Trojan.VMDetector.A

By CagedTech in Trojans

Threat Scorecard

Popularity Rank:	14,048
Threat Level:	80 % (High)
Infected Computers:	178

First Seen:	September 1, 2021
Last Seen:	January 1, 2026
OS(es) Affected:	Windows

Table of Contents

Analysis Report

General information

Family Name:	Trojan.VMDetector.A
Signature status:	No Signature

Known Samples

MD5: adfe6a9cb1505936c10a420290e17cea

SHA1: 2c57f56705e49472893be48c57b2ff00f49e9e27

SHA256: 9D9B4844EBA67DD184BC2D32F82778554861E6F6CCA231BF96A8FE262D36D790

File Size: 750.59 KB, 750592 bytes

MD5: 1aee0385397ecfa0d662cd6981921da9

SHA1: 6e3b2017180d29356e1a1d85a99a75c4f1df92bf

SHA256: 3C2DC771758EF8BA07B5C0FE8022CA4D303D276027CD17B14BC35C5D1906E72C

File Size: 369.05 KB, 369047 bytes

MD5: d56577031921e047b0cdaea61f9298e5

SHA1: b761f912e0ec556d8e22679bb1b938e6c953344d

SHA256: 02E9ED2221BAA31FD3B7A0FFFDCDBD616401398857494D4CD22CA950FB5E135E

File Size: 457.20 KB, 457204 bytes

MD5: d08d8dfdc5a0da4e8bb9505762720785

SHA1: e6729c250d98be14871c2c55734b66333686f1d3

SHA256: 1CEA9C144AACC6341C754B09064CE75D715F6A5414F8596EA4B3F9CF6292D7FE

File Size: 787.97 KB, 787968 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have debug information
File doesn't have exports table
File doesn't have relocations information
File doesn't have resources
File doesn't have security information
File has exports table
File is 32-bit executable
File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
File is either console or GUI application

File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
File is Native application (NOT .NET application)
File is not packed
IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name	Value
Company Name	Lyrics Mein Gutscheincode GmbH
File Description	Allyrics-1 Installer Mein Gutscheincode Installer
File Version	1.28.153.3 1.28.153.1
Legal Copyright	Copyright Lyrics Copyright Mein Gutscheincode GmbH
Product Name	Allyrics-1 Mein Gutscheincode

File Traits

dll
HighEntropy
x86

Block Information

Total Blocks:	1,307
Potentially Malicious Blocks:	89
Whitelisted Blocks:	1,137
Unknown Blocks:	81

Visual Map

0 0 0 0 0 0 0 0 0 x 0 ? x 0 0 ? ? ? 0 0 0 0 0 0 0 0 0 0 0 x x x 0 0 0 0 0 0 0 0 0 1 0 ? ? 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? x 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 ? ? ? 0 0 0 ? 0 0 x x x x x ? x 0 x ? ? ? ? ? x ? x 0 0 0 ? ? 0 0 ? x x x x x x x x x x ? x x ? x x x x x ? ? x ? ? x x x ? ? ? x x ? ? ? ? ? ? x x ? ? ? ? ? 0 ? ? ? ? ? x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 x 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 x 0 0 0 0 0 0 0 0 0 x 0 x 0 0 0 0 1 1 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 ? ? ? ? ? ? ? ? 1 0 1 x x ? x x x x ? ? ? ? ? ? ? x ? x x x x 0 0 0 x x 0 0 0 0 0 ? ? 0 x ? x x ? ? ? 0 0 0 ? ? x ? x x x x ? x x 0 0 ? x ? ? x ? ? ? x 0 0 0 0 x x x x x x ? x x ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 0 0 0 2 0 3 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 1 0 0 0 0 0 1 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 1 0 0 0 0 0 0 2 3 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 0 0 0 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 1 0 1 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 2 1 1 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 1 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 1 0 1 1 0 0 0

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Files Modified

File	Attributes
c:\users\user\appdata\local\temp\allyrics-1uninstaller_1759242272.log	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\allyrics-1uninstaller_1759242272.log	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa3942.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsa4beb.tmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsa4beb.tmp\installerutils.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa4beb.tmp\installerutils.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsa4beb.tmp\nsislog.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa4beb.tmp\nsislog.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsa4beb.tmp\nsisos.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa4beb.tmp\nsisos.dll	Synchronize,Write Attributes

c:\users\user\appdata\local\temp\nsa4beb.tmp\stdutils.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa4beb.tmp\stdutils.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsa4beb.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa4beb.tmp\system.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsa4beb.tmp\userinfo.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa4beb.tmp\userinfo.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsf4b1f.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsl4bdb.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsp372f.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsq3953.tmp\nsislog.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsq3953.tmp\stdutils.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\~nsu.tmp\au_.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144

Registry Modifications

Key::Value	Data	API Name
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Qxgnvyjg\AppData\Local\Temp\~nsu.tmp\Au_.exe	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Qxgnvyjg\AppData\Local\Temp\~nsu.tmp\Au_.exe\??\C:\Users\Qxgnvyjg\AppData\Local\Temp\~nsu.tmp	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\content::cacheprefix		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\cookies::cacheprefix	Cookie:	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\history::cacheprefix	Visited:	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Qxgnvyjg\AppData\Local\Temp\~nsu.tmp\Au_.exe\??\C:\Users\Qxgnvyjg\AppData\Local\Temp\~nsu.tmp\??\C:\Users\Qxgnv	RegNtPreCreateKey

HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old122e41\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old12352*1\??\C:\P	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey

Windows API Usage

Category	API
Syscall Use	ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtClose ntdll.dll!NtCreateFile ntdll.dll!NtCreateSection ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtMapViewOfSection ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenProcessToken ntdll.dll!NtProtectVirtualMemory Show More ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryDebugFilterState ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQuerySystemInformationEx ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtReadFile ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationFile ntdll.dll!NtSetInformationProcess ntdll.dll!NtSetInformationVirtualMemory ntdll.dll!NtSetInformationWorkerFactory ntdll.dll!NtTestAlert ntdll.dll!NtTraceControl ntdll.dll!NtUnmapViewOfSection ntdll.dll!NtWaitForSingleObject ntdll.dll!NtWriteFile ntdll.dll!NtWriteVirtualMemory win32u.dll!NtUserGetKeyboardLayout win32u.dll!NtUserGetThreadState
Process Shell Execute	CreateProcess
Anti Debug	NtQuerySystemInformation
Network Wininet	HttpOpenRequest HttpQueryInfo HttpSendRequest InternetConnect InternetOpen
Process Manipulation Evasion	NtUnmapViewOfSection

Shell Command Execution


							C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\2c57f56705e49472893be48c57b2ff00f49e9e27_0000750592.,LiQMAxHB


							"C:\Users\Qxgnvyjg\AppData\Local\Temp\~nsu.tmp\Au_.exe"  _?=c:\users\user\downloads\


							"C:\Users\Hezkzrlh\AppData\Local\Temp\~nsu.tmp\Au_.exe"  _?=c:\users\user\downloads\


							C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\e6729c250d98be14871c2c55734b66333686f1d3_0000787968.,LiQMAxHB

EnigmaSoft’s Payment Processor Digital River GmbH Filing for Bankruptcy Does Not Impact SpyHunter Customers’ Anti-Malware Protection

Search

Change Region

Trojan.VMDetector.A

Threat Scorecard

EnigmaSoft Threat Scorecard

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

File Icons

File Icons

Windows PE Version Information

Windows PE Version Information

File Traits

Block Information

Block Information

Visual Map

Files Modified

Files Modified

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

Submit Comment

Trending

Tratbc.com

1bit.space

Trojan Downloader.Win32.Devsog!k

Most Viewed

How To Fix 'Printer Driver is Unavailable' Error

Discord Shows Black Screen when Sharing Screen

Discord Is Stuck on Gray Screen