
Trojan.Agent.XDR

By CagedTech in Trojans

Analysis Report

General information

Family Name: Trojan.Agent.XDR
Signature status: No Signature

Known Samples

MD5: d0b15b32a5ae47378832e3fe757ac3df
SHA1: 6e7f94d529a361d2d6474c0a438316e6eac8dc65
SHA256: 332CE31777BF274F35D4A13F0E292F767EED6CACAB87C6B4B8388D0A28286879
File Size: 91.14 KB, 91136 bytes
MD5: 6cd2d4d9954309124f79df12827697a8
SHA1: 416f5613fbac45b1225e9bc04f7ce17d0e855db9
SHA256: 7CA7E6F3586196AC5093BCB92A601BFDE7EDD23A3D0F90EAA5E8F43E6BEA940F
File Size: 177.66 KB, 177664 bytes
MD5: 2fe5676e83e3d34411a6b712ff0ed715
SHA1: 834b3a18d1983e51c73af343b891912204c0727f
SHA256: EE0BB42696144AC27C9AB27AAD127452211931A195C2303839AF1CBB74A26E01
File Size: 15.87 KB, 15872 bytes
MD5: 774c535c885054d285ece6cc7b252cb1
SHA1: 20504371397cb66bd01351dc76b82f6231291cf5
SHA256: 127A15CBA66E6463FA74E8D38B9194D372266A05B057AB7EB5D6ECE70EA836BE
File Size: 20.99 KB, 20992 bytes
MD5: 95eed7a45fe277ef039288b67f0be6e1
SHA1: bc3a978ba88d14f2bdb4db0e6cd0ea72987898ea
SHA256: 5B3CF2C36D8131BD286E072C7D8E1AC66C9551633B5C4A1296DC4501B10816BB
File Size: 894.98 KB, 894976 bytes
MD5: 3441d4d79dbd3c34c67a05d7624d12c5
SHA1: ad2ec5c82106ac86a9549125e6c2f3c28e0dd43c
SHA256: 3E84E56D9B89A7BFA9EEF5F77033A3BC86C92BA43F5613650B450CF95AD434BF
File Size: 46.59 KB, 46592 bytes
MD5: 0448bd542c6b5b52ea98c7117fd0884c
SHA1: 9e5a509113b2235d20f022bec9662c6b818951e4
SHA256: 8CD1B103C4E5962DCEC3DF4ECCB2D518A04A009725CAE8C4BB6281D060E053B4
File Size: 2.52 MB, 2521088 bytes
MD5: 1c746b5d59cdd0eb71c4ce67b0670c21
SHA1: 9bbe5edc2042cf4e164cd9f272f33c55ba90db93
SHA256: BEC3A8A3F099240B1590D3C4B3A17413D19039113135ED8FFA2158F1340F1407
File Size: 66.05 KB, 66048 bytes
MD5: 7b998a7149f4102944ceec53822a2a14
SHA1: 9d285a2272443ab1032714be997f3cd264564cdd
SHA256: 02EC4F687D56741BDD32D3F3CC3F1D47CEADB17220D1925D450BAC2D4E19B6DE
File Size: 32.77 KB, 32768 bytes
MD5: dc55770339420b0cf92cd92f4d199c5b
SHA1: 77d4dd2ad52d379605ef360fcad3df702cc54c80
SHA256: D4109759C5CA99BA0BA81C4902A471F5A3C5F8BED7B45A3A5B5642495C7E69EA
File Size: 158.72 KB, 158720 bytes
MD5: f37b58c0f093d2bb861bac857aeaf2dd
SHA1: 55d03f1ea00c2e956b86ae3eccf6276513c165e7
SHA256: 1FFF45B92E231940060223027CBA633A57D53A456029B20D739E7D3C7838DF96
File Size: 104.03 KB, 104025 bytes
MD5: f4bb2995db3ce4d37f56b3ddf364982c
SHA1: 9f3a5da89188bd23eb9f7621dec300fc80f3c066
SHA256: 909774EC44C72320633292B6D2D94A543E61191EE145F3120FE7B97B96A97ECC
File Size: 93.70 KB, 93696 bytes
MD5: 059cc87873f664f2bc8e86e94715dedb
SHA1: 4669309469e2eb10852255810a8e8f60e8d8a568
SHA256: 453FFF0A1C61037DA6A79BA44C3FAA13128D8121E30554759C279F28D4533CBC
File Size: 488.96 KB, 488960 bytes
MD5: 6c0ecc4f955e576536e2abb59f3ef776
SHA1: 48faa1cbca9165244ebea158c20fc4ece741e725
SHA256: F14DDFD8EB1FEAAA18A7298F64F83FA042B7056318F342EA1B181C7CAEF69172
File Size: 232.96 KB, 232960 bytes
MD5: bf6eaab64199c91ebf04c1a2e5a607af
SHA1: 38313e5e0a329835912c6b449f38adb962bc9526
SHA256: E1728C949B5DF812632AEB0C4FEFE31FBFBFD60130524850A27CE4EF9E0DEB26
File Size: 361.98 KB, 361984 bytes
MD5: ad5b2ba471f8b7fb36cb829f6f0e8622
SHA1: c48c9225d866ea35cef4c9d09e9ce3a48dc2370a
SHA256: 9829155CAB59ADAC7268949371CEFD3C31171B2AC05BA2BA3D3332B4F55246AA
File Size: 139.78 KB, 139776 bytes
MD5: 3211ddb56f85af4e861943926003a1f0
SHA1: b38898e9af9448c1ef4749d9a5f998b0df52e60a
SHA256: 97FCD098156FE0441BFA9A1D318B653CA1D10600EF035D0A91948DE221E46FD0
File Size: 139.78 KB, 139776 bytes
MD5: d6126e8cbfe0abeac1aafb237e93cf30
SHA1: b1a4d691c7bf727147f7b7d48008807b1ae7dbe8
SHA256: 9B33443CF292353D24A81A11C89FADE6E233A79C6D169ADE22271D908B46DC66
File Size: 361.98 KB, 361984 bytes
MD5: 3b262cf7e8ea810f47453ff918664e44
SHA1: 6175483dd9b25472467f1e3903a554b678ba106c
SHA256: F5B02A080F3342D8CB378828F2833789E7C02A7368EAF6ABBB2714AB157A9372
File Size: 177.66 KB, 177664 bytes
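The hash list above is only useful once it is turned into a sweep. The following is an added example, not part of the report and not the database's own tooling: it parses MD5/SHA1/SHA256 lines in the format printed above, hashes every file under a directory once with all three algorithms, and also flags files carrying the `._cache_` prefix that the Files Modified and Shell Command Execution sections show the sample using for the file it writes next to itself and launches. REPORT_EXCERPT is two entries copied from the list above (the full list parses the same way); the temporary directory, its files and the planted digest in demo() are constructed so the run works offline.

```python
"""Hash-based sweep for the Known Samples listed above (added example, not part of the report)."""
import hashlib
import re
import tempfile
from pathlib import Path

# Excerpt copied from the Known Samples list above; the complete list parses the same way.
REPORT_EXCERPT = """
MD5: d0b15b32a5ae47378832e3fe757ac3df
SHA1: 6e7f94d529a361d2d6474c0a438316e6eac8dc65
SHA256: 332CE31777BF274F35D4A13F0E292F767EED6CACAB87C6B4B8388D0A28286879
File Size: 91.14 KB, 91136 bytes
MD5: 95eed7a45fe277ef039288b67f0be6e1
SHA1: bc3a978ba88d14f2bdb4db0e6cd0ea72987898ea
SHA256: 5B3CF2C36D8131BD286E072C7D8E1AC66C9551633B5C4A1296DC4501B10816BB
File Size: 894.98 KB, 894976 bytes
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256):\s*([0-9a-fA-F]+)\s*$", re.M)


def parse_report_hashes(text: str) -> dict:
    """Collect the report's hashes per algorithm, lower-cased so case never hides a hit."""
    iocs = {"md5": set(), "sha1": set(), "sha256": set()}
    for algo, digest in HASH_LINE.findall(text):
        iocs[algo.lower()].add(digest.lower())
    return iocs


def hash_file(path: Path) -> dict:
    """One pass over the file computing all three digests the report uses."""
    hashers = {a: hashlib.new(a) for a in ("md5", "sha1", "sha256")}
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def sweep(root: Path, iocs: dict) -> list:
    """Return (path, reason) for each file matching a known hash or the ._cache_ naming pattern."""
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        # The report shows the sample writing and launching a "._cache_<original name>" file
        if path.name.startswith("._cache_"):
            hits.append((path, "._cache_ prefixed copy"))
        for algo, digest in hash_file(path).items():
            if digest in iocs[algo]:
                hits.append((path, f"{algo} matches known sample"))
                break
    return hits


def demo() -> list:
    """Constructed scenario: a benign file, a planted 'known sample' and a ._cache_ copy."""
    iocs = parse_report_hashes(REPORT_EXCERPT)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_bytes(b"nothing to see here\n")
        planted = root / "Downloads" / "setup.exe"
        planted.parent.mkdir()
        planted.write_bytes(b"MZ constructed stand-in for a listed sample\n")
        # Plant the stand-in's digest in the IOC set so the offline run produces a hit
        iocs["sha256"].add(hash_file(planted)["sha256"])
        (root / "Downloads" / "._cache_setup.exe").write_bytes(b"MZ copy\n")
        return sorted(reason for _path, reason in sweep(root, iocs))


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

For a real sweep, pass the full report text to parse_report_hashes and the directory to inspect to sweep; hashing with all three algorithms in one read keeps the cost of a large profile directory at a single pass.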

Windows Portable Executable Attributes

The attribute list is the union over every sample above, so mutually exclusive entries (packed and not packed, has and lacks an exports table, .NET and native, console and GUI) describe different samples, not one contradictory file.

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has been packed
  • File has exports table
  • File has TLS information
  • File is .NET application
  • File is 32-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
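Almost every attribute above is a direct read of one header field. The following added example (mine, not the report's tooling) derives the same attributes from IMAGE_FILE_HEADER and IMAGE_OPTIONAL_HEADER with struct alone: bitness from the optional-header magic, DLL/executable from Characteristics, console/GUI from Subsystem, and exports, security (certificate table), relocations, debug, TLS and the CLR runtime header from the data directory table. "File has been packed" is an entropy or signature judgement, not a header field, so the example does not attempt it; the Rich-header check is a byte search between the DOS header and the PE signature and is a heuristic. build_test_pe constructs a header-only image so the code runs offline; it is not a sample from this report and is not loadable.

```python
"""Derive the report's PE attributes from raw headers (added example, not the report's tooling)."""
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002   # IMAGE_FILE_HEADER.Characteristics
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B   # IMAGE_OPTIONAL_HEADER.Magic
IMAGE_SUBSYSTEM_WINDOWS_GUI, IMAGE_SUBSYSTEM_WINDOWS_CUI = 2, 3
# IMAGE_DIRECTORY_ENTRY_* indices into the data directory table
DIRS = {"exports": 0, "security": 4, "relocations": 5, "debug": 6, "tls": 9, "clr": 14}


def pe_attributes(data: bytes) -> dict:
    """Return the header-derived attributes the report lists (packing is not a header field)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    characteristics = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)[6]
    opt = e_lfanew + 24                      # optional header follows the 20-byte file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        count_off, dir_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        count_off, dir_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]   # same offset in PE32 and PE32+
    ndirs = struct.unpack_from("<I", data, count_off)[0]

    def has_dir(index: int) -> bool:
        if index >= ndirs:
            return False
        rva, size = struct.unpack_from("<II", data, dir_off + 8 * index)
        return rva != 0 and size != 0

    attrs = {
        "is_32bit": magic == PE32_MAGIC,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "is_executable_image": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
        "is_gui": subsystem == IMAGE_SUBSYSTEM_WINDOWS_GUI,
        "is_console": subsystem == IMAGE_SUBSYSTEM_WINDOWS_CUI,
        # Heuristic: the Rich header sits between the DOS stub and the PE signature, ending in "Rich"
        "has_rich_header": b"Rich" in data[0x40:e_lfanew],
        "is_dotnet": has_dir(DIRS["clr"]),   # a CLR runtime header means a managed image
    }
    for name, index in DIRS.items():
        if name != "clr":
            attrs["has_" + name] = has_dir(index)
    return attrs


def build_test_pe(*, dll=False, gui=True, dirs=(), rich=False, pe32plus=False) -> bytes:
    """Construct a header-only image for offline testing; not a real sample and not loadable."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    if rich:
        dos[0x50:0x54] = b"Rich"
    opt_size = (112 if pe32plus else 96) + 16 * 8
    characteristics = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if dll else 0)
    file_hdr = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 68, IMAGE_SUBSYSTEM_WINDOWS_GUI if gui else IMAGE_SUBSYSTEM_WINDOWS_CUI)
    count_off, dir_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, count_off, 16)
    for name in dirs:
        struct.pack_into("<II", opt, dir_off + 8 * DIRS[name], 0x1000, 0x40)   # placeholder RVA and size
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    sample = build_test_pe(dll=True, gui=False, dirs=("exports", "tls"), rich=True)
    for key, value in sorted(pe_attributes(sample).items()):
        print(f"{key:22} {value}")
```

On a real file, read it with open(path, "rb").read() and pass the bytes to pe_attributes; a non-zero security directory only says a certificate table is attached, which is why the Digital Signatures section below still has to verify it.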

Windows PE Version Information

Name: Value(s). Several values under one name come from different samples. "TODO: <Company name>", "TODO: <File description>" and "TODO: <Product name>" are the unedited defaults of a Visual Studio version-resource template; the "Synaptics Pointing Device Driver" description is the same string used as the Run-key value name under Registry Modifications below.
Assembly Version 1.0.0.0
Company Name
  • Marcin Szeniak
  • Microsoft
  • Smart Game Booster
  • Steam006
  • Synaptics
  • TODO: <Company name>
File Description
  • BCUninstaller launcher
  • Metal Gear Rising: Revengeance PC Fix
  • NucleusGaming
  • Smart Game Booster
  • Synaptics Pointing Device Driver
  • TODO: <File description>
File Version
  • 11.0.0.599
  • 1.9.3.0
  • 1.2.0.0
  • 1.0.0.4
  • 1.0.0.1
  • 1.0.0.0
Internal Name
  • BCUninstaller.exe
  • crack.dll
  • Metal_Gear_Rising_Revengeance_PCFix
  • Nucleus.Gaming.dll
  • Temperature.dll
Legal Copyright
  • Copyright (C) 2022
  • Copyright (C) 2023
  • Copyright © Microsoft 2012
  • Steam006
  • © Smart Game Booster. All rights reserved.
Legal Trademarks
  • Smart Game Booster
Original Filename
  • BCUninstaller.exe
  • crack.dll
  • Metal_Gear_Rising_Revengeance_PCFix.dll
  • Nucleus.Gaming.dll
  • Temperature.dll
Product Name
  • BCUninstaller launcher
  • Metal Gear Rising: Revengeance PC Fix
  • NucleusGaming
  • Smart Game Booster
  • Synaptics Pointing Device Driver
  • TODO: <Product name>
Product Version
  • 5.2
  • 1.9.3.0
  • 1.2.0.0
  • 1.0.0.1
  • 1.0.0.0

Digital Signatures

Signer: ORANGE VIEW LIMITED
Root: DigiCert High Assurance EV Root CA
Status: Hash Mismatch

Hash Mismatch means an Authenticode signature is embedded and chains to the DigiCert EV root, but the hash it signs does not match the file's current contents: the binary was modified after it was signed. A signature in this state gives no integrity assurance; Get-AuthenticodeSignature reports it as HashMismatch rather than Valid.

File Traits

  • Default Version Info
  • dll
  • fptable
  • HighEntropy
  • imgui
  • Installer Version
  • packed
  • WriteProcessMemory
  • x86

Block Information

Total Blocks: 715
Potentially Malicious Blocks: 21
Whitelisted Blocks: 653
Unknown Blocks: 41

Visual Map

x x 0 x 0 x 0 x x 0 x x x x x x ? x 0 ? x 0 0 0 0 0 0 0 0 0 0 0 x ? x ? ? 0 ? ? ? ? ? x ? 2 2 2 ? ? ? ? 0 ? ? ? ? 0 ? ? ? ? ? ? ? ? ? ? ? 0 0 ? ? ? ? ? 0 ? ? ? ? ? ? 0 0 0 2 0 0 0 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 1 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 x 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 2 2 0 2 2 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 2 0 3 1 1 0 1 1 0 1 0 1 2 0 0 0 0 0 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Agent.FDV
  • Agent.XDR
  • ClipBanker.PI
  • Ekstak.AN
  • IRCBot.LM
  • Kryptik.AFA
  • Kryptik.CBAC
  • Kryptik.GSJ
  • Kryptik.MNA
  • Mint.B
  • Rugmi.FC
  • Trojan.Agent.Gen.AJO
  • Trojan.Agent.Gen.AYV
  • Trojan.Agent.Gen.AZG
  • Trojan.Agent.Gen.BCE
  • Trojan.Agent.Gen.DV
  • Trojan.Agent.Gen.SM
  • Trojan.Agent.Gen.XG
  • Trojan.ShellcodeRunner.Gen.AK

Files Modified

File   [Access requested]
\device\namedpipe\gmdasllogger   [Generic Write, Read Attributes]
c:\programdata\synaptics   [Synchronize, Write Attributes]
c:\programdata\synaptics\rcx6c33.tmp   [Generic Read, Write Data, Write Attributes, Write extended, Append data]
c:\programdata\synaptics\synaptics.exe   [Generic Read, Write Data, Write Attributes, Write extended, Append data, Delete, LEFT 262144]
c:\programdata\synaptics\synaptics.exe   [Synchronize, Write Attributes]
c:\programdata\synaptics\synaptics.exe   [Synchronize, Write Data]
c:\users\user\appdata\local\temp\o17gx6r.ini   [Generic Read, Write Data, Write Attributes, Write extended, Append data]
c:\users\user\appdata\roaming\winsl   [Synchronize, Write Attributes]
c:\users\user\appdata\roaming\winsl\l12\20\2025   [Generic Read, Write Data, Write Attributes, Write extended, Append data]
c:\users\user\downloads\._cache_bc3a978ba88d14f2bdb4db0e6cd0ea72987898ea_0000894976   [Generic Read, Write Data, Write Attributes, Write extended, Append data]
c:\users\user\downloads\._cache_bc3a978ba88d14f2bdb4db0e6cd0ea72987898ea_0000894976   [Synchronize, Write Attributes]

Two artifacts here are worth hunting for directly: C:\ProgramData\Synaptics\Synaptics.exe, staged through rcx6c33.tmp in the same directory and then registered for persistence (see Registry Modifications), and a file named after the executing sample with a ._cache_ prefix, written beside it in Downloads and afterwards launched with the runas verb (see Shell Command Execution).

Registry Modifications

Key::Value  =  Data   (API Name)
HKCU\software\microsoft\windows\currentversion\explorer::slowcontextmenuentries   (RegNtPreCreateKey)
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75   (RegNtPreCreateKey)
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475   (RegNtPreCreateKey)
HKLM\software\wow6432node\microsoft\windows\currentversion\run::synaptics pointing device driver  =  C:\ProgramData\Synaptics\Synaptics.exe   (RegNtPreCreateKey)
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass   (RegNtPreCreateKey)
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname   (RegNtPreCreateKey)
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet   (RegNtPreCreateKey)
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect   (RegNtPreCreateKey)

Rows that the original listing repeated verbatim (the same key, value and API recorded for several samples) are collapsed above. The Run-key entry is the persistence mechanism: a 32-bit process writing HKLM\Software\Microsoft\Windows\CurrentVersion\Run is redirected to WOW6432Node, the value name borrows the Synaptics driver's product name, and the data points to C:\ProgramData\Synaptics\Synaptics.exe, the file the Files Modified section shows being written. Vendor driver software is not installed under ProgramData, so that value name together with that path is a reliable hunting pair. The ZoneMap values are WinINet security-zone settings, consistent with the WinINet imports listed under Windows API Usage.

Windows API Usage

Imports are grouped by the report's own categories. NtCreateSection, NtMapViewOfSection, NtWriteVirtualMemory and NtUnmapViewOfSection, together with the WriteProcessMemory trait listed under File Traits, are the API set commonly seen in process injection and hollowing; the report's own Process Manipulation Evasion category below points at the same thing.

Category: APIs
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • UNKNOWN
  • win32u.dll!NtUserGetKeyboardLayout
  • win32u.dll!NtUserGetThreadState
Process Shell Execute
  • CreateProcess
  • ShellExecuteEx
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
Process Manipulation Evasion
  • NtUnmapViewOfSection
Service Control
  • OpenSCManager
Network Winsock2
  • WSAStartup
  • WSAttemptAutodialName
User Data Access
  • GetUserObjectInformation
Network Winhttp
  • WinHttpOpen
Network Wininet
  • InternetOpen
  • InternetOpenUrl
  • InternetReadFile
Network Winsock
  • bind
  • closesocket
  • gethostbyname
  • getsockname
  • socket
Keyboard Access
  • GetKeyState

Shell Command Execution

Each line gives the image that actually ran followed by the command line it was started with. The sandbox stores samples without an extension, so the rundll32 command lines end the module name with a trailing dot (which stops LoadLibrary from appending .dll) and then name the export to call, LiQMAxHB. The command line asks for C:\WINDOWS\system32\rundll32.exe, but the image is C:\WINDOWS\SysWOW64\rundll32.exe because a 32-bit caller is subject to WOW64 file-system redirection. The two runas lines are ShellExecuteEx calls with the runas verb, which triggers a UAC elevation prompt; the second one starts the dropped Synaptics.exe with the argument InjUpdate.

C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\6e7f94d529a361d2d6474c0a438316e6eac8dc65_0000091136.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\416f5613fbac45b1225e9bc04f7ce17d0e855db9_0000177664.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\834b3a18d1983e51c73af343b891912204c0727f_0000015872.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\20504371397cb66bd01351dc76b82f6231291cf5_0000020992.,LiQMAxHB
runas c:\users\user\downloads\._cache_bc3a978ba88d14f2bdb4db0e6cd0ea72987898ea_0000894976
runas C:\ProgramData\Synaptics\Synaptics.exe InjUpdate
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\ad2ec5c82106ac86a9549125e6c2f3c28e0dd43c_0000046592.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\9bbe5edc2042cf4e164cd9f272f33c55ba90db93_0000066048.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\9d285a2272443ab1032714be997f3cd264564cdd_0000032768.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\77d4dd2ad52d379605ef360fcad3df702cc54c80_0000158720.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\9f3a5da89188bd23eb9f7621dec300fc80f3c066_0000093696.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\4669309469e2eb10852255810a8e8f60e8d8a568_0000488960.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\48faa1cbca9165244ebea158c20fc4ece741e725_0000232960.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\c48c9225d866ea35cef4c9d09e9ce3a48dc2370a_0000139776.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\b38898e9af9448c1ef4749d9a5f998b0df52e60a_0000139776.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\6175483dd9b25472467f1e3903a554b678ba106c_0000177664.,LiQMAxHB
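The Files Modified, Registry Modifications and Shell Command Execution sections translate into four host-triage rules: rundll32 loading a module from a user-writable path, a Run-key value whose data points into ProgramData or a user profile, an executable written under ProgramData, and a ._cache_-prefixed file being written. The following added example (not from the report) encodes them over a constructed event list. The Event class, the USER_WRITABLE and RUN_KEY patterns, parse_rundll32 and triage are all mine; the event strings are copied from the report above, with a stock shell32 rundll32 line, a ZoneMap write and a Temp .ini write included as benign controls.

```python
"""Host-triage rules derived from the behavioural sections above (added example, not the report's)."""
import re
from dataclasses import dataclass

# Paths a standard user can write to; vendor driver software does not live here
USER_WRITABLE = re.compile(r"^[a-z]:\\(users\\[^\\]+\\(downloads|appdata)|programdata)\\", re.I)
RUN_KEY = re.compile(r"\\software\\(wow6432node\\)?microsoft\\windows\\currentversion\\run", re.I)


@dataclass
class Event:
    kind: str        # "process" (command line), "registry" (key::value) or "file" (path written)
    detail: str
    data: str = ""   # registry value data; unused for the other kinds


def parse_rundll32(cmdline: str):
    """Return (module path, export) from a rundll32 command line, or None if it is not one."""
    if "rundll32" not in cmdline.lower():
        return None
    arg = next((t for t in cmdline.split() if "," in t), None)   # the "<module>,<export>" argument
    if arg is None:
        return None
    module, _, export = arg.rpartition(",")
    # The report's lines end the module name with "." so LoadLibrary does not append ".dll"
    return module.rstrip("."), export


def triage(events):
    """Evaluate every event against the four rules; returns human-readable findings."""
    findings = []
    for ev in events:
        if ev.kind == "process":
            parsed = parse_rundll32(ev.detail)
            if parsed and USER_WRITABLE.match(parsed[0]):
                findings.append(f"rundll32 loads {parsed[0]} from a user-writable path, export {parsed[1]}")
        elif ev.kind == "registry":
            if RUN_KEY.search(ev.detail) and USER_WRITABLE.match(ev.data):
                findings.append(f"Run-key persistence: {ev.detail} -> {ev.data}")
        elif ev.kind == "file":
            name = ev.detail.rsplit("\\", 1)[-1].lower()
            if name.startswith("._cache_"):
                findings.append(f"._cache_-prefixed file written: {ev.detail}")
            elif ev.detail.lower().startswith("c:\\programdata\\") and name.endswith(".exe"):
                findings.append(f"executable written under ProgramData: {ev.detail}")
    return findings


# Constructed event list: strings copied from the report above plus benign controls
SAMPLE_EVENTS = [
    Event("process", r"C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\6e7f94d529a361d2d6474c0a438316e6eac8dc65_0000091136.,LiQMAxHB"),
    Event("process", r"C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\shell32.dll,Control_RunDLL"),
    Event("registry", r"HKLM\software\wow6432node\microsoft\windows\currentversion\run::synaptics pointing device driver",
          r"C:\ProgramData\Synaptics\Synaptics.exe"),
    Event("registry", r"HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect", "1"),
    Event("file", r"c:\programdata\synaptics\synaptics.exe"),
    Event("file", r"c:\users\user\downloads\._cache_bc3a978ba88d14f2bdb4db0e6cd0ea72987898ea_0000894976"),
    Event("file", r"c:\users\user\appdata\local\temp\o17gx6r.ini"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Feeding real Sysmon or EDR events into Event is a one-line mapping per event type; the rundll32 rule on its own is noisy on hosts that legitimately run DLLs from AppData, so in practice it is the combination with the Run-key and ProgramData rules that is worth alerting on.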
