Multi-License Discount Quote

Change Region

English
Threat Database Ransomware 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware

'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Popularity Rank: 921
Threat Level: 10 % (Normal)
Infected Computers: 92,971
First Seen: March 15, 2016
Last Seen: April 5, 2026
OS(es) Affected: Windows

The 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware is a threat that has been very active in February and March of 2016. The 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware is one of the many known variants of the infamous TeslaCrypt ransomware Trojan. This threat has been used to attack computers since 2014. Although PC security researchers had been able to help computer users recover from TeslaCrypt infections, it seems that the 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware and new TeslaCrypt variants are no longer susceptible to the same fix as before. This is because the 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware and other new variants of this threat are the version 3.0 of this threat, which has eliminated the loophole that had allowed the recovery of encrypted files previously. If your files have been encrypted by the 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware, then you will need to restore them from an external backup or obtain the decryption key.

What a Threat Like the 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware may Cause to a Computer User

Ransomware Trojans like the 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware are fairly predictable and designed to assume the control of a computer and encrypt the victim's files, holding them for ransom until the affected computer user pays a large amount using Bitcoin or a similar payment method. PC security analysts have determined that the 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware, like other new variants of TeslaCrypt 3.0, may be spread using corrupted email attachments. As soon as the 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware enters a computer, it searches the user's computer for files that match file extensions in its configuration file. The 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware encrypts the following types of files (with new extensions being added to this list in new updates to this threat):

.7z; .rar; .m4a; .wma; .avi; .wmv; .csv; .d3dbsp; .sc2save; .sie; .sum; .ibank; .t13; .t12; .qdf; .gdb; .tax; .pkpass; .bc6; .bc7; .bkp; .qic; .bkf; .sidn; .sidd; .mddata; .itl; .itdb; .icxs; .hvpl; .hplg; .hkdb; .mdbackup; .syncdb; .gho; .cas; .svg; .map; .wmo; .itm; .sb; .fos; .mcgame; .vdf; .ztmp; .sis; .sid; .ncf; .menu; .layout; .dmp; .blob; .esm; .001; .vtf; .dazip; .fpk; .mlx; .kf; .iwd; .vpk; .tor; .psk; .rim; .w3x; .fsh; .ntl; .arch00; .lvl; .snx; .cfr; .ff; .vpp_pc; .lrf; .m2; .mcmeta; .vfs0; .mpqge; .kdb; .db0; .DayZProfile; .rofl; .hkx; .bar; .upk; .das; .iwi; .litemod; .asset; .forge; .ltx; .bsa; .apk; .re4; .sav; .lbf; .slm; .bik; .epk; .rgss3a; .pak; .big; .unity3d; .wotreplay; .xxx; .desc; .py; .m3u; .flv; .js; .css; .rb; .png; .jpeg; .txt; .p7c; .p7b; .p12; .pfx; .pem; .crt; .cer; .der; .x3f; .srw; .pef; .ptx; .r3d; .rw2; .rwl; .raw; .raf; .orf; .nrw; .mrwref; .mef; .erf; .kdc; .dcr; .cr2; .crw; .bay; .sr2; .srf; .arw; .3fr; .dng; .jpeg; .jpg; .cdr; .indd; .ai; .eps; .pdf; .pdd; .psd; .dbfv; .mdf; .wb2; .rtf; .wpd; .dxg; .xf; .dwg; .pst; .accdb; .mdb; .pptm; .pptx; .ppt; .xlk; .xlsb; .xlsm; .xlsx; .xls; .wps; .docm; .docx; .doc; .odb; .odc; .odm; .odp; .ods; .odt.

The 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware will take all files with the above extension and use an AES encryption algorithm to make them inaccessible. As part of its attack, the 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware will change the files' extension to ReCoVeRy and a string of random letters. The 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware also drops ransom notes in the form of text, image, or HTML files in directories where it has encrypted the victim's files. These ransom notes tell the computer user to pay a large amount of money in BitCoin to recover the encrypted files.

Recovering from the 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware

PC security researchers strongly advise that computer users abstain from paying the 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware ransomware since there is no guarantee that the people responsible for this attack will restore the encrypted files once the amount is paid. Paying this ransom further finances these attacks, allowing the 'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware to go on to infect additional computers. Instead, computer users should make sure that all files are properly backed up in an external device or location.

File System Details

'ReCoVeRy+[RANDOM LETTERS] File Extension' Ransomware may create the following file(s):
Expand All | Collapse All
# File Name MD5 Detections
1. poclbm.exe 472279a849d0e4423f4c7d70844315c4 8
2. svchost.exe 4155fc2722b435e1510b44f8f0a413b5 5

Analysis Report

General information

Family Name: PUP.CoinMiner
Signature status: No Signature

Known Samples

MD5: 6fece7850314487da3485777a13ac3ee
SHA1: 4bc53ff0a25e4af59ad46440ac315e2a31d9eb76
File Size: 342.46 KB, 342456 bytes
MD5: bed3afc7649f449b92116ab20bd3a503
SHA1: 3e2db7379de45a02ee9543d08e74a3eeb8521abb
File Size: 4.98 MB, 4980736 bytes
MD5: d2758395e132cee0eb1fa2c86481f6ff
SHA1: 63d24c93837351a5210dcd709535acb9be399079
File Size: 6.66 KB, 6656 bytes
MD5: 285a8c066e1594efde8c714b169bd4b6
SHA1: 9278aad91a9016f420c61ba0e4625caf403360f1
SHA256: 53C134DC371E68D066ADDB0EBEFE465EB1F5D8865C3EDBC4E2AF1588E3D88558
File Size: 2.67 MB, 2673568 bytes
MD5: b8f78c7a2be7a755594266733ab1ebd1
SHA1: e58e6b32e8ff7443777ad823d4ddf8a2a15ae8ed
SHA256: 237CD4DB39732920F6BA916DDEA5C24DA00BAC1176920689C33A8968DEA93F7F
File Size: 845.82 KB, 845824 bytes
Show More
MD5: aa90decb93b9d6cc50b2b0589c0634ac
SHA1: e5e9af22dce887091071e81b1049b659c4ffeaf9
SHA256: 012E8C2D9F802BF2BAD5CD21FB2E656C3C9D1F8E13CDD37240801A3B6CFB83A8
File Size: 4.71 MB, 4705792 bytes
MD5: ac83dde329e9f07621ee4545774bcba1
SHA1: e57fab810f323e4232fc2835e4c964e42fbd1815
SHA256: 45D951391F204A20803C5E249D7F43FEC0ACBF320F5CF6C3E42CCCCFE778CEA3
File Size: 846.85 KB, 846848 bytes
MD5: aaa829fb997782c905d4e43a0863edde
SHA1: e666933d021c64075133ffe413e4a22bac542560
SHA256: 1B4E6E64D5074BC32166BF2367E0FB18AEAFC2CB7562BB4642F6F660515B5F13
File Size: 2.69 MB, 2692096 bytes
MD5: 1cc592fe0de5547e45583f80c2afc5d1
SHA1: bc18ca930764e53dbe24392a1fe1a469eefa0e90
SHA256: 6E3200BAB2F7012E373DD383C84E7B9A02FE65EABD62AB24B0AE2E79DDD1A2BE
File Size: 1.60 MB, 1595624 bytes
MD5: 1347c3fe1701f111e2908b8eca8f9c01
SHA1: a7d953da1fdc4148caee13cac517c4f99c489f05
SHA256: E3E4CB63E8782ECC3B36B3872DEE947795681B6F7121CF74FB7DF99B87A39119
File Size: 135.68 KB, 135680 bytes
MD5: 6274a8d2632a792a3193de82187f6e43
SHA1: d7064c692487177a5bcc18fa4de0835a7e94bfbf
SHA256: F583ED317F61217E33C9BFDCE41456DD4B03C447C95C3F5B77CDF2C49395E8C2
File Size: 5.09 MB, 5087744 bytes
MD5: f61e712fb0831953d3db7e34dd13e114
SHA1: 6763aae6db7069aed2962ec0134fc9fb7fdb2a21
SHA256: 7A1E4F70EEE2E623E59867467B1E9174FAEC5731D6E598A921F838D97F31677E
File Size: 6.18 MB, 6177792 bytes
MD5: 3c7c13a976e455256254b5921e12aab5
SHA1: b65902ac640f18a232f5f4937893a0249eac78f4
SHA256: CE49BEFB88317C929087B48A7A965F24B56712D8CA19FFFFB620FE799806F2CF
File Size: 6.17 MB, 6172160 bytes
MD5: 6ffb332772b7b73da8b177bfceccf96c
SHA1: 530ad87e942d6fce3b42aa7a060f3efb450b8946
SHA256: A5AF9F37E91922304044BA5EB4BE05303AC5998A50DC49B109A824D9B823CA01
File Size: 446.80 KB, 446800 bytes
MD5: 291ee88a4ec791df7fda10960beb2543
SHA1: f3c76912458c5349ab796b81dfbbf5fb47c2439e
SHA256: 21FD21787B139B7C6ECB91D66FDB3CE759AA4163EAAF82CC4E6EFF4CD7F448BC
File Size: 574.98 KB, 574976 bytes
MD5: 673b6923d3ccaf423b3bc4798d7b9263
SHA1: 0a27d6a1d7492a2acf90b9c42069a30158f3009a
SHA256: E8C770FB64D1A1C61887C631667C059A143F9340D916BDDB1854DD51ADAB1535
File Size: 9.16 MB, 9156096 bytes
MD5: d8effca8cc96eab4de6a8af123a3deac
SHA1: 03aa19c5cdfd1e046c68c64bf8e51352854053ab
SHA256: 18B66593DB886B5C1B02C47A2727A3476752A27B40706DA47C6BE087F282E331
File Size: 5.21 MB, 5207040 bytes
MD5: a2d10e6cccedcaaf2ebbc2693d95bc13
SHA1: fda24be08d4487cf6d1a74e1ddea40707ed3fd5b
SHA256: B372BBCB9FBAA1828FAE36BDD78E5F671237E4CE55D62D53EA504ACF4F7C4F54
File Size: 210.43 KB, 210432 bytes
MD5: a2d2038bd10d53289be97b6016511380
SHA1: c1aa6cc3a2ef4edb5d0ecf9dc5bff914a92aaba9
SHA256: 90487A97405670DC143ED24CDD79801627466E1CB145C21423D410F05398280E
File Size: 55.81 KB, 55808 bytes
MD5: 5e282f31200af69d1a349dee2e11ba56
SHA1: 19c39befbb4e12a1ccdd48e36b9a93f30bf5e739
SHA256: 59E537F5CE8BE429EB8F6EF2934702347608601E1A29B4FC49474E2E760324FA
File Size: 261.38 KB, 261384 bytes
MD5: 86fc38c9c2b5402be365e5698f02e357
SHA1: e26dd6a3f77a725c3e6009f53530ddd53cd09f2d
SHA256: 1CAC69032CF7F33A87EB573A544D79B67CFD62D8BB1724C07EEFE2B8556CE002
File Size: 5.38 MB, 5377112 bytes
MD5: d178b37438de72570b1b66e3d2464e8d
SHA1: 90c44debcb1d881afc1ca7226e67e54714ff5625
SHA256: 1E498780554CFF7AE541AD8678E68284F8E2A8427697F2017FAEF4B953136B3B
File Size: 1.86 MB, 1859280 bytes
MD5: 8bf0a4f28a742b69ae2627396dea3671
SHA1: 4f09d85c13372a69144be0b054e34aae2eb4c4c5
SHA256: AE5220978F912C5431E461A4189C4FFA0D8A394B2574B56F6CE69EF8AC131A15
File Size: 1.91 MB, 1906688 bytes
MD5: 94d0f7f46039384a77e93d84cd957eac
SHA1: 8ab1f2619f1a0b9db534426bddb328e23afb6bf1
SHA256: F970BC16D697FEBC6EBBFE8CC650011D5B6DCBAD1B4E5D1E8C603F1B7DE35FEE
File Size: 874.50 KB, 874496 bytes
MD5: 25a0981fcce9ee36b7e54f4f75623838
SHA1: 31bfe0aa8b94e4e4adda13db4b111d67ae64dd08
SHA256: 8743A07BE2D666AAF692F217B68BB02753696C7835C592AB45D4A11602A967A2
File Size: 410.62 KB, 410624 bytes
MD5: 1908ef90269c3c7815776ea3e2712d45
SHA1: b98b18eec77c00d12a84c331ab6ebb9acee5809c
SHA256: B2D4CBBB5DF792EC33FD6074ACA9AC34037C2891CBC99F9053B0CB8CBF5242F9
File Size: 9.73 KB, 9728 bytes
MD5: fe04b3859465617d219584854cc25c52
SHA1: ab75bbd0713d9f3a6ce555fde70beb79d6043375
SHA256: AFED4EB33A98521A8B8E19958A375DD00C11AF3A2D63F3D69C4DDA4A9698F8C3
File Size: 407.55 KB, 407552 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has been packed
  • File has exports table
  • File has TLS information
  • File is .NET application
  • File is 32-bit executable
Show More
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Show More

Windows PE Version Information

Name Value
Assembly Version
  • 10.0.19041.3636
  • 1.24.0.0
  • 1.9.9.8
  • 1.4.3.0
  • 1.1.0.0
  • 1.0.0.0
  • 0.6.13.0
  • 0.0.0.0
Comments
  • MRT is a free reporting template provided by the DMIRS
  • NiceHash QuickMiner
  • Service Host: Local System
Company Name
  • Bitcoin Core project
  • Department of Mines, Industry Regulation and Safety
  • DigitalDNA Games
  • DigitalDNA Games | skyH4PPY
  • EpicScale Inc.
  • HP Inc.
  • Lingon Studios
  • MagicSoft
  • Microsoft Corporation
  • NiceHash
Show More
  • PCI Geomatics
  • SimLab Studios, LLC
Company Website https://bitcoincore.org/
File Description
  • Camera Launcher
  • CastleMiner Z
  • CATALYST Professional Toolbar
  • CpMinerva
  • Data Miner Installer
  • Diamond Miner 8-3
  • EpicScale module
  • Installer for Bitcoin Core
  • MagicMinerMonitor
  • Mineral Exploration Reporting Templates
Show More
  • NiceHash QuickMiner
  • ScheduleTaskCreater
  • ServiceHostApp
  • TonMiner
File Version
  • 2024.0.0.1
  • 28.1.0
  • 10.0.19041.3636
  • 1.24.0.0
  • 1.9.9.8
  • 1.4.3
  • 1.1.0.0
  • 1.0.3.0
  • 1.0.0.0
  • 0.6.13.0
Show More
  • 0.0.0.0
Internal Name
  • CameraLauncher.exe
  • CastleMinerZ.exe
  • catalystpro
  • CpMinerva.exe
  • Data Miner Installer.exe
  • Diamond Miner 8-3.exe
  • EpicScale.exe
  • MagicMinerMonitor.exe
  • MRT.exe
  • NiceHashQuickMiner.exe
Show More
  • RuntimeBroker.dll
  • ScheduleTaskCreater.exe
  • ServiceHostApp.dll
  • TonMiner.exe
Legal Copyright
  • (c) 2023-2024 Lingon Studios. All rights reserved.
  • (c) EpicScale Inc. All rights reserved.
  • Copyright (C) 2009-2024 The Bitcoin Core developers
  • Copyright (c) 2023
  • Copyright (C) 2023
  • Copyright © 2018
  • Copyright © 2021
  • Copyright © 2022
  • Copyright © 2023
  • Copyright © 2024
Show More
  • Copyright © Department of Mines, Industry Regulation and Safety 2018
  • Copyright © DigitalDNA Games 2011
  • Copyright © HP Inc. 2019
  • Copyright © MagicSoft 2024
  • © Microsoft Corporation. All rights reserved.
Original Filename
  • CameraLauncher.exe
  • CastleMinerZ.exe
  • catalystpro.exe
  • CpMinerva.exe
  • Data Miner Installer.exe
  • Diamond Miner 8-3.exe
  • EpicScale.exe
  • MagicMinerMonitor.exe
  • Moose Miners
  • MRT.exe
Show More
  • NiceHashQuickMiner.exe
  • RuntimeBroker.dll
  • ScheduleTaskCreater.exe
  • ServiceHostApp.dll
  • TonMiner.exe
Product Name
  • Bitcoin Core
  • Camera Launcher
  • CastleMiner Z
  • CastleMiner Z [OpenClassic]
  • CATALYST Professional
  • CpMinerva
  • Data Miner Installer
  • Diamond Miner 8-3
  • EpicScale
  • MagicMinerMonitor
Show More
  • Microsoft® Windows® Operating System
  • Moose Miners
  • MRT
  • NiceHash QuickMiner
  • ScheduleTaskCreater
  • TonMiner
Product Version
  • 2223.0.1
  • 2024.0.0.1
  • 28.1.0
  • 10.0.19041.3636
  • 1.24.0.0
  • 1.9.9.8
  • 1.4.3
  • 1.1.0.0
  • 1.0.3.0
  • 1.0.0.0
Show More
  • 0.6.13.0
  • 0.0.0.0

Digital Signatures

Signer Root Status
AKTN7z6t AKTN7z6t Self Signed
METADADOS\starteam METADADOS\starteam Self Signed
Microsoft Corporation Microsoft Corporation Self Signed
Yury Nagolov SSL.com Code Signing Intermediate CA ECC R2 Self Signed
H-Bit d.o.o. Sectigo Public Code Signing Root R46 Hash Mismatch
Show More
Epic Scale, Inc. VeriSign Class 3 Public Primary Certification Authority - G5 Root Not Trusted
foobar foobar Self Signed

File Traits

  • .NET
  • 2+ executable sections
  • big overlay
  • CryptUnprotectData
  • fptable
  • GetConsoleWindow
  • HighEntropy
  • imgui
  • Installer Manifest
  • Installer Version
Show More
  • MZ (In Overlay)
  • NewLateBinding
  • nosig nsis
  • No Version Info
  • ntdll
  • Nullsoft Installer
  • packed
  • RijndaelManaged
  • VirtualAllocExNuma
  • WriteProcessMemory
  • x64
  • x86

Block Information

Total Blocks: 1,328
Potentially Malicious Blocks: 21
Whitelisted Blocks: 1,251
Unknown Blocks: 56

Visual Map

0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 x x x 0 x x x x x x x x 0 x x 0 ? ? ? ? ? ? 0 ? ? ? 0 ? 0 0 0 ? ? ? 0 0 0 0 x 0 ? ? ? ? ? ? ? ? ? ? 0 ? ? ? 0 ? ? ? ? ? 0 0 0 ? ? ? 0 ? ? ? ? x 0 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 1 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Agent.DFD
  • Agent.DFE
  • Agent.IRB
  • DiscordStealer.Q
  • Kryptik.KOE
Show More
  • Kryptik.OIB
  • Kryptik.OID
  • MSIL.Agent.YCDA
  • MSIL.Bladabindi.AC
  • MSIL.Krypt.JKB
  • MSIL.Krypt.ZADY
  • MSIL.Krypt.ZAEC
  • MSIL.Stealer.XE
  • Mikey.W
  • PSW.Discord.M
  • ShellcodeRunner.RDD
  • Trojan.Agent.Gen.ATA
  • Trojan.Agent.Gen.ATI
  • Trojan.Agent.Gen.ATZ
  • XLoader.A

Files Modified

File Attributes
\device\namedpipe\dav rpc service Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\pshost.134180995335387612.1508.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\wkssvc Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\programdata\epicscale\epicscale.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_gjsx0ddo.r2j.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_h4qey2ma.41t.ps1 Generic Write,Read Attributes
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\18e6b4a57a6bc7ec9b861cdf2d6d0d02_c3b142d2c5374581dc2fdffdedbdeddb Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\aeaccda8653dd8d7b2ea32f21d15d44f_cea5e1fddbfc4886e06b57aacf74b6b6 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\b2faf7692fd9ffbd64ede317e42334ba_93702e680a5530c052c8d2ba33a2225f Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\18e6b4a57a6bc7ec9b861cdf2d6d0d02_c3b142d2c5374581dc2fdffdedbdeddb Generic Read,Write Data,Write Attributes,Write extended,Append data
Show More
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\aeaccda8653dd8d7b2ea32f21d15d44f_cea5e1fddbfc4886e06b57aacf74b6b6 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\b2faf7692fd9ffbd64ede317e42334ba_93702e680a5530c052c8d2ba33a2225f Generic Read,Write Data,Write Attributes,Write extended,Append data

Registry Modifications

Key::Value Data API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 RegNtPreCreateKey
HKLM\software\microsoft\systemcertificates\authroot\certificates\ddfb16cd4931c973a2037d3fc83a4d7d775d05e4::blob RegNtPreCreateKey
Show More
HKLM\software\microsoft\systemcertificates\authroot\certificates\ddfb16cd4931c973a2037d3fc83a4d7d775d05e4::blob RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enablefiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enableautofiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enableconsoletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::filetracingmask ￿ RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::consoletracingmask ￿ RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::maxfilesize  RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::filedirectory %windir%\tracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enablefiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enableautofiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enableconsoletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::filetracingmask ￿ RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::consoletracingmask ￿ RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::maxfilesize  RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::filedirectory %windir%\tracing RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 睿芒듧ǜ RegNtPreCreateKey

Windows API Usage

Category API
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess
  • ShellExecute
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAllocateLocallyUniqueId
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreatePortSection
  • ntdll.dll!NtAlpcCreateResourceReserve
  • ntdll.dll!NtAlpcCreateSectionView
  • ntdll.dll!NtAlpcCreateSecurityContext
Show More
  • ntdll.dll!NtAlpcDeleteSecurityContext
  • ntdll.dll!NtAlpcDisconnectPort
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcQueryInformationMessage
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtAlpcSetInformation
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtCancelTimer2
  • ntdll.dll!NtCancelWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtCompareSigningLevels
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeleteValueKey
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFlushProcessWriteBuffers
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtFsControlFile
  • ntdll.dll!NtGetCachedSigningLevel
  • ntdll.dll!NtGetCompleteWnfStateSubscription
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenMutant
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtPowerInformation
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFile
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryEvent
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationJobObject
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtQueryWnfStateNameInformation
  • ntdll.dll!NtQueueApcThread
  • ntdll.dll!NtQueueApcThreadEx2
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReadVirtualMemory
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore

47 additional items are not displayed above.

Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
User Data Access
  • GetComputerName
  • GetComputerNameEx
  • GetUserDefaultLocaleName
  • GetUserName
  • GetUserNameEx
  • GetUserObjectInformation
Other Suspicious
  • AdjustTokenPrivileges
  • SetWindowsHookEx
Encryption Used
  • BCryptOpenAlgorithmProvider
Keyboard Access
  • GetKeyState
Network Winsock2
  • WSAConnect
  • WSASocket
  • WSAStartup
Network Winsock
  • closesocket
  • freeaddrinfo
  • getaddrinfo
  • recv
  • send
  • setsockopt
Network Winhttp
  • WinHttpOpen
Network Info Queried
  • GetAdaptersAddresses
  • GetNetworkParams

Shell Command Execution

open C:\ProgramData\EpicScale\EpicScale.exe
C:\WINDOWS\system32\fondue.exe "C:\WINDOWS\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
powershell -Command "Add-MpPreference -ExclusionProcess 'powershell.exe'"

Trending

Most Viewed

Loading...