Troj/Ransom-FMU

Category: Viruses and Spyware
Protection available since: 30 Jun 2019 17:46:22 (GMT)
Type: Trojan
Last Updated: 30 Jun 2019 17:46:22 (GMT)
Prevalence: Small Number of Reports

Troj/Ransom-FMU exhibits the following characteristics:

File Information

Size: 4.5M
SHA-1: 057ce5d68142f9c744a20c01c8fa69b85af318f6
MD5: 6917c566fbe300441bd9ab2d435e52cf
CRC-32: f73d789e
File type: Windows executable
First seen: 2017-04-14

Runtime Analysis

Modified Files
  • %SYSTEM%\wbem\Repository\$WinMgmt.CFG
  • %PROFILE%\Cookies\index.dat
  • %SYSTEM%\wbem\Repository\FS\MAPPING1.MAP
  • %SYSTEM%\wbem\Repository\FS\OBJECTS.MAP
  • %PROFILE%\NTUSER.DAT.LOG
  • %SYSTEM%\wbem\Repository\FS\INDEX.BTR
  • %SYSTEM%\wbem\Repository\FS\INDEX.MAP
  • %SYSTEM%\wbem\Repository\FS\OBJECTS.DATA
  • %SYSTEM%\wbem\Logs\wbemcore.log
    • Changed the file contents
  • %SYSTEM%\config\system.LOG
  • C:\Documents and Settings\LocalService\ntuser.dat.LOG
  • %INTERNET_CACHE%
    • Set the hidden and system flags
  • %SYSTEM%\config\software.LOG
    • Changed the file contents
  • %SYSTEM%\wbem\Repository\FS\MAPPING.VER
  • %SYSTEM%\wbem\Logs\wbemess.log
    • Changed the file contents
  • %SYSTEM%\config\SAM.LOG
  • C:\KMDhips.txt
    • Changed the file contents
  • %SYSTEM%\wbem\Repository\FS\MAPPING2.MAP
  • %PROFILE%\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
  • %HISTORY%
    • Set the hidden and system flags
Registry Keys Created
  • HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SAVSERVICE\0000\Control
    ActiveService
    SAVService
Registry Keys Modified
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5B3B929D6C65CC643B3A1A7A48BC8B4E\Usage
    SAVService
    0x4c2609c1
  • HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU
    MRUListEx
    01 00 00 00 00 00 00 00 02 00 00 00 03 00 00 00 06 00 00 00 05 00 00 00 04 00 00 00 ff ff ff ff
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore
    Time
    e2 07 01 00 06 00 06 00 09 00 28 00 3b 00 0b 03
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore
    Time
    e2 07 01 00 06 00 06 00 09 00 28 00 3b 00 0b 03
  • HKCU\Software\Microsoft\Internet Explorer\Main
    Window_Placement
    2c 00 00 00 00 00 00 00 01 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 42 00 00 00 42 00 00 00 7c 03 00 00 52 02 00 00
  • HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent
    (Default)
    0x0000000e
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\iexplore
    Time
    e2 07 01 00 06 00 06 00 09 00 28 00 3a 00 17 01
  • HKLM\SOFTWARE\Sophos\SAVService\Status
    UpToDateState
    0x00000002
  • HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
    ActiveTimeBias
    0x00000000
  • HKLM\SOFTWARE\Sophos\SAVService\Status\Infected
    SuspiciousBehaviorDetected
    0x00000001
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
    Time
    e2 07 01 00 06 00 06 00 09 00 28 00 39 00 a8 03
  • HKLM\SOFTWARE\Sophos\SAVService\Status\LastScan
    NormalScan
    0x5a509a2c
  • HKCU\SessionInformation
    ProgramCount
    0x0000000a
  • HKLM\SOFTWARE\Microsoft\Cryptography\RNG
    Seed
    1b d9 c5 59 1c ce bd e9 9b 72 b2 25 a3 68 49 90 ba 94 7e 9e 8c cd 07 26 dc 00 03 be 0c 6c 05 83 09 86 e6 26 d0 8c 4d b1 c7 6b f8 07 36 cc 03 ff 57 af 6c 5f 15 bc df 56 32 7b 6c f9 b0 98 22 5e 28 8e f5 c2 f9 09 cf 29 ad e0 a2 e3 4e fd bf af