VMRay Analyzer Report for Sample #1145164
VMRay Analyzer
3.2.2
Process 1: PID 1404, payload.exe (parent PID 1108)
  Command line: "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\payload.exe"
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\users\5p5nrgjn0js halpmcxz\desktop\payload.exe
  Relations: Child_Of, Created, Opened, Opened, Created, Created, Opened, Opened, Opened, Opened
Process 2: PID 348, cmd.exe (parent PID 1404)
  Command line: "C:\Windows\system32\cmd.exe"
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\windows\system32\cmd.exe
  Relations: Child_Of, Child_Of, Created, Opened, Opened, Opened
Process 3: PID 1168, mode.com (parent PID 348)
  Command line: mode con cp select=1251
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\windows\system32\mode.com
Process 4: PID 1380, vssadmin.exe (parent PID 348)
  Command line: vssadmin delete shadows /all /quiet
  Working directory: C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
  Image path: c:\windows\system32\vssadmin.exe
  Relations: Child_Of
Process 5: PID 2156, vssvc.exe (parent PID 472)
  Command line: C:\Windows\system32\vssvc.exe
  Working directory: C:\Windows\system32\
  Image path: c:\windows\system32\vssvc.exe
Mutex
Global\syncronize_JNA9TRA
Mutex
Global\syncronize_JNA9TRU
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  Value: payload.exe = C:\Windows\System32\payload.exe (REG_SZ)
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  Value: Startup
WinRegistryKey HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  Value: Startup
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  Value: Common Startup
WinRegistryKey HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
WinRegistryKey HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
  Values: DisableUNCCheck, EnableExtensions, DelayedExpansion, DefaultColor, CompletionChar, PathCompletionChar, AutoRun
WinRegistryKey HKEY_CURRENT_USER\Software\Microsoft\Command Processor
  Values: DisableUNCCheck, EnableExtensions, DelayedExpansion, DefaultColor, CompletionChar, PathCompletionChar, AutoRun
Analyzed Sample #1145164
Malware Artifacts
1145164
Sample-ID: #1145164
Job-ID: #3214121
This sample was analyzed by VMRay Analyzer 3.2.2 on a Windows 7 system
100
VTI Score based on VTI Database Version 3.6
Metadata of Sample File #1145164
Submission-ID: #4735597
efb0259e622d73c1d946689b619e6fbeebeac1d59a021bc68e5f64f6c18a3947exe
MD5
9292471ed7464442e95ff7fbc3028334
SHA1
ea09c5926e14cdd52fee8a82976f3ffa8a597591
SHA256
efb0259e622d73c1d946689b619e6fbeebeac1d59a021bc68e5f64f6c18a3947
Opened_By
Metadata of Analysis for Job-ID #3214121
True
Timeout
True
240.011
XDUWTFONO
win7_64_sp1
x86 64-bit
Windows 7
6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa)
5p5NrGJn0jS HALPmcxz
XDUWTFONO
This is a property collection holding additional information about the VMRay analysis
VMRay Analyzer
Obfuscation
VTI rule match with VTI rule score 2/5
vmray_dynamic_api_usage_by_api
Resolves an unusually high number of APIs.
Resolves APIs dynamically to possibly evade static detection
Mutex
VTI rule match with VTI rule score 1/5
vmray_create_named_mutex
Creates mutex with name "Global\syncronize_JNA9TRA".
Creates mutex
Mutex
VTI rule match with VTI rule score 1/5
vmray_create_named_mutex
Creates mutex with name "Global\syncronize_JNA9TRU".
Creates mutex
Discovery
VTI rule match with VTI rule score 0/5
vmray_enumerate_processes
Enumerates running processes.
Enumerates running processes
System Modification
VTI rule match with VTI rule score 1/5
vmray_create_file_in_os_dir
Creates file "C:\Windows\System32\payload.exe" in the OS directory.
Modifies operating system directory
Persistence
VTI rule match with VTI rule score 1/5
vmray_install_startup_script_by_registry
Adds "C:\Windows\System32\payload.exe" to Windows startup via registry.
Installs system startup script or application
Persistence
VTI rule match with VTI rule score 1/5
vmray_install_startup_script_by_file
Adds "c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\start menu\programs\startup\payload.exe" to Windows startup folder.
Installs system startup script or application
Persistence
VTI rule match with VTI rule score 1/5
vmray_install_startup_script_by_file
Adds "c:\programdata\microsoft\windows\start menu\programs\startup\payload.exe" to Windows startup folder.
Installs system startup script or application
Hide Tracks
VTI rule match with VTI rule score 1/5
vmray_create_process_with_hidden_window
The process "C:\Windows\system32\cmd.exe" starts with hidden window.
Creates process with hidden window
Obfuscation
VTI rule match with VTI rule score 1/5
vmray_read_from_remote_process
"c:\windows\system32\cmd.exe" reads from "C:\Windows\system32\mode.com".
Reads from memory of another process
Hide Tracks
VTI rule match with VTI rule score 1/5
vmray_change_folder_appearance
Folder "c:\$recycle.bin\s-1-5-21-3388679973-3930757225-3770151564-1000" has a changed appearance.
Changes folder appearance
Obfuscation
VTI rule match with VTI rule score 1/5
vmray_read_from_remote_process
"c:\windows\system32\cmd.exe" reads from "C:\Windows\system32\vssadmin.exe".
Reads from memory of another process
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\grphflt\ms.jpg.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\ink\flickanimation.avi.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\grphflt\ms.gif.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\grphflt\ms.png.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\grphflt\ms.eps.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\ink\hwruklm.dat.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\ink\hwruksh.dat.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\ink\hwrusalm.dat.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\ink\hwrusash.dat.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\1033\ado210.chm.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\access.en-us\accessmui.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\access.en-us\accessmuiset.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\1033\readme.htm.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\excel.en-us\excelmui.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\excel.en-us\setup.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\groove.en-us\groovemui.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\access.en-us\setup.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\infopath.en-us\infopathmui.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\infopath.en-us\setup.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\groove.en-us\setup.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\office.en-us\officemui.xml".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\office.en-us\officemui.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\office.en-us\psconfig.chm.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\office.en-us\pss10o.chm.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\office.en-us\branding.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\office.en-us\officemuiset.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\office.en-us\setup.chm.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\office.en-us\oct.chm.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\office.en-us\pss10r.chm.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\office.en-us\setup.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\office32.ww\office32ww.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\office32.en-us\office32mui.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\office32.en-us\setup.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\onenote.en-us\onenotemui.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\outlook.en-us\outlookmui.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\onenote.en-us\setup.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\powerpoint.en-us\powerpointmui.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\prjpror\prjprorww.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\prjpror\setup.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\powerpoint.en-us\setup.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\project.en-us\projectmui.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\outlook.en-us\setup.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\proof.en\proof.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\proof.es\proof.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\project.en-us\setup.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\proof.fr\proof.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\proofing.en-us\proofing.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\proofing.en-us\setup.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\proplusr\proplusrww.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\proplusr\setup.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\publisher.en-us\publishermui.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\publisher.en-us\setup.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\visio.en-us\setup.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\visio.en-us\visiomui.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\visior\setup.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\visior\visiorww.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\visior\visiorww.xml".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\smart tag\1033\mcabout.htm.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\smart tag\lists\1033\dates.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\smart tag\lists\1033\phone.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\smart tag\lists\1033\stocks.dat.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\smart tag\lists\1033\stocks.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\smart tag\lists\1033\time.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\smart tag\lists\basmla.xsl.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\smart tag\metconv.txt.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\word.en-us\setup.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\office14\office setup controller\word.en-us\wordmui.xml.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\stationery\cave_drawings.gif".
Modifies application directory
Hide Tracks
VTI rule match with VTI rule score 1/5
vmray_change_folder_appearance
Folder "c:\program files\common files\microsoft shared\stationery" has a changed appearance.
Changes folder appearance
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\stationery\desktop.ini.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\stationery\genko_2.emf".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\stationery\genko_1.emf".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\themes14\aftrnoon\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\themes14\aftrnoon\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\themes14\axis\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\themes14\arctic\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\themes14\blends\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\themes14\blends\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\themes14\arctic\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\themes14\bluecalm\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\themes14\bluecalm\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\themes14\blueprnt\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\themes14\blueprnt\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\themes14\boldstri\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\themes14\axis\thmbnail.png".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\themes14\boldstri\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\themes14\breeze\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\themes14\axis\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\themes14\breeze\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\themes14\canyon\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\themes14\canyon\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\themes14\boldstri\preview.gif".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\themes14\capsules\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Modifies "c:\program files\common files\microsoft shared\themes14\capsules\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl".
Modifies application directory
System Modification
VTI rule match with VTI rule score 1/5
vmray_modify_application_dir_by_file
Category | VTI rule score | VTI rule | Details | Operation
 | | | Modifies "c:\program files\common files\microsoft shared\themes14\compass\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\compass\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\concrete\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\cascade\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\cascade\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\concrete\thmbnail.png". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\deepblue\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\deepblue\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\echo\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\concrete\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\echo\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\echo\thmbnail.png". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\edge\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\edge\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\evrgreen\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\eclipse\preview.gif". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\eclipse\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\expeditn\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\expeditn\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\ice\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\ice\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\eclipse\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\indust\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\indust\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\evrgreen\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\iris\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\journal\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\journal\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\layers\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\layers\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\level\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\iris\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\network\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\network\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\papyrus\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\level\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\pixel\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\profile\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\profile\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\quad\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\papyrus\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\pixel\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\quad\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\refined\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\radial\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\ricepapr\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\ricepapr\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\radial\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\ripple\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\ripple\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\rmnsque\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\satin\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\satin\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\refined\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\sky\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\sky\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\slate\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\slate\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\sonora\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\sonora\thmbnail.png.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_modify_application_dir_by_file | Modifies "c:\program files\common files\microsoft shared\themes14\spring\preview.gif.id-9c354b42.[pvphlp@tutanota.com].pphl". | Modifies application directory
System Modification | 1/5 | vmray_create_many_files | Creates above average number of files. | Creates an unusually large number of files
User Data Modification | 4/5 | vmray_modify_windows_backup_settings | Deletes Windows volume shadow copies. | Modifies Windows automatic backups
Antivirus | 5/5 | vmray_av_malicious_match | Local AV detected the sample itself as "Trojan.Ransom.Crysis.E". | Malicious content was detected by heuristic scan
Antivirus | 5/5 | vmray_av_malicious_match | Local AV detected a memory dump of process "payload.exe" as "Trojan.Ransom.Crysis.E". | Malicious content was detected by heuristic scan
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\Boot\BOOTSTAT.DAT.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\BOOTSECT.BAK.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\setup.chm.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\branding.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\pss10r.chm.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\branding.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\AccessMUISet.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Office32WW.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\Office32WW.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\PrjProrWW.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\ProPlusrWW.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\VisiorWW.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Setup.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\Office32WW.xml.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.JPG.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.GIF.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.PNG.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.EPS.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUI.XML.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUISet.XML.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\README.HTM.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\ExcelMUI.XML.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.msi.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Excel.en-us\SETUP.XML.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Access.en-us\SETUP.XML.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us\InfoPathMUI.XML.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\GrooveMUI.XML.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\InfoPath.en-us\SETUP.XML.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Groove.en-us\SETUP.XML.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.msi.id-9C354B42.[pvphlp@tutanota.com].PPHL". | Malicious content matched by YARA rules
YARA | 5/5 | vmray_yara_match_high | Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUI.XML.id-9C354B42.[pvphlp@tutanota.com].PPHL". | 
Malicious content matched by YARA rules
YARA
VTI rule match with VTI rule score 5/5
vmray_yara_match_high
Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSCONFIG.CHM.id-9C354B42.[pvphlp@tutanota.com].PPHL".
Malicious content matched by YARA rules
YARA
VTI rule match with VTI rule score 5/5
vmray_yara_match_high
Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10O.CHM.id-9C354B42.[pvphlp@tutanota.com].PPHL".
Malicious content matched by YARA rules
YARA
VTI rule match with VTI rule score 5/5
vmray_yara_match_high
Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\BRANDING.XML.id-9C354B42.[pvphlp@tutanota.com].PPHL".
Malicious content matched by YARA rules
YARA
VTI rule match with VTI rule score 5/5
vmray_yara_match_high
Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.msi.id-9C354B42.[pvphlp@tutanota.com].PPHL".
Malicious content matched by YARA rules
YARA
VTI rule match with VTI rule score 5/5
vmray_yara_match_high
Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.msi.id-9C354B42.[pvphlp@tutanota.com].PPHL".
Malicious content matched by YARA rules
YARA
VTI rule match with VTI rule score 5/5
vmray_yara_match_high
Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.msi.id-9C354B42.[pvphlp@tutanota.com].PPHL".
Malicious content matched by YARA rules
YARA
VTI rule match with VTI rule score 5/5
vmray_yara_match_high
Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.CHM.id-9C354B42.[pvphlp@tutanota.com].PPHL".
Malicious content matched by YARA rules
YARA
VTI rule match with VTI rule score 5/5
vmray_yara_match_high
Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OCT.CHM.id-9C354B42.[pvphlp@tutanota.com].PPHL".
Malicious content matched by YARA rules
YARA
VTI rule match with VTI rule score 5/5
vmray_yara_match_high
Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10R.CHM.id-9C354B42.[pvphlp@tutanota.com].PPHL".
Malicious content matched by YARA rules
YARA
VTI rule match with VTI rule score 5/5
vmray_yara_match_high
Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.XML.id-9C354B42.[pvphlp@tutanota.com].PPHL".
Malicious content matched by YARA rules
YARA
VTI rule match with VTI rule score 5/5
vmray_yara_match_high
Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.WW\Office32WW.XML.id-9C354B42.[pvphlp@tutanota.com].PPHL".
Malicious content matched by YARA rules
YARA
VTI rule match with VTI rule score 5/5
vmray_yara_match_high
Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us\SETUP.XML.id-9C354B42.[pvphlp@tutanota.com].PPHL".
Malicious content matched by YARA rules
YARA
VTI rule match with VTI rule score 5/5
vmray_yara_match_high
Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office32.en-us\Office32MUI.XML.id-9C354B42.[pvphlp@tutanota.com].PPHL".
Malicious content matched by YARA rules
YARA
VTI rule match with VTI rule score 5/5
vmray_yara_match_high
Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUISet.XML.id-9C354B42.[pvphlp@tutanota.com].PPHL".
Malicious content matched by YARA rules
YARA
VTI rule match with VTI rule score 5/5
vmray_yara_match_high
Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\OneNote.en-us\SETUP.XML.id-9C354B42.[pvphlp@tutanota.com].PPHL".
Malicious content matched by YARA rules
YARA
VTI rule match with VTI rule score 5/5
vmray_yara_match_high
Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\PowerPointMUI.XML.id-9C354B42.[pvphlp@tutanota.com].PPHL".
Malicious content matched by YARA rules
YARA
VTI rule match with VTI rule score 5/5
vmray_yara_match_high
Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\OneNote.en-us\OneNoteMUI.XML.id-9C354B42.[pvphlp@tutanota.com].PPHL".
Malicious content matched by YARA rules
YARA
VTI rule match with VTI rule score 5/5
vmray_yara_match_high
Rule "DharmaEncryptedFile" from ruleset "Ransomware" has matched on the dropped file "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PRJPROR\PrjProrWW.XML.id-9C354B42.[pvphlp@tutanota.com].PPHL".
Malicious content matched by YARA rules
YARA
VTI rule match with VTI rule score 5/5
vmray_yara_match_high
Rule "Dharma_Based" from ruleset "Ransomware" has matched on the extracted function string file "function_strings_process_1.txt".
Malicious content matched by YARA rules