Score | Category | Operation | Classification
5/5 | File System | Encrypts content of user files | Ransomware
- Encrypts the content of multiple user files. This is an indicator for ransomware.

4/5 | File System | Known malicious file | Trojan
- File "C:\Users\CIiHmnxMn6Ps\Desktop\CRYPT.EXE" is a known malicious file.

1/5 | Anti Analysis | Resolves APIs dynamically | -
- Resolves an unusually high number of APIs.

1/5 | Persistence | Installs system startup script or application | -
- Adds ""c:\How To Restore Files.hta"" to Windows startup via registry.
- Adds "C:\windows\searchfiles.exe" to Windows startup via registry.

1/5 | File System | Modifies operating system directory | -
- Creates file "C:\windows\searchfiles.exe" in the OS directory.

1/5 | Hide Tracks | Writes an unusually large amount of data to the registry | -
- Hides 1280 bytes in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\\rsa".

1/5 | Process | Creates process with hidden window | -
- The process "C:\Windows\system32\cmd.exe" starts with a hidden window.

1/5 | Masquerade | Changes folder appearance | Riskware
- Folder "c:\$recycle.bin\s-1-5-21-1462094071-1423818996-289466292-1000" has a changed appearance.
- Folder "c:\$recycle.bin\s-1-5-18" has a changed appearance.
- Folder "c:\program files" has a changed appearance.
- Folder "c:\program files (x86)" has a changed appearance.
- Folder "c:\users" has a changed appearance.
- Folder "c:\users\public" has a changed appearance.
- Folder "c:\users\ciihmnxmn6ps\music" has a changed appearance.
- Folder "c:\users\ciihmnxmn6ps\onedrive" has a changed appearance.
- Folder "c:\users\ciihmnxmn6ps\pictures" has a changed appearance.
- Folder "c:\users\ciihmnxmn6ps\searches" has a changed appearance.
- Folder "c:\users\ciihmnxmn6ps\videos" has a changed appearance.
- Folder "c:\users\ciihmnxmn6ps\saved games" has a changed appearance.
- Folder "c:\users\ciihmnxmn6ps\links" has a changed appearance.
- Folder "c:\users\public\downloads" has a changed appearance.
- Folder "c:\users\public\documents" has a changed appearance.
- Folder "c:\users\public\pictures" has a changed appearance.
- Folder "c:\users\public\music" has a changed appearance.
- Folder "c:\users\public\videos" has a changed appearance.
- Folder "c:\users\ciihmnxmn6ps\favorites" has a changed appearance.
- Folder "c:\users\public\accountpictures" has a changed appearance.
- Folder "c:\users\public\libraries" has a changed appearance.
- Folder "c:\program files (x86)\common files\microsoft shared\stationery" has a changed appearance.
- Folder "c:\program files\common files\microsoft shared\stationery" has a changed appearance.

1/5 | File System | Modifies application directory | -
- Modifies "c:\program files\how to restore files.hta".
- Modifies "c:\program files\desktop.ini id-br3n0g72wub8cejt.lyas".
- Modifies "c:\program files (x86)\how to restore files.hta".
- Modifies "c:\program files (x86)\desktop.ini id-br3n0g72wub8cejt.lyas".
- Modifies "c:\program files (x86)\common files\how to restore files.hta".
- Modifies "c:\program files (x86)\common files\extensiveadvertisement.exe id-br3n0g72wub8cejt.lyas".
- Modifies "c:\program files\internet explorer\how to restore files.hta".
- Modifies "c:\program files\microsoft office\how to restore files.hta".
- Modifies "c:\program files\microsoft office 15\charity.exe id-br3n0g72wub8cejt.lyas".
- Modifies "c:\program files\microsoft office\appxmanifest.xml id-br3n0g72wub8cejt.lyas".
- Modifies "c:\program files\reference assemblies\how to restore files.hta".
- Modifies "c:\program files\reference assemblies\commands.exe id-br3n0g72wub8cejt.lyas".
- Modifies "c:\program files\uninstall information\how to restore files.hta".
- Modifies "c:\program files\uninstall information\just_instant_bulgaria.exe id-br3n0g72wub8cejt.lyas".
- Modifies "c:\program files\uninstall information\lined-tex.exe id-br3n0g72wub8cejt.lyas".
- Modifies "c:\program files\windows nt\how to restore files.hta".
- Modifies "c:\program files\windows journal\how to restore files.hta".
- Modifies "c:\program files\windows nt\lowest forwarding sitemap.exe id-br3n0g72wub8cejt.lyas".
- Modifies "c:\program files\windows mail\how to restore files.hta".
- Modifies "c:\program files\windows journal\orders oxide shift.exe id-br3n0g72wub8cejt.lyas".
- Modifies "c:\program files\windows portable devices\how to restore files.hta".
- Modifies "c:\program files\windows photo viewer\collecting_vb_les.exe id-br3n0g72wub8cejt.lyas".
- Modifies "c:\program files\windows media player\how to restore files.hta".
- Modifies "c:\program files\windows media player\affected.exe id-br3n0g72wub8cejt.lyas".
- Modifies "c:\program files\windows multimedia platform\freeware.exe id-br3n0g72wub8cejt.lyas".
- Modifies "c:\program files\windows mail\tr_wireless.exe id-br3n0g72wub8cejt.lyas".
- Modifies "c:\program files\microsoft office\filesystemmetadata.xml id-br3n0g72wub8cejt.lyas".
- Modifies "c:\program files\common files\designer\how to restore files.hta".
- Modifies "c:\program files\common files\services\how to restore files.hta".
- Modifies "c:\program files\common files\system\how to restore files.hta".
- Modifies "c:\program files (x86)\adobe\acrobat reader dc\how to restore files.hta".
- Modifies "c:\program files (x86)\common files\services\how to restore files.hta".
- Modifies "c:\program files\common files\designer\msaddndr.olb id-br3n0g72wub8cejt.lyas".
- Modifies "c:\program files\windows photo viewer\runtime recommendation.exe id-br3n0g72wub8cejt.lyas".
- Modifies "c:\program files (x86)\internet explorer\how to restore files.hta".
- Modifies "c:\program files (x86)\microsoft.net\how to restore files.hta".
- Modifies "c:\program files (x86)\microsoft.net\flavor.exe id-br3n0g72wub8cejt.lyas".
- Modifies "c:\program files (x86)\mozilla maintenance service\how to restore files.hta".
- Modifies "c:\program files (x86)\windows media player\how to restore files.hta".
- Modifies "c:\program files (x86)\windows media player\kg_tools_them.exe id-br3n0g72wub8cejt.lyas".
- Modifies "c:\program files (x86)\windows multimedia platform\how to restore files.hta".
- Modifies "c:\program files (x86)\windows mail\how to restore files.hta".
- Modifies "c:\program files (x86)\windows portable devices\how to restore files.hta".
- Modifies "c:\program files (x86)\windows photo viewer\limousines.exe id-br3n0g72wub8cejt.lyas".
- Modifies "c:\program files (x86)\internet explorer\reveal_medicare_ebay.exe id-br3n0g72wub8cejt.lyas".
- Modifies "c:\program files\internet explorer\en-us\how to restore files.hta".
- Modifies "c:\program files\windows media player\en-us\how to restore files.hta".
- Modifies "c:\program files\windows defender\en-us\how to restore files.hta".
- Modifies "c:\program files\windows nt\accessories\how to restore files.hta".
- Modifies "c:\program files\java\jre1.8.0_131\copyright id-br3n0g72wub8cejt.lyas".
- Modifies "c:\program files\java\jre1.8.0_131\license id-br3n0g72wub8cejt.lyas".
- Modifies "c:\program files\java\jre1.8.0_131\readme.txt id-br3n0g72wub8cejt.lyas".
- Modifies "c:\program files\java\jre1.8.0_131\release id-br3n0g72wub8cejt.lyas".
- Modifies "c:\program files (x86)\common files\system\how to restore files.hta".
- Modifies "c:\program files\internet explorer\signup\how to restore files.hta".
- Modifies "c:\program files (x86)\common files\java\java update\how to restore files.hta".
- Modifies "c:\program files\windows mail\en-us\how to restore files.hta".
- Modifies "c:\program files\windows journal\en-us\how to restore files.hta".
- Modifies "c:\program files (x86)\windows portable devices\semiconductor phys.exe id-br3n0g72wub8cejt.lyas".
- Modifies "c:\program files (x86)\windows multimedia platform\pump.exe id-br3n0g72wub8cejt.lyas".
- Modifies "c:\program files (x86)\adobe\acrobat reader dc\readme.htm id-br3n0g72wub8cejt.lyas".
- Modifies "c:\program files\microsoft office 15\clientx64\integratedoffice.exe id-br3n0g72wub8cejt.lyas".
- Modifies "c:\program files\common files\microsoft shared\source engine\how to restore files.hta".
- Modifies "c:\program files\common files\system\ado\how to restore files.hta".
- Modifies "c:\program files\common files\microsoft shared\msinfo\how to restore files.hta".
- Modifies "c:\program files (x86)\common files\microsoft shared\dao\how to restore files.hta".
- Modifies "c:\program files (x86)\common files\microsoft shared\ink\how to restore files.hta".
- Modifies "c:\program files (x86)\windows portable devices\slightly.exe id-br3n0g72wub8cejt.lyas".
- Modifies "c:\program files\internet explorer\signup\install.ins id-br3n0g72wub8cejt.lyas".
- Modifies "c:\program files\java\jre1.8.0_131\thirdpartylicensereadme-javafx.txt id-br3n0g72wub8cejt.lyas".
- Modifies "c:\program files\common files\microsoft shared\vsto\how to restore files.hta".
- Modifies "c:\program files\windows media player\media renderer\how to restore files.hta".
- Modifies "c:\program files\common files\microsoft shared\stationery\how to restore files.hta".
- Modifies "c:\program files (x86)\common files\microsoft shared\stationery\desktop.ini id-br3n0g72wub8cejt.lyas".
- Modifies "c:\program files\microsoft office\root\flattener\how to restore files.hta".
- Modifies "c:\program files (x86)\common files\system\ado\how to restore files.hta".
- Modifies "c:\program files (x86)\mozilla firefox\accessible.tlb id-br3n0g72wub8cejt.lyas".

1/5 | File System | Creates an unusually large number of files | -
- Creates an unusually large number of files.

1/5 | Static | Unparsable sections in file | -
- Static analyzer was unable to completely parse the analyzed file: \\?\C:\ProgramData\Oracle\Java\javapath_target_5923062\java.exe id-Br3n0G72wUb8CejT.LyaS.

1/5 | PE | The PE file was created with a packer | -
- File "C:\Users\CIiHmnxMn6Ps\Desktop\CRYPT.EXE" is packed with "ASPack v2.12 -> Alexey Solodovnikov".

1/5 | PE | Drops PE file | Dropper
- Drops file "\\?\C:\ProgramData\Package Cache\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\VC_redist.x86.exe id-Br3n0G72wUb8CejT.LyaS".
- Drops file "\\?\C:\ProgramData\Oracle\Java\javapath_target_5923062\java.exe id-Br3n0G72wUb8CejT.LyaS".
- Drops file "\\?\C:\ProgramData\Microsoft\IdentityCRL\production\ppcrlconfig600.dll id-Br3n0G72wUb8CejT.LyaS".
- Drops file "\\?\C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia100.dll id-Br3n0G72wUb8CejT.LyaS".
- Drops file "\\?\C:\Program Files\Common Files\microsoft shared\VSTO\vstoee.dll id-Br3n0G72wUb8CejT.LyaS".
- Drops file "\\?\C:\Users\CIiHmnxMn6Ps\Downloads\ChromeSetup.exe id-Br3n0G72wUb8CejT.LyaS".
- Drops file "\\?\C:\Program Files\Common Files\microsoft shared\VC\msdia100.dll id-Br3n0G72wUb8CejT.LyaS".
- Drops file "\\?\C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodLite.dll id-Br3n0G72wUb8CejT.LyaS".
- Drops file "\\?\C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE id-Br3n0G72wUb8CejT.LyaS".
- Drops file "\\?\C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe id-Br3n0G72wUb8CejT.LyaS".