
Trojan.Agent.Gen.CTL

By CagedTech in Trojans

Analysis Report

General information

Family Name: Trojan.Agent.Gen.CTL
Signature status: No Signature

Known Samples

MD5: 28117a170707a0c5bc3d4f26269cf35f
SHA1: c298fec84a820b029191c809308e5a3e91ba6c72
SHA256: EA0A02B64C217F0C71B94123BCB832746C34CB415A54C4A595417C6409DE29B8
File Size: 462.63 KB, 462627 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have exports table
  • File doesn't have security information
  • File has TLS information
  • File is 64-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Company Name: Logitech International S.A.
File Description: Device Management Sync Service
File Version: 7.42.545.288
Internal Name: gen1
Legal Copyright: Copyright (C) Logitech. All rights reserved.
Original Filename: gen1.exe
Product Name: AMD Software Platform
Product Version: 7.42.545.288

File Traits

  • big overlay
  • CryptUnprotectData
  • fptable
  • x64

Block Information

Total Blocks: 1,150
Potentially Malicious Blocks: 75
Whitelisted Blocks: 1,075
Unknown Blocks: 0

Visual Map

[Block map omitted: one symbol per block for the 1,150 blocks analysed, rendered according to the legend below]
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

Files Modified

File Attributes
c:\programdata\microsoft\devicesync\devicesynchost.exe Generic Write,Read Attributes
c:\programdata\microsoft\devicesync\devicesynchost.exe Synchronize,Write Attributes
c:\users\user\appdata\local\google\crashreports\googleupdatecore.exe Generic Write,Read Attributes
c:\users\user\appdata\local\google\crashreports\googleupdatecore.exe Synchronize,Write Attributes
c:\users\user\appdata\local\microsoft\devicesync\config.bin Generic Write,Read Attributes
c:\users\user\appdata\local\microsoft\edge\user data\chrome_update_manifest.html Generic Write,Read Attributes
c:\users\user\appdata\local\temp\svc_task_7126187.xml Generic Write,Read Attributes
c:\users\user\appdata\local\temp\svc_task_7126203.xml Generic Write,Read Attributes
c:\users\user\appdata\local\temp\svc_task_7126531.xml Generic Write,Read Attributes
c:\users\user\appdata\local\temp\svc_task_7126546.xml Generic Write,Read Attributes
c:\users\user\appdata\local\temp\~ssclean_7126218.bat Generic Write,Read Attributes
c:\users\user\appdata\roaming\microsoft\protect\securityhealthsystray.exe Generic Write,Read Attributes
c:\users\user\appdata\roaming\microsoft\protect\securityhealthsystray.exe Synchronize,Write Attributes

Registry Modifications

Key::Value: HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe
Data: [non-printable binary data]
API Name: RegNtPreCreateKey

Key::Value: HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe
Data: [non-printable binary data]
API Name: RegNtPreCreateKey

Key::Value: HKCU\software\microsoft\edge\elfbeacon::version
Data: 147.0.3912.72
API Name: RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcAcceptConnectPort
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreatePort
  • ntdll.dll!NtAlpcCreateResourceReserve
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcOpenSenderProcess
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcQueryInformationMessage
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtAlpcSetInformation
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDeleteValueKey
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFindAtom
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtGetCompleteWnfStateSubscription
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenMutant
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtPowerInformation
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtTraceEvent
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForMultipleObjects
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtYieldExecution
  • UNKNOWN
Network Wininet
  • InternetOpen
  • InternetOpenUrl
  • InternetSetOption
Process Shell Execute
  • CreateProcess
Process Manipulation Evasion
  • NtUnmapViewOfSection
Anti Debug
  • IsDebuggerPresent
  • OutputDebugString
User Data Access
  • GetComputerName
  • GetUserName
  • GetUserObjectInformation
Encryption Used
  • CryptProtectData
Network Winsock2
  • WSAStartup
Network Winsock
  • closesocket
  • connect
  • freeaddrinfo
  • getaddrinfo
  • recv
  • send
  • socket

Shell Command Execution

schtasks /Query /TN "Microsoft\Windows\AppID\PolicyConverter"
schtasks /Create /TN "Microsoft\Windows\AppID\PolicyConverter" /XML "C:\Users\Jqkiildn\AppData\Local\Temp\svc_task_7126187.xml" /F
schtasks /Query /TN "Google\Update\CrashReportTask"
schtasks /Create /TN "Google\Update\CrashReportTask" /XML "C:\Users\Jqkiildn\AppData\Local\Temp\svc_task_7126187.xml" /F
schtasks /Query /TN "Microsoft\Windows\DeviceSync\Routine"
schtasks /Create /TN "Microsoft\Windows\DeviceSync\Routine" /XML "C:\Users\Jqkiildn\AppData\Local\Temp\svc_task_7126203.xml" /F
C:\Users\Jqkiildn\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe (NULL)
cmd.exe /C "C:\Users\Jqkiildn\AppData\Local\Temp\\~ssclean_7126218.bat"
schtasks /Query /TN "Microsoft\Windows\AppID\PolicyConverter"
schtasks /Create /TN "Microsoft\Windows\AppID\PolicyConverter" /XML "C:\Users\Jqkiildn\AppData\Local\Temp\svc_task_7126531.xml" /F
schtasks /Query /TN "Google\Update\CrashReportTask"
schtasks /Create /TN "Google\Update\CrashReportTask" /XML "C:\Users\Jqkiildn\AppData\Local\Temp\svc_task_7126531.xml" /F
schtasks /Query /TN "Microsoft\Windows\DeviceSync\Routine"
schtasks /Create /TN "Microsoft\Windows\DeviceSync\Routine" /XML "C:\Users\Jqkiildn\AppData\Local\Temp\svc_task_7126546.xml" /F
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --app="file:///C:/Users/Jqkiildn/AppData/Local/Microsoft/Edge/User Data/chrome_update_manifest.html" --disable-infobars --hide-crash-restore-bubble --disable-backgrounding-occluded-windows --disable-renderer-backgrounding --disable-occlusion-tracking --mute-audio
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --app="file:///C:/Users/Jqkiildn/AppData/Local/Microsoft/Edge/User Data/chrome_update_manifest.html" --disable-infobars --hide-crash-restore-bubble --disable-backgrounding-occluded-windows --disable-renderer-backgrounding --disable-occlusion-tracking --mute-audio
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --app="file:///C:/Users/Jqkiildn/AppData/Local/Microsoft/Edge/User Data/chrome_update_manifest.html" --disable-infobars --hide-crash-restore-bubble --disable-backgrounding-occluded-windows --disable-renderer-backgrounding --disable-occlusion-tracking --mute-audio
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --app="file:///C:/Users/Jqkiildn/AppData/Local/Microsoft/Edge/User Data/chrome_update_manifest.html" --disable-infobars --hide-crash-restore-bubble --disable-backgrounding-occluded-windows --disable-renderer-backgrounding --disable-occlusion-tracking --mute-audio
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --app="file:///C:/Users/Jqkiildn/AppData/Local/Microsoft/Edge/User Data/chrome_update_manifest.html" --disable-infobars --hide-crash-restore-bubble --disable-backgrounding-occluded-windows --disable-renderer-backgrounding --disable-occlusion-tracking --mute-audio
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --app="file:///C:/Users/Jqkiildn/AppData/Local/Microsoft/Edge/User Data/chrome_update_manifest.html" --disable-infobars --hide-crash-restore-bubble --disable-backgrounding-occluded-windows --disable-renderer-backgrounding --disable-occlusion-tracking --mute-audio --edge-skip-compat-layer-relaunch
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --app="file:///C:/Users/Jqkiildn/AppData/Local/Microsoft/Edge/User Data/chrome_update_manifest.html" --disable-infobars --hide-crash-restore-bubble --disable-backgrounding-occluded-windows --disable-renderer-backgrounding --disable-occlusion-tracking --mute-audio --edge-skip-compat-layer-relaunch
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --app="file:///C:/Users/Jqkiildn/AppData/Local/Microsoft/Edge/User Data/chrome_update_manifest.html" --disable-infobars --hide-crash-restore-bubble --disable-backgrounding-occluded-windows --disable-renderer-backgrounding --disable-occlusion-tracking --mute-audio
