Trojan-Downloader.Win32.Agent.ahoe
Cartão de pontuação de ameaças
EnigmaSoft Threat Scorecard
Os EnigmaSoft Threat Scorecards são relatórios de avaliação para diferentes ameaças de malware que foram coletadas e analisadas por nossa equipe de pesquisa. Os Scorecards de Ameaças da EnigmaSoft avaliam e classificam as ameaças usando várias métricas, incluindo fatores de risco reais e potenciais, tendências, frequência, prevalência e persistência. Os Scorecards de Ameaças da EnigmaSoft são atualizados regularmente com base em nossos dados e métricas de pesquisa e são úteis para uma ampla gama de usuários de computador, desde usuários finais que buscam soluções para remover malware de seus sistemas até especialistas em segurança que analisam ameaças.
Os Scorecards de Ameaças da EnigmaSoft exibem uma variedade de informações úteis, incluindo:
Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Nível de gravidade: O nível de gravidade determinado de um objeto, representado numericamente, com base em nosso processo de modelagem de risco e pesquisa, conforme explicado em nossos Critérios de Avaliação de Ameaças .
Computadores infectados: O número de casos confirmados e suspeitos de uma determinada ameaça detectada em computadores infectados conforme relatado pelo SpyHunter.
Consulte também Critérios de Avaliação de Ameaças .
| Popularity Rank: | 1,490 |
| Nível da Ameaça: | 80 % (Alto) |
| Computadores infectados: | 548,580 |
| Visto pela Primeira Vez: | July 24, 2009 |
| Visto pela Última Vez: | January 30, 2026 |
| SO (s) Afetados: | Windows |
O Trojan-Downloader.Win32.Agent.ahoe é um vírus do cavalo trojan, que normalmente se infiltra no computador através de sites nocivos ou de programas de arquivos compartilhados. O Trojan-Downloader.Win32.Agent.ahoe baixa conteúdos maliciosos da Internet e executa-os na máquina comprometida, sem o conhecimento ou aprovação do usuário. O Trojan-Downloader.Win32.Agent.ahoe cria a sua própria entrada de registo para assegurar que ele comece a ser executado a toda vez que o Windows inicia. O Trojan-Downloader.Win32.Agent.ahoe normalmente aparece listado nos resultados da verredura feita pelo programa anti-spyware nocivo do Windows Antivírus Pro.
Índice
Outros Nomes
15 fornecedores de segurança sinalizaram este arquivo como malicioso.
| Antivirus Vendor | Detecção |
|---|---|
| AVG | Downloader.Generic12.XJL |
| Fortinet | W32/Downloader_x.GCN!tr |
| AntiVir | TR/Agent.dpp.2 |
| Kaspersky | HEUR:Trojan.Win32.Generic |
| eSafe | Win32.TRAgent.Dpp |
| Avast | Win32:Agent-APGZ [Trj] |
| McAfee | Generic.dx!bcx4 |
| Ikarus | Trojan.SuspectCRC |
| AhnLab-V3 | Win-Clicker/Agent.499712 |
| AntiVir | TR/Gendal.kdv.300198 |
| BitDefender | Trojan.Generic.KDV.300198 |
| eSafe | Win32.WS.Reputation |
| McAfee | Artemis!764155503436 |
| Panda | Trj/Downloader.QBT |
| AVG | Delf.EKJ |
SpyHunter detecta e remove Trojan-Downloader.Win32.Agent.ahoe
Detalhes Sobre os Arquivos do Sistema
Trojan-Downloader.Win32.Agent.ahoe pode criar o(s) seguinte(s) arquivo(s):
| # | Nome do arquivo | MD5 |
Detecções
Detecções: O número de casos confirmados e suspeitos de uma determinada ameaça detectada nos computadores infectados conforme relatado pelo SpyHunter.
|
|---|---|---|---|
| 1. | tcharar.exe | fb499993c46f50b75f102d5d59b61eb2 | 9,924 |
| 2. | NetUpdService.exe | ac9fa3514f1313c92ae5a52938a50d9a | 1,482 |
| 3. | lsmsrv.exe | b262a3f123fc2ad625654813cf3c3734 | 84 |
| 4. | Client.exe | 1362cac64386ac917c3b91e29749740f | 49 |
| 5. | TssWpfWrp.exe | d017768239636f67bfafd5e02ec53918 | 29 |
| 6. | digital1610_Good_11cr13.exe | 35164e8135d144bf04395e62461d2a0e | 23 |
| 7. | Server.exe | 7f5b5834f8e8a25b7b6586b86091b72d | 20 |
| 8. | mscorsvcw.exe | 860a6d17959203f41a2ca6226270516c | 15 |
| 9. | AGSService.exe | 2d364060d6b042250a351507c0b6d556 | 9 |
| 10. | g666.tmp.exe | c7d0fd72924d39d78010aa13e5f1e3bf | 5 |
| 11. | WindowsDefenderUpdate.exe | 844430aac97001ca90f1e319711ba820 | 5 |
| 12. | get.exe | cd49e0979be34d51eee3606438184f52 | 4 |
| 13. | 4b3f7176cfd3fb818f8e4780b9ded838de5ff6d8cf01865d59fc68fb4c0e0424 | 00e7325c6b03ae161c5fbf755fa14739 | 3 |
| 14. | CasPol.exe | a7aaf4d9e10897faded9a4727a626900 | 1 |
| 15. | rundl64.exe | bce7203e636f826142284d5ac72892ec | 0 |
| 16. | msmsgs.exe | 2ab1867e8b59176adbac333f6357e978 | 0 |
| 17. | iOmm100.exe | 315dbe28016a28842556704148eba158 | 0 |
| 18. | ikwnmb.exe | dcb43c208a13b5c1cccebce576987b26 | 0 |
| 19. | dealassistant.exe | 1ae1c57db53066c7e1ef5076bb9b1b8b | 0 |
| 20. | retadpu77.exe | fc83423421cd2d1b09955e3aee7f29cf | 0 |
| 21. | mrofinu1000106.exe | 3e9f2da6cd3519cb9320f9ba8ed92c72 | 0 |
| 22. | retadpu1002397.exe | dde8bfd270ffeea1c763d1827734d0e4 | 0 |
| 23. | orz.exe | 8a548d9d41f045b29884ecd682d4f1d1 | 0 |
| 24. | pridl.exe | cd88b89d5e4eb922a4e179a1be66aefc | 0 |
| 25. | cpds.exe | fca86cdf5a1851c1c9c33726f0fc6c82 | 0 |
| 26. | file.exe | 865cd7bf0e4612204bfaff0e11bfd166 | 0 |
Detalhes sobre o Registro
Trojan-Downloader.Win32.Agent.ahoe pode criar a seguinte entrada de registro ou entradas de registro:
File name without path
fja9sdfh.exe
hhb91hih.exe
j0192udlkhas.exe
pdqjw9d8as123hdk.exe
pqjw9d8123hk.exe
svb98s12e.exe
svb98s15e.exe
svj9812e.exe
Regexp file mask
%ALLUSERSPROFILE%\FXGuard\fxnet.exe
%APPDATA%\Alianz.exe
%APPDATA%\fileSystem.exe
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\directxwebpack.exe
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\newcpuchecker.js
%APPDATA%\syse.sys
%APPDATA%\workk.exe
%HOMEDRIVE%\ntldr~[RANDOM CHARACTERS]
%HOMEDRIVE%\smartdata\bbaassd.exe
%HOMEDRIVE%\smartdata\fasfd.exe
%HOMEDRIVE%\SmartData\fhalslk.dll
%HOMEDRIVE%\SmartData\performer.exe
%HOMEDRIVE%\SmartData\servicer.exe
%HOMEDRIVE%\SmartData\svchost_ms.exe
%LOCALAPPDATA%\Audiodg\audiodgs.exe
%LOCALAPPDATA%\bbuy.exe
%LOCALAPPDATA%\Default Folder\server.exe
%LOCALAPPDATA%\Microsoft\TaskPlay\caches.dat
%LOCALAPPDATA%\VirtualStore\ntldr~[RANDOM CHARACTERS]
%LOCALAPPDATA%\WServices\performer.exe
%LOCALAPPDATA%\WServices\smaters.exe
%LOCALAPPDATA%\WServices\svsmst.exe
%Programfiles%\fuwu.exe
%PROGRAMFILES%\WindowsPowerShell\Configuration\Registration\svhost.exe
%PROGRAMFILES(x86)%\smartdata\asdd.exe
%PROGRAMFILES(x86)%\smartdata\asdffdf.exe
%PROGRAMFILES(x86)%\smartdata\bbaassd.exe
%PROGRAMFILES(x86)%\smartdata\fasfd.exe
%PROGRAMFILES(x86)%\smartdata\fsadfsadfsdf.exe
%PROGRAMFILES(x86)%\smartdata\gagadsfgafg.exe
%PROGRAMFILES(x86)%\SmartData\performer.exe
%PROGRAMFILES(x86)%\smartdata\servicer.exe
%PROGRAMFILES(x86)%\smartdata\svchost_ms.exe
%PROGRAMFILES(x86)%\WindowsPowerShell\Configuration\Registration\svhost.exe
%TEMP%\networkservice.exe
%WINDIR%\gdp32.exe
%WINDIR%\imgsvc\imgsvc.exe
%WINDIR%\lsasc.exe
%WINDIR%\sysde32.exe
%WINDIR%\System32\NetUpdService.exe
%WINDIR%\system32\show.exe
%WINDIR%\system32\wbem\123.bat
%WINDIR%\System32\wmiex.exe
%WINDIR%\sysve32.exe
%WINDIR%\SysWoW64\NetUpdService.exe
%WINDIR%\SysWOW64\wmiex.exe
%WINDIR%\temp\bestfile1.exe
%WINDIR%\Temp\y2b.exe
%WINDIR%\winmds.exe
SOFTWARE\Machiner
SOFTWARE\MaxPlugs\Emmail
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Window Update
SOFTWARE\Wow6432Node\Machiner
SOFTWARE\WOW6432Node\MaxPlugs\Emmail
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update
eMail Extractor_is1
Emoticons Mail_is1
{88826714-E1D9-4D5C-9BB7-16DFA935C4C1}
{EF758C50-5FA2-4B0A-86D3-8B65B176BC53}
Diretórios
Trojan-Downloader.Win32.Agent.ahoe pode criar o seguinte diretório ou diretórios:
| %ALLUSERSPROFILE%\gramblr |
| %ALLUSERSPROFILE%\nirds |
| %ALLUSERSPROFILE%\tlrzjcfpeq |
| %ALLUSERSPROFILE%\yemjxjfcbj |
| %APPDATA%\ww.fm |
| %LOCALAPPDATA%\WServices |
| %PROGRAMFILES%\Procedure |
| %PROGRAMFILES%\Windows Utility Update |
| %PROGRAMFILES%\eMail Extractor |
| %PROGRAMFILES%\machinerdata |
| %PROGRAMFILES(x86)%\Windows Utility Update |
| %PROGRAMFILES(x86)%\machinerdata |
| %TEMP%\HWMonitor |
| %USERPROFILE%\SecurityHealthSystray |
| %USERPROFILE%\cabapi |
| %UserProfile%\AppXDeploymentServer |
| %UserProfile%\wksprt |
Relatório de análise
Informação geral
| Family Name: | Trojan.Downloader.Agent |
|---|---|
| Signature status: | No Signature |
Known Samples
Known Samples
This section lists other file samples believed to be associated with this family.|
MD5:
4c87a98b06b25d056ba958054f6df7a0
SHA1:
78e7071501e35ab8f8a06920869088d23cd72898
Tamanho do Arquivo:
46.18 KB, 46183 bytes
|
|
MD5:
b37f263aa3a12f66ac4cea307aa71bd5
SHA1:
7d39c32d4d5b78a79b1fe20121647f14d12958ee
Tamanho do Arquivo:
46.18 KB, 46180 bytes
|
|
MD5:
1b98bdc7a806091ddf1f929ff93abc97
SHA1:
de04ec480dc52fd96f883fb177f2402497f268b2
SHA256:
888F878D224C18A884FA2C2A68A5EE869CFA23939D3114E70656ADD9BE7ABDBE
Tamanho do Arquivo:
46.18 KB, 46181 bytes
|
|
MD5:
2892e1c722fe4a15e9f6451be44b1c97
SHA1:
80c1237f62ff8ad6ddbe20b6b00c22ef3e72ec1d
SHA256:
470B8826F437B92C95A09D0F83016B9CA8D25FFF777C288013B2282552175EF4
Tamanho do Arquivo:
46.18 KB, 46180 bytes
|
|
MD5:
02bd686d7320405b38fcb84578ad9bf9
SHA1:
8c48ee4cd9b0fa70f305b7c4a3ab70a391b2f026
SHA256:
8F3D62B448BB53A5F39373CA296FB5E6E2C50814EC3CA3FDDC5299E56AAAEC30
Tamanho do Arquivo:
46.18 KB, 46183 bytes
|
Show More
|
MD5:
3d6dc175d4a640a344b09b0313e7621c
SHA1:
b6c9d28d5dc128f4f44dc05f1714d2becc5b440d
SHA256:
D8776458DE607BA71132DE5F6877EBFB6950786B1BE1649E22AAFEEC1A1ECDC4
Tamanho do Arquivo:
46.18 KB, 46179 bytes
|
|
MD5:
fb33bad211ac5405443eeaad2cd4f324
SHA1:
307e6b510f1b8590adeb0514c8ee3db57d910d31
SHA256:
D94EFDE45FC4367F5B61C4614453052AEC335D848C88D28A392D2446A8AFA16B
Tamanho do Arquivo:
1.52 MB, 1515520 bytes
|
|
MD5:
b06df00c4478dc8e100e6af0079505dc
SHA1:
2f539c32b5b0fa8f042e161d674072ae13f67232
SHA256:
A52BD84EDFC8BF9A2922A413FF0E6D9928EE1ED9620F19C0DF206FF28602BC9B
Tamanho do Arquivo:
39.67 KB, 39667 bytes
|
|
MD5:
be57f871c1f3fd9f0fe98ea97de21a00
SHA1:
09339ea667e3f3975797b8fc41945b68502d544b
SHA256:
D4C74959C9BEF137F42341AB7F6CC9F557CDD4635A79350015F3D8A86673DD3F
Tamanho do Arquivo:
568.84 KB, 568836 bytes
|
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
Show More
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.| Nome | Valor |
|---|---|
| Company Name | noOrg |
| File Version | 1.00 |
| Internal Name | gg |
| Original Filename | gg.exe |
| Product Name | Project1 |
| Product Version | 1.00 |
File Traits
- HighEntropy
- No Version Info
- vb6
- x86
Block Information
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.| Total Blocks: | 1,418 |
|---|---|
| Potentially Malicious Blocks: | 9 |
| Whitelisted Blocks: | 1,343 |
| Unknown Blocks: | 66 |
Visual Map
0
0
0
0
0
0
0
0
0
0
?
?
?
0
0
?
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
?
?
0
?
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
?
?
0
?
?
?
0
?
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
?
?
0
?
0
0
0
0
0
0
0
0
0
0
?
?
?
?
?
?
?
?
?
?
0
0
x
?
?
?
0
0
0
x
?
0
?
0
0
?
?
?
?
?
?
0
?
?
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
?
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
?
?
?
?
x
0
?
0
?
?
?
0
?
?
?
?
0
0
?
0
?
0
?
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
?
0
?
?
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
?
0
0
0
0
0
0
0
0
0
0
0
?
?
?
?
?
?
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
?
0
0
0
0
0
1
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
2
0
0
0
0
0
0
0
0
0
1
1
1
1
0
0
0
0
0
1
0
1
1
0
0
0
0
0
0
0
0
0
0
0
0
2
2
0
1
0
0
0
0
0
1
0
0
0
1
1
0
1
0
0
0
0
1
0
1
0
0
1
0
0
0
0
0
0
0
0
0
2
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
2
0
0
0
1
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
2
0
0
1
0
0
0
0
0
0
0
0
0
1
1
0
0
1
1
0
0
0
0
0
0
1
0
1
1
0
0
1
0
0
0
0
0
0
0
0
0
1
1
3
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
2
3
1
1
0
0
1
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
1
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
2
2
2
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
1
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
? - Unknown Block
x - Potentially Malicious Block
Files Modified
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.| File | Attributes |
|---|---|
| c:\users\user\appdata\local\temp\nsa5a18.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsa5a18.tmp\pwgen.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsa5a18.tmp\pwgen.dll | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsa5a18.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsa5a18.tmp\system.dll | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsb3091.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsb3091.tmp\pwgen.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsb3091.tmp\pwgen.dll | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsb3091.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsb3091.tmp\system.dll | Synchronize,Write Attributes |
Show More
| c:\users\user\appdata\local\temp\nsc5110.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsc5110.tmp\pwgen.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsc5110.tmp\pwgen.dll | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsc5110.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsc5110.tmp\system.dll | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsf7ab9.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsf7ab9.tmp\pwgen.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsf7ab9.tmp\pwgen.dll | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsf7ab9.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsf7ab9.tmp\system.dll | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsh57b1.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsh57b1.tmp\pwgen.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsh57b1.tmp\pwgen.dll | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsh57b1.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsh57b1.tmp\system.dll | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsn540d.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsn540d.tmp\pwgen.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsn540d.tmp\pwgen.dll | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsn540d.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsn540d.tmp\system.dll | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsq338e.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsq338e.tmp\pwgen.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsq338e.tmp\pwgen.dll | Synchronize,Write Attributes |
Registry Modifications
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.| Key::Value | Dados | API Name |
|---|---|---|
| HKCU\software\microsoft\windows\currentversion\internet settings\5.0\user agent::platform | Windows NT 10.0; Win64; x64; ovrFT49HUY | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\windows\currentversion\internet settings\5.0\user agent::platform | Windows NT 10.0; Win64; x64; ovrFT49HUY | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Nmqimwrn\AppData\Local\Temp\nsn540D.tmp\ | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\5.0\user agent::platform | Windows NT 10.0; ovP2wW2d09 | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\windows\currentversion\internet settings\5.0\user agent::platform | Windows NT 10.0; ovP2wW2d09 | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Fjxikcma\AppData\Local\Temp\nsc5110.tmp\ | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\5.0\user agent::platform | Windows NT 10.0; WOW64; ovLqlLUcpU | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\windows\currentversion\internet settings\5.0\user agent::platform | Windows NT 10.0; WOW64; ovLqlLUcpU | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Zxtblvbb\AppData\Local\Temp\nsa5A18.tmp\ | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\5.0\user agent::platform | Windows NT 10.0; ovYdEXgYaa | RegNtPreCreateKey |
Show More
| HKLM\software\wow6432node\microsoft\windows\currentversion\internet settings\5.0\user agent::platform | Windows NT 10.0; ovYdEXgYaa | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Oosmxeyw\AppData\Local\Temp\nsh57B1.tmp\ | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\5.0\user agent::platform | Windows NT 10.0; ovsyYj3YHK | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\windows\currentversion\internet settings\5.0\user agent::platform | Windows NT 10.0; ovsyYj3YHK | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Nfvsrdon\AppData\Local\Temp\nsb3091.tmp\ | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\5.0\user agent::platform | Windows NT 10.0; WOW64; ov098YfArb | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\windows\currentversion\internet settings\5.0\user agent::platform | Windows NT 10.0; WOW64; ov098YfArb | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Syxcgwon\AppData\Local\Temp\nsf7AB9.tmp\ | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\5.0\user agent::platform | Windows NT 10.0; Win64; x64; oQaf2tau | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\windows\currentversion\internet settings\5.0\user agent::platform | Windows NT 10.0; Win64; x64; oQaf2tau | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.205.9��\??\C:\Windows\SystemTemp\626d5325-4419-4ac5-baae-1ad029bac7c6.tmp��\ | RegNtPreCreateKey |
Windows API Usage
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.| Category | API |
|---|---|
| Encryption Used |
|
| Other Suspicious |
|
