Trojan.Cerber.ID

By CagedTech in Trojans

Threat Scorecard

Popularity Rank: 1,294
Threat Level: 80 % (High)
Infected Computers: 88,202
First Seen: January 16, 2013
Last Seen: March 15, 2026
OS(es) Affected: Windows

Analysis Report

General information

Family Name: Trojan.Cerber.ID
Packers: UPX
Signature status: No Signature

Known Samples

(Sample hash list omitted.)

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has been packed
  • File has exports table
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Company Name
  • ExploreDrive
  • Igor Pavlov
  • Microsoft
File Description 7z SFX
File Version
  • 9.20
  • 2.2.2.0
  • 2.2.1.0
  • 2.1.7.0
  • 2.0.9.0
  • 2.0.5.0
  • 1.9.3.0
  • 1.9.2.0
  • 1.9.1.0
  • 1.8.4.0
  • 1.7.7.0
  • 1.00
  • 1.0.0.0
Internal Name
  • 7z.sfx
  • ExploreDrive
  • TJprojMain
  • Win
Legal Copyright Copyright (c) 1999-2010 Igor Pavlov
Original Filename
  • 7z.sfx.exe
  • ExploreDrive.exe
  • TJprojMain.exe
  • Win.exe
  • Windows 7 Loader.exe
  • Windows Loader.exe
Product Name
  • 7-Zip
  • ExploreDrive
  • Project1
  • Win
Product Version
  • 9.20
  • 1.00
Release
  • Beta
  • Development
  • Final

File Traits

  • big overlay
  • HighEntropy
  • packed
  • x86

Block Information

Total Blocks: 6,766
Potentially Malicious Blocks: 0
Whitelisted Blocks: 6,766
Unknown Blocks: 0

Visual Map

(Block-by-block visual map omitted.)
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • HackKMS.P

Files Modified

File Attributes
Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
Generic Write,Read Attributes,Delete,LEFT 262144
Generic Write,Read Data,Read Attributes,Delete,LEFT 262144
\device\namedpipe Generic Read,Write Attributes
\device\namedpipe Generic Write,Read Attributes
c:\autorun.inf Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\autorun.inf Synchronize,Write Attributes
c:\users\user\appdata\local\temp\live Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0 Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\__tmp_rar_sfx_access_check_2926109 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\keys.ini Generic Write,Read Attributes
c:\users\user\appdata\local\temp\rarsfx0\keys.ini Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\microsoft.txt Generic Write,Read Attributes
c:\users\user\appdata\local\temp\rarsfx0\microsoft.txt Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\windows loader.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\rarsfx0\windows loader.exe Synchronize,Write Attributes
c:\users\user\appdata\roaming\newe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\roaming\taskhost.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\roaming\taskhost.exe Synchronize,Write Attributes
c:\viewdrive.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\viewdrive.exe Generic Write,Read Attributes,Delete,LEFT 262144
c:\viewdrive.exe Generic Write,Read Data,Read Attributes,Delete,LEFT 262144
c:\viewdrive.exe Synchronize,Write Attributes
c:\windows\2ca439 Generic Write,Read Attributes
c:\windows\system.ini Generic Read,Write Data,Write Attributes,Write extended,Append data

Registry Modifications

Key::Value Data API Name
HKLM\software\wow6432node\windowslive::version  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::windows task host C:\Users\Jamungsi\AppData\Roaming\taskhost.exe RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\run::windows task host C:\Users\Jamungsi\AppData\Roaming\taskhost.exe RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\advanced::hidden  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::antivirusoverride  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::antivirusdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::firewalldisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::firewalloverride  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::updatesdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::uacdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::antivirusoverride  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::antivirusdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::firewalldisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::firewalloverride  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::updatesdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::uacdisablenotify  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings::globaluseroffline RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\policies\system::enablelua RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::enablefirewall RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::donotallowexceptions RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::disablenotifications  RegNtPreCreateKey
HKCU\software\apcr\1214104697::1919251317  RegNtPreCreateKey
HKCU\software\apcr\1214104697::-456464662 RegNtPreCreateKey
HKCU\software\apcr\1214104697::1462786655 RegNtPreCreateKey
HKCU\software\apcr\1214104697::-912929324 (binary data) RegNtPreCreateKey
HKCU\software\apcr\1214104697::1006321993 (binary data) RegNtPreCreateKey
HKCU\software\apcr\1214104697::-1369393986 http://www.ledyazilim.com/logo.gifhttp://ksandrafashion.com/l RegNtPreCreateKey
HKCU\software\apcr\1214104697::549857331 RegNtPreCreateKey
HKCU\software\apcr::u1_0 (binary data) RegNtPreCreateKey
HKCU\software\apcr::u2_0 RegNtPreCreateKey
HKCU\software\apcr::u3_0 (binary data) RegNtPreCreateKey
HKCU\software\apcr::u4_0 RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe (binary data) RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe (binary data) RegNtPreCreateKey

Windows API Usage

Category API
Anti Debug
  • CheckRemoteDebuggerPresent
  • IsDebuggerPresent
User Data Access
  • GetUserObjectInformation
  • OpenClipboard
Network Winsock2
  • WSAStartup
Other Suspicious
  • SetWindowsHookEx
Keyboard Access
  • GetAsyncKeyState
  • GetKeyState
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess
  • ShellExecuteEx
Network Winsock
  • connect
  • gethostbyname
  • getpeername
  • inet_addr
  • send
  • setsockopt
  • socket
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTerminateProcess
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • UNKNOWN
Process Terminate
  • TerminateProcess

Shell Command Execution

C:\Users\Jamungsi\AppData\Roaming\taskhost.exe
(NULL) C:\Users\Wfbcqhkh\AppData\Local\Temp\RarSFX0\Windows Loader.exe
C:\Windows\system32\cscript.exe C:\Windows\system32\cscript.exe //nologo C:\Windows\system32\slmgr.vbs -dli