Multi-License Discount Quote

Change Region

English
Threat Database Ransomware 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware

'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Popularity Rank: 1,026
Threat Level: 10 % (Normal)
Infected Computers: 92,695
First Seen: March 15, 2016
Last Seen: February 7, 2026
OS(es) Affected: Windows

The 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware is a threat that has been very active in February and March of 2016. The 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware is one of the many known variants of the infamous TeslaCrypt ransomware Trojan. This threat has been used to attack computers since 2014. Although PC security researchers had been able to help computer users recover from TeslaCrypt infections, it seems that the 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware and new TeslaCrypt variants are no longer susceptible to the same fix as before. This is because the 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware and other new variants of this threat are the version 3.0 of this threat, which has eliminated the loophole that had allowed the recovery of encrypted files previously. If your files have been encrypted by the 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware, then you will need to restore them from an external backup or obtain the decryption key.

What a Threat Like the 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware may Cause to a Computer User

Ransomware Trojans like the 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware are fairly predictable and designed to assume the control of a computer and encrypt the victim's files, holding them for ransom until the affected computer user pays a large amount using Bitcoin or a similar payment method. PC security analysts have determined that the 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware, like other new variants of TeslaCrypt 3.0, may be spread using corrupted email attachments. As soon as the 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware enters a computer, it searches the user's computer for files that match file extensions in its configuration file. The 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware encrypts the following types of files (with new extensions being added to this list in new updates to this threat):

.7z; .rar; .m4a; .wma; .avi; .wmv; .csv; .d3dbsp; .sc2save; .sie; .sum; .ibank; .t13; .t12; .qdf; .gdb; .tax; .pkpass; .bc6; .bc7; .bkp; .qic; .bkf; .sidn; .sidd; .mddata; .itl; .itdb; .icxs; .hvpl; .hplg; .hkdb; .mdbackup; .syncdb; .gho; .cas; .svg; .map; .wmo; .itm; .sb; .fos; .mcgame; .vdf; .ztmp; .sis; .sid; .ncf; .menu; .layout; .dmp; .blob; .esm; .001; .vtf; .dazip; .fpk; .mlx; .kf; .iwd; .vpk; .tor; .psk; .rim; .w3x; .fsh; .ntl; .arch00; .lvl; .snx; .cfr; .ff; .vpp_pc; .lrf; .m2; .mcmeta; .vfs0; .mpqge; .kdb; .db0; .DayZProfile; .rofl; .hkx; .bar; .upk; .das; .iwi; .litemod; .asset; .forge; .ltx; .bsa; .apk; .re4; .sav; .lbf; .slm; .bik; .epk; .rgss3a; .pak; .big; .unity3d; .wotreplay; .xxx; .desc; .py; .m3u; .flv; .js; .css; .rb; .png; .jpeg; .txt; .p7c; .p7b; .p12; .pfx; .pem; .crt; .cer; .der; .x3f; .srw; .pef; .ptx; .r3d; .rw2; .rwl; .raw; .raf; .orf; .nrw; .mrwref; .mef; .erf; .kdc; .dcr; .cr2; .crw; .bay; .sr2; .srf; .arw; .3fr; .dng; .jpeg; .jpg; .cdr; .indd; .ai; .eps; .pdf; .pdd; .psd; .dbfv; .mdf; .wb2; .rtf; .wpd; .dxg; .xf; .dwg; .pst; .accdb; .mdb; .pptm; .pptx; .ppt; .xlk; .xlsb; .xlsm; .xlsx; .xls; .wps; .docm; .docx; .doc; .odb; .odc; .odm; .odp; .ods; .odt.

The 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware will take all files with the above extension and use an AES encryption algorithm to make them inaccessible. As part of its attack, the 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware will change the files' extension to ReCoVeRy and a string of random letters. The 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware also drops ransom notes in the form of text, image, or HTML files in directories where it has encrypted the victim's files. These ransom notes tell the computer user to pay a large amount of money in BitCoin to recover the encrypted files.

Recovering from the 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware

PC security researchers strongly advise that computer users abstain from paying the 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware ransomware since there is no guarantee that the people responsible for this attack will restore the encrypted files once the amount is paid. Paying this ransom further finances these attacks, allowing the 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware to go on to infect additional computers. Instead, computer users should make sure that all files are properly backed up in an external device or location.

File System Details

'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware may create the following file(s):
Expand All | Collapse All
# File Name MD5 Detections
1. poclbm.exe 472279a849d0e4423f4c7d70844315c4 8
2. svchost.exe 4155fc2722b435e1510b44f8f0a413b5 5

Analysis Report

General information

Family Name: PUP.CoinMiner
Signature status: No Signature

Known Samples

MD5: 6fece7850314487da3485777a13ac3ee
SHA1: 4bc53ff0a25e4af59ad46440ac315e2a31d9eb76
File Size: 342.46 KB, 342456 bytes
MD5: bed3afc7649f449b92116ab20bd3a503
SHA1: 3e2db7379de45a02ee9543d08e74a3eeb8521abb
File Size: 4.98 MB, 4980736 bytes
MD5: d2758395e132cee0eb1fa2c86481f6ff
SHA1: 63d24c93837351a5210dcd709535acb9be399079
File Size: 6.66 KB, 6656 bytes
MD5: 285a8c066e1594efde8c714b169bd4b6
SHA1: 9278aad91a9016f420c61ba0e4625caf403360f1
SHA256: 53C134DC371E68D066ADDB0EBEFE465EB1F5D8865C3EDBC4E2AF1588E3D88558
File Size: 2.67 MB, 2673568 bytes
MD5: b8f78c7a2be7a755594266733ab1ebd1
SHA1: e58e6b32e8ff7443777ad823d4ddf8a2a15ae8ed
SHA256: 237CD4DB39732920F6BA916DDEA5C24DA00BAC1176920689C33A8968DEA93F7F
File Size: 845.82 KB, 845824 bytes
Show More
MD5: aa90decb93b9d6cc50b2b0589c0634ac
SHA1: e5e9af22dce887091071e81b1049b659c4ffeaf9
SHA256: 012E8C2D9F802BF2BAD5CD21FB2E656C3C9D1F8E13CDD37240801A3B6CFB83A8
File Size: 4.71 MB, 4705792 bytes
MD5: ac83dde329e9f07621ee4545774bcba1
SHA1: e57fab810f323e4232fc2835e4c964e42fbd1815
SHA256: 45D951391F204A20803C5E249D7F43FEC0ACBF320F5CF6C3E42CCCCFE778CEA3
File Size: 846.85 KB, 846848 bytes
MD5: aaa829fb997782c905d4e43a0863edde
SHA1: e666933d021c64075133ffe413e4a22bac542560
SHA256: 1B4E6E64D5074BC32166BF2367E0FB18AEAFC2CB7562BB4642F6F660515B5F13
File Size: 2.69 MB, 2692096 bytes
MD5: 1cc592fe0de5547e45583f80c2afc5d1
SHA1: bc18ca930764e53dbe24392a1fe1a469eefa0e90
SHA256: 6E3200BAB2F7012E373DD383C84E7B9A02FE65EABD62AB24B0AE2E79DDD1A2BE
File Size: 1.60 MB, 1595624 bytes
MD5: 1347c3fe1701f111e2908b8eca8f9c01
SHA1: a7d953da1fdc4148caee13cac517c4f99c489f05
SHA256: E3E4CB63E8782ECC3B36B3872DEE947795681B6F7121CF74FB7DF99B87A39119
File Size: 135.68 KB, 135680 bytes
MD5: 6274a8d2632a792a3193de82187f6e43
SHA1: d7064c692487177a5bcc18fa4de0835a7e94bfbf
SHA256: F583ED317F61217E33C9BFDCE41456DD4B03C447C95C3F5B77CDF2C49395E8C2
File Size: 5.09 MB, 5087744 bytes
MD5: f61e712fb0831953d3db7e34dd13e114
SHA1: 6763aae6db7069aed2962ec0134fc9fb7fdb2a21
SHA256: 7A1E4F70EEE2E623E59867467B1E9174FAEC5731D6E598A921F838D97F31677E
File Size: 6.18 MB, 6177792 bytes
MD5: 3c7c13a976e455256254b5921e12aab5
SHA1: b65902ac640f18a232f5f4937893a0249eac78f4
SHA256: CE49BEFB88317C929087B48A7A965F24B56712D8CA19FFFFB620FE799806F2CF
File Size: 6.17 MB, 6172160 bytes
MD5: 6ffb332772b7b73da8b177bfceccf96c
SHA1: 530ad87e942d6fce3b42aa7a060f3efb450b8946
SHA256: A5AF9F37E91922304044BA5EB4BE05303AC5998A50DC49B109A824D9B823CA01
File Size: 446.80 KB, 446800 bytes
MD5: 291ee88a4ec791df7fda10960beb2543
SHA1: f3c76912458c5349ab796b81dfbbf5fb47c2439e
SHA256: 21FD21787B139B7C6ECB91D66FDB3CE759AA4163EAAF82CC4E6EFF4CD7F448BC
File Size: 574.98 KB, 574976 bytes
MD5: 673b6923d3ccaf423b3bc4798d7b9263
SHA1: 0a27d6a1d7492a2acf90b9c42069a30158f3009a
SHA256: E8C770FB64D1A1C61887C631667C059A143F9340D916BDDB1854DD51ADAB1535
File Size: 9.16 MB, 9156096 bytes
MD5: d8effca8cc96eab4de6a8af123a3deac
SHA1: 03aa19c5cdfd1e046c68c64bf8e51352854053ab
SHA256: 18B66593DB886B5C1B02C47A2727A3476752A27B40706DA47C6BE087F282E331
File Size: 5.21 MB, 5207040 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has exports table
  • File has TLS information
  • File is .NET application
  • File is 32-bit executable
  • File is 64-bit executable
Show More
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Show More

Windows PE Version Information

Name Value
Assembly Version
  • 10.0.19041.3636
  • 1.24.0.0
  • 1.9.9.8
  • 1.0.0.0
Comments Service Host: Local System
Company Name
  • Bitcoin Core project
  • DigitalDNA Games
  • EpicScale Inc.
  • HP Inc.
  • Lingon Studios
  • MagicSoft
  • Microsoft Corporation
Company Website https://bitcoincore.org/
File Description
  • CastleMiner Z
  • Data Miner Installer
  • Diamond Miner 8-3
  • EpicScale module
  • Installer for Bitcoin Core
  • MagicMinerMonitor
  • ScheduleTaskCreater
  • ServiceHostApp
  • TonMiner
File Version
  • 2024.0.0.1
  • 28.1.0
  • 10.0.19041.3636
  • 1.24.0.0
  • 1.9.9.8
  • 1.0.0.0
Internal Name
  • CastleMinerZ.exe
  • Data Miner Installer.exe
  • Diamond Miner 8-3.exe
  • EpicScale.exe
  • MagicMinerMonitor.exe
  • ScheduleTaskCreater.exe
  • ServiceHostApp.dll
  • TonMiner.exe
Legal Copyright
  • (c) 2023-2024 Lingon Studios. All rights reserved.
  • (c) EpicScale Inc. All rights reserved.
  • Copyright (C) 2009-2024 The Bitcoin Core developers
  • Copyright © 2018
  • Copyright © 2021
  • Copyright © 2024
  • Copyright © DigitalDNA Games 2011
  • Copyright © HP Inc. 2019
  • Copyright © MagicSoft 2024
  • © Microsoft Corporation. All rights reserved.
Original Filename
  • CastleMinerZ.exe
  • Data Miner Installer.exe
  • Diamond Miner 8-3.exe
  • EpicScale.exe
  • MagicMinerMonitor.exe
  • Moose Miners
  • ScheduleTaskCreater.exe
  • ServiceHostApp.dll
  • TonMiner.exe
Product Name
  • Bitcoin Core
  • CastleMiner Z
  • Data Miner Installer
  • Diamond Miner 8-3
  • EpicScale
  • MagicMinerMonitor
  • Microsoft® Windows® Operating System
  • Moose Miners
  • ScheduleTaskCreater
  • TonMiner
Product Version
  • 2024.0.0.1
  • 28.1.0
  • 10.0.19041.3636
  • 1.24.0.0
  • 1.9.9.8
  • 1.0.0.0

Digital Signatures

Signer Root Status
METADADOS\starteam METADADOS\starteam Self Signed
Yury Nagolov SSL.com Code Signing Intermediate CA ECC R2 Self Signed
Epic Scale, Inc. VeriSign Class 3 Public Primary Certification Authority - G5 Root Not Trusted
foobar foobar Self Signed

File Traits

  • .NET
  • 2+ executable sections
  • fptable
  • HighEntropy
  • imgui
  • Installer Manifest
  • Installer Version
  • NewLateBinding
  • nosig nsis
  • No Version Info
Show More
  • Nullsoft Installer
  • RijndaelManaged
  • VirtualAllocExNuma
  • WriteProcessMemory
  • x64
  • x86

Block Information

Total Blocks: 13,281
Potentially Malicious Blocks: 5
Whitelisted Blocks: 12,906
Unknown Blocks: 370

Visual Map

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? ? 0 0 ? 0 0 0 0 ? ? 0 ? ? ? ? ? ? ? ? ? 0 0 0 0 0 x 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? 0 0 0 ? 0 0 0 0 0 ? 0 0 0 ? ? 0 0 0 0 ? 0 0 0 ? 0 0 0 ? ? ? ? ? ? ? 0 ? ? 0 0 0 ? ? ? ? ? ? 0 0 0 ? ? ? ? 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? ? 0 ? 0 0 ? ? ? ? 0 ? ? ? ? 0 ? 0 ? 0 ? 0 ? ? ? ? 0 ? ? 0 0 ? ? ? ? ? 0 0 ? ? ? 0 ? ? ? ? ? 0 0 0 ? ? 0 ? ? ? ? ? ? ? 0 ? ? 0 ? ? 0 0 0 0 0 ? ? ? 0 ? ? 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 ? 0 0 0 0 ? 0 ? ? 0 ? ? 0 0 0 0 0 ? ? 0 0 0 ? ? ? ? ? ? 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 ? ? 0 0 0 0 0 ? ? ? ? 0 ? ? ? 0 0 0 0 0 0 ? 0 0 0 0 0 0 ? 0 0 0 0 ? 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 ? ? ? ? 0 0 0 ? ? ? ? ? ? 0 0 0 0 0 ? 0 ? 0 ? ? ? 0 0 ? 0 ? 0 ? ? 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 ? 0 ? 0 0 0 0 0 0 0 0 ? 0 0 ? 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
... Data truncated
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Agent.DFD
  • Agent.DFE
  • DiscordStealer.Q
  • Kryptik.OIB
  • MSIL.Agent.YCDA
Show More
  • MSIL.Bladabindi.AC
  • MSIL.Krypt.JKB
  • MSIL.Krypt.ZADY
  • MSIL.Krypt.ZAEC
  • MSIL.Stealer.XE
  • Mikey.W
  • XLoader.A

Files Modified

File Attributes
c:\programdata\epicscale\epicscale.exe Generic Write,Read Attributes

Registry Modifications

Key::Value Data API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 RegNtPreCreateKey

Windows API Usage

Category API
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess
  • ShellExecute
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcDeleteSecurityContext
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
Show More
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenMutant
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFile
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationJobObject
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtQueryWnfStateNameInformation
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReadVirtualMemory
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetSystemInformation
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtTraceEvent
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtUpdateWnfStateData
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForMultipleObjects
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady

17 additional items are not displayed above.

Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
User Data Access
  • GetComputerNameEx
  • GetUserDefaultLocaleName
  • GetUserObjectInformation
Other Suspicious
  • AdjustTokenPrivileges
  • SetWindowsHookEx
Encryption Used
  • BCryptOpenAlgorithmProvider
Keyboard Access
  • GetKeyState

Shell Command Execution

open C:\ProgramData\EpicScale\EpicScale.exe
C:\WINDOWS\system32\fondue.exe "C:\WINDOWS\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll

Trending

Most Viewed

Loading...