Troj/Ransom-LI exhibits the following characteristics:
File Information
- Size: 175K
- SHA-1: e2b2e7c82510d98c140c6a9de4af0c807f3f3229
- MD5: ca8cc80c7590d1d06c33b77792044b27
- CRC-32: 509ad52c
- File type: Windows executable
- First seen: 2012-12-05
Runtime Analysis
Copies Itself To
- C:\Documents and Settings\All Users\Application Data\yvyq8TUV.exe
Dropped Files
- C:\Documents and Settings\All Users\Application Data\yvyq8TUV.exe.b
- C:\Documents and Settings\All Users\Application Data\yvyq8TUV.exe_.b
- c:\Documents and Settings\test user\Local Settings\Temp\7787Fstu.dat
  - Size: 79K
  - SHA-1: 6eee986827988f7b6f2c1e22630da056ad113406
  - MD5: b2f21d488e0999fac853e19616baee11
  - CRC-32: b28f7931
  - File type: Unspecified binary - probably data
  - First seen: 2012-12-05
Registry Keys Created (key, value name, value data)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
  - 2500 = 0x00000003
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - WarnOnZoneCrossing = 0x00000000
- HKCU\Software\Microsoft\Internet Explorer\Main
  - NoProtectedModeBanner = 0x00000001
- HKLM\SOFTWARE\Microsoft\Direct3D
  - LA = 0x00000075
Processes Created
- c:\documents and settings\all users\application data\yvyq8tuv.exe
HTTP Requests
- http://188.190.98.22/0xabad1dea.php
IP Connections
- 188.190.98.22:53
- 188.190.98.22:80
DNS Requests
- 117.2246d083104beddd4574a5ea39638c6b641783aeab8f70e509.pfif3.hfuidhfd.jp
- 2.0.0.117.4242497517.3397364156.0.536870976.2246d083104beddd4574a5ea39638c6b641783aeab8f70e509.hfuidhfd.jp
- 2246d083104beddd4574a5ea39638c6b641783aeab8f70e509.fc.trafforder.com
- cc.hfuidhfd.jp
- cf.trafforder.com
- pcc.hfuidhfd.jp