$ analyze-threat Ransom:Win32/Genasom!rfn
Ransom:Win32/Genasom!rfn - Windows Defender threat signature analysis


$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Ransom:Win32/Genasom!rfn
Classification:
  Type:                 Ransom
  Platform:             Win32
  Family:               Genasom
  Detection Type:       Concrete (a named family with identified signatures, as opposed to a generic or heuristic detection)
  Suffix:               !rfn (a detection qualifier Microsoft appends to the name; the family is Genasom, the suffix is not itself a family name)
  Confidence:           Very High
  False-Positive Risk:  Low

Concrete signature match: Ransomware (encrypts or locks files and demands payment), 32-bit Windows platform, family Genasom.

Summary:

Ransom:Win32/Genasom!rfn is a concrete detection for the Genasom ransomware family. Samples matched by this signature encrypt user files or lock the screen, disable input (mouse, keyboard, Ctrl+Alt+Del), terminate processes such as explorer.exe, taskmgr.exe, browsers and antivirus services (avastsvc.exe, avp.exe, avpui.exe) with taskkill or pskill, and establish persistence through Startup-folder shortcuts and registry modifications (the Run key and the Winlogon Shell value). They also disable Task Manager and the registry editor through the Policies\System values, tamper with the SafeBoot control keys, delete Volume Shadow Copies and disable Windows recovery with vssadmin and bcdedit, and some variants disable the built-in Administrator account while adding their own account to the Administrators group. A ransom note ("unlock your computer", HOW TO DECRYPT FILES.txt, INSTRUCTION.txt, GOMER-README.txt) demands payment, and the sample contacts a command-and-control server for payment instructions and potentially further commands. The string list below spans many unrelated locker and encryptor codebases (build paths such as winlock.pdb, Silence_lock_bot.pdb, EncryptFile.exe.pdb and VashRansomwarev2 appear side by side), so treat Genasom as an umbrella name: a hit tells you the sample is ransomware, not which campaign or toolkit it belongs to.

Severity:
Critical
VDM Static Detection:
Relevant strings associated with this threat. The tag in parentheses is the VDM signature type: PEHSTR and PEHSTR_EXT are string signatures matched inside PE files, FILEPATH and REGKEY are file-system and registry indicators, and entries of the form !#HSTR:... reference other Defender string sub-signatures rather than literal strings in the sample. Several entries are fragments, reversed paths or shifted encodings of the real string; match on them as written rather than normalising them:
 - wl.exe CADOff KeysOff MouseOff (PEHSTR)
 - http://www.backdoor-guard.com/index.php?module=pay&msg=win&uid= (PEHSTR)
 - pskill.exe /accepteula wl.exe (PEHSTR)
 - pskill.exe /accepteula iexplore.exe (PEHSTR)
 - otstuk.bat (PEHSTR)
 - locker.exe (PEHSTR)
 - "Software\KJ\Share\DateInfo\Wareki\ (PEHSTR)
 - \amvbak.lnk (FILEPATH)
 - \amediaview.lnk (FILEPATH)
 - \startup\amvbak.lnk (FILEPATH)
 - \startup\amediaview.lnk (FILEPATH)
 - Software\AMediaView (REGKEY)
 - %http://adultfake.ru/members.php (PEHSTR)
 - unixtime.dat (PEHSTR)
 - lnk.lnk (PEHSTR)
 - activate.exe (PEHSTR_EXT)
 - .dll (PEHSTR_EXT)
 - DllCanUnloadNow (PEHSTR_EXT)
 - DllGetClassObject (PEHSTR_EXT)
 - DllRegisterServer (PEHSTR_EXT)
 - DllUnregisterServer (PEHSTR_EXT)
 - .exe (PEHSTR_EXT)
 - C:\WINDOWS\xstopit (PEHSTR_EXT)
 - IEDataFeeder.dll (PEHSTR_EXT)
 - )http://gw.netlinkinvest.com/checkcode.php (PEHSTR)
 - &document=openoffice.2010-fr. (PEHSTR)
 - unlock your computer (PEHSTR_EXT)
 - YOUR COMPUTER IS INFECTED BY SPYWARE !!! (PEHSTR_EXT)
 - firefox.exe" (PEHSTR)
 - opera.exe" (PEHSTR)
 - Jreg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\run"  (PEHSTR)
 - Software\WebMoney\path (PEHSTR)
 - http://%s/_req/?type=%c&sid=%d&sw= (PEHSTR_EXT)
 - avastsvc.exe (PEHSTR_EXT)
 - support.kaspersky.ru/viruses/deblocker (PEHSTR_EXT)
 - attrib +H "C:\Documents and Settings\All Users\ (PEHSTR_EXT)
 - reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\run" /v Shell /t REG_SZ /d (PEHSTR_EXT)
 - mover.bat (PEHSTR_EXT)
 - config.bat (PEHSTR_EXT)
 - hide.bat (PEHSTR_EXT)
 - moving.bat (PEHSTR_EXT)
 - prefetching.txt (PEHSTR_EXT)
 - delock.txt (PEHSTR_EXT)
 - pornhub.com (PEHSTR_EXT)
 - Scr (PEHSTR_EXT)
 - een.jpg (PEHSTR_EXT)
 - r http:/ (PEHSTR_EXT)
 - .Pnet (PEHSTR_EXT)
 - tempsys.exe (PEHSTR_EXT)
 - SOFTWARE\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
 - C:\WINDOWS\system32\xxx_video.exe (PEHSTR_EXT)
 - C:\windows\system32\taskmgr.exe (PEHSTR_EXT)
 - =ADEBITATO UN IMPORTO DI SEIS E DIVIANNOVE EURO (IVA INCLUSA). (PEHSTR) (Italian ransom text, misspelt in the sample: "an amount of six and nineteen euro (VAT included) has been debited")
 -  www.netlinkinvest.com/support/it (PEHSTR)
 -  0H0 >?5@0F8>==0O A8AB5<0 701;>:8@>20=0 70 =0@CH5=85 8A?>;L7>20=8O A5B8 8=B5@=5B. (PEHSTR_EXT) (Cyrillic rendered with each CP1251 letter byte shifted down by 0xB0, leading capital lost; decodes to "[В]аша операционная система заблокирована за нарушение использования сети интернет." = "Your operating system has been locked for violating the rules of Internet use.")
 - System\ControlSet001\Control\SafeBoot\fuck (PEHSTR_EXT)
 - System\ControlSet001\Control\SafeBoot\you (PEHSTR_EXT)
 - HOW TO DECRYPT FILES. (PEHSTR_EXT)
 - SOFTWARE\Microsoft\Internet Explorer\startingp (PEHSTR_EXT)
 - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PEHSTR_EXT)
 - Software\Microsoft\Licenser\aasum (PEHSTR_EXT)
 - taskkill /im (PEHSTR_EXT)
 - \System\DisableTaskMgr (PEHSTR_EXT)
 - \System\DisableRegistryTools (PEHSTR_EXT)
 - SOFTWARE\Microsoft\Internet Explorer (PEHSTR_EXT)
 - Software\Microsoft\Windows NT\CurrentVersion\Winlogon (PEHSTR_EXT)
 - System\CurrentControlSet\Control\SafeBoot (PEHSTR_EXT)
 - delete.bat (PEHSTR)
 - "http://%s/_req/?type=%c&sid=%d&sw= (PEHSTR)
 - avastsvc.exe (PEHSTR)
 - real-goodporno.info (PEHSTR)
 - \Sound.exe (PEHSTR_EXT)
 - System\CurrentControlSet\Control\SafeBoot\ (PEHSTR_EXT)
 - \taskmgr.exe (PEHSTR_EXT)
 - \del.bat (PEHSTR_EXT)
 - %userprofilE%\ (PEHSTR_EXT)
 - \ound (PEHSTR_EXT)
 - HTTP/1.0 (PEHSTR_EXT)
 - /locker.php (PEHSTR_EXT)
 - /f /im explorer.exe (PEHSTR_EXT)
 - taskkill.exe (PEHSTR_EXT)
 - %WinDir%\Win32.exe (PEHSTR_EXT)
 - Now your computer is blocked by newly installed software (PEHSTR_EXT)
 - %s\Identities\%s\svghost.exe (PEHSTR_EXT)
 - \winlock.pdb (PEHSTR_EXT)
 - decodersoft@Safe-mail.net (PEHSTR_EXT)
 - taskkill /F /IM explorer.exe (PEHSTR_EXT)
 - SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (PEHSTR_EXT)
 - Silence_lock_bot.pdb (PEHSTR_EXT)
 - /n/get.php?pin= (PEHSTR_EXT)
 - /n/get.php?ot= (PEHSTR_EXT)
 - We are processing your payment. (PEHSTR_EXT)
 - \Silence_lock_bot\Release\Silence_lock_bot.pdb (PEHSTR_EXT)
 - the1024rsa@i2pmail.org (PEHSTR_EXT)
 - (photos,documents etc.) (PEHSTR_EXT)
 - HOW TO DECRYPT FILES.txt  (PEHSTR_EXT)
 - bat.bat (PEHSTR_EXT)
 - key.reg (PEHSTR_EXT)
 - AdobeReader.exe (PEHSTR_EXT)
 - [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] (PEHSTR_EXT)
 - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] (PEHSTR_EXT)
 - [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] (PEHSTR_EXT)
 - bootstat.dat (PEHSTR_EXT)
 - netsh.exe (PEHSTR_EXT)
 - C:\Serl_log.txt (PEHSTR_EXT)
 - http:// (PEHSTR_EXT)
 - dll (PEHSTR_EXT)
 - \\.\PHYSICALDRIVE0 (PEHSTR_EXT)
 - jsj (PEHSTR_EXT)
 - /konu.php?hwid= (PEHSTR_EXT)
 - \stnenopmoC dellatsnI\puteS evitcA\tfosorciM\ERAWTFOS (PEHSTR_EXT) (reversed: SOFTWARE\Microsoft\Active Setup\Installed Components\)
 - \nuR\noisreVtnerruC\swodniW\tfosorciM\ERAWTFOS (PEHSTR_EXT) (reversed: SOFTWARE\Microsoft\Windows\CurrentVersion\Run\)
 - Page is loading, please wait. This may take up to 30 seconds. (PEHSTR_EXT)
 - dfrg.msc- (PEHSTR_EXT)
 - net share c$ /del (PEHSTR_EXT)
 - net localgroup Administrators Forbidden /add (PEHSTR_EXT)
 - net user Administrator /active:no (PEHSTR_EXT)
 - Fire-toll For SEO Masters.exe (PEHSTR_EXT)
 - system32\lsassw86s.exe -i (PEHSTR_EXT)
 - exeName (PEHSTR_EXT)
 - Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PEHSTR_EXT)
 -  /add (PEHSTR_EXT)
 - @/add (PEHSTR_EXT)
 - @/active:yes (PEHSTR_EXT)
 - Ransom.BL (PEHSTR_EXT)
 - Ransom.PL (PEHSTR_EXT)
 - Ransomware.resources (PEHSTR_EXT)
 - \ransomware_sample\obj\ (PEHSTR_EXT)
 - \ransomware_sample.pdb (PEHSTR_EXT)
 - >C:\Users\ElPro\source\repos\ransom\ransom\obj\Debug\ransom.pdb (PEHSTR)
 - http://b2xhIG0zbiB4ZA.onion (PEHSTR)
 -  http://4kx812nk2SZ93cKz290.onion (PEHSTR)
 - C:\Users\mvj\Music\mehdi ransomware\mehdi update (PEHSTR_EXT)
 - Ransom\Exe\Statik Version\CrypterLastVersion\CrypterLastVersion\obj\Release\JavaEmbededLibrary.pdb (PEHSTR_EXT)
 - -Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR)
 - taskkill /f /im explorer.exe (PEHSTR)
 - \SystemProcess.exe (PEHSTR)
 - jackpot@jabber.cd ( (PEHSTR)
 - INSTRUCTION.txt (PEHSTR)
 - vssadmin.exe delete shadows /all /quiet (PEHSTR_EXT)
 - bcdedit.exe /set {default} recoveryenabled no (PEHSTR_EXT)
 - bcdedit.exe /set {current} bootstatuspolicy ignoreallfailures (PEHSTR_EXT)
 - avp.exe (PEHSTR_EXT)
 - \FILES.txt (PEHSTR_EXT)
 - \\.\pipe\turum (PEHSTR_EXT)
 - avpui.exe (PEHSTR_EXT)
 - main.encrypt (PEHSTR)
 - 3C:/Users/windows/go/src/VashRansomwarev2/Encrypt.go (PEHSTR)
 - .decrypt all your files after paying the ransom (PEHSTR)
 - \GOMER-README.txt (PEHSTR_EXT)
 - \encryptFiles.pdb (PEHSTR_EXT)
 - gomer.ini (PEHSTR_EXT)
 - .gomer (PEHSTR_EXT)
 - readme.txt (PEHSTR_EXT)
 - C:\Users\john\Documents\Visual Studio 2008\Projects\EncryptFile -svcV2\Release\EncryptFile.exe.pdb (PEHSTR_EXT)
 - vssadmin.exe Delete Shadows /All /Quiet (PEHSTR_EXT)
 - bcdedit /set {default} recoveryenabled no (PEHSTR_EXT)
 - bcdedit /set {default} bootstatuspolicy ignoreallfailures (PEHSTR_EXT)
 - .?AV?$clone_im (PEHSTR_EXT)
 - Your purchase is not complete. Please reattempt payment (PEHSTR_EXT)
 - Your system has been corrected. (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
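The strings above are more useful when grouped by the behaviour they reveal. The following is an added example (not Defender's engine and not code from this page) that turns a subset of them into a small static triage scanner: it reads a file, searches each indicator forward and reversed (two entries in the list store registry paths reversed) without regard to case, and reports hits per tactic. The tactic labels, the severity rule and the sample bytes are this example's own; the CP1251 shift used to decode the Cyrillic entry is inferred from how the page renders it.

```python
"""Static string triage of a suspected Genasom sample.

Added example, not Defender's engine or code from the page. It turns the
signature strings above into a behaviour-oriented scanner: each indicator is
searched forward and reversed (two entries in the list store registry paths
reversed), case-insensitively, and hits are grouped by tactic.
"""
import re
import sys


def decode_shifted_cp1251(text):
    """Decode the page's rendering of the Cyrillic indicator, where each
    CP1251 letter byte shows up shifted down by 0xB0 (an inference from the
    page: '0H0 >?5@0F8>==0O ...' becomes 'аша операционная ...').
    Characters outside '0'..'O' (spaces, the final period) are left alone."""
    raw = bytes(ord(c) + 0xB0 if "0" <= c <= "O" else ord(c) for c in text)
    return raw.decode("cp1251")


# The Russian lock-screen text from the list, as the CP1251 bytes a sample carries.
RU_NOTE = decode_shifted_cp1251(
    "0H0 >?5@0F8>==0O A8AB5<0 701;>:8@>20=0 70 =0@CH5=85 8A?>;L7>20=8O A5B8 8=B5@=5B."
).encode("cp1251")

# Literals from the string list above; grouping into tactics is this example's.
INDICATORS = {
    "input_lockout":    [b"CADOff", b"KeysOff", b"MouseOff"],
    "process_kill":     [b"taskkill /f /im explorer.exe", b"pskill.exe /accepteula",
                         b"avastsvc.exe", b"avp.exe", b"avpui.exe"],
    "policy_tamper":    [b"DisableTaskMgr", b"DisableRegistryTools"],
    "persistence":      [b"CurrentVersion\\Run", b"CurrentVersion\\Winlogon",
                         b"Active Setup\\Installed Components", b"\\startup\\"],
    "safeboot_tamper":  [b"Control\\SafeBoot"],
    "recovery_inhibit": [b"vssadmin.exe delete shadows /all /quiet",
                         b"recoveryenabled no", b"bootstatuspolicy ignoreallfailures"],
    "account_tamper":   [b"net user Administrator /active:no",
                         b"net localgroup Administrators Forbidden /add"],
    "ransom_note":      [b"unlock your computer", b"HOW TO DECRYPT FILES",
                         b"INSTRUCTION.txt", b"GOMER-README.txt",
                         b"decrypt all your files after paying the ransom", RU_NOTE],
}
# Tactics that justify escalation on their own (this example's choice).
SEVERE = {"recovery_inhibit", "account_tamper", "safeboot_tamper"}


def compile_patterns():
    """(label, regex) pairs per tactic; each literal matched forward and reversed."""
    return {
        tactic: [(lit.decode("cp1251"), re.compile(re.escape(form), re.IGNORECASE))
                 for lit in literals for form in (lit, lit[::-1])]
        for tactic, literals in INDICATORS.items()
    }


def scan_bytes(data):
    """Return {tactic: sorted labels of the indicators found in data}."""
    hits = {}
    for tactic, pairs in compile_patterns().items():
        found = sorted({label for label, pat in pairs if pat.search(data)})
        if found:
            hits[tactic] = found
    return hits


def verdict(hits):
    """malicious: any severe tactic, or a ransom note plus another tactic;
    suspicious: anything else found; clean: nothing found."""
    tactics = set(hits)
    if tactics & SEVERE or ("ransom_note" in tactics and len(tactics) > 1):
        return "malicious"
    return "suspicious" if tactics else "clean"


def scan_file(path):
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


# Constructed sample bytes for an offline run (not a real file): a locker that
# stores one registry path reversed and embeds the Cyrillic lock-screen text.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"wl.exe CADOff KeysOff MouseOff\x00"
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"[::-1] + b"\x00"
    + b"vssadmin.exe Delete Shadows /All /Quiet\x00"
    + b"unlock your computer\x00" + RU_NOTE + b"\x00"
)

if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_bytes(SAMPLE)
    for tactic, labels in hits.items():
        print(f"{tactic:17s} {'; '.join(labels)}")
    print("verdict:", verdict(hits))
```

Run it with a file path to triage a real sample, or with no arguments to see the constructed sample classified as malicious on the strength of the shadow-copy deletion alone. Reversed matching is cheap and catches the trick the two reversed registry paths show; it does not catch XOR- or base64-encoded strings, which need unpacking first.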
Known malware associated with this threat (one sample; the signature covers many more):
  Filename: 3.exe
  SHA-256:  1a6474f6e3976c8b8b97743ef09d4d7fb6aeb1b04ca8ad4a33b758ada0eacb24
  Date:     29/01/2026
Remediation Steps:
Immediately isolate the infected machine from the network. Perform a full system scan with updated antimalware software to ensure complete removal. Because this family deletes Volume Shadow Copies and disables Windows recovery (the vssadmin and bcdedit strings above), do not count on local recovery: restore encrypted files from clean, offline backups. Before returning the host to service, undo the changes the strings point to: reset the Winlogon Shell value to explorer.exe, remove DisableTaskMgr and DisableRegistryTools from Policies\System, delete the malicious Run values and Startup shortcuts (amvbak.lnk, amediaview.lnk), compare the SafeBoot control keys with a clean host, re-enable the built-in Administrator account if the malware disabled it, and remove any account the malware added to the Administrators group. Block the command-and-control and payment hosts listed above at the proxy or firewall. Investigate the initial compromise vector (e.g., phishing, unpatched software) and implement preventative measures.
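A responder cleaning a host wants those checks as code rather than a checklist. The following is an added example (not a Microsoft tool and not code from this page): audit() evaluates a plain snapshot of the registry values, Startup shortcuts and local Administrators membership against the persistence and policy changes the strings above describe, so the logic can be exercised offline on the constructed snapshot included here; collect_live() builds the same snapshot on a Windows host with winreg. The severity grades, the file-name list, and the two baselines (SAFEBOOT_BASELINE, EXPECTED_ADMINS, which a real run takes from a known-clean host) are this example's assumptions.

```python
"""Post-infection host audit for the persistence and policy changes this
report's strings point to. Added example; not a Microsoft tool or code from
the page. audit() works on a plain snapshot (registry values, Startup
shortcuts, Administrators membership) so it can be tested offline;
collect_live() builds that snapshot on a Windows host with winreg.
"""
import os

EXPECTED_SHELL = "explorer.exe"
# Names the report ties to this family (Run entries, Startup shortcuts);
# matched case-insensitively, as substrings of Run commands.
KNOWN_NAMES = {"locker.exe", "wl.exe", "tempsys.exe", "xxx_video.exe", "win32.exe",
               "svghost.exe", "lsassw86s.exe", "sound.exe", "systemprocess.exe",
               "amvbak.lnk", "amediaview.lnk", "lnk.lnk"}
RANK = {"critical": 0, "high": 1, "medium": 2}


def audit(snapshot, expected_admins, safeboot_baseline):
    """Return (severity, finding, fix) tuples, worst first. Snapshot layout:
    winlogon_shell {"HKLM": str, "HKCU": str}; policies {name: dword};
    run {value: command}; safeboot [subkey]; startup_lnks [file];
    admins [member]; administrator_enabled bool. The two baselines are
    assumed to come from a known-clean host."""
    f = []
    shells = snapshot["winlogon_shell"]
    if shells.get("HKLM", "").strip().lower() != EXPECTED_SHELL:
        f.append(("critical", f"HKLM Winlogon Shell = {shells.get('HKLM')!r}",
                  "reset Shell to explorer.exe"))
    if shells.get("HKCU"):
        f.append(("critical", f"per-user Winlogon Shell = {shells['HKCU']!r}",
                  "delete the HKCU Shell value"))
    for name in ("DisableTaskMgr", "DisableRegistryTools"):
        if snapshot["policies"].get(name) == 1:
            f.append(("high", f"Policies\\System\\{name} = 1", f"delete {name}"))
    for value, cmd in snapshot["run"].items():
        if any(n in cmd.lower() for n in KNOWN_NAMES):
            f.append(("critical", f"Run value {value!r} -> {cmd}",
                      "delete the value and quarantine the target"))
    for lnk in snapshot["startup_lnks"]:
        if lnk.lower() in KNOWN_NAMES:
            f.append(("critical", f"Startup shortcut {lnk}",
                      "delete it and the file it launches"))
    for key in snapshot["safeboot"]:
        if key not in safeboot_baseline:
            f.append(("high", f"unexpected SafeBoot\\Minimal subkey {key!r}",
                      "compare with a clean host and remove it"))
    for member in snapshot["admins"]:
        if member not in expected_admins:
            f.append(("high", f"unexpected Administrators member {member!r}",
                      "remove it from the group and disable the account"))
    if not snapshot["administrator_enabled"]:
        f.append(("medium", "built-in Administrator account is disabled",
                  "re-enable it only if it was enabled before the incident"))
    return sorted(f, key=lambda t: RANK[t[0]])


def _reg(winreg, root, path, want="values"):
    """Values {name: data} or subkey names under a key; empty when missing."""
    try:
        with winreg.OpenKey(root, path) as key:
            n_sub, n_val, _ = winreg.QueryInfoKey(key)
            if want == "subkeys":
                return [winreg.EnumKey(key, i) for i in range(n_sub)]
            return dict(winreg.EnumValue(key, i)[:2] for i in range(n_val))
    except OSError:
        return [] if want == "subkeys" else {}


def collect_live(admins, administrator_enabled):
    """Snapshot a live Windows host. Account facts are passed in (read them
    from 'net localgroup Administrators' and 'net user Administrator');
    returns None where winreg is unavailable."""
    try:
        import winreg
    except ImportError:
        return None
    HKLM, HKCU = winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER
    winlogon = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    run = r"Software\Microsoft\Windows\CurrentVersion\Run"
    startup = os.path.join(os.environ.get("APPDATA", ""),
                           r"Microsoft\Windows\Start Menu\Programs\Startup")
    return {
        "winlogon_shell": {"HKLM": _reg(winreg, HKLM, winlogon).get("Shell", ""),
                           "HKCU": _reg(winreg, HKCU, winlogon).get("Shell", "")},
        "policies": _reg(winreg, HKCU, r"Software\Microsoft\Windows\CurrentVersion\Policies\System"),
        "run": {**_reg(winreg, HKLM, run), **_reg(winreg, HKCU, run)},
        "safeboot": _reg(winreg, HKLM, r"SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal", "subkeys"),
        "startup_lnks": os.listdir(startup) if os.path.isdir(startup) else [],
        "admins": list(admins), "administrator_enabled": administrator_enabled,
    }


# Constructed snapshot of a host hit by a Genasom-style locker (not real data).
SAMPLE_SNAPSHOT = {
    "winlogon_shell": {"HKLM": r"explorer.exe,C:\WINDOWS\Win32.exe", "HKCU": ""},
    "policies": {"DisableTaskMgr": 1, "DisableRegistryTools": 1},
    "run": {"Shell": r"C:\WINDOWS\system32\xxx_video.exe",
            "OneDrive": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    "safeboot": ["Base", "Boot Bus Extender", "fuck", "you"],
    "startup_lnks": ["amvbak.lnk", "desktop.ini"],
    "admins": ["Administrator", "Forbidden"],
    "administrator_enabled": False,
}
SAFEBOOT_BASELINE = {"Base", "Boot Bus Extender"}   # from a clean host (assumed)
EXPECTED_ADMINS = {"Administrator"}                  # from the asset record (assumed)

if __name__ == "__main__":
    for severity, what, fix in audit(SAMPLE_SNAPSHOT, EXPECTED_ADMINS, SAFEBOOT_BASELINE):
        print(f"[{severity}] {what} -> {fix}")
```

On a Windows host run audit(collect_live(admins, enabled), EXPECTED_ADMINS, SAFEBOOT_BASELINE) with the account facts taken from net localgroup Administrators and net user Administrator, and take the SafeBoot baseline from a clean machine of the same build, since the list of legitimate SafeBoot\Minimal subkeys varies by Windows version.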
=== END REPORT ===
This analysis was last updated on 29/01/2026.