PUP.Coiner

Analysis Report

General information

Family Name: PUP.Coiner
Signature status: Root Not Trusted

Known Samples


Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have resources
  • File doesn't have security information
  • File has been packed
  • File has exports table
  • File has TLS information
  • File is .NET application
  • File is 32-bit executable
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Assembly Version
  • 8.0.22.0
  • 1.91.0.0
  • 1.72.2.0
  • 1.39.3.0
  • 1.0.0.0
  • 0.26.0.0
  • 0.10.11.0
Comments GamerHash AI
Company Name
  • C-Axe Sp. z o.o.
  • Michael Kunz
  • MP.CryptoDredge
  • MP.GMiner
  • Riverbed Technology, Inc.
  • Zelcore Technologies Inc.
File Description
  • GamerHash
  • GamerHash AI
  • MP.CryptoDredge
  • MP.GMiner
  • Nvml for managedCuda
  • packet.dll (Vista) Dynamic Link Library
  • Zelcore Platform
File Version
  • 8.0.22
  • 6.0.0
  • 5.21.1
  • 5.19.4
  • 5.4.1
  • 4.1.0.2980
  • 1.91.0
  • 1.72.2
  • 1.39.3
  • 1.0.0.0
  • 0.26.0
  • 0.10.11
Internal Name
  • GamerHash.exe
  • GamerHashAI.dll
  • ManagedNvml.dll
  • MP.CryptoDredge.dll
  • MP.GMiner.dll
  • packet.dll
Legal Copyright
  • Copyright © 2010-2013 Riverbed Technology, Inc. Copyright © 2005-2010 CACE Technologies. Copyright © 1999-2005 NetGroup, Politecnico di Torino.
  • Copyright © 2021 Zelcore Technologies Inc.
  • Copyright © 2022 Zelcore Technologies Inc.
  • Copyright © C-Axe Sp. z o.o. 2024
  • Copyright © C-Axe Sp. z o.o. 2025
  • Copyright © CoinAxe Sp. z o.o. 2022
  • Copyright © GamerHash 2020
  • Copyright © Michael Kunz 2016
Original Filename
  • GamerHash.exe
  • GamerHashAI.dll
  • ManagedNvml.dll
  • MP.CryptoDredge.dll
  • MP.GMiner.dll
  • packet.dll
Product Name
  • GamerHash
  • GamerHash AI
  • MP.CryptoDredge
  • MP.GMiner
  • Nvml for managedCuda
  • WinPcap
  • ZelCore
Product Version
  • 8.0.22
  • 6.0.0
  • 5.21.1
  • 5.19.4
  • 5.4.1
  • 4.1.0.2980
  • 1.91.0
  • 1.72.2
  • 1.39.3
  • 1.0.0
  • 0.26.0+ac539a985a109eb37827bc371bbc161f0cd54215
  • 0.10.11+177828743529987aadea2783f1ab6e938d29d1b4

Digital Signatures

Signer Root Status
pueev OÜ AAA Certificate Services Root Not Trusted
CoinAxe sp. z o.o. Certum Extended Validation Code Signing CA SHA2 Self Signed
CoinAxe sp. z o.o. Certum Trusted Network CA 2 Root Not Trusted
Zelcore Technologies Inc. SSL.com Root Certification Authority RSA Root Not Trusted
Kairos Collective, Inc. Sectigo Public Code Signing Root R46 Root Not Trusted

File Traits

  • .NET
  • dll
  • HighEntropy
  • Installer Manifest
  • No Version Info
  • Nullsoft Installer
  • packed
  • x64
  • x86

Block Information

Total Blocks: 1,670
Potentially Malicious Blocks: 26
Whitelisted Blocks: 946
Unknown Blocks: 698

Visual Map

[Per-block visual map of the 1,670 analysed blocks not reproduced here. Legend: 0 = probable safe block, ? = unknown block, x = potentially malicious block]

Similar Families

  • Agent.JA
  • Agent.LA
  • Bitcoinminer.CBA
  • Bitcoinminer.E
  • Brute.BHA
  • Chapak.HBX
  • CobaltStrike.GI
  • CobaltStrike.GIA
  • Coinminer.EB
  • Coinminer.G
  • Downloader.Agent.BTH
  • Downloader.Agent.BTO
  • Downloader.Agent.BTP
  • MSILZilla.TC
  • NukeSped.XB
  • Rozena.H
  • Trojan.Agent.Gen.VN

Files Modified

File Attributes
\device\namedpipe Generic Read,Write Attributes
\device\namedpipe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsoe58c.tmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsoe58c.tmp\nsexec.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsoe58c.tmp\nsexec.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsoe58c.tmp\stdutils.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsoe58c.tmp\stdutils.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsoe58c.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsoe58c.tmp\system.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsoe58c.tmp\winshell.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsoe58c.tmp\winshell.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsr1ab9.tmp\nsexec.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsr1ab9.tmp\stdutils.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsr1ab9.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsrb42b.tmp\nsexec.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsrb42b.tmp\stdutils.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsrb42b.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nssa92c.tmp\nsprocess.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nssa92c.tmp\stdutils.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nssa92c.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nssa92c.tmp\winshell.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\~nsua.tmp\un_a.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144

Registry Modifications

Key::Value Data API Name
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Dobvrnra\AppData\Local\Temp\~nsuA.tmp\Un_A.exe RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Dobvrnra\AppData\Local\Temp\~nsuA.tmp\Un_A.exe\??\C:\Users\Dobvrnra\AppData\Local\Temp\~nsuA.tmp RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Cvxkjhrh\AppData\Local\Temp\~nsuA.tmp\Un_A.exe RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Cvxkjhrh\AppData\Local\Temp\~nsuA.tmp\Un_A.exe\??\C:\Users\Cvxkjhrh\AppData\Local\Temp\~nsuA.tmp RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Cvxkjhrh\AppData\Local\Temp\~nsuA.tmp\Un_A.exe\??\C:\Users\Cvxkjhrh\AppData\Local\Temp\~nsuA.tmp\??\C:\Users\Cv RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations *1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old5af52*1\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old5af62*1\??\C:\P RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe [binary data] RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations *1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old122e4*1\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old12352*1\??\C:\P RegNtPreCreateKey

Windows API Usage

Category API
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
  • OutputDebugString
User Data Access
  • GetComputerNameEx
  • GetUserObjectInformation
Process Shell Execute
  • CreateProcess
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcDeleteSecurityContext
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationJobObject
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • UNKNOWN
  • win32u.dll!NtGdiAnyLinkedFonts
  • win32u.dll!NtGdiBitBlt
  • win32u.dll!NtGdiCreateBitmap
  • win32u.dll!NtGdiCreateCompatibleBitmap
  • win32u.dll!NtGdiCreateCompatibleDC
  • win32u.dll!NtGdiCreateDIBitmapInternal
  • win32u.dll!NtGdiCreateRectRgn
  • win32u.dll!NtGdiCreateSolidBrush

94 additional items are not displayed above.

Process Terminate
  • TerminateProcess
Network Winsock2
  • WSAStartup
Process Manipulation Evasion
  • NtUnmapViewOfSection
Other Suspicious
  • AdjustTokenPrivileges

Shell Command Execution

"C:\Users\Dobvrnra\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq ZelCore.exe" | %SYSTEMROOT%\System32\find.exe "ZelCore.exe"
"C:\Users\Cvxkjhrh\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
C:\WINDOWS\system32\tasklist.exe tasklist /FI "USERNAME eq Cvxkjhrh" /FI "IMAGENAME eq ZelCore.exe"
C:\WINDOWS\System32\find.exe C:\WINDOWS\System32\find.exe "ZelCore.exe"
"C:\Users\Jxxirhxz\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
C:\WINDOWS\system32\tasklist.exe tasklist /FI "USERNAME eq Jxxirhxz" /FI "IMAGENAME eq ZelCore.exe"
"C:\Users\Wpkpdjtb\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\