The Blackhole which is distributing this ransom moved to a new host; the ransom was also redesigned, renamed (LokoMoTO) and got a fresh refined crypter. Be aware that this trojan trashes Windows SafeMode by renaming the corresponding root keys.

Runs from
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Attached are today's 3 binaries extracted from BH EK + an unpacked one.
Attachments
pass: malware
(294.71 KiB) Downloaded 88 times
Ring0 - the source of inspiration
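
A triage check for the registry locations named in the post above, as an added example that is not part of the original post: it parses the text of a `.reg` export from a suspect host, lists the HKCU Run entries for review, flags a per-user Winlogon `Shell` value, and reports missing SafeBoot subkeys. It assumes the "SafeMode root keys" are the standard `SafeBoot\Minimal` and `SafeBoot\Network` subkeys; the sample export, its value names and its paths are constructed.

```python
import re

# Autorun locations named in the post (per-user hive).
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Assumption: the "SafeMode root keys" are the standard SafeBoot subkeys.
SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
SAFEBOOT_EXPECTED = ("Minimal", "Network")

def parse_reg(text):
    """Parse decoded .reg export text into {key_path: {value_name: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1)] = m.group(2)
    return keys

def triage(text):
    """Return (kind, name, detail) findings; Run entries are listed for review only."""
    keys = {k.lower(): v for k, v in parse_reg(text).items()}  # key names are case-insensitive
    findings = [("run-entry", n, d) for n, d in keys.get(RUN_KEY.lower(), {}).items()]
    for n, d in keys.get(WINLOGON_KEY.lower(), {}).items():
        if n.lower() == "shell":  # no per-user Shell value exists by default
            findings.append(("hkcu-shell-override", n, d))
    prefix = SAFEBOOT.lower() + "\\"
    children = {k[len(prefix):].split("\\")[0] for k in keys if k.startswith(prefix)}
    if SAFEBOOT.lower() in keys or children:  # only judge SafeBoot if it was exported
        for sub in SAFEBOOT_EXPECTED:
            if sub.lower() not in children:
                findings.append(("safeboot-missing", sub, sorted(children)))
    return findings

# Constructed sample export (not taken from the attached binaries).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"updater"="C:\\Users\\user\\AppData\\Roaming\\example.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Users\\user\\AppData\\Roaming\\example.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal_renamed]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]
'''

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Exports written by regedit are UTF-16, so decode the file before passing its text to `triage`; the siblings listed in a `safeboot-missing` finding show what the expected subkey may have been renamed to.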
					 						
            
 
										
