RichCopy64.exe detected as ransomware


laterdaze

I was using RichCopy64 to move files from a USB disk to a network share. It seemed to be running OK for several minutes when it was detected as ransomware. RichCopy64 is a GUI frontend for robocopy, a Microsoft copy utility that comes with Windows 10. This is the first time I've used it. This is probably just a false positive, but it gave me pause that the USB drive being used as the source had been on another system which was exposed to the Locky ransomware exploit. As far as I can tell none of the files on the drive have been encrypted, but one never knows what else lurks there...

I tried to remove the file from quarantine to forward it as an attachment but got this: "The Restore operation could not be performed due to an error". I attached, in a zip file, the Win32 cabinet self-extractor that I used to install RichCopy. Hope this helps,

laterdaze

Malwarebytes Anti-Ransomware.zip

logs.zip

ransomware.JPG

HoffmanUtilitySpotlight2009_04.zip

Reference: https://www.virustotal.com/en/file/8e401b7524fe29ff58ea4da7ac05cf2abd5455b264a7fdebc1e22fb13f2c7bf6/analysis/

Hello laterdaze and welcome:

Available data does suggest a false positive and you may wish to make the following temporary full pathname file entry in MBARW GUI Dashboard -> Exclusions:

C:\Program Files (x86)\Microsoft Rich Tools\RichCopy 4.0\RichCopy64.exe

Thank you for beta testing MBARW and your valuable feedback.
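As an added example (not part of this thread or of MBARW), a PowerShell check to run before adding that exclusion: it confirms that the file at the quoted path hashes to the SHA-256 in the VirusTotal reference above, so the exclusion covers only the sample that was actually analysed. It assumes the VirusTotal link refers to RichCopy64.exe itself and that the install path in the reply is correct.

```powershell
# Added example, not from the forum thread or Malwarebytes.
# Assumptions: the exclusion path given in the reply, and the SHA-256 taken
# from the VirusTotal link above (assumed to be the hash of RichCopy64.exe).
$ExclusionPath  = 'C:\Program Files (x86)\Microsoft Rich Tools\RichCopy 4.0\RichCopy64.exe'
$ExpectedSha256 = '8e401b7524fe29ff58ea4da7ac05cf2abd5455b264a7fdebc1e22fb13f2c7bf6'

if (-not (Test-Path -LiteralPath $ExclusionPath)) {
    Write-Warning "File not found at $ExclusionPath; nothing to exclude."
    return
}

# 1. The on-disk hash must match the analysed sample; otherwise the exclusion
#    would whitelist a different binary than the one the verdict was based on.
$actualSha256 = (Get-FileHash -LiteralPath $ExclusionPath -Algorithm SHA256).Hash
$hashMatches  = $actualSha256 -ieq $ExpectedSha256

# 2. Authenticode status is recorded as supporting evidence (an old tool may
#    have an expired or missing signature, so this is informational only).
$sig = Get-AuthenticodeSignature -LiteralPath $ExclusionPath

[pscustomobject]@{
    Path            = $ExclusionPath
    ExpectedSha256  = $ExpectedSha256
    ActualSha256    = $actualSha256
    HashMatches     = $hashMatches
    SignatureStatus = $sig.Status
    Signer          = $sig.SignerCertificate.Subject
}

if ($hashMatches) {
    Write-Host 'Hash matches the VirusTotal sample; the MBARW Dashboard -> Exclusions entry is consistent with the analysis.'
} else {
    Write-Warning 'Hash does NOT match the analysed sample; do not add the exclusion, and submit the file for analysis instead.'
}
```

A full-pathname exclusion is only as trustworthy as the file currently at that path, so re-running this check after any reinstall or update keeps the exclusion tied to a known-good hash.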
