HEUR.Trojan.Injector.MSIL.Generic

By CagedTech in Trojans

Threat Scorecard

Popularity Rank: 4,074
Threat Level: 90 % (High)
Infected Computers: 19,317
First Seen: July 23, 2019
Last Seen: April 10, 2026
OS(es) Affected: Windows

Analysis Report

General information

Family Name: HEUR.Trojan.Injector.MSIL.Generic
Signature status: No Signature

Known Samples

MD5: c76dc7eaf5e5ad33a58f8b06eed46e9c
SHA1: bce25ac8928817b5bcbd3df40b597cc1b4d8ada9
File Size: 2.19 MB, 2189312 bytes
MD5: 6f5b940b9184520ca75c669720b593d9
SHA1: c5e3926d02c5219aae961b777f27eb97de4c973f
SHA256: 20633373276E03C5C3F2DB213251221357EB02E04B3A74FCE33E025F9695314D
File Size: 9.73 KB, 9728 bytes
MD5: 9ba605b6e8b21b7f2b7e9000d3f66c29
SHA1: 3d89dda2bf1c9e2c89ac37ed22f7a358ae4e466f
SHA256: 31797DFA534FA140C3BF37699CFF76992898BA86932F6BFB42D06C6652E9D76E
File Size: 5.63 KB, 5632 bytes
MD5: edc8c7e04b1ae1372e8ce41437431dc0
SHA1: 50575778fe2303477708a7bf45704ea3a7c0ae65
SHA256: 74A8A1193C1D574F3543F563700CE981D8CE8309F9F5B7A506797F7CF4ADF8CC
File Size: 961.54 KB, 961536 bytes
MD5: d26b5e95062602dd9075720c1ea5fbfd
SHA1: fa59b3fb0f9843193505d05007f0f625dfc61ca5
SHA256: D778D0AAF40B5799D3666AE629879CC8F37FF855FE50E7E87FDE569F89A99C26
File Size: 2.18 MB, 2178560 bytes
MD5: 0a7b10d92d94ccec0939a8c7b8691ea7
SHA1: 2418f4ddea60af4048b43628f8a9ee328e0bee1b
SHA256: 76F2E42CEF383294A84AC3EE0352A0886E3AFB6138C52F687E1295C7DBE33518
File Size: 54.27 KB, 54272 bytes
MD5: f0ea56cbfe555c250685f6379a1c21f7
SHA1: 7c09b16970e44f85433861b714a1aaaaa1ccdd9a
SHA256: 9806A319E8B98A73384F3BB50875D4E17645097FAB1D75B68BD1D7BCEC28717E
File Size: 8.56 MB, 8561152 bytes
MD5: 060d0612f6a13073366a442ba81cc01e
SHA1: aef609aa0d5f3a319a923db17fe080d7dad80485
SHA256: 60357B0351B9D063D65F1A4321910404E5A9C691DCEF45A3255C31242A9977C4
File Size: 2.27 MB, 2272768 bytes
MD5: 6fdff0b8e00500a51f736a1e11f15509
SHA1: aa85c919976b4b649823fd86066c2f8e85600254
SHA256: EF9DAFA976814AC6A831A0F48EF345E5015CB011B0D90A8AECDBF148C596BAB1
File Size: 2.56 MB, 2556928 bytes
MD5: 18d7b3491eb8190860a3d78b8c07c225
SHA1: 6591d89a9abf5574a04204e72795a51f5707f89b
SHA256: 9F914392570B45E54110C11A9550CF4B5FC9B04CFAC770DCD86D6540CCD39C1E
File Size: 5.63 KB, 5632 bytes
MD5: 3d2cadbacd122b59a134652dfc27a550
SHA1: e72c018e6821c6b37503165d63869ee2aa3fae75
SHA256: 61D59FA581B5BDD8C068B07BC878B2ACE91B0BCDBD11406D8E1631238E8944CD
File Size: 987.65 KB, 987648 bytes
MD5: 410b74658f9d7c5ab2af9efbbf5e7730
SHA1: e0780243f7d7468d8d6e0a510bf31d509827e705
SHA256: A0B5A99D3046A6F0857599511A70C92924118049C63C05F08BB99C7D55B96A45
File Size: 5.63 KB, 5632 bytes
MD5: 35a1876736317ac3f4c950624de24b5c
SHA1: a3ef1e0c341d99597fe7a79a20562579b5b8af99
SHA256: 237A64781E0FBB27B291660CC4AC6B59913BA40194B18C1835C9E386C9681D98
File Size: 54.27 KB, 54272 bytes
MD5: 9c1f30f561ba6e819e4d107216571e86
SHA1: 2fce420db519d190e19b4f37969eb276e4661c3b
SHA256: 0A611497C065448E67F5CDEB9B6A8EBEC3B5FF5FD3E3ECBF4F56389E678134B6
File Size: 387.07 KB, 387072 bytes
MD5: f0b229499089fd28141a011b9b2b419b
SHA1: da205eafaf3885ddca57e23ac48720699afff47e
SHA256: 8E488303D62FBCEB3C48BEA4BFF9E793D6840BFB1484671A9DD5976321BAE181
File Size: 5.63 KB, 5632 bytes
MD5: 17688f1e904e956f2d0f1c1b593fe48c
SHA1: 366ce445f9f53e82432dc7f9d0c210b4ea8ed76d
SHA256: 849353406D69C1808F9D5EC492EF54E0397F7B84CBEEDB0CAB094EF952D9968D
File Size: 520.92 KB, 520925 bytes

Windows Portable Executable Attributes

The attributes in this section (and the version information below) are aggregated across all of the listed samples, which is why mutually exclusive properties such as 32-bit and 64-bit, .NET and Native, or console and GUI all appear together. No single file carries every attribute.

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has TLS information
  • File is .NET application
  • File is 32-bit executable
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Assembly Version
  • 4.0.0.0
  • 2.8.5498.20660
  • 1.6.0.1
  • 1.0.0.0
  • 0.0.0.0
Comments
  • Acts as RSBot Library- includes all neccessary logic that the bot and 3rd party applications require.
  • dllhost.scr
  • Launcher for TeknoMW3 Client
  • NLog is a logging platform for .NET with rich log routing and management capabilities. NLog supports traditional logging, structured logging and the combination of both. Supported platforms: - .NET 5 and 6 - .NET Core 1, 2 and 3 - .NET Standard 1.3+ and 2.0+; - .NET Framework 3.5, 4, 4.5, 4.6, 4.7 & 4.8 - .NET Framework 4 client profile - Xamarin Android, Xamarin iOS - UWP - Windows Phone 8 - Silverlight 4 and 5 - Mono 4 For ASP.NET Core, check: https://www.nuget.org/packages/NLog.Web.AspNetCore
  • ProxyChecker
Company Name
  • Microsoft Corporation
  • NLog
  • ReviOS 10 24.12
  • RSBot.Core
  • TeknoGods
  • ZennoProxyChecker
File Description
  • Crysome.Client
  • dllhost.exe
  • FZZNLibrary1
  • HVNC
  • NLog for .NET Framework 4.5
  • ProxyChecker2.exe
  • RSBot.Core
  • TeknoMW3
  • TeknoMW3 Client Launcher
File Version
  • 65.1.30.17
  • 4.7.14.740
  • 3.8.2.0
  • 2.8.5498.20660
  • 1.6.0.1
  • 1.0.0.0
  • 0.0.0.0
Internal Name
  • Crysome.Client.exe
  • dllhost-64.exe
  • FZZNLibrary1.dll
  • gruzi.exe
  • HVNC.dll
  • NLog.dll
  • RSBot.Core.dll
  • share_ex2_loader.exe
  • TeknoMW3.exe
  • TeknoMW3_Client_Launcher.exe
  • VanuriClient.exe
Legal Copyright
  • Copyright (c) 2004-2022 NLog Project - https://nlog-project.org/
  • Copyright ZennoLab.com © 2022
  • Copyright © 2014
  • Copyright © 2018
  • Copyright © 2018 - 2024, RSBot Team
  • Copyright © 2021
  • Copyright © 2025
  • Copyright © ReviOS 10 24.12 2025
  • Microsoft Corporation 2022. All rights reserved.
Legal Trademarks ZennoLab.com
Original Filename
  • Crysome.Client.exe
  • dllhost-64.exe
  • FZZNLibrary1.dll
  • gruzi.exe
  • HVNC.dll
  • NLog.dll
  • RSBot.Core.dll
  • share_ex2_loader.exe
  • TeknoMW3.exe
  • TeknoMW3_Client_Launcher.exe
  • VanuriClient.exe
Product Name
  • Crysome.Client
  • FUTURE TECHNOLOGIES GROUP LLC
  • FZZNLibrary1
  • HVNC
  • Microsoft Corporation
  • NLog v4.7.14
  • RSBot.Core
  • TeknoMW3
  • TeknoMW3 Client Launcher
Product Version
  • 65.1.30.17
  • 4.7.14+7b0baf946c6c5541cbd0dc523d2e9e7a582209ba
  • 3.8.2.0
  • 2.8.5498.20660
  • 1.6.0.1
  • 1.0.0.0
  • 1.0.0+ad81c42c51c0ae5ee62dba7ead9fae82b9edcfd7
  • 0.0.0.0

File Traits

  • .NET
  • Agile.net
  • dll
  • Fody
  • GenKrypt
  • HighEntropy
  • ntdll
  • Reflective
  • RijndaelManaged
  • WriteProcessMemory
  • x64
  • x86
  • Yano

Block Information

Total Blocks: 481
Potentially Malicious Blocks: 76
Whitelisted Blocks: 190
Unknown Blocks: 215

Visual Map

0 0 0 0 x x 0 0 0 x x x x x x 0 ? x 0 ? 0 x x 0 x 0 0 x 0 0 x 0 0 x x 0 x 0 0 0 ? ? 0 0 0 0 0 0 0 x 0 0 0 0 0 0 ? 0 0 ? 0 ? ? 0 0 0 0 x 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 ? ? 0 ? ? x 0 ? ? ? 0 ? ? x 0 ? ? 0 ? 0 x 0 0 ? ? 0 ? ? 0 x 0 0 x 0 x x 0 x x ? 0 ? ? 0 x 0 0 ? ? 0 ? x 0 0 x 0 0 0 0 0 x x 0 0 ? ? 0 ? ? 0 0 0 0 x 0 0 ? ? ? 0 x x 0 0 0 0 x 0 0 0 ? ? ? ? 0 ? ? x ? ? ? 0 x x x 0 0 0 x 0 x x x 0 0 x x x 0 x x x 0 x x ? ? ? ? ? 0 ? 0 x 0 ? ? 0 0 ? ? ? ? ? ? ? ? ? ? ? ? ? 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 ? 0 0 ? ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 0 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 ? ? 0 ? ? ? 0 0 x x x x ? ? ? ? ? ? 0 0 x x x x x ? x 0 x x ? ? ? ? ? ? ? 0 ? ? ? ? ? ? ? ? 0 ? ? ? ? ? ? ? ? ? ? x ? ? x 0 0 ? ? ? ? ? ? ? ? ? ? ? 0 0 ? 0 ? ? x ? x ? 0 ? 0 ? ? ? ? ? ? ? ? ? ? 0 ? 0 0 0 0 ? ? ? ? 0 ? ? ? ? ? ? x ? ? ? ? ? ? 0 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 0 x x ? ? ? ? ? ? ? ? ? ? ? ? ? ? x ? 0 0 0 0 0 0 0 0 0 0 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • MSIL.Agent.OAAK
  • MSIL.Agent.OAAU
  • MSIL.AgentTesla.PH
  • MSIL.BypassUAC.K
  • MSIL.Downloader.CAYD
  • MSIL.Gamehack.OS
  • MSIL.Kryptik.AR
  • MSIL.Kryptik.SA
  • MSIL.Remcos.LFA
  • MSIL.Rozena.GG
  • MSIL.Ursu.TJG

Files Modified

File Attributes
\device\namedpipe Generic Read,Write Attributes
\device\namedpipe Generic Write,Read Attributes
\device\namedpipe\pshost.133965431090688149.3844.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
c:\recovery\oem\hhkqot263c83.exe Generic Write,Read Attributes
c:\users\user\appdata\local\microsoft\clr Synchronize,Write Attributes
c:\users\user\appdata\local\microsoft\clr\conhost.exe Generic Write,Read Attributes
c:\users\user\appdata\local\microsoft\clr\conhost.exe Synchronize,Write Attributes
c:\users\user\appdata\local\sentry\2e9351451048d334247b84c664ae66f154c5ddd8\.installation Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_hnvyhdc3.5mh.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_u2a1cego.lxc.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\crysome_debug.log Generic Write,Read Attributes
c:\users\user\appdata\roaming\microsoft\libs\wr64.sys Generic Write,Read Attributes
c:\users\user\appdata\roaming\microsoft\windows Synchronize,Write Attributes
c:\users\user\appdata\roaming\microsoft\windows\runtimebroker.exe Generic Write,Read Attributes
c:\users\user\appdata\roaming\microsoft\windows\runtimebroker.exe Synchronize,Write Attributes

Registry Modifications

Key::Value Data API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe (binary data) RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe (binary data) RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe (binary data) RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe (binary data) RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 (binary data) RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enablefiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enableautofiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enableconsoletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::filetracingmask (binary data) RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::consoletracingmask (binary data) RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::maxfilesize (binary data) RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::filedirectory %windir%\tracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enablefiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enableautofiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enableconsoletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::filetracingmask (binary data) RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::consoletracingmask (binary data) RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::maxfilesize (binary data) RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::filedirectory %windir%\tracing RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\runonce::runtimebroker "C:\Users\Yepeqhcs\AppData\Roaming\Microsoft\Windows\RuntimeBroker.exe" RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe (binary data) RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe (binary data) RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe (binary data) RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe (binary data) RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe (binary data) RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe (binary data) RegNtPreCreateKey
(binary data) - REG_BINARY or REG_DWORD value data that does not render as text
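The BAM UserSettings values above and the pshost named pipe in the Files Modified section both carry Windows FILETIME timestamps: BAM records when the user last ran cmd.exe and conhost.exe, and PowerShell embeds its host process start time in the pipe name. The following Python is an added example, not code from this report or from the sample, that decodes both. It assumes the BAM value layout documented by registry forensics tooling (24 bytes, the first 8 a little-endian FILETIME of last execution) and PowerShell's PSHost.<start FILETIME>.<PID>.<AppDomain>.<Process> pipe naming; the BAM bytes are constructed, while the pipe name is copied from the page.

```python
"""Decode the FILETIME timestamps behind two artefacts in this report: the BAM
UserSettings values (rendered above as unreadable characters) and the PSHost named
pipe in the Files Modified section. Added example; not code from the report or sample."""
from __future__ import annotations

import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """A FILETIME counts 100-ns intervals since 1601-01-01 00:00 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime (microsecond precision)."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def decode_bam_value(data: bytes) -> datetime:
    r"""Last-execution time from a BAM\State\UserSettings\<SID> value.

    Assumption (layout documented by registry forensics tooling): the value is 24
    bytes and the first 8 are a little-endian FILETIME; the rest is left undecoded."""
    if len(data) < 8:
        raise ValueError("BAM value too short for a FILETIME")
    (ft,) = struct.unpack_from("<Q", data, 0)
    return filetime_to_datetime(ft)


def pshost_pipe_start_time(pipe_name: str) -> tuple[datetime, int]:
    """Host start time and PID from a PowerShell remoting pipe name.

    Assumption: the name follows PSHost.<start time as FILETIME>.<PID>.<AppDomain>.<Process>."""
    parts = pipe_name.rsplit("\\", 1)[-1].split(".")
    if len(parts) < 3 or parts[0].lower() != "pshost":
        raise ValueError("not a PSHost pipe name")
    return filetime_to_datetime(int(parts[1])), int(parts[2])


# Constructed sample: a BAM value for a binary last executed 2025-01-01 00:00:00 UTC.
SAMPLE_BAM_TIME = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_BAM_VALUE = struct.pack("<Q", datetime_to_filetime(SAMPLE_BAM_TIME)) + bytes(16)
# Pipe name copied from the Files Modified section above.
SAMPLE_PIPE = r"\device\namedpipe\pshost.133965431090688149.3844.defaultappdomain.powershell"

if __name__ == "__main__":
    print("BAM last run:", decode_bam_value(SAMPLE_BAM_VALUE).isoformat())
    started, pid = pshost_pipe_start_time(SAMPLE_PIPE)
    print(f"PowerShell host PID {pid} started {started.isoformat()}")
```

Run against a live system, the BAM key must be read as REG_BINARY (for example with reg.exe or the Python winreg module); the decoder only needs the raw bytes. The pipe name on this page decodes to a PowerShell host (PID 3844) started on 2025-07-09 UTC, which gives the sandbox run a wall-clock anchor the report itself does not state.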

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAllocateLocallyUniqueId
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreatePortSection
  • ntdll.dll!NtAlpcCreateSectionView
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcDeleteSecurityContext
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcQueryInformationMessage
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtAlpcSetInformation
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtCancelTimer2
  • ntdll.dll!NtCancelWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtCompareSigningLevels
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFlushProcessWriteBuffers
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtFsControlFile
  • ntdll.dll!NtGetCachedSigningLevel
  • ntdll.dll!NtGetCompleteWnfStateSubscription
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtPowerInformation
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationJobObject
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtQueueApcThread
  • ntdll.dll!NtQueueApcThreadEx2
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReadVirtualMemory
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationObject

78 additional items are not displayed above.

User Data Access
  • GetComputerName
  • GetComputerNameEx
  • GetUserDefaultLocaleName
  • GetUserName
  • GetUserObjectInformation
Encryption Used
  • BCryptOpenAlgorithmProvider
Process Shell Execute
  • CreateProcess
  • WriteConsole
Other Suspicious
  • AdjustTokenPrivileges
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
Process Terminate
  • TerminateProcess
Network Info Queried
  • GetNetworkParams
Network Winsock2
  • WSAConnect
  • WSASocket
  • WSAStartup
  • WSAttemptAutodialName
Network Winsock
  • closesocket
  • getpeername
  • setsockopt
Network Winhttp
  • WinHttpOpen
Process Manipulation Evasion
  • NtUnmapViewOfSection

Shell Command Execution

"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\WINDOWS\system32\services64.exe"
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path
C:\WINDOWS\system32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\WINDOWS\system32\services64.exe"
WriteConsole: Access is denied
share.exe (NULL)
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\2fce420db519d190e19b4f37969eb276e4661c3b_0000387072.,LiQMAxHB
"C:\Users\Yepeqhcs\AppData\Roaming\Microsoft\Windows\RuntimeBroker.exe"
"C:\Users\Yepeqhcs\AppData\Local\Microsoft\CLR\conhost.exe" --watcher 6300
"sc" query "WindowsHealthMonitor"
"sc" create "WindowsHealthMonitor" binPath= "C:\Users\Yepeqhcs\AppData\Roaming\Microsoft\Windows\RuntimeBroker.exe" start= auto DisplayName= "Windows System Health Monitor"
WriteConsole: [SC] CreateServi
"sc" description "WindowsHealthMonitor" "Monitors system health and performance diagnostics."
WriteConsole: [SC] ChangeServi
"sc" failure "WindowsHealthMonitor" reset= 0 actions= restart/60000/restart/60000/restart/60000
"sc" start "WindowsHealthMonitor"
WriteConsole: [SC] StartServic
"schtasks.exe" /create /tn "CrysomeLoader" /tr "C:\Users\Yepeqhcs\AppData\Roaming\Microsoft\Windows\RuntimeBroker.exe" /sc minute /mo 5 /f
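The command lines above show the family's persistence and defence-evasion steps in order: a Defender exclusion for the working directory, a logon task running at highest privilege, a service whose binPath is a RuntimeBroker.exe copy in the user profile (the real binary lives in System32), a five-minute watchdog task, a conhost.exe copy launched with a --watcher argument, and rundll32 loading a downloaded file by export name. The Python below is an added example, not code from this report or from the sample, that triages process-creation command lines (Sysmon Event ID 1 or equivalent EDR telemetry) for exactly those behaviours. The EXPECTED_DIRS and USER_WRITABLE tables and the rule names are the author's assumptions; the sample command lines are copied from the list above.

```python
"""Triage Windows process-creation command lines (e.g. Sysmon Event ID 1) for the
behaviours this sample family shows: Defender exclusions, schtasks and sc.exe
persistence, rundll32 loading a non-DLL by export name, and Windows binary names
running from user-profile paths. Added example; not code from the report or sample."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: directories where these Microsoft binary names legitimately live.
EXPECTED_DIRS = {
    "runtimebroker.exe": (r"c:\windows\system32",),
    "conhost.exe": (r"c:\windows\system32",),
    "dllhost.exe": (r"c:\windows\system32", r"c:\windows\syswow64"),
}
# Assumption: path fragments a standard user can write to.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\", "c:\\recovery\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def _user_writable(path: str) -> bool:
    return any(frag in path.lower() for frag in USER_WRITABLE)


def _masquerade(path: str) -> Finding | None:
    """Flag a well-known system binary name sitting outside its normal directory."""
    parent, _, name = path.lower().rpartition("\\")
    expected = EXPECTED_DIRS.get(name)
    if expected and parent not in expected:
        return Finding("masquerade", f"{name} outside {expected[0]}: {path}")
    return None


def triage(cmdline: str) -> list[Finding]:
    """Return the findings for one command line, in rule order."""
    low = cmdline.lower()
    findings: list[Finding] = []

    # Defence evasion: Add-MpPreference -ExclusionPath / -ExclusionProcess / -ExclusionExtension
    if re.search(r"add-mppreference\s+-exclusion(?:path|process|extension)", low):
        findings.append(Finding("defender_exclusion", "Add-MpPreference exclusion added"))

    # Persistence: schtasks /create, noting privilege level, trigger and target location
    if re.search(r'schtasks(?:\.exe)?"?\s+/create', low):
        notes = []
        if "/rl highest" in low:
            notes.append("highest privileges")
        if "/sc onlogon" in low:
            notes.append("at logon")
        if m := re.search(r"/sc\s+minute\s+/mo\s+(\d+)", low):
            notes.append(f"every {m.group(1)} min")
        if m := re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', cmdline, re.I):
            target = m.group(1) or m.group(2)
            if _user_writable(target):
                notes.append(f"target in user-writable path: {target}")
        findings.append(Finding("schtask_create", "; ".join(notes) or "task created"))

    # Persistence: sc create <name> binPath= <exe>
    if m := re.search(r'\bsc(?:\.exe)?"?\s+create\s+"?([^"\s]+)"?.*?binpath=\s*(?:"([^"]+)"|(\S+))',
                      cmdline, re.I):
        svc, bin_path = m.group(1), m.group(2) or m.group(3)
        detail = f"service {svc} -> {bin_path}"
        if _user_writable(bin_path):
            detail += " (user-writable)"
        findings.append(Finding("service_create", detail))

    # Execution: rundll32 <file>,<export> where <file> does not end in .dll
    if m := re.search(r"rundll32(?:\.exe)?\s+(\S+?),(\w+)", cmdline, re.I):
        target, export = m.groups()
        if not target.lower().endswith(".dll"):
            findings.append(Finding("rundll32_non_dll", f"export {export} from {target}"))

    # Masquerading: any path in the line whose file name is a known system binary
    for path in re.findall(r'[A-Za-z]:\\[^"\s]+', cmdline):
        if f := _masquerade(path):
            findings.append(f)
    return findings


# Sample input: command lines copied from the list above.
SAMPLE_CMDLINES = [
    r'"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\WINDOWS\system32\services64.exe"',
    r'"sc" create "WindowsHealthMonitor" binPath= "C:\Users\Yepeqhcs\AppData\Roaming\Microsoft\Windows\RuntimeBroker.exe" start= auto DisplayName= "Windows System Health Monitor"',
    r'"C:\Users\Yepeqhcs\AppData\Local\Microsoft\CLR\conhost.exe" --watcher 6300',
    r'"sc" query "WindowsHealthMonitor"',
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        for f in triage(line):
            print(f"[{f.rule}] {f.detail}")
```

The services64.exe task deliberately does not trip the masquerade rule: Windows ships no binary by that name, so catching it needs an allow-list of what actually exists in System32 rather than a table of impersonated names. The sc query line, which the sample also runs, produces no finding, which is the intended behaviour for a rule set that should stay quiet on routine administration.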
