Score | Category | Behavior | Classification

5/5 | File System | Encrypts content of user files | Ransomware
  - Encrypts the content of multiple user files. This is an indicator for ransomware.

5/5 | Device | Writes to Master Boot Record (MBR) | -
  - Writes 512 bytes to master boot record (MBR).

4/5 | OS | Modifies Windows automatic backups | -
  - Deletes Windows volume shadow copies.

4/5 | File System | Associated with malicious files | Trojan
  - File "c:\users\5p5nrgjn0js halpmcxz\desktop\c04c541f066a2b089bdc261616894a2f6bd49fca2e29350698175d9fc51c.exe" is a known malicious file.

2/5 | Hide Tracks | Uses Alternate Data Stream (ADS) for interprocess communication | -
  - Uses alternate data stream in "vqbkvy~1:bin".
  - Uses alternate data stream in "mscorsvw.exe:0".
  - Uses alternate data stream in "v5hw0h~1:bin".

2/5 | Device | Sends control codes to connected devices | -
  - Controls device "C:\$Recycle.Bin" through API DeviceIOControl.
  - Controls device "C:\$Recycle.Bin\S-1-5-21-3388679973-3930757225-3770151564-1000" through API DeviceIOControl.
  - Controls device "C:\Boot" through API DeviceIOControl.
  - Controls device "C:\Boot\cs-CZ" through API DeviceIOControl.
  - Controls device "C:\Boot\da-DK" through API DeviceIOControl.
  - Controls device "C:\Boot\de-DE" through API DeviceIOControl.
  - Controls device "C:\Boot\el-GR" through API DeviceIOControl.
  - Controls device "C:\Boot\en-US" through API DeviceIOControl.
  - Controls device "C:\Boot\es-ES" through API DeviceIOControl.
  - Controls device "C:\Boot\fi-FI" through API DeviceIOControl.
  - Controls device "C:\Boot\Fonts" through API DeviceIOControl.
  - Controls device "C:\Boot\fr-FR" through API DeviceIOControl.
  - Controls device "C:\Boot\hu-HU" through API DeviceIOControl.
  - Controls device "C:\Boot\it-IT" through API DeviceIOControl.
  - Controls device "C:\Boot\ja-JP" through API DeviceIOControl.
  - Controls device "C:\Boot\ko-KR" through API DeviceIOControl.
  - Controls device "C:\Boot\nb-NO" through API DeviceIOControl.
  - Controls device "C:\Boot\nl-NL" through API DeviceIOControl.
  - Controls device "C:\Boot\pl-PL" through API DeviceIOControl.
  - Controls device "C:\Boot\pt-BR" through API DeviceIOControl.
  - Controls device "C:\Boot\pt-PT" through API DeviceIOControl.
  - Controls device "C:\Boot\ru-RU" through API DeviceIOControl.
  - Controls device "C:\Boot\sv-SE" through API DeviceIOControl.
  - Controls device "C:\Boot\tr-TR" through API DeviceIOControl.
  - Controls device "C:\Boot\zh-CN" through API DeviceIOControl.
  - Controls device "C:\Boot\zh-HK" through API DeviceIOControl.
  - Controls device "C:\Boot\zh-TW" through API DeviceIOControl.
  - Controls device "C:\Config.Msi" through API DeviceIOControl.
  - Controls device "C:\MSOCache" through API DeviceIOControl.
  - Controls device "C:\MSOCache\All Users" through API DeviceIOControl.
  - Controls device "C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C" through API DeviceIOControl.
  - Controls device "C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C" through API DeviceIOControl.
  - Controls device "C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C" through API DeviceIOControl.
  - Controls device "C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C" through API DeviceIOControl.
  - Controls device "C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C" through API DeviceIOControl.
  - Controls device "C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C" through API DeviceIOControl.
  - Controls device "C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en" through API DeviceIOControl.
  - Controls device "C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es" through API DeviceIOControl.
  - Controls device "C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr" through API DeviceIOControl.
  - Controls device "C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C" through API DeviceIOControl.
  - Controls device "C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C" through API DeviceIOControl.
  - Controls device "C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C" through API DeviceIOControl.
  - Controls device "C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C" through API DeviceIOControl.
  - Controls device "C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C" through API DeviceIOControl.
  - Controls device "C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C" through API DeviceIOControl.

1/5 | Process | Creates system object | -
  - Creates mutex with name "Global\{FD64C8AB-F74D-C8D4-F31D-96A1BB45705E}".

1/5 | Process | Creates process with hidden window | -
  - The process "C:\Users\5P5NRG~1\AppData\Roaming\VQBKVY~1:bin" starts with hidden window.
  - The process "C:\Windows\system32\vssadmin.exe" starts with hidden window.
  - The process "C:\Windows\system32\diskshadow.exe" starts with hidden window.
  - The process "C:\Windows\system32\icacls.exe" starts with hidden window.
  - The process "C:\Users\5P5NRG~1\AppData\Roaming\\V5HW0H~1:bin" starts with hidden window.
  - The process "C:\Windows\system32\arp.exe" starts with hidden window.
  - The process "C:\Windows\system32\nslookup.exe" starts with hidden window.
  - The process "C:\Windows\system32\net.exe" starts with hidden window.

1/5 | File System | Modifies operating system directory | -
  - Modifies file "C:\Windows\servicing\TrustedInstaller.exe" in the OS directory.
  - Modifies file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe" in the OS directory.
  - Creates file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe:0" in the OS directory.

1/5 | File System | Creates an unusually large number of files | -
  - Creates an unusually large number of files.

1/5 | PE | Drops PE file | Dropper
  - Drops file "c:\users\5p5nrg~1\appdata\roaming\vqbkvy~1".
  - Drops file "c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe:0".
  - Drops file "c:\users\5p5nrg~1\appdata\roaming\v5hw0h~1".