Score | Category | Operation | Count | Classification
---|---|---|---|---
5/5 | Reputation | Known malicious file | 1 | Trojan
  - File "C:\Users\FD1HVy\Desktop\Pg.exe" is a known malicious file.

4/5 | File System | Deletes user files | 1 | Wiper
  - Deletes multiple user files. This is an indicator for ransomware or wiper malware.

4/5 | File System | Modifies content of user files | 1 | Ransomware
  - Modifies the content of multiple user files. This is an indicator for an encryption attempt.

4/5 | OS | Modifies Windows automatic backups | 1 | -
  - Deletes Windows volume shadow copies.

2/5 | Anti Analysis | Tries to detect virtual machine | 1 | -
  - Possibly trying to detect VM via rdtsc.

1/5 | Process | Creates system object | 2 | -
  - Creates mutex with name "Global\syncronize_N7AZK6A".
  - Creates mutex with name "Global\syncronize_N7AZK6U".

1/5 | File System | Modifies operating system directory | 1 | -
  - Creates file "C:\WINDOWS\System32\Pg.exe" in the OS directory.

1/5 | Persistence | Installs system startup script or application | 3 | -
  - Adds "C:\WINDOWS\System32\Pg.exe" to Windows startup via registry.
  - Adds "c:\users\fd1hvy\appdata\roaming\microsoft\windows\start menu\programs\startup\pg.exe" to Windows startup folder.
  - Adds "c:\programdata\microsoft\windows\start menu\programs\startup\pg.exe" to Windows startup folder.

1/5 | Process | Creates process with hidden window | 1 | -
  - The process "C:\WINDOWS\system32\cmd.exe" starts with a hidden window.

1/5 | Masquerade | Changes folder appearance | 4 | -
  - Folder "c:\$recycle.bin\s-1-5-18" has a changed appearance.
  - Folder "c:\$recycle.bin\s-1-5-21-1051304884-625712362-2192934891-1000" has a changed appearance.
  - Folder "c:\program files\common files\microsoft shared\stationery" has a changed appearance.
  - Folder "c:\program files" has a changed appearance.

1/5 | File System | Modifies application directory | 109 | -
  - Modifies "c:\program files\common files\microsoft shared\clicktorun\officeupdateschedule.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\common files\microsoft shared\clicktorun\servicewatcherschedule.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\common files\microsoft shared\ink\en-us\boxed-join.avi".
  - Modifies "c:\program files\common files\microsoft shared\stationery\desktop.ini.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\desktop.ini.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\java\jre1.8.0_144\lib\deploy\splash@2x.gif".
  - Modifies "c:\program files\java\jre1.8.0_144\bin\server\xusage.txt.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\java\jre1.8.0_144\lib\deploy\splash_11-lic.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\java\jre1.8.0_144\lib\deploy\splash.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\java\jre1.8.0_144\lib\deploy\splash_11@2x-lic.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\java\jre1.8.0_144\lib\images\cursors\invalid32x32.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\java\jre1.8.0_144\lib\deploy\splash@2x.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\java\jre1.8.0_144\lib\deploy\ffjcext.zip.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\java\jre1.8.0_144\lib\images\cursors\win32_copydrop32x32.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\java\jre1.8.0_144\lib\images\cursors\win32_linkdrop32x32.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\java\jre1.8.0_144\lib\images\cursors\win32_linknodrop32x32.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\java\jre1.8.0_144\lib\images\cursors\win32_movedrop32x32.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\java\jre1.8.0_144\lib\images\cursors\win32_copynodrop32x32.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\java\jre1.8.0_144\lib\jvm.hprof.txt.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\java\jre1.8.0_144\lib\tzdb.dat.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\java\jre1.8.0_144\readme.txt.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\java\jre1.8.0_144\thirdpartylicensereadme-javafx.txt.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\java\jre1.8.0_144\thirdpartylicensereadme.txt.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\java\jre1.8.0_144\welcome.html.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\filesystemmetadata.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\java\jre1.8.0_144\lib\images\cursors\win32_movenodrop32x32.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\office16\ospp.htm.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\office16\ospp.vbs.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-0015-0409-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-0015-0000-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\office16\slerror.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\appxmanifest.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-0016-0409-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-0016-0000-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-0018-0409-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-0019-0000-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-0019-0409-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-001b-0000-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-001a-0000-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-001a-0409-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-0018-0000-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-001f-0409-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-001b-0409-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-001f-040c-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-0027-0000-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-002c-0409-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-0054-0409-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-006e-0409-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-0057-0000-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-0090-0409-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-0090-0000-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-00a1-0000-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-00a1-0409-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-00b4-0409-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-00ba-0000-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-00ba-0409-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-00e1-0409-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-00c1-0000-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-00e2-0000-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-00c1-0409-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-00e1-0000-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-00e2-0409-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-0115-0409-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-0117-0409-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-012a-0000-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-012b-0409-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.90160000-3101-0000-1000-0000000ff1ce.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\authoredextensions.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\ag00004_.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifestloc.en-us.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\ag00037_.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\ag00011_.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\ag00021_.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\ag00052_.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\ag00040_.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\ag00038_.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\ag00057_.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\packagemanifests\appxmanifest.common.xml.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\ag00090_.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\ag00092_.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\ag00103_.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\ag00126_.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\ag00129_.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\ag00120_.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\ag00130_.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\ag00135_.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\ag00139_.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\ag00158_.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\ag00154_.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\ag00161_.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\ag00160_.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\ag00157_.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\ag00142_.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\ag00164_.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\ag00163_.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\ag00167_.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\ag00170_.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\ag00169_.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\ag00172_.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\ag00175_.gif".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\ag00171_.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\ag00174_.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\ag00176_.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\an00015_.wmf.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\an00853_.wmf.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\an00790_.wmf.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\ag00175_.gif.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\an00010_.wmf.id-b4197730.[lockhelp@qq.com].jack".
  - Modifies "c:\program files\microsoft office\root\clipart\pub60cor\an00914_.wmf.id-b4197730.[lockhelp@qq.com].jack".

1/5 | Process | Reads from memory of another process | 2 | -
  - "c:\windows\system32\cmd.exe" reads from "C:\WINDOWS\system32\mode.com".
  - "c:\windows\system32\cmd.exe" reads from "C:\WINDOWS\system32\vssadmin.exe".

1/5 | File System | Creates an unusually large number of files | 1 | -
  - Creates an unusually large number of files.

0/5 | Process | Enumerates running processes | 1 | -
  - Enumerates running processes.