Keyword: usojan.ps1.powload.jkp
\Software\ShinoLocker PS = "%User Temp%\{random filename2}.exe" HKEY_CURRENT_USER\Software\ShinoLocker FL = "C:\Users\dyituser_732\AppData\Local\Temp\{random filename 4}.lst" HKEY_CURRENT_USER\Software
pps ppsm ppsx ppt pptm pptx prf ps psafe3 psd psk pst ptx py qba qbb qbm qbr qbw qbx qby qdf qic r3d ra2 raf rar raw rb rdb re4 rgss3a rim rm rofl rtf rw2 rwl rwz s3db sas7bdat sav sb sd0 sd1 sda sdf
This Trojan modifies the following registry entries: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore DisableSR = "1" Dropping Routine This Trojan drops the following files:
This backdoor may be dropped by other malware. It executes commands from a remote malicious user, effectively compromising the affected system. Arrival Details This backdoor may be dropped by the
This Trojan may be downloaded by other malware/grayware from remote sites. It connects to certain websites to send and receive information. Arrival Details This Trojan may be downloaded by the
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It connects to certain websites to send and receive
This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It is capable of encrypting files in the affected
This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It drops files as ransom note. Arrival Details This
\Software\Microsoft\RestartManager\Session0000 Sequence = "1" HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached {random string} = "\x01\x00\x00\x00\x00\x00\x00\x00M\xdfa
This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It drops files as ransom note. Arrival Details This
and filename) If the value for "-h" is not specified, "ps x" is used. By default, it connects to the following pool for coinmining: exploiter-v4.pwndns.pw (monerohash.com) A dummy string [fbi.gov:80] is
" HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 Sequence = "1" HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached {random string} = "\x01\x00\x00\x00\x00\x00\x00
" HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 SessionHash = "{random characters}" HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 Sequence = "1" HKEY_CURRENT_USER\Software
This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It connects to certain websites to send and receive
= "0" HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WCEUSBSH Start = "1" HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NSCIRDA Start = "3" HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. Arrival Details This
\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f cmd.exe /c
This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. Arrival Details This Trojan Spy arrives on a system
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 Sequence = 1 → Deletes afterwards HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 RegFiles0000 = {FilePath\{FileName} → Deletes
This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It drops files as ransom note. It avoids encrypting