HEUR:Backdoor.Java.Agent.a

By JubileeX in Backdoors

Threat Scorecard

Popularity Rank: 1,688
Threat Level: 100 % (High)
Infected Computers: 10,289
First Seen: January 31, 2014
Last Seen: April 3, 2026
OS(es) Affected: Windows

HEUR:Backdoor.Java.Agent.a is a threat that may be used to launch DDoS attacks against chosen targets. One of its most threatening aspects is that it can launch DDoS attacks regardless of the victim's operating system. Although most DDoS bots before HEUR:Backdoor.Java.Agent.a were exclusive to Windows computers, malware analysts have observed that HEUR:Backdoor.Java.Agent.a may launch DDoS attacks from Mac OS and Linux systems as well. The rise of threats like HEUR:Backdoor.Java.Agent.a indicates that DDoS attacks are highly likely to increase in the future.

HEUR:Backdoor.Java.Agent.a – Another Misuse for Java

Malware analysts received reports of a cross-platform, Java-based DDoS bot. HEUR:Backdoor.Java.Agent.a is a Java application, which makes it compatible with any operating system that can run Java. This widens the scope of its attacks, since its reliance on Java means that HEUR:Backdoor.Java.Agent.a may also run on Mac OS and Linux computers. However, this also means that disabling Java and enabling it only when strictly necessary may stop HEUR:Backdoor.Java.Agent.a from running on an affected computer. The best way to stop HEUR:Backdoor.Java.Agent.a in its tracks is still to avoid unsafe online content and always protect your computer with a reliable security application.

Malware analysts who have tried to study HEUR:Backdoor.Java.Agent.a, in order to come up with ways for computer users to detect and remove it, have come across strong obfuscation using Zelix KlassMaster. However, its attack is fairly straightforward. As soon as HEUR:Backdoor.Java.Agent.a infects a computer, it takes steps to ensure that it runs automatically when the infected computer starts up. On Windows, HEUR:Backdoor.Java.Agent.a makes changes to the Windows Registry; on an Apple computer, it may use the automatic launch service; and on Linux it may add itself to /etc/init.d/. Once installed, HEUR:Backdoor.Java.Agent.a may communicate with its Command and Control server using IRC. Criminals may use IRC to send HEUR:Backdoor.Java.Agent.a a simple command containing the target's IP address and the type and intensity of the DDoS attack they want to carry out. HEUR:Backdoor.Java.Agent.a may carry out a DDoS attack using several protocols, and the number of threads may be specified to make the attack more or less severe.
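As an added example (not code from the page or its author), the following Python flags the two behaviours the write-up describes from a defender's side: a JVM registered in one of the three autostart locations named above (Windows Run key, macOS launch agent, /etc/init.d), and a JVM process talking to an IRC server. The autostart inventory, the connection log and its record layout are constructed sample data, not anything taken from the page.

```python
import re
from collections import Counter

# Constructed autostart inventory, one tuple per (os, location, command line).
# The locations are the persistence spots the write-up names: the Windows Run
# key, the macOS launch-agent directory and /etc/init.d on Linux.
AUTOSTART_ENTRIES = [
    ("windows", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     r'"C:\Program Files\Java\jre8\bin\javaw.exe" -jar C:\Users\user\AppData\Roaming\svc.jar'),
    ("windows", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("macos", "/Users/user/Library/LaunchAgents/com.apple.updater.plist",
     "/usr/bin/java -jar /Users/user/Library/.cache/agent.jar"),
    ("linux", "/etc/init.d/networkd-helper",
     "/usr/bin/java -cp /var/tmp/.x/bot.jar Main"),
    ("linux", "/etc/init.d/ssh", "/usr/sbin/sshd -D"),
]

# Constructed connection log in a syslog-like shape (format is an assumption).
NETWORK_LOG = """\
2014-01-31T10:02:11Z host1 conn: proc=java pid=4410 dst=203.0.113.7 dport=6667 proto=tcp
2014-01-31T10:02:12Z host1 conn: proc=firefox pid=3021 dst=198.51.100.20 dport=443 proto=tcp
2014-01-31T10:03:40Z host1 conn: proc=java pid=4410 dst=203.0.113.7 dport=6667 proto=tcp
2014-01-31T10:04:02Z host1 conn: proc=javaw.exe pid=1888 dst=192.0.2.99 dport=6697 proto=tcp
2014-01-31T10:05:15Z host1 conn: proc=java pid=4410 dst=198.51.100.5 dport=80 proto=tcp
"""

# A JVM launcher (java or javaw, with or without .exe) as a whole path token.
JVM_RE = re.compile(r'(?:^|[\\/\s"])javaw?(?:\.exe)?(?=["\s]|$)', re.IGNORECASE)
# The jar handed to -jar or -cp, with optional quoting.
JAR_RE = re.compile(r'-(?:jar|cp)\s+"?([^"\s]+\.jar)', re.IGNORECASE)
# Jar locations a legitimate boot-time service rarely uses: temp directories,
# the user profile, or a hidden directory component.
ODD_PATH_RE = re.compile(
    r'appdata|/tmp/|/var/tmp/|\\temp\\|(?:^|[\\/])\.[^\\/]+[\\/]', re.IGNORECASE)
# Well-known IRC ports; the bot's C2 channel is plain IRC per the write-up.
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}
CONN_RE = re.compile(r'proc=(\S+) pid=(\d+) dst=(\S+) dport=(\d+)')


def java_autostart_entries(entries):
    """Return the autostart entries whose command launches the JVM, noting
    the jar they load and whether it lives in an unusual location."""
    hits = []
    for os_name, location, cmd in entries:
        if not JVM_RE.search(cmd):
            continue
        m = JAR_RE.search(cmd)
        jar = m.group(1) if m else None
        hits.append({
            "os": os_name,
            "location": location,
            "jar": jar,
            "suspicious_path": bool(jar and ODD_PATH_RE.search(jar)),
        })
    return hits


def java_irc_peers(log_text):
    """Count connections from JVM processes to IRC ports, keyed by
    (process, pid, destination, port); non-JVM and non-IRC lines are skipped."""
    peers = Counter()
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        proc, pid, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if dport in IRC_PORTS and JVM_RE.search(proc):
            peers[(proc, pid, dst, dport)] += 1
    return dict(peers)


if __name__ == "__main__":
    for h in java_autostart_entries(AUTOSTART_ENTRIES):
        flag = "SUSPICIOUS" if h["suspicious_path"] else "review"
        print(f"[{flag}] {h['os']}: {h['location']} -> {h['jar']}")
    for (proc, pid, dst, dport), n in java_irc_peers(NETWORK_LOG).items():
        print(f"[IRC] {proc}[{pid}] -> {dst}:{dport} ({n} connections)")
```

On a real host the inventory would come from the Run keys, ~/Library/LaunchAgents and /etc/init.d, and the log from whatever connection telemetry is available; a JVM that is both auto-started from a temp or hidden directory and holding an IRC session is the combination worth isolating first.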

Analysis Report

General information

Family Name: HEUR.Malware.FakeAdb.Generic
Packers: PECompact v2.20
Signature status: No Signature

Known Samples


Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has been packed
  • File has exports table
  • File has TLS information
  • File is .NET application
  • File is 32-bit executable
  • File is 64-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name | Value
Assembly Version
  • 20.0.27.0
  • 1.0.0.0
Comments
  • Created with AutoPlay Media Studio (www.indigorose.com)
  • This installation was built with Inno Setup.
  • Visualizzatore di file in formato PDF
Company Name
  • Antarctica Softwares LTD
  • Boxoft Solution
  • Coy Flatley
  • Dreamify Corp
  • Erin Zieme
  • Flexera
  • Lavern Bode
  • Microsoft Corporation
  • Millennium s.r.l. Company
  • Priscilla Tremblay
  • Theron Prohaska
  • WK Sistemas
Compiled Script AutoIt v3 Script: 3, 3, 6, 1
File Description
  • Block Firewall for Adobe Acrobat Pro DC.
  • Block hosts for Adobe Acrobat Pro.
  • Boxoft PDF to Flash (freeware) Setup
  • Emiliano McCullough
  • HERE Manager Setup
  • Ice CMS updater
  • InstallShield
  • Lee Greenfelder
  • Lelia
  • Mac Harvey
  • MillePdfViewer
  • PdfFlowline
  • Unblock Firewall for Adobe Acrobat Pro DC.
  • Vladimir Cartwright
File Version
  • 2024.005.20982.0
  • 2024.005.20937.0
  • 2024.005.20918.0
  • 2024.005.20813.0
  • 2024.005.20744.0
  • 2024.005.20693.0
  • 2024.005.20467.0
  • 2024.005.20458.0
  • 2024.005.20432.0
  • 26.0.720
  • 20.0.27.0
  • 8.0.0.243
  • 6.3.1
  • 6, 17, 0, 567
  • 6, 12, 0, 492
  • 3, 3, 6, 1
  • 2.5.4.1
  • 1.1.4
  • 1.1.3
  • 1.0.0.0
Internal Build Number 202227
Internal Name
  • ams_runtime
  • IceUpd
  • Lelia
  • MillePdfViewer.exe
  • PdfFlowline.exe
  • _IsIcoRes.exe
Legal Copyright
  • 7997
  • Copyright (C) 2015 GitHub, Inc. All rights reserved.
  • Copyright (c) 2020 Flexera. All Rights Reserved.
  • Copyright © 2010
  • Copyright © 2023 Coy Flatley
  • Copyright © 2023 Lavern Bode
  • Copyright © 2023 Priscilla Tremblay
  • Copyright © 2023 Theron Prohaska
  • Copyright © 2023-2026 Antarctica Softwares LTD
  • Copyright © Microsoft. All rights reserved.
  • Copyright © Millennium s.r.l. Company 2014
  • © WK Sistemas
Legal Trademarks © WK Sistemas
Original Filename
  • IceUpdater.exe
  • Lelia.exe
  • MillePdfViewer.exe
  • PdfFlowline.exe
  • PSCS6.exe
  • _IsIcoRes.exe
Product Name
  • BlockFirewall
  • Block Hosts
  • Boxoft PDF to Flash (freeware)
  • HERE Manager
  • Ice CMS Updater
  • InstallShield
  • Julien
  • Lelia
  • MillePdfViewer
  • Myles
  • PDF Flowline
  • Radar
  • Rico
  • Tad
  • UnblockFirewall
Product Version
  • 2024.005.20982.0
  • 2024.005.20937.0
  • 2024.005.20918.0
  • 2024.005.20813.0
  • 2024.005.20744.0
  • 2024.005.20693.0
  • 2024.005.20467.0
  • 2024.005.20458.0
  • 2024.005.20432.0
  • 26.0
  • 22
  • 20.0.27.0
  • 10.0.19041.1
  • 6.3.1
  • 6, 17, 0, 567
  • 6, 12, 0, 492
  • 2.5.4.1
  • 1.1.4
  • 1.1.3
  • 1.0.0.0
Squirrel Aware Version 1
Requested-execution-level asInvoker

Digital Signatures

Signer | Root | Status
MILLENNIUM S.P.A. | MILLENNIUM S.P.A. | Self Signed
Valve | Valve | Self Signed
Fedder Corporation Limited | VeriSign Class 3 Code Signing 2010 CA | Self Signed
WK Sistemas | WK Sistemas | Self Signed

File Traits

  • .NET
  • 2+ executable sections
  • AMS
  • Autoit
  • fptable
  • HighEntropy
  • imgui
  • Inno
  • InnoSetup Installer
  • Installer Manifest
  • Installer Version
  • nosig nsis
  • No Version Info
  • Nullsoft Installer
  • packed
  • PEC2
  • PECompact v2.20
  • RAR (In Overlay)
  • RARinO
  • VirtualQueryEx
  • WinRAR SFX
  • WRARSFX
  • WriteProcessMemory
  • x64
  • x86

Block Information

Total Blocks: 4,070
Potentially Malicious Blocks: 1
Whitelisted Blocks: 4,061
Unknown Blocks: 8

Similar Families

  • Agent.LA
  • Agent.XFM
  • Agent.XRD
  • Autoit
  • BadJoke.XA
  • Banker.AR
  • Bitcoinminer.BDA
  • Bitcoinminer.BDB
  • Bitcoinminer.DJE
  • Brute.BHA
  • Caosoft.A
  • Chapak.HBX
  • Chinflej.A
  • CobaltStrike.GI
  • CobaltStrike.GIA
  • Delf.PA
  • Delf.XB
  • Lnkhyd.A
  • MSILZilla.TC
  • Motnug.A
  • Quasar.CB
  • Rozena.H
  • Rozena.XC
  • Rugmi.T
  • Sckeylog.C
  • Trojan.Agent.Gen.VN

Files Modified

Registry Modifications

Windows API Usage

Category | API
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
User Data Access
  • GetComputerNameEx
  • GetUserDefaultLocaleName
  • GetUserObjectInformation
Process Shell Execute
  • CreateProcess
  • ShellExecute
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • UNKNOWN
  • win32u.dll!NtGdiAnyLinkedFonts
  • win32u.dll!NtGdiBitBlt
  • win32u.dll!NtGdiCreateBitmap
  • win32u.dll!NtGdiCreateCompatibleBitmap
  • win32u.dll!NtGdiCreateCompatibleDC
  • win32u.dll!NtGdiCreateDIBitmapInternal
  • win32u.dll!NtGdiCreateRectRgn
  • win32u.dll!NtGdiCreateSolidBrush
  • win32u.dll!NtGdiDeleteObjectApp
  • win32u.dll!NtGdiDoPalette
  • win32u.dll!NtGdiDrawStream
  • win32u.dll!NtGdiExtGetObjectW
  • win32u.dll!NtGdiExtTextOutW
  • win32u.dll!NtGdiFontIsLinked
  • win32u.dll!NtGdiGetCharABCWidthsW
  • win32u.dll!NtGdiGetDCDword
  • win32u.dll!NtGdiGetDCforBitmap
  • win32u.dll!NtGdiGetDCObject
  • win32u.dll!NtGdiGetDeviceCaps
  • win32u.dll!NtGdiGetDIBitsInternal
  • win32u.dll!NtGdiGetEntry
  • win32u.dll!NtGdiGetFontData
  • win32u.dll!NtGdiGetGlyphIndicesW
  • win32u.dll!NtGdiGetOutlineTextMetricsInternalW
  • win32u.dll!NtGdiGetRandomRgn
  • win32u.dll!NtGdiGetRealizationInfo
  • win32u.dll!NtGdiGetTextFaceW
  • win32u.dll!NtGdiGetTextMetricsW
  • win32u.dll!NtGdiGetWidthTable

70 additional items are not displayed above.

Process Terminate
  • TerminateProcess
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ReadProcessMemory
  • ZwMapViewOfSection
Encryption Used
  • BCryptOpenAlgorithmProvider
  • CryptAcquireContext
Other Suspicious
  • AdjustTokenPrivileges
Network Winsock2
  • WSAStartup
Service Control
  • OpenSCManager
  • OpenService

Shell Command Execution

taskkill /F /IM armsvc.exe
taskkill /F /IM AGSService.exe
taskkill /F /IM AGMService.exe
"C:\Users\Igyrhwht\AppData\Local\Temp\is-64M5I.tmp\5dfc8842587b44cd6dd3ef46e201004e45a5201b_0002749425.tmp" /SL5="$701F4,2507560,54272,c:\users\user\downloads\5dfc8842587b44cd6dd3ef46e201004e45a5201b_0002749425"
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Sbjwfetn\AppData\Local\Temp\4h4ahpgk\4h4ahpgk.cmdline"
"C:\Users\Tkgoahnq\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Rico.exe" | %SYSTEMROOT%\System32\find.exe "Rico.exe"
C:\WINDOWS\system32\tasklist.exe tasklist /FI "USERNAME eq Tkgoahnq" /FI "IMAGENAME eq Rico.exe"
C:\WINDOWS\System32\find.exe C:\WINDOWS\System32\find.exe "Rico.exe"
"C:\Users\Brdwhbjc\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Julien.exe" | %SYSTEMROOT%\System32\find.exe "Julien.exe"
C:\WINDOWS\system32\tasklist.exe tasklist /FI "USERNAME eq Brdwhbjc" /FI "IMAGENAME eq Julien.exe"
C:\WINDOWS\System32\find.exe C:\WINDOWS\System32\find.exe "Julien.exe"
"C:\Users\Jbiivguf\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Myles.exe" | %SYSTEMROOT%\System32\find.exe "Myles.exe"
C:\WINDOWS\system32\tasklist.exe tasklist /FI "USERNAME eq Jbiivguf" /FI "IMAGENAME eq Myles.exe"
C:\WINDOWS\System32\find.exe C:\WINDOWS\System32\find.exe "Myles.exe"
"C:\Users\Xzcdikrg\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Tad.exe" | %SYSTEMROOT%\System32\find.exe "Tad.exe"
C:\WINDOWS\system32\tasklist.exe tasklist /FI "USERNAME eq Xzcdikrg" /FI "IMAGENAME eq Tad.exe"
C:\WINDOWS\System32\find.exe C:\WINDOWS\System32\find.exe "Tad.exe"
netsh advfirewall firewall add rule name="Acrobat.exe" dir=in action=block program="\Acrobat.exe" enable=yes profile=any
netsh advfirewall firewall add rule name="AcroCEF.exe" dir=in action=block program="\AcroCEF\AcroCEF.exe" enable=yes profile=any
netsh advfirewall firewall delete rule name="Acrobat.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\\dw20.exe dw20.exe -x -s 852
"C:\Users\Vgjqptle\AppData\Local\Temp\is-N9SM2RGIIB.tmp\7aab897fd77b48f2604cfba9b6ffcef3b2298dd6_0003840788.tmp" /SL5="$60368,2752995,893440,c:\users\user\downloads\7aab897fd77b48f2604cfba9b6ffcef3b2298dd6_0003840788"
(NULL) c:\users\user\downloads\7aab897fd77b48f2604cfba9b6ffcef3b2298dd6_0003840788 /VERYSILENT /PASSWORD=0fba05a7-db88-44a4-9508-00d6a0b51919
msiexec.exe /i AcroRead.msi /qn
trdil.exe
x.bat
netsh advfirewall firewall delete rule name="AcroCEF.exe"
C:\WINDOWS\system32\cmd.exe /C C:\Users\Aenkmidq\AppData\Local\Temp\nsvBCEE.tmp.exe /Scheck
C:\Users\Aenkmidq\AppData\Local\Temp\nsvbcee.tmp.exe C:\Users\Aenkmidq\AppData\Local\Temp\nsvBCEE.tmp.exe /Scheck
C:\WINDOWS\system32\cmd.exe /C C:\Users\Aenkmidq\AppData\Local\Temp\nsvBCEE.tmp.exe /tb=IJBME
C:\Users\Aenkmidq\AppData\Local\Temp\nsvbcee.tmp.exe C:\Users\Aenkmidq\AppData\Local\Temp\nsvBCEE.tmp.exe /tb=IJBME