Multi-License Discount Quote

Change Region

English
Threat Database Trojans Trojan.Kryptik.YFH

Trojan.Kryptik.YFH

By CagedTech in Trojans

Analysis Report

General information

Family Name: Trojan.Kryptik.YFH
Signature status: Hash Mismatch

Known Samples

MD5: 0765bb25d622e5e67cc6b1d8663ee559
SHA1: 7bc6ff1d458d9974cf00a38b32fde78b91085f51
File Size: 5.02 MB, 5022496 bytes
MD5: b2ef8724ac686fe6d1a4087a339f8517
SHA1: 5df130f24e399aaf8f21b6ef06318b6dde76d802
File Size: 5.00 MB, 5000480 bytes
MD5: 1bc50842b2e0fe50a95deb643dd2412d
SHA1: f13bee29ce428446651512c7a68a4e81823c4fac
File Size: 5.02 MB, 5022496 bytes
MD5: 57b1e4da5857f676698eec1d9e7db2c8
SHA1: 8d7531de0da82213053f5289d2500c4a506866c3
File Size: 5.09 MB, 5088032 bytes
MD5: 7c05acfc493de694f718efe9c8e02a0d
SHA1: 3d922b92b3f8afab7555df952fef9e5cfa979f05
File Size: 5.43 MB, 5433120 bytes
Show More
MD5: c747f8fddc66d4980e5317f083005f33
SHA1: 090e08eeb889e68743282820148a2dff0002288b
File Size: 4.93 MB, 4931872 bytes
MD5: ce5c0406be7ad13835fd9cba5a84e8b1
SHA1: 4941233928d0b594bfdcd9791067e91e3f204711
File Size: 4.96 MB, 4955424 bytes
MD5: 14edb9d4c874d59bdf11bd0a2bf7e8b4
SHA1: 2fb77a32538b2f5d98eba41e9aed232662e3ef69
File Size: 4.96 MB, 4955424 bytes
MD5: f992854a7b9c6a3f08f22360b5c123e2
SHA1: 34ba8260aebe9968b0c8a3dd51306ba6c47dd1df
File Size: 5.02 MB, 5022496 bytes
MD5: d91ff2952797588959e7c70351a3a69b
SHA1: 832e7761df77bde96e2591fca710c53cadcfc002
File Size: 5.06 MB, 5064992 bytes
MD5: ab9196051319f596f19acc0301c8f753
SHA1: 404495e2abfaf3542075b40360efdeb00cacdffa
File Size: 5.14 MB, 5136672 bytes
MD5: 82530ee0068e4a7342d13e7e3c8e0ccf
SHA1: 38403293f28e0345a2a2f42e7415aadadfaa90bd
File Size: 5.14 MB, 5136672 bytes
MD5: 6350494383ac2a177cb65e96684d5202
SHA1: 6aa98dad4c76d8bc5714b056a17a214c3b834039
File Size: 5.09 MB, 5088032 bytes
MD5: 7d180791cf1e7b15fa6c9ea8beeefd65
SHA1: d3bdf3b99dbec1281df11a19fd6b93162d62a76c
File Size: 4.96 MB, 4955424 bytes
MD5: f4e7d6430d1730c50c7a45751ff52c3e
SHA1: 150d4349d1c5496f2706675b6715fc13b2a232b2
File Size: 4.95 MB, 4952352 bytes
MD5: 74f10d2f573b00b75e560c1ac52ab86e
SHA1: d1bb4a9e5302607ca3e285ee560a97163731eeae
File Size: 4.95 MB, 4952352 bytes
MD5: 31a36b33ef5616db01c2dace82389e09
SHA1: 9441c659c719483f9d79c3ea2e465bc32e71fff6
File Size: 4.95 MB, 4952352 bytes
MD5: 4e5bb5ca4e0d0c29ec98678b82721802
SHA1: 90a6d4ab1df41efe035277d3bfedb15625ddd7c8
File Size: 6.29 MB, 6286077 bytes
MD5: 4dc4b795ecaf237c23e6fcf76094145d
SHA1: 1ba1f5517838beffc66cb62d4f5d0cca72c3be25
File Size: 3.36 MB, 3364640 bytes
MD5: 789d917d99f94aac3460c04dea15ebfa
SHA1: aab9d1935667946e0d90d8713772ee3efd04b229
SHA256: 8C956F6EC00ECCB3512E92C0BFD28D9FF7E0FCDC9C7602B096686613AB235B1C
File Size: 3.37 MB, 3366176 bytes
MD5: 137c451230f444c9eda2c61c83d3daa8
SHA1: 97029f161140668d6ffd536c09fb954943c7dfd7
SHA256: AA17571FE8B830CAF2C7A7B220035D4D7503869E5DF18EDEEEDC91A0CE393A3A
File Size: 3.65 MB, 3648800 bytes
MD5: 90ae9ea4403cc0cf5c92af2d3d82c7e3
SHA1: c597515b70d6e9e0c9619b178e2d1d1dd103d23e
SHA256: 353BB7FF551CC81D11DD41B3AC03084AB2CE72A86099A6010A9AC5D6A67CC5D0
File Size: 3.53 MB, 3527968 bytes
MD5: 10422d2677e367748f4400658bb33b07
SHA1: cdb19fa7705b1f69ad026c39a201ea9d4ac081b6
SHA256: 182CABB9FB3A501120711B22EFFC1A8F859624E1861DFD2F5900EC39F9076D47
File Size: 3.65 MB, 3648800 bytes
MD5: 0f8d091e8245f53264858e4f0196c542
SHA1: 93841de69300c8280d35483d1672f8e35ba587a4
SHA256: 3BB2838F2D0E039529697D0F1D0A8915B62A676B2E2460FFEDECF4B230DE177A
File Size: 3.65 MB, 3653408 bytes
MD5: 88f53b6a8686b5389ce852ed714fe58b
SHA1: 7430ef976c16d5a3646773ff94bf11d09a70c4d4
SHA256: B05E9110E53373D9A619E933A68EF5D5F03446F7B0435DBE708836CF550B6C62
File Size: 5.09 MB, 5088032 bytes
MD5: 3288ced938a5ddab4258b72494893094
SHA1: 049c0a18f94715e332861ac5065efcf1f393264a
SHA256: DD717FCB7D845A4BB7E0380A9DF665219B9B2DE29CA8A12600C52F831069F1B3
File Size: 5.14 MB, 5136672 bytes
MD5: 5de20fb299d935ec1f4f9ca4e42bf2e1
SHA1: d893ea470afde96b96d67c04487d2e40cbfd300b
SHA256: E19D26C91D02DDF021ED5DCC087062685A8EA49778CFDE4876BC2489284E796F
File Size: 5.01 MB, 5014816 bytes
MD5: 976bbf5c29a4f2b2b1a30574fc8bd126
SHA1: 5a7e108ef9d5305277542363718c011f97d9e80c
SHA256: 6090CEAF893A4400B46EF355550F22C536060C26880263B70C428D49D9A46BF9
File Size: 4.93 MB, 4931872 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have security information
  • File has exports table
  • File has TLS information
  • File is 32-bit executable
  • File is 64-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
Show More
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name Value
File Version 1.0.0.0
Product Version 1.0.0.0

Digital Signatures

Signer Root Status
Corel Corporation VeriSign Class 3 Code Signing 2004 CA Hash Mismatch

File Traits

  • HighEntropy
  • x86

Block Information

Total Blocks: 1,938
Potentially Malicious Blocks: 2
Whitelisted Blocks: 1,936
Unknown Blocks: 0

Visual Map

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 x
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Agent.GDFI
  • Agent.OGW
  • BHO.X
  • Banker.JBA
  • Banker.TH
Show More
  • Banload.XB
  • Banload.XG
  • Banload.XK
  • Brute.LBA
  • Chinflej.A
  • Dapato.ACB
  • Dapato.AG
  • Dapato.AH
  • Delf.UC
  • Delf.XA
  • Delf.XB
  • FareIt.AT
  • Graftor.BE
  • Graftor.BK
  • Injector.DFF
  • Injector.DGB
  • Injector.EU
  • Injector.FGGA
  • Injector.FGHA
  • Injector.FGSA
  • Injector.FHBA
  • Injector.FHBB
  • Injector.FHBC
  • Injector.FHBD
  • Injector.FHBE
  • Injector.FHE
  • Injector.GDSA
  • Injector.GSB
  • Injector.GSD
  • Injector.HDFB
  • Injector.KDF
  • Injector.KDG
  • Injector.KFF
  • Injector.KFR
  • Injector.KFZ
  • Injector.KI
  • Injector.KKC
  • Injector.KKF
  • Injector.KPA
  • Injector.KS
  • Injector.KZP
  • Injector.PMB
  • Kryptik.GSJ
  • Kryptik.YFH
  • Nanobot.FB
  • Nanocore.GA
  • Nussamoc.A
  • Sadenav.B
  • Sckeylog.C
  • StartPage.AJ
  • Startpage.GA
  • Startpage.LA
  • Stealer.JB
  • Stealer.MA

Files Modified

File Attributes
\device\namedpipe Generic Read,Write Attributes
\device\namedpipe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\rarsfx0 Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\__tmp_rar_sfx_access_check_113062 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\mas_aio.cmd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\rarsfx0\mas_aio.cmd Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\soft.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\rarsfx0\soft.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\svc61e7.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\svc856b.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
Show More
c:\users\user\appdata\local\temp\svchost015.exe Read Data,Read Attributes,Synchronize,Write Data

Registry Modifications

Key::Value Data API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 봞꺹ﳖǛ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 傜꾐ﳖǛ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 侗꾯ﳖǛ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 掸꿂ﳖǛ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 꿋ﳖǛ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 佌꿎ﳖǛ RegNtPreCreateKey
Show More
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 혺꿶ﳖǛ RegNtPreCreateKey

Windows API Usage

Category API
User Data Access
  • GetUserObjectInformation
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcAcceptConnectPort
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreatePortSection
  • ntdll.dll!NtAlpcCreateSectionView
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcDeleteSecurityContext
Show More
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateNamedPipeFile
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer
  • ntdll.dll!NtCreateUserProcess
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtFsControlFile
  • ntdll.dll!NtGetCompleteWnfStateSubscription
  • ntdll.dll!NtLockFile
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenMutant
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtQueueApcThread
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationObject
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetThreadExecutionState
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSetTimerEx
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTerminateProcess
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnlockFile
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtUnsubscribeWnfStateChange
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForMultipleObjects
  • ntdll.dll!NtWaitForSingleObject

161 additional items are not displayed above.

Anti Debug
  • IsDebuggerPresent
Keyboard Access
  • GetKeyState
Process Shell Execute
  • CreateProcess
  • ShellExecuteEx
  • WriteConsole
Process Manipulation Evasion
  • NtUnmapViewOfSection
Network Wininet
  • HttpOpenRequest
  • HttpQueryInfo
  • HttpSendRequest
  • InternetConnect
  • InternetOpen
  • InternetReadFile
  • InternetSetOption
Network Winhttp
  • WinHttpOpen

Shell Command Execution

(NULL) C:\Users\Ljaunynt\AppData\Local\Temp\RarSFX0\Soft.exe
(NULL) C:\Users\Ljaunynt\AppData\Local\Temp\RarSFX0\MAS_AIO.cmd
C:\WINDOWS\System32\sc.exe sc query Null
C:\WINDOWS\System32\find.exe find /i "RUNNING"
WriteConsole: STATE
Show More
WriteConsole:
C:\WINDOWS\System32\findstr.exe findstr /v "$" "MAS_AIO.cmd"
C:\WINDOWS\System32\reg.exe reg query "HKCU\Console" /v ForceV2
C:\WINDOWS\System32\find.exe find /i "0x0"
C:\WINDOWS\System32\cmd.exe C:\WINDOWS\System32\cmd.exe /S /D /c" echo "AMD64 " "
C:\WINDOWS\System32\find.exe find /i "ARM64"
C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /S /D /c" echo prompt $E "
C:\WINDOWS\system32\cmd.exe cmd
C:\WINDOWS\System32\cmd.exe C:\WINDOWS\System32\cmd.exe /S /D /c" echo "C:\Users\Ljaunynt\appdata\local\temp\rarsfx0\MAS_AIO.cmd" "
C:\WINDOWS\System32\find.exe find /i "C:\Users\Ljaunynt\AppData\Local\Temp"
WriteConsole:
WriteConsole: 1b5b34313b39376d3d3d3d3d20455252
WriteConsole: The script was l
WriteConsole: You are most lik
WriteConsole: Extract the arch

Trending

Most Viewed

Loading...