
Trojan.Coinminer.GQ

By CagedTech in Trojans

Threat Scorecard

Popularity Rank: 5,763
Threat Level: 80 % (High)
Infected Computers: 5,269
First Seen: September 3, 2021
Last Seen: April 13, 2026
OS(es) Affected: Windows

Analysis Report

General information

Family Name: Trojan.Coinminer.GQ
Signature status: No Signature

Known Samples

MD5: e1f45c54111a4593371c1d56a0e256fd
SHA1: 00149ae29e2a67d46db39185f29d6000a2761680
File Size: 159.74 KB, 159744 bytes
MD5: 0c7d0f0c88ee79d4ef5b7de840b1914e
SHA1: 4a2319b72bbb5d0fa8d6c711df29696743ee6713
File Size: 159.23 KB, 159232 bytes
MD5: 2deba8988326e7ce2671a8a1acadddc4
SHA1: ab836c1c9f19b9703fe6bcd4b185078f089c56fe
File Size: 144.90 KB, 144896 bytes
MD5: 31f70ef11d84155de959224ab09f803a
SHA1: 4f7c178a458a8bacb45289b2c6ef8f3933289efb
SHA256: F4CAFB0690A34B3AE1B8AA45C06933951B524B5623A0C0018F71269F4331B0CF
File Size: 168.96 KB, 168960 bytes
MD5: 922b4fc67052a03d72492caae2b8a1b0
SHA1: a20c416f6436fe5b8c10eee95b018c786dae7d16
SHA256: 7A6B7682A1B6F8ED93FBD22965C84012FC0D36AABEA1DD590987057465B8365A
File Size: 161.79 KB, 161792 bytes
MD5: 159fd44d2295135dfd7b7d3260ab274c
SHA1: 4bda58f81364d526d0644a8640cbe3e474aed039
SHA256: 614393462F76BC91C324FD770776F4DA4F5C76E71F5D2CFC6ACF7DA5E9204F95
File Size: 160.77 KB, 160768 bytes
MD5: 7349546c112da6e0a5c26df480804090
SHA1: 5dceecf961e80cefc8c7761662b8025671895185
SHA256: 350218BEFF126F230A3B8F8111B016AB593913FC6B3932D56E1F76A8989C61FF
File Size: 160.26 KB, 160256 bytes
MD5: 7368f9d1351dbd88884769a9e1591d58
SHA1: 2b5f466fd47ee9405a22059dd2885e5cb827027b
SHA256: 398F86519E5CCFC875EEFF3B8BC6DC7678D62A952AFAFC77A545BF4243621BF5
File Size: 158.21 KB, 158208 bytes
MD5: 78d89c701d2ba3cd90083280fc1fc696
SHA1: 509ecf8013f055c8b79c034be7f03ef9b3a2783e
SHA256: B319A4C8455BFDE9CA05342F35842C0AFC4AF016B9552D458B5AF76F8E51321B
File Size: 158.21 KB, 158208 bytes
MD5: 15807623d3273fe368fffb85d6128e73
SHA1: 255d31822d031be2ccbc45a0f22ec2f9787e746c
SHA256: DF1DA6BF58171512023D8CAA06271A8B00339D9FD108B9112CD3BDFB8AD7881F
File Size: 160.26 KB, 160256 bytes
MD5: 0f44f00339fa9293e84f6b34fca7359d
SHA1: 75cd6fe5fa5bfd477bcd6473eb71edd013643366
SHA256: B130341B32EE6551581D33A7A01D4D25B59725FEF7FB5D821EE46FE72081C141
File Size: 158.21 KB, 158208 bytes
MD5: 0705de62402bf0936f08c0f14bb26539
SHA1: 456af6759e1072e999b8d5fbadc2153d1ece771d
SHA256: D986700EBC8388B4715CC6767E0B550860B110A6DA21B841CD647BDF5FED2CA2
File Size: 100.35 KB, 100352 bytes
MD5: 60db68e1d9365eef18636cb2d7b6ec6d
SHA1: 2b76d353a5c4d2ba2ae5f25a6c0d02a268302956
SHA256: D09188841F6166DBE35457D288060AD22B44E930F33AB49DDE045DE805756B8A
File Size: 159.74 KB, 159744 bytes
MD5: d95b92dec1b0bfbcf980c2f0aa4b0ad5
SHA1: 2f310a58a25f3cb191b5913d091ffc59ab15ed65
SHA256: 26F1F1A85F33F8D0E15FB86DA996997AB5E92C2D49A95B1299680B53FD4A2EF5
File Size: 168.96 KB, 168960 bytes
MD5: fd0e99a46948a805968aebece667ba8b
SHA1: ad453ec37da0fefee71381f8f0ba166ed275acb4
SHA256: 08FD7E9D9EF526807CACA0F83C33C1B60CB7781630F81015F59F947D6A8BB5D5
File Size: 157.70 KB, 157696 bytes
MD5: e01385a5a35922814336b6c1d1288a2b
SHA1: 6a3ff72c508fd988b8e4bf8e0ce702875e66c9a6
SHA256: A0EABC8450DBB16AD25E3C54327E63404916FA66D2F1D4E5CFCCA44962F59C19
File Size: 151.55 KB, 151552 bytes
MD5: 0e492c70df68405f39cffc91aa21dce9
SHA1: 73c2d71db0182b9230617d6edc1d8b0b82fdc28e
SHA256: BD7531CE57D96813FC8EC1F1AA7ACADE3FCB7F73B1421CF70073B34343EEE310
File Size: 162.30 KB, 162304 bytes
MD5: e8bd24b22cf13350b7c054da1ae042bd
SHA1: 6b69046f29332d67c10f5d7731e7e280f190f862
SHA256: C3B429E5558450AED6ADA2C2AC93B1823165B3A294C100F1348BF403210997E2
File Size: 171.01 KB, 171008 bytes
MD5: b7c385a103e12cea18597d2c2166930f
SHA1: 66d233da8a0abb5d7ab46446311043d0bbfa5029
SHA256: CAD229D80F942BB08D3F685A0BA4FE980A74AC25FEF7F823C2D8DDC1246E4042
File Size: 157.70 KB, 157696 bytes
MD5: 99c904a4f5a0d0cb499ae22966ab628e
SHA1: fc9d12ed1151a23f30986fe6252310bc0719ae8a
SHA256: 2161C02F3B88DAC5F40EFAF8611BACE456667CBB9501CD85C13A2F020BB24D1C
File Size: 97.79 KB, 97792 bytes
MD5: ddb23408c7c2c26921f9195c423d9f83
SHA1: 22c80e7c94212e40da07d3f25bcfe529d7dd03d3
SHA256: 6C7FEDA7C6BB1A0334C4C8FD980B1CBA7A08F17F2BB36EBF10F631C54B645BC7
File Size: 160.26 KB, 160256 bytes
MD5: 4f59d00ab6df9067678d8a316d5d6d66
SHA1: c237bb01a35c78bfdcbeb63f04ce6219662fc9a5
SHA256: CEC6F9755671683CD5A6188CB49485E01690A158726DADF2E72FFC7BED68F512
File Size: 171.01 KB, 171008 bytes
MD5: cb409a68f6db64bec452a0ebeed0f6cd
SHA1: ccaa9cdbef020d15f420e39c53fe019a2734df24
SHA256: 7DF11DCBC322F8F7C81BD3A8657E12425FB595984232EB37B52B0212FE14B85A
File Size: 162.30 KB, 162304 bytes
MD5: 8860d9357c4a4ef7f1717d37f95c84a2
SHA1: 6974efbd7784ede95449ce015eef3096dd1b198f
SHA256: 0A46FFE1D88386D2355799132C5C917A6D2D047210BDB360F65D556AD455A898
File Size: 157.70 KB, 157696 bytes
MD5: a9136991afb2167fc14cdd2a8129852d
SHA1: 31302fbfd3d3b8ad8ea37bbfbe4507334e3b429d
SHA256: EC8054ACE4BE98668F143E0E996E323ADFB535030E7B65BA65627A3991DD49D0
File Size: 160.26 KB, 160256 bytes
MD5: e85cd300ab009899f2edb817d88c9a7b
SHA1: 101e5e8e289bb0f6b11fbaa53fb59beb6c6a5d2a
SHA256: C2763351E28291394605E1643C3828632F7E9D2D513A0B182FCC151FD8B1E286
File Size: 158.21 KB, 158208 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have exports table
  • File doesn't have security information
  • File is 64-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Company Name
  • @danielbranco.vm
  • Microsoft Corporation
Company Short Name: Microsoft
File Description
  • Archivo autoextractor de archivos CAB de Win32
  • Autoextrator de arquivo de gabinete Win32
  • Microsoft Edge
  • Samorozpakowujący się plik typu .cab Win32
  • Win32 Cabinet Self-Extractor
  • Win32 Kabin Ayıklayıcısı
  • Windows Media Player from Windows Vista
  • Самоизвлечение CAB-файлов Win32
File Version
  • 103.0.1264.71
  • 11.00.19041.4522 (WinBuild.160101.0800)
  • 11.00.19041.4165 (WinBuild.160101.0800)
  • 11.00.19041.3691 (WinBuild.160101.0800)
  • 11.00.19041.3203 (WinBuild.160101.0800)
  • 11.00.19041.2486 (WinBuild.160101.0800)
  • 11.00.19041.320 (WinBuild.160101.0800)
  • 11.00.19041.1 (WinBuild.160101.0800)
  • 11.0.6002.18005 (lh_sp2rtm.090410-1830)
Internal Name
  • msedge_exe
  • Wextract
Last Change: 1f7a1d165042010b399db54bd56390dd47e15013
Legal Copyright
  • Copyright Microsoft Corporation. All rights reserved.
  • © Daniel Branco. All rights reserved.
  • © Microsoft Corporation. Alle Rechte vorbehalten.
  • © Microsoft Corporation. All rights reserved.
  • © Microsoft Corporation. Todos los derechos reservados.
  • © Microsoft Corporation. Todos os direitos reservados.
  • © Microsoft Corporation. Tüm hakları saklıdır.
  • © Microsoft Corporation. Wszelkie prawa zastrzeżone.
  • © Microsoft Corporation. Με επιφύλαξη κάθε νόμιμου δικαιώματος.
  • © Корпорация Майкрософт. Все права защищены.
Official Build: 1
Original Filename
  • msedge.exe
  • WEXTRACT.EXE
  • WEXTRACT.EXE .MUI
Product Name
  • Internet Explorer
  • Microsoft Edge
  • Windows Media Player
Product Short Name: Microsoft Edge
Product Version
  • 103.0.1264.71
  • 11.00.19041.4522
  • 11.00.19041.4165
  • 11.00.19041.3691
  • 11.00.19041.3203
  • 11.00.19041.2486
  • 11.00.19041.320
  • 11.00.19041.1
  • 11.0.6002.18005

File Traits

  • CAB SFX
  • Wextract
  • x64
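Read together, the attribute list, the version-info table and the file traits above describe an x64 GUI executable with no Rich header (which MSVC-linked binaries normally carry), no export table, no embedded Authenticode signature (the "security information" attribute is the IMAGE_DIRECTORY_ENTRY_SECURITY data directory) and version strings that claim "Microsoft Corporation", "Win32 Cabinet Self-Extractor" and even "Microsoft Edge". Version-info strings are free text fixed at build time, so a Microsoft company name is a claim, not evidence, until a signature backs it. The script below is an added example, not code from this page or its vendor: a header-only PE parser built on the standard library that reproduces those attribute checks, a builder that constructs a header-only PE image to run it against (not a loadable file), and the lookalike check a practitioner would add on top. Two caveats it makes explicit: it cannot detect packing (that needs section entropy), and it cannot see catalog signatures, so a genuine wextract.exe copied out of System32, which is catalog-signed rather than embedded-signed, also reports `has_authenticode == False`; the difference is that the genuine file can be verified against the catalog, while these samples turn up as unsigned CAB SFX wrappers in user-writable paths.

```python
import struct

# PE constants from winnt.h.
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
DIR_EXPORT, DIR_SECURITY, DIR_COM_DESCRIPTOR = 0, 4, 14   # data-directory indices


def pe_attributes(data: bytes) -> dict:
    """Header-level attributes of a PE image held in memory; sections are not parsed."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, _nsec, _ts, _symp, _nsym, _optsz, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    is_pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]      # same offset in PE32 and PE32+
    ndirs_off, dir_base = (108, 112) if is_pe32plus else (92, 96)
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]

    def directory(idx: int):
        """(VirtualAddress, Size) of a data directory, or (0, 0) when absent."""
        if idx >= ndirs:
            return (0, 0)
        return struct.unpack_from("<II", data, opt + dir_base + 8 * idx)

    return {
        # The Rich header lives between the DOS stub and e_lfanew in MSVC-linked files.
        "has_rich_header": b"Rich" in data[0x40:e_lfanew],
        "has_exports": directory(DIR_EXPORT)[1] != 0,
        # IMAGE_DIRECTORY_ENTRY_SECURITY locates an embedded Authenticode blob; this is the
        # "security information" the attribute list above reports as missing.
        "has_authenticode": directory(DIR_SECURITY)[1] != 0,
        "is_64bit": is_pe32plus and machine == IMAGE_FILE_MACHINE_AMD64,
        "is_gui": subsystem == IMAGE_SUBSYSTEM_WINDOWS_GUI,
        "is_console": subsystem == IMAGE_SUBSYSTEM_WINDOWS_CUI,
        "is_dotnet": directory(DIR_COM_DESCRIPTOR)[1] != 0,       # CLR header present
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "is_executable_image": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
    }


def build_minimal_pe(machine=IMAGE_FILE_MACHINE_AMD64, characteristics=0x0022,
                     subsystem=IMAGE_SUBSYSTEM_WINDOWS_GUI, export_size=0,
                     security_size=0, clr_size=0, rich=False) -> bytes:
    """Constructed test input: DOS header + PE signature + COFF + optional header, no sections."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    if rich:
        dos[0x60:0x64] = b"Rich"   # marker only; a real Rich header also carries the XOR'd DanS block
    is_pe32plus = machine == IMAGE_FILE_MACHINE_AMD64
    opt_size = 240 if is_pe32plus else 224
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if is_pe32plus else 0x10B)
    struct.pack_into("<H", opt, 68, subsystem)
    ndirs_off, dir_base = (108, 112) if is_pe32plus else (92, 96)
    struct.pack_into("<I", opt, ndirs_off, 16)
    for idx, size in ((DIR_EXPORT, export_size), (DIR_SECURITY, security_size),
                      (DIR_COM_DESCRIPTOR, clr_size)):
        if size:
            struct.pack_into("<II", opt, dir_base + 8 * idx, 0x1000, size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def unsigned_microsoft_lookalike(attrs: dict, company_name: str) -> bool:
    """A 'Microsoft Corporation' version string with no embedded signature is the
    combination the version-info table above shows; for files outside the Windows
    directory (no catalog to check) treat it as spoofed until proven otherwise."""
    return company_name.strip().lower() == "microsoft corporation" and not attrs["has_authenticode"]


if __name__ == "__main__":
    # Mirrors the attribute list above: x64 GUI EXE, no Rich header, no exports, unsigned, native.
    for key, value in pe_attributes(build_minimal_pe()).items():
        print(f"{key:22} {value}")
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `pe_attributes`; the builder exists only so the example runs without a sample on disk.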

Block Information

Total Blocks: 92
Potentially Malicious Blocks: 38
Whitelisted Blocks: 54
Unknown Blocks: 0

Visual Map

0 0 0 0 0 x 1 x 0 x x 0 x 0 0 x 0 x 0 0 x x 0 0 x x x x 0 x 0 x x x x 0 x x 1 x x x 0 0 x x x x 0 x x x x 1 x x x x x 0 0 0 0 0 0 0 x 0 x 0 0 1 0 0 2 0 0 0 0 0 0 0 0 1 1 0 0 2 0 0 0 1
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Coinminer.GQ

Files Modified

File Attributes
\device\namedpipe Generic Read,Write Attributes
\device\namedpipe Generic Write,Read Attributes
\device\namedpipe\dav rpc service Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\pshost.133968238621902896.4288.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134068534055850207.1864.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134205720658483254.7736.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\wkssvc Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\powershell\startupprofiledata-noninteractive Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_3vr221as.udu.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_4rdkcnyp.h2t.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_b2ieakdb.wwq.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_etitmhro.03w.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_gwxwqslz.pu4.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_od325ckn.0fn.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_svrfd35s.au2.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_szdwsbid.bh5.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\2nd keyboard delay.bat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\2nd keyboard delay.bat Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\amir.bat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\amir.bat Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\amir.bat_deleted_ Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\anything - copy (2).bat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\anything - copy (2).bat Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\anything - copy (2).bat_deleted_ Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\bypass 077.bat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\bypass 077.bat Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\change~1.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\change~1.ps1 Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\change~1.ps1_deleted_ Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\father.bat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\father.bat Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\firewall.bat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\firewall.bat Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\firewall.bat_deleted_ Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\limpiador.bat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\limpiador.bat Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\limpiador.bat_deleted_ Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\makefiles.bat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\makefiles.bat Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\makefiles.bat_deleted_ Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\modular.bat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\modular.bat Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\modular.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\modular.ps1 Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\plus.cmd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\plus.cmd Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\prohackerterminal.bat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\prohackerterminal.bat Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\roblox - copy - copy.bat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\roblox - copy - copy.bat Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\roblox - copy - copy.bat_deleted_ Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\selecto.cmd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\selecto.cmd Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\test - copy (37) - copy.vbs Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\test - copy (37) - copy.vbs Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\test - copy (37) - copy.vbs_deleted_ Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\tmp4351$.tmp Generic Write,Read Attributes,Delete
c:\users\user\appdata\local\temp\ixp000.tmp\tweaks hub bloom reducer.bat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\tweaks hub bloom reducer.bat Synchronize,Write Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\updatenxlicense.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ixp000.tmp\updatenxlicense.ps1 Synchronize,Write Attributes

Registry Modifications

Key::Value Data API Name
HKLM\software\microsoft\windows\currentversion\runonce::wextract_cleanup0 rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Saauwwqn\AppData\Local\Temp\IXP000.TMP\" RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe (binary, last-execution FILETIME) RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe (binary, last-execution FILETIME) RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\runonce::wextract_cleanup0 rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Mzcanjjd\AppData\Local\Temp\IXP000.TMP\" RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe (binary, last-execution FILETIME) RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\applicationassociationtoasts::cplfile_.cpl RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\muicache::c:\windows\system32\control.exe.friendlyappname Windows Control Panel RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\muicache::c:\windows\system32\control.exe.applicationcompany Microsoft Corporation RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\userassist\{cebff5cd-ace2-4f4f-9178-9926f41749ea}\count::zvpebfbsg.jvaqbjf.rkcybere (ROT13 of microsoft.windows.explorer) (binary) RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\userassist\{cebff5cd-ace2-4f4f-9178-9926f41749ea}\count::hrzr_pgyfrffvba (ROT13 of UEME_CTLSESSION) (binary, containing the string "Microsoft.XboxGamingOverlay_8wekyb3d8bbwe!App") RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\runonce::wextract_cleanup0 rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Zqppfewu\AppData\Local\Temp\IXP000.TMP\" RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe (binary, last-execution FILETIME) RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\runonce::wextract_cleanup0 rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Mngkdvyj\AppData\Local\Temp\IXP000.TMP\" RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe (binary, last-execution FILETIME) RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe (binary, last-execution FILETIME) RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\runonce::wextract_cleanup0 rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Clxnptqo\AppData\Local\Temp\IXP000.TMP\" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\runonce::wextract_cleanup0 rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Ekiywvap\AppData\Local\Temp\IXP000.TMP\" RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe (binary, last-execution FILETIME) RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe (binary, last-execution FILETIME) RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\runonce::wextract_cleanup0 rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Gvmpsikw\AppData\Local\Temp\IXP000.TMP\" RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe (binary, last-execution FILETIME) RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\runonce::wextract_cleanup0 rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Rlmtbysr\AppData\Local\Temp\IXP000.TMP\" RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe (binary, last-execution FILETIME) RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe (binary, last-execution FILETIME) RegNtPreCreateKey
HKCU\local settings\muicache\1b\52c64b7e::@c:\windows\system32\ndfapi.dll,-40001 Windows Network Diagnostics RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\runonce::wextract_cleanup0 rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Legawaha\AppData\Local\Temp\IXP000.TMP\" RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe (binary, last-execution FILETIME) RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe (binary, last-execution FILETIME) RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer::slowcontextmenuentries RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\content::cacheprefix RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\cookies::cacheprefix Cookie: RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\history::cacheprefix Visited: RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\runonce::wextract_cleanup0 rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Rsmrzxsy\AppData\Local\Temp\IXP000.TMP\" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\runonce::wextract_cleanup0 rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Iifoerna\AppData\Local\Temp\IXP000.TMP\" RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe (binary, last-execution FILETIME) RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe (binary, last-execution FILETIME) RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe (binary, last-execution FILETIME) RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\runonce::wextract_cleanup0 rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Ubcerfsq\AppData\Local\Temp\IXP000.TMP\" RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe (binary, last-execution FILETIME) RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe (binary, last-execution FILETIME) RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\runonce::wextract_cleanup0 rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Gewgvuwd\AppData\Local\Temp\IXP000.TMP\" RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe (binary, last-execution FILETIME) RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe (binary, last-execution FILETIME) RegNtPreCreateKey
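The rows that matter most in the registry table are the `RunOnce::wextract_cleanup0` values. wextract.exe, the stub behind every "Win32 Cabinet Self-Extractor" (IExpress packages included), unpacks its CAB into `%TEMP%\IXP000.TMP` and registers `rundll32 advpack.dll,DelNodeRunDLL32 "<that folder>"` under RunOnce so the folder is deleted at the next logon; the thirteen distinct usernames in those rows correspond to separate analysis runs, and the Files Modified table above lists what was unpacked. The BAM `UserSettings` rows (a last-execution timestamp per binary) and the ROT13-named UserAssist rows are written by Windows in response to the execution, not by the sample; they are useful for timelining and nothing else. The following is an added example, not the vendor's tooling: it parses the RunOnce value to recover the staging folder and the user, then walks the file rows to list the scripts dropped into that folder and which of them were deleted again, skipping PowerShell's own artifacts (the `pshost.*` named pipes and the `__psscriptpolicytest_*` files PowerShell writes to probe AppLocker policy). Input rows are copied from the tables above; the parsing logic and the field names are this example's own.

```python
import re
from pathlib import PureWindowsPath

# RunOnce value written by wextract.exe: advpack.dll's DelNodeRunDLL32 removes the
# extraction folder at the next logon, taking the dropped scripts with it.
CLEANUP_RE = re.compile(
    r"^HKLM\\software\\microsoft\\windows\\currentversion\\runonce::"
    r"(?P<name>wextract_cleanup\d+)\s+rundll32(?:\.exe)?\s+\S+\\advpack\.dll,DelNodeRunDLL32\s+"
    r'"(?P<dir>[^"]+)"(?:\s+(?P<api>\S+))?\s*$',
    re.IGNORECASE,
)
# "<path> <access list>" rows as they appear under Files Modified above.
FILE_RE = re.compile(r"^(?P<path>.+?)\s+(?P<access>(?:Generic|Synchronize)\b.*)$", re.IGNORECASE)
PAYLOAD_EXT = {".bat", ".cmd", ".ps1", ".psm1", ".vbs", ".js", ".exe", ".dll"}


def parse_cleanup_value(line: str):
    """Return {'value', 'staging_dir', 'folder', 'user'} for a wextract RunOnce row, else None."""
    m = CLEANUP_RE.match(line.strip())
    if not m:
        return None
    d = PureWindowsPath(m.group("dir"))
    parts = d.parts                      # ('C:\\', 'Users', '<user>', 'AppData', ..., 'IXP000.TMP')
    user = parts[2] if len(parts) > 2 and parts[1].lower() == "users" else None
    return {"value": m.group("name"), "staging_dir": str(d), "folder": d.name, "user": user}


def staged_payloads(file_rows, folder: str) -> dict:
    """Script/binary drops inside the SFX staging folder, with their access rights and
    whether a '_deleted_' row shows the file was removed again during the run."""
    found = {}
    for row in file_rows:
        m = FILE_RE.match(row.strip())
        if not m:
            continue
        p = PureWindowsPath(m.group("path"))
        if p.parent.name.lower() != folder.lower():
            continue                     # drops the pshost pipes and __psscriptpolicytest_* probes
        name = p.name
        deleted = name.lower().endswith("_deleted_")
        if deleted:
            name = name[: -len("_deleted_")]
        if PureWindowsPath(name).suffix.lower() not in PAYLOAD_EXT:
            continue
        entry = found.setdefault(name.lower(), {"name": name, "deleted": False, "access": set()})
        entry["deleted"] = entry["deleted"] or deleted
        entry["access"].update(a.strip() for a in m.group("access").split(","))
    return found


def triage(registry_rows, file_rows) -> dict:
    """One record per wextract RunOnce entry: who ran it, where it unpacked, what it dropped."""
    runs = []
    for row in registry_rows:
        hit = parse_cleanup_value(row)
        if hit:
            hit["payloads"] = staged_payloads(file_rows, hit["folder"])
            runs.append(hit)
    return {"runs": runs, "users": sorted({r["user"] for r in runs if r["user"]})}


# Constructed input: rows copied from the tables above (a subset, not the full export).
REGISTRY_ROWS = [
    r'HKLM\software\microsoft\windows\currentversion\runonce::wextract_cleanup0 rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Saauwwqn\AppData\Local\Temp\IXP000.TMP\" RegNtPreCreateKey',
    r'HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe (binary) RegNtPreCreateKey',
    r'HKLM\software\microsoft\windows\currentversion\runonce::wextract_cleanup0 rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Mzcanjjd\AppData\Local\Temp\IXP000.TMP\" RegNtPreCreateKey',
]
FILE_ROWS = [
    r"\device\namedpipe\pshost.133968238621902896.4288.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288",
    r"c:\users\user\appdata\local\temp\__psscriptpolicytest_3vr221as.udu.ps1 Generic Write,Read Attributes",
    r"c:\users\user\appdata\local\temp\ixp000.tmp\2nd keyboard delay.bat Generic Write,Read Attributes",
    r"c:\users\user\appdata\local\temp\ixp000.tmp\amir.bat Generic Write,Read Attributes",
    r"c:\users\user\appdata\local\temp\ixp000.tmp\amir.bat Synchronize,Write Attributes",
    r"c:\users\user\appdata\local\temp\ixp000.tmp\amir.bat_deleted_ Synchronize,Write Attributes",
    r"c:\users\user\appdata\local\temp\ixp000.tmp\change~1.ps1 Generic Write,Read Attributes",
    r"c:\users\user\appdata\local\temp\ixp000.tmp\tmp4351$.tmp Generic Write,Read Attributes,Delete",
]

if __name__ == "__main__":
    import pprint
    pprint.pprint(triage(REGISTRY_ROWS, FILE_ROWS))
```

On a live host the same two facts set the collection order: the RunOnce value is consumed at the next logon and the IXP folder is deleted with it, so copy `%TEMP%\IXP000.TMP` and export the RunOnce key before anyone reboots the machine.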

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAccessCheckByType
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAllocateLocallyUniqueId
  • ntdll.dll!NtAlpcAcceptConnectPort
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreatePort
  • ntdll.dll!NtAlpcCreatePortSection
  • ntdll.dll!NtAlpcCreateResourceReserve
  • ntdll.dll!NtAlpcCreateSectionView
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcDeleteSecurityContext
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcQueryInformationMessage
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtAlpcSetInformation
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtCancelIoFileEx
  • ntdll.dll!NtCancelTimer2
  • ntdll.dll!NtCancelWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtCompareSigningLevels
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateNamedPipeFile
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateUserProcess
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeleteValueKey
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFlushProcessWriteBuffers
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtFsControlFile
  • ntdll.dll!NtGetCachedSigningLevel
  • ntdll.dll!NtImpersonateAnonymousToken
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenMutant
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtPowerInformation
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFile
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryEvent
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationJobObject
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtQueueApcThreadEx2
  • ntdll.dll!NtReadFile

202 additional items are not displayed above.

Process Shell Execute
  • CreateProcess
  • ShellExecuteEx
  • WriteConsole
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
User Data Access
  • GetComputerNameEx
  • GetUserDefaultLocaleName
  • GetUserName
  • GetUserNameEx
  • GetUserObjectInformation
Encryption Used
  • BCryptOpenAlgorithmProvider
Other Suspicious
  • AdjustTokenPrivileges
Process Terminate
  • TerminateProcess
Process Manipulation Evasion
  • NtUnmapViewOfSection
Network Info Queried
  • GetAdaptersAddresses
Network Winsock2
  • WSAStartup
Network Winsock
  • freeaddrinfo
  • getaddrinfo
Network Icmp
  • Icmp6SendEcho2

Shell Command Execution

cmd.exe /c father.bat
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Start-Process -WindowStyle Hidden -FilePath powershell -Verb RunAs -ArgumentList '-NoProfile -Command Add-MpPreference -ExclusionPath \"C:\Users\Saauwwqn\*\"
cmd /c "firewall.bat"
WriteConsole:
WriteConsole: C:\Users\Mzcanjj
WriteConsole: start
WriteConsole: C:\Windows\Syst
C:\Windows\System32\Firewall.cpl C:\Windows\System32\firewall.cpl
open %SystemRoot%\system32\rundll32.exe Shell32.dll,Control_RunDLL "C:\Windows\System32\Firewall.cpl",
C:\Users\Zqppfewu\AppData\Local\Temp\IXP000.TMP\Plus.cmd
C:\WINDOWS\system32\taskkill.exe taskkill /IM "Consult4.exe" /IM "MCD3 Diagnostic Tool.exe" /IM "ErrorReportingTool.exe" /F
WriteConsole: ERROR: CoInitial
C:\WINDOWS\system32\regsvr32.exe regsvr32 /u /s "C:\CONSULT-III_plus\System\Middleware\Nissan\DDriver\Bin\D-Driver.dll"
cmd /c amir.bat
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -NoProfile -ExecutionPolicy Bypass -File "ChangeWallpaperAndIcons.ps1"
WriteConsole: The argument 'Ch
WriteConsole:
WriteConsole: Windows PowerShe
cmd /c ChangeWallpapersAndIcons.ps1
WriteConsole: 'ChangeWallpaper
Command.com /c C:\Users\Clxnptqo\AppData\Local\Temp\IXP000.TMP\Limpiador.bat
cmd /c "Tweaks Hub Bloom Reducer.bat"
WriteConsole: Tweaks Hub Bloom
WriteConsole: ================
WriteConsole: 1. Toggle Bloom
WriteConsole: 2. Toggle Privat
WriteConsole: 3. Toggle BCD Tw
WriteConsole: 4. Toggle FPS Ca
WriteConsole: 5. Toggle Input
WriteConsole: 6. Toggle Mouse
WriteConsole: 7. Toggle Fast M
WriteConsole: 8. Exit
WriteConsole: Choose an option
powershell.exe -ExecutionPolicy Bypass -File "UpdateNXLicense.ps1"
cmd /c "Roblox - Copy - Copy.bat"
WriteConsole: C:\Users\Rlmtbys
WriteConsole: for
WriteConsole: /
WriteConsole: %a in
WriteConsole: ("D:\Onlinegames
WriteConsole: set
WriteConsole: "rootdir=%a"
WriteConsole: /d "" RobloxPla
WriteConsole: The system canno
cmd /c makefiles.bat
WriteConsole: C:\Users\Legawah
WriteConsole: beamng:zeitScre
C:\Users\Legawaha\AppData\Local\Temp\IXP000.TMP\beamng:\zeitScreenBuild:zeit_zeitScreenUtils.beginTimer() beamng:zeitScreenBuild:zeit_zeitScreenUtils.beginTimer()
WriteConsole: Access is denied
C:\Users\Legawaha\AppData\Local\Temp\IXP000.TMP\beamng:\zeitScreenBuild:zeit_zeitScreenUtils.endTimer([[TOOK]]) beamng:zeitScreenBuild:zeit_zeitScreenUtils.endTimer([[TOOK]])
Command.com /c C:\Users\Rsmrzxsy\AppData\Local\Temp\IXP000.TMP\anything - Copy (2).bat
cmd /c "ProHackerTerminal.bat"
C:\WINDOWS\system32\mode.com mode 120,40
C:\WINDOWS\system32\ipconfig.exe ipconfig
C:\WINDOWS\system32\findstr.exe findstr /i "IPv4"
WriteConsole: Initializing Hac
C:\WINDOWS\system32\PING.EXE ping localhost -n 2
WriteConsole: ce93c3bbc3aace93c3bbc3aace93c3bb
C:\WINDOWS\system32\PING.EXE ping localhost -n 1
WriteConsole: ce93c3bbc3aace93c3bbc3aace93c3b2
WriteConsole: ce93c3b2c39cce93c3b2c389ce93c3b2
WriteConsole: WELCOME,
WriteConsole: Local IP
C:\WINDOWS\system32\PING.EXE ping localhost -n 3
WriteConsole: [*] Connecting t
WriteConsole: [*] Bypassing fi
WriteConsole: [*] Exploiting p
WriteConsole: [*] Injecting pa
WriteConsole: [*] Access Grant
WriteConsole: ----------------
WriteConsole: [1] Show System
WriteConsole: [2] Show Network
WriteConsole: [3] Show Active
WriteConsole: [4] Ping Google
WriteConsole: [5] Show Folder
WriteConsole: [6] Matrix Effec
WriteConsole: [7] Fake Virus S
WriteConsole: [8] Fake Hacking
WriteConsole: [0] Exit
WriteConsole: Enter your choic
cmd /c "bypass 077.bat"
WriteConsole:
WriteConsole: :
WriteConsole: . ::
WriteConsole: .-''---
WriteConsole: '. ..-::
WriteConsole: '.' :::
WriteConsole: ::
WriteConsole: Press any key to
WriteConsole: +--------------
WriteConsole: "
WriteConsole: "
WriteConsole: CHOOSE AN OPTION
cmd /c "2nd Keyboard Delay.bat"
WriteConsole: C:\Users\Gewgvuw
WriteConsole: by
WriteConsole: SWA Tweaks
WriteConsole: 'by' is not reco
C:\WINDOWS\system32\net.exe NET SESSION
WriteConsole: Requesting admin
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Start-Process 'C:\WINDOWS\system32\cmd.exe' -ArgumentList '/c "2nd Keyboard Delay.bat"' -Verb RunAs"
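The command log above mixes console output (the `WriteConsole:` rows, mostly menus printed by the bundled batch files such as `Tweaks Hub Bloom Reducer.bat` and `ProHackerTerminal.bat`) with a handful of lines that should drive the response: a Defender exclusion for the entire profile (`Add-MpPreference -ExclusionPath "C:\Users\<user>\*"`) launched hidden and elevated through `Start-Process -Verb RunAs`, `-ExecutionPolicy Bypass` script launches, `NET SESSION` as an admin check followed by a re-launch with `-Verb RunAs`, forced `taskkill` of application processes, `regsvr32 /u` of a driver DLL, and the Windows Firewall control-panel applet. Note also the `Command.com /c <full path>\IXP000.TMP\<file>.bat` form, which in this log only ever points into the SFX staging folder, i.e. the stub launching its install program. The following is an added example, not the vendor's tooling: a small rule set that tags those behaviours on each logged command line, ignores output rows, and pulls out the exclusion path, which is the first thing to revert on an affected host (`Remove-MpPreference -ExclusionPath <path>`). The rules and labels are this example's own; the log lines are copied from above.

```python
import re

# Constructed rule set written from the command lines logged above. The labels are
# descriptive names chosen for this example, not a vendor or framework taxonomy.
RULES = [
    ("defender-exclusion", re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I)),
    ("elevation-prompt",   re.compile(r"-Verb\s+RunAs", re.I)),
    ("hidden-window",      re.compile(r"-WindowStyle\s+Hidden", re.I)),
    ("execpolicy-bypass",  re.compile(r"-ExecutionPolicy\s+Bypass", re.I)),
    ("admin-check",        re.compile(r"\bnet(?:\.exe)?\s+session\b", re.I)),
    ("force-kill",         re.compile(r"\btaskkill(?:\.exe)?\b.*\s/F\b", re.I)),
    ("unregister-dll",     re.compile(r"\bregsvr32(?:\.exe)?\s+/u\b", re.I)),
    ("firewall-applet",    re.compile(r"firewall\.cpl", re.I)),
    ("sfx-staging-dir",    re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\", re.I)),
    ("iexpress-launcher",  re.compile(r"^Command\.com\s+/c\b", re.I)),
]
# The exclusion argument is logged with escaped quotes (\"...\"), so both forms are accepted.
EXCLUSION_RE = re.compile(r'-ExclusionPath\s+\\?"(?P<path>.+?)\\?"', re.I)


def classify(line: str) -> list:
    """Labels that fire on one logged command line; console output rows never match."""
    if line.startswith("WriteConsole:"):
        return []
    return [label for label, rx in RULES if rx.search(line)]


def triage(lines) -> dict:
    """Map each command line that fires at least one rule to its labels, in log order."""
    hits = {}
    for line in lines:
        labels = classify(line)
        if labels:
            hits[line] = labels
    return hits


def exclusion_paths(lines) -> list:
    """Paths the sample tried to exclude from Defender scanning: revert these first."""
    return [m.group("path") for line in lines if not line.startswith("WriteConsole:")
            for m in EXCLUSION_RE.finditer(line)]


def summary(lines) -> dict:
    """Lines per label, so the evasion steps stand out from the batch-file chatter."""
    counts = {}
    for labels in triage(lines).values():
        for label in labels:
            counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed input: command lines copied from the log above (a subset, in log order).
LOG = [
    r"cmd.exe /c father.bat",
    r'''C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Start-Process -WindowStyle Hidden -FilePath powershell -Verb RunAs -ArgumentList '-NoProfile -Command Add-MpPreference -ExclusionPath \"C:\Users\Saauwwqn\*\"''',
    r'cmd /c "firewall.bat"',
    r"WriteConsole: C:\Users\Mzcanjj",
    r'open %SystemRoot%\system32\rundll32.exe Shell32.dll,Control_RunDLL "C:\Windows\System32\Firewall.cpl",',
    r'C:\WINDOWS\system32\taskkill.exe taskkill /IM "Consult4.exe" /IM "MCD3 Diagnostic Tool.exe" /IM "ErrorReportingTool.exe" /F',
    r'C:\WINDOWS\system32\regsvr32.exe regsvr32 /u /s "C:\CONSULT-III_plus\System\Middleware\Nissan\DDriver\Bin\D-Driver.dll"',
    r'C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell -NoProfile -ExecutionPolicy Bypass -File "ChangeWallpaperAndIcons.ps1"',
    r"Command.com /c C:\Users\Clxnptqo\AppData\Local\Temp\IXP000.TMP\Limpiador.bat",
    r"WriteConsole: [*] Bypassing fi",
    r"C:\WINDOWS\system32\net.exe NET SESSION",
    r"WriteConsole: Requesting admin",
    r'''C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Start-Process 'C:\WINDOWS\system32\cmd.exe' -ArgumentList '/c "2nd Keyboard Delay.bat"' -Verb RunAs"''',
]

if __name__ == "__main__":
    for line, labels in triage(LOG).items():
        print(", ".join(labels).ljust(40), line[:80])
    print("exclusions:", exclusion_paths(LOG))
    print("summary:", summary(LOG))
```

The `NET SESSION` rule deserves the caveat that it is also how countless legitimate batch files test for elevation; it earns its place here only because the very next logged line re-launches the same script with `-Verb RunAs`, so score it in context rather than alone.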
