Trojan.ReflectiveLoader

By CagedTech in Trojans

Threat Scorecard

Popularity Rank:	3,376
Threat Level:	80 % (High)
Infected Computers:	1,701

First Seen:	March 20, 2024
Last Seen:	April 22, 2026
OS(es) Affected:	Windows

Table of Contents

Analysis Report

General information

Family Name:	Trojan.ReflectiveLoader
Signature status:	No Signature

Known Samples

MD5: 9bb882e4275a9a5bcb311b228bd50c1c

SHA1: a5198f2c88266eb1a5f7cb172ac2547b94b99a5a

SHA256: E845549652A887DFB3A516AE23A877DF0175A907C2CA3910570FEC051A7E47A0

File Size: 3.74 MB, 3744669 bytes

MD5: e3ba26e59bf6915265dacbc82269bf6b

SHA1: fd99666fa5f6c5f7c40e175c8b8b087ae4cd7a67

SHA256: E3945D191C7F83A76544A52107C2C5A6E2904AFE02FF229F60565E269C53E7CB

File Size: 56.83 KB, 56832 bytes

MD5: 867a90f51e41c0654ba4f992961eb18e

SHA1: 821eded29ce15f610748057c927271f49dd39c3f

SHA256: 727E1163D2CF199AB525C2BBC931E481CFE412FA41F0C0C396F25FCCF84B48A9

File Size: 97.28 KB, 97280 bytes

MD5: d9160a72105c9d6cb90640bca60aa426

SHA1: 9d9a05370565419710e8dcc869af231e95f6fa08

SHA256: 07BBFF7609B94E8853575E3A6803F33435E8D3EDE7D96EDD83237B583B76B716

File Size: 292.35 KB, 292352 bytes

MD5: 8b3a5259224773661335f7cebff5b0c3

SHA1: 4da1f746bb838793ba9938bc85e96bd46000e982

SHA256: D0C7650C91AF02AB2EA52828FB69A04D1B711516F599AB831FE12BBB700F3158

File Size: 356.46 KB, 356456 bytes

MD5: f7ea91ea0dfeaba9808dd8968d8a5bf8

SHA1: b8aed825afe5f4257c78c95a95f8013910c6e077

SHA256: 26805DA0F180DF1B67FE25DFC56D7E287A90F16D6F0F1ED4C9A2CEC35D03FC9B

File Size: 187.39 KB, 187392 bytes

MD5: 4fce92f3912532c7fcbf83b1f506f6a3

SHA1: 1a6b6a8b2caef3a57ad94bd96a77d90d73fb46bb

SHA256: 206F479DFC4FB3E3E15F571ED1BB1FAD65575A017753724FD578AC4F2D4DFE83

File Size: 2.46 MB, 2458624 bytes

MD5: de41c4f3a2a0b785ad56b85f9002246e

SHA1: fac9dca8510b4355d28362697099911f995cd693

SHA256: AB97FD0715DB48F6EA45C6F0C9BE322223A49F71CA51D43E2A11548C75F6A3D9

File Size: 1.72 MB, 1720320 bytes

MD5: 48a4628d76da3dc17caed4aa8d716127

SHA1: 810a29eaa2a06462de2cfba4d67c289500b72bc8

SHA256: 8B48D434B1461E837FF0B5E5905BEAD2F8BFE02862FCB285091DF440A0725686

File Size: 112.64 KB, 112640 bytes

MD5: 02fdbe96cfecf85a1fc2b72080e8124b

SHA1: 9e8648e860f7cdcaaea4ac92ae5148e1664ba1e6

SHA256: 91DE64322ECD76277443B2C32A715D338DEC7C7F5E3F393E35452182A9098122

File Size: 3.78 MB, 3776000 bytes

MD5: 0deb147fa583d7e56bf2a73f505d4e85

SHA1: 92749acb52587414f2d59a97edcbab71872337ab

SHA256: 50A7398916603F7A8167C76C169910AF592A81DB3A30911078BE7203C434E499

File Size: 262.66 KB, 262656 bytes

MD5: 9e167f984500a4835096535bb57718bc

SHA1: 7a67e486ec0d6c2f1746197ea106dc80b0e2ed5c

SHA256: 79AD5D4117E63D424AB2DD2AE69F4389C40F806C72DB0FB3DA834809A72625D1

File Size: 1.95 MB, 1947136 bytes

MD5: 3de9048cd4205fac660fc37fb9850f41

SHA1: 8d4e5618e8343c69ce816f91d6532a5fcb369eb1

SHA256: 957FCC8565B3F5EED88CE4841E692ED3BDFFE4000FDD7C139AB68C77614DC539

File Size: 1.79 MB, 1786880 bytes

MD5: 3abbe613b73e6ffae1a385fecf4e240c

SHA1: 8bdc97481c5f8a6110c023bc0ee83e7d0af8017a

SHA256: 4A4926DA491D98BEDDAC17F2737F66EB6C5698C5EEC0319F00C70BE203412F49

File Size: 3.92 MB, 3922432 bytes

MD5: 4e5f2e666f8f79753b7ec52067ecf7be

SHA1: 5ca35796279738a399fff183fbf404d295b3f321

SHA256: 4A90BFE4054CD21F045717642273FA89BBD3FDF4C6808811AB1904B4175680A1

File Size: 2.51 MB, 2506240 bytes

MD5: a82e8ec5d9a27254bd8f9331326d896e

SHA1: 4824204a8a42e0f94e9e74fb1939dfccc3f28d09

SHA256: 3B9AF651CE7C2940D90DBA62DDCB3EB7E803E5424B7050D226DF33D417D5277C

File Size: 2.12 MB, 2121728 bytes

MD5: e5f76b2db75723b2803f5d4a5b5187e8

SHA1: 23e0ceb34a9d968465054fb7fb32e205f9ac786e

SHA256: BAF43D31EE9E62706CA5A894735202BBAF918729A09BCD91B5066B8E820DBC90

File Size: 259.07 KB, 259072 bytes

MD5: 0c64a9f904cf1a6a79b399e5d4a1e7ff

SHA1: 472ba1593a88df0da770dba57263089dca45e16a

SHA256: DF05AAF3C935D994C6616B2E96A459CCB2C0EFA67EA0917642CC94887124EB41

File Size: 17.92 KB, 17920 bytes

MD5: ddaebaeec5b390e4a961b6875a35dd8a

SHA1: c55a9e603c11633686895635e7ecd872dc317159

SHA256: 8EE7EE8B38ADD2CB0B3772B3E235CB59E2BF8515A5F356A59CFD7A98F8B123DE

File Size: 1.79 MB, 1792512 bytes

MD5: 81ff1ba414fcf2b635b00b77b3c4f12a

SHA1: 4c85cc3a5d67884627cb791d1e8fbeeae974c46f

SHA256: FD34489FF9FDA01456B90C7FF2C747F4DFAFBEC4B3BF2CBDBD29011B25F5892B

File Size: 2.29 MB, 2285056 bytes

MD5: 48eaed01fee202508d9cac0d7d9a4d4d

SHA1: 900280370d2bb2ca41f70f215781128c4865891d

SHA256: 52825DBF3FC28B9F7C3A24ADF78D3425AC714E975769F4D70E8C718DDCBB9856

File Size: 2.80 MB, 2800640 bytes

MD5: ee62d56965e05168a553bf7c2dfaaec0

SHA1: cd72c0ab62540e297a224abd48b1f6d586a07289

SHA256: F58FCC5D3C9BE3261305A5309B2055F0AC098DDB58D8E8731252F00C5D44FD43

File Size: 412.16 KB, 412160 bytes

MD5: e70e4b206a16765d37fc7b94d3ae3f0a

SHA1: 0f8f854b3bf168261594e9794c22a9f6ad6bb4b0

SHA256: 9B96FB3882CEEB0755DD245B4704084E2ED510B329632D7C6A9C1F2108E87593

File Size: 1.13 MB, 1132032 bytes

MD5: 2adfaa0e9ace027fef988bbd8b0e7f3c

SHA1: d19e40b5b3f17da6a7ede238e4a5d1c298e02564

SHA256: CE881D747B8F8578163C8F5743C6F459428F93546DFB71C83C3960BE51520F70

File Size: 733.70 KB, 733696 bytes

MD5: 8cb837654b3a9d0b89fbc2268b401cca

SHA1: 40403cfc76d6016c35e75ff7c2a4244c5b3d2df1

SHA256: FE4E5FB28D2C2B3A640112B6B125CE8C4AFA8BE28342E3BFDA097AD9DD2EF9EE

File Size: 2.88 MB, 2880000 bytes

MD5: 7b2cba7ce9792101e7180994efc46b8f

SHA1: 875d31a7ff19a4e443f7a40ceba9e1ded2007777

SHA256: B52943263D9B10F2ECD5AFCEC024470BD87AD0B5EFDA0B5D7F2066F955351588

File Size: 362.50 KB, 362496 bytes

MD5: 9cdf17ed5b52fac130b8f980eba24c26

SHA1: f12519a3a90ed761dd4b8c226c27f169cdbd0d35

SHA256: 7260A1D0DABECFACDAEB0AA91FB3AECD504B5FE8CC82D36DAB7D6DDBCB4C2D75

File Size: 1.76 MB, 1763328 bytes

MD5: 83af99a03697c2f99d3276a61301fb14

SHA1: 175217898bc6006bc5c6433640c747619c6429a6

SHA256: 629645296B461A16127329CB16F07D8F7FEFFD8B108D9A0E7DC42347DFDE72CC

File Size: 1.79 MB, 1785856 bytes

MD5: c137e1ba3d33f2bc7bc6d43fbfdd2d3e

SHA1: 89cd689e744064be3f52733133124913b02d99b5

SHA256: BC14AD7FF3A54CED983BF4FD11F0C01858053BEA93BC9C8A8ED5CF1CE3D413D6

File Size: 48.64 KB, 48640 bytes

MD5: 0b6fef3d865872c17326ebca3303d48f

SHA1: e92f8ee36278e54316bec4bf078e948d5791d13b

SHA256: EBFE31B5A3090FA0D66B4FD9D6179782B9F22778C1849081788ED6B6680A4345

File Size: 3.14 MB, 3136000 bytes

MD5: e8eb6cb596e6c89e2f64d258d92706d5

SHA1: eb8a4c27abbf526ee88d6780b0c0758847e1f6f8

SHA256: 2F3D8BF8174044B548617536C952F5C8ED96896FC7252AE8FD260279CCA8471F

File Size: 4.47 MB, 4469760 bytes

MD5: 8220a1438b8323a94dc9a806a73994f8

SHA1: 5f5069ac483ef5ee4cee735b957ec1cb4c32f25b

SHA256: 148FA2CA797D7E5D88C1CAF1EF69DD998AA6F4F97CBDCC2A12204BF558B68C25

File Size: 296.96 KB, 296960 bytes

MD5: 1e6ddc5cd77af7641f14f9f49895683e

SHA1: f507837db6e4761942db35e7506b7075ebafedab

SHA256: 2F77B32D357EE32396ED1724ED88C5C5F9FD8DB8CEDBD1B07A1BB1D58989862A

File Size: 284.67 KB, 284672 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have debug information
File doesn't have exports table
File doesn't have relocations information
File doesn't have resources
File doesn't have security information
File has been packed
File has exports table
File has TLS information
File is .NET application

File is 32-bit executable
File is 64-bit executable
File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
File is either console or GUI application
File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
File is Native application (NOT .NET application)
File is not packed
IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name	Value
Assembly Version	1.0.0.0
Company Name	Microsoft Corporation Microsoft Windows Host
File Description	Microsoft Windows Host NewStealer System Windows Application
File Version	8.1.0.1 2.2.0.1 1.0.0.0
Internal Name	NewStealer.dll System.exe system.exe Windows Host.exe
Legal Copyright	Copyright (C) 2025 Copyright (C) 2026 Copyright © 2023 Copyright © 2025
Original Filename	NewStealer.dll System.exe system.exe WindowsHost.exe
Product Name	Microsoft Windows Host Microsoft® .NET Framework NewStealer Windows Application
Product Version	8.1.0.1 1.0.0.1 1.0.0.0

File Traits

2+ executable sections
big overlay
CryptUnprotectData
dll
fptable
GetConsoleWindow
HighEntropy
MZ (In Overlay)
No CryptProtectData
No Version Info

ntdll
packed
VirtualQueryEx
WriteProcessMemory
x64
x86

Block Information

Total Blocks:	425
Potentially Malicious Blocks:	2
Whitelisted Blocks:	411
Unknown Blocks:	12

Visual Map

? ? ? 0 0 0 0 0 0 0 0 0 x ? ? 0 x ? 0 0 0 ? ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 ? ? 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

Agent.CZF
Agent.DSFA
Agent.DSFB
Agent.DSFC
Agent.FRFE

Agent.FRQ
Agent.KFGD
Agent.KOSA
Agent.KPSG
Downloader.Agent.BTAT
Downloader.Agent.DL
Downloader.Agent.OL
Gamehack.BED
Injector.GFDA
Kryptik.ODFC
PSW.Agent.FBA
PSW.Agent.KA
Spy.Agent.BP
Trojan.Agent.Gen.AEX
Trojan.Agent.Gen.BL
Trojan.Agent.Gen.NA
Trojan.Downloader.Gen.JV
Trojan.Downloader.Gen.KM
Trojan.Kryptik.Gen.CPV
Trojan.Kryptik.Gen.CYV
Trojan.Kryptik.Gen.CZW
Trojan.ShellcodeRunner.Gen.IO

Files Modified

File	Attributes
\device\namedpipe	Generic Read,Write Attributes
\device\namedpipe	Generic Write,Read Attributes
\device\namedpipe\bazaarlab_chrome	Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\chromedecryptipc_05359ff3-087c-45db-8dd3-c7b117207d99	Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\chromedecryptipc_92788697-1fdc-4bf7-ae87-29edf2030b76	Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\chromium.ipc.44654.2252	Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\chromium.ipc.47337.6352	Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\dav rpc service	Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\f3018b6e-16ea-4edd-a5ef-64854a7649bf	Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\msedge.crashpad_43465_0acc	Generic Read,Write Data,Write Attributes,Write extended,Append data

\device\namedpipe\pshost.134138318241428053.4300.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134144741362696729.8416.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\srvsvc	Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\wkssvc	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\0v4ud4fg.bat	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_0wyknhex.5bg.ps1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_d3veedwe.yyd.ps1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_r0415sxw.0gg.psm1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_zw2lsm5b.22q.psm1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\chromelevator_63e07a943f454b36996924db82d6b62e.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\chromelevator_63e07a943f454b36996924db82d6b62e.exe	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\chromelevator_d29469c3b58b47cfa58d615c734a4682.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\chromelevator_d29469c3b58b47cfa58d615c734a4682.exe	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\costura\d1138b0d14916c7db1e1faeb7dd76dfa\entityframework.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\costura\d1138b0d14916c7db1e1faeb7dd76dfa\entityframework.sqlserver.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\costura\d1138b0d14916c7db1e1faeb7dd76dfa\newtonsoft.json.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\costura\d1138b0d14916c7db1e1faeb7dd76dfa\system.data.sqlite.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\costura\d1138b0d14916c7db1e1faeb7dd76dfa\system.data.sqlite.ef6.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\costura\d1138b0d14916c7db1e1faeb7dd76dfa\system.data.sqlite.linq.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\cpdpmqidgn.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\dgulxdcj-02042026-1550.aetheryx	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\iazrzjvzkx.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\log.txt	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\shadowcopymanager_debug.log	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\un_unknown_2026-01-25 08_23_46_bfeb5820-9643-42ad-a79f-071dff4d8e64\browser_decryption.log	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\un_unknown_2026-01-31 18_32_30_bfeb5820-9643-42ad-a79f-071dff4d8e64\browser_decryption.log	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\zzvaoichuv.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\zzvaoichuv.exe	Synchronize,Write Attributes
c:\users\user\appdata\roaming\0ed00d722c161117388365	Synchronize,Write Attributes
c:\users\user\appdata\roaming\0ed00d722c161117388365\0ed00d722c161117388365.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\roaming\0ed00d722c161117388365\0ed00d722c161117388365.exe	Generic Write,Read Attributes,Delete,LEFT 262144
c:\users\user\appdata\roaming\0ed00d722c161117388365\0ed00d722c161117388365.exe	Generic Write,Read Data,Read Attributes,Delete,LEFT 262144
c:\users\user\appdata\roaming\0ed00d722c161117388365\0ed00d722c161117388365.exe	Synchronize,Write Attributes
c:\users\user\appdata\roaming\0ed00d722c161117388365\system.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\roaming\0ed00d722c161117388365\system.exe	Synchronize,Write Attributes
c:\users\user\appdata\roaming\adobe\adobe.dll	Generic Write,Read Attributes
c:\users\user\appdata\roaming\microsoft\usersetting\trnmg.sdb	Generic Write,Read Attributes
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\5f5069ac483ef5ee4cee735b957ec1cb4c32f25b_0000296960	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\f507837db6e4761942db35e7506b7075ebafedab_0000284672	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\roaming\services.exe	Generic Write,Read Attributes
c:\users\user\appdata\roaming\sivoyu.exe	Generic Write,Read Attributes
c:\users\user\appdata\roaming\sivoyu.exe	Synchronize,Write Attributes
c:\users\user\appdata\roaming\suovby.exe	Generic Write,Read Attributes
c:\users\user\appdata\roaming\syscrost.exe	Generic Write,Read Attributes
c:\users\user\appdata\roaming\syscrost.exe	Synchronize,Write Attributes
c:\users\user\downloads\5f5069ac483ef5ee4cee735b957ec1cb4c32f25b_0000296960	Synchronize,Write Attributes
c:\users\user\downloads\a5198f2c88266eb1a5f7cb172ac2547b94b99a5a_0003744669	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\downloads\a5198f2c88266eb1a5f7cb172ac2547b94b99a5a_0003744669	Synchronize,Write Attributes
c:\users\user\downloads\f507837db6e4761942db35e7506b7075ebafedab_0000284672	Synchronize,Write Attributes
c:\users\user\pictures\svchost.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\pictures\svchost.exe	Synchronize,Write Attributes
c:\windows\system32\bindsvc.exe	Generic Write,Read Attributes
c:\windows\system32\msfte.dll	Generic Write,Read Attributes
c:\windows\system32\oci.dll	Generic Write,Read Attributes
c:\windows\syswow64\bindsvc.exe	Generic Write,Read Attributes
c:\windows\syswow64\racfg.exe	Generic Write,Read Attributes
c:\windows\syswow64\wideshut.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\windows\syswow64\wimsvc.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144

Registry Modifications

Key::Value	Data	API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475	♃ȁᴫ龡^İ紘Ç獖}ķ⦘·ķ좟Ê	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey

HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	숃Ǘ♠ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	숃Ǘ♠ǜ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475	♄ȁᴫ龡^İ紘Ç獖}ķ⦘·ķ좟Ê	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	镞Ɍ♠ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	镞Ɍ♠ǜ	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::services	C:\Users\Gkflwvtp\AppData\Roaming\0ED00D722C161117388365\System.exe	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::microsoft windows security	C:\Users\Txrptoot\AppData\Roaming\suovby.exe	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer::slowcontextmenuentries		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75	沑⬉ʾ阐䈛x䠱O᤹˃噀ñ᝹ʁ傄ë횎ǜɼ鶝꾢ʊ閾ʴ淃駃ó⟋ʪߙĤᯢV鈄ĞꩠŖ	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::system updates	c:\users\user\downloads\92749acb52587414f2d59a97edcbab71872337ab_0000262656	RegNtPreCreateKey
HKCU\software\microsoft\edge\blbeacon::failed_count		RegNtPreCreateKey
HKCU\software\microsoft\edge\blbeacon::state		RegNtPreCreateKey
HKCU\software\microsoft\edge\thirdparty::statuscodes	(NULL)	RegNtPreCreateKey
HKCU\software\microsoft\edge\thirdparty::statuscodes		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	ⅴ蠇橘ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	䍃袊橘ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	擖褍橘ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	娴触橘ǜ	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::microsoft windows host	C:\Users\Bhdthcas\Pictures\svchost.exe	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	硗戀踖ǜ	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::microsoft windows security	c:\users\user\downloads\cd72c0ab62540e297a224abd48b1f6d586a07289_0000412160	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	ꢏ祫鏮ǜ	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::windows updates core	c:\users\user\downloads\875d31a7ff19a4e443f7a40ceba9e1ded2007777_0000362496	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKCU\software\bfebadafdffdec::currentpath	c:\users\user\downloads\89cd689e744064be3f52733133124913b02d99b5_0000048640	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::services	C:\Users\Jebwtqpe\AppData\Roaming\0ED00D722C161117388365\0ED00D722C161117388365.exe	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer::slowcontextmenuentries		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKCU\software\bfebadafdffdec::currentpath	C:\Users\Jebwtqpe\AppData\Roaming\0ED00D722C161117388365\0ED00D722C161117388365.exe	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::adobe	rundll32.exe "C:\Users\Tcvxatmr\AppData\Roaming\Adobe\Adobe.dll",start	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::windows updates core	c:\users\user\downloads\5f5069ac483ef5ee4cee735b957ec1cb4c32f25b_0000296960	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::windows updates core	c:\users\user\downloads\f507837db6e4761942db35e7506b7075ebafedab_0000284672	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey

Windows API Usage

Category	API
Process Manipulation Evasion	NtUnmapViewOfSection ReadProcessMemory VirtualAllocEx
Process Shell Execute	CreateProcess ShellExecute ShellExecuteEx WriteConsole
Service Control	OpenSCManager OpenService StartService
Syscall Use	ntdll.dll!NtAccessCheck ntdll.dll!NtAccessCheckByType ntdll.dll!NtAddAtomEx ntdll.dll!NtAlertThreadByThreadId ntdll.dll!NtAllocateLocallyUniqueId ntdll.dll!NtAlpcAcceptConnectPort ntdll.dll!NtAlpcConnectPort ntdll.dll!NtAlpcConnectPortEx ntdll.dll!NtAlpcCreatePort ntdll.dll!NtAlpcCreatePortSection Show More ntdll.dll!NtAlpcCreateResourceReserve ntdll.dll!NtAlpcCreateSectionView ntdll.dll!NtAlpcCreateSecurityContext ntdll.dll!NtAlpcDeleteSecurityContext ntdll.dll!NtAlpcQueryInformation ntdll.dll!NtAlpcQueryInformationMessage ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtAlpcSetInformation ntdll.dll!NtApphelpCacheControl ntdll.dll!NtAreMappedFilesTheSame ntdll.dll!NtAssociateWaitCompletionPacket ntdll.dll!NtCancelIoFileEx ntdll.dll!NtCancelTimer2 ntdll.dll!NtCancelWaitCompletionPacket ntdll.dll!NtClearEvent ntdll.dll!NtClose ntdll.dll!NtCompareSigningLevels ntdll.dll!NtConnectPort ntdll.dll!NtCreateEvent ntdll.dll!NtCreateFile ntdll.dll!NtCreateIoCompletion ntdll.dll!NtCreateKey ntdll.dll!NtCreateMutant ntdll.dll!NtCreateNamedPipeFile ntdll.dll!NtCreatePrivateNamespace ntdll.dll!NtCreateSection ntdll.dll!NtCreateSemaphore ntdll.dll!NtCreateThreadEx ntdll.dll!NtCreateTimer ntdll.dll!NtCreateTimer2 ntdll.dll!NtCreateUserProcess ntdll.dll!NtCreateWaitCompletionPacket ntdll.dll!NtCreateWorkerFactory ntdll.dll!NtDelayExecution ntdll.dll!NtDeviceIoControlFile ntdll.dll!NtDuplicateObject ntdll.dll!NtDuplicateToken ntdll.dll!NtEnumerateKey ntdll.dll!NtEnumerateValueKey ntdll.dll!NtFlushBuffersFile ntdll.dll!NtFlushProcessWriteBuffers ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtFsControlFile ntdll.dll!NtGetCachedSigningLevel ntdll.dll!NtGetCompleteWnfStateSubscription ntdll.dll!NtGetNextProcess ntdll.dll!NtImpersonateAnonymousToken ntdll.dll!NtMapViewOfSection ntdll.dll!NtNotifyChangeKey ntdll.dll!NtOpenDirectoryObject ntdll.dll!NtOpenEvent ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenKeyEx ntdll.dll!NtOpenMutant ntdll.dll!NtOpenProcess ntdll.dll!NtOpenProcessToken ntdll.dll!NtOpenProcessTokenEx ntdll.dll!NtOpenSection ntdll.dll!NtOpenSemaphore ntdll.dll!NtOpenSymbolicLinkObject ntdll.dll!NtOpenThread ntdll.dll!NtOpenThreadToken ntdll.dll!NtOpenThreadTokenEx ntdll.dll!NtPowerInformation ntdll.dll!NtProtectVirtualMemory ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryDebugFilterState ntdll.dll!NtQueryDefaultLocale ntdll.dll!NtQueryDirectoryFile ntdll.dll!NtQueryDirectoryFileEx ntdll.dll!NtQueryEvent ntdll.dll!NtQueryFullAttributesFile ntdll.dll!NtQueryInformationFile ntdll.dll!NtQueryInformationJobObject ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryKey ntdll.dll!NtQueryLicenseValue ntdll.dll!NtQueryObject ntdll.dll!NtQueryPerformanceCounter ntdll.dll!NtQuerySecurityAttributesToken ntdll.dll!NtQuerySecurityObject ntdll.dll!NtQuerySymbolicLinkObject ntdll.dll!NtQuerySystemInformation ntdll.dll!NtQuerySystemInformationEx ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile 90 additional items are not displayed above.
Anti Debug	CheckRemoteDebuggerPresent IsDebuggerPresent NtQuerySystemInformation
User Data Access	GetComputerName GetComputerNameEx GetUserDefaultLocaleName GetUserName GetUserNameEx GetUserObjectInformation OpenClipboard
Process Terminate	TerminateProcess
Network Winhttp	WinHttpConnect WinHttpOpen WinHttpOpenRequest WinHttpReadData WinHttpReceiveResponse WinHttpSendRequest
Other Suspicious	AdjustTokenPrivileges
Network Info Queried	GetAdaptersInfo
Network Winsock2	WSAStartup
Network Winsock	closesocket connect gethostbyname recv send socket
Network Wininet	HttpOpenRequest HttpQueryInfo HttpSendRequest InternetConnect InternetOpen InternetOpenUrl InternetQueryOption InternetReadFile InternetSetOption
Encryption Used	BCryptOpenAlgorithmProvider
Thread Create Remote	CreateRemoteThread

Shell Command Execution


							open C:\Users\Lltzmbaf\AppData\Local\Temp\cpdpmqidgn.exe "C:\Users\Lltzmbaf\AppData\Local\Temp\zzvaoichuv.exe" "c:\users\user\downloads\a5198f2c88266eb1a5f7cb172ac2547b94b99a5a_0003744669"


							C:\Users\Lltzmbaf\AppData\Local\Temp\iazrzjvzkx.exe


							C:\WINDOWS\System32\cmd.exe /c sc config msdtc obj= LocalSystem


							open c:\users\user\downloads\a5198f2c88266eb1a5f7cb172ac2547b94b99a5a_0003744669


							WriteConsole: 'sc' is not reco


									C:\Users\Lltzmbaf\AppData\Local\Temp\0V4Ud4FG.bat (NULL)


									C:\WINDOWS\System32\bindsvc.exe (NULL)


									WriteConsole:


									WriteConsole: c:\users\user\do


									WriteConsole: Del


									WriteConsole:  "C:\Users\Lltzm


									WriteConsole:


									WriteConsole:


									WriteConsole: c:\users\user\do


									WriteConsole: if


									WriteConsole: exist "C:\Users\


									WriteConsole: goto


									WriteConsole:  Repeat 1


									WriteConsole:


									WriteConsole:


									WriteConsole: c:\users\user\do


									WriteConsole: Del


									WriteConsole:  "C:\Users\Lltzm


									WriteConsole:


									WriteConsole: The batch file c


									C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\810a29eaa2a06462de2cfba4d67c289500b72bc8_0000112640.,LiQMAxHB


									open C:\Users\Txrptoot\AppData\Roaming\suovby.exe


									open schtasks.exe /query /tn "Google Chrome AutoUpdater"


									open schtasks.exe /create /sc minute /tn "Google Chrome AutoUpdater" /tr "C:\Users\Txrptoot\AppData\Roaming\suovby.exe"


									open C:\Users\Txrptoot\AppData\Roaming\syscrost.exe


									open C:\Users\Txrptoot\AppData\Roaming\services.exe


									C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (NULL)


									"C:\Users\Utgrlwhh\AppData\Local\Temp\chromelevator_d29469c3b58b47cfa58d615c734a4682.exe" --verbose --output-path C:\Users\Utgrlwhh\AppData\Local\Temp\injector_output_9165cc5d97574a6c9dacbb2a2e0ec5f1 chrome


									"C:\Users\Utgrlwhh\AppData\Local\Temp\chromelevator_63e07a943f454b36996924db82d6b62e.exe" --verbose --output-path C:\Users\Utgrlwhh\AppData\Local\Temp\injector_output_9165cc5d97574a6c9dacbb2a2e0ec5f1 chrome


									"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --disable-gpu --disable-software-rasterizer --no-sandbox


									"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --disable-gpu --disable-software-rasterizer --no-sandbox


									powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'c:\users\user\downloads'"


									C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\0f8f854b3bf168261594e9794c22a9f6ad6bb4b0_0001132032.,LiQMAxHB


									powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "(Get-WmiObject -Class Win32_ComputerSystemProduct).UUID"


									open schtasks.exe /query /tn "Windows SystemEnv Core"


									open schtasks.exe /create /sc minute /tn "Windows SystemEnv Core" /tr "c:\users\user\downloads\875d31a7ff19a4e443f7a40ceba9e1ded2007777_0000362496"


									runas C:\Users\Jebwtqpe\AppData\Roaming\0ED00D722C161117388365\0ED00D722C161117388365.exe


									"C:\WINDOWS\system32\rundll32.exe" "C:\Users\Tcvxatmr\AppData\Roaming\Adobe\Adobe.dll",start

EnigmaSoft’s Payment Processor Digital River GmbH Filing for Bankruptcy Does Not Impact SpyHunter Customers’ Anti-Malware Protection

Search

Change Region

Trojan.ReflectiveLoader

Threat Scorecard

EnigmaSoft Threat Scorecard

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

File Icons

File Icons

Windows PE Version Information

Windows PE Version Information

File Traits

Block Information

Block Information

Visual Map

Similar Families

Similar Families

Files Modified

Files Modified

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

Submit Comment

Trending

Trojan.Kryptik.JUD

Trojan.Agent.MBD

PUP.Baidu.A

Most Viewed

Pornktube.porn

How To Fix 'Printer Driver is Unavailable' Error

Discord Shows Black Screen when Sharing Screen