
CryptoGuard detected ransomware in C:\Windows\explorer.exe

Hi, we have had 2 of these notifications over the past week, on two computers, days apart. Can somebody please help me to understand this? Many thanks in advance.

Endpoint Type: Computer
OS: Windows
Device:
Ransomware:

  • uid: ce7d755d-ebf9-e9b8-f1e8-2795b504799f
  • family_id: 9b1f12fe-330a-f940-ecd5-e1417332e656
  • process_alias_path: $windows\explorer.exe
  • process_name: Windows Explorer
  • process_version: 10
  • thumbprint: 20f00333e19359ac81a0ac9dd49f7dd31533f3379a6e57f78bada98b0b7c64cf
  • details:
    Mitigation CryptoGuard V5
    Timestamp 2022-07-21T11:53:31
    Platform 10.0.19043/x64 v37 06_a5
    PID 30568
    Enabled 007D2E3000800104
    Silent 0020000000000100
    Application C:\Windows\explorer.exe
    Created 2022-07-13T13:19:11
    Modified 2022-07-13T13:19:11
    Description Windows Explorer 10
    Filename C:\Windows\explorer.exe
    Detection Generic.Ransom.C

    1*\Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3374.MOV Created L0, Read T3584, Write T3702272 H24576|^234 #1,2
    2*\Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3374.JPG Opened L2059264, Read T4096|0% H4096|^61978 #2,1
    3 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3374.JPG Created L0, Read T3072, Write T2059264 H32768|^89937 #3
    4 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3373.JPG Opened L1831723, Read T4096|0% H4096|^62923 #14
    5 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3373.JPG Created L0, Read T1024, Write T1831936 H32768|^94646 #17,18
    6 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3373.MOV Opened L4066639, Read T4096|0% H4096|^229 #18,17
    7 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3373.MOV Created L0, Read T3584, Write T4066816 H32768|^239 #19
    8 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3372.MOV Opened L3828357, Read T4096|0% H4096|^228 #20
    9*\Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3372.MOV Created L0, Read T3072, Write T3828736 H32768|^239 #21,22
    10*\Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3372.JPG Opened L2000986, Read T4096|0% H4096|^62147 #22,21
    11 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3372.JPG Created L0, Read T2560, Write T2001408 H32768|^111735 #23
    12 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3371.MOV Opened L3327233, Read T4096|0% H4096|^261 #24
    13*\Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3371.MOV Created L0, Read T1536, Write T3327488 H28672|^252 #25,26
    14*\Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3371.JPG Opened L1593359, Read T4096|0% H4096|^61925 #26,25
    15 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3371.JPG Created L0, Read T512, Write T1593856 H32768|^131537 #27
    16 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3370.JPG Opened L1821811, Read T4096|0% H4096|^61686 #28
    21*\Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3369.MOV Created L0, Read T512, Write T3101184 H32768|^246 #45,46
    22*\Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3369.JPG Opened L1645581, Read T4096|0% H4096|^60876 #46,45
    25*\Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3368.MOV Created L0, Read T3584, Write T2960896 H32768|^246 #49,50
    26*\Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3368.JPG Opened L1877805, Read T4096|0% H4096|^62019 #50,49

    Dropped Files 1
\Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\FYQA2120.MOV Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 2 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3276.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 3 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3278.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 4 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3279.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 5 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3280.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 6 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3281.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 7 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3282.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 8 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3283.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 9 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3284.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 10 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3285.JPG 
Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 11 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3286.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 12 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3287.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 13 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3288.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 14 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3289.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 15 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3290.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 16 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3291.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 17 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3292.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 18 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3293.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 19 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3294.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 20 
\Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3295.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 21 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3296.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 22 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3297.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 23 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3298.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 24 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3299.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 25 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3300.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 26 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3301.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 27 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3302.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 28 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3303.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 29 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's 
ipad\IMG_3304.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 30 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3305.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 31 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3306.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 32 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3307.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 33 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3308.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 34 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3309.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 35 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3310.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 36 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3311.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 37 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3312.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 38 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3313.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 39 
\Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3314.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 40 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3315.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 41 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3316.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 42 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3317.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 43 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3318.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 44 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3319.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 45 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3320.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 46 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3321.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 47 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3322.MOV Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 48 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's 
ipad\IMG_3323.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 49 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3324.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 50 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3325.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 51 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3326.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 52 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3327.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 53 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3328.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 54 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3329.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 55 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3330.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 56 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3331.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 57 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3332.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 58 
\Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3333.MOV Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 59 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3334.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 60 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3335.MOV Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 61 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3336.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 62 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3337.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 63 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3338.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 64 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3339.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 65 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3340.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 66 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3341.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 67 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's 
ipad\IMG_3342.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 68 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3343.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 69 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3344.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 70 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3345.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 71 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3346.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 72 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3347.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 73 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3348.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 74 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3349.MOV Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 75 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3349.AAE Dropped by C:\Windows\explorer.exe [30568] 76 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3350.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 77 
\Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3351.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 78 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3352.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 79 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3353.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 80 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3354.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 81 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3355.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 82 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3356.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 83 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3357.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 84 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3358.MOV Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 85 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3358.AAE Dropped by C:\Windows\explorer.exe [30568] 86 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3359.JPG Dropped by C:\Windows\explorer.exe 
[30568] Read by C:\Windows\explorer.exe [30568] 87 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3360.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 88 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3361.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 89 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3362.MOV Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 90 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3362.AAE Dropped by C:\Windows\explorer.exe [30568] 91 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3363.MOV Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 92 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3363.AAE Dropped by C:\Windows\explorer.exe [30568] 93 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3364.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 94 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3365.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 95 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3366.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 96 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3367.JPG Dropped by 
C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 97 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3368.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 98 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3368.MOV Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 99 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3369.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 100 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3369.MOV Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 101 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3370.MOV Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 102 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3370.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 103 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3371.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 104 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3371.MOV Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 105 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3372.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 106 
\Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3372.MOV Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 107 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3373.MOV Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 108 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3373.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 109 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3374.JPG Dropped by C:\Windows\explorer.exe [30568] Read by C:\Windows\explorer.exe [30568] 110 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3374.MOV Dropped by C:\Windows\explorer.exe [30568] Thumbprint 20f00333e19359ac81a0ac9dd49f7dd31533f3379a6e57f78bada98b0b7c64cf Digital signature certificate based thumbprint 40ad6e387a9a0c90bfdc2c0fa9c3c7569bb1023b92dcb06ab3b9f2d28728ab3a Cryptoguard algorithm based thumbprint b0547770c4df4bbefcb7612cead06683ea8282889cd377945054a8f0d3529189
  • process_path: C:\Windows\explorer.exe
  • type: CryptoGuard
  • process_pid: 30568
  • version: 3.8.4.37


  • Looking at a subset of the file paths referenced.


    1*\Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3374.MOV
    Created L0, Read T3584, Write T3702272 H24576|^234 #1,2

    2*\Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3374.JPG
    Opened L2059264, Read T4096|0% H4096|^61978 #2,1

    3 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3374.JPG
    Created L0, Read T3072, Write T2059264 H32768|^89937 #3

    ----

    4 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3373.JPG
    Opened L1831723, Read T4096|0% H4096|^62923 #14

    5 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3373.JPG
    Created L0, Read T1024,
    Write T1831936 H32768|^94646 #17,18

    6 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3373.MOV
    Opened L4066639,
    Read T4096|0% H4096|^229 #18,17

    7 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3373.MOV
    Created L0, Read T3584,
    Write T4066816 H32768|^239 #19

    ---

    8 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3372.MOV
    Opened L3828357,
    Read T4096|0% H4096|^228 #20

    9*\Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3372.MOV
    Created L0,
    Read T3072,
    Write T3828736 H32768|^239 #21,22

    10*\Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3372.JPG
    Opened L2000986,
    Read T4096|0% H4096|^62147 #22,21

    11 \Device\Mup\;LanmanRedirector\;W:000000002891e726\GGL-DC01\Workspace\ALL PHOTOS and VIDEOS\From Helena's ipad\IMG_3372.JPG
    Created L0, Read T2560,
    Write T2001408 H32768|^111735 #23

    ...

    It seems there are a number of operations per file.

    CryptoGuard is a behaviour-based feature, i.e. if it sees a number of files opened for write in quick succession and the files change their entropy to the point where they look like they are being encrypted, it will declare that something odd is happening that looks a bit like ransomware.

    Given LanmanRedirector is in the path, was there a mapped drive with the drive letter W containing a bunch of files from an iPad?

    Did Explorer open a movie file and a still image (a thumbnail for the movie, given the JPG has the same name as the MOV file?), then update metadata about the file, such that each file was changing?

    From the detection name, Generic.Ransom.C, it is really just generic behaviour. Do you recall what was taking place? If you can re-create the behaviour, a Process Monitor log of file activity would indicate what was happening.

    Seems likely to be a false positive.  

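To make the heuristic described in the reply above concrete, here is an added toy illustration, written for this page and not Sophos CryptoGuard's actual logic (whose thresholds and the meaning of the L/T/H fields in the detail lines are not documented here). It runs an entropy-based ransomware detector over constructed write events and contrasts two cases: a process that rewrites low-entropy documents with random-looking bytes, and a process that rewrites already-compressed JPEG-like files in full but changes only a few metadata bytes. The second case is one ordinary way to produce the "Created L0 ... Write T<full size>" pattern visible in the log, and it shows why a naive "high entropy after write" check over-fires on media folders while an "entropy jump" check does not. The process IDs, paths, thresholds and sample content are all assumptions.

```python
"""Toy entropy-based ransomware heuristic (added example; not CryptoGuard's code).

Events are constructed in memory so this runs offline. Each write event carries
the file content before and after the write so the detector can compare entropy.
"""
import math
import random
from collections import defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect(events, window_s=5.0, min_files=5, high=7.5, min_jump=2.0, require_jump=True):
    """Flag PIDs that rewrite >= min_files distinct files with high-entropy output
    inside a sliding window of window_s seconds.

    With require_jump=True a write only counts if entropy rose by >= min_jump bits,
    i.e. the file went from structured to random-looking. With require_jump=False
    any high-entropy result counts: the naive variant that over-fires on media
    that is already compressed (JPEG, MOV) and so was high-entropy to begin with."""
    flagged = set()
    recent = defaultdict(list)  # pid -> [(ts, path)] of suspicious writes in window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] != "write":
            continue
        h_before = shannon_entropy(ev["before"])
        h_after = shannon_entropy(ev["after"])
        if h_after < high:
            continue
        if require_jump and h_after - h_before < min_jump:
            continue
        hist = recent[ev["pid"]]
        hist.append((ev["ts"], ev["path"]))
        hist[:] = [(t, p) for t, p in hist if ev["ts"] - t <= window_s]
        if len({p for _, p in hist}) >= min_files:
            flagged.add(ev["pid"])
    return flagged


# --- constructed sample data (assumptions, not taken from the original post) ---
_rng = random.Random(1)  # seeded so the sample is reproducible


def _random_bytes(n):
    return bytes(_rng.getrandbits(8) for _ in range(n))


def make_ransomware_events(pid=4242, n_files=8):
    """A process replacing plain-text documents with random (encrypted-looking) bytes."""
    plain = b"The quick brown fox jumps over the lazy dog.\n" * 400
    return [{"ts": 0.2 * i, "pid": pid, "op": "write",
             "path": rf"W:\Workspace\Docs\report_{i:02d}.txt",
             "before": plain, "after": _random_bytes(len(plain))}
            for i in range(n_files)]


def make_explorer_metadata_events(pid=30568, n_files=20):
    """An application rewriting JPEG-like files in full but changing only metadata.
    The image payload is already compressed, so entropy is high before and after."""
    payload = _random_bytes(16384)  # stands in for compressed image data
    events = []
    for i in range(n_files):
        old_meta = f"Exif\x00\x00Rating=0;Orientation=1;Pad={i:04d}".ljust(200).encode()
        new_meta = f"Exif\x00\x00Rating=5;Orientation=6;Pad={i:04d}".ljust(200).encode()
        before = b"\xff\xd8\xff\xe1" + old_meta + payload
        after = b"\xff\xd8\xff\xe1" + new_meta + payload
        events.append({"ts": 0.1 * i, "pid": pid, "op": "write",
                       "path": rf"W:\Workspace\ALL PHOTOS and VIDEOS\IMG_{3300 + i}.JPG",
                       "before": before, "after": after})
    return events


RANSOM_EVENTS = make_ransomware_events()
EXPLORER_EVENTS = make_explorer_metadata_events()

if __name__ == "__main__":
    print("entropy-jump detector, ransomware sample:", detect(RANSOM_EVENTS))
    print("entropy-jump detector, explorer sample:  ", detect(EXPLORER_EVENTS))
    print("naive high-entropy detector, explorer:   ", detect(EXPLORER_EVENTS, require_jump=False))
```

The design point is that the before/after comparison, not the absolute entropy, is what separates encryption from a legitimate full rewrite of a compressed file; a real product also weighs other signals (the process's signature, the thumbprints shown in the detection, how many files were touched), which is why a Process Monitor capture of the same activity is the right next step before excluding anything.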