HEUR:Backdoor.Java.Agent.a

By JubileeX in Backdoors

Threat Scorecard

Popularity Rank: 2,480
Threat Level: 100 % (High)
Infected Computers: 10,100
First Seen: January 31, 2014
Last Seen: February 4, 2026
OS(es) Affected: Windows

HEUR:Backdoor.Java.Agent.a is a backdoor whose purpose is to launch DDoS attacks against targets chosen by its operators. Its most threatening trait is that it is not tied to one operating system: whereas most earlier DDoS bots ran only on Windows, malware analysts have observed HEUR:Backdoor.Java.Agent.a launching DDoS attacks from Mac OS and Linux machines as well. The rise of threats like HEUR:Backdoor.Java.Agent.a suggests that DDoS attacks are likely to increase in the future.

HEUR:Backdoor.Java.Agent.a – Another Misuse for Java

Malware analysts have reported a cross-platform, Java-based DDoS bot. HEUR:Backdoor.Java.Agent.a is a Java application, so it runs on any operating system with a Java runtime, which widens its reach to Mac OS and Linux as well as Windows. The flip side is that the bot cannot run without a JVM: disabling Java, or installing it only where it is strictly necessary, prevents HEUR:Backdoor.Java.Agent.a from executing on that machine. Even so, the most reliable way to stop HEUR:Backdoor.Java.Agent.a is to avoid unsafe online content and keep a reputable security application running.

Analysts who have studied HEUR:Backdoor.Java.Agent.a have found it strongly obfuscated with Zelix KlassMaster, which slows reverse engineering and the development of detection and removal guidance; its behaviour, however, is straightforward. After infecting a computer, HEUR:Backdoor.Java.Agent.a establishes persistence so that it starts with the operating system: on Windows it modifies the Windows Registry, on an Apple computer it registers itself with the system's automatic launch service, and on Linux it adds itself to /etc/init.d/. Once installed, it connects to its Command and Control server over IRC. The criminals use IRC to send the bot a simple command containing the target's IP address and the type and intensity of the DDoS attack to carry out. The bot can flood a target using several protocols, and the number of threads can be specified to make the attack more or less severe.
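The three persistence locations described above are what an incident responder should check first on a suspect host. The Python script below is an added example written for this page, not code from the original write-up or from the bot itself. It assumes the standard autostart locations on each platform (the HKCU and HKLM Run keys on Windows, the launchd plist directories on macOS, and /etc/init.d on Linux) and uses a simple heuristic: any entry that runs java or javaw, or loads a .jar, is flagged. The bot's own file and service names are not given on the page, so the sample entries embedded in the script are constructed for illustration.

```python
"""Hunt for Java programs registered to start at boot or login.

Added example, not code from the original page: it walks the three autostart
locations the write-up names (Windows Registry Run keys, macOS launchd plists,
/etc/init.d on Linux) and flags entries that start a JVM or load a .jar. The
paths, the heuristic and the sample data below are assumptions.
"""
import os
import plistlib
import re

# A command launches Java if it runs java/javaw (optionally .exe) as a word
# or references a .jar file anywhere on the line.
_JVM_RE = re.compile(
    r"(?:^|[\\/\s\"'])(?:java|javaw)(?:\.exe)?(?=[\s\"']|$)|\.jar\b", re.I)

def is_jvm_launch(command: str) -> bool:
    """True if an autostart command line starts a JVM or references a JAR."""
    return bool(_JVM_RE.search(command))

def launchd_command(plist_bytes: bytes) -> str:
    """Reconstruct the command line a launchd job runs from its plist."""
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments") or [job.get("Program", "")]
    return " ".join(str(a) for a in args)

def windows_run_entries():
    """Yield (location, name, command) from the HKCU and HKLM Run keys."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return
    subkey = r"Software\Microsoft\Windows\CurrentVersion\Run"
    for root, label in ((winreg.HKEY_CURRENT_USER, "HKCU"),
                        (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        try:
            with winreg.OpenKey(root, subkey) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, value, _ = winreg.EnumValue(key, i)
                    yield (label + "\\" + subkey, name, str(value))
        except OSError:
            continue

def macos_launch_entries():
    """Yield (location, file, command) for every launchd plist found."""
    for d in (os.path.expanduser("~/Library/LaunchAgents"),
              "/Library/LaunchAgents", "/Library/LaunchDaemons"):
        if not os.path.isdir(d):
            continue
        for fn in os.listdir(d):
            if fn.endswith(".plist"):
                try:
                    with open(os.path.join(d, fn), "rb") as f:
                        yield (d, fn, launchd_command(f.read()))
                except (OSError, ValueError, plistlib.InvalidFileException):
                    continue

def linux_initd_entries():
    """Yield (location, script, contents) for every script in /etc/init.d."""
    d = "/etc/init.d"
    for fn in (os.listdir(d) if os.path.isdir(d) else []):
        try:
            with open(os.path.join(d, fn), "r", errors="replace") as f:
                yield (d, fn, f.read())
        except OSError:
            continue

def suspicious_autostarts(entries):
    """Keep only the (location, name, command) entries that launch Java."""
    return [e for e in entries if is_jvm_launch(e[2])]

def scan_host():
    """Flag JVM autostarts from whichever locations exist on this host."""
    entries = (list(windows_run_entries()) + list(macos_launch_entries())
               + list(linux_initd_entries()))
    return suspicious_autostarts(entries)

# Constructed sample entries (no real host data) to exercise the classifier
# offline; names and paths are made up.
SAMPLE_ENTRIES = [
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "OneDrive",
     '"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "JavaUpdate",
     '"C:\\Program Files\\Java\\jre8\\bin\\javaw.exe" -jar "C:\\Users\\u\\AppData\\Roaming\\.svc\\svc.jar"'),
    ("/etc/init.d", "netcheck",
     "#!/bin/sh\n/usr/bin/java -cp /var/tmp/.cache/x.jar Main &\n"),
]
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Label</key><string>com.example.updatesvc</string>
<key>ProgramArguments</key><array><string>/usr/bin/java</string><string>-jar</string>
<string>/Users/u/Library/.svc/svc.jar</string></array><key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    # Sample hits first, then whatever the live host turns up.
    for loc, name, cmd in suspicious_autostarts(SAMPLE_ENTRIES) + scan_host():
        print("[!] %s :: %s -> %s" % (loc, name, cmd.strip()))
```

The heuristic is deliberately broad: legitimate Java software (updaters, IDE helpers) will also be flagged, so the output is a triage list, not a verdict. On a real host, compare each hit against the installing package and check whether the .jar lives in a temp or hidden directory, as the sample entries do.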

Analysis Report

Note: the sample data below comes from a heuristic detection bucket (family name HEUR.Malware.FakeAdb.Generic, no static signature). The listed files are Windows PE executables and installers (Inno Setup, NSIS, AutoIt, WinRAR SFX), not Java archives, so these hashes and the behaviours recorded from them should not be assumed to belong to the Java IRC bot described above.

General information

Family Name: HEUR.Malware.FakeAdb.Generic
Signature status: No Signature

Known Samples

MD5: 6f45af5a22fd189640b16666cc835bb7
SHA1: 209f9b6b328c31d70dbd681e544bc8471fd4ede3
File Size: 128.84 KB, 128839 bytes
MD5: 5395ecc29ea073194241b33090653b2a
SHA1: e5681b546a1691977bf72de423003ae6a5f04235
File Size: 671.23 KB, 671232 bytes
MD5: 2476fad160dbf106bd3d0698bb2d09d2
SHA1: ef8c628351daba69dbf97d08da57095717ba54be
File Size: 558.08 KB, 558080 bytes
MD5: 6f3e3dda4f45d51448524300cafd719c
SHA1: 430efe826c6b70f84199f7932fea8b1f37a2529d
SHA256: AC9994B2EFDB4783E64769F8860EE3806D480CB9A25AD0B75D4A72C2790F0AD9
File Size: 607.05 KB, 607048 bytes
MD5: ede1610dfa106dc9400e94d782a423ca
SHA1: 5dfc8842587b44cd6dd3ef46e201004e45a5201b
SHA256: D1F101DCE18BCC31B6714D3F89C275E53B1C29D8A82B7BB43C7CBAF46A278917
File Size: 2.75 MB, 2749425 bytes
MD5: 4328a3203815a8919203083db45045c9
SHA1: fc69f1ea363622d08989b7c3fd3c7db7d961ee7c
SHA256: 606F6DA2E63F99751C48B49679539256E2680D6F10286CA4D0A636FA026D1ECF
File Size: 797.66 KB, 797664 bytes
MD5: 11d458606be7fe39c9473901c180e544
SHA1: baa1e998ac1a5ccadbde40000e502967fdb661ec
SHA256: EA8E741836B894439DA1EA83AC69D04DB9CB3B1F8E1A3DB84C8088086C375CDB
File Size: 427.44 KB, 427436 bytes
MD5: 568ba43db0410e4dd7c01d424b9e1d32
SHA1: cd6b0a2eed408d912716d5ac699ea962e4469800
SHA256: DDCB89832F68FD89368EDEAFA2727546A44D19BEF9E5C3F6D13EAB6C75B90D12
File Size: 427.44 KB, 427436 bytes
MD5: c94a0a06e75c6200efb8e408b6b2d26d
SHA1: d3b5a5d7fc1f38674819e631f55e9b45d9f0d170
SHA256: 31AB24F882C8CBBF11A2D3B37ED11B90F160B5D7BA4989793C5044C6EB323517
File Size: 1.88 MB, 1875870 bytes
MD5: dae59d618256ce8d099d1a72ed6b4678
SHA1: c15346651b97b104371b07fe80686c93c8dc73d7
SHA256: C4FD677FFEF781D6F4B1E08444FC844F6B923B136A74FCAA2B8D289D9E802D3B
File Size: 427.43 KB, 427428 bytes
MD5: e0bdfa63d5cd9b80ab3371153bab1609
SHA1: 4b5e57d24b8a8075139f555e4735eb8bd8d0440d
SHA256: C408E8E7A5932CAF0F088799E852D736AE3C01AFD24C34F627F30775AC1FA9AA
File Size: 6.43 MB, 6431744 bytes
MD5: dc43073ba3d297beb74ca96d328935c9
SHA1: 9fc6f55b561c6c99eeba0246f81ab4b7d78c365d
SHA256: 50810D55A32C0BC9844A42806AE382890BAAF9C7311B7328848AD93ED0809366
File Size: 427.41 KB, 427412 bytes
MD5: cc816b560087cea90dabccff8e748910
SHA1: 893bfb63a05fc5b6320cd833bf1a9c063de7139f
SHA256: E39D3B33BA47EE294EFA185FBB8393B3542BD3612A99B8BABD3CA1EC0E232A42
File Size: 120.95 KB, 120953 bytes
MD5: 2e85b234a732ef54b40563232fd98447
SHA1: 56589da434c609097b269b325a841419d1ff751f
SHA256: 0B9DE940855494FE4569996730034868E64E15137F7583CB679B0EB38CBB40DD
File Size: 120.95 KB, 120953 bytes
MD5: 4b8a8db66007e9f451a563892ad6ace5
SHA1: c7e146246cd68c77f2a70a1c8e835cd6ca50fd21
SHA256: 336B63150437B698022928198EE18E63D8A3D3A87839A85BBBEB4AFD1CAE42BA
File Size: 120.98 KB, 120981 bytes
MD5: 4445c10b356aee72426c5e09fedd8be0
SHA1: 644e23f234ee604e6a46532bef73ab975b8f9f94
SHA256: F10416D602459C4A9AB67E5F4A5462633506C918C84926232C3FB5D83677BC2A
File Size: 6.43 MB, 6431744 bytes
MD5: 1d47649aa66cdcb812bb7134187fc593
SHA1: cd4e322839fb5739a1236ef56ff7f6b97030c1b4
SHA256: C0E90E6AB7AF32DB24C3F191C9A6CEA9F16BF9C151358A27D017545E03AA6CB7
File Size: 3.86 MB, 3863552 bytes
MD5: dcff94f8bb92076cd80dd0c9b94303e7
SHA1: 04e7698c1f617b11a85d24170ff11fca89e96280
SHA256: 2E3116413D40A1707F4A02BBF1F5950C45E6956323DE23BFE860FCDF2C3290AC
File Size: 120.95 KB, 120948 bytes
MD5: b402cc6aee63aa314c83089d587638da
SHA1: 7aab897fd77b48f2604cfba9b6ffcef3b2298dd6
SHA256: 2F266077ABAFAD910FB911C1C6389DFACA151680FDEBA09AD83A834469B4CA9B
File Size: 3.84 MB, 3840788 bytes
MD5: 089e9a725a4b5a20eb5d400232028682
SHA1: 5f55fa4aaa0d79541feba8282f2ccebec5ad5e3b
SHA256: B3EE237C1B65F09B98F082952AE02020113CEDE718EDE2AE240C1AAF11A8A23D
File Size: 6.43 MB, 6431744 bytes
MD5: 704a685a7e5f2ead1f17916003e87e56
SHA1: c21befc5badec93ca7d3ae698267cf55ccfe764f
SHA256: F5C8022ECD241576962E64952DD1781518EB59C364F786B65940CC66C610F7CC
File Size: 342.14 KB, 342144 bytes
MD5: 6f3410e62ffdfd59060ecb054e17a7c2
SHA1: 693e223a512c47dae57f1f2fad14f6de2c43f01a
SHA256: 53B17BEA09A849B0FDDC5EBC06A893A408B6FB17650F89EA65F36FBED76FE321
File Size: 121.51 KB, 121507 bytes
MD5: 461c30c65035b83c824bce755fe957f8
SHA1: d778b4d49c93f1966e45f7c84f7dac987de1522d
SHA256: 9F4EB8B0EEB353AF0DA0D5A2A3E03755542CC5EA188B1414A91AE8B983F00564
File Size: 575.30 KB, 575304 bytes
MD5: 6abc94e9b6b9b658cb745b647fea4cd0
SHA1: da9dce4cd0335faace1a19df3e34dc40d0d94b0e
SHA256: 9ADA971CC4227AA78BA7C97E005224C0968AB389A191BAE9E5450830AFDE075B
File Size: 45.06 KB, 45056 bytes
MD5: f7ae13c38ed0973465e4267c65504d6d
SHA1: d383f0bfa4a37e5137dfc637d9f5f4de355454be
SHA256: 9C0ED1326C561DD148CEE8C9F1F2E45E5CF94C4F4378EDAC72DEA45D675EFBCC
File Size: 417.08 KB, 417077 bytes
MD5: 29a9326d06b5380f90d79504395701dc
SHA1: 9eb4d4101cd8eb8a398664afdddc6ff00b272358
SHA256: F304F0FA66DFD3E25AF901AEEAEA004E31E0EEC71E6E16DAF7FCBAD2745ECF8A
File Size: 120.98 KB, 120981 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has been packed
  • File has exports table
  • File has TLS information
  • File is .NET application
  • File is 32-bit executable
  • File is 64-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Assembly Version
  • 20.0.27.0
  • 1.0.0.0
Comments
  • Created with AutoPlay Media Studio (www.indigorose.com)
  • This installation was built with Inno Setup.
  • Visualizzatore di file in formato PDF
Company Name
  • Boxoft Solution
  • Coy Flatley
  • Dreamify Corp
  • Erin Zieme
  • Flexera
  • Lavern Bode
  • Microsoft Corporation
  • Millennium s.r.l. Company
  • Priscilla Tremblay
  • Theron Prohaska
  • WK Sistemas
Compiled Script AutoIt v3 Script: 3, 3, 6, 1
File Description
  • Block Firewall for Adobe Acrobat Pro DC.
  • Block hosts for Adobe Acrobat Pro.
  • Boxoft PDF to Flash (freeware) Setup
  • Emiliano McCullough
  • HERE Manager Setup
  • InstallShield
  • Lee Greenfelder
  • Lelia
  • Mac Harvey
  • MillePdfViewer
  • PdfFlowline
  • Vladimir Cartwright
File Version
  • 2024.005.20982.0
  • 2024.005.20918.0
  • 2024.005.20744.0
  • 2024.005.20693.0
  • 2024.005.20467.0
  • 2024.005.20458.0
  • 2024.005.20432.0
  • 26.0.720
  • 20.0.27.0
  • 6.3.1
  • 6, 17, 0, 567
  • 6, 12, 0, 492
  • 3, 3, 6, 1
  • 1.1.4
  • 1.1.3
  • 1.0.0.0
Internal Build Number 202227
Internal Name
  • ams_runtime
  • Lelia
  • MillePdfViewer.exe
  • PdfFlowline.exe
  • _IsIcoRes.exe
Legal Copyright
  • 7997
  • Copyright (C) 2015 GitHub, Inc. All rights reserved.
  • Copyright (c) 2020 Flexera. All Rights Reserved.
  • Copyright © 2010
  • Copyright © 2023 Coy Flatley
  • Copyright © 2023 Lavern Bode
  • Copyright © 2023 Priscilla Tremblay
  • Copyright © 2023 Theron Prohaska
  • Copyright © Microsoft. All rights reserved.
  • Copyright © Millennium s.r.l. Company 2014
  • © WK Sistemas
Legal Trademarks © WK Sistemas
Original Filename
  • Lelia.exe
  • MillePdfViewer.exe
  • PdfFlowline.exe
  • PSCS6.exe
  • _IsIcoRes.exe
Product Name
  • BlockFirewall
  • Block Hosts
  • Boxoft PDF to Flash (freeware)
  • HERE Manager
  • InstallShield
  • Julien
  • Lelia
  • MillePdfViewer
  • Myles
  • PDF Flowline
  • Radar
  • Rico
  • Tad
Product Version
  • 2024.005.20982.0
  • 2024.005.20918.0
  • 2024.005.20744.0
  • 2024.005.20693.0
  • 2024.005.20467.0
  • 2024.005.20458.0
  • 2024.005.20432.0
  • 26.0
  • 20.0.27.0
  • 10.0.19041.1
  • 6.3.1
  • 6, 17, 0, 567
  • 6, 12, 0, 492
  • 1.1.4
  • 1.1.3
  • 1.0.0.0
Squirrel Aware Version 1
Requested-execution-level asInvoker

Digital Signatures

Signer             Root               Status
MILLENNIUM S.P.A.  MILLENNIUM S.P.A.  Self Signed
Valve              Valve              Self Signed
WK Sistemas        WK Sistemas        Self Signed

File Traits

  • .NET
  • 2+ executable sections
  • AMS
  • Autoit
  • fptable
  • HighEntropy
  • imgui
  • Inno
  • InnoSetup Installer
  • Installer Manifest
  • Installer Version
  • nosig nsis
  • No Version Info
  • Nullsoft Installer
  • packed
  • RAR (In Overlay)
  • RARinO
  • VirtualQueryEx
  • WinRAR SFX
  • WRARSFX
  • WriteProcessMemory
  • x64
  • x86

Block Information

Total Blocks: 101
Potentially Malicious Blocks: 0
Whitelisted Blocks: 101
Unknown Blocks: 0

Visual Map

All 101 blocks are classified as probable safe (0). Legend: 0 = probable safe block, ? = unknown block, x = potentially malicious block.

Similar Families

  • Agent.LA
  • Agent.XFM
  • Autoit
  • BadJoke.XA
  • Banker.AR
  • Bitcoinminer.BDA
  • Bitcoinminer.BDB
  • Bitcoinminer.DJE
  • Brute.BHA
  • Chapak.HBX
  • Chinflej.A
  • CobaltStrike.GI
  • CobaltStrike.GIA
  • Delf.PA
  • Delf.XB
  • Lnkhyd.A
  • MSILZilla.TC
  • Quasar.CB
  • Rozena.H
  • Rozena.XC
  • Rugmi.T
  • Sckeylog.C
  • Trojan.Agent.Gen.VN

Files Modified

File Attributes
\device\namedpipe Generic Read,Write Attributes
\device\namedpipe Generic Write,Read Attributes
\device\namedpipe\gmdasllogger Generic Write,Read Attributes
\device\namedpipe\wkssvc Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\4h4ahpgk\4h4ahpgk.0.cs Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\4h4ahpgk\4h4ahpgk.cmdline Generic Write,Read Attributes
c:\users\user\appdata\local\temp\4h4ahpgk\4h4ahpgk.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\4h4ahpgk\4h4ahpgk.err Generic Write,Read Attributes
c:\users\user\appdata\local\temp\4h4ahpgk\4h4ahpgk.out Generic Write,Read Attributes
c:\users\user\appdata\local\temp\4h4ahpgk\4h4ahpgk.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-64m5i.tmp\5dfc8842587b44cd6dd3ef46e201004e45a5201b_0002749425.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-n9sm2rgiib.tmp\7aab897fd77b48f2604cfba9b6ffcef3b2298dd6_0003840788.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-yi8ujdjzld.tmp\_isetup\_isdecmp.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-yi8ujdjzld.tmp\_isetup\_setup64.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\nsb911f.tmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsb911f.tmp\nsexec.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsb911f.tmp\nsexec.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsb911f.tmp\stdutils.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsb911f.tmp\stdutils.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsb911f.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsb911f.tmp\system.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsb911f.tmp\winshell.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsb911f.tmp\winshell.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nse6718.tmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nse6718.tmp\nsexec.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nse6718.tmp\nsexec.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nse6718.tmp\stdutils.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nse6718.tmp\stdutils.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nse6718.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nse6718.tmp\system.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nse6718.tmp\winshell.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nse6718.tmp\winshell.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsmdab4.tmp\nsexec.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsme0aa.tmp\nsexec.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsme0aa.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsq6220.tmp\nsexec.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsq8e14.tmp\nsexec.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nss68b2.tmp\nsexec.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsuc99e.tmp\nsexec.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsuc99e.tmp\stdutils.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsuc99e.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsw2452.tmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsw2452.tmp\nsexec.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsw2452.tmp\nsexec.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsw2452.tmp\stdutils.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsw2452.tmp\stdutils.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsw2452.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsw2452.tmp\system.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsw2452.tmp\winshell.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsw2452.tmp\winshell.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsya9e8.tmp\nsexec.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsz4cf.tmp\nsexec.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\~nsua.tmp\un_a.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\windows\appcompat\programs\amcache.hve Read Data,Read Control,Write Data
c:\windows\appcompat\programs\amcache.hve Write Attributes

Registry Modifications

Key::Value  Data  API Name
(Values marked "(binary data)" hold non-text content, such as BAM last-execution timestamps, that does not render as text.)
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe  (binary data; written repeatedly across runs)  RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations  \??\C:\Users\Tkgoahnq\AppData\Local\Temp\~nsuA.tmp\Un_A.exe  RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations  \??\C:\Users\Tkgoahnq\AppData\Local\Temp\~nsuA.tmp\Un_A.exe\??\C:\Users\Tkgoahnq\AppData\Local\Temp\~nsuA.tmp  RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations  \??\C:\Users\Tkgoahnq\AppData\Local\Temp\nsb911F.tmp\  RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations  \??\C:\Users\Brdwhbjc\AppData\Local\Temp\~nsuA.tmp\Un_A.exe  RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations  \??\C:\Users\Brdwhbjc\AppData\Local\Temp\~nsuA.tmp\Un_A.exe\??\C:\Users\Brdwhbjc\AppData\Local\Temp\~nsuA.tmp  RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations  \??\C:\Users\Brdwhbjc\AppData\Local\Temp\~nsuA.tmp\Un_A.exe\??\C:\Users\Brdwhbjc\AppData\Local\Temp\~nsuA.tmp\??\C:\Users\Br  RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations  \??\C:\Users\Jbiivguf\AppData\Local\Temp\~nsuA.tmp\Un_A.exe  RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations  \??\C:\Users\Jbiivguf\AppData\Local\Temp\~nsuA.tmp\Un_A.exe\??\C:\Users\Jbiivguf\AppData\Local\Temp\~nsuA.tmp  RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations  \??\C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.205.9\??\C:\Windows\SystemTemp\18e967ed-b0b1-41c8-87ae-0663f0317f37.tmp\  RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75  (binary data)  RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect  RegNtPreCreateKey

Windows API Usage

Category API
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
User Data Access
  • GetComputerNameEx
  • GetUserDefaultLocaleName
  • GetUserObjectInformation
Process Shell Execute
  • CreateProcess
  • ShellExecute
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • UNKNOWN
  • win32u.dll!NtGdiAnyLinkedFonts
  • win32u.dll!NtGdiBitBlt
  • win32u.dll!NtGdiCreateBitmap
  • win32u.dll!NtGdiCreateCompatibleBitmap
  • win32u.dll!NtGdiCreateCompatibleDC
  • win32u.dll!NtGdiCreateDIBitmapInternal
  • win32u.dll!NtGdiCreateRectRgn
  • win32u.dll!NtGdiCreateSolidBrush
  • win32u.dll!NtGdiDeleteObjectApp
  • win32u.dll!NtGdiDoPalette
  • win32u.dll!NtGdiDrawStream
  • win32u.dll!NtGdiExtGetObjectW
  • win32u.dll!NtGdiExtTextOutW
  • win32u.dll!NtGdiFontIsLinked
  • win32u.dll!NtGdiGetCharABCWidthsW
  • win32u.dll!NtGdiGetDCDword
  • win32u.dll!NtGdiGetDCforBitmap
  • win32u.dll!NtGdiGetDCObject
  • win32u.dll!NtGdiGetDeviceCaps
  • win32u.dll!NtGdiGetDIBitsInternal
  • win32u.dll!NtGdiGetEntry
  • win32u.dll!NtGdiGetFontData
  • win32u.dll!NtGdiGetGlyphIndicesW
  • win32u.dll!NtGdiGetOutlineTextMetricsInternalW
  • win32u.dll!NtGdiGetRandomRgn
  • win32u.dll!NtGdiGetRealizationInfo
  • win32u.dll!NtGdiGetTextFaceW
  • win32u.dll!NtGdiGetTextMetricsW
  • win32u.dll!NtGdiGetWidthTable
  • win32u.dll!NtGdiHfontCreate
  • win32u.dll!NtGdiIntersectClipRect
  • win32u.dll!NtGdiQueryFontAssocInfo
  • win32u.dll!NtGdiRestoreDC

66 additional items are not displayed above.

Process Terminate
  • TerminateProcess
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ReadProcessMemory
  • ZwMapViewOfSection
Encryption Used
  • BCryptOpenAlgorithmProvider
  • CryptAcquireContext
Other Suspicious
  • AdjustTokenPrivileges
Network Winsock2
  • WSAStartup
Service Control
  • OpenSCManager
  • OpenService

Shell Command Execution

taskkill /F /IM armsvc.exe
taskkill /F /IM AGSService.exe
taskkill /F /IM AGMService.exe
"C:\Users\Igyrhwht\AppData\Local\Temp\is-64M5I.tmp\5dfc8842587b44cd6dd3ef46e201004e45a5201b_0002749425.tmp" /SL5="$701F4,2507560,54272,c:\users\user\downloads\5dfc8842587b44cd6dd3ef46e201004e45a5201b_0002749425"
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Sbjwfetn\AppData\Local\Temp\4h4ahpgk\4h4ahpgk.cmdline"
"C:\Users\Tkgoahnq\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Rico.exe" | %SYSTEMROOT%\System32\find.exe "Rico.exe"
C:\WINDOWS\system32\tasklist.exe tasklist /FI "USERNAME eq Tkgoahnq" /FI "IMAGENAME eq Rico.exe"
C:\WINDOWS\System32\find.exe C:\WINDOWS\System32\find.exe "Rico.exe"
"C:\Users\Brdwhbjc\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Julien.exe" | %SYSTEMROOT%\System32\find.exe "Julien.exe"
C:\WINDOWS\system32\tasklist.exe tasklist /FI "USERNAME eq Brdwhbjc" /FI "IMAGENAME eq Julien.exe"
C:\WINDOWS\System32\find.exe C:\WINDOWS\System32\find.exe "Julien.exe"
"C:\Users\Jbiivguf\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Myles.exe" | %SYSTEMROOT%\System32\find.exe "Myles.exe"
C:\WINDOWS\system32\tasklist.exe tasklist /FI "USERNAME eq Jbiivguf" /FI "IMAGENAME eq Myles.exe"
C:\WINDOWS\System32\find.exe C:\WINDOWS\System32\find.exe "Myles.exe"
"C:\Users\Xzcdikrg\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Tad.exe" | %SYSTEMROOT%\System32\find.exe "Tad.exe"
C:\WINDOWS\system32\tasklist.exe tasklist /FI "USERNAME eq Xzcdikrg" /FI "IMAGENAME eq Tad.exe"
C:\WINDOWS\System32\find.exe C:\WINDOWS\System32\find.exe "Tad.exe"
netsh advfirewall firewall add rule name="Acrobat.exe" dir=in action=block program="\Acrobat.exe" enable=yes profile=any
netsh advfirewall firewall add rule name="AcroCEF.exe" dir=in action=block program="\AcroCEF\AcroCEF.exe" enable=yes profile=any
netsh advfirewall firewall delete rule name="Acrobat.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\\dw20.exe dw20.exe -x -s 852
"C:\Users\Vgjqptle\AppData\Local\Temp\is-N9SM2RGIIB.tmp\7aab897fd77b48f2604cfba9b6ffcef3b2298dd6_0003840788.tmp" /SL5="$60368,2752995,893440,c:\users\user\downloads\7aab897fd77b48f2604cfba9b6ffcef3b2298dd6_0003840788"
(NULL) c:\users\user\downloads\7aab897fd77b48f2604cfba9b6ffcef3b2298dd6_0003840788 /VERYSILENT /PASSWORD=0fba05a7-db88-44a4-9508-00d6a0b51919
msiexec.exe /i AcroRead.msi /qn
trdil.exe
x.bat
netsh advfirewall firewall delete rule name="AcroCEF.exe"
