Adware.OpenSUpdater.HA
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Popularity Rank: | 7,549 |
| Threat Level: | 20 % (Normal) |
| Infected Computers: | 610 |
| First Seen: | October 12, 2023 |
| Last Seen: | April 21, 2026 |
| OS(es) Affected: | Windows |
Analysis Report
General information
| Family Name: | Adware.OpenSUpdater.HA |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family. File sizes fall into a few narrow bands (about 191 KB, 208 KB, 228 KB, 616 to 624 KB and 1.89 MB), which is a cheap pre-filter when hunting for these files. The first two rows carry no SHA-256 on the page.
| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| d248c78f0ffd7bc7b3cf14f7ba61039b | f5523bd9cbe7e839bf870d45481aaaed46671f24 | | 191.59 KB (191591 bytes) |
| 778c4002754c97242275214da21cb09d | e366db26034a9345f36fbf1851fca1578c14a4da | | 1.89 MB (1889644 bytes) |
| 32db32eae67780cda3e12b59fd76aeb5 | 900ae01206f2eb76ef45aa8ecb1608288b7469d0 | 09B5A1EC57F286C33AC77BB6A5B42F20E43F3D23F3A6E69CB9770E4C1E004C18 | 191.61 KB (191606 bytes) |
| e3d224639f713f715536bab1845718cb | 6f299d01d969e5f501582a22ffa81336e714f7b9 | 1BEA30428DEBB18D76796837EFCD095534B98E4993D7A7C24313D58EF5544AEF | 623.39 KB (623391 bytes) |
| b2a2312260125c7132fcb9c7ed2525d8 | 7f920006d9de1f8da5006196c8c2c84d4a4ef640 | 4381DAC3F3B82A4507F4911741886000CCA94961FDB2EC2769CDD8437CE82A9D | 1.89 MB (1889620 bytes) |
| 6d895d72a867bca23af8049edb42eb34 | 03bdf257362da4303688e9f6dbfe021a8485dbae | E9F3FE81F751D7C7013B9458F5753FF88DAC8718D07650DC45133BA6A19779F4 | 620.95 KB (620951 bytes) |
| ca04baa34d5727a9974228e746d1671c | 7a75d1b3c563d47a95aa4cc3b21b12c9e8105b96 | 5B3C0D5B06E9DEB169977CCB6B86B7EEB3AB7DCEE2A472705A3983499EF6E1BA | 616.46 KB (616456 bytes) |
| 99d479655249dd25e547c37286e61ee5 | a7ff5f5acacaff0530a0819c9469fccb76eaeecf | B0A68670387F368F264F29E08CB228179FCEA65A369BDDB773B66B230CF70E35 | 208.58 KB (208579 bytes) |
| 0cf74ce2c2ec1f3f43bebf2965ca9202 | 6959880d1ee2f6dea4f998c3df2369247e170fdf | 0D4675941FF9A4C4856C7C9212CFCC73B7EDF222451318D2DDC395A30129B213 | 228.76 KB (228758 bytes) |
| d3d5f6e5297e62938bc905dfc88e6c50 | 19ca8e1c1fee4a31c6c9fbdab2b13abda677a9ce | 6187A8F54E0A359FD32D7BF1809DC440EC26A6951D88561BACCD40C516305306 | 616.53 KB (616533 bytes) |
| 00268fdd066948beb2c2be3cea6f0788 | b2061a208a6325739c7b4cd86f856fdc14128558 | ECFFBA7A530D46D95BBE8DCA4D5AEAA944A022D0D33BF151C19DC95048AC2790 | 208.56 KB (208561 bytes) |
| a03fa15b315a955c15e15709938fb5dd | 25c551c42a0c2abd71a80b8afc56e5c037c59352 | 501C174046FFB1DF7DD42A48E2C36A7BA5BD8A7D445513D1F78328A266479530 | 623.17 KB (623172 bytes) |
| 323d8dc2e6888d59b13f4dc0d1c66204 | 147c7c2a74ed01ccfa036498ca24c7eff49ad1b2 | 27E237FABB9FAA1FE42E5677DA635F9383598E8A3E20B5C9A08E356803E58D87 | 622.96 KB (622955 bytes) |
| fb36eef285b3830e82f571b88b0cf4d3 | f89900b47d52b6159476c791aed13d8aa6cc27bd | 0D5104BB360BB9E60CBF4EA3100B5C7CBE3006927705129F96FD04541D32B1E6 | 616.39 KB (616394 bytes) |
| f87b023f7678068e50da14fadc118407 | 4776e605eab7426bfda3fa78d21b5db96402fa8f | FF21B2BAB47E576BCC40DD9E25E616B45B105A1DE8C49031C2C1AF87C85818D5 | 1.89 MB (1889797 bytes) |
| 9e6bce95147d938154811b036910226b | 6c1d9f4960f06dab86f41f68be4a80487191a0db | 4BFDD11DBDE801E2C7779CBE5A776AB24E712EC0101F47CEDCF8FC0EA5D0F383 | 623.35 KB (623350 bytes) |
| 32224e7a4d2fa71a698028f151155253 | 0fe70f5a4f16b7084644f01f0a2390b192c2eb46 | 6887FC6026796E668C99BE02EEC8807B921A00CFE7545087B6DF911E3FC7AA0B | 208.40 KB (208398 bytes) |
| e8beb9e1bf73846c934320ae7fc83c37 | 9426435a488a8270c5421fad5856df0a9f9a53a6 | 6714249278C84D18B8B659C395E984142F70B6BCD91B41FB803D657B6BF9F793 | 616.46 KB (616461 bytes) |
| 0fa8826696f9e894e9cc8d7fb7e6bd05 | 11c929bdfe072f68cc0c7022ba1e90db1a7b4161 | 905374F8DA48D5BF3D252906D9913FD9ACC58037C278A6276083441DEC936A1D | 1.89 MB (1890064 bytes) |
| c54cf6522de20867b043baff58e40c31 | 5cdd589b62884e0be4597d5fd89d91ef1725fa9d | 0FDBC6C7F1D72BE84C42EFA3A5BEB0E8303DF1FE2C729A10BAC5C2DBE4447F7D | 616.48 KB (616477 bytes) |
| daf9e2df93e987f2f9031679b0cf40bb | 4ad5d25ae5b75ee5d62e1e0e8440ee21da3d4b34 | 86E2A3BF915FBB4B33514A644CDC37B95DE93EDB51D5159FB81BD341AE0A27E0 | 623.07 KB (623065 bytes) |
| 0cbdec161fbde6e0f0dd5ea72929b3a9 | 06b5f0a18a8afb295374fb9be1a53730857135a2 | 441BADC8350640B0713E19F46B227F5B29B906C9F2443F859CA52D621F434B6A | 228.77 KB (228767 bytes) |
| af3ef2b0bd93dfd8a2109df40857bd47 | 58a8715a34745d6a10b62cef8ba8d683ea052b57 | 604EE9E86C9E457F790C25E058937C57362D1D7DEE096D4A1FA449A035F01B4C | 622.91 KB (622915 bytes) |
| cc8e30c6eaf76b4e5c51a73008ccc972 | b37b107fcbbf6890f0ecc8763f2df276cb25bc86 | CA12BA0CD17B4E702B43D43391B244EEC5DEF1ECDA5303E97AB9F84E8D43B896 | 623.49 KB (623494 bytes) |
| 69b750cc77df9548a03fff2717287e3d | ee9863b1a88876aff99673018d1e520cd6b30684 | 181252C1A70573A992C8694E21531C436C46838065890F252E2C2F8FAF4D3C01 | 623.41 KB (623414 bytes) |
| cb21c5fc7cdf58107928b9a9ea659ed8 | 68e8ab9725ffc52c4a073b5bbe88e46ac3ec9adf | 14CFB6A1B4300A1025664EAE78FE59EF56CF8EE54BD0AAB912341A53A568733B | 228.94 KB (228943 bytes) |
| 6289d9ad9558e7fbfba93c26c114d91f | a4e007f28ae7b5342f434523bb02a2a362c9e61b | BC617C17673C84867DDE35EFF854ED9A9C0700FC37B507AEDA07628C023D25C7 | 616.50 KB (616500 bytes) |
| 033d43d7565da94dc52fb550d15097db | 7ee2e355597548dd41602bbf8fb1223abd7109fa | 5AE88C018029D265792610B03644DE070B4F85F6F42306FEA8A729F5101CFE00 | 623.09 KB (623085 bytes) |
| bc2ae8d20213c1bbf4f039fde913eda5 | b196f65581cc8b74c802c5b1ba2581a3de3d5f52 | 3D1E04FF830972263CC910EB23A7FA596B5D464B70688B7FE24B617C57436CC2 | 1.89 MB (1889727 bytes) |
| b465a37114c52df18749ad3d7dcc5294 | 817f3f1e278b0b6e21d33e614490f3cd7a7bd18c | D7B9746757248DCB46463F1F086960C83CF4DCA0B7013AE0AAD3CBE0583CBA23 | 616.44 KB (616437 bytes) |
| 1548b569164ad885862e4632ab7671a4 | 2f605a7ebf3d150f60de67f45d6a2ad792d2b863 | D79EFB8F4C8B065030BFE8DBD4C18AE09833789CF73D6D89549726C9175A5253 | 623.24 KB (623235 bytes) |
| f53367cc7948474cd4a7bd2ead48e5ff | 4fb83e7e4837f3776bc2e38f153ecdbd5263797a | C2ADBAA02EB4587FA4EF219E98E0B4672039791A95ACBA0CE48163D3613020E2 | 1.89 MB (1889707 bytes) |
| 236f8314f9d0a214edfc3e64898146dd | c44f9ea3a2fd30429fad1f4424c2a96815f626a6 | E28E7B0529158CFB270650EF672FCC965C611F6C965F6A7834B8D29BD4114238 | 616.51 KB (616509 bytes) |
| a4919dc1d3ad1e43639e989dae77a12b | 72f016f0210a124b883d09c8086c902152c64575 | 5EAF34A402400EF02444984AED4ABB09FBEE307E06E896E6F983D2DE47F16F7D | 208.48 KB (208478 bytes) |
| 74dcac3dff89709d39207933adf90c87 | ab2cab7ec0e17b8a55c8d2d103267cc624708c77 | DF97388B78EC89ED7D7EFC3B98E4A6A84973B80ABAC2E341B885A78955F7DA1D | 623.10 KB (623095 bytes) |
| 40acac3b47de58d096a4d90e4b9cddd1 | 279c9d708f5859e68246fd45cac05a83ba59f65f | C8B0AE909FE1C52C9B990EEDB0C9CB61D93709B75AD3ADFCF3D66484528BE0E6 | 191.56 KB (191558 bytes) |
| 46527770300bc087d450cf19a8fe8150 | 3b95dbd3be6f703f176ed5d6c825f9e2144f1c63 | DC710F1DA38C086C42211D6C555F5C6886A51F373234F607B97B1AF631690EB7 | 623.37 KB (623374 bytes) |
| 9ca7959a28ce30ade8aef8174c6ac9e0 | e43009f7c361fbeb1d749600a1458afc113300d7 | A270733F15CDA0B1293A69FA95AA8D71853DB61FFBBDFEC6D85654A17F81ECD5 | 623.86 KB (623859 bytes) |
| 68d4fe5477c10dd7ac0afc5844d8f84a | 4b0fa8b5523f249e67b406ba082bf537482e9035 | 3E908C6854B0EC546034ADD5ADA98EC157D16BFCE68F34BF957B8DBDE5EFD90F | 623.40 KB (623402 bytes) |
| 9074749debeb1eb2ecfddc44ed8781f6 | c64ffc252262140b334a2f52c0e13abc03b16571 | 4BF0086B5BCBBB091403F4C2B9A7CFA43B5763AF382D68BCB1CCC69D802AF921 | 623.43 KB (623427 bytes) |
| f2f36f8acd37128bcb6b4e2f50dec440 | f893f2f19d8062b54ad7395e688d7e9f18a0787b | A8D9EC791591447D35214D27512C8E9D88231055998C2F3EA88D709BD783B300 | 616.50 KB (616502 bytes) |
| 1590bffd39a13bb708d3876d412a3b94 | 0bf22d892090fec1fa85baa4f0b29c73a4478318 | D52B71F28E54133043A7A0DB1B4B57B1AB922D0462E8673414BD4D731DA530CE | 228.78 KB (228779 bytes) |
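The sample list above is only useful if it can be checked against files on disk. The following script is an added example, not EnigmaSoft's or SpyHunter's code: it indexes a subset of the hashes from the table (copied verbatim; extend KNOWN_SAMPLES with the remaining rows before a real hunt), hashes files with all three algorithms in one pass, and reports which algorithm matched. The optional size pre-filter uses the exact byte sizes from the table and is an assumption about how you want to trade speed for completeness.

```python
"""Hash-based IOC matching against the Known Samples list above.

Added example; not EnigmaSoft's or SpyHunter's code. The hashes below are
copied from the table on this page (a subset, to keep the block short);
extend KNOWN_SAMPLES with the remaining rows before using it for a real hunt.
"""
import hashlib
import os
from typing import Dict, Iterator, List, Optional, Set, Tuple

# (md5, sha1, sha256-or-None, size in bytes), copied from the page. The first
# two rows on the page carry no SHA-256, which is why that field is optional.
KNOWN_SAMPLES: List[Tuple[str, str, Optional[str], int]] = [
    ("d248c78f0ffd7bc7b3cf14f7ba61039b", "f5523bd9cbe7e839bf870d45481aaaed46671f24",
     None, 191591),
    ("32db32eae67780cda3e12b59fd76aeb5", "900ae01206f2eb76ef45aa8ecb1608288b7469d0",
     "09b5a1ec57f286c33ac77bb6a5b42f20e43f3d23f3a6e69cb9770e4c1e004c18", 191606),
    ("e3d224639f713f715536bab1845718cb", "6f299d01d969e5f501582a22ffa81336e714f7b9",
     "1bea30428debb18d76796837efcd095534b98e4993d7a7c24313d58ef5544aef", 623391),
    ("b2a2312260125c7132fcb9c7ed2525d8", "7f920006d9de1f8da5006196c8c2c84d4a4ef640",
     "4381dac3f3b82a4507f4911741886000cca94961fdb2ec2769cdd8437ce82a9d", 1889620),
]
ALGOS = ("md5", "sha1", "sha256")


def build_index(samples=KNOWN_SAMPLES) -> Dict[str, Set[str]]:
    """Per-algorithm sets of lower-case hex digests, so a lookup is one set probe."""
    index: Dict[str, Set[str]] = {algo: set() for algo in ALGOS}
    for md5, sha1, sha256, _size in samples:
        index["md5"].add(md5.lower())
        index["sha1"].add(sha1.lower())
        if sha256:
            index["sha256"].add(sha256.lower())
    return index


def known_sizes(samples=KNOWN_SAMPLES) -> Set[int]:
    """Exact byte sizes from the table; a cheap pre-filter before hashing."""
    return {size for _md5, _sha1, _sha256, size in samples}


def hash_bytes(data: bytes) -> Dict[str, str]:
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGOS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream the file once, feeding all three digests, so it is not read three times."""
    hashers = {algo: hashlib.new(algo) for algo in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match(hashes: Dict[str, str], index: Dict[str, Set[str]]) -> List[str]:
    """Algorithms whose digest appears in the IOC index; an empty list means no match."""
    return [algo for algo in ALGOS if hashes.get(algo, "").lower() in index[algo]]


def scan_tree(root: str, index: Dict[str, Set[str]],
              size_prefilter: bool = True) -> Iterator[Tuple[str, List[str]]]:
    """Walk a directory and yield (path, matched_algorithms) for every IOC hit.

    With size_prefilter=True only files whose size equals a listed sample size are
    hashed. That is fast but misses samples absent from the (partial) list, so turn
    it off when the hunt must be exhaustive.
    """
    sizes = known_sizes()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if size_prefilter and os.path.getsize(path) not in sizes:
                    continue
                hit = match(hash_file(path), index)
            except OSError:
                continue  # unreadable or vanished file: skip rather than abort the sweep
            if hit:
                yield path, hit


if __name__ == "__main__":
    import sys
    idx = build_index()
    for path, algos in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".", idx):
        print(f"{path}: matches an Adware.OpenSUpdater.HA sample via {', '.join(algos)}")
```

Run it as `python scan.py C:\Users` (or any root). Matching is case-insensitive on the digest because the page prints SHA-256 values in upper case and MD5/SHA1 in lower case.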
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
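Every line in the attribute list above is answerable from the PE headers alone. The script below is an added example, not EnigmaSoft's tooling: it parses the DOS, COFF and optional headers and the data directories, reports each attribute in the page's own wording, and ships a synthetic header-only PE32 image so it runs without a real sample. The "File is not packed" verdict (a section-entropy check) is out of scope here; the subsystem and directory offsets are the documented PE layout, not an assumption.

```python
"""Static PE header triage reproducing the attribute list above.

Added example, not EnigmaSoft's tooling. It reads the DOS, COFF and optional
headers plus the data directories; the 'not packed' verdict on the page is a
section-entropy question and is not covered. build_minimal_pe() makes a
synthetic header-only image so the code runs without a real sample.
"""
import struct
from typing import Dict, List, Tuple

IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_SUBSYSTEM_WINDOWS_GUI, IMAGE_SUBSYSTEM_WINDOWS_CUI = 2, 3
SUBSYSTEM_NAMES = {2: "IMAGE_SUBSYSTEM_WINDOWS_GUI", 3: "IMAGE_SUBSYSTEM_WINDOWS_CUI"}
# Data-directory slots in PE specification order.
DIR_EXPORT, DIR_SECURITY, DIR_BASERELOC, DIR_DEBUG, DIR_CLR = 0, 4, 5, 6, 14


def pe_attributes(data: bytes) -> Dict[str, object]:
    """Parse just enough of the headers to answer the questions the page asks."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, _nsec, _ts, _symptr, _nsym, _optsize, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    is_pe32 = struct.unpack_from("<H", data, opt)[0] == PE32_MAGIC
    # Subsystem is at +68 in both PE32 and PE32+; the directory table moves.
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    ndirs = struct.unpack_from("<I", data, opt + (92 if is_pe32 else 108))[0]
    dir_base = opt + (96 if is_pe32 else 112)

    def has_dir(slot: int) -> bool:
        if slot >= ndirs:
            return False
        rva, size = struct.unpack_from("<II", data, dir_base + slot * 8)
        return rva != 0 and size != 0

    return {
        "is_32bit": is_pe32,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "executable_image": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, f"subsystem_{subsystem}"),
        # A Rich header, when present, sits between the DOS stub and "PE\0\0".
        "has_rich_header": b"Rich" in data[0x40:e_lfanew],
        "has_exports": has_dir(DIR_EXPORT),
        "has_relocations": has_dir(DIR_BASERELOC),
        "has_debug_info": has_dir(DIR_DEBUG),
        "has_security_info": has_dir(DIR_SECURITY),  # Authenticode certificate table
        "is_dotnet": has_dir(DIR_CLR),
    }


REPORT_LINES = [  # (key, text when True, text when False), in the page's wording
    ("has_rich_header", "File has \"Rich\" header", "File doesn't have \"Rich\" header"),
    ("has_debug_info", "File has debug information", "File doesn't have debug information"),
    ("has_exports", "File has exports table", "File doesn't have exports table"),
    ("has_relocations", "File has relocations information", "File doesn't have relocations information"),
    ("has_security_info", "File has security information", "File doesn't have security information"),
    ("is_32bit", "File is 32-bit executable", "File is 64-bit executable"),
    ("is_dotnet", "File is .NET application", "File is Native application (NOT .NET application)"),
    ("is_dll", "IMAGE_FILE_DLL is set inside PE header (DLL)", "IMAGE_FILE_DLL is not set inside PE header (Executable)"),
]


def as_report(attrs: Dict[str, object]) -> List[str]:
    lines = [yes if attrs[key] else no for key, yes, no in REPORT_LINES]
    lines.append(f"Subsystem: {attrs['subsystem']}")
    return lines


def build_minimal_pe(characteristics: int, subsystem: int,
                     directories: Dict[int, Tuple[int, int]]) -> bytes:
    """Synthetic header-only PE32 image (constructed test input; not loadable)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, characteristics)
    opt = bytearray(0xE0)  # PE32 optional header including 16 data directories
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, 92, 16)
    for slot, (rva, size) in directories.items():
        struct.pack_into("<II", opt, 96 + slot * 8, rva, size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe(
        IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_RELOCS_STRIPPED,
        IMAGE_SUBSYSTEM_WINDOWS_GUI, {1: (0x2000, 0x50)})
    print("\n".join(as_report(pe_attributes(blob))))
```

Point it at a real sample with `python pe_triage.py oupdater.dll`. Note that "has_security_info" only says whether a certificate table is present; it does not validate the signature.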
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe. The icon images themselves are not reproduced in this text version; the page notes that 184 additional icons are not displayed.
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.
| Name | Value |
|---|---|
| Company Name | SafiriAyo Byte |
| File Description | |
| File Version | 1.0.0.1 |
| Legal Copyright | |
| Product Name | |
| Product Version | |
File Traits
- dll
- HighEntropy
- x86
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system. The ns*.tmp directories under %TEMP% are the per-run plug-in directory that NSIS-built installers create; the recurring drop in every run is oupdater.dll inside that directory, and ~nsuA.tmp\un_a.exe is the NSIS uninstaller stub copied out of the installer so it can run while the original is removed.
| File | Attributes |
|---|---|
| c:\users\user\appdata\local\temp\nsa1a48.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsa8ff0.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsa8ff0.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsa8ff0.tmp\oupdater.dll | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsb6771.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsb6771.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsb6771.tmp\oupdater.dll | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsbc295.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsce1b3.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsdaa07.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsg3272.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsg5714.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsg5714.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsg5714.tmp\oupdater.dll | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsg74c4.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsgc94a.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsgc94a.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsgc94a.tmp\oupdater.dll | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsh1c71.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsh1c71.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsh1c71.tmp\oupdater.dll | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsh7c55.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsh7c55.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsh7c55.tmp\oupdater.dll | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsi1d3e.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsi1d3e.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsi1d3e.tmp\oupdater.dll | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsia458.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsia93c.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsia93c.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsia93c.tmp\oupdater.dll | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsj25ef.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsk661e.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsk78b6.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nskba3e.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsla479.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsldb9.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsldb9.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsldb9.tmp\oupdater.dll | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsm4928.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsm4928.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsm4928.tmp\oupdater.dll | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsma5b2.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsnaa45.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsnd705.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nso94dc.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsoa5c8.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsr6245.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsr6245.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsr6245.tmp\oupdater.dll | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsr9017.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsrcf4b.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsre2e5.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nssa890.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nssa890.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nssa890.tmp\oupdater.dll | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nssa97a.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsu1652.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsu1652.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsu1652.tmp\oupdater.dll | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsv821.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsvbc03.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nswd2d.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsx921.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsx9479.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsy511c.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsz1795.tmp\oupdater.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\~nsua.tmp\un_a.exe | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system. Most entries here are PendingFileRenameOperations pairs naming the temporary uninstaller stub (~nsuA.tmp\Un_A.exe) or its directory: these are delete-on-reboot requests (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT) that clean up the stub after it has run, not a persistence mechanism. Entries that also reference Microsoft EdgeUpdate, CopilotUpdate or C:\Windows\SystemTemp were recorded in the same sessions and may reflect other activity on the analysis host, so do not treat them as family indicators without corroboration. Several data values are truncated on the page and are left as shown.
| Key::Value | Data | API Name |
|---|---|---|
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Quxqwrnk\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Quxqwrnk\AppData\Local\Temp\~nsuA.tmp\Un_A.exe \??\C:\Users\Quxqwrnk\AppData\Local\Temp\~nsuA.tmp | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Inbnpjqx\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Inbnpjqx\AppData\Local\Temp\~nsuA.tmp\Un_A.exe \??\C:\Users\Inbnpjqx\AppData\Local\Temp\~nsuA.tmp | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Iarzsobn\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Iarzsobn\AppData\Local\Temp\~nsuA.tmp\Un_A.exe \??\C:\Users\Iarzsobn\AppData\Local\Temp\~nsuA.tmp | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Lnnmtfrp\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Lnnmtfrp\AppData\Local\Temp\~nsuA.tmp\Un_A.exe \??\C:\Users\Lnnmtfrp\AppData\Local\Temp\~nsuA.tmp | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Kgboenax\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Kgboenax\AppData\Local\Temp\~nsuA.tmp\Un_A.exe \??\C:\Users\Kgboenax\AppData\Local\Temp\~nsuA.tmp | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Kgboenax\AppData\Local\Temp\~nsuA.tmp\Un_A.exe \??\C:\Users\Kgboenax\AppData\Local\Temp\~nsuA.tmp \??\C:\Users\Kg | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Dmfmgjnu\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Dmfmgjnu\AppData\Local\Temp\~nsuA.tmp\Un_A.exe \??\C:\Users\Dmfmgjnu\AppData\Local\Temp\~nsuA.tmp | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Dgotnovb\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Dgotnovb\AppData\Local\Temp\~nsuA.tmp\Un_A.exe \??\C:\Users\Dgotnovb\AppData\Local\Temp\~nsuA.tmp | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Jzlfgkpk\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Jzlfgkpk\AppData\Local\Temp\~nsuA.tmp\Un_A.exe \??\C:\Users\Jzlfgkpk\AppData\Local\Temp\~nsuA.tmp | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Jzlfgkpk\AppData\Local\Temp\~nsuA.tmp\Un_A.exe \??\C:\Users\Jzlfgkpk\AppData\Local\Temp\~nsuA.tmp \??\C:\Users\Jz | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Ptuszrdv\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Ptuszrdv\AppData\Local\Temp\~nsuA.tmp\Un_A.exe \??\C:\Users\Ptuszrdv\AppData\Local\Temp\~nsuA.tmp | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Ptuszrdv\AppData\Local\Temp\~nsuA.tmp\Un_A.exe \??\C:\Users\Ptuszrdv\AppData\Local\Temp\~nsuA.tmp \??\C:\Users\Pt | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Qxzysxhv\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Qxzysxhv\AppData\Local\Temp\~nsuA.tmp\Un_A.exe \??\C:\Users\Qxzysxhv\AppData\Local\Temp\~nsuA.tmp | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Jwqokthb\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Jwqokthb\AppData\Local\Temp\~nsuA.tmp\Un_A.exe \??\C:\Users\Jwqokthb\AppData\Local\Temp\~nsuA.tmp | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Jwqokthb\AppData\Local\Temp\~nsuA.tmp\Un_A.exe \??\C:\Users\Jwqokthb\AppData\Local\Temp\~nsuA.tmp \??\C:\Users\Jw | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Klacbqki\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Klacbqki\AppData\Local\Temp\~nsuA.tmp\Un_A.exe \??\C:\Users\Klacbqki\AppData\Local\Temp\~nsuA.tmp | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Jdjjvjta\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Jdjjvjta\AppData\Local\Temp\~nsuA.tmp\Un_A.exe \??\C:\Users\Jdjjvjta\AppData\Local\Temp\~nsuA.tmp | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Wzknanrx\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Wzknanrx\AppData\Local\Temp\~nsuA.tmp\Un_A.exe \??\C:\Users\Wzknanrx\AppData\Local\Temp\~nsuA.tmp | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.205.9 \??\C:\Users\Xnnfsbbf\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.205.9 \??\C:\Users\Xnnfsbbf\AppData\Local\Temp\~nsuA.tmp\Un_A.exe \??\C:\U | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Windows\SystemTemp\fc81efa7-248e-4d73-9e4e-a7dce4cadc80.tmp \??\C:\Users\Hmmffums\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.205.9 \??\C:\Users\Kcbhrkty\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.205.9 \??\C:\Users\Kcbhrkty\AppData\Local\Temp\~nsuA.tmp\Un_A.exe \??\C:\U | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.205.9 \??\C:\Windows\SystemTemp\b1a39cca-eadf-4949-a384-a0ef6a3b3fd2.tmp \ | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Windows\SystemTemp\77e37ce0-8214-4414-aced-551c5ae204d7.tmp \??\C:\Windows\SystemTemp\e28eadcf-6ab0-4d8c-8821-7ce9a6aba1 | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Windows\SystemTemp\a9dd6c3f-d641-4292-855a-e9c09c1b694b.tmp \??\C:\Windows\SystemTemp\85968c61-a19d-4e7b-a80f-d2a1fc3c08 | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | *1\??\C:\sandbox_live\tmp\112215\3544\c\users\user\appdata\local\temp\~nsua.tmp\un_a.exe | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | *1\??\C:\sandbox_live\tmp\112215\3544\c\users\user\appdata\local\temp\~nsua.tmp\un_a.exe *1\??\C:\sandbox_live\tmp\112215\3544\ | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | *1\??\C:\sandbox_live\tmp\112696\5768\c\users\user\appdata\local\temp\~nsua.tmp\un_a.exe | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | *1\??\C:\sandbox_live\tmp\112696\5768\c\users\user\appdata\local\temp\~nsua.tmp\un_a.exe *1\??\C:\sandbox_live\tmp\112696\5768\ | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | *1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old122e4 *1\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old12352 *1\??\C:\P | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | *1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old5af52 *1\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old5af62 *1\??\C:\P | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | | RegNtPreCreateKey |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation. Only the categories are given on the page; the individual API names are not listed.
| Category | API |
|---|---|
| Anti Debug | |
| User Data Access | |
| Process Shell Execute | |
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity. Every command below is the same NSIS uninstaller relaunch: the installer copies its uninstall stub to %TEMP%\~nsuA.tmp\Un_A.exe and re-executes it with _?= set to the directory the original was launched from (here the user's Downloads folder). Each line is one analysis run and only the profile directory name differs. This launch pattern is common to all NSIS-built uninstallers, so on its own it is not specific to this family; the dropped oupdater.dll is the discriminating artifact.
"C:\Users\Quxqwrnk\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Inbnpjqx\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Iarzsobn\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Lnnmtfrp\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Kgboenax\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Dmfmgjnu\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Dgotnovb\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Jzlfgkpk\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Ptuszrdv\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Qxzysxhv\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Jwqokthb\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Klacbqki\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Jdjjvjta\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Wzknanrx\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Xnnfsbbf\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Hmmffums\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Kcbhrkty\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Ylswpzzj\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Khlwyxvg\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Amtisuwe\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Slezmtnx\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Eyhbbhla\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Lszxsvwb\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Kgvsucte\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Evgcmdho\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Xbqizrwi\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Gsuxgvcg\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Efltgiep\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Ernqarlg\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Soygjrtb\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Pngvgsji\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Vhakggsh\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Atxdvfsf\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Jyteknrg\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Cqnbnmyy\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Votzgwpe\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Pyxwgwcq\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Fmlgwrwu\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Oyjkucgn\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Skkaoaza\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Kdsyxbsv\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
"C:\Users\Dmmslsev\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
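The Files Modified, Registry Modifications and Shell Command Execution sections together describe one chain: a plug-in DLL dropped into an NSIS temp directory, the uninstaller stub relaunched with _?=, and a delete-on-reboot entry in PendingFileRenameOperations that removes the stub. The detection below is an added example, not EnigmaSoft's code, and runs over constructed event records modelled on the page's entries. The record layout (kind, path, cmdline, key, value, data) is this example's own and must be mapped onto whatever EDR or sandbox feed you actually have; the PendingFileRenameOperations pairing rules (empty target means delete, a leading "!" means replace-existing, "\??\" is the NT path prefix) are the documented Windows semantics.

```python
"""Behavioural detection for the NSIS drop / uninstall / cleanup chain recorded in the
Files Modified, Registry Modifications and Shell Command Execution sections.

Added example; not EnigmaSoft's code. The event records are constructed to mirror
the page's entries; the record layout (kind/path/cmdline/key/value/data) is this
example's own and must be mapped onto whatever telemetry feed you actually have.
"""
import re
from typing import Dict, List

# NSIS unpacks plug-ins to %TEMP%\ns<id>.tmp\; this family drops oupdater.dll there.
NSIS_OUPDATER_DROP = re.compile(r"\\temp\\ns[0-9a-z]{3,5}\.tmp\\oupdater\.dll$", re.I)
# NSIS uninstaller self-copy relaunched with _?=<original directory>.
NSIS_UNINSTALL_RELAUNCH = re.compile(r'\\~nsu[0-9a-z]\.tmp\\un_[0-9a-z]\.exe"?\s+_\?=', re.I)
UNINSTALLER_STUB = re.compile(r"\\~nsu[0-9a-z]\.tmp\\un_[0-9a-z]\.exe$", re.I)
PFRO_KEY = re.compile(r"\\control\\session manager$", re.I)


def strip_nt_prefix(path: str) -> str:
    """PendingFileRenameOperations stores NT object paths; drop the \\??\\ prefix."""
    return path[4:] if path.startswith("\\??\\") else path


def parse_pfro(multi_sz: List[str]) -> List[Dict[str, object]]:
    """Pair up a REG_MULTI_SZ PendingFileRenameOperations value.

    Entries come in (source, target) pairs. An empty target is a delete-on-reboot
    request (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT and a NULL new name); a
    target starting with '!' asks for MOVEFILE_REPLACE_EXISTING.
    """
    entries = list(multi_sz) + ([""] if len(multi_sz) % 2 else [])
    ops: List[Dict[str, object]] = []
    for i in range(0, len(entries), 2):
        src, dst = entries[i], entries[i + 1]
        ops.append({
            "source": strip_nt_prefix(src),
            "target": strip_nt_prefix(dst.lstrip("!")),
            "action": "delete" if dst == "" else "rename",
            "replace_existing": dst.startswith("!"),
        })
    return ops


def detect(events: List[Dict[str, object]]) -> List[Dict[str, str]]:
    """Apply the three rules and return one hit per matching record or PFRO entry."""
    hits: List[Dict[str, str]] = []
    for ev in events:
        kind = ev["kind"]
        if kind == "file_write" and NSIS_OUPDATER_DROP.search(str(ev["path"])):
            hits.append({"rule": "nsis_plugin_dir_drops_oupdater_dll", "evidence": str(ev["path"])})
        elif kind == "process_create" and NSIS_UNINSTALL_RELAUNCH.search(str(ev["cmdline"])):
            hits.append({"rule": "nsis_uninstaller_relaunch", "evidence": str(ev["cmdline"])})
        elif (kind == "registry_set" and PFRO_KEY.search(str(ev["key"]))
              and str(ev["value"]).lower() == "pendingfilerenameoperations"):
            for op in parse_pfro(list(ev["data"])):
                if op["action"] == "delete" and UNINSTALLER_STUB.search(str(op["source"])):
                    hits.append({"rule": "pfro_delete_nsis_uninstaller_on_reboot",
                                 "evidence": str(op["source"])})
    return hits


# Constructed telemetry modelled on the page's entries (not a real capture).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"kind": "file_write", "path": r"c:\users\user\appdata\local\temp\nsa8ff0.tmp"},
    {"kind": "file_write", "path": r"c:\users\user\appdata\local\temp\nsa8ff0.tmp\oupdater.dll"},
    # a generic NSIS plug-in in another run's directory: must not fire
    {"kind": "file_write", "path": r"c:\users\user\appdata\local\temp\nsb6771.tmp\system.dll"},
    {"kind": "process_create",
     "cmdline": r'"C:\Users\Quxqwrnk\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads' + "\\"},
    {"kind": "process_create", "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt'},
    {"kind": "registry_set",
     "key": r"HKLM\system\controlset001\control\session manager",
     "value": "PendingFileRenameOperations",
     "data": [r"\??\C:\Users\Quxqwrnk\AppData\Local\Temp\~nsuA.tmp\Un_A.exe", "",
              r"\??\C:\Users\Quxqwrnk\AppData\Local\Temp\~nsuA.tmp", ""]},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['rule']}: {hit['evidence']}")
```

Only the oupdater.dll rule is family-specific; the relaunch and delete-on-reboot rules fire for any NSIS-built uninstaller and are there to confirm the chain, so alert on the combination rather than on either of them alone.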