Trojan.MSIL.KillProc.N

By CagedTech in Trojans

Analysis Report

General information

Family Name: Trojan.MSIL.KillProc.N
Signature status: No Signature

Known Samples

MD5: 2d0be5016b599b755a29813a47722285
SHA1: 7a385c4739a3847e027cb1deb187814d1261b1cb
SHA256: A9D72CDD646E09FD8D6E1B090D2ADD9648B30D2F6CBE0BDB3189E7C6507D6C1E
File Size: 2.18 MB, 2180216 bytes

MD5: c50e8904870edbfd1871a0ae9a33c92c
SHA1: 909a4ce92f2e04c9b3597d090c14620cf58b073d
SHA256: 365282A88F5AD1D0DD15C17020EFAC04B655CD109564705E605F3AB9716DFA0E
File Size: 2.18 MB, 2180216 bytes

MD5: 4a39de8e992aeaa82cb2d7279a8da345
SHA1: 31f24b572dae15abbc53e7b33d6a60cfcba6b3aa
SHA256: 620FBD7AA790EA5EE307B5C3FD82764726F2BEC84B98BBD1069DE6211FF709B4
File Size: 2.18 MB, 2180216 bytes

MD5: 4774d427d944d0b4c9ffcf2cb7bdaa70
SHA1: 65e1c7f09ee88f6eb8781ddd22142eae881410cd
SHA256: 9163D41300FDA804823A0032A205F1E4E38B90DAF00FBFCFF99161AF80A6CEDC
File Size: 1.41 MB, 1405440 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have security information
  • File has exports table
  • File is .NET application
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Assembly Version: 1.0.0.0
Comments: Unlocker by Eject NotOfficial
File Description: Unlocker by Eject NotOfficial
File Version: 1.0.0.0
Internal Name: Unlocker.exe
Legal Copyright: Copyright © NotOfficial
Legal Trademarks: Unlocker by Eject NotOfficial
Original Filename: Unlocker.exe
Product Name: Unlocker by Eject NotOfficial
Product Version: 1.0.0.0

File Traits

  • .NET
  • HighEntropy
  • msil.krypt
  • ntdll
  • WriteProcessMemory
  • x86

Block Information

Total Blocks: 94
Potentially Malicious Blocks: 31
Whitelisted Blocks: 58
Unknown Blocks: 5

Visual Map

0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 x x x x x x x x x x 0 x x x x x 0 0 0 0 0 0 0 0 0 x x x 0 x x 0 0 0 0 x x ? 0 ? 0 0 0 0 0 0 0 0 0 0 x x 0 x x x x x ? 0 0 0 ? ? 0 0 0 0 0 0 0 0 0 0 0 0 x 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • MSIL.KillProc.N

Files Modified

File  Attributes
c:\users\user\appdata\local\temp\9miltcf.bat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\9miltcf.bat Synchronize,Write Attributes
c:\users\user\appdata\local\temp\__tmp_rar_sfx_access_check_22562 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\__tmp_rar_sfx_access_check_23921 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\__tmp_rar_sfx_access_check_85953 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\barer Generic Write,Read Attributes
c:\users\user\appdata\local\temp\barer Synchronize,Write Attributes
c:\users\user\appdata\local\temp\barer\7z.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\barer\7z.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\barer\cecho.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\barer\cecho.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\barer\game.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\barer\game.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\barer\nircmd.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\barer\nircmd.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\barer\nsudolg.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\barer\nsudolg.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\m6yzoxs.bat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\m6yzoxs.bat Synchronize,Write Attributes
c:\users\user\appdata\local\temp\v1kxjel.bat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\v1kxjel.bat Synchronize,Write Attributes

Registry Modifications

Key::Value  Data  API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 RegNtPreCreateKey
HKU\.DEFAULT\software\microsoft\windows\currentversion\themes\personalize::appsuselighttheme RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe Ů䙃㗈ǜ RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 RegNtPreCreateKey

Windows API Usage

Category API
Anti Debug
  • IsDebuggerPresent
User Data Access
  • GetComputerNameEx
  • GetUserDefaultLocaleName
  • GetUserObjectInformation
Keyboard Access
  • GetKeyState
Process Shell Execute
  • CreateProcess
  • ShellExecuteEx
  • WriteConsole
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenMutant
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationJobObject
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTerminateProcess
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForMultipleObjects
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • ntdll.dll!NtYieldExecution
  • UNKNOWN
  • win32u.dll!NtGdiAnyLinkedFonts
  • win32u.dll!NtGdiBitBlt
  • win32u.dll!NtGdiCreateBitmap
  • win32u.dll!NtGdiCreateCompatibleBitmap
  • win32u.dll!NtGdiCreateCompatibleDC
  • win32u.dll!NtGdiCreateDIBitmapInternal
  • win32u.dll!NtGdiCreateRectRgn
  • win32u.dll!NtGdiCreateSolidBrush

142 additional items are not displayed above.

Other Suspicious
  • AdjustTokenPrivileges
Process Manipulation Evasion
  • ReadProcessMemory

Shell Command Execution

(NULL) C:\Users\Jcmufoks\AppData\Local\Temp\v1KXjeL.bat
WriteConsole:
WriteConsole: C:\Users\Jcmufok
WriteConsole: cd
WriteConsole: /d "C:\Users\Jc
WriteConsole:
WriteConsole:
WriteConsole: C:\Users\Jcmufok
WriteConsole: nircmd
WriteConsole: win min process
WriteConsole:
C:\Users\Jcmufoks\appdata\local\temp\barer\nircmd.exe nircmd win min process "cmd.exe"
WriteConsole:
WriteConsole: C:\Users\Jcmufok
WriteConsole: chcp
WriteConsole: 65001
WriteConsole: 1>
WriteConsole: nul
WriteConsole:
C:\WINDOWS\system32\chcp.com chcp 65001
WriteConsole:
WriteConsole: C:\Users\Jcmufok
WriteConsole: Color
WriteConsole: 0f
WriteConsole:
WriteConsole:
WriteConsole: C:\Users\Jcmufok
WriteConsole: set
WriteConsole: "Arch="
WriteConsole: &
WriteConsole: set
WriteConsole: "ArgNsudo="
WriteConsole: &
WriteConsole: set
WriteConsole: "MainFolder1="
WriteConsole: &
WriteConsole: set
WriteConsole: "MainFolder2="
WriteConsole: &
WriteConsole: set
WriteConsole: "ProcList="
WriteConsole: &
WriteConsole: set
WriteConsole: "NumberWin="
WriteConsole:
WriteConsole:
WriteConsole: C:\Users\Jcmufok
WriteConsole: SetLocal
WriteConsole: EnableDelayedEx
WriteConsole:
WriteConsole:
WriteConsole: C:\Users\Jcmufok
WriteConsole: cd
WriteConsole: /d "C:\Users\Jc
WriteConsole:
WriteConsole:
WriteConsole: C:\Users\Jcmufok
WriteConsole: set
WriteConsole: "Arch=x64"
WriteConsole: &
WriteConsole: (
WriteConsole: If
WriteConsole: "x86" == "x86"
WriteConsole: if
WriteConsole: not
WriteConsole: defined PROCESSO
WriteConsole: set
WriteConsole: Arch=x86
WriteConsole: )
WriteConsole:
WriteConsole:
WriteConsole: C:\Users\Jcmufok
WriteConsole: reg
WriteConsole: query "HKU\S-1-
WriteConsole: 1>
WriteConsole: nul
WriteConsole: 2>
WriteConsole: &1
WriteConsole: ||
WriteConsole: nircmd
WriteConsole: elevate "C:\Use
WriteConsole: &&
WriteConsole: exit
WriteConsole:
C:\WINDOWS\system32\reg.exe reg query "HKU\S-1-5-19"
WriteConsole:
WriteConsole: C:\Users\Jcmufok
WriteConsole: if
WriteConsole: defined WT_SESSI
WriteConsole: (
WriteConsole:
WriteConsole: reg
WriteConsole: add "HKCU\Conso
WriteConsole: 1>
WriteConsole: nul
WriteConsole:
WriteConsole: reg
WriteConsole: add "HKCU\Conso
WriteConsole: 1>
WriteConsole: nul
WriteConsole:
WriteConsole: )
WriteConsole:
WriteConsole:
WriteConsole: C:\Users\Jcmufok
WriteConsole: reg
WriteConsole: add "HKU\S-1-5-
WriteConsole: 1>
WriteConsole: nul
WriteConsole: 2>
WriteConsole: &1
WriteConsole:
C:\WINDOWS\system32\reg.exe reg add "HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "AppsUseLightTheme" /t reg_dword /d 0 /f
WriteConsole:
WriteConsole: C:\Users\Jcmufok
WriteConsole: if
WriteConsole: /I
WriteConsole: "Jcmufoks" NEQ "
WriteConsole: NSudoLG
WriteConsole: -U:T -P:E -UseC
WriteConsole: &&
WriteConsole: exit
WriteConsole:
C:\Users\Jcmufoks\appdata\local\temp\barer\nsudolg.exe NSudoLG -U:T -P:E -UseCurrentConsole "C:\Users\Jcmufoks\AppData\Local\Temp\v1KXjeL.bat" any_word
(NULL) C:\Users\Azwrnnrv\AppData\Local\Temp\m6YzOXs.bat
WriteConsole: C:\Users\Azwrnnr
WriteConsole: /d "C:\Users\Az
C:\Users\Azwrnnrv\appdata\local\temp\barer\nircmd.exe nircmd win min process "cmd.exe"
WriteConsole: "Azwrnnrv" NEQ "
C:\Users\Azwrnnrv\appdata\local\temp\barer\nsudolg.exe NSudoLG -U:T -P:E -UseCurrentConsole "C:\Users\Azwrnnrv\AppData\Local\Temp\m6YzOXs.bat" any_word
(NULL) C:\Users\Cvebmgll\AppData\Local\Temp\9MILTCf.bat
WriteConsole: C:\Users\Cvebmgl
WriteConsole: /d "C:\Users\Cv
C:\Users\Cvebmgll\appdata\local\temp\barer\nircmd.exe nircmd win min process "cmd.exe"
WriteConsole: "Cvebmgll" NEQ "
C:\Users\Cvebmgll\appdata\local\temp\barer\nsudolg.exe NSudoLG -U:T -P:E -UseCurrentConsole "C:\Users\Cvebmgll\AppData\Local\Temp\9MILTCf.bat" any_word