Trojan.Agent.HD

By CagedTech in Trojans

Threat Scorecard

Threat Level:	80 % (High)
Infected Computers:	26

First Seen:	December 2, 2021
Last Seen:	May 5, 2023
OS(es) Affected:	Windows

Table of Contents

Analysis Report

General information

Family Name:	Trojan.Agent.HD
Signature status:	No Signature

Known Samples

MD5: 1c5b418491169201ecdaa8430cb6a6b0

SHA1: 2dcecd092812d2ef8ffd4cfa217c35e9bc0c25e2

File Size: 260.61 KB, 260608 bytes

MD5: 00c6d40de368d68be22ee81514131788

SHA1: 8e91c95655a1b33fd5b38942eedcc80ba8147461

SHA256: B1397FC844B18AD86FB71A0EE8F0A0E23E1DE90E48EFD535B2CEC5E84EEC7EAB

File Size: 111.62 KB, 111616 bytes

MD5: 0bdd6dbe0ed7c6899f11eb79e9aeba12

SHA1: 0292e5a532914c38b3363eeac638dff24166fb6c

SHA256: 943A021E9D8CD4063C0C38672DB7AEFD964CFE312BEDB1C737FF4B150ACE9275

File Size: 453.12 KB, 453120 bytes

MD5: f54c0820486c1c74053ed23950928084

SHA1: ccea7993b8b333eac17ec161069d2097322a38d3

SHA256: 3296F7ED6DA232FD4CDFFD7611E6F673D7E4535848452E389416E478A99E5C8E

File Size: 567.81 KB, 567808 bytes

MD5: 7ae420fe2342114ec5d47170909308aa

SHA1: f5e613e6ee1c324b95a5b412c58d5fc2838f95a1

SHA256: 4451BA6D711E51B17E75BB83F725B5BC8E7F2E85C7B1C4089805DD5CB5D56682

File Size: 104.45 KB, 104448 bytes

MD5: a9447c5e718652fbdba1e8b8d7a4164b

SHA1: 873fea7ea2d01f08031d4cfe96d9d88f30be0034

SHA256: 3760C070FBDA4AA558D7BAD4323266FB43D11CBDB848A6DDF13BF57B0A1DE2AB

File Size: 73.22 KB, 73216 bytes

MD5: b8922c9d8e96015aacf7a27c932fe40d

SHA1: af57d824fc2d4d9b2b97c4f053ad0ccb6e8ec1f4

SHA256: E3583D544D9F1B2599CA74970F0558146888BCE9AD6FB183F65A94F917E95295

File Size: 140.80 KB, 140800 bytes

MD5: 6e83969355bd82e5345e8317e23d2694

SHA1: e4b88ee77caf93b1340411368b30535ea294f617

SHA256: 447E8913560BD923FDD6247E8DF061DFBAF37CAA28F5F6C9CA8F95B2A041B99D

File Size: 47.62 KB, 47616 bytes

MD5: 851d1e26ed7b54e69eb4d3fbb0981732

SHA1: f1b0c9cd62261cd1dae94508ff32fd905130ee60

SHA256: B1E26BDA952B5BFD945E0DE5FBD613B06DCCC68435BC0C1EE116FB010A664ABA

File Size: 172.54 KB, 172544 bytes

MD5: d73104a40da6513051de17517752e0ec

SHA1: 6ff247d0eea953870ee9c6b846a924ff211e5318

SHA256: CEB56F0E4C3DEB64F72D88AEEF16C0F40C74EABA1B4E41BC23F0E035EFA822CE

File Size: 88.06 KB, 88064 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have debug information
File doesn't have exports table
File doesn't have relocations information
File doesn't have resources
File doesn't have security information
File has been packed
File is 32-bit executable
File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
File is either console or GUI application

File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
File is Native application (NOT .NET application)
File is not packed
IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name	Value
Company Name	Coach inc. Jocoka
File Description	Run World of Warcraft Starship Troopers 2005 Restore Safe Backup
File Version	1,0,7,5 1,0,0,0
Internal Name	Starship Troopers 2005 Restore Safe Backup
Legal Copyright	Jocó Soft TRENERA 홍차의 꿈 (Windows 11) - jsb000.tistory.com
Product Name	Starship Troopers 2005 Restore Safe Backup
Product Version	1.0.7.5 1.0.0.0

File Traits

2+ executable sections
HighEntropy
No Version Info
packed
x86

Block Information

Total Blocks:	300
Potentially Malicious Blocks:	57
Whitelisted Blocks:	243
Unknown Blocks:	0

Visual Map

x 0 0 x 0 x 0 x x 0 x 0 x 0 x x x 0 x 0 x 0 x x 0 x x 0 x 0 x x x x x x 0 0 0 0 x x x 0 0 0 0 x 0 0 0 x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 x x x x x x 0 0 x x 0 x x x x x x x x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 x 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 x x 0 0 0 1 0 0 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 x 0 0 0 0 0

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

Betload.A

Files Modified

File	Attributes
\device\namedpipe	Generic Read,Write Attributes
\device\namedpipe	Generic Write,Read Attributes
\device\namedpipe\dav rpc service	Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\pshost.134139308969738431.7408.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\wkssvc	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\8cd0.tmp\8cd1.bat	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\a3ad.tmp\a3ae.bat	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\a5b1.tmp\a5c1.bat	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\bb56.tmp\bb57.bat	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\bcbd.tmp\bcbe.bat	Generic Read,Write Data,Write Attributes,Write extended,Append data

c:\cfc6.tmp\cfc7.bat	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\pizzabit v3\log\aggiornamento.txt	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\pizzabit v3\log\aggiornamento.txt	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_2birrwwt.mtb.psm1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_maojl3bu.oud.ps1	Generic Write,Read Attributes
c:\users\user\downloads\current.lang	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\downloads\default.lang	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\downloads\edcd.ini	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\downloads\log.txt	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\downloads\mtkdroidtools.ini	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\windows\system.ini	Generic Read,Write Data,Write Attributes,Write extended,Append data

Registry Modifications

Key::Value	Data	API Name
HKCU\software\microsoft\windows\currentversion\explorer\advanced::hidden		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::antivirusoverride		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::antivirusdisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::firewalldisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::firewalloverride		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::updatesdisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::uacdisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::antivirusoverride		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::antivirusdisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::firewalldisablenotify		RegNtPreCreateKey

HKLM\software\wow6432node\microsoft\security center\svc::firewalloverride		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::updatesdisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::uacdisablenotify		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings::globaluseroffline		RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\policies\system::enablelua		RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::enablefirewall		RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::donotallowexceptions		RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::disablenotifications		RegNtPreCreateKey
HKCU\software\apcr\1214104697::1919251317	Ƥ	RegNtPreCreateKey
HKCU\software\apcr\1214104697::-456464662		RegNtPreCreateKey
HKCU\software\apcr\1214104697::1462786655		RegNtPreCreateKey
HKCU\software\apcr\1214104697::-912929324	#	RegNtPreCreateKey
HKCU\software\apcr\1214104697::1006321993	ǩ	RegNtPreCreateKey
HKCU\software\apcr\1214104697::-1369393986	http://nubuc.ch/blog/wp-content/themes/f8-lite/images/styles.g	RegNtPreCreateKey
HKCU\software\apcr\1214104697::549857331		RegNtPreCreateKey
HKCU\software\apcr::u1_0	吡	RegNtPreCreateKey
HKCU\software\apcr::u2_0	ἦ	RegNtPreCreateKey
HKCU\software\apcr::u3_0	権ă	RegNtPreCreateKey
HKCU\software\apcr::u4_0		RegNtPreCreateKey
HKCU\software\apcr::u1_1	㶿㐇	RegNtPreCreateKey
HKCU\software\apcr::u2_1	旒牥	RegNtPreCreateKey
HKCU\software\apcr::u3_1	ᥜ獦	RegNtPreCreateKey
HKCU\software\apcr::u4_1	獵牥	RegNtPreCreateKey
HKCU\software\apcr::u1_2	顗ퟺ	RegNtPreCreateKey
HKCU\software\apcr::u2_2	ﰝ	RegNtPreCreateKey
HKCU\software\apcr::u3_2	賃	RegNtPreCreateKey
HKCU\software\apcr::u4_2		RegNtPreCreateKey
HKCU\software\apcr::u1_3	房洡	RegNtPreCreateKey
HKCU\software\apcr::u2_3	䶱地	RegNtPreCreateKey
HKCU\software\apcr::u3_3	ぶ嘳	RegNtPreCreateKey
HKCU\software\apcr::u4_3	婟地	RegNtPreCreateKey
HKCU\software\apcr::u1_4	숌轗	RegNtPreCreateKey
HKCU\software\apcr::u2_4	즕	RegNtPreCreateKey
HKCU\software\apcr::u3_4	ꟽ좖	RegNtPreCreateKey
HKCU\software\apcr::u4_4	췔즕	RegNtPreCreateKey
HKCU\software\apcr::u1_5	웻직	RegNtPreCreateKey
HKCU\software\apcr::u2_5	庰㯻	RegNtPreCreateKey
HKCU\software\apcr::u3_5	⭠㫸	RegNtPreCreateKey
HKCU\software\apcr::u4_5	䅉㯻	RegNtPreCreateKey
HKCU\software\apcr::u1_6	矻틬	RegNtPreCreateKey
HKCU\software\apcr::u2_6	酴깠	RegNtPreCreateKey
HKCU\software\apcr::u3_6		RegNtPreCreateKey
HKCU\software\apcr::u4_6	뒾깠	RegNtPreCreateKey
HKCU\software\apcr::u1_7	ꔽ芀	RegNtPreCreateKey
HKCU\software\apcr::u2_7	੘⃆	RegNtPreCreateKey
HKCU\software\apcr::u3_7	䈚⇅	RegNtPreCreateKey
HKCU\software\apcr::u4_7	⠳⃆	RegNtPreCreateKey
HKCU\software\apcr::u1_8	팤	RegNtPreCreateKey
HKCU\software\apcr::u2_8	裧錫	RegNtPreCreateKey
HKCU\software\apcr::u3_8	鈨	RegNtPreCreateKey
HKCU\software\apcr::u4_8	鮨錫	RegNtPreCreateKey
HKCU\software\apcr::u1_9		RegNtPreCreateKey
HKCU\software\apcr::u2_9	ᥐ֑	RegNtPreCreateKey
HKCU\software\apcr::u3_9	攴Ғ	RegNtPreCreateKey
HKCU\software\apcr::u4_9	༝֑	RegNtPreCreateKey
HKCU\software\apcr::u1_10	惍	RegNtPreCreateKey
HKCU\software\apcr::u2_10	鶌矶	RegNtPreCreateKey
HKCU\software\apcr::u3_10	盵	RegNtPreCreateKey
HKCU\software\apcr::u4_10	芒矶	RegNtPreCreateKey
HKCU\software\apcr::u1_11	⥷咱	RegNtPreCreateKey
HKCU\software\apcr::u2_11	픪	RegNtPreCreateKey
HKCU\software\apcr::u3_11	鰮	RegNtPreCreateKey
HKCU\software\apcr::u4_11		RegNtPreCreateKey
HKCU\software\apcr::u1_12	톩냅	RegNtPreCreateKey
HKCU\software\apcr::u2_12	糧峁	RegNtPreCreateKey
HKCU\software\apcr::u3_12	͕巂	RegNtPreCreateKey
HKCU\software\apcr::u4_12	楼峁	RegNtPreCreateKey
HKCU\software\apcr::u1_13	薷⌠	RegNtPreCreateKey
HKCU\software\apcr::u2_13	셛켦	RegNtPreCreateKey
HKCU\software\apcr::u3_13	뛘츥	RegNtPreCreateKey
HKCU\software\apcr::u4_13		RegNtPreCreateKey
HKCU\software\apcr::u1_14	ꕔ潴	RegNtPreCreateKey
HKCU\software\apcr::u2_14	丹䆌	RegNtPreCreateKey
HKCU\software\apcr::u3_14	㩏䂏	RegNtPreCreateKey
HKCU\software\apcr::u4_14	偦䆌	RegNtPreCreateKey
HKCU\software\apcr::u1_15	蚭䌲	RegNtPreCreateKey
HKCU\software\apcr::u2_15	돱	RegNtPreCreateKey
HKCU\software\apcr::u3_15	꧲닲	RegNtPreCreateKey
HKCU\software\apcr::u4_15	쏛돱	RegNtPreCreateKey
HKCU\software\apcr::u1_16		RegNtPreCreateKey
HKCU\software\apcr::u2_16	⤀♗	RegNtPreCreateKey
HKCU\software\apcr::u3_16	嵹❔	RegNtPreCreateKey
HKCU\software\apcr::u4_16	㝐♗	RegNtPreCreateKey
HKCU\software\apcr::u1_17	矸尐	RegNtPreCreateKey
HKCU\software\apcr::u2_17	뉸颼	RegNtPreCreateKey
HKCU\software\apcr::u3_17	샬馿	RegNtPreCreateKey
HKCU\software\apcr::u4_17	꫅颼	RegNtPreCreateKey
HKCU\software\apcr::u1_18	籡⺵	RegNtPreCreateKey
HKCU\software\apcr::u2_18	ųଢ	RegNtPreCreateKey
HKCU\software\apcr::u3_18	琓ਡ	RegNtPreCreateKey
HKCU\software\apcr::u4_18	Ḻଢ	RegNtPreCreateKey
HKCU\software\apcr::u1_19		RegNtPreCreateKey
HKCU\software\apcr::u2_19	觉綇	RegNtPreCreateKey
HKCU\software\apcr::u3_19	ﮆ粄	RegNtPreCreateKey
HKCU\software\apcr::u4_19	醯綇	RegNtPreCreateKey
HKCU\software\apcr::u1_20		RegNtPreCreateKey
HKCU\software\apcr::u2_20	Ⓛ	RegNtPreCreateKey
HKCU\software\apcr::u3_20	漍	RegNtPreCreateKey
HKCU\software\apcr::u4_20	Ԥ	RegNtPreCreateKey
HKCU\software\apcr::u1_21	⎤쿽	RegNtPreCreateKey
HKCU\software\apcr::u2_21	枀扒	RegNtPreCreateKey
HKCU\software\apcr::u3_21	ኰ捑	RegNtPreCreateKey
HKCU\software\apcr::u4_21	碙扒	RegNtPreCreateKey
HKCU\software\apcr::u1_22	㶬濓	RegNtPreCreateKey
HKCU\software\apcr::u2_22	ﯩ풷	RegNtPreCreateKey
HKCU\software\apcr::u3_22	蘧햴	RegNtPreCreateKey
HKCU\software\apcr::u4_22	풷	RegNtPreCreateKey
HKCU\software\apcr::u1_23	Ҿ	RegNtPreCreateKey
HKCU\software\apcr::u2_23	䔥䜝	RegNtPreCreateKey
HKCU\software\apcr::u3_23	㖪䘞	RegNtPreCreateKey
HKCU\software\apcr::u4_23	徃䜝	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	㝦ڙ蓎ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	ꘉ雯趱ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	襷ꓩ軽ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	ꥼ瞬貏ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	䜫씈餬ǜ	RegNtPreCreateKey
HKCU\local settings\muicache\1b\52c64b7e::@c:\windows\system32\ndfapi.dll,-40001	Windows Network Diagnostics	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe	ʫꃷ뎠ǜ	RegNtPreCreateKey

Windows API Usage

Category	API
Anti Debug	IsDebuggerPresent NtQuerySystemInformation
User Data Access	GetUserDefaultLocaleName GetUserName GetUserNameEx GetUserObjectInformation
Keyboard Access	GetAsyncKeyState GetKeyState
Network Winsock2	WSAStartup
Network Winsock	accept bind closesocket connect freeaddrinfo getaddrinfo gethostbyname getsockname inet_addr recv Show More send setsockopt socket
Process Shell Execute	CreateProcess
Process Manipulation Evasion	NtUnmapViewOfSection
Syscall Use	ntdll.dll!NtAccessCheck ntdll.dll!NtAccessCheckByType ntdll.dll!NtAddAtomEx ntdll.dll!NtAlertThreadByThreadId ntdll.dll!NtAllocateLocallyUniqueId ntdll.dll!NtAlpcAcceptConnectPort ntdll.dll!NtAlpcConnectPort ntdll.dll!NtAlpcConnectPortEx ntdll.dll!NtAlpcCreatePort ntdll.dll!NtAlpcCreateSecurityContext Show More ntdll.dll!NtAlpcDeleteSecurityContext ntdll.dll!NtAlpcQueryInformation ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtAlpcSetInformation ntdll.dll!NtApphelpCacheControl ntdll.dll!NtAssociateWaitCompletionPacket ntdll.dll!NtCancelTimer2 ntdll.dll!NtCancelWaitCompletionPacket ntdll.dll!NtClearEvent ntdll.dll!NtClose ntdll.dll!NtCompareSigningLevels ntdll.dll!NtConnectPort ntdll.dll!NtCreateEvent ntdll.dll!NtCreateFile ntdll.dll!NtCreateIoCompletion ntdll.dll!NtCreateKey ntdll.dll!NtCreateMutant ntdll.dll!NtCreatePrivateNamespace ntdll.dll!NtCreateSection ntdll.dll!NtCreateSemaphore ntdll.dll!NtCreateThreadEx ntdll.dll!NtCreateTimer ntdll.dll!NtCreateTimer2 ntdll.dll!NtCreateWaitCompletionPacket ntdll.dll!NtCreateWorkerFactory ntdll.dll!NtDelayExecution ntdll.dll!NtDeviceIoControlFile ntdll.dll!NtDuplicateObject ntdll.dll!NtDuplicateToken ntdll.dll!NtEnumerateKey ntdll.dll!NtEnumerateValueKey ntdll.dll!NtFlushProcessWriteBuffers ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtFsControlFile ntdll.dll!NtGetCachedSigningLevel ntdll.dll!NtImpersonateAnonymousToken ntdll.dll!NtMapViewOfSection ntdll.dll!NtNotifyChangeKey ntdll.dll!NtOpenDirectoryObject ntdll.dll!NtOpenEvent ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenKeyEx ntdll.dll!NtOpenProcess ntdll.dll!NtOpenProcessToken ntdll.dll!NtOpenProcessTokenEx ntdll.dll!NtOpenSection ntdll.dll!NtOpenSemaphore ntdll.dll!NtOpenSymbolicLinkObject ntdll.dll!NtOpenThread ntdll.dll!NtOpenThreadToken ntdll.dll!NtOpenThreadTokenEx ntdll.dll!NtPowerInformation ntdll.dll!NtProtectVirtualMemory ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryDefaultLocale ntdll.dll!NtQueryDirectoryFileEx ntdll.dll!NtQueryEvent ntdll.dll!NtQueryFullAttributesFile ntdll.dll!NtQueryInformationFile ntdll.dll!NtQueryInformationJobObject ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryKey ntdll.dll!NtQueryLicenseValue ntdll.dll!NtQueryObject ntdll.dll!NtQueryPerformanceCounter ntdll.dll!NtQuerySecurityAttributesToken ntdll.dll!NtQuerySecurityObject ntdll.dll!NtQuerySymbolicLinkObject ntdll.dll!NtQuerySystemInformation ntdll.dll!NtQuerySystemInformationEx ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtQueryWnfStateData ntdll.dll!NtQueueApcThreadEx2 ntdll.dll!NtReadFile ntdll.dll!NtReadRequestData ntdll.dll!NtReleaseMutant ntdll.dll!NtReleaseSemaphore ntdll.dll!NtReleaseWorkerFactoryWorker ntdll.dll!NtRemoveIoCompletion ntdll.dll!NtRequestWaitReplyPort ntdll.dll!NtResumeThread ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationFile ntdll.dll!NtSetInformationKey ntdll.dll!NtSetInformationObject 24 additional items are not displayed above.
Other Suspicious	AdjustTokenPrivileges
Encryption Used	BCryptOpenAlgorithmProvider
Process Terminate	TerminateProcess

Shell Command Execution


							"adb.exe" -d version


							"c:\users\user\downloads\adb\adb.exe" -d kill-server


							"c:\users\user\downloads\adb\adb.exe" -d start-server


							"c:\users\user\downloads\adb\adb.exe" -d version


							"C:\WINDOWS\sysnative\cmd" /c "\CFC6.tmp\CFC7.bat c:\users\user\downloads\f5e613e6ee1c324b95a5b412c58d5fc2838f95a1_0000104448"


									C:\WINDOWS\system32\xcopy.exe xcopy  SafeBackup\*.* "C:\Users\Ncmjthpl\Documents\Empire Interactive\SST\" /s /w /y /q


									C:\WINDOWS\system32\choice.exe choice  /c y /n /t 5 /d y


									"C:\WINDOWS\sysnative\cmd" /c "\BCBD.tmp\BCBE.bat c:\users\user\downloads\873fea7ea2d01f08031d4cfe96d9d88f30be0034_0000073216"


									C:\WINDOWS\system32\curl.exe curl  -L "https://github.com/rustdesk/rustdesk/releases/download/1.2.6/rustdesk-1.2.6-x86_64.exe" -o rustdesk.exe


									C:\WINDOWS\system32\timeout.exe timeout  /t 10


									"C:\WINDOWS\sysnative\cmd" /c "\8CD0.tmp\8CD1.bat c:\users\user\downloads\af57d824fc2d4d9b2b97c4f053ad0ccb6e8ec1f4_0000140800"


									C:\WINDOWS\system32\chcp.com CHCP  65001


									C:\WINDOWS\system32\mode.com mode  con:cols=110 lines=35


									C:\WINDOWS\system32\taskkill.exe TASKKILL  /F /IM MK10.exe


									C:\WINDOWS\system32\taskkill.exe TASKKILL  /F /IM MKXLauncher.exe


									C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe PowerShell  -Command "Add-Type -AssemblyName PresentationFramework


									"C:\WINDOWS\sysnative\cmd" /c "\A3AD.tmp\A3AE.bat c:\users\user\downloads\e4b88ee77caf93b1340411368b30535ea294f617_0000047616"


									C:\Windows\System32\reg.exe Reg.exe  query "HKU\S-1-5-19\Environment"


									"C:\WINDOWS\sysnative\cmd" /c "\A5B1.tmp\A5C1.bat c:\users\user\downloads\f1b0c9cd62261cd1dae94508ff32fd905130ee60_0000172544"


									"C:\WINDOWS\sysnative\cmd" /c "\BB56.tmp\BB57.bat c:\users\user\downloads\6ff247d0eea953870ee9c6b846a924ff211e5318_0000088064"


									C:\WINDOWS\system32\ftp.exe FTP  -s:ftpcommand.txt

EnigmaSoft’s Payment Processor Digital River GmbH Filing for Bankruptcy Does Not Impact SpyHunter Customers’ Anti-Malware Protection

Search

Change Region

Trojan.Agent.HD

Threat Scorecard

EnigmaSoft Threat Scorecard

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

File Icons

File Icons

Windows PE Version Information

Windows PE Version Information

File Traits

Block Information

Block Information

Visual Map

Similar Families

Similar Families

Files Modified

Files Modified

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

Submit Comment

Trending

Trojan.MSIL.Krypt.RB

Operatecurrentextremelyinfo-file.info

Trojan.Downloader.Tracur.AH

Most Viewed

How To Fix 'Printer Driver is Unavailable' Error

How to Fix 'macOS cannot verify that this app is...

Discord Shows Black Screen when Sharing Screen