TrojanDownloader:MSIL/Pstinb.E

By GoldSparrow in Trojans

Threat Scorecard

Popularity Rank: 2,228
Threat Level: 90 % (High)
Infected Computers: 37,520
First Seen: November 23, 2015
Last Seen: February 2, 2026
OS(es) Affected: Windows

Pstinb is a family of Trojan Downloaders; its variants differ slightly in code but behave the same way. What sets the family apart is its 'Command and Control' channel: instead of a dedicated server, the downloader fetches its instructions from accounts hosted on the Pastebin.com paste-sharing service. Pstinb samples are distributed through spam e-mail campaigns as executables that carry the icon of a ZIP, PNG, RAR or DOCX file to entice the recipient into opening them. Once the disguised executable of TrojanDownloader:MSIL/Pstinb.E is launched, it copies its files into the Windows Temp folder and creates a task in the Windows Task Scheduler so that it is run again at the next system boot.

TrojanDownloader:MSIL/Pstinb.E connects over port 80 (plain HTTP) to a predefined Pastebin.com account, reports the successful infection to its operators and waits for instructions. It may also compile a report on the computer's configuration, browsing history, IP address and ISP and send it to its operators. As a Trojan Downloader, Pstinb may fetch and install further malware such as Phase Bot and Rustock CV, which let third parties run, close, install and modify programs on the computer remotely, or crypto-malware such as Alpha Crypt and BandarChor, in which case the victim may lose their files for good along with up to a thousand dollars in Bitcoin. Because Pastebin.com is treated as a trusted domain, the activity of TrojanDownloader:MSIL/Pstinb.E can be hard to distinguish from legitimate use and may be missed by many AV vendors. Users should install a reputable anti-malware solution to prevent a Pstinb infection.
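The two behaviours described above (an executable planted in the Temp folder and registered as a scheduled task, then plain-HTTP traffic to pastebin.com for instructions) are easier to spot together than separately, because pastebin.com is also used legitimately. The Python script below is an added example, not code from this page or from any vendor: it correlates constructed scheduled-task and network records on the image path of the task action, and the record fields, severity labels, sample paths and hostnames are assumptions made for the example.

```python
"""Hunt for the pairing the write-up describes: a scheduled task whose action lives in a
Temp directory, and port-80 traffic from that same image to pastebin.com."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TaskEvent:
    """One scheduled-task registration (field names assumed, not tied to a log format)."""
    task_name: str
    action: str   # command line the task runs
    trigger: str  # e.g. "boot", "logon", "daily"


@dataclass(frozen=True)
class NetEvent:
    """One outbound connection attributed to a process image."""
    image: str
    dest_host: str
    dest_port: int


@dataclass(frozen=True)
class Finding:
    task_name: str
    image: str
    severity: str
    reason: str


# Both the user and the system Temp location; the write-up only says "the Temp folder".
TEMP_DIR_RE = re.compile(r"\\(appdata\\local\\temp|windows\\temp)\\", re.I)
PASTEBIN_RE = re.compile(r"(^|\.)pastebin\.com$", re.I)


def image_of(action: str) -> str:
    """Return the executable path from a task action, honouring a quoted path."""
    action = action.strip()
    if action.startswith('"'):
        end = action.find('"', 1)
        return action[1:end] if end > 0 else action[1:]
    return action.split()[0] if action else ""


def task_in_temp(task: TaskEvent) -> bool:
    return TEMP_DIR_RE.search(image_of(task.action)) is not None


def plain_http_to_pastebin(ev: NetEvent) -> bool:
    """Port-80 (unencrypted) traffic to pastebin.com, as described in the write-up."""
    return ev.dest_port == 80 and PASTEBIN_RE.search(ev.dest_host) is not None


def correlate(tasks, nets) -> list:
    """One finding per Temp-resident task; escalated when the same image also reached
    pastebin.com over port 80. Keying on the image keeps browser visits out."""
    findings = []
    for task in tasks:
        if not task_in_temp(task):
            continue
        image = image_of(task.action)
        c2 = [n for n in nets
              if n.image.lower() == image.lower() and plain_http_to_pastebin(n)]
        if c2:
            findings.append(Finding(task.task_name, image, "high",
                f"task ({task.trigger}) runs from Temp and image contacted {c2[0].dest_host}:80"))
        else:
            findings.append(Finding(task.task_name, image, "medium",
                f"task ({task.trigger}) runs an executable from Temp"))
    return findings


# Constructed sample telemetry (not from any real host); paths and hosts are illustrative.
SAMPLE_TASKS = [
    TaskEvent("Updater", r'"C:\Users\user\AppData\Local\Temp\invoice.exe"', "boot"),
    TaskEvent("OneDrive Standalone Update Task",
              r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"',
              "daily"),
    TaskEvent("Cleanup", r"C:\Windows\Temp\cleanup.exe /quiet", "logon"),
]
SAMPLE_NETS = [
    NetEvent(r"C:\Users\user\AppData\Local\Temp\invoice.exe", "pastebin.com", 80),
    NetEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe", "pastebin.com", 443),
    NetEvent(r"C:\Windows\Temp\cleanup.exe", "updates.example.net", 80),
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_TASKS, SAMPLE_NETS):
        print(f"[{f.severity}] {f.task_name}: {f.reason}")
```

The browser hit on pastebin.com never surfaces because the correlation starts from task actions, not from hostnames; a Temp-resident task with no pastebin traffic still gets a medium finding, since the persistence alone is worth a look. Extend TEMP_DIR_RE for any other staging directory you care about.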

Analysis Report

General information

Family Name: Trojan.Betload.A
Signature status: No Signature

Known Samples

MD5: 646973660399972415e5117397b5aaf6
SHA1: deb364d7f3eced7cc76f3f3a2d604f6248f54101
File Size: 47.62 KB, 47616 bytes
MD5: 235c0f760fab7f527a5a677716ad35c1
SHA1: 463d05658cd4b5872290a87c08b671b3c4f9bda6
File Size: 74.24 KB, 74240 bytes
MD5: 7ee9c48d1593b24aa7623c6b6c03f304
SHA1: e3a781c41852a18426ac204b35e07dc52da87d8c
SHA256: DE15780551A69E70E556FB7A35C0869F63DF8C476D269D66A2A8A0487D9D6D2A
File Size: 188.93 KB, 188928 bytes
MD5: 0aa7c02dfeacdc12a695328a514a62c3
SHA1: d42000be1f789aeddd5c0da44c5c2f177b0887de
SHA256: 09EE00B15942F688C6A032C87E2BFD0148F60C174CE094CC2602D732A7E81536
File Size: 184.32 KB, 184320 bytes
MD5: 89109e7e55781b118dc4999710cf6f10
SHA1: 65444a0d5afa527445be1fd81fe0f43cc2bf46c4
SHA256: 04B0F5CFF40597345F6A411DDA5DFB2B57C3478C7214018A2EF9CE96B312BE34
File Size: 177.15 KB, 177152 bytes
MD5: 8b891a5eb43e8ee01801bdb9dbe5049b
SHA1: 69fce80fcfd4bc43239cb65ae964b5beec0ab551
SHA256: 1BB7454C816750A391C31C932B97803234384C1F1ECB512642EF87277CE57C9F
File Size: 71.17 KB, 71168 bytes
MD5: e7f2445f45dff64a1bf4c0973d58a1c8
SHA1: 7d871d386e650b4b95c609fca7ab86c2fe20347c
SHA256: C42304D2AB4F3738F95554A8D7BFEA5B7C9E46CACC4121AB00D3E61D78A7117A
File Size: 716.35 KB, 716345 bytes
MD5: b13cc03512d2ec9e99a1a2ace3e91d78
SHA1: 567cc061f9e160adcc35586230467bcd9d711da0
SHA256: D04792973382F59963FD365792D0945EE34A393FF9D1EE666D26AA2388A6B903
File Size: 226.30 KB, 226304 bytes
MD5: 8aaa5886df3a115833e36e253494dcff
SHA1: d21b3eb4d2348a1040ac9b6aa7819081b10fb27d
SHA256: 43D351D3E6AA91A023B9D4BF74CE3473AF486C2B5144910ADAC74857E7A6A8B9
File Size: 369.66 KB, 369664 bytes
MD5: 63142911b8e46081ae04bd6190fd26e3
SHA1: dfba33b25c30e42e306296aa2e715933e508119f
SHA256: 2B7C3A78457F5E7D4C5C8476AA643100AB77A17CCFDFB00BE725720A04644FE5
File Size: 58.37 KB, 58368 bytes
MD5: 871968610f977dc8cd60128fbdb118ee
SHA1: 48af7cbcd4c985a0b3cedc58fa46bf59aa8cacd3
SHA256: 281A85DF86C0614E1AB2604D0E8C33468DEC1E2FADE318087B07EBD45A618DA1
File Size: 356.86 KB, 356864 bytes
MD5: 7a4f73714e1b3f8d55b3086eef192b2e
SHA1: c8190a8cc2b7abd69733403fd71a4f40a0d3ed87
SHA256: 2F03B4364C84C5CA129920F084E15EDE790B53E2531AB632B10FFD6208374377
File Size: 506.88 KB, 506880 bytes
MD5: e5919fd746bf384030bf2296f60f0ff9
SHA1: cb806b2ed71ca4bd9ee985be7c21066b47cbb6a3
SHA256: 01C9E62F3ACF9C53951E9A4BB6304DB6955EFEE9FBD88834980FBF6F31B53357
File Size: 1.54 MB, 1536000 bytes
MD5: 1ee75287deb7b0f7d765e33c4afda523
SHA1: 84eb0fb190e714333bc237ca89b8e4e3b9aa408a
SHA256: 3E9C4733B67F90A78ED7D378933AD3D702ECD7A04AFE79FDC97C9D000AD82E3F
File Size: 32.26 KB, 32256 bytes
MD5: 8e6a91a0075cb5910219ebe6c2ae70ff
SHA1: 866dc223715453a1893e385d679b1198adf22aca
SHA256: 8985BB6D2A56C9F5EEC5A3536B31D57254AE53596CCBBCB6A80E6D81367B9C87
File Size: 443.90 KB, 443904 bytes
MD5: c3601b2f59714bb8235a2842cb29fb4a
SHA1: 345c1343e350a29981e9da923d4820dffdd579f5
SHA256: 25E0A9890E7863C0B3B2365CABED46996C992F4C0AC7C8A235B7422D94D443F3
File Size: 75.26 KB, 75264 bytes
MD5: e4a1a1145cacdb53eaf81edf9f433f5c
SHA1: 407bb19978e9f5c69727bc668acf9d87c0416f86
SHA256: 0735046C3FDADACB237E3145617731726B68F090DDDD1A0C02893B028AD0EF9B
File Size: 349.18 KB, 349184 bytes
MD5: 2be05f5ca1c8a1c8bd14376aad46e0d9
SHA1: b96bc5295b7033dc6a600cb8411a228e1da7f970
SHA256: EA004CA56F245F6040992F2A6F7009ED6F5C61CE88C513A6BBDB94B9A5A10156
File Size: 72.70 KB, 72704 bytes
MD5: 61865858ce6ca06eb37b593fcee7519e
SHA1: 14f818b0ef112c0012e7500ca4d211f2ce830aff
SHA256: 861EFEED0F3CAB41C46FED799E1E8EF7F89EEC3DA2A38BBE361A1F03C6610419
File Size: 47.10 KB, 47104 bytes
MD5: d73e94f9bc961a16347304dddb7e10b4
SHA1: 4abbaaffd6743b59014aa3f7cd1022c9dc706d9d
SHA256: AFAFE7C32FFA66E50616627CE55AC90668840EFDCD6BA4281C97C1B8B326FE4E
File Size: 158.21 KB, 158208 bytes
MD5: 103551b91d924d314ce13485e9abc168
SHA1: a001e1f9d605a00dd694f51392707f085a0f7491
SHA256: 34025EBDA6864A1CF9E13EBCBDAECF8E723D8D659E6BE974CA95CF9AB63534EB
File Size: 2.69 MB, 2693120 bytes
MD5: ded949518cd96168a5d0db04933184aa
SHA1: 532304aeaaae67d978e4fc663fe2cb224d1a4f13
SHA256: 4661A0946D055951BAC22203AD4F626929FD85FC61CC666926CF342121677A9E
File Size: 782.37 KB, 782371 bytes
MD5: b6ba4bbd1beec5898f0a180614898cee
SHA1: 72646a31693b20b92d58d0ce1dda923414c197d2
SHA256: 1C82B3846F3E6A0B7E48B73DB6DF47E9035CB0E3CB6BC0E810033969A542D140
File Size: 178.63 KB, 178631 bytes
MD5: 2ed9418a3d9570ac59695fd2d3b61c22
SHA1: 215e38eaefab80ac0db5feb93ab610dfd9e7c26c
SHA256: 870A8498811D54F6B89CAACEBF387ADE8FA13C5191965E7D6514B62BDE282D78
File Size: 83.46 KB, 83456 bytes
MD5: a3dce2fe2d3e8d5b18bdc27e81a2a0ae
SHA1: 0938c6df4d6cb816441337a2cc2d75503988bc9f
SHA256: 52415154E6DF6AA814BA89946CB2CB8F2D818BBA23D52C845715CA5EEE07069B
File Size: 232.96 KB, 232960 bytes
MD5: 6d9d21998c83a8a97208ab0deb795779
SHA1: 83bbbb7f2c7fede8f6aae28de20da0fc2d1ddeb6
SHA256: 72C037E5C32B70E9A0DF46106709621CCEAB602CF879D16E01E170D8A9C04982
File Size: 81.92 KB, 81920 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has been packed
  • File is 32-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
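The attribute list above contains entries that cannot all be true of one file (packed and not packed, console and GUI, native rather than .NET despite the MSIL in the detection name), as happens when attributes gathered from several samples are listed together. To classify a specific sample you read its header fields yourself. The Python below is an added example that is not part of this page: it walks the documented PE layout (DOS header, PE signature, COFF header, optional header, data directories) and reports the same properties the bullets describe. The three images it inspects are constructed headers-only fixtures built in the script, not the samples listed above.

```python
"""Read the PE header fields behind the attribute bullets: bitness, subsystem, DLL flag,
CLR (.NET) header, and the export / relocation / debug / certificate directories."""
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
# Data-directory indices from the PE specification.
DIR_EXPORT, DIR_SECURITY, DIR_BASERELOC, DIR_DEBUG, DIR_CLR = 0, 4, 5, 6, 14


def describe_pe(data: bytes) -> dict:
    """Parse DOS header -> PE signature -> COFF header -> optional header -> directories."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, _nsect, _ts, _symptr, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: NumberOfRvaAndSizes at +92, directories at +96
        pe32plus, nrva_off, dir_off = False, opt + 92, opt + 96
    elif magic == 0x20B:    # PE32+: wider stack/heap fields shift them to +108 / +112
        pe32plus, nrva_off, dir_off = True, opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional-header magic 0x{magic:x}")
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]   # same offset in both formats
    n_dirs = struct.unpack_from("<I", data, nrva_off)[0]

    def has_dir(idx: int) -> bool:
        if idx >= n_dirs or dir_off + idx * 8 + 8 > opt + opt_size:
            return False
        rva, size = struct.unpack_from("<II", data, dir_off + idx * 8)
        return rva != 0 and size != 0

    return {
        "bits": 64 if pe32plus else 32,
        "is_executable_image": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "subsystem": {IMAGE_SUBSYSTEM_WINDOWS_GUI: "GUI",
                      IMAGE_SUBSYSTEM_WINDOWS_CUI: "CUI"}.get(subsystem, f"other({subsystem})"),
        "dotnet": has_dir(DIR_CLR),                 # a CLR runtime header means managed (MSIL) code
        "has_exports": has_dir(DIR_EXPORT),
        "has_relocations": has_dir(DIR_BASERELOC),
        "has_debug_info": has_dir(DIR_DEBUG),
        "has_security_info": has_dir(DIR_SECURITY),  # Authenticode certificate table
    }


def report_lines(info: dict) -> list:
    """Render the parsed fields in wording close to the attribute bullets above."""
    def has(flag, what):
        return ("File has " if flag else "File doesn't have ") + what
    subsys = {"GUI": "GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)",
              "CUI": "console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)"}.get(info["subsystem"], info["subsystem"])
    return [
        f"File is {info['bits']}-bit {'DLL' if info['is_dll'] else 'executable'}",
        f"File is {subsys}",
        f"File is {'.NET' if info['dotnet'] else 'Native'} application",
        has(info["has_exports"], "exports table"),
        has(info["has_relocations"], "relocations information"),
        has(info["has_debug_info"], "debug information"),
        has(info["has_security_info"], "security information"),
    ]


def build_pe32(characteristics: int, subsystem: int, directories: dict) -> bytes:
    """Assemble a headers-only PE32 image as a test fixture (constructed, not a real sample)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                 # e_lfanew: PE signature at offset 64
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 224, characteristics)  # i386, no sections
    opt = bytearray(224)                                 # 96 fixed bytes + 16 directories * 8
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, 92, 16)                  # NumberOfRvaAndSizes
    for idx, (rva, size) in directories.items():
        struct.pack_into("<II", opt, 96 + idx * 8, rva, size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


EXE_FLAGS = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE
NATIVE_CONSOLE = build_pe32(EXE_FLAGS, IMAGE_SUBSYSTEM_WINDOWS_CUI, {DIR_DEBUG: (0x3000, 0x1C)})
DOTNET_GUI = build_pe32(EXE_FLAGS, IMAGE_SUBSYSTEM_WINDOWS_GUI, {DIR_CLR: (0x2008, 0x48)})
NATIVE_DLL = build_pe32(EXE_FLAGS | IMAGE_FILE_DLL, IMAGE_SUBSYSTEM_WINDOWS_GUI,
                        {DIR_EXPORT: (0x4000, 0x80), DIR_BASERELOC: (0x5000, 0x40)})

if __name__ == "__main__":
    for name, image in [("native console", NATIVE_CONSOLE), (".NET GUI", DOTNET_GUI), ("native DLL", NATIVE_DLL)]:
        print(name, *report_lines(describe_pe(image)), sep="\n  ")
```

The .NET test is the presence of the CLR runtime header (data directory 14): a managed MSIL binary has it and a native one does not, which is the distinction the "Native application (NOT .NET application)" bullet turns on. For a real file, call describe_pe(open(path, "rb").read()); a packer that keeps the original subsystem and flags will still be classified correctly, because none of these fields live in the packed sections.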


Windows PE Version Information

Name Value
Company Name
  • Cheathappens
  • DragonApps.org
  • Elke
  • Hatteland Display AS
  • http://www.damasgate.com/vb
  • JamFlux Inc.
  • Las Tech
  • Nolex
  • Sementsul Maxim
  • Sistema Simpliza
  • 홍차의 꿈 - 윈도우 11
File Description
  • Desliga i9Pdv
  • DragonPong
  • Patch
  • silent activation Internet Download Manage by Arabi&Abuehab
  • SVDM
  • Unpack & Repack android images
  • Verifica se o Simprinter esta em execução
  • 홍차의 꿈 - 윈도우 11
File Version
  • 6,25,12,2
  • 4.9
  • 2,0,6,0
  • 2,0,0,0
  • 1.50
  • 1.0.0.0
  • 1,0,0,5
  • 1,0,0,2
  • 1,0,0,0
Internal Name
  • AppKill
  • DP2013
  • Menu Run
  • silent activation
  • SVDM
  • VerificaSimprinter
Legal Copyright
  • by JamFlux
  • Copyright 2013 DragonApps.ORG
  • Copyright © Arabi&Abuehab 2015
  • Cristiano de Souza
  • Hatteland Display AS
  • https://simpliza.com.br
  • Sementsul Maxim
  • 홍차의 꿈 - 윈도우 11
Original Filename
  • dragonpong.exe
  • menu_run.exe
Product Name
  • AppKill
  • DragonPong
  • Dragons Dogma Dark Arisen
  • Driver Menu Software
  • E Vision Light
  • Motorsport Manager
  • silent activation
  • SVDM
  • URTool
  • VerificaSimprinter
Product Version
  • 22124
  • 21415
  • 6.25.12.2
  • 4.9
  • 2.0.6.0
  • 2.0.0.0
  • 1.0.0.5
  • 1.0.0.2
  • 1.0.0.0
Website
  • http://dragonapps.org
  • www.hatteland-display.com

File Traits

  • 2+ executable sections
  • big overlay
  • HighEntropy
  • No Version Info
  • packed
  • VirtualQueryEx
  • WRARSFX
  • WriteProcessMemory
  • x86

Block Information

Total Blocks: 300
Potentially Malicious Blocks: 57
Whitelisted Blocks: 243
Unknown Blocks: 0

Visual Map

x 0 0 x 0 x 0 x x 0 x 0 x 0 x x x 0 x 0 x 0 x x 0 x x 0 x 0 x x x x x x 0 0 0 0 x x x 0 0 0 0 x 0 0 0 x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 x x x x x x 0 0 x x 0 x x x x x x x x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 x 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 x x 0 0 0 1 0 0 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 x 0 0 0 0 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Agent.LPB
  • Autoit
  • Badda.A
  • Betload.A
  • Delf.Q
  • GameHack.LA
  • Philadelphia.A
  • Philadelphia.B

Files Modified

File Attributes
\device\namedpipe Generic Read,Write Attributes
\device\namedpipe Generic Write,Read Attributes
\device\namedpipe\srvsvc Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\wkssvc Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\10b8.tmp\10b9.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\1352.tmp\abrir carpeta configuracion.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\300a.tmp\install.cmd Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\410c.tmp\410d.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\41d2.tmp\41d3.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\4300.tmp\4301.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\4618.tmp\4619.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\49ef.tmp\49f0.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\5209.tmp\5219.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\56fa.tmp\huawei_fix_ip.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\59b5.tmp\moto auto flash tool v7.1 by jamesjerss.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\5d43.tmp\5d44.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\6182.tmp\6183.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\632.tmp\643.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\a255.tmp\a256.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\a5c0.tmp\instalar.cmd Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\a6e9.tmp\a6ea.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\b2c0.tmp\111.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\b2c0.tmp\del.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\b2c0.tmp\reg.reg Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\b80a.tmp\b80b.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\ec07.tmp\smd - tomtom 2025.04 sygic23 # here 2025.03.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\f346.tmp\f357.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\norbert\a_bogenrangliste\bogenrangliste.mdb Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files (x86)\common files\ .exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files (x86)\common files\ .exe Generic Write,Read Attributes
c:\program files\common files\system\symsrv.dll Generic Write,Read Attributes
c:\run.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\run.bat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\auta7f3.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\autb060.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\jetb5ff.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\downloads\appkill.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\downloads\connect to shared drives aig bxl - y, x (v2.0) Generic Write,Read Attributes
c:\users\user\downloads\edcd.ini Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\downloads\filetouch.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\downloads\lang\en.lng Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\downloads\t1850.img Generic Write,Read Attributes
c:\users\user\downloads\tomtom-quickgpsfix-sirfstar.cab Generic Write,Read Attributes
c:\users\user\downloads\wget.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\windows\odbc.ini Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\windows\softwaredistribution\datastore\  Synchronize,Write Attributes
c:\windows\softwaredistribution\datastore\ \111.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\windows\softwaredistribution\datastore\ \111.exe Generic Write,Read Attributes
c:\windows\softwaredistribution\datastore\ \desktop.ini Generic Write,Read Attributes
c:\windows\softwaredistribution\datastore\ \desktop.ini Synchronize,Write Attributes
c:\windows\temp\wget.exe Synchronize,Write Data

Registry Modifications

Key::Value  Data  API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass    RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname    RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet    RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect    RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe  (binary data)  RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe  (binary data)  RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe  (binary data)  RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe    RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe  (binary data)  RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe  (binary data)  RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe  (binary data)  RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475    RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe  (binary data)  RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe  (binary data)  RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475    RegNtPreCreateKey
HKCU\software\odbc\odbc.ini\odbc data sources::purebogenrangliste  Microsoft Access Driver (*.mdb)  RegNtPreCreateKey
HKCU\software\odbc\odbc.ini\purebogenrangliste::driver  C:\WINDOWS\system32\odbcjt32.dll  RegNtPreCreateKey
HKCU\software\odbc\odbc.ini\purebogenrangliste::dbq  C:\Norbert\A_Bogenrangliste\bogenrangliste.mdb  RegNtPreCreateKey
HKCU\software\odbc\odbc.ini\purebogenrangliste::description  Purebogenrangliste  RegNtPreCreateKey
HKCU\software\odbc\odbc.ini\purebogenrangliste::driverid    RegNtPreCreateKey
HKCU\software\odbc\odbc.ini\purebogenrangliste\engines\jet::implicitcommitsync    RegNtPreCreateKey
HKCU\software\odbc\odbc.ini\purebogenrangliste::pwd    RegNtPreCreateKey
HKCU\software\odbc\odbc.ini\purebogenrangliste::safetransactions    RegNtPreCreateKey
HKCU\software\odbc\odbc.ini\purebogenrangliste\engines\jet::threads    RegNtPreCreateKey
HKCU\software\odbc\odbc.ini\purebogenrangliste::uid    RegNtPreCreateKey
HKCU\software\odbc\odbc.ini\purebogenrangliste\engines\jet::usercommitsync  Yes  RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe  (binary data)  RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe  (binary data)  RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475    RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe  (binary data)  RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe    RegNtPreCreateKey
HKCU\system\currentcontrolset\control\mediaproperties\privateproperties\directinput\vid_0627&pid_0001\calibration\0::guid  (binary data)  RegNtPreCreateKey
HKCU\software\microsoft\directinput\mostrecentapplication::version  (binary data)  RegNtPreCreateKey
HKCU\software\microsoft\directinput\mostrecentapplication::name  345C1343E350A29981E9DA923D4820DFFDD579F5_0000075264  RegNtPreCreateKey
HKCU\software\microsoft\directinput\mostrecentapplication::id  345C1343E350A29981E9DA923D4820DFFDD579F5_00000752645ECCEF4900012600  RegNtPreCreateKey
HKCU\software\microsoft\directinput\mostrecentapplication::mostrecentstart  (binary data)  RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75    RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe  (binary data)  RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe  (binary data)  RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe  (binary data)  RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe  (binary data)  RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe  (binary data)  RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe  (binary data)  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows nt\currentversion\windows::appinit_dlls  C:\PROGRA~1\COMMON~1\System\symsrv.dll  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows nt\currentversion\windows::loadappinit_dlls    RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows nt\currentversion\windows::requiresignedappinit_dlls    RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe  (binary data)  RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe  (binary data)  RegNtPreCreateKey
HKCU\local settings\muicache\1b\52c64b7e::@c:\windows\system32\ndfapi.dll,-40001  Windows Network Diagnostics  RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe  (binary data)  RegNtPreCreateKey

Windows API Usage

Category API
Process Shell Execute
  • CreateProcess
  • ShellExecuteEx
  • WriteConsole
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAccessCheckByType
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcAcceptConnectPort
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreatePort
  • ntdll.dll!NtAlpcCreatePortSection
  • ntdll.dll!NtAlpcCreateResourceReserve
  • ntdll.dll!NtAlpcCreateSectionView
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcDeleteSecurityContext
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcQueryInformationMessage
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtAlpcSetInformation
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtCancelWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateNamedPipeFile
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer
  • ntdll.dll!NtCreateTransaction
  • ntdll.dll!NtCreateUserProcess
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtFsControlFile
  • ntdll.dll!NtGetCompleteWnfStateSubscription
  • ntdll.dll!NtImpersonateAnonymousToken
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenKeyTransactedEx
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDirectoryFile
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryEvent
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReadVirtualMemory
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationObject
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory

131 additional items are not displayed above.

Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
User Data Access
  • GetUserObjectInformation
Process Terminate
  • TerminateProcess
Network Winhttp
  • WinHttpOpen
Network Urlomon
  • URLDownloadToFile
Network Winsock2
  • WSAStartup
Service Control
  • OpenSCManager
  • OpenService
Encryption Used
  • BCryptOpenAlgorithmProvider
  • CryptAcquireContext
Other Suspicious
  • AdjustTokenPrivileges
  • SetWindowsHookEx
Keyboard Access
  • GetKeyState
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ReadProcessMemory
Network Winsock
  • connect
  • freeaddrinfo
  • getaddrinfo
  • gethostbyname
  • inet_addr
  • send
  • socket
Network Icmp
  • IcmpCreateFile
  • IcmpSendEcho2Ex

Shell Command Execution

open \56FA.tmp\HUAWEI_FIX_IP.bat "c:\users\user\downloads\deb364d7f3eced7cc76f3f3a2d604f6248f54101_0000047616.exe"
"C:\WINDOWS\sysnative\cmd" /c "\4618.tmp\4619.bat c:\users\user\downloads\463d05658cd4b5872290a87c08b671b3c4f9bda6_0000074240.exe"
"\59B5.tmp\Moto Auto Flash Tool v7.1 By Jamesjerss.bat" "c:\users\user\downloads\e3a781c41852a18426ac204b35e07dc52da87d8c_0000188928"
C:\WINDOWS\system32\mode.com mode con:cols=80lines=150
"C:\WINDOWS\sysnative\cmd" /c "\F346.tmp\F357.bat c:\users\user\downloads\d42000be1f789aeddd5c0da44c5c2f177b0887de_0000184320"
c:\Windows\System32\taskkill.exe taskkill /f /t -im qubnfe.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im Focoger5.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im EnvProdTerminais.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im MovImportar.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im MovExportar.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im PrintSpool.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im FocoPDV.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im FocoRetaguarda.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im Gerenciador.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im AtualizaTerminal.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im FocoGFix.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im Validade.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im sendEmail.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im ApagaArquivos.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im ConfirmaPrecos.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im I9Gerenciador.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im TrazCaixaRotDtH.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im FocoPDVTools.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im BalancaTeste.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im BarCodToVidaLink.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im CancelaPedidos.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im DadosAtualizTerminal.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im DarumaIni.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im DarumaUtils.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im DemoLog2.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im FocoAtualiz.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im Import.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im KeyCods.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im LeUrano.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im TestaImprWindowsRaw.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im AtualizaPrecosDistr1.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im BiometriaWarp.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im CEST.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im CorrigeCusto.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im DadosAtualizRetaguarda.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im DarumaFramework_Delphi.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im Daruma_Framework_Delphi7.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im env_bematech_nfi.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im env_daruma_nfi.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im ExportMov.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im ExportProds.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im FocoBack.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im FocoBackup.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im BitNFe.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im Frequencia.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im GarantirEstSaldoFDB.exe
c:\Windows\System32\taskkill.exe taskkill /f /t -im ImportaSaldo.exe
"C:\WINDOWS\sysnative\cmd" /c "\41D2.tmp\41D3.bat c:\users\user\downloads\65444a0d5afa527445be1fd81fe0f43cc2bf46c4_0000177152"
C:\WINDOWS\system32\mode.com mode con: cols=75 lines=15
C:\WINDOWS\system32\timeout.exe TIMEOUT /T 3 /nobreak
C:\WINDOWS\system32\mode.com mode con: cols=75 lines=28
"C:\WINDOWS\sysnative\cmd" /c "\49EF.tmp\49F0.bat c:\users\user\downloads\69fce80fcfd4bc43239cb65ae964b5beec0ab551_0000071168"
C:\WINDOWS\system32\taskkill.exe taskkill /f /im jqs.exe
C:\WINDOWS\system32\taskkill.exe taskkill /f /im javaw.exe
C:\WINDOWS\system32\taskkill.exe taskkill /f /im java.exe
"C:\WINDOWS\sysnative\cmd" /c "\410C.tmp\410D.bat c:\users\user\downloads\567cc061f9e160adcc35586230467bcd9d711da0_0000226304"
C:\WINDOWS\system32\mode.com mode con lines=30 cols=90
C:\WINDOWS\system32\timeout.exe timeout 3
C:\WINDOWS\system32\netsh.exe netsh advfirewall firewall add rule name="W" dir=out action=block remoteip="43.135.180.235"
C:\WINDOWS\system32\timeout.exe timeout 8
"C:\WINDOWS\sysnative\cmd" /c "\5209.tmp\5219.bat c:\users\user\downloads\d21b3eb4d2348a1040ac9b6aa7819081b10fb27d_0000369664"
C:\WINDOWS\system32\diskmgmt.msc C:\WINDOWS\system32\diskmgmt.msc
open C:\WINDOWS\sysnative\cmd /c "\4300.tmp\4301.bat c:\users\user\downloads\48af7cbcd4c985a0b3cedc58fa46bf59aa8cacd3_0000356864"
WriteConsole:
WriteConsole: c:\users\user\do
WriteConsole: qzdoom\qzdoom.ex
WriteConsole: -file pwads\PSX
WriteConsole: The system canno
"\EC07.tmp\SMD - TomTom 2025.04 SYGIC23 # HERE 2025.03.bat" "c:\users\user\downloads\cb806b2ed71ca4bd9ee985be7c21066b47cbb6a3_0001536000"
C:\WINDOWS\system32\mode.com mode con cols=83 lines=43
open C:\WINDOWS\sysnative\cmd /c "\300A.tmp\Install.cmd "c:\users\user\downloads\84eb0fb190e714333bc237ca89b8e4e3b9aa408a_0000032256""
WriteConsole: IF
WriteConsole: EXIST "C:\Progra
WriteConsole: (
WriteConsole: GOTO
WriteConsole: 64BIT
WriteConsole: )
WriteConsole: ELSE
WriteConsole: 32BIT
WriteConsole: start
WriteConsole: /wait winrar-x6
WriteConsole: /wait rarreg.ex
WriteConsole: END
"C:\WINDOWS\sysnative\cmd" /c "\5D43.tmp\5D44.bat c:\users\user\downloads\866dc223715453a1893e385d679b1198adf22aca_0000443904"
C:\WINDOWS\system32\findstr.exe findstr /v /a:e0 /R "^$" "Connect to shared drives AIG BXL - Y
"C:\WINDOWS\sysnative\cmd" /c "\10B8.tmp\10B9.bat c:\users\user\downloads\407bb19978e9f5c69727bc668acf9d87c0416f86_0000349184"
c:\users\user\downloads\wget.exe "c:\users\user\downloads\wget.exe" -q "http://home.tomtom.com/download/Ephemeris.cab?type=ephemeris&eeProvider=SiRFStarIII&devicecode=2" -O "TomTom-QuickGPSFix-SirfStar.cab"
"C:\WINDOWS\sysnative\cmd" /c "\6182.tmp\6183.bat c:\users\user\downloads\b96bc5295b7033dc6a600cb8411a228e1da7f970_0000072704"
C:\WINDOWS\system32\netsh.exe netsh advfirewall firewall add rule name="MYSQL UDP Porta 3306" dir=in action=allow protocol=UDP localport=3306
C:\WINDOWS\system32\netsh.exe netsh advfirewall firewall add rule name="MYSQL UDP Porta 3306" dir=out action=allow protocol=UDP localport=3306
C:\WINDOWS\system32\netsh.exe netsh advfirewall firewall add rule name="MYSQL TCP Porta 3306" dir=in action=allow protocol=TCP localport=3306
C:\WINDOWS\system32\netsh.exe netsh advfirewall firewall add rule name="MYSQL TCP Porta 3306" dir=out action=allow protocol=TCP localport=3306
C:\WINDOWS\system32\netsh.exe netsh advfirewall firewall add rule name="FIREBIRD UDP Porta 3050" dir=in action=allow protocol=UDP localport=3050
C:\WINDOWS\system32\netsh.exe netsh advfirewall firewall add rule name="FIREBIRD UDP Porta 3050" dir=out action=allow protocol=UDP localport=3050
C:\WINDOWS\system32\netsh.exe netsh advfirewall firewall add rule name="FIREBIRD UDP Porta 3060" dir=in action=allow protocol=UDP localport=3060
C:\WINDOWS\system32\netsh.exe netsh advfirewall firewall add rule name="FIREBIRD UDP Porta 3060" dir=out action=allow protocol=UDP localport=3060
open \1352.tmp\Abrir Carpeta Configuracion.bat "c:\users\user\downloads\14f818b0ef112c0012e7500ca4d211f2ce830aff_0000047104"
C:\WINDOWS\system32\explorer.exe explorer.exe "C:\Users\Kdiuzxxj\OneDrive\Documentos\Dungeon Siege\"
open C:\WINDOWS\sysnative\cmd /c "\632.tmp\643.bat c:\users\user\downloads\4abbaaffd6743b59014aa3f7cd1022c9dc706d9d_0000158208"
C:\WINDOWS\system32\PING.EXE ping mktsimpliza.com.br
WriteConsole: Could Not Find C
WriteConsole: 'wget' is not re
C:\WINDOWS\system32\PING.EXE ping -n 60 -w 1000 0.0.0.1
C:\Program Files (x86)\Common Files\ .exe
C:\WINDOWS\SoftwareDistribution\DataStore\ \111.exe
open \B2C0.tmp\DEL.bat C:\WINDOWS\SoftwareDistribution\DataStore\ \111.exe
"C:\WINDOWS\sysnative\cmd" /c "\A6E9.tmp\A6EA.bat c:\users\user\downloads\72646a31693b20b92d58d0ce1dda923414c197d2_0000178631"
"C:\WINDOWS\sysnative\cmd" /c "\B80A.tmp\B80B.bat c:\users\user\downloads\215e38eaefab80ac0db5feb93ab610dfd9e7c26c_0000083456"
C:\Windows\System32\reg.exe Reg.exe query "HKU\S-1-5-19\Environment"
"\A5C0.tmp\Instalar.cmd" "c:\users\user\downloads\0938c6df4d6cb816441337a2cc2d75503988bc9f_0000232960"
"C:\WINDOWS\sysnative\cmd" /c "\A255.tmp\A256.bat c:\users\user\downloads\83bbbb7f2c7fede8f6aae28de20da0fc2d1ddeb6_0000081920"
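The command lines above repeat a few behaviours: batch scripts executed from a "\XXXX.tmp\" staging directory, long runs of forced taskkill, firewall rules added through netsh, a download by URL, and ping used as a sleep. The Python below is an added example, not code from this page or from any vendor: it runs simple rules over a subset of those lines copied from the listing, and the rule names, severities and patterns are its own choices.

```python
"""Triage sandbox command lines with a handful of behaviour rules and summarise the hits."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    rule: str
    severity: str
    cmdline: str


# Rule names, severities and patterns are this example's own choices, aimed at what the
# listing shows: a .bat/.cmd run from a short hex "\XXXX.tmp\" directory, forced taskkill,
# netsh advfirewall rule additions, a URL on the command line, and ping -n <10+> as a delay.
RULES = [
    ("sfx_tmp_batch", "medium",
     re.compile(r'\\[0-9a-f]{1,4}\.tmp\\[^"]*\.(?:bat|cmd)\b', re.I)),
    ("taskkill_force", "low",
     re.compile(r"\btaskkill(?:\.exe)?\b.*\s/f\b", re.I)),
    ("netsh_firewall_rule", "high",
     re.compile(r"\bnetsh(?:\.exe)?\b.*\badvfirewall\s+firewall\s+add\s+rule\b", re.I)),
    ("url_download", "medium",
     re.compile(r"https?://\S+", re.I)),
    ("ping_delay", "low",
     re.compile(r"\bping(?:\.exe)?\b.*-n\s+[1-9]\d+\b", re.I)),
]
KILL_TARGET_RE = re.compile(r"[/-]im\s+(\S+)", re.I)


def triage(cmdlines) -> list:
    """Return one Hit per (rule, command line) match, in listing order."""
    hits = []
    for line in cmdlines:
        for name, severity, pattern in RULES:
            if pattern.search(line):
                hits.append(Hit(name, severity, line))
    return hits


def summarize(hits) -> dict:
    """Count matches per rule; a tall taskkill count is the 'kill everything first' pattern."""
    return dict(Counter(h.rule for h in hits))


def kill_targets(hits) -> list:
    """Image names handed to taskkill, lower-cased, de-duplicated and sorted."""
    names = set()
    for h in hits:
        if h.rule == "taskkill_force":
            names.update(m.lower() for m in KILL_TARGET_RE.findall(h.cmdline))
    return sorted(names)


# A subset of the "Shell Command Execution" entries above, used as constructed input.
SAMPLE_CMDLINES = [
    r'"C:\WINDOWS\sysnative\cmd" /c "\4618.tmp\4619.bat c:\users\user\downloads\463d05658cd4b5872290a87c08b671b3c4f9bda6_0000074240.exe"',
    r'"\A5C0.tmp\Instalar.cmd" "c:\users\user\downloads\0938c6df4d6cb816441337a2cc2d75503988bc9f_0000232960"',
    r"c:\Windows\System32\taskkill.exe taskkill /f /t -im FocoPDV.exe",
    r"C:\WINDOWS\system32\taskkill.exe taskkill /f /im javaw.exe",
    r'C:\WINDOWS\system32\netsh.exe netsh advfirewall firewall add rule name="W" dir=out action=block remoteip="43.135.180.235"',
    r'C:\WINDOWS\system32\netsh.exe netsh advfirewall firewall add rule name="MYSQL TCP Porta 3306" dir=in action=allow protocol=TCP localport=3306',
    r'c:\users\user\downloads\wget.exe "c:\users\user\downloads\wget.exe" -q "http://home.tomtom.com/download/Ephemeris.cab?type=ephemeris&eeProvider=SiRFStarIII&devicecode=2" -O "TomTom-QuickGPSFix-SirfStar.cab"',
    r"C:\WINDOWS\system32\PING.EXE ping -n 60 -w 1000 0.0.0.1",
    r"C:\WINDOWS\system32\mode.com mode con: cols=75 lines=15",
]

if __name__ == "__main__":
    found = triage(SAMPLE_CMDLINES)
    for h in found:
        print(f"[{h.severity}] {h.rule}: {h.cmdline[:72]}")
    print(summarize(found))
    print(kill_targets(found))
```

Treat the hits as triage leads, not verdicts: the MySQL and Firebird port rules could well be an installer opening ports for its own database, and the TomTom download is a plain HTTP fetch by wget. What separates a downloader from an installer in this listing is the combination (staging batch, mass taskkill, firewall change, outbound fetch) on one host, which is why the per-rule counts and the taskkill target list are returned alongside the individual matches.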
