etc\hosts" in the OS directory.
Create file "\??\C:\Windows\SysWOW64\cmstp.exe" in the OS directory.
Modify file "\??\C:\Windows\SysWOW64\cmstp.exe" in the OS directory.
Arrow
Create many files
Create above average number of files.
Arrow Injection
Arrow
Write into memory of another process
"c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe" modifies memory of "c:\windows\explorer.exe"
"c:\windows\syswow64\msiexec.exe" modifies memory of "c:\windows\explorer.exe"
"c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe" modifies memory of "c:\windows\syswow64\msiexec.exe"
"c:\windows\syswow64\msiexec.exe" modifies memory of "c:\program files (x86)\mozilla firefox\firefox.exe"
"c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr" modifies memory of "c:\windows\explorer.exe"
"c:\windows\syswow64\cmstp.exe" modifies memory of "c:\windows\explorer.exe"
"c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr" modifies memory of "c:\windows\syswow64\cmstp.exe"
"c:\windows\syswow64\cmstp.exe" modifies memory of "c:\program files (x86)\mozilla firefox\firefox.exe"
Arrow
Modify control flow of another process
"c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe" alters context of "c:\windows\explorer.exe"
"c:\windows\syswow64\msiexec.exe" alters context of "c:\windows\explorer.exe"
"c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr" alters context of "c:\windows\explorer.exe"
"c:\windows\syswow64\cmstp.exe" alters context of "c:\windows\explorer.exe"
Arrow
Write into memory of a process running from a created or modified executable
"c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe" modifies memory of "c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe"
"c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr" modifies memory of "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr"
Arrow
Modify control flow of a process running from a created or modified executable
"c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe" alters context of "c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe"
"c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr" alters context of "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr"
Arrow Network
Arrow
Read network configuration
Read the current network configuration trough the host.conf file.
Arrow Persistence
Arrow
Install system startup script or application
Add "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr" to windows startup via registry.
Arrow Process
Arrow
Create system object
Create nameless mutex.
Create mutex with name "L53886-WGVVJKAFC".
Create mutex with name "8Q-59UAVA1ZvGWMZ".
Create mutex with name "S-1-5-21-3388679-13801793209033".
Create mutex with name "S-1-5-21-3388679-8441793209033".
Arrow
Create process with hidden window
The process "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe" starts with hidden window.
The process "C:\Windows\SysWOW64\autofmt.exe" starts with hidden window.
The process "C:\Windows\SysWOW64\msiexec.exe" starts with hidden window.
The process "C:\Windows\SysWOW64\cmd.exe" starts with hidden window.
The process "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe" starts with hidden window.
The process "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr" starts with hidden window.
The process "C:\Windows\SysWOW64\rdpclip.exe" starts with hidden window.
The process "C:\Windows\SysWOW64\autochk.exe" starts with hidden window.
The process "C:\Windows\SysWOW64\cmstp.exe" starts with hidden window.
Arrow
Create a page with write and execute permissions
Allocate a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
Arrow
Read from memory of another process
"c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe" reads from "c:\windows\explorer.exe".
"c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe" reads from "c:\windows\syswow64\msiexec.exe".
"c:\windows\syswow64\msiexec.exe" reads from "c:\windows\explorer.exe".
"c:\windows\syswow64\msiexec.exe" reads from "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe".
"c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr" reads from "c:\windows\explorer.exe".
"c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr" reads from "c:\program files\windows nt\hungry sage sender.exe".
"c:\windows\syswow64\cmstp.exe" reads from "c:\windows\explorer.exe".
"c:\windows\syswow64\cmstp.exe" reads from "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe".
- Browser
- Device
- OS
- Hide Tracks
- Information Stealing
- Kernel
- Masquerade
- PE
- User
- VBA Macro
- YARA
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image