PUP.MSIL.Gamehack.O
Analysis Report
General information
| Family Name: | PUP.MSIL.Gamehack.O |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.
|
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File has TLS information
- File is .NET application
- File is 32-bit executable
- File is 64-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

| Name | Value |
|---|---|
| Assembly Version | |
| Comments | |
| Company Name | |
| File Description | |
| File Version | |
| Internal Name | |
| Legal Copyright | |
| Legal Trademarks | Royal FloraHolland 2024 |
| Original Filename | |
| Product Name | |
| Product Version | |
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature's root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy "Self Signed" digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading "Signer" names.

| Signer | Root | Status |
|---|---|---|
| Sysadmin Automacao | Sysadmin Automacao | Self Signed |
| ft250v | ft250v | Self Signed |
File Traits
- .NET
- HighEntropy
- Installer Version
- x64
- x86
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

| Total Blocks: | 65 |
|---|---|
| Potentially Malicious Blocks: | 21 |
| Whitelisted Blocks: | 44 |
| Unknown Blocks: | 0 |
Visual Map
The 65 blocks, in order, with one character per block:
0000x00xx000x0000xxxx0000000x000x0xxxxx0xxxxx000000000000000000x0
- 0 - Probable Safe Block
- ? - Unknown Block
- x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft's analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- MSIL.DllInject.MDA
- MSIL.FakeMS.F
- MSIL.FakeMS.FA
- MSIL.FakeMS.L
- MSIL.Gamehack.BAVB
- MSIL.Gamehack.BAVG
- MSIL.Gamehack.BAVH
- MSIL.Gamehack.BAVI
- MSIL.Gamehack.BOWG
- MSIL.Gamehack.HM
- MSIL.Gamehack.O
- MSIL.Gamehack.OI
- MSIL.Gamehack.OIA
- MSIL.Gamehack.VA
- MSIL.Marsilia.AE
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

| File | Attributes |
|---|---|
| \device\namedpipe | Generic Read,Write Attributes |
| \device\namedpipe | Generic Write,Read Attributes |
| \device\namedpipe\dav rpc service | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| \device\namedpipe\pshost.133971986701310799.6140.defaultappdomain.58c4c8754a0cd92b2430333c8024656b0689432c_0000296448 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.133972604501641146.4612.defaultappdomain.0f56da503e0177875878c04ef496070126436a59_0000069632 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.133972712487467569.4252.defaultappdomain.026fc4c0973f267808bbbec0b1fb3752380684b0_0000045568 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.133990218170884239.5868.defaultappdomain.f47b806057f945d89396a09552ec2376ead8730c_0000102400 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.133997503409530534.5880.defaultappdomain.eaa839534f442366c8d40d2be2a26159c3b78fd8_0000138240 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134004720232992731.3728.defaultappdomain.d3d087e2f0563a0e81ee4e1be4f55f5259f668e8_0000034304 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134005292652818864.5912.defaultappdomain.9eb1c73a8b7102be59c315b4e79f7953364b8bd5_0000034816 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134005332230129105.5784.defaultappdomain.c8bcbe06a72c6512b4fc65258c7e6b16600a3667_0000152064 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134005793027650976.5004.defaultappdomain.d344980e3d6a0005a4b2567170246e471ac1b1f1_0000034816 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134010348721063971.4120.defaultappdomain.7a580699de053ea2df06197db6c57cb3d80d4fcf_0000036352 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134024258391085759.5728.defaultappdomain.b5e841f2c82e78d76bd4768ef08812d3a3e6c109_0000036864 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134024386930414574.164.defaultappdomain.1f4cd61a6f1c39fe6f21e630abe110e6e0ef01d3_0000121856 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134024617182773502.5432.defaultappdomain.ee423bb280e1b8f90b2364d9ed5c9f91e54af014_0000037888 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134025827072599471.1964.defaultappdomain.6eae1b808adf6730b129363b7fc0de9dd1965954_0000039936 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134035033465143817.1320.defaultappdomain.adadf486f5761a014f2c6913bfed82a746dbcf32_0000042496 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134038669471419804.3092.defaultappdomain.2e33714691c972c4b222074e2057735bd0504b10_0000036864 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134059027658718555.8064.defaultappdomain.3c6d1366d581cb5f9483ea065f5528bb5aa47bfc_0000086016 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134061028023348239.5340.defaultappdomain.d1ca9a26de42be6387289c8338196b3e554d7b9b_0000045056 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134065493232228491.2400.defaultappdomain.4c752cf488e316aa8bf4954bcb56089061edb18c_0000066560 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134076271646598602.3452.defaultappdomain.f10411ae8f014b60001e2ff60e5be352b7ece73b_0000129024 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134077868857434831.8120.defaultappdomain.829b347d4063146d2c1d5d7997bc2eb345fd50ca_0000235704 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134079536539410155.8416.defaultappdomain.70eff82bc85f7b0d775b3a76545529216669c5d6_0000126976 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134091376789094327.6472.defaultappdomain.2a1d5460b83c1f110350b5a89d8cc68b2d96a052_0000071168 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134091456484226799.5716.defaultappdomain.d2392b9a6bed50bf9351fcb533e17828db23c6d5_0000049664 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134100192252137884.4204.defaultappdomain.7915bca862fea0759d3741f5acdc51d8c5b3ebf2_0000033792 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134100769996534135.8480.defaultappdomain.cd726681ab07a57b308569e86c7c0cb397db28c6_0000099840 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134110039870356445.7668.defaultappdomain.171f1e0629eb2ea3054d3c75ffe4b8a6c251265e_0000034816 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134112349464355822.4164.defaultappdomain.0f2fbac3863984584586a34d5270448b079da60c_0000036352 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134133330246340927.504.defaultappdomain.bd92b54ee8476f1906829dc366a245211fe39869_0000056320 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134133645947856260.596.defaultappdomain.998d60635b935a9d2cfc38a297a17a3c7e1adfba_0000265216 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134147346574949390.8556.defaultappdomain.9c70e25c60d9ab3cc3d01a9877549a03617244c8_0000038912 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134148199918060199.5464.defaultappdomain.0ba2d281018661de2720cd3d97baabd3215c4dd0_0000037376 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134163952819598463.1048.defaultappdomain.27f2fb1e142a56763de4acbe5416e12434a12e77_0000111104 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134164246522542451.5280.defaultappdomain.d209cd761bba133c57f0ffa2e23f65ebae9b1c65_0000045056 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134167876113196995.7548.defaultappdomain.fa1e17334e4c9f5c251d34607b247365b521b471_0000163328 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134172115811885130.4696.defaultappdomain.4ddf5a0c36aa92816b3011b1a0cb4e4f8e8ecde9_0000035328 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134173173014981564.8120.defaultappdomain.eecbcb9ada04583eb6d49be5881e053a7e77bc8a_0000079360 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134175970216844558.3536.defaultappdomain.9ef108595c37e7ba00819c21e685a9cd4de44260_0000035328 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134181814356635631.4484.defaultappdomain.b218e9320981b14106e26b15bdd8a1de3def641f_0000053760 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134183434229269860.3552.defaultappdomain.8f3a4d461e805f35b180be21d521d33fa6f87fbd_0000034304 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134201860169622299.4620.defaultappdomain.88ea17b3c56cc86470421134cfec6a139e2f1cb9_0000039424 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134205720681241116.7888.defaultappdomain.5fbf7e492a6e130b59de83c3e2b5263676abdd6e_0000054784 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134207991147691566.732.defaultappdomain.4cde2cf4624296d24ab3097dc7ae8ca2a41f271a_0000063488 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134210461870143746.8660.defaultappdomain.105e8248f93301b12b948dfee610b9a27ad9da57_0000071680 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134213004689828534.7344.defaultappdomain.33af3f42aeba3f816f896454f473dc28be311472_0000050176 | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\wkssvc | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\logs\checklist-resultado.txt | Generic Write,Read Attributes |
| c:\logs\setup-posformatacao.log | Generic Write,Read Attributes |
| c:\temp\rustdesk_combined.log | Generic Write,Read Attributes |
| c:\users\administrator\desktop\testformtool\states.cgg | Generic Write,Read Attributes |
| c:\users\user\appdata\local\microsoft\windows\powershell\startupprofiledata-interactive | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_0xds0zdd.h3t.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_0yggjt11.mxk.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_0zpeooyu.knz.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_1b2wubcw.4fq.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_1tpnowkv.xh0.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_1zuqdehd.bmw.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_2y5cetde.bep.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_3bds500t.fjr.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_3bnkrwca.ceg.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_3gfulxyl.vmw.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_3jpmmaqc.ame.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_3op5p2ek.0eu.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_40wexx4n.zro.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_4iigb5d2.05w.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_4rvvh21e.z5p.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_4weoa543.mhs.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_5qauq10m.vuv.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_aoala5g2.hfg.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_atddqe4h.qxx.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_b120bsmp.gqf.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_bdrxvw3b.wy4.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_bgkswxpp.onx.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_bhwmu4hv.x52.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_bzfvkkh5.qog.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_bzssrurd.2i4.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_cfy0io1k.uhs.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_cmfkjhbm.gfk.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_cmil40ch.y3z.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_cpn40xth.hi4.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_ddqifo2z.b3j.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_df0lejoy.3xn.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_di30cikr.w3g.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_dubvjmfq.uhn.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_efo4wkko.hxc.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_eiug3v5c.e1e.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_ez5nmxj4.yoh.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_ftscgson.0n0.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_g4crspts.o1h.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_harzapv5.rbk.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_hrfgq3gs.2j4.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_izzrsf5v.eak.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_jn3512ec.mqy.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_jsxwulj2.wgp.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_jtjlh4af.uiw.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_jvsmgsk1.umk.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_jxtdizno.qff.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_liw52eh1.z5w.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_lkxbtgnf.bcm.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_lzndah2r.clc.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_lzyrekst.2qf.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_mcc3ifcv.jc5.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_mj2fb5w5.nz5.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_mypxzf0f.14k.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_n1jo0lro.5ku.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_n1mfq2nk.sch.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_ncxwb2lq.jqx.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_nf2gem0i.g3x.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_nsvlx243.dze.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_o2kii15g.miq.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_o3xsgkzj.bkj.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_odem31hp.kah.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_oibluc4z.kpn.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_orb3skmb.gmk.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_otvghtkl.ihw.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_oy5iellr.lqx.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_p045qdrx.duu.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_pdy3aaix.slz.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_pnirs5og.205.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_pytkcrl2.uoi.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_pzeaodn5.oui.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_quxh2n00.tb5.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_qwppfsfo.kbq.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_rg5s32jl.xkp.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_rho32mi3.ueo.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_sctyq14f.zi4.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_uirf1kx4.rhy.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_uuze50e1.ckl.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_uwkj4ppy.drd.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_uwlky4vz.mbn.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_vpdf3aq2.af4.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_vsqxhhup.dbh.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_vuufinkw.om0.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_vwmtsvdp.3tz.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_wcuvqmy0.pz1.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_wh1ke51h.hru.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_wuakaazo.eqh.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_xvexofwi.3ol.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_yncoc1e5.squ.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_zndjgumx.sfo.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_zw2pbsjk.s0n.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\cn4egsqv\cn4egsqv.0.cs | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\cn4egsqv\cn4egsqv.cmdline | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\cn4egsqv\cn4egsqv.dll | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\cn4egsqv\cn4egsqv.err | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\cn4egsqv\cn4egsqv.out | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\cn4egsqv\cn4egsqv.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\etwiipby\etwiipby.0.cs | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\etwiipby\etwiipby.cmdline | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\etwiipby\etwiipby.dll | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\etwiipby\etwiipby.err | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\etwiipby\etwiipby.out | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\etwiipby\etwiipby.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\jbhur5bf\jbhur5bf.0.cs | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\jbhur5bf\jbhur5bf.cmdline | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\jbhur5bf\jbhur5bf.dll | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\jbhur5bf\jbhur5bf.err | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\jbhur5bf\jbhur5bf.out | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\jbhur5bf\jbhur5bf.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\payload.hta | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\sg4fukkg\sg4fukkg.0.cs | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\sg4fukkg\sg4fukkg.cmdline | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\sg4fukkg\sg4fukkg.dll | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\sg4fukkg\sg4fukkg.err | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\sg4fukkg\sg4fukkg.out | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\sg4fukkg\sg4fukkg.tmp | Generic Write,Read Attributes |
| c:\users\user\desktop\defenderexclusiontool\defendermenutool.ps1 | Generic Write,Read Attributes |
| c:\users\user\downloads\dumper_log.txt | Generic Read,Write Data,Write Attributes,Write extended,Append data |
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.

| Key::Value | Data | API Name |
|---|---|---|
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect | | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | 썢쇀ᦳǜ | RegNtPreCreateKey |
| HKLM\software\microsoft\tracing\rasapi32::enablefiletracing | | RegNtPreCreateKey |
| HKLM\software\microsoft\tracing\rasapi32::enableautofiletracing | | RegNtPreCreateKey |
| HKLM\software\microsoft\tracing\rasapi32::enableconsoletracing | | RegNtPreCreateKey |
| HKLM\software\microsoft\tracing\rasapi32::filetracingmask | | RegNtPreCreateKey |
| HKLM\software\microsoft\tracing\rasapi32::consoletracingmask | | RegNtPreCreateKey |
| HKLM\software\microsoft\tracing\rasapi32::maxfilesize | | RegNtPreCreateKey |
| HKLM\software\microsoft\tracing\rasapi32::filedirectory | %windir%\tracing | RegNtPreCreateKey |
| HKLM\software\microsoft\tracing\rasmancs::enablefiletracing | | RegNtPreCreateKey |
| HKLM\software\microsoft\tracing\rasmancs::enableautofiletracing | | RegNtPreCreateKey |
| HKLM\software\microsoft\tracing\rasmancs::enableconsoletracing | | RegNtPreCreateKey |
| HKLM\software\microsoft\tracing\rasmancs::filetracingmask | | RegNtPreCreateKey |
| HKLM\software\microsoft\tracing\rasmancs::consoletracingmask | | RegNtPreCreateKey |
| HKLM\software\microsoft\tracing\rasmancs::maxfilesize | | RegNtPreCreateKey |
| HKLM\software\microsoft\tracing\rasmancs::filedirectory | %windir%\tracing | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | 驯瑞ǜ | RegNtPreCreateKey |
| HKLM\software\policies\microsoft\windows\windowsupdate\au::noautoupdate | | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | 땛ꖫǜ | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | য়꣸ǜ | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\tracing::enableconsoletracing | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\tracing\rasapi32::enablefiletracing | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\tracing\rasapi32::enableautofiletracing | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\tracing\rasapi32::enableconsoletracing | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\tracing\rasapi32::filetracingmask | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\tracing\rasapi32::consoletracingmask | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\tracing\rasapi32::maxfilesize | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\tracing\rasapi32::filedirectory | %windir%\tracing | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\tracing\rasmancs::enablefiletracing | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\tracing\rasmancs::enableautofiletracing | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\tracing\rasmancs::enableconsoletracing | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\tracing\rasmancs::filetracingmask | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\tracing\rasmancs::consoletracingmask | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\tracing\rasmancs::maxfilesize | | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\tracing\rasmancs::filedirectory | %windir%\tracing | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | 蚘囀쭤ǜ | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | 俩쵴ǜ | RegNtPreCreateKey |
| HKLM\system\setup::respecializecmdline | | RegNtPreCreateKey |
| HKLM\system\setup::workingdirectory | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows\currentversion\setup\sysprep\settings\sppnp::donotcleanupnonpresentdevices | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows\currentversion\setup\sysprep\settings\sppnp::persistalldeviceinstalls | | RegNtPreCreateKey |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

| Category | API |
|---|---|
| Syscall Use | |
| User Data Access | |
| Encryption Used | |
| Anti Debug | |
| Other Suspicious | |
| Process Shell Execute | |
| Network Winsock2 | |
| Network Info Queried | |
| Network Winsock | |
| Network Winhttp | |
| Process Manipulation Evasion | |
| Service Control | |
| Process Terminate | |

154 additional items are not displayed above.
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.

| Command |
|---|
| "C:\WINDOWS\system32\HOSTNAME.EXE" |
| "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand |
| "C:\WINDOWS\system32\reg.exe" add HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /t REG_DWORD /d 1 /f |
| "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Bsjdvude\AppData\Local\Temp\etwiipby\etwiipby.cmdline" |
| "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Bdgrvxzt\AppData\Local\Temp\cn4egsqv\cn4egsqv.cmdline" |
| "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Ocfgwpyr\AppData\Local\Temp\sg4fukkg\sg4fukkg.cmdline" |
| "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Wtocxonf\AppData\Local\Temp\jbhur5bf\jbhur5bf.cmdline" |