Threat Feed
nz.sh
2026-07-17T20:13:16.123
malicious
Shell Script
Close
nz.sh
malicious
SHA256:
a92eff9facee7e09d3c4090355af7a0ab3777534d6658b5d44e4b7f475cc2d3a
VMRay Threat Identifiers
Close
Severity
Operation
5/5
Malicious content matched by YARA rules
2/5
Tries to execute downloaded binary of different architecture than the host
2/5
Downloads file
1/5
Connects to remote host
Downloader
Master Bill .lnk
2026-07-17T20:07:26.895
malicious
Windows Batch File (Shell Link)
Close
Master Bill .lnk
malicious
SHA256:
da50eb6030b8760f13c2e1fbd9d325b15f06e5c6f015b38c2c2ffde870b7ac0c
VMRay Threat Identifiers
Close
Severity
Operation
4/5
Attempts to connect through HTTP
4/5
Makes indirect system call to possibly evade hooking based monitoring
3/5
Suspicious content matched by YARA rules
3/5
Modifies native system functions
3/5
Deletes file after execution
3/5
Loads dropped dll via known dll loaders
3/5
Bypasses PowerShell execution policy
3/5
Schedules task
2/5
Executes dropped PE file
2/5
Writes an unusually large amount of data to the registry
2/5
Performs DNS request
2/5
Tries to connect using an uncommon port
2/5
Drops PE file
2/5
Loads a dropped DLL
2/5
Executes PowerShell without default profile
2/5
Executes PowerShell with hidden window
1/5
Query OS Information
1/5
Connects to remote host
1/5
Queries system time
1/5
Accesses Microsoft Security Software registry keys
1/5
Creates mutex
orden_560360580__________.js
2026-07-17T20:00:22.104
malicious
JScript
Close
orden_560360580__________.js
malicious
SHA256:
9f6cd3ea392971c0b581c2ff97dc1ab238ff49b98ad06a0e41023860791379f1
VMRay Threat Identifiers
Close
Severity
Operation
5/5
Monitors keyboard input
5/5
XWorm configuration was extracted
5/5
Malicious content matched by YARA rules
5/5
Combination of other detections shows multiple input capture behaviors
4/5
Process Hollowing
4/5
Reads from memory of another process
4/5
Tries to detect the presence of antivirus software
4/5
Writes into the memory of another process
4/5
Attempts to connect through HTTP
3/5
Executes PowerShell commands from environment variables
3/5
Obfuscates control flow
3/5
Schedules task
2/5
Enables process privileges
2/5
Tries to detect debugger
2/5
Collects hardware properties
2/5
Performs DNS request
2/5
Writes an unusually large amount of data to the registry
2/5
Queries OS info via WMI
2/5
Tries to connect using an uncommon port
2/5
Executes PowerShell without default profile
1/5
Queries system time
1/5
Accesses volumes directly
1/5
Connects to remote host
1/5
URL contains a TLD highly associated with phishing
1/5
Executes PowerShell commands
1/5
Query OS Information
1/5
Enumerates running processes
1/5
Creates mutex
1/5
Accesses Microsoft Security Software registry keys
Spyware
Keylogger
Injector
Detailed_Request_scanned_copy_07_16_2026_ipj_group_selected_files.vbe
2026-07-17T19:59:01.284
malicious
VBScript
Close
Detailed_Request_scanned_copy_07_16_2026_ipj_group_selected_files.vbe
malicious
SHA256:
af29c7b1532d6a87b6bb49093077652d0a7060c4c4597af64e2bbfa1c88808ee
VMRay Threat Identifiers
Close
Severity
Operation
5/5
GuLoader configuration was extracted
5/5
Remcos configuration was extracted
5/5
Malicious content matched by YARA rules
4/5
Makes unaligned API calls to possibly evade hooking based sandboxes
4/5
Reads from memory of another process
3/5
Reads installed applications
3/5
Reads sensitive mail data
3/5
Modifies native system functions
2/5
Searches for sensitive application data
2/5
Searches for sensitive browser data
2/5
Searches for sensitive mail data
2/5
Possibly does reconnaissance
2/5
Enumerates running processes
2/5
Performs DNS request
2/5
Suspicious content matched by YARA rules
1/5
Accesses Microsoft Security Software registry keys
Backdoor
Downloader
cmutil.dll
2026-07-17T19:48:05.499
malicious
Windows DLL (x86-64)
Close
cmutil.dll
malicious
SHA256:
c13be88a14d2c50b4e5ebca6b490fd6b8a6982555051c58b1d45fef6011671ee
VMRay Threat Identifiers
Close
Severity
Operation
5/5
Malicious content matched by YARA rules
3/5
Uses HTTP to upload a large amount of data
3/5
Reads installed applications
3/5
Tries to evade debugger
2/5
Tries to detect virtual machine
2/5
Delays execution
2/5
Dead Drop Resolver
1/5
Enumerates running processes
1/5
Query OS Information
1/5
URL contains a TLD highly associated with phishing
1/5
Creates mutex
1/5
Tries to detect debugger
1/5
Resolves API functions dynamically
1/5
Query CPU Properties
Spyware