VMRay Analyzer Report for Sample #625263
VMRay Analyzer 1.11.0

Process
  PID: 1300
  Name: explorer pro.exe
  Parent PID: 1136
  Image name: explorer pro.exe
  Command line: "C:\Users\DSsDPMx042\Desktop\Explorer Pro.exe"
  Working directory: C:\Users\DSsDPMx042\Desktop
  Image path: c:\users\dssdpmx042\desktop\explorer pro.exe
  Operations: Opened, Created (x7), Opened

Process
  PID: 1400
  Name: iexplore.exe
  Parent PID: 1300
  Image name: iexplore.exe
  Command line: "C:\program files\internet explorer\IEXPLORE.EXE"
  Working directory: C:\Users\DSsDPMx042\Desktop
  Image path: c:\program files\internet explorer\iexplore.exe
File
  Name: sice

File
  Name: siwvid

File
  Name: ntice

File
  Path: c:\program files\common files\microsoft shared\msinfo\fieleway.txt
  Drive: c:\
  Extension: txt
  MD5: 5718f05d3bdebb944ec1c02d56ff3a63
  SHA1: 035e87a09dad57fd972df857579fdb65f36a1395
  SHA256: 444ea6025185bf690be65b937723cd74ec2cf1030fc42f7a8f191ff6a238a5d6
File
  Path: c:\users\dssdpmx042\desktop\explorer pro.exe
  Drive: c:\
  Extension: exe

WinRegistryKey
  Key: HKEY_LOCAL_MACHINE\Software\WinLicense
  Value name: CheckIN
  Value data: 1
  Value type: REG_DWORD_LITTLE_ENDIAN

File
  Path: C:\Users\DSsDPMx042\Desktop\Explorer Pro.exe
  Drive: C:\
  Extension: exe
Analyzed Sample #625263
Malware Artifacts
Sample-ID: #625263
Job-ID: #676568
Detect Virtualization / Hypervisor
This sample was analyzed by VMRay Analyzer 1.11.0 on a Windows 7 system.
VTI Score: 91 (based on VTI Database Version 2.2)

Metadata of Sample File #625263
Submission-ID: #625263
File: C:\Users\DSsDPMx042\Desktop\Explorer Pro.exe
Type: exe
MD5: be66787e9a1933b319e3694b4c348e38
SHA1: 05ed9e77fc98cfce1bb9e4acad1b95f4167c5129
SHA256: ce7ddc6318d4e76ef0ad3d9b1a8f8ad90eb77a0bf53ab49e8440a0fb0b67aa39
Opened_By: VMRay Analyzer
[Process] vmray_allocate_wx_page (VTI rule score 1/5)
  Allocate a page with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
  Operation: Allocate a page with write and execute permissions

[Anti Analysis] vmray_detect_debugger_by_window (VTI rule score 2/5)
  Find window class "OLLYDBG".
  Operation: Try to detect debugger

[Anti Analysis] vmray_detect_debugger_by_window (VTI rule score 2/5)
  Find window class "GBDYLLO".
  Operation: Try to detect debugger

[Anti Analysis] vmray_detect_debugger_by_window (VTI rule score 2/5)
  Find window class "pediy06".
  Operation: Try to detect debugger

[Anti Analysis] vmray_detect_forensic_tool_by_window (VTI rule score 3/5)
  Search for the window class "FilemonClass" that is related to a forensic tool.
  Operation: Try to detect forensic tool

[Anti Analysis] vmray_detect_forensic_tool_by_window (VTI rule score 3/5)
  Search for the window "File Monitor - Sysinternals: www.sysinternals.com" that is related to a forensic tool.
  Operation: Try to detect forensic tool

[Anti Analysis] vmray_detect_forensic_tool_by_window (VTI rule score 3/5)
  Search for the window class "PROCMON_WINDOW_CLASS" that is related to a forensic tool.
  Operation: Try to detect forensic tool

[Anti Analysis] vmray_detect_debugger_by_api (VTI rule score 3/5)
  Check via API "NtQueryInformationProcess".
  Operation: Try to detect debugger

[Anti Analysis] vmray_detect_forensic_tool_by_window (VTI rule score 3/5)
  Search for the window class "RegmonClass" that is related to a forensic tool.
  Operation: Try to detect forensic tool

[Anti Analysis] vmray_detect_forensic_tool_by_window (VTI rule score 3/5)
  Search for the window "Registry Monitor - Sysinternals: www.sysinternals.com" that is related to a forensic tool.
  Operation: Try to detect forensic tool

[Anti Analysis] vmray_detect_forensic_tool_by_window (VTI rule score 3/5)
  Search for the window class "18467-41" that is related to a forensic tool.
  Operation: Try to detect forensic tool

[Anti Analysis] vmray_detect_debugger_by_api (VTI rule score 2/5)
  Check via API "CheckRemoteDebuggerPresent".
  Operation: Try to detect debugger

[Process] vmray_allocate_wx_page (VTI rule score 1/5)
  Change the protection of a page from writable ("PAGE_WRITECOPY") to executable ("PAGE_EXECUTE_READWRITE").
  Operation: Allocate a page with write and execute permissions

[Anti Analysis] vmray_illegitimate_api_usage_by_create_process_internal (VTI rule score 4/5)
  Internal API "CreateProcessInternalA" was used to start "C:\program files\internet explorer\IEXPLORE.EXE".
  Operation: Illegitimate API usage

[Process] vmray_create_process_with_hidden_window (VTI rule score 1/5)
  The process "C:\program files\internet explorer\IEXPLORE.EXE" starts with a hidden window.
  Operation: Create process with hidden window

[Process] vmray_allocate_wx_page (VTI rule score 1/5)
  Allocate a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
  Operation: Allocate a page with write and execute permissions

[Anti Analysis] vmray_detect_virtualpc_by_vpcext (VTI rule score 3/5)
  Possibly trying to detect VirtualPC via vpcext instruction at "0xb073f0f".
  Operation: Try to detect virtual machine

[Anti Analysis] vmray_detect_vm_by_rdtsc (VTI rule score 3/5)
  Possibly trying to detect VM via rdtsc.
  Operation: Try to detect virtual machine

[Injection] vmray_modify_control_flow (VTI rule score 3/5)
  "c:\users\dssdpmx042\desktop\explorer pro.exe" alters context of "c:\program files\internet explorer\iexplore.exe".
  Operation: Modify control flow of another process

[PE] vmray_check_for_packed_pe_file (VTI rule score 1/5)
  File "Explorer Pro.exe" is packed with "Themida/WinLicense V1.8.0.2 + -> Oreans Technologies".
  Operation: PE file is packed

[Process] vmray_control_flow_obfuscation (VTI rule score 1/5)
  Modify exception handler (e.g., the instruction pointer is modified within an exception handler filter).
  Operation: Obfuscate control flow