Multi-License Discount Quote

Change Region

English
Threat Database Trojans Trojan.Downloader.Agent.BTF

Trojan.Downloader.Agent.BTF

By CagedTech in Trojans

Threat Scorecard

Popularity Rank: 5,037
Threat Level: 80 % (High)
Infected Computers: 146
First Seen: August 18, 2023
Last Seen: April 14, 2026
OS(es) Affected: Windows

Analysis Report

General information

Family Name: Trojan.Downloader.Agent.BTF
Signature status: No Signature

Known Samples

MD5: 0a2fcfd25664e2ef431729cbd4aa97e3
SHA1: c351e07dc5407821f7e2702a6720b844df6589d0
SHA256: ED6B98D968819A2813C03531204D0B4792B97D407EBEFA29A27432723F4DB09C
File Size: 5.95 MB, 5948928 bytes
MD5: 5514226480508157273ecb6f2e8cee66
SHA1: fbb6898c3b4b27528bdace4db93480dd350624fc
SHA256: 32B9E18956B8760CCE9B64F8D37BBBF61417834D5AD1FC8E533DB13911F75131
File Size: 445.44 KB, 445440 bytes
MD5: 73cf2632f5c3984520a8f352ca417969
SHA1: ad71a60834eb3cd0110030bfc49b756d7cc18aa7
SHA256: E20AF320EEE235BD8CF4311F87BA5489E23DC63A7491E272AE0AB7493525C966
File Size: 1.08 MB, 1076224 bytes
MD5: c4e02e4f50920e7d543e26881fabab7c
SHA1: b0166c0ab9dfef90cf58a1fe573f727780c5b590
SHA256: FAAD4C6E56D0FD28530DA18A926D7AD12F9707956E8C94319BF773E9BDAEFB7E
File Size: 4.72 MB, 4723200 bytes
MD5: 4fce17a363dfe8b3de863c31b0ead05a
SHA1: 85445ceca1f3abc1ca8cb69f09d9d96b5a4239a3
SHA256: 7C4A3F07A620244080E5FFA2DB23D2A5BFBD2444EA24ED25E186588DC1021237
File Size: 1.41 MB, 1406976 bytes
Show More
MD5: 76731c61ba1697242a0dc0f9c323c625
SHA1: 66fad53dd58b71aac34b4bbe95c57bfb5cd3d01d
SHA256: D21038083EDC69342F9E91C406FBECB70A4B5BF7F51FD0BB817851FA8CB0D0C9
File Size: 6.07 MB, 6069248 bytes
MD5: 1b8b1b87a135ef4ca9df7c7e14ab289e
SHA1: 6440d8d20d914172f3b30073bae7b286482fbd99
SHA256: 243506F7358B49B89F1FA0368891288A6734106A098A18784517F5F68F21E876
File Size: 3.59 MB, 3591680 bytes
MD5: 5e1d69971ae8d9ecec625b6d3657bbf2
SHA1: 16ec23ad09a8caee0c24c89a52db71e892cd9a9a
SHA256: BC46E4DA769D94C0C91A9411884BDD8D6B8DDE08592332AA6CD4B1B8A7ACC51B
File Size: 6.33 MB, 6333440 bytes
MD5: 505d56207465c766d76ed52290c3f87f
SHA1: 64c503fca033560047094460d584ff8fad8d1df0
SHA256: 550AD2585B0767BD393B42AE510C6FFE021A8FCBA49D9E06E2C606EB74E6BD50
File Size: 9.38 MB, 9384960 bytes
MD5: 357e0f67625a226d36efa8bcb895c0cc
SHA1: 1c6bb577e7f89584e47e67957a59440695ace37b
SHA256: D6188BCBF8CEB53F7CA40B46E6676BD5B56ECAFE6E3792372B0F3A2CAFA8C62B
File Size: 9.39 MB, 9385984 bytes
MD5: 7717bfa01cd68710b67145647a9d6658
SHA1: 9a9b035cfa3f7ce255647638f67312af1e671fa6
SHA256: B0F56314A59F5FF4A9C0BB8BB480A9CED0BA755710CEAC34AA8C850083025B8D
File Size: 3.21 MB, 3214336 bytes
MD5: fd8ba382799b8b72e5cb17fbd2aec501
SHA1: 407e9a77106c39f069b5a66f7f828bb6425d4164
SHA256: 9A36AC63FA47D44447E9A3331011B9C524B4003B6E53FA5D876227FD5CD9592B
File Size: 4.66 MB, 4657664 bytes
MD5: 3fde25e9e9995285b8d20fc23c48c613
SHA1: d6c231778a992159308941496ccc3f3d7105dc65
SHA256: A3D933F0611B89C60089482D5E6DB7488BDEEDC403778C51FDB7BC33AC8C2407
File Size: 9.63 MB, 9626112 bytes
MD5: 071903e6a813fad999160a67be2bb6a8
SHA1: 8fccf1aa2eaee90174d332394dac4c92bd4b61f0
SHA256: E83AA4595E34DD80CC8890364E5C65BFCFB8B1E885A367D148E98EF57041A00F
File Size: 1.08 MB, 1080469 bytes
MD5: 56f18224085fd262308b469d15ea2352
SHA1: c6e67f9d797e4d98ea47e5079f9ffa80b30da219
SHA256: A41074EAA1C63472FD0C64CF30400348FFB4143F39263339734172E429112A11
File Size: 4.61 MB, 4608000 bytes
MD5: 7cafd53788ebc0a7f4b09c84ffde04e1
SHA1: 6777c085a2829fa0a59f99607014b9a2442bd910
SHA256: 2130AE4F969582512ABADA43824B158EDD0903E9472D24B1930F2677E98DE20E
File Size: 1.03 MB, 1027584 bytes
MD5: bfc7584f1c8cd9aa01e6d00c3ebecea7
SHA1: 69dde4c90416dfd3cee55adde06cbbedd94c6dcc
SHA256: E5CDB7814AA133F870D0F834568B78A4DB13701680380EAED7769ED00FB45523
File Size: 1.05 MB, 1052160 bytes
MD5: bc8eab3d5858d52c25c74dd4016f767c
SHA1: eb91e30bda2cd335d778730470cfddaf85b93e6d
SHA256: 1AD2E058FA4EE931A8373CF206A098AFF0E9B1480E6BFCFB4DBFA36292808CA5
File Size: 3.12 MB, 3115520 bytes
MD5: 424f96be74dca6dcc88ce108313f13f2
SHA1: 84271467555e6df745aabcdb594fff68f31cacb2
SHA256: B1B508C1D719969A9E537C587DFAC62B98D109E68571F1B04BDCCB2BBEEB6C66
File Size: 1.11 MB, 1106944 bytes
MD5: 41d3cfd55dd1157be4374003c687c07a
SHA1: 6e44baacd5e6bc2cbd8981439e7b73fc00192c71
SHA256: 5417BD83A4389A743FFAEFDB0318284788FD70B9E0A4DDBC3BFB9FC4FD375A48
File Size: 580.10 KB, 580096 bytes
MD5: 201bf6483b763e6dd2c41dfdf3974df6
SHA1: 7ffef12acb1638daf0fdd94e373aa4e5efb03087
SHA256: 582032DD5303F2293AE37F1D1E9A49245FFBDBD0C750409E53B238ADB4F1D16A
File Size: 1.03 MB, 1030656 bytes
MD5: 57e86111de805879b9659913c0a763ae
SHA1: 93ba48dd032fa0be9b75edcc3f51cc6b7bb0c81f
SHA256: C32D62DA66EBBCB9BA5FCDF7634B4C75B47D685BC72F99EB1B4D45FDFD6BCE7D
File Size: 6.03 MB, 6034944 bytes
MD5: 6e3b04e6c8174107b5a69ef6712e0c08
SHA1: cbe59b7191568680c4bf488ff6c8f97d10bd28d1
SHA256: ABA1BF0F4A5CD0C2788ADE2E4E19BBE309EF008B101CF0C8D79381ADEEE824B2
File Size: 2.69 MB, 2685440 bytes
MD5: 6cd44f8a6ad8884bf4054e063b15f4d9
SHA1: 4b14f5cbe7ec9312190bfbf1a5ddbbbf0a80a335
SHA256: FCB46F5149AA25F38660223A82C0715E7809D2873DDC320BDA9089C58A58CC21
File Size: 1.07 MB, 1074688 bytes
MD5: ad7f7de5c17ea3547255fc3c89e98a6b
SHA1: 897e4c548746d82f6acdb0d70ba04675ba0ca6b2
SHA256: 826D4B1F2D9A1F5A21F573D9C55501D8E95A1F65C7177929DBBBE38D03FE2A4E
File Size: 3.33 MB, 3334144 bytes
MD5: 41720d63abff4af6400d13ee5b09de81
SHA1: 17674a0acfda58df0253b30ded467c81f021b7c0
SHA256: 99AFEA779A92265F41788BF94F60E312038F890418F1D55ADE74CDE3F4FB0279
File Size: 7.40 MB, 7398912 bytes
MD5: bcb6abbc52f80cda697425fcd1e4d59e
SHA1: 0eb65d862dc465deb64cdf65382956edbf5a2a96
SHA256: 7308C6BEC5F497D9DB50EC9D0DF96BA05D2A4CA485EFA6EB6F6DF0BE1D79D939
File Size: 5.81 MB, 5810176 bytes
MD5: b00091379d6e862e509c51d73ee8046e
SHA1: c6677b9cd7b61d494071cc1e35deaa0513a3f6d4
SHA256: E26AC86A828458C413F9E808A238ED9BD417A05A106EF42B14F94B0D0EB142E3
File Size: 2.29 MB, 2285568 bytes
MD5: ef7b6de3d0fb6c23599012f8d075bbd5
SHA1: ce272337d12b72c0202b4862f66116a1d579aa2b
SHA256: 5FA727C9FBD4D8BADCC44B762D9B094A636AD917AB6176C1F98EBE46A314BE29
File Size: 7.10 MB, 7104000 bytes
MD5: 5e78e8c3f1281212c6d15cbd8c257598
SHA1: 87739fb6818625ba35ba22d84f1b0dc026948d15
SHA256: CD51C21CF8333CF98DA1B03AA58DB79B439D0E9360B1AC32DCE20D5AA2B498F4
File Size: 7.37 MB, 7369728 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has been packed
  • File has exports table
  • File has TLS information
  • File is 32-bit executable
  • File is 64-bit executable
Show More
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name Value
File Version 1.00
Internal Name TJprojMain
Original Filename TJprojMain.exe
Product Name Project1
Product Version 1.00

File Traits

  • 2+ executable sections
  • dll
  • GetConsoleWindow
  • HighEntropy
  • imgui
  • No Version Info
  • ntdll
  • packed
  • VirtualQueryEx
  • WriteProcessMemory
Show More
  • x64

Block Information

Total Blocks: 4,638
Potentially Malicious Blocks: 322
Whitelisted Blocks: 4,117
Unknown Blocks: 199

Visual Map

0 0 ? 0 0 0 0 0 0 0 0 0 x ? x x 0 x x x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 ? 0 0 0 0 0 0 0 0 0 1 0 0 ? 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 x ? ? 0 0 0 0 ? 0 0 0 0 1 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 ? 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 1 0 0 0 ? 0 ? 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 ? 0 0 0 0 0 0 1 0 0 1 0 1 0 0 0 0 0 0 0 0 0 ? 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? x x ? 0 ? ? 0 0 ? ? 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 x 0 0 0 0 0 0 0 ? 0 0 1 0 0 0 0 1 0 0 1 0 x 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 x x ? x 0 ? ? ? 0 ? ? ? ? 0 0 ? ? ? ? ? ? 0 ? 0 ? ? 0 ? ? 0 ? 0 0 0 0 0 x 0 0 0 x 0 x 0 x 1 x 0 0 0 0 x ? 0 0 x 0 ? ? ? ? ? ? ? ? ? ? ? ? x ? 0 ? ? ? ? ? 0 0 0 0 0 0 0 0 0 0 x 0 0 x 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 x x x 0 x 0 0 0 0 0 0 0 0 0 x x 0 0 x 0 0 0 x 0 0 x 0 0 0 0 0 0 0 x 0 0 0 x 0 0 x 0 0 0 0 0 0 0 x 0 x 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 x 0 x 0 0 0 0 0 0 0 ? 0 x 0 1 0 0 0 0 0 0 x x 0 0 0 0 0 0 0 x x 0 0 0 x x x 0 0 0 0 0 0 x 0 x 0 x 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 x x x x x 0 0 0 x 0 0 x x x 0 x 1 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 1 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 x 0 0 x 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 0 0 0 1 0 0 1 x 0 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 x 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 x 0 0 ? 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 x 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 x x 0 0 0 0 ? ? 0 0 x x 0 0 0 0 x 0 0 0 x x x x 0 x 0 0 0 x 0 0 0 0 ? ? 0 x 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 x 0 x x 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? 0 ? ? ? ? 0 ? 0 0 0 0 ? 0 0 0 0 ? 0 0 ? 0 x ? x x x x 0 0 x 0 0 0 0 0 0 0 0 x x x x 0 x x 0 x 0 x x x 0 x 0 0 x 0 ? x x ? 0 0 0 0 x 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 x 0 x 0 0 0 x x 0 x 0 0 0 x x 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 1 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 1 0 x x 0 x x 1 0 0 x 0 x ? ? ? ? 0 ? ? 0 0 0 0 0 0 0 ? ? ? 0 0 ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 x 0 ? x 0 ? ? ? ? ? ? ? ? 0 ? ? ? 0 0 0 0 0 0 0 0 0 0 0 ? x x ? ? 0 x x x x x x 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 ? x 0 0 0 0 0 0 ? 0 ? ? ? ? ? ? 0 ? ? ? ? ? ? ? ? 0 0 0 0 0 0 0 ? x ? 0 ? ? ? ? 0 ? ? 0 ? ? ? ? ? ? ? ? 0 ? 0 x ? ? ? 0 x ? ? 0 ? ? ? 0 ? ? ? 0 ? ? 0 ? 0 x x 0 0 0 0 ? 0 0 0 0 0 ? 0 x 0 x x 0 0 0 0 0 0 0 x 0 ? ? 0 x 0 ? ? 0 x 0 ? x 0 0 0 0 ? 0 ? 0 0 0 0 ? 0 0 0 0 ? 0 0 0 0 ? 0 0 0 0 0 0 0 x 0 ? 0 0 0 ? ? 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 1 0 0 ? 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? 0 0 x 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 ? 0 0 x 0 0 0 0 ? 0 0 0 ? 0 0 0 0 0 0 0 x 0 0 x
... Data truncated
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Agent.GBG
  • Agent.KFR
  • Agent.UTA
  • Agent.ZFBJ
  • Agent.ZFKD
Show More
  • CsgoInjector.FB
  • Downloader.Agent.BTF
  • Downloader.Agent.BTW
  • Gamehack.EBB
  • Gamehack.GACI
  • Gamehack.GAII
  • Gamehack.GDDG
  • Gamehack.GDDH
  • Gamehack.GSH
  • Gamehack.GYF
  • Gamehack.PSA
  • Injector.KFSC
  • Kryptik.EFJ
  • Kryptik.FSJ
  • Kryptik.KBBI
  • Trojan.Agent.Gen.RD
  • Trojan.Downloader.Gen.KB

Files Modified

File Attributes
\device\namedpipe Generic Read,Write Attributes
\device\namedpipe Generic Write,Read Attributes
c:\users\user\downloads\16h8k3gihmmkc.exe Synchronize,Write Data

Registry Modifications

Key::Value Data API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe ᠻ둽濡ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 楠盽碈ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe ᧳眎碈ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 웅傛꘦ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 톬밪ꌖǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 隞밯ꌖǜ RegNtPreCreateKey
HKLM\software\microsoft\cryptography\oid\encodingtype 0\cryptdllfindoidinfo\1.3.6.1.4.1.311.60.3.1!7::name szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION RegNtPreCreateKey
HKLM\software\microsoft\cryptography\oid\encodingtype 0\cryptdllfindoidinfo\1.3.6.1.4.1.311.60.3.2!7::name szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION RegNtPreCreateKey
HKLM\software\microsoft\cryptography\oid\encodingtype 0\cryptdllfindoidinfo\1.3.6.1.4.1.311.60.3.3!7::name szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL RegNtPreCreateKey
Show More
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe R봽ꌖǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 犁ڋ꜇ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 蜧ڞ꜇ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 깎ڥ꜇ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe ︳ڳ꜇ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 萉ڽ꜇ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 퍰ۋ꜇ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 䘕܀꜇ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe ܐ꜇ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 䘡ࢦ꜇ǜ RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAccessCheckByType
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAllocateReserveObject
  • ntdll.dll!NtAlpcAcceptConnectPort
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreatePort
  • ntdll.dll!NtAlpcCreateSecurityContext
Show More
  • ntdll.dll!NtAlpcDeleteSecurityContext
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtAlpcSetInformation
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtCompareSigningLevels
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateNamedPipeFile
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateUserProcess
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFindAtom
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtGetCachedSigningLevel
  • ntdll.dll!NtGetCompleteWnfStateSubscription
  • ntdll.dll!NtGetContextThread
  • ntdll.dll!NtImpersonateAnonymousToken
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenMutant
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRemoveIoCompletionEx
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationObject
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetIoCompletionEx
  • ntdll.dll!NtSetSecurityObject
  • ntdll.dll!NtSetThreadExecutionState

19 additional items are not displayed above.

Process Shell Execute
  • CreateProcess
  • WinExec
Anti Debug
  • CheckRemoteDebuggerPresent
  • IsDebuggerPresent
Process Manipulation Evasion
  • NtUnmapViewOfSection
Other Suspicious
  • AdjustTokenPrivileges
  • SetWindowsHookEx
User Data Access
  • GetComputerName
  • GetComputerNameEx
  • GetUserObjectInformation
Keyboard Access
  • GetAsyncKeyState
Network Winsock2
  • WSAStartup
Network Winsock
  • accept
  • bind
  • closesocket
  • connect
  • getsockname
  • recv
  • send
  • setsockopt
  • socket

Shell Command Execution

C:\WINDOWS\system32\taskkill.exe taskkill /f /im procexp.exe
C:\WINDOWS\system32\certutil.exe certutil -hashfile "c:\users\user\downloads\6e44baacd5e6bc2cbd8981439e7b73fc00192c71_0000580096" MD5
C:\WINDOWS\system32\find.exe find /i /v "md5"
C:\WINDOWS\system32\find.exe find /i /v "certutil"
C:\WINDOWS\system32\taskkill.exe taskkill /f /im procexp64.exe
Show More
C:\WINDOWS\system32\taskkill.exe taskkill /f /im HTTPDebuggerUI.exe
cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
C:\WINDOWS\system32\taskkill.exe taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
C:\WINDOWS\system32\taskkill.exe taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
C:\WINDOWS\system32\taskkill.exe taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
C:\WINDOWS\system32\sc.exe sc stop HTTPDebuggerPro
C:\WINDOWS\system32\taskkill.exe taskkill /IM HTTPDebuggerSvc.exe /F
C:\WINDOWS\system32\certutil.exe certutil -hashfile "c:\users\user\downloads\7ffef12acb1638daf0fdd94e373aa4e5efb03087_0001030656" MD5

Trending

Most Viewed

Loading...