Trojan.MSIL.Stealer

By CagedTech in Stealers, Trojans

Threat Scorecard

Popularity Rank:	3,583
Threat Level:	80 % (High)
Infected Computers:	43,426

First Seen:	January 12, 2022
Last Seen:	April 3, 2026
OS(es) Affected:	Windows

Table of Contents

Analysis Report

General information

Family Name:	Trojan.MSIL.Stealer
Signature status:	No Signature

Known Samples

MD5: 5731c778eb89c4bf53ed3ab0303df80b

SHA1: 322041a280019a369e562888c4579bee1792233c

File Size: 5.32 MB, 5320192 bytes

MD5: b980f0a52d3dfae79496c9d6226a3447

SHA1: c31cdf5bfbf03149aed83484aba3f9575f783c81

File Size: 1.87 MB, 1874944 bytes

MD5: 0cbca520a15d42bc859d77e7cc7c6b26

SHA1: 4ab1d57cbad77a30554dc209d21da32cfa336beb

File Size: 13.82 KB, 13824 bytes

MD5: fcc0390053b6b4ae749c50fbde9652b4

SHA1: ec79c0eae26062cc049cc8053b31f8c5445afc8e

File Size: 2.11 MB, 2110976 bytes

MD5: 2bb62a5067f6287850034cf9a79feae1

SHA1: 1b114d22d0860a09a8b48d825da1b92ab84b0fca

SHA256: 43C2F4B7A1E04544C66F256731A0BFA18BEB427C8C19DEDF43D7063A09910AF9

File Size: 2.08 MB, 2080256 bytes

MD5: f886ea8e6db06d490258830ddc4bfd00

SHA1: 7984d96c61cea6d0626470884ff48aafeccf5596

SHA256: 97F8DE23046C20924C77AAB7332FE11793C6DE4DA7DCCA3CFB0B71063F185892

File Size: 989.18 KB, 989184 bytes

MD5: 73debc2cf96533f665ecca1eb9e31148

SHA1: 9fd3c0d7d5d8cfaf784dd36b79777d7eef5fd2bf

SHA256: DD8174CEC55736A539BCB2154CBE6E8991C71277E0C800FF4DC533C8832479F2

File Size: 6.03 MB, 6031597 bytes

MD5: 56a91b2cc1599725a71d9c9990ff5c1b

SHA1: 949b8779b1b40a7063758007293feb1c2b585562

SHA256: B5EEAC3CCE17366E6A9946690842776645942F83B773FB7619E979D0D21AC03E

File Size: 2.28 MB, 2283520 bytes

MD5: acfaccf392ece6b4042790a8de85a86e

SHA1: d12f07e82c1927b22ee3d4f2a1f5b59478944163

SHA256: 1E9FCD3DF0E86145D3EF878D875766C98E6012FD51725E2EBC61C38AA7544FD1

File Size: 307.71 KB, 307712 bytes

MD5: 5b85cce77ed306beb39436316c7c4e66

SHA1: 12b9b03bf1b98f8feef8fb26bdd58c8ee62b29d4

SHA256: D47B8EBAEF68C975426F339AF9C7F17F9F1399C881416268E823B44AA155C7D0

File Size: 2.28 MB, 2283520 bytes

MD5: 29b8883e46107efe95d039306bdb963c

SHA1: 75848fb9c6f3a808bb32216675472d5d9d8012b4

SHA256: 7E5C269AC46943FE93BE8C14D5E2B82DB5AEF24C75A9885C19A083D54BA9FB36

File Size: 2.05 MB, 2049024 bytes

MD5: aaece4bfe9aef86a5af44fd1bd5d7b1b

SHA1: d63a4a7e3b68e232a45e5e6de6e3278063c5b050

SHA256: 2DB6938351D75FA88670ED1A48C27AAF326D4335DBDC966C7D03DFE630572DF6

File Size: 7.68 KB, 7680 bytes

MD5: 37cd04645f0933648932f0a1a8a3bdc6

SHA1: dc9d02258f9b6cb34e306216a01d4d9d284ed7ef

SHA256: E0F7DF187494CFF70D35543210B3619327A59329DFFD1D141D922F8FB67F335C

File Size: 69.12 KB, 69120 bytes

MD5: d57dff6b0d167730e55f8c9017299529

SHA1: 5158aa0e8aff8454f59c23f2bb69c76dcfa76ff2

SHA256: 0327AF3297329BA26A48A62C95CB80741A8A9F90A4C4B63392A9B23BB25150D1

File Size: 7.37 MB, 7372288 bytes

MD5: 189a8ff62489550755957a9bfe48e4c9

SHA1: 08821ea50dae42c62153ba653d413ad8c4c47482

SHA256: 1AC4976B5553ADDFA29F18FE3AE545378640F6ED20A4DB9513479EDFC2A910F3

File Size: 34.30 KB, 34304 bytes

MD5: 5792c32729aec7031b6eb57565ab79f1

SHA1: 7fb5b21fef89ea58d76c3f3f40083b34fde587ea

SHA256: 8E706ACA7BFA8A796F21AE00BF1EE3F7055F1CB6D68B9AEC6331404CCBBCD9D6

File Size: 2.32 MB, 2323456 bytes

MD5: 2c817d8cd4ad49ebb75adfd1857a8afd

SHA1: 9f02d54c905b1eda460672e216e72c0d8da03b82

SHA256: 455E79472B0EC2D974ECBAD86E44FB95F8F7A1BEEDE0C5916220DF40AFBFD0EB

File Size: 4.46 MB, 4462896 bytes

MD5: bb0e1e191c80dc9c60e3a27a1a154279

SHA1: 1e652b15781abc6125f9109b46e9a979142c6734

SHA256: DC3E8684167715BE985553F532625715ED209ED24B12FCC5BF8494518FD47CA1

File Size: 2.28 MB, 2284032 bytes

MD5: b975ec36b07038f5d19777af00370aaf

SHA1: 9501f492481ceecf41f4f5ac2d9b536e2207a394

SHA256: 03F1C0DE207E27B45C8A2BB0A77E0895AB98A7271FA3AF11B86BE22BFA9BF9F0

File Size: 202.75 KB, 202752 bytes

MD5: cfc700ea7d40b38c93f6901ba1495e0c

SHA1: 9504015a7101579c99c7e05d7fb6c1bfafdf5276

SHA256: D2166793421F640CC1B0819C727C1655C441DA0D98461E6B773121C5FE8F060F

File Size: 204.29 KB, 204288 bytes

MD5: dc87dc00270ce8dbbaaa5e75100595d8

SHA1: 6a70c9266f4a1e8d6d27f66be5254225d8f9b499

SHA256: 5795B085BD9C00A721369763538FD7987683967250D5B4720596DC31D51A34E0

File Size: 116.74 KB, 116736 bytes

MD5: 838703d503b5c20e07412c080c1dfc62

SHA1: bc5664cf6ebcbd3032c183a89f70abdf056573f3

SHA256: 599F8044AC833677564223F34B28FC9286C40683095485BA366EC465ACCDFA74

File Size: 307.71 KB, 307712 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have debug information
File doesn't have exports table
File doesn't have relocations information
File doesn't have security information
File has TLS information
File is .NET application
File is 32-bit executable
File is 64-bit executable
File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)

File is either console or GUI application
File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
File is Native application (NOT .NET application)
File is not packed
IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name	Value
Assembly Version	10.0.17763.3469 2.0.0.0 1.10.4911.24294 1.1.50.0 1.1.49.0 1.1.37.0 1.1.30.0 1.1.23.0 1.1.21.1 1.0.9079.27548 Show More 1.0.7501.30217 1.0.1.33 1.0.0.15 1.0.0.0 0.0.0.0
Comments	Print driver host for applications Steam Game Adder v1.0 This installation was built with Inno Setup. XHP Booster XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Company Name	ABELSoft Corporation ComputerSluggish Công ty Cổ phần Công nghệ Tin học EFY Việt Nam Ing. Mauro Barale Microsoft Microsoft Corporation Sony Computer Entertainment Inc. Steam Game Adder v1.0
File Description	AsyncMac conhost Easy System Utility EFY.Signatures FMGU BOT REBORN 2 LaunchMSBuild MB Muro 3.01 Setup Phantom PlayStation Mobile UI Composer SharpDomainSpray Show More splwow64 Steam Game Adder v1.0 wlg XHP
File Version	12.9.1.22 10.0.17763.3469 2.0.0.0 1.10.4911.24294 1.1.50.0 1.1.49.0 1.1.37.0 1.1.30.0 1.1.23.0 1.0.9079.27548 Show More 1.0.7501.30217 1.0.1.33 1.0.0.15 1.0.0.0 0.0.0.0
Internal Name	1_nexus_7000.exe conhost.exe Easy System Utility.exe EFY.Signatures.exe FMGU BOT REBORN 2.exe LaunchMSBuild.exe MB_Muro_305.exe msvchost.exe RDP Miner.exe SharpDomainSpray.exe Show More Steam Game Adder v1.0.exe Steanings.exe stub.exe UIComposerMain.exe wlg.exe
Legal Copyright	${AuthorCopyright} AsyncMac Copyright © 2010 Copyright © 2023 Copyright © 2023 Copyright © ABELSoft Corporation 2014 Copyright © Microsoft 2018 Copyright © Old phantom 2022 XHP Corporation Copyright © 2021 © 2013 Sony Computer Entertainment Inc. All Rights Reserved. Show More © Microsoft Corporation. All rights reserved.
Legal Trademarks	泽商顾太首顾太司希城行席
Original Filename	1_nexus_7000.exe AsyncMac.exe conhost.exe Easy System Utility.exe EFY.Signatures.exe FMGU BOT REBORN 2.exe LaunchMSBuild.exe MB_Muro_305.exe msvchost.exe RDP Miner.exe Show More SharpDomainSpray.exe Steam Game Adder v1.0.exe Steanings.exe stub.exe UIComposerMain.exe wlg.exe
Product Name	AsyncMac conhost Easy System Utility EFY.Signatures FMGU BOT REBORN 2 LaunchMSBuild MB Muro 3.01 Microsoft® Windows® Operating System Phantom PlayStation®Mobile UI Composer Show More Steam Game Adder v1.0 wlg XHP booster
Product Version	12.9.1.22 10.0.17763.3469 4.4.4.4 3.01 2.0.0.0 1.10.4911.24294 1.1.50.0 1.1.49.0 1.1.37.0 1.1.30.0 Show More 1.1.23.0 1.0.9079.27548 1.0.7501.30217 1.0.1.33 1.0.0.15 1.0.0.0 1.0.0 0.0.0.0

File Traits

.NET
.sdata
Agile.net
CryptUnprotectData
Fody
HighEntropy
NewLateBinding
No CryptProtectData
ntdll
Run

WriteProcessMemory
x64
x86

Block Information

Total Blocks:	489
Potentially Malicious Blocks:	271
Whitelisted Blocks:	185
Unknown Blocks:	33

Visual Map

x x x x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x x x x x x x x 0 0 x 0 0 x x x x 0 0 0 0 x x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 x 0 x x 0 0 0 0 0 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x ? ? ? ? ? ? ? x ? ? ? ? ? x x ? ? ? x 0 0 0 0 0 x 0 0 0 0 0 ? 0 x x 0 x 0 0 0 x x x ? 0 0 ? 0 x x x x x x x x x 0 x x x ? 0 0 ? 0 x x 0 x x ? x x x 0 x x x ? ? ? 0 x x 0 ? 0 0 x x 0 x x x x x x x x x x x x x x x x x x x x x x x x x x x ? x 0 x x x x x x x x x x x x x x x ? x x x x x x x 0 x x x x ? x x x x x x x x x x x x x x x 0 x x x 0 0 0 x x x x ? x x 0 x x x x x x x x 0 x x x x x x 0 x 0 x x x x x x x x x 0 0 x x x x x ? ? ? 0 x x x x x ? x x x x x x x x x x x x x x x x x x x x x x x x 0 x 0 0 0 0 0 x 0 0 0 x 0 0 0 x 0 0 0 0 x 0 x x x x x 0 0 0 0 x x 0 x x x 0 x x x x x 0 x x 0 x 0 x x x x 0 0 x 0 0 0 x x x x x x x 0 0 0 0 x x x x x x x x x 0 0 x x x x x x x x x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x x x 0 x x x 0 x x 0 x 0 x

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

MSIL.Agent.XGA
MSIL.BadJoke.XJ
MSIL.Coinminer.XB
MSIL.Gamehack.RB
MSIL.HackAgent.CD

MSIL.PSW.Agent.GB
MSIL.Stealer.RAR

Files Modified

File	Attributes
\device\namedpipe\dav rpc service	Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\gmdasllogger	Generic Write,Read Attributes
\device\namedpipe\pshost.134170763569777854.5376.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\wkssvc	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\__psscriptpolicytest_1h1s0kx2.ady.ps1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_4l4z4ems.0vs.psm1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\costura\05a92ec28edc5561548638caa951f864\64\sqlite.interop.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ex_44261.ps1	Generic Write,Read Attributes
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\actualizaciones.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\windows\appcompat\programs\amcache.hve	Read Data,Read Control,Write Data

c:\windows\appcompat\programs\amcache.hve	Write Attributes
desktop-dlos3m3*\mailslot\net\netlogon	Generic Write,Read Attributes

Registry Modifications

Key::Value	Data	API Name
HKLM\software\microsoft\tracing\rasapi32::enablefiletracing		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enableautofiletracing		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enableconsoletracing		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::filetracingmask		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::consoletracingmask		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::maxfilesize		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::filedirectory	%windir%\tracing	RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enablefiletracing		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enableautofiletracing		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enableconsoletracing		RegNtPreCreateKey

HKLM\software\microsoft\tracing\rasmancs::filetracingmask		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::consoletracingmask		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::maxfilesize		RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::filedirectory	%windir%\tracing	RegNtPreCreateKey
HKCU::di	!	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	핿㷔ꮙǜ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\system\software\microsoft\tip\aggregateresults::data	隞̃봁耀꧌Ť'	RegNtPreCreateKey

Windows API Usage

Category	API
Syscall Use	ntdll.dll!NtAccessCheck ntdll.dll!NtAdjustPrivilegesToken ntdll.dll!NtAlertThreadByThreadId ntdll.dll!NtAllocateLocallyUniqueId ntdll.dll!NtAlpcConnectPort ntdll.dll!NtAlpcConnectPortEx ntdll.dll!NtAlpcCreatePortSection ntdll.dll!NtAlpcCreateResourceReserve ntdll.dll!NtAlpcCreateSectionView ntdll.dll!NtAlpcCreateSecurityContext Show More ntdll.dll!NtAlpcQueryInformation ntdll.dll!NtAlpcQueryInformationMessage ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtAlpcSetInformation ntdll.dll!NtApphelpCacheControl ntdll.dll!NtAssociateWaitCompletionPacket ntdll.dll!NtCancelTimer2 ntdll.dll!NtCancelWaitCompletionPacket ntdll.dll!NtClearEvent ntdll.dll!NtClose ntdll.dll!NtCompareSigningLevels ntdll.dll!NtConnectPort ntdll.dll!NtCreateEvent ntdll.dll!NtCreateFile ntdll.dll!NtCreateIoCompletion ntdll.dll!NtCreateKey ntdll.dll!NtCreateMutant ntdll.dll!NtCreatePrivateNamespace ntdll.dll!NtCreateSection ntdll.dll!NtCreateSemaphore ntdll.dll!NtCreateThreadEx ntdll.dll!NtCreateTimer ntdll.dll!NtCreateTimer2 ntdll.dll!NtCreateWaitCompletionPacket ntdll.dll!NtCreateWorkerFactory ntdll.dll!NtDelayExecution ntdll.dll!NtDeleteValueKey ntdll.dll!NtDeviceIoControlFile ntdll.dll!NtDuplicateObject ntdll.dll!NtDuplicateToken ntdll.dll!NtEnumerateKey ntdll.dll!NtEnumerateValueKey ntdll.dll!NtFlushProcessWriteBuffers ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtFsControlFile ntdll.dll!NtGetCachedSigningLevel ntdll.dll!NtGetCompleteWnfStateSubscription ntdll.dll!NtGetWriteWatch ntdll.dll!NtLoadKeyEx ntdll.dll!NtMapViewOfSection ntdll.dll!NtNotifyChangeKey ntdll.dll!NtOpenDirectoryObject ntdll.dll!NtOpenEvent ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenKeyEx ntdll.dll!NtOpenProcess ntdll.dll!NtOpenProcessToken ntdll.dll!NtOpenProcessTokenEx ntdll.dll!NtOpenSection ntdll.dll!NtOpenSemaphore ntdll.dll!NtOpenSymbolicLinkObject ntdll.dll!NtOpenThread ntdll.dll!NtOpenThreadToken ntdll.dll!NtOpenThreadTokenEx ntdll.dll!NtProtectVirtualMemory ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryDefaultLocale ntdll.dll!NtQueryDirectoryFileEx ntdll.dll!NtQueryEvent ntdll.dll!NtQueryFullAttributesFile ntdll.dll!NtQueryInformationFile ntdll.dll!NtQueryInformationJobObject ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryKey ntdll.dll!NtQueryLicenseValue ntdll.dll!NtQueryObject ntdll.dll!NtQueryPerformanceCounter ntdll.dll!NtQuerySecurityAttributesToken ntdll.dll!NtQuerySecurityObject ntdll.dll!NtQuerySymbolicLinkObject ntdll.dll!NtQuerySystemInformation ntdll.dll!NtQuerySystemInformationEx ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtQueryWnfStateData ntdll.dll!NtQueueApcThread ntdll.dll!NtQueueApcThreadEx2 ntdll.dll!NtReadFile ntdll.dll!NtReadRequestData ntdll.dll!NtReadVirtualMemory ntdll.dll!NtReleaseMutant ntdll.dll!NtReleaseSemaphore ntdll.dll!NtReleaseWorkerFactoryWorker ntdll.dll!NtRequestWaitReplyPort ntdll.dll!NtResetWriteWatch ntdll.dll!NtResumeThread 27 additional items are not displayed above.
User Data Access	GetComputerName GetComputerNameEx GetUserDefaultLocaleName GetUserName GetUserNameEx GetUserObjectInformation
Other Suspicious	AdjustTokenPrivileges
Network Winsock2	WSAConnect WSASocket WSAStartup WSAttemptAutodialName
Network Winsock	closesocket freeaddrinfo getaddrinfo recv send setsockopt
Network Winhttp	WinHttpOpen
Network Info Queried	GetAdaptersAddresses GetNetworkParams
Encryption Used	BCryptOpenAlgorithmProvider CryptAcquireContext
Anti Debug	IsDebuggerPresent NtQuerySystemInformation
Process Manipulation Evasion	NtUnmapViewOfSection ReadProcessMemory
Process Shell Execute	CreateProcess

Shell Command Execution


							C:\Windows\Microsoft.NET\Framework64\v2.0.50727\\dw20.exe dw20.exe -x -s 824


							"powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -File "C:\Users\Apjshkwp\AppData\Local\Temp\ex_44261.ps1"


							C:\Windows\Microsoft.NET\Framework64\v2.0.50727\\dw20.exe dw20.exe -x -s 860

Trojan.MSIL.Stealer

Threat Scorecard

EnigmaSoft Threat Scorecard

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

File Icons

File Icons

Windows PE Version Information

Windows PE Version Information

File Traits

Block Information

Block Information

Visual Map

Similar Families

Similar Families

Files Modified

Files Modified

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

Submit Comment

Related Posts

Trending

Most Viewed