Trojan.MSIL.Mamut.D

By CagedTech in Trojans

Threat Scorecard

Popularity Rank: 7,504
Threat Level: 80 % (High)
Infected Computers: 733
First Seen: August 31, 2022
Last Seen: April 9, 2026
OS(es) Affected: Windows

Analysis Report

General information

Family Name: Trojan.MSIL.Mamut.D
Signature status: No Signature

Known Samples

MD5: 4824dc4099867fabfe57625624232b9b
SHA1: 47fcb1d6e87d4f1a73b9acd356bc063a3a5eb93a
File Size: 3.27 MB, 3265536 bytes
MD5: ca3c34d6de7d4a3a192c1fef8f4b368e
SHA1: b1baa751276613d023d8d014846f7ca076126719
File Size: 356.35 KB, 356352 bytes
MD5: a9f5f7fb476c4f05c5d496c60133ce9d
SHA1: 8367825361b2ecaabe9f78917da235d9c3cf90dc
File Size: 1.94 MB, 1943552 bytes
MD5: 1223bed61e32626bc8dd6b546c1cc479
SHA1: b8a344eca2e25ea26668bd854b1aaec52f024814
File Size: 1.95 MB, 1950208 bytes
MD5: 6c976eb9f922bab6b6101b5e28c5ab13
SHA1: 41174895611257a1c3a588eb865389c90c9f5560
File Size: 5.10 MB, 5100772 bytes
MD5: 7e2a81c5746dc7c12d48e68fe127d8ea
SHA1: d7af4e4f32066e969afa964fbf26faf1c8779843
SHA256: 629A35B0FE18CD59C1E15F8957FF8CA083158FD4DA80CC84D13C33A33FBA170B
File Size: 356.35 KB, 356352 bytes
MD5: d413d5145d28a4bbaa4f782853d0540e
SHA1: 0f19d54f04784cf8633ce2dd840bf192d16717b5
SHA256: 4173148ED2216C9951D0AEBC1486F7D62B559A520F654ECFF0026DF6C3BC55AC
File Size: 356.35 KB, 356352 bytes
MD5: 129eeb59916656b8868ad6659524793f
SHA1: 1c353a0bd759f3fc102bda20770e0947a6f2104e
SHA256: AFB21157DF59F263E31A6F88332D15971A37CCC66723CCBDC8C28187721EF245
File Size: 355.84 KB, 355840 bytes
MD5: 934b1dcd60569db28e7c058213c68b0a
SHA1: 4442d5209d30d8af96dd4a18939dc0071b449bec
SHA256: 3D82387DD57384DAE1632DD087FC27D1719A096048FB80AF56FF786A8D4B7158
File Size: 356.35 KB, 356352 bytes
MD5: 03e8a85478f9bd7a7a9693abb91b6dac
SHA1: aa96e39ad3ad51f3fea1e865e94342a84fc65e6b
SHA256: 1B9BA79F7FF1DE0BF578215A7023D738A28B7BC06A4ACBCC049074BF5C25167C
File Size: 1.87 MB, 1868800 bytes
MD5: 04e122f0402f3ec42f09c6771a5d8772
SHA1: 3bcbb3c9b3e31455ebab36b544d311fa42421ea2
SHA256: D353B281625F95A5B6250085CE2F9AE7141EB270C2986F09E2D1A7F9AC19AB66
File Size: 1.96 MB, 1955328 bytes
MD5: 41e1566feffd042eef2dc9ab8e438429
SHA1: b82b77aeeb8449e09a1498446cbadbfaf599494d
SHA256: 910C37395889F9F8DD7A46124D63C6F5BAC04311AF84EADA5F10CD608AE13449
File Size: 1.95 MB, 1949184 bytes
MD5: d374f8d3b5cb7578e91c2e440d2b485b
SHA1: 1fd0d69cfb4cf0ab8e900d8948b0e2e1b31a9db6
SHA256: 859EE677DD2199533C17035E89510336A639656D232917385931F8BA982D954C
File Size: 356.35 KB, 356352 bytes
MD5: 68326db2d8561c015abee540fdbd38df
SHA1: 4ad3ff09ab8e4ba5efc138f3c8eea7db7e1a57ef
SHA256: 3AA8EDBDA750242FEAC1E8DD25BA744AA143A87B6A78DAC2EB1D4A3B2CE9F0B1
File Size: 356.35 KB, 356352 bytes
MD5: 32a4a959228688f6fbe1a5af3d18cfb5
SHA1: 5fe1e21e718a878b845e2fc9673c9b4c6dd91146
SHA256: 2312ED59A38D03B9035719369AF00C1D3B36DC1DB24DE8833124BCED3A9D5815
File Size: 1.87 MB, 1869312 bytes
MD5: 83319d1a994cc2b963506d839278b0d6
SHA1: 819f1319b91d0d4fdd40b760e73d9b335f134499
SHA256: 658969EA1B975D303AAFE8174AA75345BEB2A210D48B145A7C9B1504A9BEE54E
File Size: 1.87 MB, 1866240 bytes
MD5: 92644c64b11dbe29b7efee2ee2d263da
SHA1: deb2f305dcff50d0c58f8e30a10b54794cafcec1
SHA256: C68B6377041FB4C03FB8F5F6F1D2146896B03C10C669D16D5043D6A1DD6B9E73
File Size: 1.87 MB, 1870848 bytes
MD5: 6dbe2d4af10731e664ab695acde48346
SHA1: 7a3ff74342215e8fed0967be511511bb76512117
SHA256: C6CECA30F065DCF6AB91B6C808B3EC066D5C1B7EEEDBEFBD0A96BDD71FEC0E78
File Size: 1.84 MB, 1835520 bytes
MD5: 62e6fa0dc0f1c937fe55258a8ab4b4e9
SHA1: b3ca4dfa4c1f3699986361f20dc89261a80c714d
SHA256: 490874BED49DE067FE5AF01DC24BED1B8A47168E5B4CFECC284B23356EB4B5E7
File Size: 940.03 KB, 940032 bytes
MD5: 29a5858217eb2e9dabb065d782b456dc
SHA1: 6454094592440bc839d22c7d86bb8ab039e4c8e3
SHA256: 0786B8C00C1F0D8582F0E31BA2C2C014FF32B17E65A6105D032C3CB7D1FCE5C1
File Size: 3.27 MB, 3266048 bytes
MD5: 20362b941bd850a4baaf2cc1095602c4
SHA1: 31a04da5a1664d2b069b54a0c6fd78d9c92832e7
SHA256: 5FB3C00FE1AE8FCBE8016C87B8DB595F430E88A92F35C044C37132742FCCAA80
File Size: 1.87 MB, 1872384 bytes
MD5: c2721638fefa9807fa5385c5f19c7be8
SHA1: 3895cb77727fca9210d0a0444e0896e8c520f753
SHA256: 1885A13EF7D825520E65D1EF4A05F6772DA436FAE4FA3E55E9EDC2B55624023B
File Size: 356.35 KB, 356352 bytes
MD5: fdcae6d1b7e4b48e1630e3d3fc7ff8fc
SHA1: d5c20c540d0844f34fe817179b001cd0cd2b31f2
SHA256: B148D6A425F38E043F42009BC6C6E738E1DEB55B07EE369EB658BDA10ED9288B
File Size: 1.62 MB, 1624576 bytes
MD5: 57caa771cdc49a089b783f3df4e72f99
SHA1: 94609144f4752e594e6f569f05cea5c2f80473e0
SHA256: 23D78DEFB24BC7E2496D016A368054DF8F7F9B64988FFCBA00DAB9311B7329D4
File Size: 3.27 MB, 3265536 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have security information
  • File has exports table
  • File has TLS information
  • File is .NET application
  • File is 32-bit executable
  • File is 64-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name    Value
Assembly Version
  • 22.12020.0.1
  • 10.0.19041.5794
  • 9.2.4.2
  • 1.7.4.0
  • 1.7.3.0
  • 1.6.6.0
  • 1.6.5.0
  • 1.6.4.0
  • 1.4.1.0
  • 1.3.0.0
  • 1.1.1.1
Company Name
  • Intel Corporation
  • Microsoft
  • Microsoft Corporation
File Description
  • explorer
  • Intel® Wireless Wifi IHV Extensibility support DLL
  • Quasar Client
  • Windows host process (Rundll32)
  • Хост-процесс для служб Windows
File Version
  • 22.12020.0.1
  • 10.0.19041.5794
  • 9.2.4.2
  • 1.7.4
  • 1.7.3
  • 1.6.6
  • 1.6.5
  • 1.6.4
  • 1.4.1
  • 1.3.0.0
  • 1.1.1.1
Internal Name
  • Client.exe
  • explorer.exe
  • IntelIHVRouter.dll
  • RUNDLL32.EXE
  • svchost.exe.mui
Legal Copyright
  • All rights reserved 2026
  • Copyright © 2019 Intel Corporation
  • Copyright © MaxXor 2023
  • © Microsoft Corporation. All rights reserved.
  • © Корпорация Майкрософт. Все права защищены.
Legal Trademarks
  • Explorer
Original Filename
  • Client.exe
  • explorer.exe
  • IntelIHVRouter.dll
  • RUNDLL32.EXE
  • svchost.exe.mui
Product Name
  • explorer
  • Intel® Wireless Wifi IHV Extensibility Software
  • Microsoft® Windows® Operating System
  • Quasar
  • Операционная система Microsoft® Windows®
Product Version
  • 22.12020.0.1
  • 10.0.19041.5794
  • 9.2.4.2
  • 1.7.4
  • 1.7.3
  • 1.6.6
  • 1.6.5
  • 1.6.4
  • 1.4.1
  • 1.3.0.0
  • 1.1.1.1

File Traits

  • .NET
  • Agile.net
  • CryptUnprotectData
  • Fody
  • HighEntropy
  • No CryptProtectData
  • ntdll
  • Run
  • VirtualQueryEx
  • WriteProcessMemory
  • x86

Block Information

Total Blocks: 14,560
Potentially Malicious Blocks: 308
Whitelisted Blocks: 14,252
Unknown Blocks: 0

Visual Map

[Visual map omitted: a per-block grid of 0 / x markers covering the 14,560 analysed blocks; the grid data is truncated in the source.]
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • MSIL.Mardom.SF
  • MSIL.Quasar.B
  • MSIL.Quasar.CA
  • MSIL.Quasar.CB
  • MSIL.Spy.RC
  • MSIL.Spy.RCB
  • Tedy.L

Files Modified

File                                                      Attributes
c:\users\user\downloads\4455rgf.exe                       Generic Write, Read Attributes
c:\users\user\downloads\4455rgf.exe                       Synchronize, Write Attributes
c:\users\user\downloads\656443.exe                        Generic Write, Read Attributes
c:\users\user\downloads\656443.exe                        Synchronize, Write Attributes
c:\users\user\downloads\__tmp_rar_sfx_access_check_753671 Generic Read, Write Data, Write Attributes, Write extended, Append data
c:\users\user\downloads\hgf3423.exe                       Generic Write, Read Attributes
c:\users\user\downloads\hgf3423.exe                       Synchronize, Write Attributes
c:\windows\system32\windowsupdate\win_update.exe          Generic Read, Write Data, Write Attributes, Write extended, Append data, Delete, LEFT 262144

Registry Modifications

Key::Value    Data    API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass        RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname       RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet      RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect         RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475       RegNtPreCreateKey

Windows API Usage

Category    API
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcAcceptConnectPort
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreatePortSection
  • ntdll.dll!NtAlpcCreateSectionView
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcDeleteSecurityContext
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtCancelTimer2
  • ntdll.dll!NtCancelWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtCompareSigningLevels
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFlushProcessWriteBuffers
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtGetCachedSigningLevel
  • ntdll.dll!NtGetCompleteWnfStateSubscription
  • ntdll.dll!NtGetWriteWatch
  • ntdll.dll!NtLockFile
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtModifyDriverEntry
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenMutant
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtPowerInformation
  • ntdll.dll!NtPrivilegeObjectAuditAlarm
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationJobObject
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtQueueApcThread
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtResetWriteWatch
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationObject
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread

154 additional items are not displayed above.

User Data Access
  • GetComputerNameEx
  • GetUserDefaultLocaleName
  • GetUserName
  • GetUserObjectInformation
Other Suspicious
  • AdjustTokenPrivileges
Anti Debug
  • IsDebuggerPresent
Encryption Used
  • BCryptOpenAlgorithmProvider
  • CryptAcquireContext
Keyboard Access
  • GetKeyState
Process Shell Execute
  • CreateProcess
  • ShellExecuteEx
Network Winsock2
  • WSAConnect
  • WSARecv
  • WSASocket
  • WSAStartup
  • WSAttemptAutodialName
Network Winsock
  • closesocket
  • freeaddrinfo
  • getaddrinfo
  • setsockopt

Shell Command Execution

(NULL) c:\users\user\downloads\4455RGF.exe
(NULL) c:\users\user\downloads\656443.exe
(NULL) c:\users\user\downloads\HGF3423.exe
"schtasks" /create /tn "winupdate" /sc ONLOGON /tr "C:\WINDOWS\system32\WindowsUpdate\win_update.exe" /rl HIGHEST /f
"schtasks" /create /tn "IntelSR" /sc ONLOGON /tr "c:\users\user\downloads\b3ca4dfa4c1f3699986361f20dc89261a80c714d_0000940032" /rl HIGHEST /f