c04c541f...d341

Severity	Category	Operation	Classification
5/5	File System	Encrypts content of user files	Ransomware
Encrypts the content of multiple user files. This is an indicator for ransomware. ... VTI Actions Go to Function Call
5/5	Device	Writes to Master Boot Record (MBR)	-
Writes 512 bytes to master boot record (MBR). ... VTI Actions Go to MBR Modification
4/5	OS	Modifies Windows automatic backups	-
Deletes Windows volume shadow copies. ... VTI Actions Go to Process
4/5	File System	Associated with malicious files	Trojan
File "c:\users\5p5nrgjn0js halpmcxz\desktop\c04c541f066a2b089bdc261616894a2f6bd49fca2e29350698175d9fc51c.exe" is a known malicious file. ... VTI Actions Go to File Details Go to Function Call
2/5	Hide Tracks	Uses Alternate Data Stream (ADS) for interprocess communication	-
Uses alternate data stream in "vqbkvy~1:bin". ... VTI Actions Go to Function Call
Uses alternate data stream in "mscorsvw.exe:0". ... VTI Actions Go to Function Call
Uses alternate data stream in "v5hw0h~1:bin". ... VTI Actions Go to Function Call
2/5	Device	Sends control codes to connected devices	-
Controls device "C:\$Recycle.Bin" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\$Recycle.Bin\S-1-5-21-3388679973-3930757225-3770151564-1000" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\Boot" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\Boot\cs-CZ" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\Boot\da-DK" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\Boot\de-DE" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\Boot\el-GR" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\Boot\en-US" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\Boot\es-ES" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\Boot\fi-FI" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\Boot\Fonts" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\Boot\fr-FR" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\Boot\hu-HU" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\Boot\it-IT" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\Boot\ja-JP" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\Boot\ko-KR" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\Boot\nb-NO" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\Boot\nl-NL" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\Boot\pl-PL" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\Boot\pt-BR" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\Boot\pt-PT" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\Boot\ru-RU" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\Boot\sv-SE" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\Boot\tr-TR" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\Boot\zh-CN" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\Boot\zh-HK" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\Boot\zh-TW" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\Config.Msi" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\MSOCache" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\MSOCache\All Users" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C" through API DeviceIOControl. ... VTI Actions Go to Function Call
Controls device "C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C" through API DeviceIOControl. ... VTI Actions Go to Function Call
1/5	Process	Creates system object	-
Creates nameless mutex. ... VTI Actions Go to Function Call
Creates mutex with name "Global\{FD64C8AB-F74D-C8D4-F31D-96A1BB45705E}". ... VTI Actions Go to Function Call
1/5	Process	Creates process with hidden window	-
The process "C:\Users\5P5NRG~1\AppData\Roaming\VQBKVY~1:bin" starts with hidden window. ... VTI Actions Go to Function Call
The process "C:\Windows\system32\vssadmin.exe" starts with hidden window. ... VTI Actions Go to Function Call
The process "C:\Windows\system32\diskshadow.exe" starts with hidden window. ... VTI Actions Go to Function Call
The process "C:\Windows\system32\icacls.exe" starts with hidden window. ... VTI Actions Go to Function Call
The process "C:\Users\5P5NRG~1\AppData\Roaming\\V5HW0H~1:bin" starts with hidden window. ... VTI Actions Go to Function Call
The process "C:\Windows\system32\arp.exe" starts with hidden window. ... VTI Actions Go to Function Call
The process "C:\Windows\system32\nslookup.exe" starts with hidden window. ... VTI Actions Go to Function Call
The process "C:\Windows\system32\net.exe" starts with hidden window. ... VTI Actions Go to Function Call
1/5	File System	Modifies operating system directory	-
Modifies file "C:\Windows\servicing\TrustedInstaller.exe" in the OS directory. ... VTI Actions Go to Function Call
Modifies file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe" in the OS directory. ... VTI Actions Go to Function Call
Creates file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe:0" in the OS directory. ... VTI Actions Go to Function Call
1/5	File System	Creates an unusually large number of files	-
Creates an unusually large number of files. ... VTI Actions Go to Function Call
1/5	PE	Drops PE file	Dropper
Drops file "c:\users\5p5nrg~1\appdata\roaming\vqbkvy~1". ... VTI Actions Go to File Details Go to Function Call
Drops file "c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe:0". ... VTI Actions Go to File Details Go to Function Call
Drops file "c:\users\5p5nrg~1\appdata\roaming\v5hw0h~1". ... VTI Actions Go to File Details Go to Function Call

Notifications (1/1)

Before

After