Adware Reports: malware removal guides and threat research for Windows users
Threat report

Trojan.Ransom.Loki.CQQ (file analysis)

Published Apr 9, 2024 (category: Ransom)
Report context

What to verify before removal

Trojan.Ransom.Loki.CQQ (file analysis) should be handled as a recovery-sensitive report, not as a routine deletion task. Before removing files, isolate the affected system and compare the detection with the notes below so encrypted data, restore points, and backups are not damaged.

Two caveats follow from the data in this report. First, the file name B4F8AB8E00B348A1410D.mlw is the sandbox's name for the sample (the first 20 characters of its MD5, upper-cased, plus a .mlw extension); on an infected host the file will carry a different name (its embedded OriginalFilename is pyKCgxpcx.exe, and the sample copies itself), so match on the SHA-256 or MD5 listed under File Info rather than on the name. Second, "Ransom" in the label is a family name from one engine; the sandbox behaviour notes show process injection, a scheduled task and system fingerprinting but no file encryption, and most other vendors classify the sample as an MSIL information stealer or remote access trojan (AgentTesla/Agensla, NanoCore, Remcos). Still review the behaviour notes for file-encryption activity, ransom notes, renamed documents, and unexpected recovery blockers to confirm or rule out a ransomware stage, but also plan credential resets for accounts used on the host, since a stealer may already have exported them. Either way, a matching hash is what separates this detection from a different file that only shares a similar alert name.

Observed file
B4F8AB8E00B348A1410D.mlw (sandbox name; SHA-256 c4a6245679676f18ab309dc7ca39ad7e70806bac16dd31af1f769bca84044f47)
  • Hash the suspicious file and compare the digests with the MD5, SHA-1 and SHA-256 values under File Info; a matching or similar file name on its own proves nothing.
  • Confirm the detection name matches Trojan.Ransom.Loki.CQQ (file analysis) before removing related files.
  • Review the report for file-encryption activity, ransom notes, renamed documents, and unexpected recovery blockers so the cleanup is based on observed behavior, not only the label.
  • Disconnect the machine from the network before recovery work and avoid deleting encrypted samples until backups are checked; keep the suspect binary in quarantine rather than deleting it, so it can be hashed and retained as evidence.

Trojan.Ransom.Loki.CQQ is flagged as malicious by almost every antivirus engine in the list below. While the infection is active you may notice unfamiliar processes in Task Manager, but note that the sample injects code into other processes (process hollowing and CreateRemoteThread injection are both in the behaviour notes), so it can also run under the name of a legitimate program. In either case, scan the computer with GridinSoft Anti-Malware.

What can Trojan.Ransom.Loki.CQQ do?

Behaviour signatures reported by the CAPE sandbox for this sample:

  • Behavioural detection: Executable code extraction – unpacking
  • Reads data out of its own binary image
  • CAPE extracted potentially suspicious content
  • The binary likely contains encrypted or compressed data.
  • Authenticode signature is invalid
  • Uses Windows utilities to create a scheduled task
  • Behavioural detection: Injection (Process Hollowing)
  • Behavioural detection: Injection (inter-process)
  • Behavioural detection: Injection with CreateRemoteThread in a remote process
  • CAPE detected the NanoCore malware family
  • Creates a copy of itself
  • Deletes executed files from disk
  • Collects information to fingerprint the system
  • Yara detections observed in process dumps, payloads or dropped files
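
Of the signatures above, the ones you can hunt for on a live host are the scheduled task ("Uses Windows utilities to create a scheduled task") and the self-copy ("Creates a copy of itself"). The script below is an added example, not code from the original report or from CAPE. It parses the CSV that `schtasks /query /v /fo csv` writes, pulls the program path out of each task's "Task To Run" column, flags tasks whose binary lives in a user-writable folder or is named pyKCgxpcx.exe (the OriginalFilename in this sample's version resource), and, where the file exists, hashes it against the report's SHA-256. The rows in SAMPLE_CSV are constructed for the example; the column names are those schtasks prints, and the list of user-writable path fragments is an assumption you should extend for your environment.

```python
import csv
import hashlib
import io
import ntpath
import os

# Indicators copied from this report's File Info and Version Info sections.
REPORT_SHA256 = "c4a6245679676f18ab309dc7ca39ad7e70806bac16dd31af1f769bca84044f47"
REPORT_ORIGINAL_FILENAME = "pykcgxpcx.exe"  # compared case-insensitively

# Path fragments a legitimate scheduled task rarely launches from (assumed list, extend as needed).
# Both expanded paths and the unexpanded %VAR% forms schtasks may print are covered.
USER_WRITABLE_MARKERS = (
    "\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\",
    "%appdata%", "%localappdata%", "%temp%", "%tmp%",
)


def extract_executable(command: str) -> str:
    """Return the program path from a 'Task To Run' value, quoted or unquoted, with or without arguments."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def sha256_file(path: str) -> str:
    """Streamed SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_tasks(csv_text: str, hash_files: bool = True) -> list:
    """Parse `schtasks /query /v /fo csv` output and return one finding per suspicious task."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # schtasks repeats the header line for each task folder; drop those pseudo-rows.
        if row.get("TaskName") == "TaskName":
            continue
        exe = extract_executable(row.get("Task To Run", ""))
        if not exe:
            continue
        low = exe.lower()
        reasons = []
        if any(marker in low for marker in USER_WRITABLE_MARKERS):
            reasons.append("runs from user-writable path")
        if ntpath.basename(low) == REPORT_ORIGINAL_FILENAME:  # ntpath: Windows separators even when run elsewhere
            reasons.append("file name matches sample OriginalFilename")
        if hash_files and os.path.isfile(exe) and sha256_file(exe) == REPORT_SHA256:
            reasons.append("SHA-256 matches report sample")
        if reasons:
            findings.append({"task": row.get("TaskName", ""), "exe": exe, "reasons": reasons})
    return findings


# Constructed sample output (not from a real host): a benign Microsoft task, a repeated header line,
# and a task registered from the user's roaming profile under the sample's OriginalFilename.
SAMPLE_CSV = r'''"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run","Start In"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","N/A","Ready","Interactive/Background","N/A","0","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","N/A"
"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run","Start In"
"WS01","\pyKCgxpcx","5/15/2020 3:25:00 AM","Ready","Interactive only","5/14/2020 3:25:00 AM","0","WS01\jdoe","""C:\Users\jdoe\AppData\Roaming\pyKCgxpcx.exe""","N/A"
'''


def demo() -> list:
    """Run the triage over the constructed rows; only the \pyKCgxpcx task should be reported."""
    return triage_tasks(SAMPLE_CSV)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8-sig", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_CSV
    for finding in triage_tasks(text):
        print(finding["task"], "->", finding["exe"], ";", ", ".join(finding["reasons"]))
```

On the affected machine, export with `schtasks /query /v /fo csv > tasks.csv` and pass that file to the script. A hit on the path or name alone is a lead, not a verdict; the SHA-256 match (or a sandbox run of the flagged file) is what confirms it is this sample rather than a renamed legitimate program.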

How to identify Trojan.Ransom.Loki.CQQ?

The values below are what the sandbox recorded for the analysed sample. The three cryptographic digests are the identifiers to match on; crc32 is not collision-resistant, and ssdeep and tlsh are similarity hashes for finding related builds, not for confirming an exact match.

File Info:

name: B4F8AB8E00B348A1410D.mlw
path: /opt/CAPEv2/storage/binaries/c4a6245679676f18ab309dc7ca39ad7e70806bac16dd31af1f769bca84044f47
crc32: 5E36F294
md5: b4f8ab8e00b348a1410da17a685d2adb
sha1: 84197faccc0118fdbad851db3457fbfb034e206b
sha256: c4a6245679676f18ab309dc7ca39ad7e70806bac16dd31af1f769bca84044f47
sha512: 22e45f60e1da74b26d2899ce53974512b7c03d7f42e87bca4f20d42b9d4bf81dfa7f795fb65573b3e965e5622c0e14dbbf96da7bf35f6bed8a8b1c65d6666f17
ssdeep: 12288:qvXX2KJg+LHNR/4R7UMsZyAF59Rw3ATVlx7RUaa:7KnR/4lsv9Rw3An
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T14594BE1036BD1775E4BA8BF469A1A054CBB0726A78ADD36C8DC160CF1AE5F80CE15E37
sha3_384: e564fd9f78dca57d8621d90a2a0ade4c3b93539dc1c4280da849dbfad46d2a9f051c72271f6b271450b30da4841fd0ea
ep_bytes: ff250020400000ff55ff000000000800 (FF 25 00 20 40 00 is jmp dword ptr [0x402000], the single indirect jump through the import table that PE32 .NET executables start with; together with the Assembly Version field below and the MSIL vendor names this marks the sample as managed code, even though the type line says Intel 80386)
timestamp: 2020-05-14 03:20:10 (PE header compile timestamp; it is written by the build tool and easily forged, so treat it as a hint, not evidence)
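
Because the file name is a sandbox artifact, the practical check is to hash the local file and compare it with the digests above and, if it is a PE, pull out the same header facts CAPE reported (timestamp, entry-point bytes) plus the CLR header that marks a .NET assembly. The script below is an added example and is not part of the original report or of CAPE; it uses only the Python standard library. Since the real sample cannot ship with a write-up, build_sample_pe() assembles a constructed, harmless PE32 skeleton whose headers reproduce this report's timestamp and entry bytes so the parser can be exercised offline. REPORT_IOCS holds the values copied from File Info; the function names are chosen here.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Indicators copied from the File Info section of this report.
REPORT_IOCS = {
    "md5": "b4f8ab8e00b348a1410da17a685d2adb",
    "sha1": "84197faccc0118fdbad851db3457fbfb034e206b",
    "sha256": "c4a6245679676f18ab309dc7ca39ad7e70806bac16dd31af1f769bca84044f47",
}
REPORT_EP_BYTES = bytes.fromhex("ff250020400000ff55ff000000000800")


def hash_bytes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the contents (the weak ones only to match legacy IOC lists)."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def matches_report(data: bytes) -> dict:
    """Per-algorithm match; a real hit sets all three, a lone hit points to a transcription error."""
    got = hash_bytes(data)
    return {alg: got[alg] == REPORT_IOCS[alg] for alg in REPORT_IOCS}


def pe_facts(data: bytes) -> dict:
    """Parse a PE32 image: compile timestamp, entry-point bytes and whether a CLR (.NET) header exists."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp = struct.unpack_from("<HHI", data, coff)
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    ep_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    clr_va = clr_size = 0
    if n_dirs > 14:  # data directory 14 is the CLR runtime header
        clr_va, clr_size = struct.unpack_from("<II", data, opt + 96 + 14 * 8)
    # Map the entry-point RVA to a file offset through the section table.
    sec = opt + size_opt
    ep_off = None
    for i in range(nsections):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, sec + i * 40 + 8)
        if va <= ep_rva < va + max(vsize, rawsize):
            ep_off = rawptr + (ep_rva - va)
            break
    ep_bytes = data[ep_off:ep_off + 16] if ep_off is not None else b""
    return {
        "machine": machine,
        "timestamp": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "image_base": image_base,
        "entry_rva": ep_rva,
        "ep_bytes": ep_bytes.hex(),
        # FF 25 imm32 is "jmp dword ptr [imm32]": the stub a .NET PE32 uses to reach _CorExeMain via its IAT.
        "ep_is_jmp_indirect": ep_bytes[:2] == b"\xff\x25",
        "has_clr_header": clr_va != 0 and clr_size != 0,
    }


def triage_file(path: str) -> dict:
    """Hash a local file against the report and, when it is a PE32, extract the header facts."""
    with open(path, "rb") as f:
        data = f.read()
    result = {"hashes": hash_bytes(data), "hash_match": matches_report(data)}
    try:
        result["pe"] = pe_facts(data)
    except ValueError as err:
        result["pe_error"] = str(err)
    return result


def build_sample_pe() -> bytes:
    """Constructed stand-in (NOT the malware): a harmless PE32 skeleton whose headers carry this
    report's timestamp, entry-point bytes and a CLR directory entry, so pe_facts can run offline."""
    ep_rva, raw_ptr, opt_size = 0x2000, 0x200, 224
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 1589426410, 0, 0, opt_size, 0x0102)  # i386, 1 section, 2020-05-14 03:20:10 UTC
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, ep_rva)
    struct.pack_into("<I", opt, 28, 0x400000)
    struct.pack_into("<I", opt, 92, 16)
    struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 72)  # CLR header directory (RVA, size)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x100, ep_rva, 0x100, raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(raw_ptr, b"\0")
    body = bytearray(0x100)
    body[:len(REPORT_EP_BYTES)] = REPORT_EP_BYTES
    return header + bytes(body)


if __name__ == "__main__":
    import sys
    facts = pe_facts(build_sample_pe())
    print("constructed sample:", facts["timestamp"], facts["ep_bytes"], "CLR header:", facts["has_clr_header"])
    for path in sys.argv[1:]:
        print(path, triage_file(path))
```

Run it with the quarantined file as the argument. All three digests must agree for a match; a file that shares only the entry-point bytes and a CLR header is simply another .NET executable, since that stub is common to every managed PE32, and the timestamp field is copied from the header as-is and proves nothing about when the file was really built.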

Version Info:

Translation: 0x0000 0x04b0
Comments:
CompanyName: National Cancer Institute
FileDescription: Ultima3CharacterEditor
FileVersion: 1.0.0.0
InternalName: pyKCgxpcx.exe
LegalCopyright: Copyright © National Cancer Institute 2016
LegalTrademarks:
OriginalFilename: pyKCgxpcx.exe
ProductName: Ultima3CharacterEditor
ProductVersion: 1.0.0.0
Assembly Version: 1.0.0.0

The version resource is written by whoever builds the file. Here the company (National Cancer Institute), the product (a game character editor) and the random-looking InternalName pyKCgxpcx.exe do not belong together, which is typical of crypter-built .NET loaders (several vendors below name the sample Kryptik): do not rely on these strings to decide a file is legitimate, but pyKCgxpcx.exe is worth searching for on disk and in scheduled task definitions, since the sample copies itself and registers a task.

Trojan.Ransom.Loki.CQQ also known as:

Bkav W32.AIDetectMalware.CS
Lionic Trojan.Win32.Loki.i!c
Elastic malicious (high confidence)
ClamAV Win.Trojan.Generickdz-9783886-0
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
Skyhigh BehavesLike.Win32.Generic.gc
ALYac Spyware.AgentTesla
Malwarebytes Generic.Malware.AI.DDS
Zillya Trojan.Kryptik.Win32.2027482
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (W)
Alibaba Trojan:Win32/starter.ali1000139
K7GW Trojan ( 00566b951 )
K7AntiVirus Trojan ( 00566b951 )
VirIT Trojan.Win32.GenusT.DPZJ
Symantec Trojan.Gen.MBT
ESET-NOD32 a variant of MSIL/Kryptik.WGR
APEX Malicious
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender Trojan.Ransom.Loki.CQQ
NANO-Antivirus Trojan.Win32.Kryptik.hkiaux
MicroWorld-eScan Trojan.Ransom.Loki.CQQ
Tencent Msil.Trojan-QQPass.QQRob.Yylw
Emsisoft Trojan.Ransom.Loki.CQQ (B)
F-Secure Heuristic.HEUR/AGEN.1306836
DrWeb Trojan.DownLoader33.41351
TrendMicro Backdoor.MSIL.REMCOS.SM
FireEye Generic.mg.b4f8ab8e00b348a1
Sophos Troj/Krypt-ABH
SentinelOne Static AI – Malicious PE
GData Trojan.Ransom.Loki.CQQ
Jiangmin Trojan.PSW.MSIL.adqt
Google Detected
Avira HEUR/AGEN.1306836
MAX malware (ai score=100)
Antiy-AVL Trojan[PSW]/MSIL.Agensla
Kingsoft malware.kb.c.999
Arcabit Trojan.Ransom.Loki.CQQ
ZoneAlarm HEUR:Trojan-PSW.MSIL.Agensla.gen
Microsoft Trojan:MSIL/AgentTesla.PRB!MTB
Varist W32/MSIL_Kryptik.ARY.gen!Eldorado
AhnLab-V3 Trojan/Win32.AgentTesla.R342452
McAfee GenericRXKO-GP!B4F8AB8E00B3
DeepInstinct MALICIOUS
VBA32 TScope.Trojan.MSIL
Cylance unsafe
Panda Trj/GdSda.A
TrendMicro-HouseCall Backdoor.MSIL.REMCOS.SM
Rising Malware.Obfus/MSIL@AI.100 (RDM.MSIL2:Im06aVWsX6JqZaD0+cSzIw)
Yandex Trojan.Kryptik!jojib7N8mZY
Ikarus Trojan.MSIL.Inject
MaxSecure Trojan.Malware.300983.susgen
Fortinet MSIL/GenKryptik.ELKP!tr
AVG Win32:MalwareX-gen [Trj]
Avast Win32:MalwareX-gen [Trj]
alibabacloud Trojan[dropper]:MSIL/Kryptik.WGR

Reading the list: almost every engine agrees the file is malicious, most place it in the MSIL (.NET) family, and the specific names point at credential theft and remote access (AgentTesla/Agensla, PSW, NanoCore, Remcos) rather than ransomware. The Trojan.Ransom.Loki.CQQ label is the BitDefender engine's family name and is repeated by the products that license that engine (MicroWorld-eScan, Emsisoft, GData, Arcabit).

How to remove Trojan.Ransom.Loki.CQQ?

Recommended second-opinion scan: verify the infection before changing system settings.

Use GridinSoft Anti-Malware to run a full scan, review detected persistence entries, and quarantine confirmed threats before restarting Windows.

  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a "Standard scan".
  • "Move to quarantine" all items.
  • Open the "Tools" tab and press "Reset Browser Settings".
  • Select the proper browser and options, then click "Reset".
  • Restart your computer.
  • After the restart, confirm that no scheduled task still points at a copy of the file and re-hash any remaining suspicious executables against the File Info values above; then change the passwords used on this machine, since the vendor verdicts point to a credential stealer.