
Trojan.Agent.COMA

By CagedTech in Trojans

Analysis Report

General information

Family Name: Trojan.Agent.COMA
Signature status: No Signature

Known Samples


Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have exports table
  • File doesn't have resources
  • File doesn't have security information
  • File has TLS information
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Traits

  • No Version Info
  • ntdll
  • x64

Block Information

Total Blocks: 7,434
Potentially Malicious Blocks: 491
Whitelisted Blocks: 6,745
Unknown Blocks: 198

Visual Map

[Block map omitted: one character per block, truncated in the source; legend below]
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Agent.COMA

Files Modified

File Attributes
\device\namedpipe Generic Read,Write Attributes
\device\namedpipe Generic Write,Read Attributes
\device\namedpipe\__rust_anonymous_pipe1__.7432.16221982721883024099 Generic Write,Read Attributes
\device\namedpipe\__rust_anonymous_pipe1__.7432.16221982721883024100 Generic Write,Read Attributes
\device\namedpipe\__rust_anonymous_pipe1__.8160.9626395187921219698 Generic Write,Read Attributes
\device\namedpipe\__rust_anonymous_pipe1__.8160.9626395187921219699 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\02313a91724d249ac21be3e1a304afba\user data\default\preferences Generic Write,Read Attributes
c:\users\user\appdata\local\temp\0659bdaae28b1756cab5da8910326393\user data\default\preferences Generic Write,Read Attributes
c:\users\user\appdata\local\temp\11b6aa7cabd45ae04d6cd2a43ea8b1d0\user data\default\preferences Generic Write,Read Attributes
c:\users\user\appdata\local\temp\1b53d6c9e7569e34d0dafc4b87a3230e\user data\default\preferences Generic Write,Read Attributes
c:\users\user\appdata\local\temp\1cf1ac381774a989b0aeb6110bc584ee\user data\default\preferences Generic Write,Read Attributes
c:\users\user\appdata\local\temp\233cfda17a640ba4a3f797f1225a468f\user data\default\preferences Generic Write,Read Attributes
c:\users\user\appdata\local\temp\35822ecb586c8c7c1014701cf9611d12\user data\default\preferences Generic Write,Read Attributes
c:\users\user\appdata\local\temp\39374b01343f14adfcf82e98a5838988\user data\default\preferences Generic Write,Read Attributes
c:\users\user\appdata\local\temp\4910a6c347a605cbf3638078f13558c7\user data\default\preferences Generic Write,Read Attributes
c:\users\user\appdata\local\temp\4bbb7aca9b39cb04723a923b8fdb94e2\user data\default\preferences Generic Write,Read Attributes
c:\users\user\appdata\local\temp\4c68eb70c5b0dd8c12276a01b06d8406\user data\default\preferences Generic Write,Read Attributes
c:\users\user\appdata\local\temp\56311a564c0c57c84ea04c068d07e16a\user data\default\preferences Generic Write,Read Attributes
c:\users\user\appdata\local\temp\5731290862d78e9f457d375456224eb8\user data\default\preferences Generic Write,Read Attributes
c:\users\user\appdata\local\temp\5d2b43f6337027eae097dd6a5f2a3f7f\user data\default\preferences Generic Write,Read Attributes
c:\users\user\appdata\local\temp\657d1b2ae752e3eb0882002889661404\user data\default\preferences Generic Write,Read Attributes
c:\users\user\appdata\local\temp\6ce5b9b803733462fa257f5234733e01\user data\default\preferences Generic Write,Read Attributes
c:\users\user\appdata\local\temp\7b4e364a6ebaa2806e49371b54858424\user data\default\preferences Generic Write,Read Attributes
c:\users\user\appdata\local\temp\7e8e41919765df610efaf4b619d8ba29\user data\default\preferences Generic Write,Read Attributes
c:\users\user\appdata\local\temp\7e8e41919765df610efaf4b619d8ba29\user data\first run Generic Write,Read Attributes
c:\users\user\appdata\local\temp\7e8e41919765df610efaf4b619d8ba29\user data\local state Generic Write,Read Attributes
c:\users\user\appdata\local\temp\80a974a234582481d60f9bf8be0a2592\user data\default\preferences Generic Write,Read Attributes
c:\users\user\appdata\local\temp\9fc0949ff67deb879edc30fffcb21be7\user data\default\preferences Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ac52cbaed2e076f905a0c04dfc3ad4e5\user data\default\preferences Generic Write,Read Attributes
c:\users\user\appdata\local\temp\b016a401ea80934e4c13b279742e321f\user data\default\preferences Generic Write,Read Attributes
c:\users\user\appdata\local\temp\b0e7adb8d7d47dac77f3c8908bf9cda6\user data\default\preferences Generic Write,Read Attributes
c:\users\user\appdata\local\temp\b300f5afaf5d37c1a7a3323205a32e21\user data\default\preferences Generic Write,Read Attributes
c:\users\user\appdata\local\temp\c9bc4b423c76667d33afcee3ba5947f0\user data\default\preferences Generic Write,Read Attributes
c:\users\user\appdata\local\temp\e3b199cc28ac122a5a40b614a679f4e0\user data\default\preferences Generic Write,Read Attributes
c:\users\user\appdata\local\temp\e6788415d84db225afc8e4ef1e34a432\user data\default\preferences Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ecca30cb58ea52ee9440d3fc21dd2292\user data\default\preferences Generic Write,Read Attributes
c:\users\user\appdata\local\temp\f2e830ad735be96c9530dd85a88a2fb5\user data\default\preferences Generic Write,Read Attributes
c:\users\user\appdata\local\temp\f49303e6ff7a96746ffedd6fd72364d5\user data\default\preferences Generic Write,Read Attributes
c:\users\user\appdata\local\temp\f4cc81089869e00a2d9ed3651f86bf74\user data\default\preferences Generic Write,Read Attributes
c:\users\user\appdata\local\temp\f9b5d857d7a1f93e09f48bd2597a81d5\user data\default\preferences Generic Write,Read Attributes
c:\users\user\appdata\local\temp\fe188fbd3d79c9d2bcf4ff8fb9749be7\user data\default\preferences Generic Write,Read Attributes
c:\users\user\appdata\local\temp\snpx_data\user data\default\preferences Generic Write,Read Attributes
c:\users\user\downloads\extension\manifest.json Generic Write,Read Attributes

Registry Modifications

Key::Value Data API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe [binary data] RegNtPreCreateKey
HKLM\software\microsoft\rfc1156agent\currentversion\parameters::trappolltimemillisecs RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe [binary data] RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAdjustPrivilegesToken
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClose
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateNamedPipeFile
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateTimer
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetTimerEx
  • ntdll.dll!NtSetValueKey
  • ntdll.dll!NtTerminateProcess
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • UNKNOWN
  • win32u.dll!NtUserGetKeyboardLayout
  • win32u.dll!NtUserGetThreadState
Process Shell Execute
  • CreateProcess
Network Winsock2
  • WSAStartup
Other Suspicious
  • AdjustTokenPrivileges
Process Manipulation Evasion
  • NtUnmapViewOfSection

Shell Command Execution

C:\WINDOWS\system32\cmd.exe "cmd" /C "netstat -ano | findstr :16242"
C:\WINDOWS\system32\NETSTAT.EXE netstat -ano
C:\WINDOWS\system32\findstr.exe findstr :16242
