Trojan.Themida.Agent

By CagedTech in Trojans

Threat Scorecard

Popularity Rank: 2,714
Threat Level: 80 % (High)
Infected Computers: 48,998
First Seen: March 24, 2012
Last Seen: March 18, 2026
OS(es) Affected: Windows

File System Details

Trojan.Themida.Agent may create the following file(s):
# File Name MD5 Detections
1. iSeptember21-ousEQ.exe 3a8d643f6533730c16656c5834bda80e 2,051
2. sixhost.exe 487aff306b7f3b6c75ecd508901d95c9 227
3. sys32.exe 5a053f38e1fbd602e3f209554995056c 179
4. ccjtu.exe 660c2bd54eb416f096f73ce45b35ab19 164
5. dwn.exe 91d539c5e4c0651b70e1bcaf77fecb40 138
6. Mule_35.exe 9996cfc532a4b942cbca80526232c0dc 50
7. Logen.exe 8ee2a2c809e55d9423ee8b20d728c4fd 35
8. microwind38.exe fe0f64b7b6f03663591f900c43dfb2ed 9
9. 9697ac07a6b929cb6a1adf905cba60a439f106d4af4cee49ca7212b566800a96 d22eeee62e19a9be5e5c2530f2ee744e 8
10. 09c307eecc3812997ed40330ee9e434c560bd8a480e59ebed50cf0f19e65bc30 a5caf66091b2645896075bfb781460dc 4

Analysis Report

General information

Family Name: Trojan.Themida.Agent
Signature status: No Signature

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has exports table
  • File has TLS information
  • File is 32-bit executable
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Company Name
  • Gavrila Martau
  • Microsoft Corporation
  • mozglue
  • Nero AG
  • ZGN Launcher Updater
File Description
  • Nero Audio Decoder 2
  • Total Uninstall v7.0.0
  • Windows Wireless LAN 802.11 Extensibility Framework
  • WMI Provider Host
  • Zodiac Games Network Premium
File Version
  • 25.17.4684.88
  • 18, 2, 0, 0
  • 18, 0, 1, 23
  • 10.0.26100.5074 (WinBuild.160101.0800)
  • 7.0.0.600
  • 6.1.7600.16385 (win7_rtm.090713-1255)
  • 1.0.0.0
Internal Name
  • Builder.exe
  • libspv
  • wlanext.exe
  • Wmiprvse.exe
Legal Copyright
  • Copyright (c) 2025
  • Copyright 2016 Nero AG and its licensors
  • © Gavrila Martau
  • © Microsoft Corporation. All rights reserved.
  • © ZGN Team
Original Filename
  • Builder.exe
  • libspv.dll
  • NeAudio2.ax
  • wlanext.exe
  • Wmiprvse.exe
Product Name
  • libspv
  • Microsoft® Windows® Operating System
  • Nero Suite
  • Total Uninstall v7.0.0
  • ZGN Premium Ver
Product Version
  • 20.7.4674.85
  • 16.0.0.0
  • 10.0.26100.5074
  • 6.1.7600.16385
  • 1.1.0.0
Program ID
  • 4114014412077

Digital Signatures

| Signer | Root | Status |
| --- | --- | --- |
| PROTECNOLOGY SOFT LTDA | DigiCert Trusted Root G4 | Root Not Trusted |
| Nero AG | Symantec Class 3 SHA256 Code Signing CA | Self Signed |

File Traits

  • 2+ executable sections
  • dll
  • HighEntropy
  • Installer Version
  • No Version Info
  • themida
  • themida section variant
  • x64
  • x86

Block Information

Total Blocks: 4
Potentially Malicious Blocks: 0
Whitelisted Blocks: 3
Unknown Blocks: 1

Visual Map

? 0 0 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • AdjProg.A
  • Babar.AE
  • Bestafera.A
  • BitWall.A
  • Dinwod.E
  • Xtreme.B

Files Modified

File Attributes
\device\namedpipe\gmdasllogger Generic Write,Read Attributes
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\05ddc6aa91765aacacdb0a5f96df8199 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\24bd96d5497f70b3f510a6b53cd43f3e_3a89246fb90c5ee6620004f1ae0eb0ea Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\dde8b1b7e253a9758ec380bd648952af_3a4de8c2e294aa1406667e99022477bb Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\05ddc6aa91765aacacdb0a5f96df8199 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\24bd96d5497f70b3f510a6b53cd43f3e_3a89246fb90c5ee6620004f1ae0eb0ea Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\dde8b1b7e253a9758ec380bd648952af_3a4de8c2e294aa1406667e99022477bb Generic Read,Write Data,Write Attributes,Write extended,Append data

Registry Modifications

Key::Value Data API Name
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\content::cacheprefix RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\cookies::cacheprefix Cookie: RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\history::cacheprefix Visited: RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtClose
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • UNKNOWN
  • win32u.dll!NtUserGetKeyboardLayout
  • win32u.dll!NtUserGetThreadState
Process Shell Execute
  • CreateProcess
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
User Data Access
  • GetUserObjectInformation
Process Manipulation Evasion
  • NtUnmapViewOfSection
Encryption Used
  • BCryptOpenAlgorithmProvider

Shell Command Execution

C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\766de929d21c0a1bf8bf62386ce1c4aca89c9b1c_0006033432.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\1fb3b0bd1f36747588a35273ae6d474233185d8f_0002870096.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\ae9ebf1f1f18aa8205760f3984541a3bd079e694_0002850640.,LiQMAxHB