This is just one reason why I like G DATA (this is pretty awesome):
Behavior Monitoring of the Philadelphia Ransomware sample just posted to the MT Malware Hub a few minutes ago
Start time Type Header Status
2017-07-21 03:18:37 Behavior monitoring Unknown threat Done
AVA 25.13476
GD 25.10046
*** Process ***
Process: 11500
File name: Philadelphia_latest.exe
Path: c:\users\lockdown\desktop\philadelphia_latest\philadelphia_latest.exe
Publisher: Unknown publisher
Creation date: Friday, July 21, 2017 3:15:45 AM
Modification date: Friday, July 21, 2017 9:03:02 AM
Started by: Philadelphia_latest.exe
Publisher: Unknown publisher
*** Actions ***
A packer was run on the program file, possibly to conceal malicious content.
The program has created files and folders that can be used to endanger the system.
The program establishes a network connection.
The program has created or manipulated an executable file.
The program has read data from its own program file.
The program created a copy of itself.
An executable file was stored in a suspicious location.
*** Quarantine ***
The following files were moved into quarantine:
C:\Users\Lockdown\AppData\Local\Microsoft\Windows\INetCache\IE\57CHPOZI\BIKSR0B0.htm
C:\Users\Lockdown\AppData\Local\Microsoft\Windows\INetCache\IE\AAKDF6IH\LYJNXLPA.htm
C:\Users\Lockdown\AppData\Local\Microsoft\Windows\INetCookies\TT1PK6YC.cookie
C:\Users\Lockdown\AppData\Local\Temp\
aut3019.tmp
C:\Users\Lockdown\AppData\Local\Temp\
aut302A.tmp
C:\Users\Lockdown\AppData\Local\Temp\
aut302B.tmp
C:\Users\Lockdown\AppData\Local\Temp\
aut303B.tmp
C:\Users\Lockdown\AppData\Local\Temp\
aut3086.tmp
C:\Users\Lockdown\AppData\Local\Temp\
delph1.bin
C:\Users\Lockdown\AppData\Local\Temp\
delph1.dat
C:\Users\Lockdown\AppData\Local\Temp\
delphi.au3.509
C:\Users\Lockdown\AppData\Local\Temp\pd4ta.bin
C:\Users\Lockdown\AppData\Local\Temp\pd4ta.dat
C:\Users\Lockdown\AppData\Roaming\40E49DE9CC2B41610C9D2F936CBBFC74
C:\Users\Lockdown\AppData\Roaming\Isass.exe
C:\Users\Lockdown\Desktop\Philadelphia_latest\Philadelphia_latest.exe
C:\Windows\Temp\avkhttp_030847454_067c33b9.tmp
C:\Windows\Temp\avkhttp_031523918_0b3c9d19.tmp
The following registry entries were deleted:
YGLxqHIOLSctJy0mBi4nJycnJgZncoJygmJicCp0gkInKCYGt3KCcoJiYnAsJygnKCYGmXJykCsWjypooC0nKCcoJgbbcnJycmJiwC8nJycnJgZtcoJygmJi4C0WKAiPcvJy8mJi8CknJycnJgbPcnJycmJicLZycnJyYmJwqHKCcoJiYnC4ctJy0mJicOhycnJyYmJwusJhXmO2csJhXmO2cmJicNtycnJyYmJwnXKCcoJiYnCOcnIJ5yonJycnJgb3KScoJygmBugqJwfoKycnJiYnBwA
Rules version: 5.0.148
OS: Windows 10.0 Service Pack 0.0 Build: 15063 - Workstation 64bit OS
dll version: 70613
C:\Users\Lockdown\Desktop\Philadelphia_latest\Philadelphia_latest.exe /
AutoIt3ExecuteScript "C:\Users\Lockdown\AppData\Local\Temp\delph1.dat"
MD5: ED0F05CAED1D5DBD129B6E49F0337725
"C:\Users\Lockdown\Desktop\Philadelphia_latest\Philadelphia_latest.exe"
MD5: ED0F05CAED1D5DBD129B6E49F0337725