- Distribution Method : Unknown
- MD5 : ec517204fbcf7a980d137b116afa946d
- Major Detection Name : TR/Ransom.MBRlock.nwhir (Avira), Trojan-Ransom.Win32.Coronavi.a (Kaspersky)
- Encrypted File Pattern : coronaVi2022@protonmail.ch___<Original Filename>.<Original Extension>
- Malicious File Creation Location :
  - C:\Users\%UserName%\AppData\Local\Temp\<Random>.exe
  - C:\Users\%UserName%\AppData\Local\Temp\CoronaVirus.txt
- Payment Instruction File : CoronaVirus.txt
- Major Characteristics :
  - Offline encryption
  - Changes the disk name to "CoronaVirus"
  - Modifies the MBR and automatically reboots Windows after file encryption is complete
  - Disables system restore by deleting shadow copies and backups (VSSADMIN.EXE Delete Shadows /All /Quiet, wbadmin.exe delete backup -keepVersions:0 -quiet, wbadmin.exe delete systemstatebackup -keepVersions:0 -quiet)
  - Creates a boot message by modifying the default value of the registry entry "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute"