Videos

Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

  • Distribution Method : Unknown
 
  • MD5 : 92117db6e028061b49507c9538a19a79
 
  • Major Detection Name : Ransom:Win32/HiddenTear.gen (Microsoft), Ransom_HIDDENTERONION.A (Trend Micro)
 
  • Encrypted File Pattern : .onion3cry-open-DECRYPTMYFILES
 
  • Malicious File Creation Location :
         - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\### DECRYPT MY FILES ###.exe.lnk
         - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\goupdate.exe.lnk
         - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\### DECRYPT MY FILES ###<Number>.exe.lnk
         - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\dez.exe.lnk
         - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\winupdate.exe.lnk
         - C:\Users\Public\Desktop\### DECRYPT MY FILES ###.exe
         - C:\Users\Public\Documents\### DECRYPT MY FILES ###<Number>.exe
         - C:\Users\Public\### DECRYPT MY FILES ###<Number>.exe
         - C:\Users\Public\dez.exe
         - C:\Users\%UserName%\AppData\Roaming\Local
         - C:\Users\%UserName%\AppData\Roaming\Local\Gogle
         - C:\Users\%UserName%\AppData\Roaming\Local\Gogle\update
         - C:\Users\%UserName%\AppData\Roaming\Local\Gogle\update\goupdate.exe
         - C:\Users\%UserName%\AppData\Roaming\Local\Gogle\update\winupdate.exe
         - C:\Users\%UserName%\AppData\Roaming\### DECRYPT MY FILES ###<Number>.exe
         - C:\### DECRYPT MY FILES ###<Number>.exe
 
  • Major Characteristics :
         - Offline Encryption
         - The English and Portuguese users targeted
         - Disable Task Manager (Taskmgr.exe / DisableTaskMgr)
         - Create a fake update windows (winupdate.exe) during file encryption

List

위로