VMRay Analyzer Report
VTI Information
VTI Score
91 / 100
VTI Database Version2.2
VTI Rule Match Count21
VTI Rule TypeDefault (PE, ...)
Detected Threats
ArrowAnti Analysis
Arrow
Illegitimate API usage
Internal API "CreateProcessInternalA" was used to start ""C:\program files\internet explorer\IEXPLORE.EXE"".
Arrow
Try to detect forensic tool
Search for the window class "FilemonClass" that is related to a forensic tool.
Search for the window "File Monitor - Sysinternals: www.sysinternals.com" that is related to a forensic tool.
Search for the window class "PROCMON_WINDOW_CLASS" that is related to a forensic tool.
Search for the window class "RegmonClass" that is related to a forensic tool.
Search for the window "Registry Monitor - Sysinternals: www.sysinternals.com" that is related to a forensic tool.
Search for the window class "18467-41" that is related to a forensic tool.
Arrow
Try to detect debugger
Check via API "NtQueryInformationProcess".
Find window class "OLLYDBG".
Find window class "GBDYLLO".
Find window class "pediy06".
Check via API "CheckRemoteDebuggerPresent".
Arrow
Try to detect virtual machine
Possibly trying to detect VirtualPC via vpcext instruction at "0xb073f0f".
Possibly trying to detect VM via rdtsc.
ArrowInjection
Arrow
Modify control flow of an other process
"c:\users\dssdpmx042\desktop\explorer pro.exe" alters context of "c:\program files\internet explorer\iexplore.exe"
ArrowPE
Arrow
PE file is packed
File "Explorer Pro.exe" is packed with "Themida/WinLicense V1.8.0.2 + -> Oreans Technologies".
ArrowProcess
Arrow
Allocate a page with write and execute permissions
Allocate a page with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
Change the protection of a page from writable ("PAGE_WRITECOPY") to executable ("PAGE_EXECUTE_READWRITE").
Allocate a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
Arrow
Create process with hidden window
The process ""C:\program files\internet explorer\IEXPLORE.EXE"" starts with hidden window.
Arrow
Obfuscate control flow
Modify exception handler (e.g., the instruction pointer is modified within an exception handler filter).
-Browser
-Device
-File System
-Hide Tracks
-Information Stealing
-Kernel
-Masquerade
-Network
-OS
-Persistence
-VBA Macro
-YARA
Function Logfile
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with deactivated setting "security.fileuri.strict_origin_policy".


Screenshot
Expand-Icon
Exit-Icon
icon_left
icon_left
image