
Trojan.MSIL.Agent.KA

By CagedTech in Trojans

Threat Scorecard

Popularity Rank: 4,926
Threat Level: 80 % (High)
Infected Computers: 1,735
First Seen: December 6, 2021
Last Seen: January 24, 2026
OS(es) Affected: Windows

Analysis Report

General information

Family Name: Trojan.MSIL.Agent.KA
Signature status: No Signature (the samples carry no Authenticode signature, so the vendor strings in the version resource below are unverified)

Known Samples

MD5: 039435ed3321c7818453e3f2204921ba
SHA1: dcaa81bb7134c5227195a4bcf220454310ca11eb
File Size: 75.78 KB, 75776 bytes
MD5: 65a2e68be12cf41547d601c456c04edd
SHA1: c39fec7bd6d0fce49441798605452f296f519689
File Size: 38.91 KB, 38912 bytes
MD5: 8b4eff5ec7160166e87ec0021f7db571
SHA1: 8a40e88d3fd4358a36920bcc43ceeef2905a82cc
File Size: 103.42 KB, 103424 bytes
MD5: b96dafdfe821ba72837eddf730714b4d
SHA1: 2e3f784aa891c295d7b15e9647cbedb4226ae416
File Size: 34.30 KB, 34304 bytes
MD5: 2424844604e33100e84667ef83ca5246
SHA1: 5403a5059fd059c5a8c0d6d4a86be85cce4593cf
File Size: 51.20 KB, 51200 bytes
MD5: e57c21e4076c52248e336b70f084fbbf
SHA1: 52cb58fc7e5eb609baa00d2f293ea615208e19f6
SHA256: A39D194BA50CD1D8EC766EA499925DD4624F3A5809845AB093DDBC22D3BE6EF8
File Size: 45.57 KB, 45568 bytes
MD5: 170ea28120f31aaa6dfb71dd43294077
SHA1: e504f3ebd6abcc1f038783aaaaaecb043ed69d69
SHA256: 2BB7DFFBB1AA9CF6FB2C603AF71FE1DDEAE006ADEDA05016D2CE4942BB56E87F
File Size: 42.50 KB, 42496 bytes
MD5: e93204f2265ea08cc7228ca8552ee5bd
SHA1: 4d393e50d97761bcaa6f892344007918dc83f451
SHA256: F058D3F068ABE2C9E8F40CCA13C01E9167FDDBDC5777DD4258034DE213EA5689
File Size: 40.96 KB, 40960 bytes
MD5: 65e5541169796f170978a02f2972708d
SHA1: 6ccdd4556a5626de4f4206f5c33167484cbec26e
SHA256: 48F5EAE2625D594042EE75AD5E4FB46AA79D5ECC7E69D227BB73F9E2E7EFDF91
File Size: 82.43 KB, 82432 bytes
MD5: 3228d024a067b420f5425062803ffa02
SHA1: 521eb28004487d589839e02daec17f7ca55440aa
SHA256: 5EA46A993DE736CE59671D72F721B5B4983DB5A179AE2D3CE1625420FACF685A
File Size: 38.91 KB, 38912 bytes
MD5: 3a02581708050a86afecfd1dd912b03a
SHA1: 313cc62bac82dd35797b413f8affcbddc1ffee4d
SHA256: A5A1BDC5923D98326A397682313B08E1F01DC00E88F7320E673B91758FA545AF
File Size: 42.50 KB, 42496 bytes
MD5: 52c7b2a7061a052bf1b65aa3f1b4d6bc
SHA1: 6d98b5a773fcffca4319b0324230370ad19658e6
SHA256: 012E918927C67F967B1184BCBA446BC141F74FF02CE7F1B4AA7805C0C91A51AB
File Size: 70.66 KB, 70656 bytes
MD5: 573fb8756166dab45155245aa789f990
SHA1: 37ebbd1808d6966f276fb72a1178c4d4242ac419
SHA256: 7AC47C01B5CC2C4E892F270E20C082676843ED39E2EA7CD5967DE2E5C1F23115
File Size: 103.94 KB, 103936 bytes
MD5: 3a600ec9263904c86352ec0619f6a292
SHA1: 22fe8efca49da96e882f8dd61391b2f08460e0c2
SHA256: 6133AEDB48ED6B7B3740E5F9C2E8F3F5F31E263A5AF340993B7480455908566B
File Size: 65.02 KB, 65024 bytes
MD5: 040b30746d6278c8a60016a9d0f618c1
SHA1: 2dd657a462124588f3003cf14ed6c19651c959ed
SHA256: 2B4AD4C59B2D3D48F42C632C67C6C90FD38EFC1A0654D9DFD2B912EB3B06F92D
File Size: 45.57 KB, 45568 bytes
MD5: 0f1a15030fd5565cfe98165e324ef02b
SHA1: a475a4ff444e343fae925114ddc941b0a5f09688
SHA256: 671B0CCA5EA7B73BF2446872D61E65BA709DD73FBA2AB97A395EF1AEC9D33D7B
File Size: 252.93 KB, 252928 bytes
MD5: fa2f4e1c98e088d50d07ec0b351e6118
SHA1: 09d7b8588c317f551a4aee79a21e1cfa2a00401f
SHA256: D6814195C2D481CA8B68A36F1059420C36D870B31AAAC32B46CA33F2EBADE385
File Size: 335.36 KB, 335360 bytes
MD5: 1046813da3a62eef94ba91f30d80cc27
SHA1: db5fb98f814c6309ea1ef6b30820f3edce16f253
SHA256: F209A652087023D2942ED3F77A08327EEB66FA103DA7EBD92DC54012B6A87847
File Size: 69.12 KB, 69120 bytes
MD5: 31a07f719d17834742142821d095443a
SHA1: e3f0115e4e03e21ac593e04b980be0fc0fa6a5f2
SHA256: 2EA9DF30563198D0DA7626F525D29C912A12178DD799F50FBDF1A9822D0F0522
File Size: 55.30 KB, 55296 bytes
MD5: b3899d0b39606e55962bb020ae090c36
SHA1: 42a5dbb3a47a388fc55c0c7213c83efdd82a94d4
SHA256: FB73CD9C974F7FABC367BE9CF9A581E0D7EA9CA0F42B294779D548117F1EB6DB
File Size: 44.54 KB, 44544 bytes
MD5: 9e56e96d8b6b25af65d58f3d4d6f585b
SHA1: 915e9bbe6721a8ee970293cd4bc71a485e71f155
SHA256: 69826A9470297FE081B4F75F666ACB50FE5D3E05296FBADE26205C9AED6D686F
File Size: 35.33 KB, 35328 bytes
MD5: 7c1243aac3248ae75cc2bab7bf4dfaba
SHA1: 3dd055ef06380e5886f59b76761132c36e8b3e8f
SHA256: DBF81C18B8FA71DE185DA60A70E41F5799405E5A8331E759B399CAB5353A1EDA
File Size: 78.34 KB, 78336 bytes
MD5: 383112a2f4f93eac069d45a69621a3b3
SHA1: 0b100c66ee474c908efd53579931950a7e199171
SHA256: 3ECCD3915DF091F8EC9986D409D7385987B896B5B0B8CFE4FDBE492A0C6EEE69
File Size: 38.91 KB, 38912 bytes
MD5: 46e70331ca5b668cddb99b80db08cc3f
SHA1: 8924e242df64dcf60c6ace04697fe00fd7b65e33
SHA256: 755F74F6367AFEC0C50D35F55DD7D5BDE5C917E3CCE881F024C4DB1FC42AC864
File Size: 33.28 KB, 33280 bytes
MD5: 10d4fdf1a9181f1d8d1d8e4489216d24
SHA1: 593bccb5cc86836c58a41f2e96620397c0b022d4
SHA256: 96B7DB1B9CC778DC4B36A2A60AA7F8ECE78801C15BCBF5393C1CEED96CF197E2
File Size: 86.53 KB, 86528 bytes
MD5: f4fbcdb34615758cf06524fe1c107353
SHA1: 9a89dd390b6f1dbabfcbc6e22a3f06f461dd3008
SHA256: 6EBE05EF042AE93F2C7C20A61B61F01AF17589B9F709E1219365D02684D48631
File Size: 171.01 KB, 171008 bytes
MD5: bdc7b34c12352895417098a50290f7b0
SHA1: 3d42ce2481fd3cdf35f619d7cdc7713965778a1d
SHA256: 84535219214C5CA0E4F020E9E2B5CD64F7CA4E301BF468C2AC0A91B4A92B27DC
File Size: 74.75 KB, 74752 bytes
MD5: da19b87be4ed0faab684eae2395a0eb3
SHA1: 1841bb78bf3f4079b6186cb03c2b70a06b1828dc
SHA256: AA4CCA5297A647114A653564C9F96B3B76172CC14CE90D58C29876B391ABA074
File Size: 83.46 KB, 83456 bytes
MD5: a2ddf32354622e3cfcf5b49fc5036ecf
SHA1: 4893675ad242b3e78f0a95b6e6030c61a137c951
SHA256: 75CED277475DE4281EFA96968C23A82144052E53A5C935AD284D678A07785F49
File Size: 75.26 KB, 75264 bytes
MD5: 0207002f7d5c9bddaca77659972087fd
SHA1: 6329b6987b92e83236b47061d75bd522168c2591
SHA256: 02A7AF38BC94261FB844D444EB855094C817D00665FE87EEF6D5F7FE77207CA4
File Size: 44.54 KB, 44544 bytes
MD5: 4b175982ccdecbac2a53c7d1d0c5b160
SHA1: 84ecd6c38f3942b5d577e601fe3df2a28db8d452
SHA256: 0F4BAFF41B149AC8651AA50920C12FA9E93F9750A49A074F6579235D00577D95
File Size: 84.99 KB, 84992 bytes
MD5: 1a59bb8b24fc19f42082d331a9514f65
SHA1: 8057883e1f73d6bfd5f423415baff49b4fea0f38
SHA256: 5C16D42BDE8238F0C490B2C8C64904B31C743AFF1667515928F902F48F716655
File Size: 34.30 KB, 34304 bytes
MD5: 67174d06bf389fdeab36ff338cac0b6b
SHA1: 38bcfaaf4cd2383e6aa43898f4f83a6166deda12
SHA256: 67CD5613C6D62BD2D0BCEC1E3E92F8EACAF4FF4BCF4C182ED31CDD3D3073D008
File Size: 72.70 KB, 72704 bytes
MD5: 6a52cf9c8fa392d129dcd51271311cb3
SHA1: ab48dc4da5c3af962d61df8e5b593b52f18e18c1
SHA256: A601018643655E78631FB071502662D693DF5193164D218AF33D6E1DBFAD52EB
File Size: 91.14 KB, 91136 bytes
MD5: 74bb6ceb54f1477f636011ca5d69fa01
SHA1: 879263e4d7ed4fb0ccdf08e3bd26cb2e898c619a
SHA256: A9F0E64757C4476A62A98F86339810C952DAA0E3DC67D5A830A4669432416135
File Size: 40.96 KB, 40960 bytes
MD5: 0e2e93112b9ee10a6c35124c7ee6b3aa
SHA1: d27a2e6ada9ae96fcecf6592fc65fdd868690c0a
SHA256: 730699964636042755CF602903907A90A0E348531020C11997962C3F4AE87392
File Size: 41.98 KB, 41984 bytes
MD5: 90f9b7af90defca181e63f4d857256d2
SHA1: eb914885ff8ae0238ae5a1ddb08b0f7dcb06e17d
SHA256: FB1CABCD3132C1BBFBE20C287520065DB222A9A82A24665A1FCD995EF3229CDD
File Size: 64.00 KB, 64000 bytes
MD5: 8d498dfc5238c22964987b104fd1601f
SHA1: ccd6fdc70757a1a6451c44fa358c7e31b08e4002
SHA256: 490EA351F7631160A1DCAEA7C8362A19366960D2E09593B0720BF0A11905AAAE
File Size: 72.70 KB, 72704 bytes
MD5: ed8891655087cebffa469575763a41a4
SHA1: fb7349c0b33fad099bc542391d0bb994f8e18ad2
SHA256: 2F142205909A1C36C1A04FE2495BFC591B3100F092A08FA920783D193614ED68
File Size: 81.92 KB, 81920 bytes
MD5: a734dee33736b40c20ddd90bd9870a15
SHA1: 7dcd1ea7824153cd5f056179c4eba7527bce57c2
SHA256: 331BB279B83B48304A28810BD86E1D34F1E3BD7C7777356BF01A5DC7626538D8
File Size: 224.26 KB, 224256 bytes
MD5: 286882ecf62ad92ae6e26aca69045ccf
SHA1: 6e2a91e71c332d13d33e8e9e9cb241e3a8cce48c
SHA256: CF778FAEA0414B7401341773C9EB369BA29396056FF59E261BA477D21744AD50
File Size: 82.43 KB, 82432 bytes
MD5: d1773dbf85d917eb86780278256b5314
SHA1: 921c853202eada39d4f6e5f4a26fbfc3ea3a204f
SHA256: B0F7B41DA01A331E50612953EC181657074D9EB942361FCF3E97A10B544F43E1
File Size: 229.38 KB, 229376 bytes
MD5: 8d6e86e6e799c75bd5123534bdbf411b
SHA1: 9fc526e97077ed2a5e78371fdab5ab7ecf789368
SHA256: 7892C9F14967696E15B99B3EAC66D65643357C9A4315F5E8210C8437C6617888
File Size: 77.31 KB, 77312 bytes
MD5: d9b2b1e88a7991135e7bfa6443716013
SHA1: 70933def79bd5b1ff0728db251a0b595c9cecd22
SHA256: D570FC0F10D6C885F2252E20FE908E981CFE6FC0B24E2FECB2757072DFB8444D
File Size: 68.10 KB, 68096 bytes
MD5: 79ae472c31cd542bfb782f997ddd7323
SHA1: 8a286b5354a08e695a906c84a68c6a5a29248df3
SHA256: D745155B9A1597A59AD589625FD496B55465697B835AF4970618C213B7108E93
File Size: 164.86 KB, 164864 bytes
MD5: 4c759098278dbfa727388249e54c97e9
SHA1: 3fb97080645eb8d36e9f250b4a1f39fbe015676c
SHA256: DD5C3F297BF83C4B127373E8F560AFD512F1ADB1E7B8E783BBFD69869CD5566A
File Size: 91.14 KB, 91136 bytes
MD5: ff504e2fe32b057696a0c5017dfdbb65
SHA1: db71fec90927c014cb9153389d40805d760d8fff
SHA256: 58FB7B487EA671CFD565DB7A3A48743BDD1B94DF7AFFD5605F684A4F75C06F5E
File Size: 71.68 KB, 71680 bytes
MD5: c471492c8eb22c02614f9b0d1ac5a911
SHA1: 76d06ec306f49d0f05fd00b9db64e4752af3e289
SHA256: 68CC399AC33200E625C1A1A89600B540CBCA82B18539F2A6E11533C344DE9438
File Size: 36.35 KB, 36352 bytes
MD5: a056387cda23ce0a466935f3cdbe5695
SHA1: cb95d02bf8490de615f5f0b78255d4e7728eb176
SHA256: 9D9DF2F7E710729C6C350801057D54D6EE063334C72908B29B1EF2209431C5A3
File Size: 84.48 KB, 84480 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have security information
  • File is .NET application
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
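The checklist above is what a static parser reads straight out of the PE headers. The following Python is added here as an example and is not code from the original report or from any vendor tool: it reads the same fields (COFF Characteristics, optional-header Magic and Subsystem, the data directories for the export table, certificate table, debug directory and CLR runtime header, and the "Rich" marker in the DOS stub) and renders them in the report's wording. Because no sample is available offline, build_sample_pe constructs a minimal header-only PE32 image in memory; it is not one of the listed files, and the RVA/size values it writes are placeholders.

```python
import struct

# COFF characteristics and subsystem constants from the PE specification.
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
# Data-directory indexes: export table, certificate table, debug, CLR runtime header.
DIR_EXPORT, DIR_SECURITY, DIR_DEBUG, DIR_CLR = 0, 4, 6, 14


def pe_attributes(data: bytes) -> dict:
    """Read the header fields behind the attribute checklist from an in-memory PE."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _symp, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories start at offset 96
        dirs_off, bits = opt + 96, 32
    elif magic == 0x20B:      # PE32+: data directories start at offset 112
        dirs_off, bits = opt + 112, 64
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    n_dirs = struct.unpack_from("<I", data, dirs_off - 4)[0]   # NumberOfRvaAndSizes

    def directory(index: int) -> tuple:
        # Entries past NumberOfRvaAndSizes or past the optional header are treated as absent.
        if index >= n_dirs or dirs_off + 8 * index + 8 > opt + opt_size:
            return (0, 0)
        return struct.unpack_from("<II", data, dirs_off + 8 * index)

    if subsystem == IMAGE_SUBSYSTEM_WINDOWS_GUI:
        sub = "GUI"
    elif subsystem == IMAGE_SUBSYSTEM_WINDOWS_CUI:
        sub = "console"
    else:
        sub = str(subsystem)
    return {
        # A Rich header lives in the DOS stub before the PE signature and ends with "Rich".
        "rich_header": b"Rich" in data[0x40:e_lfanew],
        "debug_info": directory(DIR_DEBUG)[1] != 0,
        "exports": directory(DIR_EXPORT)[0] != 0,
        "security_info": directory(DIR_SECURITY)[1] != 0,   # Authenticode certificate table
        "dotnet": directory(DIR_CLR)[0] != 0,               # CLR runtime header present
        "bits": bits,
        "machine": machine,
        "subsystem": sub,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "executable_image": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
    }


def checklist(attrs: dict) -> list:
    """Render the attributes in the wording the report uses."""
    def have(flag: bool, what: str) -> str:
        verb = "has" if flag else "doesn't have"
        return f"File {verb} {what}"
    lines = [
        have(attrs["rich_header"], '"Rich" header'),
        have(attrs["debug_info"], "debug information"),
        have(attrs["exports"], "exports table"),
        have(attrs["security_info"], "security information"),
    ]
    if attrs["dotnet"]:
        lines.append("File is .NET application")
    lines.append(f"File is {attrs['bits']}-bit executable")
    lines.append(f"File is {attrs['subsystem']} application")
    lines.append("IMAGE_FILE_DLL is " + ("set" if attrs["is_dll"] else "not set") + " inside PE header")
    return lines


def build_sample_pe(*, dotnet=True, gui=True, dll=False, rich=False) -> bytes:
    """Constructed header-only PE32 image for demonstration; not one of the listed samples."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    if rich:
        dos[0x60:0x64] = b"Rich"          # marker only; a real Rich block carries tool ids
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if dll else 0)
    opt = bytearray(224)                  # PE32 optional header with 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 68, IMAGE_SUBSYSTEM_WINDOWS_GUI if gui else IMAGE_SUBSYSTEM_WINDOWS_CUI)
    struct.pack_into("<I", opt, 92, 16)
    if dotnet:
        struct.pack_into("<II", opt, 96 + 8 * DIR_CLR, 0x2008, 0x48)   # placeholder CLR header RVA/size
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), chars)  # IMAGE_FILE_MACHINE_I386
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for line in checklist(pe_attributes(build_sample_pe())):
        print("  •", line)
```

On a real file, read it with open(path, "rb").read() and pass the bytes to pe_attributes; the "security information" check only tells you whether a certificate table exists, not whether the signature validates.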

Windows PE Version Information

The values below are version-resource strings aggregated across the samples. The company names, product names and copyright strings copy those of WinRAR, Microsoft Windows, Opera and the Java updater, and the internal names include svchost.exe, dllhost.exe, RuntimeBroker.exe and taskhostw.exe, but none of the files carries a digital signature (see Signature status above), so these strings are impersonation, not evidence of origin.

Assembly Version
  • 120.0.5543.161
  • 7.13.0.0
  • 6.2.22621.1
  • 6.2.19041.4355
  • 2.8.461.11
  • 1.39.3323.1171
  • 1.0.0.0
  • 0.0.0.0
Company Name
  • Alexander Roshal
  • Microsoft Corporation
  • Opera Software
  • Oracle Corporation
File Description
  • Host Process for Windows Services
  • Java Update Scheduler
  • Opera Internet Browser
  • WinRAR
File Version
  • 120.0.5543.161
  • 10.0.22621.1 (WinBuild.160101.0800)
  • 7.13.0.0
  • 6.2.22621.1
  • 6.2.19041.4355
  • 2.8.461.11
  • 1.39.3323.1171
  • 1.0.0.0
  • 0.0.0.0
Internal Name
  • 0.exe
  • 222games.exe
  • aimware.exe
  • ANWXClient.exe
  • AudioDriver.exe
  • ByPass FF V2.exe
  • client.exe
  • dllhost.exe
  • Drive64.exe
  • ergjkn5.exe
  • Fatality.exe
  • google_updates.exe
  • Java21.exe
  • JETZTGIBTSSTRESS.exe
  • JSClient.exe
  • jusched.exe
  • lauunch1exe.exe
  • Microsoft Network Realtime Inspection Service.exe
  • Microsoft Windows Search protocol Host.exe
  • Monero.exe
  • NVIDIA App.exe
  • outlook.exe
  • ReaperUltimate.exe
  • RuntimeBroker.exe
  • SearchSystem.exe
  • setup.exe
  • shaderlibrary.exe
  • svchost.exe
  • synapsez.exe
  • System32.exe
  • System64.exe
  • T1.exe
  • taskhostw.exe
  • TEST2.exe
  • UEngine4kama.exe
  • wdewde.exe
  • Windows Defender.exe
  • Windows Defender Notification.exe
  • XCl.exe
  • XClient.exe
  • XWorm.exe
  • XWormClient.exe
  • zuwax.exe
Legal Copyright
  • Copyright Opera Software 2025
  • Copyright © 2025
  • Copyright © Alexander Roshal 1993-2025
  • © Microsoft Corporation. All rights reserved.
Original Filename
  • 0.exe
  • 222games.exe
  • aimware.exe
  • ANWXClient.exe
  • AudioDriver.exe
  • ByPass FF V2.exe
  • client.exe
  • dllhost.exe
  • Drive64.exe
  • ergjkn5.exe
  • Fatality.exe
  • google_updates.exe
  • Java21.exe
  • JETZTGIBTSSTRESS.exe
  • JSClient.exe
  • jusched.exe
  • lauunch1exe.exe
  • Microsoft Network Realtime Inspection Service.exe
  • Microsoft Windows Search protocol Host.exe
  • Monero.exe
  • NVIDIA App.exe
  • outlook.exe
  • ReaperUltimate.exe
  • RuntimeBroker.exe
  • SearchSystem.exe
  • setup.exe
  • shaderlibrary.exe
  • svchost.exe
  • synapsez.exe
  • System32.exe
  • System64.exe
  • T1.exe
  • taskhostw.exe
  • TEST2.exe
  • UEngine4kama.exe
  • wdewde.exe
  • Windows Defender.exe
  • Windows Defender Notification.exe
  • XCl.exe
  • XClient.exe
  • XWorm.exe
  • XWormClient.exe
  • zuwax.exe
Product Name
  • Java Platform SE Auto Updater
  • Microsoft® Windows® Operating System
  • Opera Internet Browser
  • WinRAR
Product Version
  • 120.0.5543.161
  • 10.0.22621.1
  • 7.13.0.0
  • 6.2.22621.1
  • 6.2.19041.4355
  • 2.8.461.11
  • 1.39.3323.1171
  • 1.0.0.0
  • 0.0.0.0

File Traits

  • .NET
  • HighEntropy
  • Installer Version
  • NewLateBinding
  • ntdll
  • RijndaelManaged
  • Run
  • x86

Block Information

Total Blocks: 87
Potentially Malicious Blocks: 48
Whitelisted Blocks: 22
Unknown Blocks: 17

Visual Map

0 x x 0 0 0 x x 0 x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 ? ? ? x x x ? x x x x x x x x 0 x x x x x ? ? ? ? x ? ? x x x ? ? x ? ? ? x x x ? ? x x x x 0 x x x x x 0 0 x x x x x x x x x
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • MSIL.Agent.KA
  • MSIL.Krypt.UJB

Files Modified

Path | Access requested
c:\programdata\svchost.exe | Generic Write, Read Attributes
c:\users\user\appdata\roaming\5403a5059fd059c5a8c0d6d4a86be85cce4593cf_0000051200 | Generic Read, Write Data, Write Attributes, Write Extended, Append Data, Delete, LEFT 262144
c:\users\user\appdata\roaming\6329b6987b92e83236b47061d75bd522168c2591_0000044544 | Generic Read, Write Data, Write Attributes, Write Extended, Append Data, Delete, LEFT 262144
c:\users\user\appdata\roaming\8a40e88d3fd4358a36920bcc43ceeef2905a82cc_0000103424.exe | Generic Read, Write Data, Write Attributes, Write Extended, Append Data, Delete, LEFT 262144
c:\users\user\appdata\roaming\8a40e88d3fd4358a36920bcc43ceeef2905a82cc_0000103424.exe | Generic Write, Read Attributes, Delete, LEFT 262144
c:\users\user\appdata\roaming\8a40e88d3fd4358a36920bcc43ceeef2905a82cc_0000103424.exe | Generic Write, Read Data, Read Attributes, Delete, LEFT 262144
c:\users\user\appdata\roaming\edge.exe | Generic Write, Read Attributes
c:\users\user\appdata\roaming\google_updates.exe | Generic Write, Read Attributes
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\6329b6987b92e83236b47061d75bd522168c2591_0000044544 | Generic Read, Write Data, Write Attributes, Write Extended, Append Data, Delete, LEFT 262144
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\6329b6987b92e83236b47061d75bd522168c2591_0000044544 | Synchronize, Write Attributes
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\8a40e88d3fd4358a36920bcc43ceeef2905a82cc_0000103424.exe | Generic Read, Write Data, Write Attributes, Write Extended, Append Data, Delete, LEFT 262144
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\8a40e88d3fd4358a36920bcc43ceeef2905a82cc_0000103424.exe | Synchronize, Write Attributes
c:\users\user\appdata\roaming\svchost.exe | Generic Write, Read Attributes
c:\users\user\appdata\roaming\xwormclient.exe | Generic Write, Read Attributes

The three hash-named entries are the SHA-1 and zero-padded byte size of a listed sample (8a40e88d3fd4358a36920bcc43ceeef2905a82cc_0000103424.exe is the 103424-byte sample with that SHA-1; the 5403a505... and 6329b698... names match the 51200-byte and 44544-byte samples the same way). That is the sandbox's name for the submitted file: the malware copies itself to %APPDATA%\Roaming and to the Startup folder under whatever filename it was launched as, so on a real victim those copies will carry the lure's name instead. The fixed names it also drops (svchost.exe in ProgramData and in AppData\Roaming, edge.exe, google_updates.exe, xwormclient.exe) are the stable indicators to hunt for.

Registry Modifications

Key::Value | Data | API Name
HKLM\software\microsoft\tracing\rasapi32::enablefiletracing | | RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enableautofiletracing | | RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::enableconsoletracing | | RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::filetracingmask | (value not recoverable from source) | RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::consoletracingmask | (value not recoverable from source) | RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::maxfilesize | | RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasapi32::filedirectory | %windir%\tracing | RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enablefiletracing | | RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enableautofiletracing | | RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::enableconsoletracing | | RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::filetracingmask | (value not recoverable from source) | RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::consoletracingmask | (value not recoverable from source) | RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::maxfilesize | | RegNtPreCreateKey
HKLM\software\microsoft\tracing\rasmancs::filedirectory | %windir%\tracing | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::google_updates | C:\Users\Qqfrbewc\AppData\Roaming\google_updates.exe | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::8a40e88d3fd4358a36920bcc43ceeef2905a82cc_0000103424 | C:\Users\Ilxqevuf\AppData\Roaming\8a40e88d3fd4358a36920bcc43ceeef2905a82cc_0000103424.exe | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::xwormclient | C:\Users\Vcodtrzn\AppData\Roaming\XWormClient.exe | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::edge | C:\Users\Ztzbbnrc\AppData\Roaming\Edge.exe | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::6329b6987b92e83236b47061d75bd522168c2591_0000044544 | C:\Users\Gyiypwki\AppData\Roaming\6329b6987b92e83236b47061d75bd522168c2591_0000044544 | RegNtPreCreateKey

The Tracing\rasapi32 and Tracing\rasmancs keys are written by the RAS components whenever a process initialises them, which here is consistent with the WSAttemptAutodialName and WinHttpOpen calls under Windows API Usage; together with the Internet Settings\ZoneMap values they are generic Windows networking noise rather than changes specific to this family. The persistence is the HKCU ...\CurrentVersion\Run values, each pointing at a copy of the sample under %APPDATA%\Roaming. The differing account names (Qqfrbewc, Ilxqevuf, Vcodtrzn, Ztzbbnrc, Gyiypwki) appear to be the sandbox's randomised user per run, so a hunt should match on the AppData\Roaming path and the value name, not on the user.

Windows API Usage

Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreatePortSection
  • ntdll.dll!NtAlpcCreateResourceReserve
  • ntdll.dll!NtAlpcCreateSectionView
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcDeleteSecurityContext
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcQueryInformationMessage
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtAlpcSetInformation
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtCancelWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFlushProcessWriteBuffers
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtGetCompleteWnfStateSubscription
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtPowerInformation
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationJobObject
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtQueueApcThread
  • ntdll.dll!NtQueueApcThreadEx2
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReadVirtualMemory
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetThreadExecutionState
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSetTimerEx
  • ntdll.dll!NtSetValueKey

15 additional items are not displayed above.

User Data Access
  • GetComputerName
  • GetComputerNameEx
  • GetUserDefaultLocaleName
  • GetUserName
  • GetUserObjectInformation
  • OpenClipboard
Encryption Used
  • BCryptOpenAlgorithmProvider
Other Suspicious
  • AdjustTokenPrivileges
  • SetWindowsHookEx
Anti Debug
  • CheckRemoteDebuggerPresent
  • IsDebuggerPresent
  • NtQuerySystemInformation
Network Winsock2
  • WSAConnect
  • WSASocket
  • WSAStartup
  • WSAttemptAutodialName
Network Winsock
  • closesocket
  • freeaddrinfo
  • getaddrinfo
  • recv
  • send
  • setsockopt
Network Winhttp
  • WinHttpOpen
Network Info Queried
  • GetAdaptersAddresses
  • GetNetworkParams
Process Manipulation Evasion
  • ReadProcessMemory
Network Icmp
  • IcmpCreateFile
  • IcmpSendEcho2
Process Shell Execute
  • CreateProcess
  • ShellExecuteEx

Shell Command Execution

Image: C:\Windows\System32\schtasks.exe
Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "8a40e88d3fd4358a36920bcc43ceeef2905a82cc_0000103424" /tr "C:\Users\Ilxqevuf\AppData\Roaming\8a40e88d3fd4358a36920bcc43ceeef2905a82cc_0000103424.exe"

Image: (NULL)
Command line: schtasks.exe /create /f /sc minute /mo 1 /tn "8a40e88d3fd4358a36920bcc43ceeef2905a82cc_0000103424" /tr "C:\Users\Ilxqevuf\AppData\Roaming\8a40e88d3fd4358a36920bcc43ceeef2905a82cc_0000103424.exe"

The task is created with /f (overwrite any existing task of that name) and /sc minute /mo 1, so the copy in %APPDATA%\Roaming is relaunched every minute for as long as the task exists. The task name is the sandbox's submission name for the dropped file, so on a real infection it will be whatever filename the sample ran under. Deleting the Run value alone leaves this task in place; remove the task as well.
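The scheduled task above, the HKCU Run values and the Startup-folder copy are the three persistence mechanisms this report records. The following Python is added here as an example and is not code from the original report or from any vendor tool: it turns those observations into a hunt rule that flags Run values and task actions pointing into user-writable directories, schtasks /create lines with a minute-granularity trigger, executables carrying a system-binary name outside System32, and filenames of the sandbox's SHA-1_size form. The SAMPLE_EVENTS list is constructed from the sections above; the SYSTEM_BINARY_NAMES set, the five-minute threshold and the function names are assumptions of this example, not anything the report defines.

```python
import re
from typing import Optional

# Names the samples reuse from the version resource above; legitimate copies live
# under %SystemRoot%\System32 or SysWOW64 only. Set chosen for this example.
SYSTEM_BINARY_NAMES = {"svchost.exe", "dllhost.exe", "runtimebroker.exe", "taskhostw.exe"}
SYSTEM_DIRS = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(programdata\\|users\\[^\\]+\\appdata\\(roaming|local)\\)", re.I)
STARTUP_DIR = re.compile(
    r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
# Sandbox submission name: 40 hex chars (SHA-1) + '_' + 10-digit zero-padded size.
SUBMISSION_NAME = re.compile(r"^[0-9a-f]{40}_\d{10}(\.exe)?$", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.match(path))


def check_path(path: str) -> list:
    """Flag a dropped or launched executable by where it sits and what it is called."""
    findings = []
    name = basename(path).lower()
    if name in SYSTEM_BINARY_NAMES and not SYSTEM_DIRS.match(path):
        findings.append(f"system-binary name outside System32: {path}")
    if STARTUP_DIR.search(path):
        findings.append(f"Startup-folder persistence: {path}")
    if SUBMISSION_NAME.match(basename(path)):
        findings.append(f"self-copy keeps sandbox submission name: {path}")
    return findings


def parse_schtasks(cmdline: str) -> Optional[dict]:
    """Pull schedule, modifier, task name and action out of a schtasks /create line."""
    if not re.search(r'schtasks(\.exe)?"?\s+/create', cmdline, re.I):
        return None

    def opt(flag: str):
        # Accepts both quoted and bare argument values, e.g. /tn "name" or /sc minute.
        m = re.search(rf'/{flag}\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
        return (m.group(1) or m.group(2)) if m else None

    mo = opt("mo")
    return {"schedule": (opt("sc") or "").lower(),
            "modifier": int(mo) if mo and mo.isdigit() else None,
            "task": opt("tn"), "action": opt("tr")}


def check_scheduled_task(cmdline: str) -> list:
    task = parse_schtasks(cmdline)
    if task is None:
        return []
    findings = []
    # Minute triggers with a small modifier are a watchdog pattern, not a normal job.
    if task["schedule"] == "minute" and (task["modifier"] or 0) <= 5:
        findings.append(f"task '{task['task']}' re-runs every {task['modifier']} minute(s)")
    if task["action"] and is_user_writable(task["action"]):
        findings.append(f"task '{task['task']}' launches from user-writable path: {task['action']}")
    return findings + check_path(task["action"] or "")


def check_run_value(value_name: str, data: str) -> list:
    findings = []
    if is_user_writable(data):
        findings.append(f"Run value '{value_name}' points into user-writable path: {data}")
    return findings + check_path(data)


def evaluate(events: list) -> list:
    """events: ('file', path) | ('run', value_name, data) | ('cmd', command_line)."""
    out = []
    for ev in events:
        if ev[0] == "file":
            out += check_path(ev[1])
        elif ev[0] == "run":
            out += check_run_value(ev[1], ev[2])
        elif ev[0] == "cmd":
            out += check_scheduled_task(ev[1])
    return out


# Constructed from the Files Modified, Registry Modifications and Shell Command
# Execution sections of this report; the last entry is a legitimate path as a control.
SAMPLE_EVENTS = [
    ("file", r"c:\programdata\svchost.exe"),
    ("file", r"c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\8a40e88d3fd4358a36920bcc43ceeef2905a82cc_0000103424.exe"),
    ("run", "xwormclient", r"C:\Users\Vcodtrzn\AppData\Roaming\XWormClient.exe"),
    ("run", "google_updates", r"C:\Users\Qqfrbewc\AppData\Roaming\google_updates.exe"),
    ("cmd", r'schtasks.exe /create /f /sc minute /mo 1 /tn "8a40e88d3fd4358a36920bcc43ceeef2905a82cc_0000103424" /tr "C:\Users\Ilxqevuf\AppData\Roaming\8a40e88d3fd4358a36920bcc43ceeef2905a82cc_0000103424.exe"'),
    ("file", r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for line in evaluate(SAMPLE_EVENTS):
        print(line)
```

Feed it real data by mapping Sysmon event 11 (file create) to 'file', event 13 (registry set) on ...\CurrentVersion\Run to 'run', and event 1 (process create) command lines to 'cmd'; the control entry shows that svchost.exe in its real location produces no finding.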
