
ABCLocker Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Popularity Rank: 24,400
Threat Level: 50 % (Medium)
Infected Computers: 171
First Seen: July 27, 2017
Last Seen: January 23, 2026
OS(es) Affected: Windows

The ABCLocker Ransomware is an encryption ransomware Trojan that was first observed on July 27, 2017. It behaves very similarly to other ransomware Trojans released close to that date, such as the Matroska Ransomware and the Mole03 Ransomware, and there is very little to differentiate it from these or from the countless other encryption ransomware Trojans currently active. They all share the same basic goal: encrypt the victim's files and then demand a ransom payment in exchange for the decryption key needed to recover the affected files.

Prevention is the Key to Avoid the ABCLocker Ransomware Trojan

The ABCLocker Ransomware may be delivered to the victim as a spam email attachment, a typical delivery method for encryption ransomware Trojans. Victims receive an email message with an attached Microsoft Word document; the document carries malicious macros that download and install the ABCLocker Ransomware on the victim's computer. The best protection against the ABCLocker Ransomware is therefore to handle spam email messages carefully and to prevent Microsoft Word from running macros automatically. Once the ABCLocker Ransomware is installed on the infected computer, it begins encrypting the victim's data.
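The delivery chain above rests on a macro-bearing Word attachment reaching the user. A mail gateway can refuse such attachments by content rather than by file name. The following is an added example (not code from the original page or from any vendor): it opens an OOXML attachment as the ZIP package it is, blocks it if a VBA project part (word/vbaProject.bin) or a macro-enabled content type is present, and quarantines legacy OLE .doc files, which can also carry macros but need an OLE parser to prove it. The build_docx helper constructs minimal test documents; real documents contain many more parts.

```python
import io
import zipfile

# Added example, not from the page: content-based check for macro-bearing Office attachments.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office container (.doc/.xls/.ppt)
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML container (.docx/.docm/.xlsx/...)
VBA_PARTS = ("word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin")
MACRO_CONTENT_TYPE = "macroenabled"              # substring of every macro-enabled OOXML content type


def classify_attachment(data: bytes) -> str:
    """Return 'allow', 'block' or 'quarantine' for an Office attachment, judged by content only.

    block      : OOXML package that carries a VBA project or declares a macro-enabled content type
    quarantine : legacy OLE document (may hold macros; needs an OLE parser to tell) or unparsable data
    allow      : OOXML package with no macro part
    The file name is deliberately ignored: a .docm renamed to .docx is still a .docm inside.
    """
    if data.startswith(OLE_MAGIC):
        return "quarantine"
    if not data.startswith(ZIP_MAGIC):
        return "quarantine"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n for n in zf.namelist()]
            lower = {n.lower() for n in names}
            ct_name = next((n for n in names if n.lower() == "[content_types].xml"), None)
            content_types = zf.read(ct_name).decode("utf-8", "replace").lower() if ct_name else ""
    except (zipfile.BadZipFile, KeyError):
        return "quarantine"
    if any(p in lower for p in VBA_PARTS) or MACRO_CONTENT_TYPE in content_types:
        return "block"
    return "allow"


def build_docx(with_vba: bool) -> bytes:
    """Constructed minimal OOXML package for testing (a real document has many more parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        types = (
            '<?xml version="1.0"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-'
            'officedocument.wordprocessingml.document.main+xml"/>'
        )
        if with_vba:
            types += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
        types += "</Types>"
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # A real vbaProject.bin is an OLE compound file; a stub header is enough for the check.
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("macro-enabled .docm", build_docx(True)),
                        ("plain .docx", build_docx(False)),
                        ("legacy .doc", OLE_MAGIC + b"\x00" * 64),
                        ("not Office at all", b"hello")):
        print(f"{label:20s} -> {classify_attachment(blob)}")
```

The check is a gateway-side complement to disabling automatic macro execution on the endpoint, not a replacement for it: a blocked attachment never reaches the user, while the endpoint policy covers documents that arrive by other routes.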

How the ABCLocker Ransomware Carries out Its Attack

The ABCLocker Ransomware connects to Command and Control servers on the TOR network. The ABCLocker Ransomware's attack is typical of these infections: the ABCLocker Ransomware encrypts the victim's files using a strong encryption algorithm and then demands a ransom payment from the victim in exchange for the decryption key. In its attack, the ABCLocker Ransomware will encrypt a wide variety of file types, including the following:

.3gp, .7z, .apk, .avi, .bmp, .cdr, .cer, .chm, .conf, .css, .csv, .dat, .db, .dbf, .djvu, .dbx, .docm, .doc, .epub, .docx, .fb2, .flv, .gif, .gz, .iso, .ibooks, .jpeg, .jpg, .key, .mdb, .md2, .mdf, .mht, .mobi, .mhtm, .mkv, .mov, .mp3, .mp4, .mpg, .mpeg, .pict, .pdf, .pps, .pkg, .png, .ppt, .pptx, .ppsx, .psd, .rar, .rtf, .scr, .swf, .sav, .tiff, .tif, .tbl, .torrent, .txt, .vsd, .wmv, .xls, .xlsx, .xps, .xml, .ckp, .zip, .java, .py, .asm, .c, .cpp, .cs, .js, .php, .dacpac, .rbw, .rb, .mrg, .dcx, .db3, .sql, .sqlite3, .sqlite, .sqlitedb, .psp, .pdb, .dxf, .dwg, .drw, .casb, .ccp, .cal, .cmx, .cr2.

Once the ABCLocker Ransomware encrypts a file, the file is no longer readable and appears with a blank icon in Windows Explorer. The ABCLocker Ransomware does not mark the affected files in any other way, unlike many other ransomware Trojans, which append a new file extension to the encrypted files. Because names and extensions are left unchanged, an encrypted file can only be told apart from an intact one by its contents. Apart from the encryption process, the ABCLocker Ransomware also deletes the Shadow Volume Copies of the affected files and the System Restore points, making it impossible for computer users to recover their data through these alternate means.
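Since ABCLocker neither renames files nor appends an extension, post-incident triage cannot rely on the file name. The added example below (not code from the original page) scores files by two content signals instead: whether the header still carries the magic bytes the extension promises, and the Shannon entropy of the first 4 KiB, which sits near 8 bits/byte for ciphertext. The magic table and the sample contents are constructed; bytes(range(256)) * 16 is used as a deterministic stand-in for ciphertext because its entropy is exactly 8.0.

```python
import math
import os
from collections import Counter

# Added example, not from the page. Magic bytes for a few of the types on ABCLocker's target
# list (constructed table); text types have no magic and are judged by entropy alone.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".pdf": b"%PDF",
    ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".7z": b"7z\xbc\xaf\x27\x1c",
    ".rar": b"Rar!\x1a\x07",
    ".sqlite": b"SQLite format 3\x00",
}
TEXT_EXTS = {".txt", ".csv", ".xml", ".css", ".js", ".py", ".c", ".cpp", ".java", ".php", ".sql"}
ENTROPY_THRESHOLD = 7.5   # bits/byte; ciphertext sits near 8.0, natural-language text well below 6.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(name: str, data: bytes) -> str:
    """Classify a file whose name was NOT changed by the ransomware.

    intact  : header matches the type the extension promises (or text still looks like text)
    suspect : expected header is gone and the body is near-random, consistent with in-place encryption
    unknown : nothing can be concluded from content for this extension
    """
    ext = os.path.splitext(name)[1].lower()
    entropy = shannon_entropy(data[:4096])
    magic = MAGIC.get(ext)
    if magic is not None:
        if data.startswith(magic):
            return "intact"   # compressed formats are high-entropy by design; the magic decides
        return "suspect" if entropy >= ENTROPY_THRESHOLD else "unknown"
    if ext in TEXT_EXTS:
        return "suspect" if entropy >= ENTROPY_THRESHOLD else "intact"
    return "unknown"


def scan_tree(root: str) -> dict:
    """Walk a directory and return {path: verdict}; reads only the first 4 KiB of each file."""
    verdicts = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    verdicts[path] = triage(fn, fh.read(4096))
            except OSError:
                verdicts[path] = "unreadable"
    return verdicts


def constructed_samples() -> dict:
    """Stand-in file contents for the demo (constructed, not real victim files)."""
    ciphertext_like = bytes(range(256)) * 16          # entropy exactly 8.0 bits/byte
    return {
        "photo.png":   MAGIC[".png"] + b"\x00" * 512,  # intact, low entropy
        "photo2.png":  ciphertext_like,                # header gone, random body -> suspect
        "archive.zip": MAGIC[".zip"] + ciphertext_like,  # high entropy but magic intact
        "notes.txt":   b"quarterly numbers attached\n" * 40,
        "notes2.txt":  ciphertext_like,
        "blob.xyz":    ciphertext_like,                # no signature known -> unknown
    }


if __name__ == "__main__":
    for fname, blob in constructed_samples().items():
        print(f"{fname:12s} entropy={shannon_entropy(blob[:4096]):.2f} -> {triage(fname, blob)}")
```

Run scan_tree over the user's profile to get a first estimate of the blast radius before restoring from backup; files marked "unknown" need a richer signature table or manual review, and an intact magic does not prove the rest of the file is untouched.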

Dealing with the ABCLocker Ransomware

After the ABCLocker Ransomware attack, victims are asked to contact its perpetrators via email and pay 0.5 BTC for the decryption application. The people responsible for the ABCLocker Ransomware use the email address 'abchelper@sigaint.org.' PC security analysts strongly advise computer users against doing this. Contacting the people responsible for these attacks is rarely a good idea; they may ignore any ransom payment, demand more money, or single the victim out for future attacks. Instead of paying, it is important to have protective measures in place against the ABCLocker Ransomware and other encryption ransomware Trojans. The best of these is to keep file backups on a removable storage device or in the cloud. Being able to restore the compromised files from a backup means that the people responsible for the ABCLocker Ransomware attack no longer have leverage over the victim; there is no need to pay the ransom when the affected files can simply be replaced. Apart from backups, a reliable security application and a good anti-spam filter are good options for preventing ABCLocker Ransomware infections.

Analysis Report

General information

Family Name: Worm.Citeary.A
Signature status: No Signature

Known Samples

MD5: 87b9eab5b9e3d03b81a964d6851a26eb
SHA1: c8a929c471614e7881b4834e803d61ccaa2151e5
SHA256: 7CD2B42939BCA2C740516E5F3426095725FC6A41E926387D8BA8E7F7A4C8AC50
File Size: 139.93 KB, 139928 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have exports table
  • File doesn't have relocations information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Comments: Flavor=Retail
Company Name: Microsoft Corporation
File Description: Microsoft .NET ClickOnce Launch Utility
File Version: 2.0.50727.7905 (win9rel.050727-7900)
Internal Name: applaunch.exe
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: applaunch.exe
Product Name: Microsoft® .NET Framework
Product Version: 2.0.50727.7905

The version resource copies that of Microsoft's ClickOnce launcher (applaunch.exe). Since the sample carries no digital signature (see "Signature status" above), this metadata says nothing about its origin and should not be used as an allowlisting criterion.

File Traits

  • 00 section
  • 2+ executable sections
  • x86

Block Information

Total Blocks: 418
Potentially Malicious Blocks: 55
Whitelisted Blocks: 363
Unknown Blocks: 0

Visual Map

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 1 1 1 3 1 2 1 0 2 3 0 0 2 2 0 1 1 0 1 x x x x x x x x x x x 1 0 0 x x x x x x x 0 x x x x x x x x 0 x 0 x x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 2 3 0 0 1 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 1 1 1 0 0 0 0 1 0 0 0 1 0 0 0 2 2 0 0 0 0 1 0 0 2 1 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 1 1 0 1 0 0 0 0 0 2 x x x x x x x x x x x x x x x x x x x 0 x x x x 0 0 0 1 1 2 0 0 0 0 0 0 x
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Files Modified

File | Access requested
c:\program files\kav\cdriver.sys | Generic Read, Generic Execute, Write Data, Write Attributes, Write extended, Append data, Delete, LEFT 786496
c:\users\user\appdata\local\temp\c180.tmp | Generic Read, Write Data, Write Attributes, Write extended, Append data, Delete, LEFT 262144
c:\users\user\downloads\c8a929c471614e7881b4834e803d61ccaa2151e5_0000139928 | Generic Write, Read Attributes
c:\users\user\downloads\c8a929c471614e7881b4834e803d61ccaa2151e5_0000139928t | Synchronize, Write Attributes
c:\users\user\downloads\c8a929c471614e7881b4834e803d61ccaa2151e5_0000139928t | Synchronize, Write Data
c:\windows\syswow64\system.exe | Generic Write, Read Attributes
c:\windows\syswow64\system.exe | Synchronize, Write Data
c:\windows\syswow64\tvjkwv.dll | Generic Read, Generic Execute, Write Data, Write Attributes, Write extended, Append data, Delete, LEFT 786496
c:\windows\syswow64\vjwjwv.dll | Generic Read, Generic Execute, Write Data, Write Attributes, Write extended, Append data, Delete, LEFT 786496

Registry Modifications

Key::Value | Data | API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | (binary value, mis-rendered in the capture) | RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | (binary value, mis-rendered in the capture) | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\run::system | C:\WINDOWS\system32\system.exe | RegNtPreCreateKey
(The Run-key entry above is repeated many times in the capture; the duplicates are collapsed here.)

394 additional registry modifications are not displayed above.

Windows API Usage

Process Manipulation Evasion
  • NtUnmapViewOfSection
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
Service Control
  • OpenSCManager
  • OpenService
  • StartService
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • UNKNOWN
User Data Access
  • GetUserObjectInformation
Process Shell Execute
  • ShellExecute
  • WriteConsole
Process Terminate
  • TerminateProcess
Network Winhttp
  • WinHttpOpen

Shell Command Execution

WriteConsole: [SC] OpenService
open sc stop PolicyAgent
WriteConsole: [SC] OpenService
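The analysis report above yields three host-side behaviours worth alerting on: a Run-key value named "system" pointing at C:\WINDOWS\system32\system.exe (the file actually lands in syswow64 because the sample is a 32-bit process subject to WOW64 file-system redirection), DLL and EXE writes into a system directory by a process running from the user's Downloads folder, and "sc stop PolicyAgent" (PolicyAgent is the IPsec Policy Agent service). The added example below (not code from the original page or from any product) runs constructed rules over constructed process, file and registry events modelled on the report. The shadow-copy and recovery-tampering command lines it also matches are an assumption about how the Shadow Volume Copy deletion is performed; the page does not show the command the sample uses. The allowlist of legitimate system32 Run targets is constructed and deliberately small.

```python
import re
from pathlib import PureWindowsPath

# Added example, not from the page. Rules derived from the analysis report's Files Modified,
# Registry Modifications and Shell Command Execution sections; the recovery-tampering
# patterns are an assumption (the page names the effect, not the command).
RUN_KEY = re.compile(r"\\microsoft\\windows\\currentversion\\run$", re.I)
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
KNOWN_SYSTEM32_RUN = {"securityhealthsystray.exe"}   # constructed allowlist; extend per environment
MASQUERADE_NAMES = {"system.exe"}                    # name the sample uses; not a Windows binary
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

RECOVERY_TAMPER = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I),
]
SERVICE_STOP = re.compile(r"\bsc(\.exe)?\s+stop\s+(policyagent|vss|wscsvc|windefend)\b", re.I)


def _in_dirs(path: str, dirs) -> bool:
    p = path.lower()
    return any(p.startswith(d) for d in dirs)


def check_registry(ev):
    """Flag Run-key values that point at a masquerading or unexpected system-directory binary."""
    key, data = ev["key"].split("::")[0], ev["data"]
    if not RUN_KEY.search(key):
        return None
    exe = PureWindowsPath(data.strip('"')).name.lower()
    if exe in MASQUERADE_NAMES:
        return ("run_key_masquerade", f"{ev['value']} -> {data}")
    if _in_dirs(data, SYSTEM_DIRS) and exe not in KNOWN_SYSTEM32_RUN:
        return ("run_key_unexpected_system_dir", f"{ev['value']} -> {data}")
    return None


def check_process(ev):
    """Flag recovery tampering and stops of security-relevant services."""
    cmd = ev["cmdline"]
    if any(r.search(cmd) for r in RECOVERY_TAMPER):
        return ("recovery_tamper", cmd)
    if SERVICE_STOP.search(cmd):
        return ("security_service_stop", cmd)
    return None


def check_file(ev):
    """Flag writes into system32/syswow64 by a process started from a user-writable path."""
    if _in_dirs(ev["path"], SYSTEM_DIRS) and _in_dirs(ev["process"], USER_WRITABLE):
        return ("system_dir_write_from_user_path", f"{ev['process']} wrote {ev['path']}")
    return None


def detect(events):
    """Return a list of (rule_name, evidence) tuples, one per matching event, in input order."""
    handlers = {"registry": check_registry, "process": check_process, "file": check_file}
    hits = []
    for ev in events:
        hit = handlers[ev["type"]](ev)
        if hit:
            hits.append(hit)
    return hits


# Constructed events modelled on the report (paths from Files Modified / Registry Modifications;
# the command lines are constructed).
SAMPLE_EVENTS = [
    {"type": "registry", "key": r"HKLM\software\wow6432node\microsoft\windows\currentversion\run::system",
     "value": "system", "data": r"C:\WINDOWS\system32\system.exe"},
    {"type": "registry", "key": r"HKLM\software\microsoft\windows\currentversion\run",
     "value": "SecurityHealth", "data": r"C:\Windows\system32\SecurityHealthSystray.exe"},
    {"type": "file", "path": r"c:\windows\syswow64\tvjkwv.dll",
     "process": r"c:\users\user\downloads\c8a929c471614e7881b4834e803d61ccaa2151e5_0000139928"},
    {"type": "process", "cmdline": "sc stop PolicyAgent"},
    {"type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "cmdline": "notepad.exe readme.txt"},
]

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule:34s} {evidence}")
```

Any one of these rules fires on benign activity occasionally (administrators do stop services and prune shadow copies); the value is in the combination within one process tree, so score the hits per originating process rather than alerting on each line.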
