HLDASVC.EXE

File Behavior

HLDASVC.EXE has been seen to perform the following behavior:

• The Process is packed and/or encrypted using a software packing process
• Executes a Process
• Enables an In Process Object/Server - Common with DLL Injections
• Writes to another Process's Virtual Memory (Process Hijacking)
• Terminates Processes
• Registers a Dynamic Link Library File
• Enables a COM Object/Server on the Local Machine
• Adds products to the system registry
• This Process uses Anti Dissasembly Tricks to avoid analysis by security products
• The Process is polymorphic and can change its structure
• This Process Contains User Mode Rootkit Functionality and can hide itself from the running process list
• Makes outbound connections to other computers using NETBIOSOUT protocols

HLDASVC.EXE has been the subject of the following behavior:

• Enabled as a COM Object/Server on the Local Machine
• Created as a new Background Service on the machine
• Created as a process on disk
• Executed as a Process
• Has code inserted into its Virtual Memory space by other programs
• Terminated as a Process
• Executed from Temporary Folders
• Deleted as a process from disk