VMRay Analyzer Report
Try VMRay Analyzer
VTI Information
VTI Score
98 / 100
VTI Database Version 2.6
VTI Rule Match Count 62
VTI Rule Type Default (PE, ...)
Detected Threats
Arrow File System Handle with malicious files
File "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr" is a known malicious file.
Arrow Injection Write into memory of another process
"c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe" modifies memory of "c:\windows\explorer.exe"
"c:\windows\syswow64\msiexec.exe" modifies memory of "c:\windows\explorer.exe"
"c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe" modifies memory of "c:\windows\syswow64\msiexec.exe"
"c:\windows\syswow64\msiexec.exe" modifies memory of "c:\program files (x86)\mozilla firefox\firefox.exe"
"c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr" modifies memory of "c:\windows\explorer.exe"
"c:\windows\syswow64\cmstp.exe" modifies memory of "c:\windows\explorer.exe"
"c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr" modifies memory of "c:\windows\syswow64\cmstp.exe"
"c:\windows\syswow64\cmstp.exe" modifies memory of "c:\program files (x86)\mozilla firefox\firefox.exe"
Arrow Injection Modify control flow of another process
"c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe" alters context of "c:\windows\explorer.exe"
"c:\windows\syswow64\msiexec.exe" alters context of "c:\windows\explorer.exe"
"c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr" alters context of "c:\windows\explorer.exe"
"c:\windows\syswow64\cmstp.exe" alters context of "c:\windows\explorer.exe"
Arrow Anti Analysis Illegitimate API usage
Internal API "CreateProcessInternalW" was used to start "C:\Windows\SysWOW64\autofmt.exe".
Internal API "CreateProcessInternalW" was used to start "C:\Windows\SysWOW64\msiexec.exe".
Internal API "CreateProcessInternalW" was used to start "C:\Windows\SysWOW64\cmd.exe".
Internal API "CreateProcessInternalW" was used to start "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe".
Internal API "CreateProcessInternalW" was used to start "C:\Windows\SysWOW64\rdpclip.exe".
Internal API "CreateProcessInternalW" was used to start "C:\Windows\SysWOW64\autochk.exe".
Internal API "CreateProcessInternalW" was used to start "C:\Windows\SysWOW64\cmstp.exe".
Arrow Network Read network configuration
Read the current network configuration trough the host.conf file.
Arrow Anti Analysis Try to detect kernel debugger
Check via API "NtQuerySystemInformation".
Arrow Process Create system object
Create nameless mutex.
Create mutex with name "L53886-WGVVJKAFC".
Create mutex with name "8Q-59UAVA1ZvGWMZ".
Create mutex with name "S-1-5-21-3388679-13801793209033".
Create mutex with name "S-1-5-21-3388679-8441793209033".
Arrow Anti Analysis Dynamic API usage
Resolve above average number of APIs.
Arrow Process Create process with hidden window
The process "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe" starts with hidden window.
The process "C:\Windows\SysWOW64\autofmt.exe" starts with hidden window.
The process "C:\Windows\SysWOW64\msiexec.exe" starts with hidden window.
The process "C:\Windows\SysWOW64\cmd.exe" starts with hidden window.
The process "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe" starts with hidden window.
The process "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr" starts with hidden window.
The process "C:\Windows\SysWOW64\rdpclip.exe" starts with hidden window.
The process "C:\Windows\SysWOW64\autochk.exe" starts with hidden window.
The process "C:\Windows\SysWOW64\cmstp.exe" starts with hidden window.
Arrow Process Create a page with write and execute permissions
Allocate a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
Arrow File System Modify operating system directory
Create file "\??\C:\Windows\SysWOW64\ntdll.dll" in the OS directory.
Modify file "\??\C:\Windows\SysWOW64\ntdll.dll" in the OS directory.
Create file "\??\C:\Windows\SysWOW64\msiexec.exe" in the OS directory.
Modify file "\??\C:\Windows\SysWOW64\msiexec.exe" in the OS directory.
Create file "\??\C:\Windows\System32\drivers\etc\hosts" in the OS directory.
Modify file "\??\C:\Windows\System32\drivers\etc\hosts" in the OS directory.
Create file "\??\C:\Windows\SysWOW64\cmstp.exe" in the OS directory.
Modify file "\??\C:\Windows\SysWOW64\cmstp.exe" in the OS directory.
Arrow Anti Analysis Try to detect debugger
Check via API "NtQueryInformationProcess".
Arrow Process Read from memory of another process
"c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe" reads from "c:\windows\explorer.exe".
"c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe" reads from "c:\windows\syswow64\msiexec.exe".
"c:\windows\syswow64\msiexec.exe" reads from "c:\windows\explorer.exe".
"c:\windows\syswow64\msiexec.exe" reads from "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe".
"c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr" reads from "c:\windows\explorer.exe".
"c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr" reads from "c:\program files\windows nt\hungry sage sender.exe".
"c:\windows\syswow64\cmstp.exe" reads from "c:\windows\explorer.exe".
"c:\windows\syswow64\cmstp.exe" reads from "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe".
Arrow Anti Analysis Delay execution
One thread sleeps more than 5 minutes.
Arrow Persistence Install system startup script or application
Add "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr" to windows startup via registry.
Arrow File System Create many files
Create above average number of files.
Arrow Injection Write into memory of a process running from a created or modified executable
"c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe" modifies memory of "c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe"
"c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr" modifies memory of "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr"
Arrow Injection Modify control flow of a process running from a created or modified executable
"c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe" alters context of "c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe"
"c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr" alters context of "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr"
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image