
Trojan.MSIL.FakeMS.LA

By CagedTech in Trojans

Threat Scorecard

Popularity Rank: 7,548
Threat Level: 80 % (High)
Infected Computers: 245
First Seen: October 5, 2023
Last Seen: April 22, 2026
OS(es) Affected: Windows

Analysis Report

General information

Family Name: Trojan.MSIL.FakeMS.LA
Signature status: No Signature

Known Samples

MD5: 705c8df36786b6f626b0dcb3b43f43b9
SHA1: 75cdb86457cbb612981da841951a1d6184af2bc9
File Size: 27.14 KB, 27136 bytes
MD5: bbb99cf31fe22f16fec8c9fd816556f4
SHA1: cdf72ca4238691cfb66b96d06b73954ff4a6814e
SHA256: 9B165D663325A8964D7D8150A09D34F711C53CAF794B2C2830323360399658F6
File Size: 40.45 KB, 40448 bytes
MD5: 685786fe7c12d2c7d5bb9c47a419d784
SHA1: 3921f367f310f57cef37f8a91df276e445a8a77d
SHA256: 29705F2BE5BB8FD94B35C8A3CEED36735C1657A46311D64411A79A08E4C28C24
File Size: 26.11 KB, 26112 bytes
MD5: aaff3a8594ab4bb3f17e67ecd1898ce0
SHA1: 76713e947079f6fe52f129d8b7c69cac2f605b39
SHA256: E3396E27164A8A1BBEA588D3470D0C77AEFDBD3F7479DDE3D9D24004EB2E016C
File Size: 26.62 KB, 26624 bytes
MD5: cffe7079fd66c9c641a8395c74a7e1e6
SHA1: bd11a2ab6f3d6faf4bb1d6258a66d2a55c2cbe9c
SHA256: 3D32652226CF0177C3CDB031856FD867BDDEDF2A261C2E6A1D620B8C17365062
File Size: 52.74 KB, 52736 bytes
MD5: dbd367f5dac281366ebf8d2c6afbfe71
SHA1: b1e368d3f04cbd88a5490ae0ec38bc98f3e925ce
SHA256: CD811AE4C38103603BE19E44F21974FE192A04B66352901A8A3118B3F32CB7CE
File Size: 33.28 KB, 33280 bytes
MD5: b935f5eacf271722c54f35c35b131733
SHA1: a15f5e7b3a81923aaa5dbb9dc5998eb3f84d8a9b
SHA256: 75FCDB8C4573BDAD978E9EAE5254EEAD21FF5489BAF9F98E35FE1DCA0C8E0C5E
File Size: 27.65 KB, 27648 bytes
MD5: fe22ebdf4085a7ea0102918629772759
SHA1: e8c68ea6a993d911301116157100227014d8a0e0
SHA256: CDACC759A856C645DF6D276412EAFB7A436AF494287D5DF308EDDBD0CC99E3E0
File Size: 588.29 KB, 588288 bytes
MD5: 383e33802feb9044055832207645deaf
SHA1: 00582bfe616c20176117f9a72b040b29e5e02a18
SHA256: 010FCE8997B5A0817D3F557F0D65906B26A724860F111E1232541E6E579E6943
File Size: 34.30 KB, 34304 bytes
MD5: 7d503b981d51d26ad5c8c1a0c3bd86c4
SHA1: f4b30d247ae20cb21c5ad7d11e0ab3fc54cda795
SHA256: AA4254DEB76DC8F1760A4868C65EBF255B859875EB3582BF55C0C6BFA42C4808
File Size: 26.62 KB, 26624 bytes
MD5: b559ed1c15fd02eebb1a2c28d2a81d26
SHA1: f547ffbc7999f17394514f78294c6dc1d3a11442
SHA256: 7062296225352C3FBCF4F8A548F1AB772A46BEE34C00C7667559BBA21B957C1D
File Size: 174.08 KB, 174080 bytes
MD5: 58692c0e5283cc7a07e2af0141d647ec
SHA1: dbee2e11df08cc80407c234f9916462ddea121b5
SHA256: 10DE2512B87A5AAF92532A60629EC513346A282857BDE66FE75A9F61B9441602
File Size: 6.57 MB, 6571706 bytes
MD5: ff1b523090a219e917ec26223a8a2250
SHA1: 3cece8113b8919826b4859a4a58f3f1055ef7c5c
SHA256: 6A7941E0C364BBCF29E1534C7F4B6A16E3D17A90F17B592A868470E712B92E46
File Size: 83.97 KB, 83968 bytes
MD5: 30b0f87791c5b372f94da081bc2e253d
SHA1: 52b09d907705ede98971fb7a89320cf703007ee3
SHA256: 0F52E8CE285FE1262A034756923102A02B9442B33F0676CE3C3B5A1C76742332
File Size: 34.82 KB, 34816 bytes
MD5: 6199b03f49eb85da0239d9fc22a60127
SHA1: 75bf3f59c1ff489ae6aa51556578db9f2279e633
SHA256: B0CA5B7962DC08B21C8AC3A9BDF793879172D210C9D9A54CA71926A9CF1B01E9
File Size: 546.30 KB, 546304 bytes
MD5: d246a0604a9193ca75e12fa0d090cbab
SHA1: 60bdcbc93a81f508fe927d1708dcd45bd27a77a7
SHA256: E06558F88EB44BE08C547B437FEED7E88E8D0F3E2456E7D4ACF581A9F28F6D4E
File Size: 101.38 KB, 101376 bytes
MD5: 1a25365962bd83e3156dea335ad78454
SHA1: e5aca6e1ede1f868b165298c7fbcf1415416d7f4
SHA256: CB02F10D9D3ED2E0EF02555F3A3D66F415B982B2685BFA3D34BA49066D6EC336
File Size: 27.14 KB, 27136 bytes
MD5: 462392003ee1778b92825796c68f763f
SHA1: 252fb0b79ab34c72fed5c9a38ed33992e9877cf6
SHA256: CB61C2F3F76A0B164C2C640ABED7CB6243E70FD8844760428B4564003EB67CB5
File Size: 437.76 KB, 437760 bytes
MD5: 6c3a0e61301f59e30317b53b07992875
SHA1: b2f90c3ac09516fa0fadc296f1891f7e873f47d7
SHA256: 4924AA21FC8C4A89EBADE3A44D55E011F204C29C938AFDDF48C5C46FD3B386AE
File Size: 326.66 KB, 326656 bytes
MD5: bec747800b76a781b35db75f98edcdc0
SHA1: 96603ced3bab90197c596bb66173cc9fb5624c12
SHA256: E9E259F57002989AB6EC214B33A28EE2EA6393C4117E27F35CA9DE0D6D9BDA87
File Size: 129.54 KB, 129536 bytes
MD5: a367bea51801368baf26eb6f17e306a8
SHA1: 19e255d5c0887efb67a37e25357cfd048fc17c3c
SHA256: 46C2AEE4E11017A3A404A41153B219322A1AA3350E0E3A7986839DDE2506BA72
File Size: 322.56 KB, 322560 bytes
MD5: 1c6e865dce1d8d853e0d0be3a51718e7
SHA1: 2eda397c63fd9bbea9191ae0f92a514637ff8335
SHA256: 80DFF662C1BEF50078C4EF29EB8755DCE25F7864A95FDC852B77808B1C046072
File Size: 138.75 KB, 138752 bytes

Windows Portable Executable Attributes

The flags below are the union over all listed samples, which is why mutually exclusive pairs (32-bit and 64-bit, console and GUI, .NET and native) both appear; no single sample carries both sides of a pair.

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File is .NET application
  • File is 32-bit executable
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
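Every flag in the list above can be recomputed from the PE headers alone. The Python below is an added example, not code from the threat database or from any of the listed samples: it reads the COFF and optional headers with the standard library only (no third-party PE parser), reports the same attributes (CLR directory for .NET, PE32 vs PE32+ for bitness, subsystem, Rich header, debug/export/relocation/security directories, DLL vs executable image) and adds file entropy as a packing heuristic. The header-only image it builds for self-testing is constructed input, not a real sample.

```python
"""Recompute the Windows PE attribute checklist above for a single file.

Added example: not code from the threat database or from the listed samples.
Uses only the Python standard library and the documented PE/COFF layout.
"""
import hashlib
import math
import struct
from collections import Counter

# Data directory indices (PE/COFF spec) and COFF characteristics used below.
DIR_EXPORT, DIR_SECURITY, DIR_BASERELOC, DIR_DEBUG, DIR_CLR = 0, 4, 5, 6, 14
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
SUBSYSTEM_NAMES = {2: "IMAGE_SUBSYSTEM_WINDOWS_GUI", 3: "IMAGE_SUBSYSTEM_WINDOWS_CUI"}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; close to 8.0 for packed or encrypted content."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum((c / len(data)) * math.log2(c / len(data)) for c in counts.values())


def inspect_pe(data: bytes) -> dict:
    """Return the header-derived attributes the report lists, for one file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: NumberOfRvaAndSizes at +92, directories at +96
        is64, ndirs_off = False, opt + 92
    elif magic == 0x20B:      # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        is64, ndirs_off = True, opt + 108
    else:
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]   # same offset in both formats
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    dirs = [struct.unpack_from("<II", data, ndirs_off + 4 + 8 * i) for i in range(ndirs)]

    def has_dir(index: int) -> bool:
        return index < len(dirs) and dirs[index][0] != 0 and dirs[index][1] != 0

    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_64bit": is64,
        "is_dotnet": has_dir(DIR_CLR),                       # CLR (COM descriptor) directory present
        "has_rich_header": b"Rich" in data[0x40:e_lfanew],   # Rich header sits between DOS stub and PE signature
        "has_debug_info": has_dir(DIR_DEBUG),
        "has_exports": has_dir(DIR_EXPORT),
        "has_relocations": has_dir(DIR_BASERELOC),
        "has_security_dir": has_dir(DIR_SECURITY),           # Authenticode certificate table
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, "subsystem %d" % subsystem),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "is_executable_image": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
        "entropy": round(entropy(data), 3),
    }


def make_header_only_image(is64: bool, dotnet: bool, subsystem: int) -> bytes:
    """Constructed test input: a header-only PE with zero sections and no code,
    so the inspector can be exercised offline. It is not a real sample."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew: PE signature follows DOS header
    magic, opt_size = (0x20B, 112) if is64 else (0x10B, 96)
    opt = bytearray(opt_size + 16 * 8)                         # fixed part + 16 data directories
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, opt_size - 4, 16)              # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, opt_size + 8 * DIR_CLR, 0x2008, 0x48)  # fake CLR header RVA/size
    machine = 0x8664 if is64 else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), IMAGE_FILE_EXECUTABLE_IMAGE)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    target = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_header_only_image(True, True, 3)
    for key, value in inspect_pe(target).items():
        print("%-20s %s" % (key, value))
```

Run it as `python inspect_pe.py sample.exe` to get one row per attribute; without an argument it inspects the constructed header-only image. The security-directory check tells you whether an Authenticode signature is attached, not whether it validates; the "No Signature" status above is consistent with that directory being empty across the samples.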

Windows PE Version Information

Name | Value
Assembly Version
  • 3.63.0.0
  • 3.3.1.1
  • 2.0.0.0
  • 1.3.0.0
  • 1.1.0.0
  • 1.0.0.0
  • 0.0.0.0
Comments
  • Interactive Digital Twin installer
  • Viyona Tool Suite
Company Name
  • BitTorrent Inc.
  • KION
  • Viyona
  • XLST Only!
File Description
  • Displays Bios Info
  • For Troubleshooting HD2 Issues
  • Inštalátor tlačiarní TCP/IP - len pre: Rozvojová Agentúra BBSK (Slovak: "TCP/IP printer installer - only for: Rozvojová Agentúra BBSK")
  • KMA Digital Twin Installer
  • ON1 Photo RAW MAX 2025 Fix
  • Troubleshoots HD2 Issues
  • uTorrent v3.6.0.47044
  • Viyona Tool
  • Winhance汉化版-XLST (Chinese: "Winhance Chinese-localized edition-XLST")
File Version
  • 3.63
  • 3.6.0.47044
  • 3.3.1.1
  • 2.0
  • 1.3
  • 1.1.0.0
  • 1.0.0
  • 1.0
  • 0.0.0.0
Internal Name
  • 23H2up2.exe
  • AnyDesk.exe
  • ASC.exe
  • Ativar_Office2021.exe
  • CMR-DiRT-MTFix.exe
  • Get-BIOSInfo.exe
  • Hellbomb Script.exe
  • InteractiveInstaller.exe
  • nas.exe
  • on1photorawmax2025fix.exe
  • PCInfo_Startup.exe
  • ps3dec_gui.exe
  • q.exe
  • setreg.exe
  • Tlačiarne.exe
  • ToolSupportDV.exe
  • ViyonaTool.exe
  • WindowsDefenderManager.exe
  • Winhance-zh_CN-v2.0-XLST.exe
  • ОтКонкурнетов.exe (Russian, roughly "FromCompetitors.exe")
Legal Copyright
  • (c) 2024
  • 2025
  • discord.gg/zwiftservices
  • FlashTech
  • xanax
  • XLST
  • © BitTorrent Inc.
  • © ~2025 ~Patrik Dianiška
Original Filename
  • 23H2up2.exe
  • AnyDesk.exe
  • ASC.exe
  • Ativar_Office2021.exe
  • CMR-DiRT-MTFix.exe
  • Get-BIOSInfo.exe
  • Hellbomb Script.exe
  • InteractiveInstaller.exe
  • nas.exe
  • on1photorawmax2025fix.exe
  • PCInfo_Startup.exe
  • ps3dec_gui.exe
  • q.exe
  • setreg.exe
  • Tlačiarne.exe
  • ToolSupportDV.exe
  • ViyonaTool.exe
  • WindowsDefenderManager.exe
  • Winhance-zh_CN-v2.0-XLST.exe
  • ОтКонкурнетов.exe (Russian, roughly "FromCompetitors.exe")
Product Name
  • BiosInfo
  • Hellbomb Script
  • KMA Digital Twin Installer
  • ON1 Photo RAW MAX 2025
  • Tlačiarne (Slovak: "Printers")
  • Tool Support
  • uTorrent v3.6.0.47044
  • Viyona Tool
  • Winhance汉化版 (Chinese: "Winhance Chinese-localized edition")
Product Version
  • 3.63
  • 3.3.1.1
  • 2.0
  • 1.3
  • 1.1.0.0
  • 1.0.0
  • 1.0
  • 0.0.0.0

File Traits

  • .NET
  • HighEntropy
  • Installer Version
  • x64
  • x86

Block Information

Total Blocks: 52
Potentially Malicious Blocks: 0
Whitelisted Blocks: 52
Unknown Blocks: 0

Visual Map

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • MSIL.Agent.FSDA
  • MSIL.FakeMS.HG
  • MSIL.FakeMS.HK
  • MSIL.FakeMS.LA
  • MSIL.FakeMS.QA
  • MSIL.FakeMS.QF
  • MSIL.FakeMS.QH
  • MSIL.FakeMS.QL
  • MSIL.FakeMS.QN
  • MSIL.FakeMS.SA
  • MSIL.FakeMS.SC
  • MSIL.FakeMS.TQ

Files Modified

The PSHost.<start ticks>.<pid>.DefaultAppDomain.<host process name> named pipes and the __PSScriptPolicyTest_*.ps1 / .psm1 files in %TEMP% are created when a PowerShell host starts inside the sample process (PowerShell writes the policy-test files to probe AppLocker/WDAC script enforcement), and the Temp\lc0etmiq\*.cs, .cmdline, .dll set is a C# compilation performed at run time; together these are consistent with PowerShell-script-to-EXE wrappers. The host process name embedded in each pipe is the sandbox's renamed sample (SHA1_size), which is how each pipe maps back to a sample above. The wkssvc and dav rpc service pipes are the Workstation and WebClient service RPC endpoints touched during network name resolution.

File path | Access attributes
\device\namedpipe Generic Read,Write Attributes
\device\namedpipe Generic Write,Read Attributes
\device\namedpipe\dav rpc service Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\pshost.133963328285050569.3524.defaultappdomain.75cdb86457cbb612981da841951a1d6184af2bc9_0000027136 Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133999763033761670.3676.defaultappdomain.cdf72ca4238691cfb66b96d06b73954ff4a6814e_0000040448 Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134005291884792767.5980.defaultappdomain.3921f367f310f57cef37f8a91df276e445a8a77d_0000026112 Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134005793038190569.3892.defaultappdomain.76713e947079f6fe52f129d8b7c69cac2f605b39_0000026624 Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134009199829916850.5484.defaultappdomain.bd11a2ab6f3d6faf4bb1d6258a66d2a55c2cbe9c_0000052736 Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134009789055019624.2656.defaultappdomain.b1e368d3f04cbd88a5490ae0ec38bc98f3e925ce_0000033280 Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134063765224554601.5824.defaultappdomain.a15f5e7b3a81923aaa5dbb9dc5998eb3f84d8a9b_0000027648 Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134076727726139287.6440.defaultappdomain.e8c68ea6a993d911301116157100227014d8a0e0_0000588288 Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134100771080867073.688.defaultappdomain.f4b30d247ae20cb21c5ad7d11e0ab3fc54cda795_0000026624 Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134105932302514630.6448.defaultappdomain.f547ffbc7999f17394514f78294c6dc1d3a11442_0000174080 Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134114024902585082.5412.defaultappdomain.52b09d907705ede98971fb7a89320cf703007ee3_0000034816 Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134122957061448092.1076.defaultappdomain.75bf3f59c1ff489ae6aa51556578db9f2279e633_0000546304 Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134124588256167128.1900.defaultappdomain.60bdcbc93a81f508fe927d1708dcd45bd27a77a7_0000101376 Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134130797352046805.3812.defaultappdomain.e5aca6e1ede1f868b165298c7fbcf1415416d7f4_0000027136 Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134138063991809473.7044.defaultappdomain.252fb0b79ab34c72fed5c9a38ed33992e9877cf6_0000437760 Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134151346175507975.7704.defaultappdomain.b2f90c3ac09516fa0fadc296f1891f7e873f47d7_0000326656 Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134171621435397121.7124.defaultappdomain.96603ced3bab90197c596bb66173cc9fb5624c12_0000129536 Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134189425699083645.7024.defaultappdomain.19e255d5c0887efb67a37e25357cfd048fc17c3c_0000322560 Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134213562668149225.3888.defaultappdomain.2eda397c63fd9bbea9191ae0f92a514637ff8335_0000138752 Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\wkssvc Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\tst\23h2up.txt Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_1d4tepgj.t4u.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_1vouahby.sbf.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_2ljszzpm.52t.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_2qhtbbcd.ftt.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_4qxmnzyi.1e4.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_50aquiwq.4ue.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_5oib4iid.pjc.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_bdcddwie.xzd.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_blnvbcfb.krw.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_cifu1rua.fzv.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_d5zcls4r.eiz.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_dn50u0hb.q04.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_e2znmdsb.ubx.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_es1zq0kz.vas.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_f2bhvjwm.htx.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_fhxmrtzg.1mc.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_heonqdce.oar.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_hery0eni.fyk.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_hilxfa4n.e4d.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_hrjugsi0.bxg.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_ijmapy0z.rxf.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_iuv0hawr.wak.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_jpni24fa.3vk.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_lmklyqyw.b4w.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_lpwlfgph.1wn.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_luciboh1.ymb.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_opxqg3xe.f5v.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_r0qaqbkl.mpd.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_rh4xuezz.az3.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_rnq1ogdp.1tb.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_rq2yud4c.20z.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_rr2w15rf.ste.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_rv1ovlyy.ssr.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_s1q3stfp.gkr.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_tevhojpc.3to.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_tlhxmxei.fg0.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_ukxrjqnm.5ct.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_woc0x5r1.cxl.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\lc0etmiq\lc0etmiq.0.cs Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\lc0etmiq\lc0etmiq.cmdline Generic Write,Read Attributes
c:\users\user\appdata\local\temp\lc0etmiq\lc0etmiq.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\lc0etmiq\lc0etmiq.err Generic Write,Read Attributes
c:\users\user\appdata\local\temp\lc0etmiq\lc0etmiq.out Generic Write,Read Attributes
c:\users\user\appdata\local\temp\lc0etmiq\lc0etmiq.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsd8a44.tmp\langdll.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsy8a24.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\downloads\logs\pcinfostartuplog_09012026_110029.log Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\downloads\logs\pcinfostartuplog_09012026_110029.log Generic Write,Read Attributes

Registry Modifications

The RASAPI32 and RASMANCS tracing values and the Internet Settings\ZoneMap values are written by the Windows RAS and WinINet components when a process first uses them and are routine sandbox noise. The ExecutionPolicy writes under HKLM\...\ShellIds\Microsoft.PowerShell (the LocalMachine scope that Set-ExecutionPolicy -Scope LocalMachine targets) are the entries worth alerting on, Bypass in particular. The last column is the kernel registry callback notification class (REG_NOTIFY_CLASS) under which the operation was observed, not a Win32 API name.

Key::Value | Data | Notification class
HKLM\software\microsoft\tracing\rasapi32::enablefiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enableautofiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enableconsoletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::filetracingmask RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::consoletracingmask RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::maxfilesize  RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::filedirectory %windir%\tracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enablefiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enableautofiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enableconsoletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::filetracingmask RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::consoletracingmask RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::maxfilesize  RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::filedirectory %windir%\tracing RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\software\microsoft\powershell\1\shellids\microsoft.powershell::executionpolicy Bypass RegNtPreCreateKey
HKLM\software\microsoft\powershell\1\shellids\microsoft.powershell::executionpolicy RemoteSigned RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey

Windows API Usage

Category | API
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAllocateLocallyUniqueId
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreatePortSection
  • ntdll.dll!NtAlpcCreateSectionView
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtCancelTimer2
  • ntdll.dll!NtCancelWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtCompareSigningLevels
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFlushProcessWriteBuffers
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtFsControlFile
  • ntdll.dll!NtGetCachedSigningLevel
  • ntdll.dll!NtGetCompleteWnfStateSubscription
  • ntdll.dll!NtGetWriteWatch
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenMutant
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtPowerInformation
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationJobObject
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtQueueApcThread
  • ntdll.dll!NtQueueApcThreadEx2
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReadVirtualMemory
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRemoveIoCompletion
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtResetWriteWatch
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationObject
  • ntdll.dll!NtSetInformationProcess

23 additional items are not displayed above.

User Data Access
  • GetComputerName
  • GetComputerNameEx
  • GetUserDefaultLocaleName
  • GetUserName
  • GetUserNameEx
  • GetUserObjectInformation
Encryption Used
  • BCryptOpenAlgorithmProvider
  • CryptAcquireContext
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
Other Suspicious
  • AdjustTokenPrivileges
Network Info Queried
  • GetAdaptersAddresses
  • GetNetworkParams
Network Winsock2
  • WSAConnect
  • WSASend
  • WSASocket
  • WSAStartup
  • WSAttemptAutodialName
Network Winsock
  • closesocket
  • freeaddrinfo
  • getaddrinfo
  • setsockopt
Network Winhttp
  • WinHttpOpen
Process Shell Execute
  • CreateProcess
Service Control
  • OpenSCManager
Process Manipulation Evasion
  • NtUnmapViewOfSection

Shell Command Execution

These are the child command lines observed across samples: a silent AnyDesk install with --start-with-win (remote-access persistence), mode.com resizing the console window (typical of batch- or PowerShell-to-EXE wrappers), cscript running Office's ospp.vbs with /inpkey and /act (product key install and activation, matching the Ativar_Office2021.exe internal name, Portuguese for "Activate_Office2021"), and csc.exe compiling from a temp .cmdline response file (the CodeDOM pattern that PowerShell's Add-Type uses).

"C:\AnyDesk.exe" --install "C:\Program Files (x86)\AnyDesk" --start-with-win --silent
"C:\WINDOWS\system32\mode.com" con cols=60 lines=13
"C:\WINDOWS\system32\mode.com" "C:\WINDOWS\system32\mode.com" con cols=60 lines=13
"C:\WINDOWS\system32\cscript.exe" "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /inpkey:2FBND-M92WF-GWYQV-FCB8D-Y4KJ9
"C:\WINDOWS\system32\cscript.exe" "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /act
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Druxhhez\AppData\Local\Temp\lc0etmiq\lc0etmiq.cmdline"
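The artifacts in the Files Modified, Registry Modifications and Shell Command Execution sections translate directly into endpoint detections. The Python below is an added example, not part of the threat report or of any sample: it runs a handful of rules over a constructed event list in a Sysmon-like shape (EventID 1 process create, 11 file create, 13 registry value set, 17 pipe created; the field names Image, ParentImage, CommandLine, TargetFilename, TargetObject, Details and PipeName are assumptions to map onto your own telemetry). The pipe, file, registry and command-line strings in the sample events are taken from this report; the path of the sample executable itself is invented.

```python
"""Endpoint detection rules for the PowerShell-host, runtime-compilation and
persistence artifacts this report lists.

Added example, not part of the threat report. Events are constructed below in
a Sysmon-like shape; the field names are assumptions to map onto your schema.
"""
import re
from typing import Dict, Iterable, List

POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# PSHost.<process start ticks>.<pid>.DefaultAppDomain.<host process name>
PSHOST_PIPE = re.compile(r"^pshost\.(\d+)\.(\d+)\.defaultappdomain\.(.+)$", re.I)
# %TEMP%\__PSScriptPolicyTest_<random>.<random>.ps1 or .psm1 (AppLocker/WDAC probe)
POLICY_TEST = re.compile(r"\\__psscriptpolicytest_[^\\]+\.psm?1$", re.I)
# %TEMP%\<8 chars>\<same 8 chars>.cmdline: CodeDOM compiler response file
CODEDOM_CMDLINE = re.compile(r"\\temp\\([a-z0-9]{8})\\\1\.cmdline$", re.I)
EXECPOLICY_VALUE = re.compile(r"\\shellids\\microsoft\.powershell\\executionpolicy$", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Return one finding per matching event; each finding names its rule."""
    findings: List[Dict] = []
    for ev in events:
        eid = ev["EventID"]
        image = basename(ev.get("Image", "")).lower()
        if eid == 17:  # named pipe created
            m = PSHOST_PIPE.match(basename(ev["PipeName"]))
            if m and image not in POWERSHELL_HOSTS:  # a real PowerShell host creating this pipe is normal
                findings.append({"rule": "pshost_pipe_in_non_powershell_image",
                                 "image": image, "pid": int(m.group(2)), "host_name": m.group(3)})
        elif eid == 11:  # file created
            target = ev["TargetFilename"]
            if POLICY_TEST.search(target) and image not in POWERSHELL_HOSTS:
                findings.append({"rule": "powershell_policy_probe_from_non_powershell_image",
                                 "image": image, "file": target})
            elif CODEDOM_CMDLINE.search(target):
                findings.append({"rule": "runtime_csharp_compile_staged", "image": image, "file": target})
        elif eid == 13:  # registry value set
            if EXECPOLICY_VALUE.search(ev["TargetObject"]) and ev.get("Details", "").lower() in {"bypass", "unrestricted"}:
                findings.append({"rule": "execution_policy_weakened", "image": image, "value": ev["Details"]})
        elif eid == 1:  # process created
            cmd = ev.get("CommandLine", "").lower()
            parent = basename(ev.get("ParentImage", "")).lower()
            if image == "csc.exe" and "\\temp\\" in cmd and ".cmdline" in cmd:
                findings.append({"rule": "csc_compile_from_temp_response_file", "parent": parent})
            elif image == "anydesk.exe" and "--install" in cmd and "--silent" in cmd:
                findings.append({"rule": "silent_remote_access_install", "commandline": ev["CommandLine"]})
            elif image == "cscript.exe" and "ospp.vbs" in cmd and ("/inpkey:" in cmd or "/act" in cmd):
                findings.append({"rule": "office_activation_via_ospp", "commandline": ev["CommandLine"]})
    return findings


# Constructed sample events. The pipe, file, registry and command-line strings come
# from the report; the path of the sample executable is invented for the example.
SAMPLE = r"C:\Users\user\Downloads\75cdb86457cbb612981da841951a1d6184af2bc9_0000027136.exe"
SAMPLE_EVENTS = [
    {"EventID": 17, "Image": SAMPLE,
     "PipeName": r"\PSHost.133963328285050569.3524.DefaultAppDomain.75cdb86457cbb612981da841951a1d6184af2bc9_0000027136"},
    {"EventID": 11, "Image": SAMPLE,
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1vouahby.sbf.ps1"},
    {"EventID": 11, "Image": SAMPLE,
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\lc0etmiq\lc0etmiq.cmdline"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "ParentImage": SAMPLE,
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lc0etmiq\lc0etmiq.cmdline"'},
    {"EventID": 13, "Image": SAMPLE, "Details": "Bypass",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy"},
    {"EventID": 1, "Image": r"C:\AnyDesk.exe", "ParentImage": SAMPLE,
     "CommandLine": r'"C:\AnyDesk.exe" --install "C:\Program Files (x86)\AnyDesk" --start-with-win --silent'},
    {"EventID": 1, "Image": r"C:\WINDOWS\system32\cscript.exe", "ParentImage": SAMPLE,
     "CommandLine": r'"C:\WINDOWS\system32\cscript.exe" "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /act'},
    # Control: a genuine PowerShell host creating its own pipe must not fire.
    {"EventID": 17, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "PipeName": r"\PSHost.134000000000000000.4120.DefaultAppDomain.powershell"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The PSHost and policy-probe rules key on the creating image rather than on the pipe or file name alone, because powershell.exe and pwsh.exe produce the same artifacts legitimately on every start; the signal is a PowerShell runtime hosted by some other executable. The csc.exe rule is noisy on developer machines and build hosts, so scope it by parent image or by the temp directory before deploying it broadly.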
