Trojan.MSIL.Downloader.ACD

By CagedTech in Trojans

Threat Scorecard

Popularity Rank: 14,410
Threat Level: 80 % (High)
Infected Computers: 1,566
First Seen: March 7, 2022
Last Seen: March 1, 2026
OS(es) Affected: Windows

Analysis Report

General information

Family Name: Trojan.MSIL.Downloader.ACD
Signature status: No Signature

Known Samples

MD5: bad3df107efcea6a0074bfd421f09a2f
SHA1: 64d7968fe4b181800019878d743570f7f429e0f8
SHA256: E69131E863C2C14873B89AD219D2840302274D88851205ED26ACEB87CF21829F
File Size: 246.18 KB, 246180 bytes
MD5: 3a999edccfb08e7a2f433f506d7005f6
SHA1: f492c0fd75ae55daf1cc1dd57840864b87a00eaf
SHA256: 25D9D926B3C0E98CFB21D56E7146BEF3967CA480A4B2216F4979A618EED21DD5
File Size: 394.54 KB, 394538 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
File Description secretes
File Version 9.7.2.36
Legal Copyright secretes secretes
Original Filename doulton.exe
Product Name secretes 9.7.2.36
Product Version 9.7.2.36

File Traits

  • .NET
  • x86

Files Modified

File Attributes
c:\users\user\appdata\local\soundvolumeview.exe Generic Write,Read Attributes
c:\users\user\appdata\local\soundvolumeview64.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsc416a.tmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsc416a.tmp\class.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsc416a.tmp\class.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsc416a.tmp\microsoft.web.webview2.core.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsc416a.tmp\microsoft.web.webview2.core.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsc416a.tmp\microsoft.web.webview2.winforms.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsc416a.tmp\microsoft.web.webview2.winforms.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsc416a.tmp\predatory.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsc416a.tmp\predatory.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsc416a.tmp\webview2loader.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsc416a.tmp\webview2loader.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsf59e9.tmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsf59e9.tmp\awacs.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsf59e9.tmp\awacs.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsf59e9.tmp\class.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsf59e9.tmp\class.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsf59e9.tmp\microsoft.web.webview2.core.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsf59e9.tmp\microsoft.web.webview2.core.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsf59e9.tmp\microsoft.web.webview2.winforms.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsf59e9.tmp\microsoft.web.webview2.winforms.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsf59e9.tmp\webview2loader.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsf59e9.tmp\webview2loader.dll Synchronize,Write Attributes

Registry Modifications

Key::Value Data API Name
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Mlpiqqap\AppData\Local\Temp\nsf59E9.tmp\awacs.exe RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Mlpiqqap\AppData\Local\Temp\nsf59E9.tmp\awacs.exe\??\C:\Users\Mlpiqqap\AppData\Local\Temp\nsf59E9.tmp\ RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations *1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old5af52*1\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old5af62*1\??\C:\P RegNtPreCreateKey

Windows API Usage

Category API
Anti Debug
  • IsDebuggerPresent
User Data Access
  • GetComputerNameEx
  • GetUserDefaultLocaleName
  • GetUserObjectInformation
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess
Syscall Use
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationJobObject
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWriteFile
  • UNKNOWN

Shell Command Execution

C:\Users\Mlpiqqap\AppData\Local\Temp\nsf59E9.tmp\Awacs.exe ""
C:\Users\Honjcqtk\AppData\Local\Temp\nsc416A.tmp\Predatory.exe ""
