W32.Shadesrat.C

By GoldSparrow in Worms

Threat Scorecard

Popularity Rank: 1,878
Threat Level: 80 % (High)
Infected Computers: 3,288
First Seen: July 2, 2012
Last Seen: November 27, 2025
OS(es) Affected: Windows

W32.Shadesrat.C is a worm that attackers distribute through removable drives. It also proliferates through various peer-to-peer programs, including Kazaa, BitTorrent, eMule, Azureus and LimeWire, and may try to spread through AOL Instant Messenger (AIM). W32.Shadesrat.C also opens a back door on the compromised PC. When activated, W32.Shadesrat.C replicates itself by creating potentially infectious files. It creates the specific file so that it can start automatically when the drives are accessed. W32.Shadesrat.C executes the specific process if the victim is running Windows XP or Windows 7, and then copies a signed Microsoft .NET ClickOnce Launch Utility file as the specific file. It then creates the certain registry entry so that it starts automatically whenever Windows boots. W32.Shadesrat.C also creates a few registry entries in order to bypass the Windows Firewall, and modifies the specific registry entry to permit the certain firewall exceptions.

File System Details

W32.Shadesrat.C may create the following file(s):
# File Name MD5 Detections
1. %Windir%\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
2. %Temp%\local3.exe
3. %Temp%\D3D8THK.exe
4. %UserProfile%\Templates\VSCover.exe (Trojan.ADH.2)
5. %Temp%\Application Data\data.dat (a log file used to store recorded keystrokes)
6. %DriveLetter%\autorun.inf
7. file.exe 291ce2c51e5ea57b571d6610e1d324f9 0

Registry Details

W32.Shadesrat.C may create or modify the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"%Temp%\local3.exe" = "%Temp%\local3.exe:*:Enabled:Windows Messanger"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"%Windir%\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" = "%Windir%\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"DoNotAllowExceptions" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\[CERTIFICATE NUMBER]\Blob
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Microsoft® Windows® Operating System" = "%UserProfile%\Templates\VSCover.exe"
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID\ID\"DC596I04Z1" = "Local"
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\INSTALL\DATE\"DC596I04Z1" = "[DATE THREAT EXECUTES MM/DD/YYYY]"
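As an added defender-side check (written for this page, not taken from it or from any vendor tool), the following PowerShell script audits a Windows host for the three registry artefacts the description and the Registry Details above point at: a Run value launching an executable from a user-writable folder, AuthorizedApplications firewall exceptions for such executables or for AppLaunch.exe, and DoNotAllowExceptions set to 0. The key paths come from the page; the folder heuristic and the "Windows Messanger" and AppLaunch.exe matches are assumptions drawn only from what is listed here.

```powershell
# Added audit script, not part of the original page. Registry paths are those listed on the page;
# the heuristics below are assumptions and produce review items, not verdicts.
$fwProfile = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$fwList    = "$fwProfile\AuthorizedApplications\List"
$runKeys   = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')

function Test-UserWritablePath {
    # Assumption: executables launched from Temp, AppData or the Templates folder deserve review.
    param([string]$Path)
    $expanded = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    return [bool]($expanded -match '\\(Temp|AppData|Templates)\\')
}

function New-Finding($Artefact, $Name, $Data, $Reason) {
    [pscustomobject]@{ Artefact = $Artefact; Name = $Name; Data = $Data; Reason = $Reason }
}

function Get-ShadesratStyleFindings {
    $findings = @()

    # 1. Firewall exception list: the value name is the program path, the data is
    #    "path:*:Enabled:DisplayName" (the page shows the misspelt display name "Windows Messanger").
    if (Test-Path -LiteralPath $fwList) {
        $key = Get-Item -LiteralPath $fwList
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            $why = $null
            if (Test-UserWritablePath $name)          { $why = 'firewall exception for executable in user-writable folder' }
            elseif ($name -like '*\AppLaunch.exe')    { $why = 'firewall exception for .NET ClickOnce launcher (unusual)' }
            elseif ($data -match 'Windows Messanger') { $why = 'display name matches the misspelling seen in this family' }
            if ($why) { $findings += New-Finding 'FirewallException' $name $data $why }
        }
    }

    # 2. DoNotAllowExceptions = 0 re-enables the exception list. This is also the Windows default,
    #    so report it as context rather than as an indicator on its own.
    $dna = (Get-ItemProperty -LiteralPath $fwProfile -ErrorAction SilentlyContinue).DoNotAllowExceptions
    if ($null -ne $dna -and $dna -eq 0) {
        $findings += New-Finding 'FirewallPolicy' 'DoNotAllowExceptions' $dna 'exceptions explicitly allowed (context only)'
    }

    # 3. Run values pointing into the user profile, regardless of how trustworthy the value name looks
    #    (the page shows one named "Microsoft® Windows® Operating System").
    foreach ($runKey in $runKeys) {
        if (-not (Test-Path -LiteralPath $runKey)) { continue }
        $key = Get-Item -LiteralPath $runKey
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            if (Test-UserWritablePath $data) {
                $findings += New-Finding 'RunKey' "$runKey\$name" $data 'autorun from user-writable folder'
            }
        }
    }
    return $findings
}

Get-ShadesratStyleFindings | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys are readable; an empty table means none of the three artefact shapes were found, not that the host is clean.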

Analysis Report

General information

Family Name: Trojan.Delshad
Signature status: No Signature

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have resources
  • File doesn't have security information
  • File has TLS information
  • File is 32-bit executable
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

File Version: 2.7.5, 2.7.2
Internal Name: WinTune
Legal Copyright: tranht17
Product Name: WinTune
Product Version: 2.7.5, 2.7.2

File Traits

  • 2+ executable sections
  • AutoHK
  • GetConsoleWindow
  • HighEntropy
  • JMC
  • No Version Info
  • WriteProcessMemory
  • x64
  • x86

Block Information

Total Blocks: 1,804
Potentially Malicious Blocks: 7
Whitelisted Blocks: 1,790
Unknown Blocks: 7

Similar Families

  • Agent.KFF
  • Clipbanker.DO
  • DllInject.LF
  • Gamehack.SBA
  • Gamehack.SBG
  • Tedy.K
  • Trojan.ShellcodeRunner.Gen.AN

Files Modified

File Attributes
Generic Read,Write Data,Write Attributes,Write extended,Append data
Generic Write,Read Attributes
Synchronize,Write Attributes
\\ Generic Read,Write Data,Write Attributes,Write extended,Append data
\\ Synchronize,Write Attributes
\device\namedpipe Generic Read,Write Attributes
\device\namedpipe Generic Write,Read Attributes
c:\$winreagent\hype ransmoware.txt Generic Write,Read Attributes
c:\documents and settings\user\start menu\programs\startup\xinfecter.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\hype ransmoware.txt Generic Write,Read Attributes
c:\n-save-sfgnc.sys Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\hype ransmoware.txt Generic Write,Read Attributes
c:\program files\hype ransmoware.txt Generic Write,Read Attributes
c:\programdata\hype ransmoware.txt Generic Write,Read Attributes
c:\sandbox_local\hype ransmoware.txt Generic Write,Read Attributes
c:\sandbox_stage\hype ransmoware.txt Generic Write,Read Attributes
c:\startup_test\hype ransmoware.txt Generic Write,Read Attributes
c:\users\hype ransmoware.txt Generic Write,Read Attributes
c:\users\user\appdata\n-save-sfgnc.sys Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\n-save-sfgnc.sys Generic Write,Read Attributes
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\xinfecter.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\s-2153.bat Generic Write,Read Attributes
c:\users\user\appdata\s-6748.bat Generic Write,Read Attributes
c:\users\user\appdata\s-8459.vbs Generic Write,Read Attributes
c:\users\user\desktop\hype ransmoware.txt Generic Write,Read Attributes
c:\users\user\documents\hype ransmoware.txt Generic Write,Read Attributes
c:\users\user\downloads\5bc07cdaa01b7efb92915306ee4dd53d4035dd1a_0000140288 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\downloads\5bc07cdaa01b7efb92915306ee4dd53d4035dd1a_0000140288 Synchronize,Write Attributes
c:\users\user\downloads\5bc07cdaa01b7efb92915306ee4dd53d4035dd1a_0000140288.email=[ranshype@gmail.com]id=[9fff5e695582ad9d].hype Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\downloads\5bc07cdaa01b7efb92915306ee4dd53d4035dd1a_0000140288.email=[ranshype@gmail.com]id=[9fff5e695582ad9d].hype Synchronize,Write Data
c:\users\user\downloads\c314d904c0b820e0b6abaa582054e1d42fdebc69_0000140288 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\downloads\c314d904c0b820e0b6abaa582054e1d42fdebc69_0000140288 Synchronize,Write Attributes
c:\users\user\downloads\c314d904c0b820e0b6abaa582054e1d42fdebc69_0000140288.email=[ranshype@gmail.com]id=[6629368d8873f451].hype Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\downloads\c314d904c0b820e0b6abaa582054e1d42fdebc69_0000140288.email=[ranshype@gmail.com]id=[6629368d8873f451].hype Synchronize,Write Data
c:\users\user\downloads\dll host.dll Generic Write,Read Attributes
c:\users\user\downloads\hype ransmoware.txt Generic Write,Read Attributes
c:\users\user\hype ransmoware.txt Generic Write,Read Attributes
c:\users\user\music\hype ransmoware.txt Generic Write,Read Attributes
c:\users\user\pictures\hype ransmoware.txt Generic Write,Read Attributes
c:\users\user\videos\hype ransmoware.txt Generic Write,Read Attributes
c:\windows\sysmain.sys Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\windows\sysmain.sys Generic Write,Read Attributes

Registry Modifications

Key::Value Data API Name
HKCU\software\microsoft\windows\currentversion\applicationassociationtoasts::vbsfile_.vbs RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\muicache::c:\windows\system32\wscript.exe.friendlyappname Microsoft ® Windows Based Script Host RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\muicache::c:\windows\system32\wscript.exe.applicationcompany Microsoft Corporation RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 [binary data] RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe [binary data] RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe [binary data] RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe [binary data] RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey

Windows API Usage

Category API
Encryption Used
  • CryptAcquireContext
Process Shell Execute
  • CreateProcess
  • ShellExecute
  • WriteConsole
User Data Access
  • GetComputerNameEx
  • GetUserName
  • GetUserObjectInformation
Network Lmaccess
  • NetUserEnum
Other Suspicious
  • AdjustTokenPrivileges
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTerminateProcess
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • UNKNOWN
  • win32u.dll!NtGdiAnyLinkedFonts
  • win32u.dll!NtGdiBitBlt
  • win32u.dll!NtGdiCreateBitmap
  • win32u.dll!NtGdiCreateCompatibleBitmap
  • win32u.dll!NtGdiCreateCompatibleDC
  • win32u.dll!NtGdiCreateDIBitmapInternal
  • win32u.dll!NtGdiCreateRectRgn
  • win32u.dll!NtGdiCreateSolidBrush
  • win32u.dll!NtGdiDeleteObjectApp
  • win32u.dll!NtGdiDoPalette
  • win32u.dll!NtGdiDrawStream
  • win32u.dll!NtGdiExtGetObjectW
  • win32u.dll!NtGdiExtTextOutW
  • win32u.dll!NtGdiFontIsLinked
  • win32u.dll!NtGdiGetCharABCWidthsW
  • win32u.dll!NtGdiGetDCDword
  • win32u.dll!NtGdiGetDCforBitmap
  • win32u.dll!NtGdiGetDCObject
  • win32u.dll!NtGdiGetDeviceCaps
  • win32u.dll!NtGdiGetDIBitsInternal
  • win32u.dll!NtGdiGetEntry
  • win32u.dll!NtGdiGetFontData
  • win32u.dll!NtGdiGetGlyphIndicesW
  • win32u.dll!NtGdiGetOutlineTextMetricsInternalW
  • win32u.dll!NtGdiGetRandomRgn
  • win32u.dll!NtGdiGetRealizationInfo
  • win32u.dll!NtGdiGetTextFaceW
  • win32u.dll!NtGdiGetTextMetricsW
  • win32u.dll!NtGdiGetWidthTable
  • win32u.dll!NtGdiHfontCreate

69 additional items are not displayed above.

Anti Debug
  • IsDebuggerPresent
Process Terminate
  • TerminateProcess
Process Manipulation Evasion
  • NtUnmapViewOfSection

Shell Command Execution

C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"
C:\WINDOWS\system32\tasklist.exe tasklist /v /fo csv
C:\WINDOWS\system32\findstr.exe findstr /i "dcdcf"
C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\Efsrpizz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
C:\WINDOWS\system32\sc.exe sc create SqlBakup binPath= "C:\Users\Efsrpizz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\Efsrpizz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
C:\WINDOWS\system32\sc.exe sc create SqlBakup binPath= "C:\Users\Efsrpizz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Documents and Settings\Efsrpizz\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
C:\WINDOWS\system32\sc.exe sc create SqlBakup binPath= "C:\Documents and Settings\Efsrpizz\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c ver
C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat
C:\Users\Efsrpizz\AppData\s-8459.vbs "C:\Users\Efsrpizz\AppData\S-8459.vbs"
C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\S-2153.bat'" /f
C:\WINDOWS\system32\schtasks.exe schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\Efsrpizz\AppData\S-2153.bat'" /f
C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c echo %date%-%time%
C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c systeminfo|find /i "os name"
C:\WINDOWS\system32\systeminfo.exe systeminfo
C:\WINDOWS\system32\find.exe find /i "os name"
open cmd.exe /c vssadmin.exe delete shadows /all /quiet
C:\WINDOWS\system32\vssadmin.exe vssadmin.exe delete shadows /all /quiet
WriteConsole: Access is denied