Multi-License Discount Quote

Change Region

English
Threat Database Trojans Trojan.ShellCodeLoader

Trojan.ShellCodeLoader

By CagedTech in Trojans

Threat Scorecard

Popularity Rank: 809
Threat Level: 80 % (High)
Infected Computers: 33,148
First Seen: January 11, 2024
Last Seen: April 20, 2026
OS(es) Affected: Windows

Analysis Report

General information

Family Name: Trojan.ShellCodeLoader
Signature status: No Signature

Known Samples

MD5: 4f285cb9b994d0b7b0474a98765c37c5
SHA1: ac35a9d95d9e19cf98983ed0756fac9c59e80a34
File Size: 1.08 MB, 1075712 bytes
MD5: 9610824fe5e0a02925278438389367ba
SHA1: ab1d7dc1dab9958ae49dfc9dcdfea17c59c1cfb8
File Size: 1.74 MB, 1739264 bytes
MD5: 4615109044d631ecf36b80bede6a7b31
SHA1: d0e505613db90ba651b5adf54902ffa21066ac16
File Size: 795.14 KB, 795136 bytes
MD5: 60d689b86f1f74f00e1066d7a4db44eb
SHA1: 89901eb543957b8b9a469c4eec0cc65eb64e525c
File Size: 468.48 KB, 468480 bytes
MD5: e5c24700889bd6996a9552a980e3c81a
SHA1: e0f87b3f115bd57586ca4e292236a0ef840d685c
File Size: 392.97 KB, 392972 bytes
Show More
MD5: 1b7af44f266b0ce7ca589e96cb572127
SHA1: 05966796996d9f99086bfef695f453888d853506
File Size: 498.69 KB, 498688 bytes
MD5: aa82cc14dc0273a8ad5105d73d7f611d
SHA1: d54d287c24c8233f6569a661d96fd13c22ad53dc
SHA256: B32CCC93308193BB31F6CE0F6B31D79289C2961C4705B0E683111EF8CFF457D8
File Size: 1.54 MB, 1539464 bytes
MD5: c07842f8f947d5fa8cdd1b997638d4b1
SHA1: 12bd2e71675fba01d979fe68238b7c02c4b736d2
SHA256: 20D665798795391FB8ECE168E125BA72791D20282417DB753AF50262B11F4F51
File Size: 1.55 MB, 1550120 bytes
MD5: 84abd7265ead89f1c43be6cb261c43de
SHA1: 24c9844518e74701f7e47b7673d8db145b86a7a4
SHA256: 910C55FFDADD65B0CA97C95DEDE0C3AE5D3CDBE0122C88032766F8F941E3846E
File Size: 1.14 MB, 1142272 bytes
MD5: 4dd16a3b977582bf34be450752e7e338
SHA1: 098de81a4b7dec1643f652fd0d700ba8076e6c90
SHA256: 5F60B2DB0C30F0B2FB394021FD48439C17589DE3B79FB3E68BE9173CE409AC34
File Size: 1.55 MB, 1550120 bytes
MD5: db33ded87c0354607469474b38f42e52
SHA1: b38acd05e6f60ff1e3619a0ab1d690b489a60f6e
SHA256: 4E87FA34FE7721981C4AA54EC412784E2FFDD7C250FEA3EF2466F530016F92DF
File Size: 15.87 KB, 15872 bytes
MD5: eab532c58b62a82be5c10eb6cd2afc42
SHA1: 7c33c4679958499d27943f842581b4891a77d55f
SHA256: 9AA7CC1B0B5541B61CF4DEA15AD4BDE4280D2FDC746435816A0F7579ADA53F3B
File Size: 1.25 MB, 1252864 bytes
MD5: 0c4827d02d0a396b9f54f42243e4ad09
SHA1: bffc7a5c318f5758d0bb8b2f0bf0d42e9e6ac728
SHA256: AAF78544B8650810D923B117DC02DF06BE1184B89F8CF58AB4374A6C9E554E1F
File Size: 99.84 KB, 99840 bytes
MD5: 41af82cbcea9a7df4f8a5552dc47c36e
SHA1: c755fcd7521148c77e293efc412b1e2431945309
SHA256: F50FFCB9841F0694CBFD2852C1AAF84AAA0E6B22212B66537F8BB160E0A2FD4D
File Size: 978.43 KB, 978432 bytes
MD5: 902b6709b2ab81b471b25dc9ee9197c9
SHA1: 2a854b883e16f035fafe414c2dd2fe7477dce50a
SHA256: 1C42C26FAC13D9B6B7757C3FDD85FD05BED21E3586AA4354250332B792A4AEF9
File Size: 493.06 KB, 493056 bytes
MD5: 68c679db236cc77e207c7e893a898d69
SHA1: d1753b63900233b53294cae02dfd19099ccc94d7
SHA256: F87553628DAE61C03B0CBC001C25908D734AB62D4D2BBDC823357108939D8340
File Size: 33.28 KB, 33280 bytes
MD5: c02bb6d77d6ac0016107ec40e4fe4b5d
SHA1: 1670b3a2069927f2e2cedccd3a8a18089d4743ba
SHA256: A9AF66D298B2F7AC8FE0E914738CD757C30BC448AFBA3CC0D71194E17E6FE69A
File Size: 59.39 KB, 59392 bytes
MD5: 2bcfc367d243ef65934762d8bbfcc043
SHA1: 8b75c574570108c4c109c4fefdc13560ea6c5a3f
SHA256: 71837AC4E360F836F48F77A5B9F7F331012D0B4803E6C8B708CA6C327146A235
File Size: 1.55 MB, 1550176 bytes
MD5: c42f517698f4b8130057c81fae239f73
SHA1: 15b31aa0aefc2ec2455da38bf565149e1d0a4fae
SHA256: 04A30A8D94E9C6E43BC06AC4045D528DFB01FEC4D6B06B4323304B41855BF986
File Size: 521.73 KB, 521728 bytes
MD5: 9b8c9665bb1ddb63772a83bf06f8cab0
SHA1: f3e6deb0740fa7654134b3b4bfdc6cad01e1ac80
SHA256: F3B15B13E5B77833EDD63EDEDA1E94CCA7F05AB05EAEAAB060A240EB2B94911D
File Size: 1.38 MB, 1377280 bytes
MD5: aaf55cc65d487fffb1af9d707fdcf77b
SHA1: 17e3c1a3c85621b1a7066fbd59e57d8c3cc23142
SHA256: B43ADB6171BB87A669727B5D39C10F45324C5024F43DB6C8EC32F36F8C75EB7F
File Size: 16.38 KB, 16384 bytes
MD5: 4189eb05c47ae4b4a57de57f58b7b9e3
SHA1: d9a66524118b4bcb3da86e5ef1ae0f1f39d78dce
SHA256: 24840528F7CD7BB44137A3C3D8D307254F5B9AB9023D1F0C44477DADED374807
File Size: 857.60 KB, 857600 bytes
MD5: 70385357adae5090d1a6480c8f25cca4
SHA1: fb0e913fcc4079809eee19819e8575412d7aedff
SHA256: 1F43B8B32E2E5F0637E30B1800212F4FEA4AC53D33C1E477DFDAD7CFDFBEF3F3
File Size: 1.80 MB, 1800192 bytes
MD5: 13dbc64150b9ad909ba85663f08fabdb
SHA1: 44f03a42e3f0bda015fc034e2a6f1ff0b960b5cd
SHA256: 24B23FFC1784FC7258CA77514BF3E697C31B6AACABA474A90C9FCDCEEDF740C1
File Size: 1.54 MB, 1539464 bytes
MD5: 93d63eb4a2638127a84d8692d76efa76
SHA1: 6bbb4632f64614c66613d0412e016357e2aff1a3
SHA256: 86268AA3EEE1D8AD3911FF6792E38E6C6AF56459981883BA275F55D41560943C
File Size: 1.74 MB, 1739776 bytes
MD5: dce28da10c1c41bfba7b6783d4310e19
SHA1: db23496dd8fea9667de66e7578604a4b3ca89579
SHA256: 274E6575220B03F1A6E927FF98A636D106887F8485B89AD9337FFB4C3B2284E9
File Size: 2.35 MB, 2348544 bytes
MD5: f7e382870ad56ee105a63c5b07298392
SHA1: 3d1a0b5fcf53b8c302f287264ffc0c91a19b8b5a
SHA256: CD00E0383B4DCE2FFD78614C586BF9629DF4BCC02C09CF439421FD9AF798050F
File Size: 131.58 KB, 131584 bytes
MD5: 0a02f45ea495f6de1736fbcb4b30eef7
SHA1: 8612305cee38f10148566a5365623bdbfba7da53
SHA256: D246DFB4EB36D2EED5597F400C4E982335DCAA01399403E6117F9FB5C7078E13
File Size: 2.79 MB, 2788352 bytes
MD5: 68f1b1d12f4d36d760c31c456068a04f
SHA1: 4f7521921d05eb17a56781e07762140cf851b685
SHA256: B2BCCAB36BB1BF06F4162FFAC03DAEC221E8F3D02A3B1585F6028EC69BD647D6
File Size: 1.22 MB, 1215488 bytes
MD5: 3d2285f8b58c9bb14634347c3a64d7c1
SHA1: 374349b2cb52ed72afcb42a62d75e96a6191e60a
SHA256: F00C947A50CA9B4DDB4371E0EA40BBE350F66F5D9DA0FB65F590B2A1A874F0AD
File Size: 1.59 MB, 1588104 bytes
MD5: e4e46712745cf140da1b3c20109d4429
SHA1: 2a6aaa6d0e051f049c6dcbfd35822ea880243b02
SHA256: 5319FDD4B0410B661AAB265C21E128E33593DBFEB2C0B81EDFF171E19EB0E6AA
File Size: 2.27 MB, 2265088 bytes
MD5: bf080370b24cf7ba0cf96f3c316a7fab
SHA1: ba63dfc037521159ece2019fd770e9fcc7f1e4f7
SHA256: 551003C10C11DCCB07D2B386413DCDBB3EC9DD671E6A239F79BD2A85E78BC422
File Size: 2.84 MB, 2843648 bytes
MD5: d82f0ab530b771c131934c115a83a615
SHA1: 38b1d14442ea91ca2a15cab6d62460ea5f657bc8
SHA256: 5B313BBAA87DA4A71ACE0723E4D6E92916C91759439FA8B23C1E093CE7BF9585
File Size: 974.85 KB, 974848 bytes
MD5: 64d743d87f4b894934462da2df1e2ffe
SHA1: 49284e2fc8a9cbce87d2f264cd82070c96bdebd0
SHA256: 6AF59C91F6D8AE063803A7D318E08EE88196425B39CB79B55B9C23E0D45F9AF9
File Size: 7.68 KB, 7680 bytes
MD5: 14d56915a9c755d780cce18f57152c6d
SHA1: e713f0625d93d51dc5a02c5d03c12134c0375093
SHA256: C3EEDE99459A16CA90F7CC62CDAE861967413DC1CB5D6393E86F146BEAEF734F
File Size: 822.27 KB, 822272 bytes
MD5: bbfad9768255a720b56b60ee02c3ba3f
SHA1: eff2fc55e117978dbea427fbacbb2bab0038a537
SHA256: E15DDD7B83344F9F7112F0EF9862BEACCD7C5B201A83A15D0C87405F36856ED0
File Size: 82.43 KB, 82432 bytes
MD5: fda1bb46a6792cb733603e8bad4d13e0
SHA1: 2e9b597712df1ff9d9b0d3925c659c6621ca1974
SHA256: 84F9F1188BCC35328FEE791AF0130D90D693414B4ACAB38FBF17D1D46B9CE85B
File Size: 494.08 KB, 494080 bytes
MD5: a43af276038662bbee684866695736d6
SHA1: 5f4474b33986412941362b90d8562673b4be4761
SHA256: 65528BDE3CCD503F443C1803BE289262A397C522C595246D77DBED9B3276B8AD
File Size: 4.22 MB, 4222976 bytes
MD5: b065d21a5bcdd310f7f71ecb1e343bc1
SHA1: ac98d809945115207d274335c05a90048f5b1ba9
SHA256: 29CE1F2353C17A2F5535D4558F943104042F9F6CD30F54D7691BB03AE21AF06F
File Size: 909.31 KB, 909312 bytes
MD5: c0acb60ac3bb48c268a0bc8a08f8c3e9
SHA1: b0a9cb1ba383df24f50a07878d9d0538e32f9637
SHA256: D1B69FA9067C378DA8C1105569B8BA9690EA6ADBA738211704B6A920BB1E30F6
File Size: 568.83 KB, 568832 bytes
MD5: e5508e817a3c3c4c37984dc4b71c9f4b
SHA1: af788531c265ffcf5756f18ac0e50c40f4274c36
SHA256: 04D50068078F4C0662DFAB9F93EE5ECDBFDD8736B7B4265F273166F068F8CAD7
File Size: 557.06 KB, 557056 bytes
MD5: 3ec6b8ce4282b9f1740cbc6bf4c7e16c
SHA1: 27c9c9220599043a8e0a2639928ba81c70553861
SHA256: BDA2D23339CDF43513BD61CBC77C11DB303D3B900F6A99A985B3AC02B31D1A8B
File Size: 69.12 KB, 69120 bytes
MD5: 109723b0cba6dc257bc9acf2047441d2
SHA1: 1377299e6a0241e090e4b5e98e15462ed4cc33c6
SHA256: 5258C20CE2AF940503E25B5DC10F3908D59718058D126EFE89268991225FC506
File Size: 1.70 MB, 1700352 bytes
MD5: 20e517e11be8be7059a8c5b4252a0711
SHA1: a4bb566184330f5540e952074802f33135b0bf25
SHA256: 8863241FC194FFD4C4AE7F738B915E3899A306B05A4613137C58B39F40ECFC7A
File Size: 22.53 KB, 22528 bytes
MD5: 6e9c39cce812d454dba772fc36070d81
SHA1: e7493c738aa1f0456f45b3096fcd3ba35e19d387
SHA256: 8C80197ED22922A713DE53609F2BFE18B2175E9A57A4713766B8CE01817BA1AF
File Size: 9.22 KB, 9216 bytes
MD5: 5a800d595a17e4d912f2c37d61efa93c
SHA1: 11e02622345f577bfce719f3ab7e37f06b837280
SHA256: 99DCF6224AC79B9C7B8B97BB316F41A46FE8AC69AF3D9EA909C9373338104EF2
File Size: 1.07 MB, 1072640 bytes
MD5: 512926f1dd221bddd0819f237862c467
SHA1: b73091f29635e105cc3ef141b21f257cca94c2e0
SHA256: D995863B742C3F4BDD84C38EA96797EFA8891718E12814D3C9A59111EEAA1F8F
File Size: 245.76 KB, 245760 bytes
MD5: 48101d6a29e5b1d6cbd6d39ceac5dd9e
SHA1: b9ff9c5dad8325e6e51118d64c2aa2b07066ce4d
SHA256: D03CB230212ABAECEB8B46E62DC59DD87E331FEDCE03D57348FA27DEA38CCBBD
File Size: 9.01 MB, 9006592 bytes
MD5: 496241789102da89845a62d11e1e8a4c
SHA1: b15d947c45bfcab05f7992c5db47cf73f70d1403
SHA256: F89A4976747C3D6BA8F3E6981FABB1B03BC213E8F52A4C08CD08E500AF6C2E09
File Size: 9.88 MB, 9883136 bytes
MD5: f26aef12a535d98b9d93e7ca005d6ae8
SHA1: 40b6de83de62488680aea3be25ac889168f8805e
SHA256: 93916CABAE517FEF8A244C9ABD0AFAA09752927C4D9750206602D9B3A9A80EBD
File Size: 39.94 KB, 39936 bytes
MD5: ad4eb99dda989e7897572971b99e0d3e
SHA1: 7b986cf27184e79bcf3523572be3e247cf3727e5
SHA256: C74CBD9A63BEA7004FE6B6455B4EF8FE1265EFDA7CEEF496B14240BD11AADB87
File Size: 4.51 MB, 4513792 bytes
MD5: fa4c26010a0b3c65147799749820a125
SHA1: 17ab71f04a6f685d9dc5f92ca9078e984af14ad7
SHA256: BEE638F563E3FDBC18CA28AC5619DB2B3197447F229D13F392D17BB6434990F5
File Size: 222.72 KB, 222720 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have resources
  • File doesn't have security information
  • File has exports table
  • File has TLS information
  • File is "other" type (not driver, not console, not GUI)
  • File is .NET application
Show More
  • File is 32-bit executable
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name Value
Assembly Version 1.0.0.0
Comments
  • 2014-07-16 00:00:00
  • Windows System Cache Management Service
Company Name
  • Chronic-Dev Team
  • Deep Sea Coding
  • Hunter Systems
  • Microsoft Corporation
  • Software
  • Tencent Inc.
File Description
  • Absinthe iOS 5.1.1 untethered jailbreak
  • Desktop Application
  • maintenance
  • Network stress testing and packet flooding utility.
  • Player and entity signature tracking across the environment.
  • QQ浏览器
  • Windows System Cache Manager
  • 腾讯TBS
File Version
  • 4.4.1
  • 4.1.0
  • 3.7.1
  • 2.0.0
  • 1.0.1175.400
  • 1.0.0.400
  • 1.0.0.0
  • 1, 0, 0, 1310
Internal Name
  • absinthe2.0
  • CTCNotUpdated.exe
  • minibrowser_shell.dll
  • SimpleRunPE.exe
Legal Copyright
  • Copyright (C) 1999-2017 Tencent. All Rights Reserved
  • Copyright (C) 2024 Deep Sea Coding
  • Copyright (C) 2024 Hunter Systems
  • Copyright © 2016
  • Copyright © 2021 Tencent. All Rights Reserved.
  • Copyright © 2026
  • Copyright © Microsoft Corporation. All rights reserved.
  • © 2011-2012 Chronic-Dev Team. All rights reserved.
Original Filename
  • app.exe
  • CTCNotUpdated.exe
  • minibrowser_shell.dll
  • SimpleRunPE.exe
Product Name
  • App
  • Bloodhound
  • Chronic-Dev Absinthe
  • Leviathan
  • maintenance
  • QQ浏览器
  • Windows System Cache Manager
  • 腾讯TBS
Product Version
  • 4.4.1
  • 4.1.0
  • 3.7.1
  • 2.0.0
  • 1.0.0.0
  • 1, 0, 1175, 400
  • 1, 0, 0, 1310
  • 1, 0, 0, 400
Special Build 127

Digital Signatures

Signer Root Status
Tencent Technology(Shenzhen) Company Limited DigiCert Assured ID Code Signing CA-1 Self Signed
Tencent Technology(Shenzhen) Company Limited DigiCert SHA2 Assured ID Code Signing CA Self Signed
Tencent Technology (Shenzhen) Company Limited DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 Self Signed
Tencent Technology(Shenzhen) Company Limited Symantec Class 3 SHA256 Code Signing CA Self Signed
Tencent Technology(Shenzhen) Company Limited VeriSign Class 3 Code Signing 2010 CA Self Signed

File Traits

  • .NET
  • 2+ executable sections
  • dll
  • fptable
  • GetConsoleWindow
  • HighEntropy
  • imgui
  • JMC
  • No Version Info
  • ntdll
Show More
  • VirtualQueryEx
  • WriteProcessMemory
  • x64
  • x86

Block Information

Total Blocks: 462
Potentially Malicious Blocks: 13
Whitelisted Blocks: 88
Unknown Blocks: 361

Visual Map

? ? ? ? ? ? ? ? 0 0 0 0 0 0 ? ? ? 0 ? 0 x ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 0 0 ? ? ? ? ? ? ? ? ? 0 0 0 0 0 ? ? ? ? ? 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? x ? ? ? 0 ? ? 0 0 ? 0 ? ? ? ? ? ? 0 0 ? ? ? ? 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 ? ? ? ? ? ? ? ? ? ? ? ? 0 ? ? ? ? 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 ? ? ? ? ? ? ? ? ? x ? x ? ? ? ? 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 ? ? ? ? ? ? ? 0 ? ? ? ? ? ? ? ? ? ? ? ? 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 0 ? ? ? ? ? ? ? x 0 ? ? ? ? 0 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? x ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 0 0 ? 0 0 0 ? ? 0 0 0 0 0 0 0 0 x ? ? ? ? ? ? ? ? ? ? ? x x ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 ? ? ? ? ? ? ? ? ? 0 ? x ? 0 0 x ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? 0 ? ? ? x x 0 0 0 0 ? 0 0 0 ? 0 ? 0 0 0 0 ? ? 0 0 0 0 ? ? 0 0 0 0 0 0 0 ? ? ? 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Agent.OPSA
  • Agent.THB
  • Agent.UTA
  • Agent.XSKB
  • Agent.ZFBJ
Show More
  • Agent.ZFKD
  • BypassUAC.Y
  • BypassUAC.Z
  • CobaltStrike.BL
  • CsgoInjector.FB
  • DcRat.A
  • Downloader.Agent.BTF
  • Downloader.Agent.BTW
  • Filecoder.RO
  • Gamehack.GACI
  • Gamehack.GAII
  • Gamehack.PS
  • Kryptik.BJA
  • Kryptik.FSJ
  • Kryptik.KBBI
  • Kryptik.ODV
  • Marte.MD
  • Metasploit.A
  • Remcos.HD
  • Remcos.HF
  • Remcos.HG
  • Remcos.HH
  • Remcos.HK
  • ReverseShell.PE
  • ShellcodeRunner.G
  • ShellcodeRunner.XJ
  • Trojan.Agent.Gen.AEM
  • Trojan.Agent.Gen.AFN
  • Trojan.Agent.Gen.RD
  • Trojan.Downloader.Gen.HM
  • Trojan.Downloader.Gen.HN
  • Trojan.Downloader.Gen.KB
  • Trojan.Filecoder.Gen.AZ

Files Modified

File Attributes
\device\namedpipe Generic Write,Read Attributes
\device\namedpipe\pshost.134211687570419764.8844.defaultappdomain.powershell Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\sql\query Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\sqllocal\mssqlserver Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files (x86)\cheat engine Read Attributes,Synchronize,Write Attributes,Delete
c:\programdata\amarrado\amarrado.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\programdata\microsoft\windows\caches\d3f4e2a1 Synchronize,Write Attributes
c:\programdata\microsoft\windows\caches\d3f4e2a1\.w Generic Write,Read Attributes
c:\programdata\microsoft\windows\caches\d3f4e2a1\runtimehost.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\programdata\microsoft\windows\caches\d3f4e2a1\runtimehost.exe Synchronize,Write Attributes
Show More
c:\programdata\remcos\remcos.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\programdata\word\oficces.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.0.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.1.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.2.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\__psscriptpolicytest_vqusfcdw.jwv.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_whk0kp54.yjn.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\~update.tmp.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\roaming\genemis\offsets.toml Generic Write,Read Attributes
c:\users\user\appdata\roaming\microsoft\windows\templates\svc_host.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\windows\softwaredistribution\download\90fag.exe Generic Read,Generic Execute,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 786496
c:\windows\softwaredistribution\download\90fag.sys Generic Read,Generic Execute,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 786496

Registry Modifications

Key::Value Data API Name
HKLM\software\wow6432node\microsoft\windows\currentversion\run::amarrado-8cfo22 "C:\ProgramData\AMARRADO\AMARRADO.exe" RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 밟쌋♆ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe ೥♵ǜ RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer::slowcontextmenuentries RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\content::cacheprefix RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\cookies::cacheprefix Cookie: RegNtPreCreateKey
Show More
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\history::cacheprefix Visited: RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe ♵ǜ RegNtPreCreateKey
HKCU\software\microsoft\edge\blbeacon::failed_count RegNtPreCreateKey
HKCU\software\microsoft\edge\blbeacon::state  RegNtPreCreateKey
HKCU\software\microsoft\edge\thirdparty::statuscodes (NULL) RegNtPreCreateKey
HKCU\software\microsoft\edge\thirdparty::statuscodes  RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 䀋敫✄ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 驚礊⟒ǜ RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::rmc-f51lac "C:\ProgramData\Remcos\remcos.exe" RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\run::rmc-f51lac "C:\ProgramData\Remcos\remcos.exe" RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 歅㦓㐼ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 愵빲煺ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 䢻뻛煺ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 뼩煺ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe ꏧ뽸煺ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 돂뿉煺ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 쎗쀚煺ǜ RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\winlogon::userinit C:\Windows\system32\userinit.exe,,c:\users\user\downloads\4f7521921d05eb17a56781e07762140cf851b685_0001215488 RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::windowsdefenderhelper c:\users\user\downloads\4f7521921d05eb17a56781e07762140cf851b685_0001215488 RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 축쫐觶ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe ⥔쭮觶ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe ﰛ쯢觶ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe ੑ챓觶ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 簟쳅觶ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 挿촮觶ǜ RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\winlogon::userinit C:\Windows\system32\userinit.exe,,c:\users\user\downloads\e713f0625d93d51dc5a02c5d03c12134c0375093_0000822272 RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::windowsdefenderhelper c:\users\user\downloads\e713f0625d93d51dc5a02c5d03c12134c0375093_0000822272 RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::rmc-litpvw "C:\ProgramData\Word\Oficces.exe" RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\run::rmc-litpvw "C:\ProgramData\Word\Oficces.exe" RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 퉏跒鉏ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe ᵇ踟鉏ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe ᵇ踟鉏ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 殆踭鉏ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 氲혻뾇ǜ RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc4c75 ᇤā锜\ďᨭ耇В$€€᫑ᛰŒÔ봙àëL湯捥牯履潣屭潣扭獡履慣慴潬屧慣慴潬⹧硣x〴㙢敤㌸敤㈶㠴㘸〸敡㍡敢㔲捡㠸ㄹ㠶㡦〸攵た〰〰㤳㌹6潣扭獡⹥汤l湯捥牯略灡楜瑮牥慮屬桳汥屬湩屣牰癩瑡履桓牡摥瑓牯条卥畯捲獥獜湣瑯晩⹹灣p䡓䱅㍌⸲汤l桳潣敲搮 RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\run::winsyscache C:\ProgramData\Microsoft\Windows\Caches\D3F4E2A1\RuntimeHost.exe RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::winsyscache C:\ProgramData\Microsoft\Windows\Caches\D3F4E2A1\RuntimeHost.exe RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 膡驙탑ǜ RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAccessCheckByType
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAdjustPrivilegesToken
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAllocateLocallyUniqueId
  • ntdll.dll!NtAlpcAcceptConnectPort
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreatePort
Show More
  • ntdll.dll!NtAlpcCreatePortSection
  • ntdll.dll!NtAlpcCreateSectionView
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcDeleteSecurityContext
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcQueryInformationMessage
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtAlpcSetInformation
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtCancelTimer2
  • ntdll.dll!NtCancelWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtCompareSigningLevels
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateNamedPipeFile
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateTransaction
  • ntdll.dll!NtCreateUserProcess
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFlushProcessWriteBuffers
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtFsControlFile
  • ntdll.dll!NtGetCachedSigningLevel
  • ntdll.dll!NtGetCompleteWnfStateSubscription
  • ntdll.dll!NtGetContextThread
  • ntdll.dll!NtGetWriteWatch
  • ntdll.dll!NtImpersonateAnonymousToken
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenKeyTransactedEx
  • ntdll.dll!NtOpenMutant
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtPowerInformation
  • ntdll.dll!NtPrivilegeCheck
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryEvent
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationJobObject
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemEnvironmentValueEx
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory

168 additional items are not displayed above.

Anti Debug
  • CheckRemoteDebuggerPresent
  • IsDebuggerPresent
  • NtQuerySystemInformation
Network Urlomon
  • URLDownloadToFile
User Data Access
  • GetComputerName
  • GetUserDefaultLocaleName
  • GetUserObjectInformation
Network Winsock2
  • WSAStartup
Network Info Queried
  • GetAdaptersAddresses
  • GetAddrInfo
  • GetNetworkParams
Network Winsock
  • accept
  • bind
  • closesocket
  • connect
  • freeaddrinfo
  • getaddrinfo
  • getpeername
  • getsockname
  • recv
  • send
Show More
  • setsockopt
  • socket
Process Shell Execute
  • CreateProcess
  • ShellExecute
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ReadProcessMemory
Service Control
  • OpenSCManager
  • OpenService
Encryption Used
  • BCryptOpenAlgorithmProvider
Process Terminate
  • TerminateProcess
Keyboard Access
  • GetAsyncKeyState
Other Suspicious
  • AdjustTokenPrivileges

Shell Command Execution

C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\d54d287c24c8233f6569a661d96fd13c22ad53dc_0001539464.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\12bd2e71675fba01d979fe68238b7c02c4b736d2_0001550120.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\098de81a4b7dec1643f652fd0d700ba8076e6c90_0001550120.,LiQMAxHB
C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c pause
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\8b75c574570108c4c109c4fefdc13560ea6c5a3f_0001550176.,LiQMAxHB
Show More
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\44f03a42e3f0bda015fc034e2a6f1ff0b960b5cd_0001539464.,LiQMAxHB
C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c cls
C:\WINDOWS\system32\netsh.exe "netsh" advfirewall firewall add rule name=Telemetry_In_57001 dir=in action=allow protocol=TCP localport=57001
C:\WINDOWS\system32\netsh.exe "netsh" advfirewall firewall add rule name=Telemetry_Out_57001 dir=out action=allow protocol=TCP localport=57001
C:\WINDOWS\system32\netsh.exe "netsh" advfirewall firewall add rule name=Telemetry_In_57002 dir=in action=allow protocol=TCP localport=57002
C:\WINDOWS\system32\netsh.exe "netsh" advfirewall firewall add rule name=Telemetry_Out_57002 dir=out action=allow protocol=TCP localport=57002
C:\WINDOWS\system32\netsh.exe "netsh" advfirewall firewall add rule name=Telemetry_In_56001 dir=in action=allow protocol=TCP localport=56001
C:\WINDOWS\system32\netsh.exe "netsh" advfirewall firewall add rule name=Telemetry_Out_56001 dir=out action=allow protocol=TCP localport=56001
C:\WINDOWS\system32\schtasks.exe "schtasks" /Create /F /SC ONLOGON /TN WindowsUpdateAssist /TR c:\users\user\downloads\4f7521921d05eb17a56781e07762140cf851b685_0001215488 /RL HIGHEST
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\374349b2cb52ed72afcb42a62d75e96a6191e60a_0001588104.,LiQMAxHB
C:\WINDOWS\system32\schtasks.exe "schtasks" /Create /F /SC ONLOGON /TN WindowsUpdateAssist /TR c:\users\user\downloads\e713f0625d93d51dc5a02c5d03c12134c0375093_0000822272 /RL HIGHEST
C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c color 5
runas C:\WINDOWS\SoftwareDistribution\Download\90fAG.exe -map C:\WINDOWS\SoftwareDistribution\Download\90fAG.sys
C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c color 6
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\af788531c265ffcf5756f18ac0e50c40f4274c36_0000557056.,LiQMAxHB
"schtasks.exe" /create /tn "Windows System Health" /tr "C:\ProgramData\Microsoft\Windows\Caches\D3F4E2A1\RuntimeHost.exe" /sc onlogon /rl HIGHEST /f
"schtasks.exe" /create /tn "Windows System Health Monitor" /tr "C:\ProgramData\Microsoft\Windows\Caches\D3F4E2A1\RuntimeHost.exe" /sc onstart /delay 0001:00 /rl HIGHEST /f
"schtasks.exe" /create /tn "Windows System Health Check" /tr "C:\ProgramData\Microsoft\Windows\Caches\D3F4E2A1\RuntimeHost.exe" /sc minute /mo 5 /rl HIGHEST /f
"powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath @('C:\','C:\ProgramData\Microsoft\Windows\Caches\D3F4E2A1\','C:\ProgramData\Microsoft\Windows\Caches\D3F4E2A1\RuntimeHost.exe','C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\','C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\','C:\Users\Xiusvdpb\AppData\Roaming\Microsoft\Windows\Caches\D3F4E2A1\','C:\Users\Xiusvdpb\AppData\Local\Microsoft\Windows\Caches\D3F4E2A1\','C:\ProgramData\Microsoft\Windows\Caches\D3F4E2A1\Content.IE5\','C:\Users\Xiusvdpb\AppData\Local\Temp\','C:\WINDOWS\Temp\','C:\ProgramData\Microsoft\Windows\Caches\D3F4E2A1\B8C9\') -ErrorAction SilentlyContinue"

Trending

Most Viewed

Loading...