4deff7d8...399c

Severity	Category	Operation	Classification
5/5	File System	Encrypts content of user files	Ransomware
Encrypts the content of multiple user files. This is an indicator for ransomware. ... VTI Actions Go to Function Call
5/5	Device	Writes to Master Boot Record (MBR)	-
Writes 512 bytes to master boot record (MBR). ... VTI Actions Go to MBR Modification
4/5	OS	Modifies Windows automatic backups	-
Deletes Windows volume shadow copies. ... VTI Actions Go to Process
3/5	Kernel	Executes code with kernel privileges	-
Executes code with kernel privileges to perform system level actions. This can sometimes be used to perform malicious actions and to avoid detection. ... VTI Actions Go to Kernel Tab
1/5	Anti Analysis	Tries to detect debugger	-
Check via API "IsDebuggerPresent". ... VTI Actions Go to Function Call
1/5	Process	Creates process with hidden window	-
The process "C:\Windows\system32\cmd.exe /c schtasks /create /sc onlogon /tn 3123635631 /rl highest /tr C:\PROGRA~1\COMMON~1\sous.exe" starts with hidden window. ... VTI Actions Go to Function Call
The process "C:\Windows\system32\cmd.exe /C title 7652158\|vssadmin.exe Delete Shadows /All /Quiet" starts with hidden window. ... VTI Actions Go to Function Call
The process "C:\Windows\system32\cmd.exe /C title 3988795\|bcdedit /set {default} recoveryenabled No" starts with hidden window. ... VTI Actions Go to Function Call
The process "C:\Windows\system32\cmd.exe /C title 9579842\|bcdedit /set {default} bootstatuspolicy ignoreallfailures" starts with hidden window. ... VTI Actions Go to Function Call
1/5	Anti Analysis	Resolves APIs dynamically to possibly evade static detection	-
Resolves an unusually high number of APIs. ... VTI Actions Go to Function Call
1/5	Masquerade	Changes folder appearance	Riskware
Folder "c:\users\5jghkoaofdp\contacts" has a changed appearance. ... VTI Actions Go to Function Call
Folder "c:\users\5jghkoaofdp\desktop" has a changed appearance. ... VTI Actions Go to Function Call
Folder "c:\users\5jghkoaofdp\documents" has a changed appearance. ... VTI Actions Go to Function Call
Folder "c:\users\5jghkoaofdp\documents\my shapes" has a changed appearance. ... VTI Actions Go to Function Call
Folder "c:\users\5jghkoaofdp\downloads" has a changed appearance. ... VTI Actions Go to Function Call
Folder "c:\users\5jghkoaofdp\favorites" has a changed appearance. ... VTI Actions Go to Function Call
Folder "c:\users\5jghkoaofdp\favorites\links" has a changed appearance. ... VTI Actions Go to Function Call
Folder "c:\users\5jghkoaofdp\links" has a changed appearance. ... VTI Actions Go to Function Call
Folder "c:\users\5jghkoaofdp\music" has a changed appearance. ... VTI Actions Go to Function Call
Folder "c:\users\5jghkoaofdp\pictures" has a changed appearance. ... VTI Actions Go to Function Call
Folder "c:\users\5jghkoaofdp\saved games" has a changed appearance. ... VTI Actions Go to Function Call
Folder "c:\users\5jghkoaofdp\searches" has a changed appearance. ... VTI Actions Go to Function Call
Folder "c:\users\5jghkoaofdp\videos" has a changed appearance. ... VTI Actions Go to Function Call
1/5	Device	Monitors mouse movements and clicks	-
Frequently reads the state of a mouse button by API. ... VTI Actions Go to Function Call
1/5	File System	Creates an unusually large number of files	-
Creates an unusually large number of files. ... VTI Actions Go to File Details
1/5	Network	Downloads data	Downloader
URL "blockchain.info/tobtc?currency=USD&value=1000". ... VTI Actions Go to Function Call
1/5	Network	Connects to HTTP server	-
URL "blockchain.info/tobtc?currency=USD&value=1000". ... VTI Actions Go to Function Call
1/5	Persistence	Installs system service	-
Installs service "3123635631" by using the sc.exe utility. ... VTI Actions Go to Function Call

Notifications (2/2)

Before

After