
  • Distribution Method : Unknown
 
  • MD5 : 00a50f67d713a45cea6dc956c30042c1
 
  • Major Detection Name : Ransomware/PowerShell.Lockbit.S1945 (AhnLab V3), Trojan:PowerShell/Obfuse!MSR (Microsoft)
 
  • Encrypted File Pattern : <Random>.19MqZqZ0s
 
  • Malicious File Creation Location :
     - C:\ProgramData\19MqZqZ0s.ico
     - C:\ProgramData\<Random>.tmp
 
  • Message File : 19MqZqZ0s.README.txt
 
  • Major Characteristics :
     - Offline Encryption
     - File encryption using Windows PowerShell (C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe)
     - Deletes multiple services (EventLog, vmvss, VSS, WdBoot, WdFilter, WdNisDrv, etc.)
     - Changes the icon of encrypted files (<Random>.19MqZqZ0s) (HKEY_CLASSES_ROOT\19MqZqZ0s)
     - Changes desktop background (C:\ProgramData\19MqZqZ0s.bmp)
