  • Distribution Method : Unknown
 
  • MD5 : 823e4c4e47e8dabe32fc700409a78537
 
  • Major Detection Name : Ransom.FileCryptor (Malwarebytes), Ransom.Win64.CRYTOX.C (Trend Micro)
 
  • Encrypted File Pattern : .<Original Extension> <Random>.waiting
 
  • Malicious File Creation Location :
     - C:\Windows\pghdn.txt
     - C:\Windows\rwjfk.bat
     - C:\Windows\utox.exe
     - C:\ReadMe.hta
 
  • Payment Instruction File : ReadMe.hta
 
  • Major Characteristics :
     - Offline Encryption
     - File encryption is carried out through the legitimate system executables "C:\Windows\explorer.exe" and "C:\Windows\System32\svchost.exe" rather than by the dropped utox.exe itself, so process-name-based detection of utox.exe alone will miss the encryption activity
     - Deletes volume shadow copies to defeat system restore (vssadmin.exe Delete Shadows /All /Quiet)
     - Clears Windows event logs to hinder forensics (wevtutil.exe cl "Analytic", wevtutil.exe cl "Application", wevtutil.exe cl "Security", wevtutil.exe cl "Setup", wevtutil.exe cl "System", wevtutil.exe cl "WMPSyncEngine", etc.)
     - Opening an encrypted (.waiting) file displays the ransom note via mshta (C:\Windows\System32\mshta.exe "C:\ReadMe.hta")