PUP.MSIL.TelegramBot

Analysis Report

General information

Family Name: PUP.MSIL.TelegramBot
Signature status: No Signature

Known Samples

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has TLS information
  • File is .NET application
  • File is 32-bit executable
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Assembly Version
  • 134.0.3124.72
  • 25.3.23.97
  • 15.0.1.2
  • 6.5.0.0
  • 6.2.3.0
  • 3.4.0.0
  • 2.3.1.0
  • 2.0.0.1
  • 2.0.0.0
  • 1.5.1.0
  • 1.4.1224.0
  • 1.2.10.0
  • 1.1.0.0
  • 1.0.2.1
  • 1.0.0.0
  • 0.9.2.9
  • 0.8.1.0
  • 0.0.0.0
Comments
  • A Centralized Software Timer
  • Desktop implementation of Steam's mobile authenticator app
  • https://docs.maa.plus/
  • https://github.com/hronoas/SiteWatcher
  • iFactory system hello wifi for 5s-16 pro max
  • Powered by @ToolsKiemTrieuDo
  • Remote Administration Tool
  • Sandbox32
  • SetupWindows64
Company Name
  • adblogin.com
  • Anton Pryzhanov
  • AVISNet.Web
  • BuilderGUI
  • FACEIT Anti_Cheat
  • Firefly Studios
  • FTECH
  • iFactory Softwares
  • kanye4king
  • MAA Team
  • MagicSound
  • Microsoft Corporation
  • SearhBotTG
  • steam
  • Steam2
  • VirtualHere Loader
  • © Microsoft Corporation
File Description
  • ADBLogin - Manage And Create Profiles
  • AVISNet.Web
  • BuilderGUI
  • check
  • Crypto Box
  • DricaDesktop
  • FACEIT Anti_Cheat
  • FTECH_SOCKET
  • iFactoryTeam Hello Wifi
  • kanye4king
  • Ledger
  • MAA
  • Microsoft Edge WebView2
  • MultiWalletApp
  • NecroBot Client for Pokémon GO
  • Pulsar Server
  • Sandbox32
  • SearhBotTG
  • SetupWin64
  • SiteWatcher
  • steam
  • Steam2
  • Steam Desktop Authenticator
  • StormProject
  • Stronghold Kingdoms
  • UpdateApps
  • UprichTradingBot
  • VirtualHere Loader
  • VortexDrop
  • web-cam-bruteforcer
  • WindowsFormsApp1
  • WindowsFormsApp5
  • WindowsFormsApp35
File Version
  • 134.0.3124.72
  • 25.3.23.97
  • 15.0.1.3
  • 6.5.0
  • 6.2.3
  • 3.4.0.0
  • 2.3.1.0
  • 2.0.0.1
  • 2.0.0.0
  • 1.5.1
  • 1.4.1224.0
  • 1.4.3.1
  • 1.2.10
  • 1.1.0.0
  • 1.0.0.0
  • 0.9.2.9
  • 0.0.0.0
Internal Name
  • ADBLogin_ManageAndCreateProfiles.exe
  • AVISNet.Web.dll
  • BuilderGUI.dll
  • check.exe
  • Chrome.exe
  • cryptobox.dll
  • Drica.exe
  • FACEIT Anti_Cheat.dll
  • FTECH_SOCKET.exe
  • GPO fishing macro 8.3.exe
  • iFactoryTeam Hello Wifi.exe
  • kanye4king.dll
  • Ledger.exe
  • MAA.dll
  • msedgewebview2_exe
  • MultiWalletApp.exe
  • NecroBot.exe
  • Pulsar.exe
  • SearhBotTG.dll
  • SetupWin64.dll
  • shaderlibrary.exe
  • SiteWatcher.dll
  • steam.dll
  • Steam2.dll
  • Steam Desktop Authenticator.exe
  • StormProject.exe
  • StromDrop.exe
  • StrongholdKingdoms.exe
  • TelgaGrub.exe
  • Update.exe
  • UpdateDrica.exe
  • UprichTradingBot.exe
  • VirtualHere Loader.dll
  • web-cam-bruteforcer.exe
  • WindowsFormsApp1.exe
  • WindowsFormsApp35.exe
Legal Copyright
  • CCQ Collobaration
  • Copyright (c) 2021-2025 MAA Team
  • Copyright 2017
  • Copyright iFactory Softwares © 2025
  • Copyright Microsoft Corporation. All rights reserved.
  • Copyright © 2010
  • Copyright © 2016
  • Copyright © 2020
  • Copyright © 2023
  • Copyright © 2023
  • Copyright © 2024
  • Copyright © 2025
  • Copyright © MaxXor 2023
  • Frago9876543210 © 2017
  • Microsoft © 2025
Legal Trademarks
  • adblogin.com
  • iFactory Softwares
  • © Microsoft Corporation
Original Filename
  • ADBLogin_ManageAndCreateProfiles.exe
  • AVISNet.Web.dll
  • BuilderGUI.dll
  • check.exe
  • Chrome.exe
  • cryptobox.dll
  • Drica.exe
  • FACEIT Anti_Cheat.dll
  • FTECH_SOCKET.exe
  • GPO fishing macro 8.3.exe
  • iFactoryTeam Hello Wifi.exe
  • kanye4king.dll
  • Ledger.exe
  • MAA.dll
  • msedgewebview2_exe
  • MultiWalletApp.exe
  • NecroBot.exe
  • Pulsar.exe
  • SearhBotTG.dll
  • SetupWin64.dll
  • shaderlibrary.exe
  • SiteWatcher.dll
  • steam.dll
  • Steam2.dll
  • Steam Desktop Authenticator.exe
  • StormProject.exe
  • StromDrop.exe
  • StrongholdKingdoms.exe
  • TelgaGrub.exe
  • Update.exe
  • UpdateDrica.exe
  • UprichTradingBot.exe
  • VirtualHere Loader.dll
  • web-cam-bruteforcer.exe
  • WindowsFormsApp1.exe
  • WindowsFormsApp35.exe
Product Name
  • AVISNet.Web
  • BuilderGUI
  • check
  • Crypto Box
  • DricaDesktop
  • FACEIT Anti_Cheat
  • FTECH_SOCKET
  • iFactoryTeam Hello Wifi
  • kanye4king
  • Ledger
  • MAA
  • Manage And Create Profiles
  • Microsoft Edge WebView2
  • MultiWalletApp
  • PoGo.NecroBot.CLI
  • Pulsar
  • Sandbox32
  • SearhBotTG
  • SetupWindows64
  • SiteWatcher
  • steam
  • Steam2
  • Steam Desktop Authenticator
  • StormProject
  • Stronghold Kingdoms
  • UpdateApps
  • UprichTradingBot
  • VirtualHere Loader
  • VortexDrop
  • web-cam-bruteforcer
  • WindowsFormsApp1
  • WindowsFormsApp5
  • WindowsFormsApp35
Product Version
  • v6.5.0+adaef54e9d2e8813b6ed0813cf581ee30e490c5f
  • v6.2.3+4ef45c056abfe18edd1422252aaa0d9c0a2c058c
  • 134.0.3124.72
  • 25.3.23.97
  • 15.0.1.3
  • 3.4.0.0
  • 2.3.1.0
  • 2.0.0.0
  • 1.5.1
  • 1.4.1224
  • 1.2.10
  • 1.1.0.0
  • 1.0.0.0
  • 1.0.0+114780a5b9756437dbe605263acc860873c0a50f
  • 1.0.0+93a5023ced94b3d55f65a997b9b6970df0f0f573
  • 1.0.0+7d088711d750c4ba414541c94da96f4383a29816
  • 1.0.0+4a7f9b319a53ffa96e1afa58447305083287c73c
  • 1.0.0+034fa9cc3367ff8e5d148dcbb0fa8a0f4fb8d7f3
  • 1.0.0+0caf36f62feff72952aaafa3972272885d7d6308
  • 1.0.0
  • 0.9.2.9
  • 0.0.0.0

File Traits

  • .NET
  • Agile.net
  • Fody
  • HighEntropy
  • Installer Version
  • NewLateBinding
  • ntdll
  • RijndaelManaged
  • Run
  • SmartAssembly
  • Stealer
  • WriteProcessMemory
  • x64
  • x86

Block Information

Total Blocks: 3,636
Potentially Malicious Blocks: 28
Whitelisted Blocks: 1,719
Unknown Blocks: 1,889

Visual Map

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • MSIL.Agent.DGY
  • MSIL.Agent.FGI
  • MSIL.Agent.KS
  • MSIL.Agent.SFT
  • MSIL.Agent.XX
  • MSIL.HackAgent.XD
  • MSIL.Spy.DC
  • MSIL.TelegramBot.O
  • MSIL.TelegramBot.U
  • MSIL.TelegramBot.UA
  • RatSharp.B

Files Modified

File Attributes
\device\namedpipe Generic Read,Write Attributes
\device\namedpipe Generic Write,Read Attributes
\device\namedpipe\dav rpc service Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\pshost.134062039633893394.5564.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\wkssvc Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\programdata\update.exe Generic Write,Read Attributes
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.0.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.1.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.2.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\__psscriptpolicytest_3t2md4gk.eqn.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_qph34dip.xrb.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\edgewebview\drpsm5ta-qnkxcajh.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\edgewebview\msedgewebview2.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\local\temp\edgewebview\msedgewebview2.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\tmp5262.tmp.cmd Generic Write,Read Attributes
c:\users\user\downloads\5c1ffa7b88cc30937f0104f479684fe0a9acdea0_0000113664 Synchronize,Write Attributes
c:\users\user\downloads\config\translations\translation.en.json Generic Write,Read Attributes
c:\users\user\downloads\logs\necrobot-2025-12-13-21.txt Generic Write,Read Attributes
c:\users\user\downloads\logupdate.txt Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\downloads\logupdate.txt Generic Write,Read Attributes

Registry Modifications

Key::Value Data API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 뱦䁾⡡ǜ RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::updatedrica c:\users\user\downloads\4b6376d4dc19d0ac4d79b8e4ebd9afb2f9f1e325_0000539648 RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\run::updatedrica c:\users\user\downloads\4b6376d4dc19d0ac4d79b8e4ebd9afb2f9f1e325_0000539648 RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing::enableconsoletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enablefiletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enableautofiletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enableconsoletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::filetracingmask ￿ RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::consoletracingmask ￿ RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::maxfilesize  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::filedirectory %windir%\tracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enablefiletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enableautofiletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enableconsoletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::filetracingmask ￿ RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::consoletracingmask ￿ RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::maxfilesize  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::filedirectory %windir%\tracing RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 㫚海䢶ǜ RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcDeleteSecurityContext
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtCancelTimer2
  • ntdll.dll!NtCancelWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtCompareSigningLevels
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtGetCachedSigningLevel
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationJobObject
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtUnsubscribeWnfStateChange
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForMultipleObjects
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • UNKNOWN

25 additional items are not displayed above.

User Data Access
  • GetComputerName
  • GetComputerNameEx
  • GetUserDefaultLocaleName
  • GetUserName
  • GetUserNameEx
  • GetUserObjectInformation
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
  • OutputDebugString
Encryption Used
  • BCryptOpenAlgorithmProvider
Other Suspicious
  • AdjustTokenPrivileges
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ReadProcessMemory
Process Shell Execute
  • CreateProcess
Keyboard Access
  • GetKeyState
Network Info Queried
  • GetAdaptersAddresses
  • GetNetworkParams
Network Winsock2
  • WSAConnect
  • WSASend
  • WSASocket
  • WSAStartup
  • WSAttemptAutodialName
Network Winsock
  • bind
  • closesocket
  • freeaddrinfo
  • getaddrinfo
  • getsockname
  • recv
  • send
  • setsockopt
Network Winhttp
  • WinHttpOpen

Shell Command Execution

"C:\Users\Gmvwsama\AppData\Local\Temp\EdgeWebView\msedgewebview2.exe"
"C:\Users\Gmvwsama\AppData\Local\Temp\tmp5262.tmp.cmd"
"schtasks.exe" /create /tn "msedgewebview2" /tr "C:\Users\Gmvwsama\AppData\Local\Temp\EdgeWebView\msedgewebview2.exe" /st 22:59 /du 23:59 /sc daily /ri 1 /rl HIGHEST /f
C:\WINDOWS\system32\timeout.exe timeout 6
"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "\r\nGet-ScheduledTask -TaskPath '\' | Where-Object { $_.TaskName -match '^OneDriveReportingTask-[a-zA-Z0-9]{1,15}$' } | Select-Object -ExpandProperty TaskName\r\n"
