Uncovering a Link to the SharePoint Vulnerability Attacks


Executive Summary

Unit 42 observed notable overlaps between Microsoft’s reporting on ToolShell activity (an exploit chain affecting SharePoint vulnerabilities) and activity that we have been separately tracking. The activity, which we track as CL-CRI-1040, caught our attention by deploying a tool set that we call Project AK47, which includes a backdoor, ransomware and loaders.

Microsoft’s report named a suspected China-based threat actor, Storm-2603. Based on our analysis of host- and network-based artifacts, we assess with high confidence that Storm-2603 is related to the activity cluster that we track as CL-CRI-1040. We initially noted this in our threat brief covering exploitation of recent SharePoint vulnerabilities, and here further expand on our observations. (See Table 1 in the body of this article for clarification of the connection.)

Our key findings are:

  • CL-CRI-1040 is a cluster of financially motivated activity involving the ToolShell exploit chain
  • CL-CRI-1040 involves a custom tool set called Project AK47
  • Project AK47 includes:
    • A backdoor nicknamed AK47C2 that supports multiple protocols
    • Ransomware nicknamed AK47/X2ANYLOCK
    • Loaders abusing DLL side-loading
  • CL-CRI-1040 was formerly identified as activity from a LockBit 3.0 affiliate and has recently been linked to a double-extortion site operating under the name Warlock Client

This threat research article includes both findings we can confidently attribute to CL-CRI-1040 and observations that remain at lower levels of certainty.

Palo Alto Networks customers are better protected from the threats discussed in this article through the products listed in the Palo Alto Networks Protection and Mitigation section below.

For more information about protection against the ToolShell exploit chain, please see our threat brief on active exploitation of recent SharePoint vulnerabilities.

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

CL-CRI-1040

CL-CRI-1040 has been active since at least March 2025. Based on overlaps in host- and network-based artifacts from the Microsoft report, we have high confidence that the CL-CRI-1040 activity cluster represents the same threat actor nicknamed Storm-2603, which Microsoft observed exploiting recent vulnerabilities in SharePoint through the ToolShell exploit chain. The recent SharePoint vulnerabilities are designated CVE-2025-49704, CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771.

Microsoft assessed Storm-2603 as a China-based threat actor, as of late July, but we do not have enough direct evidence to confidently attribute CL-CRI-1040 to any nation-state or cybercriminal entity. Prior to the SharePoint ToolShell exploitation campaign, however, we had already observed malicious activity from this cluster using a tool set we call Project AK47.

We have also observed CL-CRI-1040 deploying an IIS backdoor that is commonly misused within a Chinese-speaking community, which could indicate a connection to the Chinese nexus.

Retrospective investigation of CL-CRI-1040 revealed several pieces of evidence to support our assessment of this activity cluster as financially motivated. We confirmed that CL-CRI-1040 was formerly associated with a LockBit 3.0 affiliate and has recently been operating a double-extortion data leak site known as Warlock Client Leaked Data Show. However, considering that CL-CRI-1040 activity appeared alongside espionage-motivated actors in Microsoft’s report, we cannot entirely rule out the possibility of nation-state motivation or cooperation between threat actors.

While we further describe the connections throughout this article, Figure 1 below illustrates an overview of the overlaps between Storm-2603 and CL-CRI-1040. Table 1 details how this discussion relates to the Microsoft report.

Figure 1. An overview of indicators of compromise (IoC) overlaps between Storm-2603 and CL-CRI-1040.

Research Origin | Cluster/Group | Activity | Tools | Significance
Unit 42 | CL-CRI-1040 | Financially motivated activity involving the ToolShell exploit chain | Project AK47: backdoor, ransomware, loaders | Based on our analysis of host- and network-based artifacts, we assess with high confidence that Storm-2603 is identical to the activity cluster that we track as CL-CRI-1040.
Microsoft | Storm-2603 | Exploiting SharePoint vulnerabilities to deploy ransomware | Microsoft “has observed this threat actor deploying Warlock and Lockbit ransomware in the past” |

Table 1. Microsoft’s report covers the activity of several threat actors. In this article, we detail our observations of CL-CRI-1040, which we assess with high confidence represents the activity of the same threat actor as Storm-2603.

Project AK47

Project AK47 is a collection of malware used in CL-CRI-1040 that has likely been under development since at least March 2025. Project AK47 consists of several sub-projects, including the following:

  • A multi-protocol supporting backdoor named AK47C2
  • Custom ransomware named AK47 ransomware (also known as X2ANYLOCK)
  • A set of other supporting tools

We named this tool set based on its common PDB (Program Database) filepath names, as shown below in Figure 2.

Screenshot of four computer file paths in a list highlighting the ak47c2 portion of each path.
Figure 2. Examples of PDB filepaths of Project AK47.

According to the PDB filepath, Project AK47 can be divided into two main sub-projects:

  • AK47C2
    • This sub-project contains tools named dnsclient and httpclient
  • AK47
    • This sub-project contains tools named writenull, encrypt, 7zdllhijacked and dll_hijacked, shown in Figure 3 below

Diagram titled "Project AK47" showing two branches. The first branch, labeled "AK47C2," includes details of a DNS-based backdoor and an HTTP-based backdoor. The second branch, labeled "AK47," lists a prototype of AK47/X2ANYLOCK ransomware, an encrypt tool, and a loader of AK47/X2ANYLOCK ransomware.
Figure 3. The structure of Project AK47.

AK47C2

AK47C2 is designed as a multi-protocol supporting backdoor. The protocols supported include DNS and HTTP, referred to as dnsclient and httpclient respectively, based on their PDBs. These two backdoor instances share the following functionality:

  • Commands
  • Command and control (C2) communication request and response format
  • Encryption algorithm
  • XOR key

The capability of these backdoors is straightforward, supporting the following features:

  • Setting sleep duration
  • Executing an arbitrary command

According to IoCs shared by Microsoft, attackers deployed both the dnsclient and httpclient components of AK47C2 as payloads for the ToolShell exploits.

Dnsclient

The dnsclient has been under development since at least early March 2025. The current variant uses DNS to communicate with the C2 server, as its PDB name indicates.

  • C:\Users\Administrator\Desktop\work\tools\ak47c2\dnsclinet-c\dnsclient\x64\Release\dnsclient.pdb

The method of C2 communication varies depending on the date of the sample. An early stage of dnsclient that we have called version 202503 was packed using UPX. Version 202503 was likely a test build because it contains several verbose error messages and uses a private IP address as its DNS server, as noted in the code snippet shown below in Figure 4.

Image displaying a segment of computer code in a programming language, featuring function calls. The code includes conditional checks and error log messages related to memory allocation and DNS server IP validation.
Figure 4. Code snippet from version 202503 of dnsclient showing a private IP address of 10.7.66[.]10 as its DNS server.

Version 202503 of dnsclient communicates with the C2 server by XOR-encoding JSON data, converting it into a hexadecimal string and then sending it as a subdomain of the hard-coded server at update.updatemicfosoft[.]com. The XOR key (VHBD@H) is hard-coded in the binary and is shared among other AK47C2 samples.

Figure 5 below illustrates the encoding algorithm to generate subdomains on the initial C2 check-in to receive a backdoor command.

Illustration demonstrating the process of DNS exfiltration using randomized characters and the XOR operation, concluding with a conversion to hexadecimal and alignment with DNS subdomain mask length.
Figure 5. The encoding algorithm of the dnsclient version 202503.

The response of the C2 server is contained in a DNS TXT record encoded by the same algorithm. The decoded response uses the following format in JSON:

Version 202503 of dnsclient supports executing multiple arbitrary commands but does not support sleep duration management. The command execution result is sent in the following JSON format, encoded with the same algorithm:

However, this implementation might generate a subdomain longer than the maximum length of a DNS query (255 bytes). To avoid this, dnsclient fragments the request data and sends it in multiple queries. It prepends s to the domain name in the DNS query to indicate the query represents fragmented data.

In early April 2025, the developer updated the dnsclient protocol to simplify it and improve its reliability; we have named this version 202504. In this version, the initial request to receive a backdoor command during C2 check-in generates a slightly different DNS subdomain, as shown below in Figure 6. The notable changes are that it no longer uses JSON and that it prepends 1 to a random five-character session key to tell the C2 server that it is a task request.

Image showing a diagram explaining a process to generate a unique subdomain using random characters, XOR operations, hostname, and conversion to hexadecimal.
Figure 6. The encoding algorithm of dnsclient version 202504.

The TXT record in the DNS response is also encoded by the same algorithm, but the decoded data differs from the version 202503 of dnsclient as follows:

Version 202504 of dnsclient verifies the session key on the client side and performs a backdoor routine based on the received command. When sending execution results, version 202504 behaves like version 202503: it fragments the results if the encoded data is too long and prepends s to the random session key. To finalize the message, it prepends 2 to the first substring session key and a to the second substring session key.

Httpclient

The httpclient has been under development since at least late March 2025 and supports HTTP communication with the C2 server, as its PDB name indicates.

  • C:\Users\Administrator\Desktop\work\tools\ak47c2\httpclient-cpp\x64\Release\httpclient-cpp.pdb

The encoding algorithm and XOR key are the same as those used in dnsclient version 202503, and httpclient likewise uses JSON to send and receive messages. The original message of the C2 check-in appears as follows:

The encoded hexadecimal string is stored in the HTTP body and sent to the C2 server using the POST method. The httpclient uses curl for network communication, as noted in the curl options (CURLOPT) shown in the code snippet in Figure 7 below.

A screenshot of computer code in an editor, displaying functions and commands primarily related to the curl library for handling internet protocols. Text is in shades of blue, green, and grey.
Figure 7. Code snippet of httpclient indicating the use of curl to communicate over HTTP.
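As an added example (not code from Unit 42 or from Project AK47), the following Python decodes the check-in encoding described above for both dnsclient version 202503 and httpclient, and runs a domain-agnostic hunt heuristic over resolver log lines. It assumes that the hex string occupies the labels left of the C2 domain with an optional leading s fragment marker; the log lines and the JSON message inside them are constructed, and the version 202504 session-key framing is not covered.

```python
import re
from typing import Dict, List, Optional, Tuple

XOR_KEY = b"VHBD@H"                       # shared AK47C2 XOR key (from the page)
C2_DOMAIN = "update.updatemicfosoft.com"  # hard-coded dnsclient C2 domain (from the page)
FRAGMENT_MARKER = "s"                     # dnsclient marks fragmented data with a leading 's'


def xor_bytes(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; symmetric, so the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_hex_payload(payload: str) -> Optional[str]:
    """hex string -> XOR with the key -> UTF-8 text, or None if the input is not hex."""
    try:
        raw = bytes.fromhex(payload)
    except ValueError:
        return None
    return xor_bytes(raw).decode("utf-8", errors="replace")


def decode_dns_query(qname: str) -> Optional[Tuple[bool, str]]:
    """Return (is_fragment, plaintext) for a query under the C2 domain, else None.
    Assumption (the page does not give the exact layout): the labels left of the
    C2 domain, joined, form the hex string, optionally led by the 's' marker."""
    name = qname.rstrip(".").lower()
    suffix = "." + C2_DOMAIN
    if not name.endswith(suffix):
        return None
    payload = name[: -len(suffix)].replace(".", "")
    is_fragment = payload.startswith(FRAGMENT_MARKER)
    if is_fragment:
        payload = payload[len(FRAGMENT_MARKER):]
    text = decode_hex_payload(payload)
    return None if text is None else (is_fragment, text)


def decode_http_body(body: str) -> Optional[str]:
    """The httpclient POST body carries the same hex string without DNS framing."""
    return decode_hex_payload(body.strip())


def looks_like_hex_tunnel(qname: str, min_hex_chars: int = 16) -> bool:
    """Domain-agnostic hunt heuristic for the same encoding under a domain not yet
    on a block list: any label below an assumed two-label registrable domain that
    is a long run of hex, optionally led by 's'. min_hex_chars is a tuning knob."""
    labels = qname.rstrip(".").lower().split(".")
    pattern = re.compile(r"s?[0-9a-f]{%d,}" % min_hex_chars)
    return any(pattern.fullmatch(label) for label in labels[:-2])


# Constructed resolver log lines (not real telemetry). The JSON inside the first
# query is a placeholder: the page does not give the real AK47C2 field names.
SAMPLE_DNS_LOG = [
    "2025-04-02T09:12:03Z src=10.0.0.5 qtype=TXT qname=2d6a2129246a6c6a2b206235.update.updatemicfosoft.com",
    "2025-04-02T09:12:04Z src=10.0.0.5 qtype=A qname=www.example.com",
    "2025-04-02T09:12:05Z src=10.0.0.7 qtype=TXT qname=s21202d252d21.update.updatemicfosoft.com",
    "2025-04-02T09:12:06Z src=10.0.0.9 qtype=TXT qname=2d6a2129246a6c6a2b206235.lookalike.example",
]


def scan_dns_log(lines: List[str]) -> List[Dict[str, object]]:
    """One record per query that decodes under the known C2 domain or that the
    domain-agnostic heuristic flags; benign queries are dropped."""
    findings = []
    for line in lines:
        m = re.search(r"src=(\S+) qtype=(\S+) qname=(\S+)", line)
        if not m:
            continue
        src, qtype, qname = m.groups()
        decoded = decode_dns_query(qname)
        suspect = looks_like_hex_tunnel(qname)
        if decoded is None and not suspect:
            continue
        findings.append({"src": src, "qtype": qtype, "qname": qname,
                         "known_c2": decoded is not None,
                         "fragment": decoded[0] if decoded else None,
                         "plaintext": decoded[1] if decoded else None,
                         "hex_tunnel_suspect": suspect})
    return findings


if __name__ == "__main__":
    for finding in scan_dns_log(SAMPLE_DNS_LOG):
        print(finding)
```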

AK47 Ransomware (Aka X2ANYLOCK Ransomware)

While analyzing AK47C2, we found an interesting PDB, indicating possible ransomware as a sub-project of Project AK47:

  • C:\Users\Administrator\Desktop\work\tools\ai\ak47\cpp\encrypt\encrypt\x64\Release\encrypt.pdb

The use of encrypt in the PDB filepath name was not a coincidence, and our investigation revealed a ransomware written in C++ that we dubbed AK47 ransomware. However, due to the .x2anylock file extension added to encrypted files, this malware is publicly referred to as X2ANYLOCK ransomware. Although we found several reports of victims and auto-generated pages related to this ransomware, at the time of writing we had seen no technical analysis on AK47/X2ANYLOCK ransomware.

The earliest version of AK47 ransomware, observed in early April 2025, has a slightly different PDB, using writenull instead of encrypt in the file path name:

  • C:\Users\Administrator\Desktop\work\tools\ai\ak47\writenull\x64\Release\writenull.pdb

The sample carrying this PDB did not implement file encryption, only ransom note creation. It was likely a prototype of AK47 ransomware.

Based on its compilation time, a sample of the fully implemented AK47 ransomware might have been compiled a few days after the likely prototype. The capabilities of this ransomware are typical of other ransomware families. AK47 ransomware can perform the following actions:

  • Terminating several applications
  • Enumerating all possible logical drives and network shares
  • Encrypting specific types of files using a combination of AES and RSA, while excluding specified directories and files
  • Dropping ransom notes (How to decrypt my data.txt or How to decrypt my data.log)

To potentially evade detection, the ransomware checks the Date Modified timestamp of specific objects (listed in Appendix A). If the timestamp is on or after June 6, 2026, the ransomware terminates itself, as the code snippet in Figure 8 below shows.

A screenshot displaying a segment of computer code in a text editor, including file paths, system time function, and conditional statements. The code involves file operations and system time checks in a programming environment.
Figure 8. Code snippet of AK47 ransomware showing the timestamp check routine.

The ransom note is embedded in the AK47 ransomware binary without encryption or encoding. Figure 9 below shows an example of the ransom note. The decrypt ID differs with each binary, but the Tox ID to communicate with the threat actor is the same across all AK47 ransomware variants.

The image shows text providing contact information, listing both a QTox ID and an Email Support address, with email hosted at Proton.me. The decryption ID is redacted.
Figure 9. Example of a ransom note generated by AK47 ransomware.

Is This Warlock Ransomware?

According to the Microsoft report, Storm-2603 has previously deployed ransomware named Warlock. However, since we have not found any common indicators between AK47/X2ANYLOCK ransomware from CL-CRI-1040 and Warlock ransomware from Microsoft’s article, we cannot conclusively determine the relationship between these two ransomware families.

Loaders

In addition to the AK47C2 backdoor and AK47/X2ANYLOCK ransomware, we found other sub-projects that support executing the payload via DLL side-loading, as the following PDBs show.

  • C:\Users\Administrator\Desktop\work\tools\ai\ak47\cpp\dll_hijacked\dll_hijacked\x64\Release\dllhijacked.pdb
  • C:\Users\Administrator\Desktop\work\tools\ai\ak47\cpp\7zdllhijacked\7zdllhijacked\x64\Release\My7zdllhijacked.pdb

These loaders are designed to be loaded via a legitimate executable (7z.exe in this case) and invoke the entrypoint of the AK47 ransomware DLL, as shown below in Figure 10.

Screenshot of a computer screen displaying a list of function names and memory addresses, highlighting "GetModuleProp" and "DllEntryPoint," with the first marked as the main entry point of the malicious routine and the latter marked as the main entry.
Figure 10. Entrypoint of AK47 ransomware.

Other Tools

During our investigation, we encountered a RAR archive named Evidencia.rar containing the following:

  • A copy of the AK47C2 dnsclient
  • AK47 ransomware
  • Several hacking tools

While the source is unknown, the directory structure (Evidencia.rar\Directorio_Public) and included files indicate this RAR archive is possibly a package of the Public directory from a victim machine. If so, the hacking tools in this archive may be part of the arsenal for CL-CRI-1040. Table 2 below shows notable files from Evidencia.rar.

Filename | SHA256 Hash | File Description
nxc.exe | 0f4b0d65468fe3e5c8fb4bb07ed75d4762e722a60136e377bdad7ef06d9d7c22 | PyPyKatz
SharpHostInfo.x64.exe | d6da885c90a5d1fb88d0a3f0b5d9817a82d5772d5510a0773c80ca581ce2486d | SharpHostInfo
7z.exe | e7a7cd756dfeacbdc8caa0d431f9192cb10d62da119b138fca65276ff4ab6958 | A legitimate executable
7z.dll | abb0fa128d3a75e69b59fe0391c1158eb84a799ddb0abc55d2d6be3511ef0ea1 | Loader for AK47 ransomware
masscan_1.3.0.exe | 5cc047a9c5bb2aa6a9581942b9d2d185815aefea06296c8195ca2f18f2680b3e | masscan
sd.exe | f01675f9ca00da067bdb1812bf829f09ccf5658b87d3326d6fddd773df352574 | SharpAdidnsdump
PsExec64.exe | edfae1a69522f87b12c6dac3225d930e4848832e3c551ee1e7d31736bf4525ef | PsExec
PsExec.exe | 078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b | PsExec
ip.exe | f185c91e62ca38494d7f125492058028028769a86ed169bd2fb051e43fd9fb70 | A CSV file
clink_x86.exe | 011b31d7e12a2403507a71deb33335d0e81f626d08ff68575a298edac45df4cb | A legitimate executable
bbb.msi | 3b013d5aec75bf8aab2423d0f56605c3860a8fbd4f343089a9a8813b15ecc550 | LockBit 3.0 ransomware dropper
clink_dll_x86.dll | dbf5ee8d232ebce4cd25c0574d3a1ab3aa7c9caf9709047a6790e94d810377de | Loader for LockBit 3.0 ransomware

Table 2. Notable files from the Evidencia.rar archive.

Of note, the LockBit 3.0 ransomware files in Table 2 are important evidence for our attribution.

Retrospective Investigation

Our investigation of CL-CRI-1040 attacks revealed evidence of previous ransomware activities, including LockBit 3.0 and Warlock Client ransomware. This evidence led us to assess with high confidence that CL-CRI-1040 is financially motivated. Figure 11 provides an overview of the activities we’ve attributed to CL-CRI-1040.

Diagram illustrating the LockBit 3.0 ransomware's use by CL-CRI-1040 and Storm-2603. It shows connections and interactions, such as 'use' and 'grant access', between various elements and entities.
Figure 11. An overview of the activities we attribute to CL-CRI-1040.

Alleged LockBit 3.0 Affiliate

During our investigation on the Tox ID (3DCE1C43491FC92EA7010322040B254FDD2731001C2DDC2B9E819F0C946BDC3CD251FA3B694A) from the AK47 ransomware note, we discovered a database dump file associated with LockBit 3.0 ransomware.

In May 2025, an unknown actor compromised LockBit 3.0 infrastructure and leaked a database dump of the ransomware’s operations. This leaked dump file contains:

  • Negotiation messages
  • Bitcoin wallet addresses
  • Affiliated user information
  • Operational details

In this LockBit 3.0 dump file, the username wlteaml is associated with the same Tox ID used in the AK47 ransomware note. The username wlteaml was registered as a LockBit 3.0 user on April 22, 2025, as shown in Figure 12.

Screenshot of computer code displayed in a text editor with a black background and white text. The code includes functions and variable declarations written in Python. A Tox ID is highlighted in red on the second line.
Figure 12. Same Tox ID in the LockBit dumped database.

The database indicates that wlteaml is the last user registered as a LockBit 3.0 affiliate before the data leak. We believe the letters in the username wlteaml might stand for warlock team LockBit and indicate a tie to Warlock Client ransomware.

Let’s revisit the LockBit 3.0 ransomware files contained in the above-mentioned RAR archive (Evidencia.rar).

Bbb.msi is a malicious installer that works as a dropper for the LockBit 3.0 ransomware loader. This MSI file drops two components:

  • clink_x86.exe – This is a legitimate application misused to sideload the latter malicious DLL.
  • clink_dll_x86.dll – This DLL is completely different from any other sub-projects of Project AK47. It performs several known anti-analysis and anti-debugging techniques, decrypts a shellcode and runs it within a legitimate DLL (d3dl1.dll) by using the DLL hollowing technique.

The final payload executed by the in-memory shellcode is unmistakably LockBit 3.0. Figure 13 shows the disassembled code of a unique entrypoint from the LockBit 3.0 ransomware sample. This code invokes ransomware behavior, associated functions and meaningless Windows API calls, as an analysis report on LockBit 3.0 previously described.

A screenshot showing a portion of code in a programming environment, with numerous "call" statements invoking functions. The top section with a red background shows the ransomware behavior functions. The section below it with the green background shows meaningless Windows API calls.
Figure 13. Disassembled code snippet from the LockBit 3.0 ransomware sample entrypoint.

The timeline for this sample is unusual, because the first submission date of this sample to VirusTotal was April 16, 2025, but the associated wlteaml user registration on the LockBit 3.0 portal was April 22, 2025. While we cannot yet explain this timeline gap, the inclusion of the LockBit 3.0 instance in the same archive as Project AK47 components does not seem to be a mere coincidence.

Warlock Client Leaked Data Show

The AK47 ransomware Tox ID shows another link to the Warlock ransomware group, which emerged in June 2025. The ransomware’s leak site on the dark web is named Warlock Client Leaked Data Show, and it displays the same Tox ID as AK47 ransomware for negotiation with its victims.

While the website is inaccessible as of late July, we confirmed the same Tox ID from a publicly available screenshot. However, we haven’t yet observed any actual ransomware used by the threat actor behind this leak site. Therefore, we lack any evidence to determine whether the AK47 ransomware has been used by the Warlock ransomware group.

On the other hand, Microsoft mentioned that Storm-2603 has previously deployed Warlock ransomware. However, since the report shares no indicators of Warlock ransomware binaries, we cannot confirm if the Warlock mentioned by Microsoft is identical to that used by the Warlock Client Leaked Data Show.

Conclusion

Our analysis reveals overlaps between recent ToolShell exploit activity and the activity of a cluster that we track as CL-CRI-1040. This article also covers the Project AK47 tool set in detail and describes the considerations behind our attribution. This information reveals a continuously evolving threat and a complex situation behind the attacks.

Palo Alto Networks Protection and Mitigation

Palo Alto Networks customers are better protected from the threats discussed above through the following products:

  • The Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the indicators shared in this research.
  • Advanced URL Filtering and Advanced DNS Security identify known domains and URLs associated with this activity as malicious.
  • Cortex XDR and XSIAM combine several layers of protection to prevent both known and unknown malware from causing harm to endpoints, including those mentioned in this article.

For more information about protection against the ToolShell exploit chain, please see our threat brief on active exploitation of recent SharePoint vulnerabilities.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
  • UK: +44.20.3743.3660
  • Europe and Middle East: +31.20.299.3130
  • Asia: +65.6983.8730
  • Japan: +81.50.1790.0200
  • Australia: +61.2.4062.7950
  • India: 00080005045107

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Indicators of Compromise


Appendix A: List of Objects Checked by AK47 Ransomware

  • C:\Windows\System32\perfc009.dat
  • C:\Windows\System32\perfh009.dat
  • C:\Windows\System32\PerfStringBackup.ini
  • C:\Windows\bootstat.dat
  • C:\Windows\WindowsUpdate.log
  • C:\Windows\Temp\
  • C:\Users\*\AppData\Local\Temp\
  • C:\Users\*\Local\Temp\

Appendix B: List of Objects Ignored by AK47 Ransomware

  • autorun.inf
  • boot.ini
  • bootfont.bin
  • bootsect.bak
  • bootmgr
  • bootmgr.efi
  • bootmgfw.efi
  • desktop.ini
  • iconcache.db
  • ntldr
  • ntuser.dat
  • ntuser.dat.log
  • ntuser.ini
  • thumbs.db
  • Program Files
  • Program Files (x86)
  • #recycle
  • How to decrypt my data.txt
  • decryptiondescription.pdf
  • config.json
  • Important!!!.pdf

Appendix C: List of File Extensions Ignored by AK47 Ransomware

  • .x2anylock
  • .386
  • .adv
  • .ani
  • .bat
  • .bin
  • .cab
  • .cmd
  • .com
  • .cpl
  • .cur
  • .deskthemepack
  • .diagcab
  • .diagcfg
  • .diagpkg
  • .dll
  • .drv
  • .exe
  • .hlp
  • .icl
  • .icns
  • .ico
  • .ics
  • .idx
  • .ldf
  • .lnk
  • .mod
  • .mpa
  • .msc
  • .msp
  • .msstyles
  • .msu
  • .nls
  • .nomedia
  • .ocx
  • .prf
  • .ps1
  • .rom
  • .rtp
  • .scr
  • .shs
  • .spl
  • .sys
  • .theme
  • .themepack
  • .wpx
  • .lock
  • .key
  • .hta
  • .msi
  • .pdb
  • .search-ms


