Win32/Agent.XRR [Threat Name] go to Threat

Win32/Agent.XRR [Threat Variant Name]

Category	trojan
Size	64512 B
Detection created	Dec 05, 2015
Detection database version	12677
Aliases	Trojan.Inject2.57861 (Dr.Web)
	Trojan:Win32/Ruandmel.A!bit (Microsoft)

The trojan serves as a backdoor. It can be controlled remotely.

When executed, the trojan copies itself into the following location:

In order to be executed on every system start, the trojan sets the following Registry entry:

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "Windows Defender " = "%appdata%\Win Defender.exe"

After the installation is complete, the trojan deletes the original executable file.

The trojan terminates its execution if it detects that it's running in a specific virtual environment.

The trojan launches the following processes:

The trojan creates and runs a new thread with its own code within these running processes.

The trojan can create and run a new thread with its own program code within the following processes:

Win32/Agent.XRR is a trojan that steals sensitive information.

The trojan collects the following information:

The trojan attempts to send gathered information to a remote machine.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (2) URLs. The HTTP protocol is used in the communication.

It can execute the following operations:

The trojan hides its presence in the system.

The trojan hooks the following Windows APIs: