Trojan.Agent.COMA
Analysis Report
General information
| Family Name: | Trojan.Agent.COMA |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family. Hashes are given as the page lists them (SHA256 values in upper case, MD5/SHA1 in lower case), so normalise case before matching them against your own telemetry. Several samples share an exact file size (5,985,792 and 5,872,128 bytes recur), which is a useful secondary pivot when only a size is available; the SHA256 column is missing for the first seven entries on the original page and is marked "not listed" here.

| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| 8fccf1aa5e8fc4b51dbe46bbbfae8c0e | 21a0cca9f31c52465510447a2e051b433cc1f2e9 | not listed | 5.99 MB, 5985792 bytes |
| fbd43430df688a01ae60b1d039233afa | 26be7c1073cde337037274b4de83e9fa50f01797 | not listed | 6.14 MB, 6138880 bytes |
| 4f4516f659b391af73ab82710adc32b8 | 197190df8d754a5563b90846fc574cf24224afa7 | not listed | 5.99 MB, 5985792 bytes |
| b383a43d07ab997bbfecb3294b25a702 | 91c410830bfb8f7e99a9bbd747b5006d7b7bf334 | not listed | 5.87 MB, 5872128 bytes |
| c7e6c470fb9b6241e1ff1b749429fe54 | 851c01de00d7140ce38ce9e8083393491aeccb85 | not listed | 5.99 MB, 5985792 bytes |
| dee572e67fa03478d4c8996621ace591 | 055088fb5c2899b70079fa9e1ba7e5d6c7054325 | not listed | 6.14 MB, 6142976 bytes |
| 2c5a207e7b80d0702161d3d206551146 | 53f275e7cdf9df8871cd456645ec3ef820ee9ef0 | not listed | 5.99 MB, 5985792 bytes |
| 53ba3d1dd7a78c5f6580dd18fa33c767 | 711d2a4c53765be32e4f47b855fddd265310e376 | 1DAA1D8AE2A50D128FC6FAF32BC9AC6BB129B7E27C08FDEB808ACC2EEF1F04CA | 5.99 MB, 5985792 bytes |
| 962c026303461fcb95cb9bf3baeb77e3 | c9ca687c8502ef57e91a0b88e24862d77517562a | 831534EF4B96D201749D0D3FC2DDD3C2ADA0A9F6F84CAF12D2F2E8B574751335 | 5.87 MB, 5872128 bytes |
| db8abe1ef69f5b6aed7679df3ee7c4ff | 3cffb8a07c8e2aa12f6e6851f8f9ff73f77352aa | 66A762FBD9697BF1ED3A87A38B6C6B4B4D77587B47A82A11AAF1EEF49A13E628 | 5.99 MB, 5985792 bytes |
| be5fe87e283701d4683a3fae9ac8bc9a | 852f406ad395504a1e9b8fc52bfa69e91f04a1ae | F3094AB392DEB358F4CDB4010C29E2BD631F69ECB171A8442ED9359FABB01465 | 6.22 MB, 6219776 bytes |
| fcc8493e6b6154e92128c03d227a24a1 | b4332304ef1d79697de883007cf479dd0108c02d | A89767D5E25BA5679A52FCD2BE9B7BDB686D7C41C107785E6606BC6BABA758AF | 5.99 MB, 5985792 bytes |
| 169a01ff233ad23a2efb4432768d7f87 | 80892709f68748d3dd64c538a66396e6ae6a07c4 | CB5DCBC5A9E6CD432EED5F4C3A7B36EF71BC21DA9FA78972894CB7E0596B99CA | 5.99 MB, 5985792 bytes |
| ab05ccdb35baf1bdeac7957b8a93d11c | 66622c8f6d6750aa9ff4b1b24c0c145027d845d0 | 70FCA4BEE38A1005D00819CA82399863E101E0B6D91B77F8A6053098A69269F0 | 6.14 MB, 6142976 bytes |
| c3961152cf4cca7f750d2876298ffc0e | 2626eff40bae73d2383def21b55bec14be546000 | 609C6A2273BBBFE4FA1F499A993EDDE77DF317745A66C820204EC226F2A35073 | 5.94 MB, 5940736 bytes |
| cee52a8d809666b792e4c69bc3f8ec19 | f901dd211a7c6725aa1e4d4e1e8534c0ad628982 | 95F723D87CBFFFB3E294994D9498D9136A0831E26587DF52064125A839F174B0 | 5.87 MB, 5872128 bytes |
| 58a202738c6956b5e64f5ca8e8e6a0c9 | 10695113caf66734e231f90197117bdcc142b857 | 8377798C21987C69A4E74E15DCC0E52FF8E05ED36B38C87E6D38879405BE748C | 5.99 MB, 5985792 bytes |
| cc62ebfda1d8ad7f4f491c12a7f42c7a | e81b8d46b2a3309fc27fe29d3a01fb66d1d1d6a0 | 2C4C59332819C6B57653725936C1349B2D4F3A3922A26ED87BD3E0438CC3ADA3 | 5.87 MB, 5872128 bytes |
| ea9c48af527a31b65e5dd7f8dbe3c23f | a32148394e569e232ab1039a023226d4e4edd383 | F1A0081851793DD0761C43059349889EFD8110794CEE109A376799E538945FBE | 5.99 MB, 5987840 bytes |
| 14b9c24508a346487e6c567c4e8f6132 | 6383810140ba7144c2350447c7c0163953f80471 | 6DE4F1AEB5C88E45A14137F270478E7910635D9301F7D24B44CB684334EB5145 | 5.87 MB, 5872128 bytes |
| 476ad5a505a967fe37a9ad05f13967fb | 2fcbbb24f8688226806aa0acca83655e5c2ef724 | 0292300C65A0A755D745078FE7DEFA1204DA7B9B9F98BD0C5BC24AEB5E69CC4C | 5.99 MB, 5985792 bytes |
| 0e4a4119e66dd4a3d0c6c5bcfd871356 | be83acf6945dfb6cc97f4a2cd114ceebbcae6491 | FAABA49705F27B5D68D62D88C205BAE23AE079CE1E4752E3D2BDCEE3DFF55B6E | 5.99 MB, 5985792 bytes |
| d29bdb680d8bf2d4581047d26594f42d | 38f79fa8ff5456c583ccf9f66e840ddfc00a76be | 38F8646F6A8AB10E4E342B52B9946AE1A7CA0C52DEB644FA9939FC7E8634247D | 5.99 MB, 5985792 bytes |
| da6b1248c97bec0d3f05e44a6806e0e3 | 9a535e5705b98a373a56875ba115ff110e81019a | 040FC98334D60D12245E7CF3A52D42A687D1479F1D813DFF123195143DE7FB61 | 6.21 MB, 6205440 bytes |
| 38cf5e6675cefefe55f017bc2e6a8aea | 9e145eeab70cf357015ddf703486800a322713ee | 373E395BE7AAD50B926DB978C267633FAE71F41C1D22F76F5A5E1F0EBFA70479 | 5.99 MB, 5985792 bytes |
| 54ca5137f619d5394601dc5746a42f9f | 24facf325c574717fc083de96b6a4e9183be33cb | E0160E57783E67F8AB79BC8DD619F8CD8AC988B70C9232BA32970675485E1D38 | 5.99 MB, 5985792 bytes |
| 572230ffa972e096dbd6819a35a84517 | e47b7171e8528888e7530071b4e21160facf540d | 75CDEB866E8921A94F6DA9ABF46A0BE852954A31AF6F3D10AEADB065E1DE29EB | 5.60 MB, 5602816 bytes |
| e456bb89120761405ff2f0d20e931894 | f51542f6773701fb0c2ce068f2deb7e079a8d502 | 52DF1253215F5CF1E89906EDF80FF37D1503477B46D5BA9F3FC711B82DA54A66 | 5.99 MB, 5985792 bytes |
| b40531403ed7e0f9d428881c86ad8d7a | 84ff59c60c69a370387e7cc2c6d63c49a48e064f | 584281C5D3AB2C6326A6BA9F399786F071E14EC60BDB50C72CF6488C6898B9EE | 5.87 MB, 5872128 bytes |
| 9ce2b46aa9a98191dd665af61078200d | e1ce2562443435b6d36f6e5c693e704297fe1fb7 | 1FE2219F685B6D6FE429D5490425BFC1EF115970AB50A1660FFB4869629F77A7 | 5.87 MB, 5872128 bytes |
| c7fb53a36341a0f8b49a46b67807ab31 | 67916e915fe195cec75b5e14337ce25a61b2421e | A5AF97EE46E4E1F4D29B3CF4EB8F026C820B747EB771C56A287CDB85D3AC8F09 | 6.14 MB, 6136832 bytes |
| 8365ae49430bee2df678d99fbb5559e3 | d1f04a02561a9cbcb1190847aa3448a68bcc5979 | EAE64AEA5310EB2B67FA087ECF32B2103E70A564E35B43957A7DA7D8547FEC84 | 5.87 MB, 5872128 bytes |
| 05becdcff62a77a417413174a95f53ad | 6e27addf7728af797c23d455e6fbc1a6646b6179 | A7B48AEE3C918B67A48A410F0747F056C6CDC6DDDBB03010E8B355E4F6645A58 | 5.99 MB, 5985792 bytes |
| 843943ef50e38e7e75ffa47f76196fd8 | 94bdaf0b83c07e79a8fba5d22cbae1dd721f23fb | F8555D2A78DB1C13315869880DD2A7E1AA15462E22D2154520DAF6054784618C | 5.87 MB, 5872128 bytes |
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have exports table
- File doesn't have resources
- File doesn't have security information
- File has TLS information
- File is 64-bit executable
- File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
- File is either console or GUI application
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Traits
- No Version Info
- ntdll
- x64
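The attribute list above is derived entirely from PE header fields, so it can be reproduced locally without the vendor's tooling. The following script is an added example (not EnigmaSoft's code) that reads the DOS, COFF and optional headers with only the Python standard library and prints the same attribute lines. It does not reproduce the "not packed" heuristic or the import-based traits (ntdll, no version info), which need section and import-table parsing. The PE image it parses is constructed in memory by `build_minimal_pe64`; it is a header-only test fixture, not one of the hashes listed on this page.

```python
"""Header-only reproduction of the 'Windows Portable Executable Attributes'
checks, standard library only. Added example, not EnigmaSoft's tooling.
The PE image is constructed in memory (it is none of the hashes above)."""
import struct

IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_DLL = 0x0002, 0x2000
PE32PLUS_MAGIC = 0x20B
IMAGE_SUBSYSTEM_WINDOWS_GUI, IMAGE_SUBSYSTEM_WINDOWS_CUI = 2, 3
# Slots in the optional header's 16 IMAGE_DATA_DIRECTORY entries.
DIR_EXPORT, DIR_RESOURCE, DIR_SECURITY, DIR_TLS, DIR_CLR = 0, 2, 4, 9, 14


def pe_attributes(data: bytes) -> dict:
    """Derive the report's attribute flags from the DOS, COFF and optional headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # A Rich header lives in the DOS stub and ends with the ASCII marker 'Rich'.
    has_rich = b"Rich" in data[0x40:e_lfanew]
    coff = e_lfanew + 4
    machine, _, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    is_pe32plus = struct.unpack_from("<H", data, opt)[0] == PE32PLUS_MAGIC
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset in PE32 and PE32+
    ndirs = struct.unpack_from("<I", data, opt + (108 if is_pe32plus else 92))[0]
    dir_base = opt + (112 if is_pe32plus else 96)

    def dir_size(idx):  # size field of a data directory, 0 when absent
        if idx >= ndirs:
            return 0
        return struct.unpack_from("<II", data, dir_base + 8 * idx)[1]

    return {
        "rich_header": has_rich,
        "exports": dir_size(DIR_EXPORT) > 0,
        "resources": dir_size(DIR_RESOURCE) > 0,
        "security_info": dir_size(DIR_SECURITY) > 0,  # Authenticode certificate table
        "tls": dir_size(DIR_TLS) > 0,
        "x64": machine == IMAGE_FILE_MACHINE_AMD64 and is_pe32plus,
        "console": subsystem == IMAGE_SUBSYSTEM_WINDOWS_CUI,
        "gui": subsystem == IMAGE_SUBSYSTEM_WINDOWS_GUI,
        "dotnet": dir_size(DIR_CLR) > 0,
        "dll": bool(chars & IMAGE_FILE_DLL),
        "executable_image": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
    }


def report_lines(data: bytes) -> list:
    """Render the flags in the wording the report uses."""
    a = pe_attributes(data)

    def has(key, what):
        return f"File has {what}" if a[key] else f"File doesn't have {what}"

    lines = [has("rich_header", '"Rich" header'), has("exports", "exports table"),
             has("resources", "resources"), has("security_info", "security information"),
             has("tls", "TLS information")]
    lines.append("File is 64-bit executable" if a["x64"] else "File is not a 64-bit (AMD64) executable")
    if a["console"]:
        lines.append("File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)")
    if a["gui"]:
        lines.append("File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)")
    lines.append("File is .NET application" if a["dotnet"]
                 else "File is Native application (NOT .NET application)")
    lines.append("IMAGE_FILE_DLL is set inside PE header (DLL)" if a["dll"]
                 else "IMAGE_FILE_DLL is not set inside PE header (Executable)")
    if a["executable_image"]:
        lines.append("IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)")
    return lines


def build_minimal_pe64(*, subsystem=IMAGE_SUBSYSTEM_WINDOWS_CUI, tls=True,
                       dll=False, clr=False, rich=False) -> bytes:
    """Constructed header-only PE32+ image for exercising the checks (not a real sample)."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    stub = bytearray(e_lfanew - len(dos))  # empty DOS stub
    if rich:
        stub[0x20:0x28] = b"Rich\x11\x22\x33\x44"  # marker followed by the XOR key
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | 0x0020  # LARGE_ADDRESS_AWARE
    if dll:
        chars |= IMAGE_FILE_DLL
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 1, 0, 0, 0, 240, chars)
    opt = struct.pack("<HBBIIIII", PE32PLUS_MAGIC, 14, 0, 0x200, 0, 0, 0x1000, 0x1000)
    opt += struct.pack("<QIIHHHHHHIIIIHH", 0x140000000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0,
                       0, 0x2000, 0x200, 0, subsystem, 0x8160)
    opt += struct.pack("<QQQQII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    if tls:
        dirs[DIR_TLS] = (0x1800, 0x28)
    if clr:
        dirs[DIR_CLR] = (0x1900, 0x48)
    for rva, size in dirs:
        opt += struct.pack("<II", rva, size)
    assert len(opt) == 240  # SizeOfOptionalHeader for PE32+
    return dos + bytes(stub) + b"PE\0\0" + coff + opt
```

Run `report_lines(open(path, "rb").read())` against a real file to compare with the list above; the TLS directory is the one line most likely to differ between a Rust build and a plain C console tool, since Rust's runtime uses thread-local storage by default.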
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available. The three classes below sum to the total; roughly 6.6% of blocks are flagged as potentially malicious, with the large whitelisted share typical of a statically linked runtime.

| Total Blocks: | 7,434 |
|---|---|
| Potentially Malicious Blocks: | 491 |
| Whitelisted Blocks: | 6,745 |
| Unknown Blocks: | 198 |
Visual Map
[Block map not reproduced: on the original page each of the 7,434 blocks is drawn as one glyph, and the glyph dump was truncated. Legend: 0 = Probable Safe Block, ? = Unknown Block, x = Potentially Malicious Block.]
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft's analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- Agent.COMA
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

Two patterns in this list are worth reading rather than just counting. The `__rust_anonymous_pipe1__.<pid>.<n>` pipes are the anonymous pipes that Rust's standard library creates on Windows when a program spawns a child process with captured standard I/O: `<pid>` is the creating process and `<n>` is a per-process counter seeded randomly and incremented once per pipe, so consecutive values belong to pipes the same process created back to back. That naming indicates the samples are Rust binaries, and PIDs 7432 and 8160 are most likely the sample processes that launched the cmd.exe pipeline listed under Shell Command Execution. The `User Data\Default\Preferences`, `First Run` and `Local State` files under per-run `%TEMP%\<32 hex characters>\` directories are Chromium profile files, which points to a Chromium-based browser being started with a throwaway user-data directory; together with `Downloads\extension\manifest.json` this is consistent with an unpacked browser extension being loaded, although the page does not show the browser command line.

| File | Attributes |
|---|---|
| \device\namedpipe | Generic Read,Write Attributes |
| \device\namedpipe | Generic Write,Read Attributes |
| \device\namedpipe\__rust_anonymous_pipe1__.7432.16221982721883024099 | Generic Write,Read Attributes |
| \device\namedpipe\__rust_anonymous_pipe1__.7432.16221982721883024100 | Generic Write,Read Attributes |
| \device\namedpipe\__rust_anonymous_pipe1__.8160.9626395187921219698 | Generic Write,Read Attributes |
| \device\namedpipe\__rust_anonymous_pipe1__.8160.9626395187921219699 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\02313a91724d249ac21be3e1a304afba\user data\default\preferences | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\0659bdaae28b1756cab5da8910326393\user data\default\preferences | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\11b6aa7cabd45ae04d6cd2a43ea8b1d0\user data\default\preferences | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\1b53d6c9e7569e34d0dafc4b87a3230e\user data\default\preferences | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\1cf1ac381774a989b0aeb6110bc584ee\user data\default\preferences | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\233cfda17a640ba4a3f797f1225a468f\user data\default\preferences | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\35822ecb586c8c7c1014701cf9611d12\user data\default\preferences | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\39374b01343f14adfcf82e98a5838988\user data\default\preferences | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\4910a6c347a605cbf3638078f13558c7\user data\default\preferences | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\4bbb7aca9b39cb04723a923b8fdb94e2\user data\default\preferences | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\4c68eb70c5b0dd8c12276a01b06d8406\user data\default\preferences | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\56311a564c0c57c84ea04c068d07e16a\user data\default\preferences | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\5731290862d78e9f457d375456224eb8\user data\default\preferences | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\5d2b43f6337027eae097dd6a5f2a3f7f\user data\default\preferences | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\657d1b2ae752e3eb0882002889661404\user data\default\preferences | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\6ce5b9b803733462fa257f5234733e01\user data\default\preferences | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7b4e364a6ebaa2806e49371b54858424\user data\default\preferences | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7e8e41919765df610efaf4b619d8ba29\user data\default\preferences | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7e8e41919765df610efaf4b619d8ba29\user data\first run | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\7e8e41919765df610efaf4b619d8ba29\user data\local state | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\80a974a234582481d60f9bf8be0a2592\user data\default\preferences | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\9fc0949ff67deb879edc30fffcb21be7\user data\default\preferences | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\ac52cbaed2e076f905a0c04dfc3ad4e5\user data\default\preferences | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\b016a401ea80934e4c13b279742e321f\user data\default\preferences | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\b0e7adb8d7d47dac77f3c8908bf9cda6\user data\default\preferences | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\b300f5afaf5d37c1a7a3323205a32e21\user data\default\preferences | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\c9bc4b423c76667d33afcee3ba5947f0\user data\default\preferences | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\e3b199cc28ac122a5a40b614a679f4e0\user data\default\preferences | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\e6788415d84db225afc8e4ef1e34a432\user data\default\preferences | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\ecca30cb58ea52ee9440d3fc21dd2292\user data\default\preferences | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\f2e830ad735be96c9530dd85a88a2fb5\user data\default\preferences | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\f49303e6ff7a96746ffedd6fd72364d5\user data\default\preferences | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\f4cc81089869e00a2d9ed3651f86bf74\user data\default\preferences | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\f9b5d857d7a1f93e09f48bd2597a81d5\user data\default\preferences | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\fe188fbd3d79c9d2bcf4ff8fb9749be7\user data\default\preferences | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\snpx_data\user data\default\preferences | Generic Write,Read Attributes |
| c:\users\user\downloads\extension\manifest.json | Generic Write,Read Attributes |
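A sandbox file list like the one above is easier to reason about once the paths are tagged. The script below is an added example (not EnigmaSoft's code) that classifies each path, decodes the creator PID and counter out of the Rust pipe names, and collects the Chromium profile directories. The `PATHS` list is a constructed subset of the table above; the tag names (`rust_child_pipe`, `chromium_temp_profile`, `unpacked_extension`) are this example's own labels.

```python
"""Tag sandbox file-activity paths from the report's 'Files Modified' table.

Added example, not EnigmaSoft's code. Naming rules relied on:
- Rust's std names the anonymous pipes it creates for a spawned child's
  stdio '__rust_anonymous_pipe1__.<pid>.<n>'; <pid> is the creating process
  and <n> a per-process counter (random seed, +1 per pipe).
- Chromium-based browsers keep 'Local State', 'First Run' and
  'Default\\Preferences' under their user-data directory.
PATHS is a constructed subset of the page's table."""
import re
from collections import defaultdict

RUST_PIPE = re.compile(
    r"\\device\\namedpipe\\__rust_anonymous_pipe1__\.(\d+)\.(\d+)$", re.IGNORECASE)
CHROMIUM_PROFILE = re.compile(
    r"\\appdata\\local\\temp\\([0-9a-f]{32}|snpx_data)\\user data\\", re.IGNORECASE)
EXTENSION_MANIFEST = re.compile(r"\\manifest\.json$", re.IGNORECASE)

PATHS = [  # constructed subset of the report's table
    r"\device\namedpipe",
    r"\device\namedpipe",
    r"\device\namedpipe\__rust_anonymous_pipe1__.7432.16221982721883024099",
    r"\device\namedpipe\__rust_anonymous_pipe1__.7432.16221982721883024100",
    r"\device\namedpipe\__rust_anonymous_pipe1__.8160.9626395187921219698",
    r"\device\namedpipe\__rust_anonymous_pipe1__.8160.9626395187921219699",
    r"c:\users\user\appdata\local\temp\02313a91724d249ac21be3e1a304afba\user data\default\preferences",
    r"c:\users\user\appdata\local\temp\0659bdaae28b1756cab5da8910326393\user data\default\preferences",
    r"c:\users\user\appdata\local\temp\7e8e41919765df610efaf4b619d8ba29\user data\default\preferences",
    r"c:\users\user\appdata\local\temp\7e8e41919765df610efaf4b619d8ba29\user data\first run",
    r"c:\users\user\appdata\local\temp\7e8e41919765df610efaf4b619d8ba29\user data\local state",
    r"c:\users\user\appdata\local\temp\snpx_data\user data\default\preferences",
    r"c:\users\user\downloads\extension\manifest.json",
]


def classify(path: str) -> str:
    """Return this example's tag for one path."""
    if RUST_PIPE.search(path):
        return "rust_child_pipe"
    if CHROMIUM_PROFILE.search(path):
        return "chromium_temp_profile"
    if EXTENSION_MANIFEST.search(path):
        return "unpacked_extension"
    if path.lower() == r"\device\namedpipe":
        return "named_pipe_root"
    return "other"


def rust_pipe_groups(paths) -> dict:
    """Map creator PID -> sorted pipe counters. Consecutive counters mean one
    process created those pipes one after another (e.g. a child's stdout and
    stderr), which is how the two PIDs above each account for a pair."""
    groups = defaultdict(list)
    for p in paths:
        m = RUST_PIPE.search(p)
        if m:
            groups[int(m.group(1))].append(int(m.group(2)))
    return {pid: sorted(ns) for pid, ns in groups.items()}


def chromium_profile_dirs(paths) -> list:
    """Distinct throwaway user-data directories touched under %TEMP%."""
    found = set()
    for p in paths:
        m = CHROMIUM_PROFILE.search(p)
        if m:
            found.add(m.group(1).lower())
    return sorted(found)


def summarize(paths) -> dict:
    """Count paths per tag; 'other' is what still needs a human look."""
    counts = defaultdict(int)
    for p in paths:
        counts[classify(p)] += 1
    return dict(counts)
```

On the full table the profile-directory count is the more telling number: one temporary Chromium profile per run is normal for automation, dozens of distinct ones in one sandbox session are not.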
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.

None of the three entries recorded here is a persistence mechanism. The `bam\state\usersettings\<SID>` values keyed by `\device\harddiskvolume2\windows\system32\cmd.exe` are written by Windows' Background Activity Moderator whenever that executable runs under that user, so they are a trace of the cmd.exe pipeline listed under Shell Command Execution rather than something the sample sets; the stored data is a binary timestamp, which is why the original page shows it as unprintable characters (still useful in forensics as the last-execution time of cmd.exe for that SID). The `RFC1156Agent\CurrentVersion\Parameters\TrapPollTimeMilliSecs` value is a DWORD read by the SNMP MIB helper (inetmib1.dll) that netstat loads. `RegNtPreCreateKey` in the API column is the kernel registry-callback notification the sandbox observed, not a Win32 API the sample imports.

| Key::Value | Data | API Name |
|---|---|---|
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe | (binary, not printable) | RegNtPreCreateKey |
| HKLM\software\microsoft\rfc1156agent\currentversion\parameters::trappolltimemillisecs | (binary, not printable) | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe | (binary, not printable) | RegNtPreCreateKey |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation. Only the category labels are reproduced on this page; the individual API names behind each category are not listed. "Process Shell Execute" and "Network Winsock2" line up with the cmd.exe spawn and the local port check recorded under Shell Command Execution.
- Syscall Use
- Process Shell Execute
- Network Winsock2
- Other Suspicious
- Process Manipulation Evasion
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.
- C:\WINDOWS\system32\cmd.exe "cmd" /C "netstat -ano | findstr :16242"
- C:\WINDOWS\system32\NETSTAT.EXE netstat -ano
- C:\WINDOWS\system32\findstr.exe findstr :16242

The three entries are one action, not three: the sample runs `cmd /C "netstat -ano | findstr :16242"`, and cmd.exe spawns netstat.exe and findstr.exe as the two halves of that pipeline. `netstat -ano` lists every TCP and UDP endpoint with its owning PID, and `findstr :16242` keeps the lines whose local or foreign address carries port 16242, so the sample learns whether that port is already bound and by which process. This reads as a port-availability or already-running check before binding a local service; the page does not show what the sample does with the answer. Because findstr matches the substring anywhere on the line, a connection whose foreign address uses port 16242 would match as well. For detection, the useful shape is the process tree: a non-interactive parent spawning cmd.exe whose command line pipes netstat into findstr with a `:<port>` pattern, with netstat.exe and findstr.exe appearing as cmd.exe's children.
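The process-tree shape of that probe is straightforward to detect from process-creation telemetry. The script below is an added example (not EnigmaSoft's code) that runs over Sysmon-style process-creation records: it finds cmd.exe instances whose command line pipes netstat into a findstr port filter, reports the probed port and the parent that asked for it, and confirms that both halves of the pipeline were actually spawned, which separates an executed probe from a command line that merely contains the text. The `EVENTS` list is constructed for the example; the parent image `sample.exe` and the PIDs other than 7432 are placeholders, not values from the report.

```python
"""Detect 'netstat -ano | findstr :<port>' probes in process-creation events.

Added example, not EnigmaSoft's code. EVENTS is constructed (Sysmon-style
fields); 'sample.exe' and the PIDs are placeholders, not report data."""
import re
from collections import defaultdict

# cmd.exe command line that pipes a netstat listing into a findstr port filter.
PORT_PROBE = re.compile(
    r"netstat\s+-\w*\s*.*?\|\s*findstr(?:\.exe)?\s+\"?:(\d{1,5})\"?", re.IGNORECASE)

EVENTS = [  # constructed
    {"pid": 7432, "ppid": 4120, "image": r"C:\Users\user\Downloads\sample.exe",
     "cmdline": "sample.exe"},
    {"pid": 7600, "ppid": 7432, "image": r"C:\WINDOWS\system32\cmd.exe",
     "cmdline": '"cmd" /C "netstat -ano | findstr :16242"'},
    {"pid": 7604, "ppid": 7600, "image": r"C:\WINDOWS\system32\NETSTAT.EXE",
     "cmdline": "netstat -ano"},
    {"pid": 7608, "ppid": 7600, "image": r"C:\WINDOWS\system32\findstr.exe",
     "cmdline": "findstr :16242"},
    # An admin running netstat by hand in an interactive shell: no finding.
    {"pid": 900, "ppid": 880, "image": r"C:\WINDOWS\system32\cmd.exe", "cmdline": "cmd"},
    {"pid": 910, "ppid": 900, "image": r"C:\WINDOWS\system32\NETSTAT.EXE",
     "cmdline": "netstat -ano"},
    # Probe text present but no children recorded: reported, not confirmed.
    {"pid": 950, "ppid": 880, "image": r"C:\WINDOWS\system32\cmd.exe",
     "cmdline": 'cmd /C "netstat -ano | findstr :443"'},
]


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def find_port_probes(events) -> list:
    """One finding per cmd.exe whose command line is a port probe.

    Each finding carries the probed port, the process that launched cmd.exe
    (the one that wanted the answer) and whether netstat.exe and findstr.exe
    were both seen as cmd.exe's children."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = []
    for e in events:
        if basename(e["image"]) != "cmd.exe":
            continue
        m = PORT_PROBE.search(e["cmdline"])
        if not m:
            continue
        kids = {basename(c["image"]) for c in children[e["pid"]]}
        parent = by_pid.get(e["ppid"])
        findings.append({
            "port": int(m.group(1)),
            "cmd_pid": e["pid"],
            "parent_image": parent["image"] if parent else None,
            "pipeline_confirmed": {"netstat.exe", "findstr.exe"} <= kids,
        })
    return findings
```

In a real pipeline the parent image is what you key on: interactive shells launched from explorer.exe or a terminal produce this pattern rarely, while an unsigned binary under a user's Downloads directory doing it is worth a ticket.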