Spyware.Agent

By CagedTech in Spyware

Aliases

15 security vendors flagged this file as malicious.

Antivirus Vendor Detection
TrendMicro TROJ_VIVIA.E
Symantec Adware.ZioCom.B
Sophos Troj/Vivia-G
Panda Spyware/LZIO-Media
NOD32 a variant of Win32/TrojanDownloader.Agent.LG
McAfee-GW-Edition Trojan.Dldr.Agent.MW
McAfee Downloader-LE
Ikarus Trojan-Dropper.Agent
Fortinet W32/VIVIA.E!tr
F-Secure Trojan-Downloader.Win32.Agent.lg
eTrust-Vet Win32/Darliz.G
eSafe Win32.TRDldr.Agent.m
Comodo TrojWare.Win32.TrojanDownloader.Agent.lg
CAT-QuickHeal TrojanDownloader.Agent.mw
BitDefender Trojan.Downloader.Agent.MW

File System Details

Spyware.Agent may create the following file(s):
# File Name MD5 Detections
1. POHAEK.exe 8b4d2c29bdbe95741036212b6f183488 0
2. cwhwont.exe 99bf8bb8ef5c7918f2cd1d9221768354 0
3. NETXZ.EXE cd35acfea15ed84ed82c74adc68c9fcd 0

Analysis Report

General information

Family Name: Trojan.Agent
Signature status: No Signature

Known Samples


Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has exports table
  • File has TLS information
  • File is .NET application
  • File is 32-bit executable
  • File is 64-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Assembly Version
  • 3.3.0.0
  • 1.1.12.6
  • 1.0.0.0
  • 0.0.0.0
Comments
  • Control Panel for KetcauSoft' Application
  • This installation was built with Inno Setup.
Company Name
  • Audi AG
  • GENERATION NT
  • LTPTeam
  • Microsoft
  • NL-X
  • The Classic PW - Genesis
  • The Classic PW - Mar em Fúria
  • TML
  • WEFLY Structure JSC
  • Youxiland Co. Ltd.
File Description
  • Client Login Program
  • GESTION DE POLYCLINIQUE
  • KCS Inside
  • Laptop Battery Analyzer
  • Macro X Evolution
  • MuUpdater
  • NL-X
  • pwprotector
  • SD Creator
  • Setup/Uninstall
  • UNDERTALE Engine
File Version
  • 51.1052.0.0
  • 3.3.0.0
  • 1.11W
  • 1.1.12.6
  • 1.0.0.0
  • 1, 0, 0, 1
  • 0.1.0.3
  • 0.0.0.0
Internal Name
  • KCS Inside.exe
  • Login.dat
  • ModisEvolution.exe
  • MuUpdater.exe
  • NL-X.dll
  • NLBA_LaptopBatteryAnalyzer.exe
  • NL Hybrid.dll
  • pwprotector.exe
  • SdUpdater2.exe
Legal Copyright
  • 2018~2021 TML
  • Copyright (C) 2004 Youxiland Co. Ltd. All rights reserved.
  • Copyright KetcauSoft © 2012
  • Copyright © 2015-2022 AUDI AG
  • Copyright © 2020
  • Copyright © 2023
  • Copyright © GENERATION NT 2008
  • Copyright © LTPTeam 2016
  • Copyright © Microsoft 2015
Legal Trademarks KetcauSoft
Original Filename
  • KCS Inside.exe
  • Login.dat
  • ModisEvolution.exe
  • MuUpdater.exe
  • NL-X.dll
  • NLBA_LaptopBatteryAnalyzer.exe
  • NL Hybrid.dll
  • pwprotector.exe
  • SdUpdater2.exe
Private Build 01.00.00.00
Product Name
  • Client Login Program
  • GntMedDocteur
  • KCS Inside 2024
  • Laptop Battery Analyzer
  • Macro X Evolution
  • MuUpdater
  • NL-X
  • pwprotector
  • SD-Creator
  • The Classic PW - Genesis
  • The Classic PW - Mar em Fúria
  • UNDERTALE Engine
Product Version
  • 36
  • 31
  • 3.3.0.0
  • 1.11W
  • 1.1.12.6
  • 1.0.0.0
  • 1.0.0
  • 1, 0, 0, 1
  • 0.1.0.3
  • 0.0.0.0
Version 1.11W
WD Version 27.0

File Traits

  • .NET
  • 00 section
  • 2+ executable sections
  • Confuser
  • GenKrypt
  • HighEntropy
  • Inno
  • InnoSetup Installer
  • Installer Manifest
  • Installer Version
  • NewLateBinding
  • No Version Info
  • ntdll
  • Reactor
  • Reflective
  • RijndaelManaged
  • VirtualQueryEx
  • WriteProcessMemory
  • x64
  • x86

Block Information

Total Blocks: 1,293
Potentially Malicious Blocks: 186
Whitelisted Blocks: 804
Unknown Blocks: 303

Visual Map

(Block-level visual map not reproduced. Legend: 0 - Probable Safe Block, ? - Unknown Block, x - Potentially Malicious Block.)

Similar Families

  • Emotet.CDD
  • Injector.AK
  • Lumma.GFD
  • MSIL.Agent.GDE
  • MSIL.Agent.OAAR
  • MSIL.BadJoke.XF
  • MSIL.BlackGuardStealer.A
  • MSIL.Brute.BGF
  • MSIL.Brute.GFA
  • MSIL.DllInject.LE
  • MSIL.Filecoder.GG
  • MSIL.Gamehack.JS
  • MSIL.Heracles.IP
  • MSIL.Injector.FSA
  • MSIL.Tedy.F
  • MSIL.Tedy.NN
  • Remcos.AI
  • Stealer.KF
  • Zenpak.C

Files Modified

File Attributes
\device\namedpipe\dav rpc service Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\srvsvc Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\wkssvc Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\explorer\iconcache_16.db Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\explorer\iconcache_256.db Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\explorer\iconcache_idx.db Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.1.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.2.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data

Registry Modifications

Key::Value Data API Name
HKCU\local settings\software\microsoft\windows\shell\bagmru::nodeslots  RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::mrulistex  RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru\2::mrulistex  RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bags\94\shell::sniffedfoldertype Downloads RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.200.31.10#amas::_labelfromdesktopini RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKCU\software\pc soft\windev\27.0\appli\36b07cc3f35c7250bfe20502a5825c16f399d30f_0009639936::last_framework 270103j RegNtPreCreateKey

Windows API Usage

Category API
User Data Access
  • GetComputerNameEx
  • GetUserDefaultLocaleName
  • GetUserObjectInformation
Syscall Use
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcDeleteSecurityContext
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtCancelTimer2
  • ntdll.dll!NtCancelWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtCompareSigningLevels
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFlushProcessWriteBuffers
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtGetCachedSigningLevel
  • ntdll.dll!NtGetContextThread
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationJobObject
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtSuspendThread
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtUnsubscribeWnfStateChange
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForMultipleObjects
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • ntdll.dll!NtYieldExecution
  • UNKNOWN

Other Suspicious
  • AdjustTokenPrivileges
  • SetWindowsHookEx
Anti Debug
  • CheckRemoteDebuggerPresent
  • IsDebuggerPresent
  • NtQuerySystemInformation
  • OutputDebugString
Network Winsock2
  • WSASend
  • WSASocket
  • WSAStartup
Network Winsock
  • connect
  • gethostbyname
  • inet_addr
Encryption Used
  • BCryptOpenAlgorithmProvider
