Score | Category | Operation | Classification

5/5 | File System | Known malicious file | Trojan
- File "C:\Users\FD1HVy\Desktop\zzbdrimp2939.exe" is a known malicious file.

4/5 | File System | Renames user files | Ransomware
- Renames multiple user files. This is an indicator for an encryption attempt.

2/5 | Anti Analysis | Resolves APIs dynamically to possibly evade static detection | -
- Resolves an unusually high number of APIs.

2/5 | Device | Sends control codes to connected devices | -
- Controls device "C:\Documents and Settings" through API DeviceIOControl.
- Controls device "C:\Program Files\Microsoft Office\root\client\AppvIsvStream32.dll" through API DeviceIOControl.
- Controls device "C:\Program Files\Microsoft Office\root\client\AppvIsvStream64.dll" through API DeviceIOControl.
- Controls device "C:\Program Files\Microsoft Office\root\client\AppvIsvSubsystems32.dll" through API DeviceIOControl.
- Controls device "C:\Program Files\Microsoft Office\root\client\AppvIsvSubsystems64.dll" through API DeviceIOControl.
- Controls device "C:\Program Files\Microsoft Office\root\client\C2R32.dll" through API DeviceIOControl.
- Controls device "C:\Program Files\Microsoft Office\root\client\C2R64.dll" through API DeviceIOControl.
- Controls device "C:\Program Files\Microsoft Office\root\Office16\AppvIsvStream64.dll" through API DeviceIOControl.
- Controls device "C:\Program Files\Microsoft Office\root\Office16\AppvIsvSubsystems64.dll" through API DeviceIOControl.
- Controls device "C:\Program Files\Microsoft Office\root\Office16\C2R64.dll" through API DeviceIOControl.
- Controls device "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\AppvIsvStream32.dll" through API DeviceIOControl.
- Controls device "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\AppvIsvSubsystems32.dll" through API DeviceIOControl.
- Controls device "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\C2R32.dll" through API DeviceIOControl.
- Controls device "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AppvIsvStream64.dll" through API DeviceIOControl.
- Controls device "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AppvIsvSubsystems64.dll" through API DeviceIOControl.
- Controls device "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\C2R64.dll" through API DeviceIOControl.
- Controls device "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\EQUATION\AppvIsvStream32.dll" through API DeviceIOControl.
- Controls device "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\EQUATION\AppvIsvSubsystems32.dll" through API DeviceIOControl.
- Controls device "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\EQUATION\C2R32.dll" through API DeviceIOControl.
- Controls device "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\AppvIsvStream32.dll" through API DeviceIOControl.
- Controls device "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\AppvIsvSubsystems32.dll" through API DeviceIOControl.
- Controls device "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\C2R32.dll" through API DeviceIOControl.

1/5 | Process | Creates process with hidden window | -
- The process "C:\WINDOWS\system32\cmd.exe" starts with hidden window.
- The process "C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe" starts with hidden window.

1/5 | Process | Creates system object | -
- Creates mutex with name "MX-zzbdrimp".

1/5 | File System | Modifies application directory | -
- Modifies "\??\\C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll.locked".
- Modifies "\??\\C:\Program Files\Java\jre1.8.0_144\bin\decora_sse.dll.locked".
- Modifies "\??\\C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS01637_.WMF.locked".
- Modifies "\??\\C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\NA02407_.WMF.locked".
- Modifies "\??\\C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.locked".
- Modifies "\??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\STUDIO.INF.locked".
- Modifies "\??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL.locked".
- Modifies "\??\\C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\msipc.dll.mui.locked".
- Modifies "\??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT.locked".
- Modifies "\??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\SYSTEM\MSMAPI\1033\MSMAPI32.DLL.locked".
- Modifies "\??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\SYSTEM\ole db\xmlrwbin.dll.locked".
- Modifies "\??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dll.locked".
- Modifies "\??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF.locked".
- Modifies "\??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\msolui110.dll.locked".
- Modifies "\??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe.locked".
- Modifies "\??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\Resources\1033\msolui110.rll.locked".
- Modifies "\??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft.NET\ADOMD.NET\110\Microsoft.AnalysisServices.AdomdClient.dll.locked".
- Modifies "\??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\Cartridges\trdtv2r41.xsl.locked".
- Modifies "\??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\110\msolui110.dll.locked".
- Modifies "\??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL.locked".
- Modifies "\??\\C:\Program Files\Microsoft Office\root\VFS\System\VEN2232.OLB.locked".
- Modifies "\??\\C:\Program Files\Microsoft Office\root\VFS\SystemX86\vccorlib140.dll.locked".
- Modifies "\??\\C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi.locked".
- Modifies "\??\\C:\Program Files\Mozilla Firefox\browser\chrome.manifest.locked".
- Modifies "\??\\C:\Program Files\Mozilla Firefox\browser\blocklist.xml.locked".
- Modifies "\??\\C:\Program Files\Mozilla Firefox\dependentlibs.list.locked".
- Modifies "\??\\C:\Program Files\Mozilla Firefox\freebl3.chk.locked".
- Modifies "\??\\C:\Program Files\Mozilla Firefox\ucrtbase.dll.locked".
- Modifies "\??\\C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.locked".
- Modifies "\??\\C:\Program Files\rempl\remsh.exe.locked".
- Modifies "\??\\C:\Program Files\rempl\rempl.xml.locked".
- Modifies "\??\\C:\Program Files\rempl\Unlock.xml.locked".
- Modifies "\??\\C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.VisualC.STLCLR.dll.locked".
- Modifies "\??\\C:\Program Files\rempl\Logs\Remediation.003.etl.locked".
- Modifies "\??\\C:\Program Files\rempl\Logs\Remediation.002.etl.locked".
- Modifies "\??\\C:\Program Files\rempl\Logs\Remediation.001.etl.locked".
- Modifies "\??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ca-ES\toastreviewsettings.xml.locked".
- Modifies "\??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Config_131491847713900000.json.locked".
- Modifies "\??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ca-ES\toastbeginupgradeth2.xml.locked".
- Modifies "\??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\toastbeginupgrade.xml.locked".
- Modifies "\??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\index.html.locked".
- Modifies "\??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\toastbeginupgradeth2.xml.locked".
- Modifies "\??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\STUDIO.ELM.locked".

1/5 | Information Stealing | Possibly does reconnaissance | -
- Possibly trying to gather information about application "Mozilla Firefox" by file.

1/5 | File System | Creates an unusually large number of files | -
- Creates an unusually large number of files.