Trojan.Ransomcrypt.D

By Domesticus in Trojans

Threat Scorecard

Threat Level:	90 % (High)
Infected Computers:	2

First Seen:	July 15, 2013
Last Seen:	March 15, 2022
OS(es) Affected:	Windows

Trojan.Ransomcrypt.D is a Trojan that encrypts particular documents on the targeted PC and blocks the desktop. Once run, Trojan.Ransomcrypt.D replicates itself to the particular locations. Trojan.Ransomcrypt.D creates the infected files. Trojan.Ransomcrypt.D then creates the file so that it can launch automatically whenever you start Windows. Trojan.Ransomcrypt.D then creates and modifies the Windows Registry so that it can launch automatically whenever you start Windows. Trojan.Ransomcrypt.D creates and modifies the Windows Registry in an attempt to reduce security settings. Trojan.Ransomcrypt.D then creates other registry entries. Trojan.Ransomcrypt.D may block the corrupted PC and show an image/warning message that reads 'DIRTY ALERT'. Trojan.Ransomcrypt.D will ask the target computer user for a fine to restore access to the victimized PC using one of the payment systems PaySafeCard, Ukash or MoneyPak. Trojan.Ransomcrypt.D may also encrypt files on the infected computer. In order to disguise the infection, Trojan.Ransomcrypt.D may kill the processes used to keep track of system behavior. Trojan.Ransomcrypt.D may then connect to different URLs.

File System Details

Trojan.Ransomcrypt.D may create the following file(s):

Expand All | Collapse All

#	File Name	Detections Detections: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
1.	%Temp%\[RANDOM CHARACTERS].exe
Name: %Temp%\[RANDOM CHARACTERS].exe Type: Executable File Group: Malware file
2.	%UserProfile%\Local Settings\Application Data\Dirty\DirtyDecrypt.exe
Name: %UserProfile%\Local Settings\Application Data\Dirty\DirtyDecrypt.exe Type: Executable File Group: Malware file
3.	%ProgramFiles%\Dirty\DirtyDecrypt.exe
Name: %ProgramFiles%\Dirty\DirtyDecrypt.exe Type: Executable File Group: Malware file
4.	%UserProfile%\Local Settings\Application Data\Identities\[RANDOM CHARACTERS].exe
Name: %UserProfile%\Local Settings\Application Data\Identities\[RANDOM CHARACTERS].exe Type: Executable File Group: Malware file
5.	%ProgramFiles%\Adobe\[RANDOM CHARACTERS].exe
Name: %ProgramFiles%\Adobe\[RANDOM CHARACTERS].exe Type: Executable File Group: Malware file
6.	%UserProfile%\Application Data\Dirty\DirtyDecrypt.exe
Name: %UserProfile%\Application Data\Dirty\DirtyDecrypt.exe Type: Executable File Group: Malware file
7.	%UserProfile%\Start Menu\Programs\Startup\[RANDOM CHARACTERS].exe
Name: %UserProfile%\Start Menu\Programs\Startup\[RANDOM CHARACTERS].exe Type: Executable File Group: Malware file
8.	%UserProfile%\Application Data\Microsoft\Crypto\RSA\[SID]\f841fc663738bb69a5edcfa7a046c624_7d2d450e-594b-4214-a88e-adb179f21516
Name: %UserProfile%\Application Data\Microsoft\Crypto\RSA\[SID]\f841fc663738bb69a5edcfa7a046c624_7d2d450e-594b-4214-a88e-adb179f21516 Group: Malware file
9.	%UserProfile%\Application Data\Microsoft\Crypto\RSA\[SID]\c454754cf8997ff64bf863f7a733297e_7d2d450e-594b-4214-a88e-adb179f21516
Name: %UserProfile%\Application Data\Microsoft\Crypto\RSA\[SID]\c454754cf8997ff64bf863f7a733297e_7d2d450e-594b-4214-a88e-adb179f21516 Group: Malware file
10.	%UserProfile%\Application Data\Microsoft\Crypto\RSA\[SID]\92bd0cb3bb654c3ca25f64427cd8bdff_7d2d450e-594b-4214-a88e-adb179f21516
Name: %UserProfile%\Application Data\Microsoft\Crypto\RSA\[SID]\92bd0cb3bb654c3ca25f64427cd8bdff_7d2d450e-594b-4214-a88e-adb179f21516 Group: Malware file
11.	%UserProfile%\Application Data\Dirty\alertwall.jpg
Name: %UserProfile%\Application Data\Dirty\alertwall.jpg Group: Malware file
12.	%UserProfile%\Application Data\Microsoft\Crypto\RSA\[SID]\76c6693205311293dabe1dd1d619ff3d_7d2d450e-594b-4214-a88e-adb179f21516
Name: %UserProfile%\Application Data\Microsoft\Crypto\RSA\[SID]\76c6693205311293dabe1dd1d619ff3d_7d2d450e-594b-4214-a88e-adb179f21516 Group: Malware file

Registry Details

Trojan.Ransomcrypt.D may create the following registry entry or registry entries:

HKEY..\..\..\..{RegistryKeys}

HKEY_LOCAL_MACHINE\SOFTWARE\{GUID}\"ID" = "[BINARY DATA]"

HKEY_CURRENT_USER\Software\{GUID}\"PeriodDisabed" = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"AntiVirusOverride" = "1"

HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\00000220\"C" = "[BINARY DATA]"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\"Start" = "4"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "%UserProfile%\Local Settings\Application Data\Identities\[RANDOM CHARACTERS].exe"

HKEY_CURRENT_USER\Software\{GUID}\"ID" = "[BINARY DATA]"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"

HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\"F" = "[BINARY DATA]"

HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\Members\[SID]\000003ED\"(Default)" = "?\00?"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"DirtyDecrypt" = "\"\\?\%UserProfile%\Application Data\Dirty\DirtyDecrypt.exe\" \hide"

HKEY_LOCAL_MACHINE\SOFTWARE\{GUID}\"PeriodDisabed" = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"UacDisableNotify" = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"FirewallOverride" = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "%System%\userinit.exe,,%ProgramFiles%\Adobe\[RANDOM CHARACTERS].exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\"Start" = "4"

Enigma Software Group Prevails Over Malwarebytes at the Ninth Circuit

Search

Change Region

Trojan.Ransomcrypt.D

Threat Scorecard

EnigmaSoft Threat Scorecard

File System Details

Registry Details

Submit Comment

Trending

Rzfu Ransomware

'YouPorn' Email Scam

Rzkd Ransomware

Most Viewed

Is Lookmovie.io Safe?

How To Fix 'Printer Driver is Unavailable' Error

Discord Shows Black Screen when Sharing Screen