Релевантни знания
Показател за заплахи
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards са доклади за оценка на различни заплахи от зловреден софтуер, които са събрани и анализирани от нашия изследователски екип. EnigmaSoft Threat Scorecards оценява и класира заплахите, като използва няколко показателя, включително реални и потенциални рискови фактори, тенденции, честота, разпространение и устойчивост. EnigmaSoft Threat Scorecards се актуализират редовно въз основа на нашите изследователски данни и показатели и са полезни за широк кръг компютърни потребители, от крайни потребители, търсещи решения за премахване на зловреден софтуер от техните системи, до експерти по сигурността, анализиращи заплахи.
EnigmaSoft Threat Scorecards показва разнообразна полезна информация, включително:
Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Ниво на сериозност: Определеното ниво на сериозност на обект, представено числено, въз основа на нашия процес на моделиране на риска и изследване, както е обяснено в нашите критерии за оценка на заплахите .
Заразени компютри: Броят на потвърдените и предполагаеми случаи на определена заплаха, открити на заразени компютри, както се съобщава от SpyHunter.
Вижте също Критерии за оценка на заплахите .
| Popularity Rank: | 70 |
| Ниво на заплаха: | 20 % (Нормално) |
| Заразени компютри: | 1,448,820 |
| Първо видяно: | July 24, 2009 |
| Последно видян: | February 6, 2026 |
| Засегнати операционни системи: | Windows |
RelevantKnowledge е софтуер, който съществува в морална сива зона. RelevantKnowledge е широко смятан за шпионски софтуер, тъй като RelevantKnowledge ще събере огромни количества информация за вашето използване на Интернет и след това ще използва тази информация, за да събере още повече информация за вас. След това тази информация се продава анонимно или поотделно, или като част от обобщени данни. Като се има предвид начина, по който RelevantKnowledge е инсталиран на повечето компютри, малко вероятно е повечето от тези потребители да са напълно наясно с фактите за RelevantKnowledge.
Съдържание
Какво е RelevantKnowledge и откъде идва
RelevantKnowledge е продукт на компанията MarketScore, наричана преди Netsetter. MarketScore разработи и използва RelevantKnowledge, за да събира данни за използването на Интернет и да продава тези данни за целите на интернет развитие, търговия и развитие, както и за целите на икономически анализ, прогнози и инвестиране. MarketScore има история на предлагане на награда за регистрация на потребител на уебсайтове, които пускат реклами за RelevantKnowledge.
За да примами потребителите да инсталират RelevantKnowledge, MarketScore винаги е предлагал някакъв вид стимул. Първоначално те предложиха интернет "ускорител", който уж е способен да подобри скоростта на интернет връзката. След като бяха разкрити дупки в сигурността в този „ускорител“, който позволи на зловреден софтуер да се изтегля на компютъра, на който е инсталиран, и след като проучванията показаха, че софтуерът не подобрява скоростта на интернет, MarketScore спря да предлага това като стимул. За известно време те преминаха към партньорство със Symantec, за да предложат безплатен антивирусен софтуер, но Symantec прекрати тази връзка, когато беше разкрито, че RelevantKnowledge се инсталира умишлено през дупки в сигурността на браузъра на персоналните компютри на хората без тяхното знание или съгласие. MarketScore вече "предлага" безплатен софтуер като стимул, въпреки че много по-често срещаният сценарий е RelevantKnowledge да бъде включен заедно със софтуер за изтегляне, който не дава никакви външни индикации, че е свързан с MarketScore. Следователно много хора, които намират RelevantKnowledge на своите компютри, не знаят защо е там
Информацията, която RelevantKnowledge събира
RelevantKnowledge събира огромно количество информация за потребителя или потребителите на компютъра, на който е инсталиран. Той буквално следи целия интернет трафик от всякакъв вид, включително трафик към защитени сайтове, където потребителят поддържа или въвежда лична или чувствителна лична информация. MarketScore гарантира само, че ще използват „търговски жизнеспособни усилия“ за защита на чувствителната информация, която събират, което по същество се превежда като „каквото искаме да правим“. Освен това, в своето Лицензионно споразумение с краен потребител за RelevantKnowledge – което може дори да не бъде предоставено на всеки, който има RelevantKnowledge, инсталиран на своя компютър – MarketScore изрично заявява, че ще работят за създаването на изчерпателен профил за вас, свързвайки вашите записи с рецепти и кредитна история към вашата онлайн активност. Дейността, която MarketScore следи, не е само кои уебсайтове се посещават, а колко често се посещават сайтовете, колко кликвания се въвеждат и върху кои неща се щракват, какво въвеждате в сайтовете и дори заглавките на имейлите, които изпращате и получавате. RelevantKnowledge събира тази информация, за да я продаде, а MarketScore ще я продаде. Вашата информация може да бъде продадена като индивидуален, изчерпателен анонимен профил на заинтересована компания; или вашата информация може да е част от съвкупност. MarketScore не ограничава бизнеса си до обобщени данни.
В допълнение към изключителното ниво на интернет наблюдение, в което RelevantKnowledge участва, понякога това ще доведе до появата на изскачащи анкети и реклами на засегнатия компютър. MarketScore казва в RelevantKnowledge EULA, че тези проучвания са незадължителни екстри за потребители, които искат да помогнат и да предоставят повече информация, и може да има или не може да има участие в лотарии. Ако рекламите се появяват на компютъра поради RelevantKnowledge, те се насочват въз основа на интернет историята и използването на потребителя.
Текущо разпространение на релевантни знания
Тъй като RelevantKnowledge се разпространява почти изключително чрез изтегляне на безплатен софтуер на друг софтуер и се споменава само в средата на инсталационния процес, може да има пречка за потребителя да чете EULA. Например, да предположим, че се опитвате да инсталирате MKV Player, за да слушате някои аудио файлове. Изтегляте софтуера, който е описан само като аудио плейър, и по средата на процеса на инсталиране получавате екран, който пита дали сте съгласни да инсталирате RelevantKnowledge. Ако инсталирате софтуера само за начало, защото наистина искате аудио плейъра, екранът RelevantKnowledge е стъпка, която вероятно ще преминете, без да й обръщате много внимание. Освен това, ако този екран идва с огромно дълго лицензионно споразумение с краен потребител, колко е вероятно средният човек да отдели петнадесет минути, за да прочете това огромно парче легален текст? Ако инсталирате софтуер доброволно и това е софтуер, който искате или трябва да използвате, може просто да имате добър стимул да прекарате времето си в четене на това споразумение. Тогава обхватът на това, което RelevantKnowledge следи и съхранява, е огромен – всичко това заради малък екран в средата на съветника за настройка за нещо друго.
Премахване на RelevantKnowledge
RelevantKnowledge може да се деинсталира чрез контролния панел; обаче RelevantKnowledge често се съобщава, че е доста объркана деинсталиране. С други думи, RelevantKnowledge оставя нещата зад себе си и може да не деинсталира всичко, което е настроил RelevantKnowledge. Поради това, заедно с натрапчивия характер на това, което RelevantKnowledge събира и съмнителната история на RelevantKnowledge за стимули и методи за инсталиране, RelevantKnowledge има репутацията на шпионски софтуер, независимо от публичното съществуване на RelevantKnowledge.
Може да се наложи да използвате софтуер за сигурност, за да премахнете RelevantKnowledge напълно. Като цяло е добра идея да бъдете много предпазливи относно софтуера, който идва в комплект с безплатния софтуер, за да сте сигурни, че разбирате напълно какво инсталирате. Ако не сте добре с това, което прави RelevantKnowledge, внимавайте да се отървете от него. 
Псевдоними
15 доставчици на сигурност сигнализираха този файл за злонамерен.
| Antivirus Vendor | Откриване |
|---|---|
| Comodo | ApplicUnwnt |
| K7AntiVirus | Unwanted-Program ( 00454f261 ) |
| Ikarus | AdWare.Agent |
| AntiVir | Adware/Relevant.G.1 |
| F-Prot | W32/MalwareF.BTCN |
| Ikarus | not-a-virus.AdWare.RelevantKnowledge |
| Antiy-AVL | Trojan/Win32.Buzus.gen |
| F-Secure | Gen:Adware.Heur.oq0@Ri0L15ai |
| NOD32 | a variant of Win32/Adware.MarketScore.A |
| Avast | Win32:Relevant-W [PUP] |
| F-Prot | W64/Relevant.A.gen!Eldorado |
| F-Prot | W32/Relevant.B.gen!Eldorado |
| Fortinet | Adware/Marketscore |
| AhnLab-V3 | Win-Adware/Relevant.381968 |
| AntiVir | ADSPY/NaviPromo.J |
SpyHunter открива и премахва Релевантни знания
Подробности за файловата система
Релевантни знания може да създаде следния файл(ове):
| # | Име на файл | MD5 |
Откривания
Откривания: Броят на потвърдените и предполагаеми случаи на определена заплаха, открити на заразени компютри, както се съобщава от SpyHunter.
|
|---|---|---|---|
| 1. | pmls64.dll | bf28695cebfdcf2d038544fb359a25ff | 346,010 |
| 2. | pmls.dll | a415904cfeb2ca79617596bf8f460add | 151,078 |
| 3. | pmservice.exe | 66b3990b7e76c23bbca1e20f821bb923 | 133,307 |
| 4. | pmropn.exe | 9b81532c317fd0fe7bcf8fcc578ecfb5 | 14,899 |
| 5. | pmropn64.exe | 27cf40b379c2c410a94a5829c25141a1 | 13,144 |
| 6. | free shortcut remover update.exe | 98fd767876d8906e29a3128b2b8d43f2 | 11,426 |
| 7. | 4baee42194386bf9ec758717968ff1273113fe8b0113a4d63a2a72fb0d0b5908.exe | f05c01b0017d23c5eee0003522423ba7 | 1,361 |
| 8. | 7be0c0d8767d0721ccc1f21fd19832b17f0b4548a0eaa2ec9160f862a7e91f31.exe | 7aa3b379c752bca29e976c20ac8602d3 | 17 |
| 9. | 11088e6c98e75b7241391b941d18e28bdc629db815a50cbfe0f89d6007f5ddbb.exe | a6263197228b08b66cda379d0a881066 | 0 |
| 10. | 1759b35695e107ed90c3407dea508b7755eebb9a0a11ead2cc46cadf5ce7c043.exe | fc7f9f222f7b3bb4970b1b0e1e23c267 | 0 |
| 11. | 176d1d3b509b5483a06c445c8b124cea2df148bcc2bfd67eb6e580e046b0a28b.exe | 0465243241685106efa24f323075b86a | 0 |
| 12. | 180d5c479ba4f710c94f32ef7d5580d1fb3cbd283794a6c1b14822ddd5a056d2.exe | 4d1c2f8555fc6816850c8d236d0bcec5 | 0 |
| 13. | 2748a1f619f4ef2bda18962e5d779167153f96dbaa631127e391680af40247d0.exe | 6121dbae46a742059cb12b7177ae891a | 0 |
| 14. | 2941921f8011db542040419a69c4ab22564b05b5d011f91d0adf749acf5a8be9.exe | 8e679932164c600ebbd02bd12f50090f | 0 |
| 15. | 2a980811c0dc7d5e216b811b4d3dfcb0a31cc6b0ca3525e389465c4cbbf10d91.exe | 8a5e85da25b62474a7c338459c02282b | 0 |
| 16. | 335506c31b20c766ce3dfd96bc310913bdd8d3418f4511835fa0c02195fd8045.exe | 4cf6df5013e5e32e75cadf0491f8a546 | 0 |
| 17. | 342436f7117dc1462bcce6308bb0a6dfdca5d1b13d5baac5b0f6fbe024560ad4.exe | 7c099ecebac8fbb1fbc76529f70e614b | 0 |
| 18. | 376f761a10a021bb85ff963b3296c2d24781cb8e7784530b5b776cba11cfdd9a.exe | bf5043fad6ca03c3adea623ed9fc2d01 | 0 |
| 19. | 41ed6f2401d252b04b1256681319513481afb395639d8d69a952c247baf65c1b.exe | 22afac2d92b581f54f51a0e8d0bc5fd5 | 0 |
| 20. | 4533f258329ed771bc4ee7baccc3d1c49fb5177e5ba2b47c6ff64ba9a64ff2bd.exe | 57bcaaab0f52b258b86c012e3ba1f4e0 | 0 |
| 21. | 492555f00f169c0313a2f2475413e5a8a20d56e7961281199442a11d02027f11.exe | b4594c4351373dff7a7d625c18b26013 | 0 |
| 22. | 4c4cc87b563faa67758c77981e4c355a063d921b1eebe01b8625f0ce34a90313.exe | b9b8a6c81a57fe19eaa612a606ebc685 | 0 |
| 23. | 501fb612e7ee56f028d23c8bc8fd0cd25267a614d9c816dee8cbe2bea72879ab.exe | 20c4e0e55ef3246d3460c5545f6f8113 | 0 |
| 24. | 5179ef9d4b5156867fcc27603d8d8bba55a5785625202814c6874b71ebb273b5.exe | a365b824bd165a27ed993a1dda1e7dc1 | 0 |
| 25. | 730137216397b85b88fe7f495a48da96180626cc2ec8df671c8e557698739d86.exe | 421e1a7a9f09f52b9a34b8e198e8db30 | 0 |
| 26. | 81d289332f71305d5451e3d4e94171e644c41c9c47eaa886da1753460ebda133.exe | 219d99c19ab97e26ab7ad5d7c2104e53 | 0 |
| 27. | 8c569cbcac09c770448d637ed19094329e25e0ff3f0d84d54e647ff1fddc61c4.exe | 3ae26d41e83f8d0f1de0e43f5b4d8c7e | 0 |
| 28. | rkban | 6c41be2fb73b484e73afe4bbfbc08b84 | 0 |
Подробности за регистъра
Релевантни знания може да създаде следния запис или записи в регистъра:
File name without path
rewards.opinionsquare[1].xml
Regexp file mask
%WINDIR%\system32\pmls.dll
%WINDIR%\system32\pmls64.dll
%WINDIR%\system32\prls64.dll
%WINDIR%\system32\rlls.dl_
%WINDIR%\system32\rlls.dll
%WINDIR%\system32\rlls64.dl_
%WINDIR%\system32\rlls64.dll
%WINDIR%\SysWOW64\pmls.dll
%WINDIR%\SysWOW64\rlls.dl_
Software\GUPPY\RKSURVEY
SOFTWARE\imalcom
Software\Microsoft\Internet Explorer\DOMStorage\opinionsquare.com
SOFTWARE\Microsoft\Tracing\rkinstall_RASAPI32
SOFTWARE\Microsoft\Tracing\rkinstall_RASMANCS
SOFTWARE\Microsoft\Tracing\rkinstaller_RASAPI32
SOFTWARE\Microsoft\Tracing\rkinstaller_RASMANCS
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PremierOpinion
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RelevantKnowledge
SOFTWARE\Wow6432Node\imalcom
SYSTEM\ControlSet001\Services\OpinionSquare
SYSTEM\ControlSet001\Services\PermissionResearch
SYSTEM\ControlSet001\services\PremierOpinion
SYSTEM\ControlSet001\Services\RelevantKnowledge
SYSTEM\ControlSet002\Services\OpinionSquare
SYSTEM\ControlSet002\services\PremierOpinion
SYSTEM\CurrentControlSet\Services\OpinionSquare
SYSTEM\CurrentControlSet\Services\PermissionResearch
SYSTEM\CurrentControlSet\services\PremierOpinion
SYSTEM\CurrentControlSet\Services\RelevantKnowledge
Run keys
RelevantKnowledge
{4FFDD113-2C3C-453E-845C-D5DD6DB90CEF}_is1
{d08d9f98-1c78-4704-87e6-368b0023d831}
{eeb86aef-4a5d-4b75-9d74-f16d438fc286}
Справочници
Релевантни знания може да създаде следната директория или директории:
| %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\OpinionSquare |
| %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\PermissionResearch |
| %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\PremierOpinion |
| %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\RelevantKnowledge |
| %ALLUSERSPROFILE%\Start Menu\Programs\RelevantKnowledge |
| %APPDATA%\Microsoft\Windows\Start Menu\Programs\RelevantKnowledge |
| %PROGRAMFILES%\PermissionResearch |
| %PROGRAMFILES(x86)%\PermissionResearch |
| %PROGRAMFILES(x86)%\tns-global |
| %ProgramFiles%\OpinionSquare |
| %ProgramFiles%\PremierOpinion |
| %ProgramFiles%\relevantknowledge |
| %ProgramFiles(x86)%\OpinionSquare |
| %ProgramFiles(x86)%\RelevantKnowledge |
| %appdata%\relevantknowledge |
| %temp%\PremierOpinion |
Доклад за анализ
Главна информация
| Family Name: | Adware.RelevantKnowledge |
|---|---|
| Signature status: | Root Not Trusted |
Known Samples
Known Samples
This section lists other file samples believed to be associated with this family.|
MD5:
7adb806323c20e37e2f0a38a244bd257
SHA1:
6732dfa107d8220418c64a9fc8a4d9faacb1b9c8
Размер на файла:
4.03 MB, 4032328 bytes
|
|
MD5:
289a6799d6b06cd95426719a7a6fa174
SHA1:
e0410ae4970afaa8b0832be9424a6af40365074f
Размер на файла:
4.03 MB, 4032312 bytes
|
|
MD5:
55eb7356cae6fc33497e52d97300f24f
SHA1:
b57fded19d5f8970070d7b65f89cc39ca8a9608f
Размер на файла:
4.03 MB, 4032320 bytes
|
|
MD5:
25517d2e1fe1398966a8adf9a0517bfd
SHA1:
c397ff387c923d46b5a34cb800bb37e64c58ee8b
Размер на файла:
4.44 MB, 4436687 bytes
|
|
MD5:
7ab467597773dfe75011608d7c68c30f
SHA1:
83ff4e4ff1e2fa18bf3816c0a88d3bfd6d9be03d
Размер на файла:
4.03 MB, 4032320 bytes
|
Show More
|
MD5:
89354ab46fd3c86b7dc8d8106a9c8f36
SHA1:
b346304edb814328fb6722831f11d938276e638c
SHA256:
A8755089E12E3630D71B744BEEB69625E87F20246626803115F8D0BAD5BE4B63
Размер на файла:
4.03 MB, 4032304 bytes
|
|
MD5:
a08cf96668d28640a491e62de2804d9f
SHA1:
e254734bd77f3fa6f67e7f60b3f5993832b04114
SHA256:
BEDCA175CC24AFDB37A72A1010472B4265EDF4AB41B6C8576741865E9F6ACE85
Размер на файла:
4.03 MB, 4032312 bytes
|
|
MD5:
2243e3395e67316b417b71e318f00e3f
SHA1:
54375804cdf8f0b2502af6ffa14dad4923ea699c
SHA256:
18CDD08D61082C4829065F8FD0994BE3F1A77A39F65C32420F5D9BF8274A75ED
Размер на файла:
4.03 MB, 4032328 bytes
|
|
MD5:
3d722f6828fe0335205f5297ef372ff5
SHA1:
a9341788bef4e592d7d2fcfee37d717603b473e1
SHA256:
0A15207C22DAE739039E1384A488D2F82B9D2245BF466CC70D26A01375475885
Размер на файла:
4.03 MB, 4032328 bytes
|
|
MD5:
13d4fdb27433b4271a4ecd8f895dfdbf
SHA1:
bba77edda1052efdc1a12ed531c1908cca265f9c
SHA256:
4B3D05F6F1CAD6153D7613B1C6F4C751816A2A1BFF83BA33292BCBFEB30EB63C
Размер на файла:
7.46 MB, 7461859 bytes
|
|
MD5:
b985863e57aa7aefcd7fb497fafd1f5a
SHA1:
1599c1a04106e9eef31dc94e013f8c6400cd8805
SHA256:
879014927ECFB9AA6E42F190EA4D4089161933F22B7114A32F8DDC0CC560EB28
Размер на файла:
2.14 MB, 2141162 bytes
|
|
MD5:
464b25f9f28303e43bffed42cfede9fb
SHA1:
71353e42c1a6eae6d92d8d8f3214633c7928f0fd
SHA256:
280BF0BDACB0693FE88092E83EE4D2AD82903C0545FEE3A3993BF643E8D3F69F
Размер на файла:
4.44 MB, 4436687 bytes
|
|
MD5:
e37f71139077d08b887b35278660c6d1
SHA1:
71d9e90e5fca7aa8a9b961122e9431b6d74d3618
SHA256:
4875448693E5488369566303BBF1260280897ECE15C4ACC80DE64AE4C7D73D09
Размер на файла:
4.03 MB, 4032312 bytes
|
|
MD5:
49588a95e6609563cf68694815da5440
SHA1:
a1481718c38d7fe83077af85f9c9183bed21ba4e
SHA256:
446D61C1764DD017DFC903754FF164B097A2A55151A5F3CB5B45F89D413AB745
Размер на файла:
4.03 MB, 4032312 bytes
|
|
MD5:
2cce5f7bb08c718c800250e3f85dac6b
SHA1:
ef92499a7bdb1cf7405c45d5572b64d2cfd08a71
SHA256:
F6F49166778B09788715B9B594308EC8C73AB26007E0BB8C5077CEC95A8FE6E0
Размер на файла:
4.61 MB, 4612184 bytes
|
|
MD5:
fd6009049384ea8933791bb1432d7851
SHA1:
5a132f1cba909b90b64f42625c429a3b85af9bcc
SHA256:
8FBEA18A1C8812E8BEC77CE7990C412F7576D6712EE155F31C46EB42C45F17DD
Размер на файла:
972.06 KB, 972056 bytes
|
|
MD5:
e5df7505d76d312dc5ac5c4564188599
SHA1:
51d6608cf7a6e1602d030476f2e9be8440a7e872
SHA256:
9727DE0EF297390616AB4300C73EF49CD6F220CD0874C456B9805E7AC8D37A1E
Размер на файла:
4.03 MB, 4032304 bytes
|
|
MD5:
2ab15ff4b229a5be82fc04c20a68dd10
SHA1:
e751e6ff670f4aa6340f30cdeb44c49bb80af788
SHA256:
0D59B8057326F693DF06E831E7E77BCD39A501D764F2110FDC23E7B9CBD75099
Размер на файла:
4.03 MB, 4032304 bytes
|
|
MD5:
24d64ceb00853e8cb7793b58b28363bf
SHA1:
b71d696f3dae1cd229eba11508e3ff807aefcffe
SHA256:
205D4058AF96C96474ECDB4A5ED4D2940CAB3CF8E1AB7039BD3B55884EDFD365
Размер на файла:
4.03 MB, 4032328 bytes
|
|
MD5:
66c581d869bb964e74a26636b31f0cc6
SHA1:
f456867bafd264471a45ad116f413c26fed88db9
SHA256:
C5C20FB8599D14EF4F8F7E2DB7D5A58C27D822A1C23A0478E2CA25F0688963B6
Размер на файла:
971.54 KB, 971544 bytes
|
|
MD5:
7f7f37d1a9b4d8bc7a4f3a1243c379cd
SHA1:
75cfb0fd47dafe51e95be5c8ed16392f956d261a
SHA256:
59B70026B0264706DBF3DCA9F7C43777BB3294C8FD741229CE276FE67EBA621A
Размер на файла:
223.51 KB, 223512 bytes
|
|
MD5:
1f3b2ab13f584b99fe0f0f81d9dca5e4
SHA1:
9c4aa98ae929effa5e2c1a57681c421ddb353d2c
SHA256:
4937FB251B0E0FDD64E1720AD8B2A7730C2CFD8E969A13CD7CC4347ED4EBAFF0
Размер на файла:
223.51 KB, 223512 bytes
|
|
MD5:
9905a66ecf70c23e965cd6320f052bf5
SHA1:
91fe5bf17d497fabd4279e869d3abd5af14481b6
SHA256:
BA35E2DBBC68729A0676D7E957F6079932FCBDE8B297890A4A4B6808516112E2
Размер на файла:
4.03 MB, 4032328 bytes
|
|
MD5:
4e8f54665c395c9feba502a0739b2922
SHA1:
0c648fc2bc8532e785b4f962dab6e5f24e57f18a
SHA256:
4BD8D49EC2BC559E5574EC7C98A20BEF43178242D825481C6CB5D4DC7837BC50
Размер на файла:
3.12 MB, 3119472 bytes
|
|
MD5:
a9115fb5fc903998845d8b14fb35d2e3
SHA1:
2fe0832d7041939c8120d9314c0a0371419215c3
SHA256:
CD86103DCF0DD1EEF7029AFEEAA6912478639C8E0D1C543D5F5C36DA337F7F2B
Размер на файла:
2.09 MB, 2087906 bytes
|
|
MD5:
c98be5ce34050ee4a81aaf2808545a35
SHA1:
b558641e5feb20e4eb3e342ccb09814551a61df5
SHA256:
05D899FD6C40702E346F6AD22968EDE1C9D13D0937F644228E00270138B1EDA5
Размер на файла:
1.04 MB, 1041408 bytes
|
|
MD5:
afdb9f6cd041ab5ce5fe53bc53615c2c
SHA1:
f8598d39ccd2d024adf2e9fedecca2a2967842e5
SHA256:
69079FDFBFE8A23096EF62C5459B7B2D855B32769B51E982A2FD13809D494492
Размер на файла:
8.35 MB, 8352768 bytes
|
|
MD5:
905c59948e628daefe9f2bcb0bb2a2af
SHA1:
0db2c101df8d3312a7849058cdd75024622717ba
SHA256:
DC74582F1F397EF3CC35FA97B86FDEF0DA0D162CF7D4458020D22E4155546D0A
Размер на файла:
4.03 MB, 4032328 bytes
|
|
MD5:
20eb40af892fabf7e74d1e64081ca481
SHA1:
6683863abaefb1f8d9b201f5af316731655ea4b5
SHA256:
F76C45AC8440C5A36096D7956BDF933BFFF268469D1A73573C7F001F790DAFA1
Размер на файла:
4.84 MB, 4844208 bytes
|
|
MD5:
b9c15f13cc41340e20b5a186fbe7b955
SHA1:
3984f8956d06e6d315c715dd9cb9738b95442d1d
SHA256:
0D599EEE60F9D359FBBDE8375B6B0206FFCF7575B1F7924C718A78E7EF9B720B
Размер на файла:
4.03 MB, 4032312 bytes
|
|
MD5:
2f0b79476337fe7621f2e1332645241c
SHA1:
c84769cb274c89a0530f912a1af88e25373cbda7
SHA256:
847AF760FE5C26F75FF7E010991A1AB9C5718F5E8E3B7F029211A334BBFC7F7E
Размер на файла:
1.07 MB, 1068861 bytes
|
|
MD5:
da4ac444f3c8325572bc88bd1125a699
SHA1:
4eea95f272dfd4e2b7b9ff75447bb64e3ac37975
SHA256:
BD6805E0ACBAE901592586900EB0587B53E6390765257E22A7ED6236D6DBC34A
Размер на файла:
4.03 MB, 4032304 bytes
|
|
MD5:
315095ca3924afb85a747b9c372d9624
SHA1:
79fe00d2f314f70fcfbb3df9df6e2f155db889bd
SHA256:
F61100471C0F8F4DC819306BA1243A5A1A0F2FF364E5CC88EC5361E03E1C6813
Размер на файла:
4.03 MB, 4032288 bytes
|
|
MD5:
4dc582bca66d523ed80ce00f6d8b4577
SHA1:
a0488570772718c149e5fbd1ce177930d74cee5b
SHA256:
10BA1C7A0A9906032CD2CD990DA449C122FB6E59A98472603EEF4237279D7E71
Размер на файла:
3.44 MB, 3438315 bytes
|
|
MD5:
22bd2d12e7ab3e832d86862d174408d7
SHA1:
245b87d039f094866b1d6da426633a25cf347b59
SHA256:
7EAA697CEC6097FFC91239F8BEFBA5EF94036C72C3EFC4A60FA78F91EA2C2821
Размер на файла:
4.03 MB, 4032328 bytes
|
|
MD5:
b2570ae4d7bf2efd60730d54b8552abe
SHA1:
2c0edcd67dd51cd419bf9feb388ceabb68fc8f3f
SHA256:
B9759CB1410FF1C154778F14E985F746DC0D2048F2C02D2CFD6528333F1737E7
Размер на файла:
4.03 MB, 4032320 bytes
|
|
MD5:
db6b31e1f9410c6798f3857d94a01532
SHA1:
d01036dd354933bd37b885d729aad259b79fa61a
SHA256:
03BDC9EDF2DB450A6ECCD2DF4F9F7B61FFFA72B249019F45C5DA361B584468FE
Размер на файла:
4.84 MB, 4844360 bytes
|
|
MD5:
5b50a8bedfcea32b918fe9894da2e648
SHA1:
2362bb5eae8de5f18210e5f0846c188c84a3bf07
SHA256:
CF196D72427361AA2136EF232BFD9BEA9116EE8B2F829039C808639F61D81B69
Размер на файла:
4.03 MB, 4032312 bytes
|
|
MD5:
4f692b80f4e28301e62e422432527a00
SHA1:
e8ff4664c0ae189768d0c41ce1244e255f5002dd
SHA256:
5699ECD65B4D7E5CB452E0018CF8B92593EAAA7DB994F352A279B823BEA2036A
Размер на файла:
4.03 MB, 4032328 bytes
|
|
MD5:
4da0fadf5599d35a72497564620d5c21
SHA1:
988e05fd38ef56ccc48029c10f300fe935b88129
SHA256:
AE90BDB210AD4F6DC9C2997BFCEAC529B325777432168726F308389430FBCDD4
Размер на файла:
4.03 MB, 4032304 bytes
|
|
MD5:
1ecf3866ef03369e5e40fe66f1593001
SHA1:
ddf35c0238dd107178aaa2212fd08baff69a801f
SHA256:
EB336544F0D17A9085690D209F4CB8284D5F1A5187A10ADBA1C64F2DFE5D8191
Размер на файла:
4.03 MB, 4032320 bytes
|
|
MD5:
973adc4aa699620fb888d0c392f1d488
SHA1:
3e4a8b8fc872e5fb999d1d315a8413e3f88d3ba6
SHA256:
C1DF08C92CA33081D9C19A9C0341630A5FE7BE0505C0A744D7C22158AD90764A
Размер на файла:
7.70 MB, 7697639 bytes
|
|
MD5:
2de70f5829bcbcb70bc24c4b8841f077
SHA1:
62f9a917280faeba51338f2e583968c58d0318de
SHA256:
8233BB28BC0A4075BBCB25A14E999C967F869F3E8A2749FBF8B5E31600AA9D95
Размер на файла:
4.03 MB, 4032312 bytes
|
|
MD5:
a931da58e2f073a4caccd46e7b1d4855
SHA1:
58af359924d63c47c80452bcef1e5aa7e1260c6d
SHA256:
C764B8B2150B0107DDE07BE06AEA7173AB3AC6DBC6DA16E15F7A58333E6FB351
Размер на файла:
4.03 MB, 4032320 bytes
|
|
MD5:
8eb9eb5c81b439a03810d31106b0663f
SHA1:
fad90dd7a0c207cc92c6416d8acef3dfc41f21a2
SHA256:
34156DF9B062C80463E77E45D0D0439A546E79EC112A1F2AFE2AEC5B2E2BCC68
Размер на файла:
4.84 MB, 4844360 bytes
|
|
MD5:
9a91210038a72e6e1b8b06094991d2aa
SHA1:
d88907cf90ca08ac4cd591de3713d244f3853c9b
SHA256:
1AB003A28A8FE44B064C7F6587E3FBBE9AE91ADA40E0968ACC3D4BA59B410DEC
Размер на файла:
4.03 MB, 4032312 bytes
|
|
MD5:
d74ae0f5548a32937207b0d14cd8a970
SHA1:
45efe6630b008b59e7ab972376351317e8248494
SHA256:
6961D193A0B1001CC12DB45F57B24436A471966A19177752E5286EB44EE7C39A
Размер на файла:
4.03 MB, 4032320 bytes
|
|
MD5:
ba18651c4a25021e414d29c4a3b32996
SHA1:
cf399a12d066526e3c56dd416a5259aaf57c9da0
SHA256:
DD2E4C74E684A72BEDF15ECE2264F254750A35DB77B93E8FEC46419F38E1CD2C
Размер на файла:
1.13 MB, 1127752 bytes
|
|
MD5:
c8a1427076e2f5d4fe03bfe8adc3278a
SHA1:
ec8d7feb5642d6ad476cea35b8f84dce70b11aae
SHA256:
79A47ECCC2597306C14A2E2DF091224C86BC81F4E58FB595854090F963B2DC08
Размер на файла:
4.03 MB, 4032312 bytes
|
|
MD5:
7f2d75689d59a76e2a8643ddaba0921e
SHA1:
c8407065c01716ecf7e9e4bb97f05911987a801b
SHA256:
0FA9AF16589F1E96B39F9AD3D5B582B6193D69B9E0F5DA0028F293E6E1695667
Размер на файла:
7.78 MB, 7784776 bytes
|
|
MD5:
999ac1b10ffec80d06ac8dbc61dfeda6
SHA1:
3189fd81376058398976e692f1682006b5049129
SHA256:
A2661CB119B7362F236CA230A2530F061E8868544AA36B8610955B1859E82ABD
Размер на файла:
4.03 MB, 4032304 bytes
|
|
MD5:
4a8123a699f08f7e9a78b5fff5054dd9
SHA1:
29266860d9c68b299523acd6762ef9e3404114a4
SHA256:
608206E74DA34950EBA485596122EC9CBF75711BF2AD0CE420798E883347E552
Размер на файла:
4.84 MB, 4844360 bytes
|
|
MD5:
db60c6f1f5ae34ce450565cfd8ce9eaf
SHA1:
df98f34ab41b7a17f3e2cedd3180213674477e9e
SHA256:
3A52188470DA51568CA8A406571C94079DC9487800205DF8BD1D1F410B9E866C
Размер на файла:
7.78 MB, 7784776 bytes
|
|
MD5:
8af7f195b6b0cb79689806397c6fc2b5
SHA1:
46f572289af39c70ff5f369eebdbc48d486e3d3e
SHA256:
1B1C40D023089EC6822785B4890DBC988EA70E64B315BFB70328618E0E800494
Размер на файла:
4.84 MB, 4844360 bytes
|
|
MD5:
89e5669346315012d262cb6a494bd912
SHA1:
bf103f30a71e0378b43d3ecd541703dae9211c27
SHA256:
F161CCADAD0B0EAE920D499F1DC51AD62D10664CDDDCA839E36A92C6239E965D
Размер на файла:
7.83 MB, 7829574 bytes
|
|
MD5:
26bbb545e16fd405c9e975567da303e0
SHA1:
41c5ef8151b8d8b851ad5ebf43aebb3475655e65
SHA256:
B75BB37DFBA4ABDE583A2CF3228B8F82027C1E94EFD35AA2A0A0D0CA062BCA95
Размер на файла:
4.84 MB, 4844360 bytes
|
|
MD5:
4be353a21822240111f6f754bd493d8c
SHA1:
8210a2993fae39ce95c05a24dfc10597c148ba75
SHA256:
D2BD38C24C774CB4B6121430F4CFA7B088A5C1A513F02EC43EDDEEDA7A5CD8A5
Размер на файла:
1.13 MB, 1127752 bytes
|
|
MD5:
fcd54d271c5b3f0e785f64ad9f1a95c7
SHA1:
caad4ba175a0c4e468303598c364c1893650426b
SHA256:
5F87DBA226C5B48B3FAAF7971F59012DA8005CE971BCFBB6AA6AFD726E6996D0
Размер на файла:
4.03 MB, 4032304 bytes
|
|
MD5:
4e1e5db4f5c1d7f22bb24dc83579b5ed
SHA1:
e6555e3618ace36c38087462ff8f8e2ba16ac55a
SHA256:
D3BB754CB9F4BD53245AACFA94F7076B2969DCE4F463B3683207EDE372545385
Размер на файла:
4.03 MB, 4032296 bytes
|
|
MD5:
ed74f579509577d3732102db29ef334e
SHA1:
714762f97211f716a7434722caa0cf4c52afbfa2
SHA256:
63170E93F36FC0314612970082CBF9D82379C16F0637C7B7C151929C760E85A5
Размер на файла:
4.84 MB, 4844360 bytes
|
|
MD5:
8937845e75da674ec6763994a1ce7686
SHA1:
694fd652bd06e7b7b60f805f4b0e9c6e11a879e5
SHA256:
EF079D40DE586F4FB67EB4A903173405687145CA7CDF8976DB9CA2DB94CDED69
Размер на файла:
5.50 MB, 5505000 bytes
|
|
MD5:
89dc37f5f05ad6e36b297ba82e00a02d
SHA1:
4ffa53654e57a3fdd4a87c09a353cef3d15280ed
SHA256:
6C94F931A40C8710E0C5D745868733D1C5BF0085254033B8F9CB11CD58EFB663
Размер на файла:
4.03 MB, 4032304 bytes
|
|
MD5:
08bfe2c821ec9e2127d6615dacb75d30
SHA1:
0a166f2869cdac43a1179322ff2946eff4e8ea65
SHA256:
30DDDFDFE2321F7EBB73B50E4C22B4E6A757263615FAA8EFFF333487F7ADAC4D
Размер на файла:
4.44 MB, 4436687 bytes
|
|
MD5:
57233ca73131538fa72c47d987002b99
SHA1:
529a9f259ff8eb3ed358c72aef19272a588fc90f
SHA256:
7D07CBB4217D5AC3CF09070DFA593936D7226C69DA20FD87B6034496FCD86B7E
Размер на файла:
905.54 KB, 905544 bytes
|
|
MD5:
5420e8f8b7cf1e5a34785002b3507067
SHA1:
715370be45dd794668a217c80d4363744c3eadd2
SHA256:
2236FE131AD4B6C9888342CD0BD10AEBA48C8A28A2A5F755B4CE1F29B1F35B89
Размер на файла:
4.03 MB, 4032328 bytes
|
|
MD5:
3a5139e4fb850acebc9b853f982791dd
SHA1:
7babc99d87ba753abdd7c40291974e87a054710c
SHA256:
CEB87069F699DDF595122AA7839D1ED29613952FD14482A2866CD75B53A06A6E
Размер на файла:
1.35 MB, 1351488 bytes
|
|
MD5:
11cb7ec458b056304028e800efb2fdfb
SHA1:
69e29f3bc4347f4c0876a48e08afcc7a8a674c09
SHA256:
A57832A74B2C0AD565D22E57287DED4379C7DD11CAC099584CCEBEFB435A0335
Размер на файла:
4.84 MB, 4844360 bytes
|
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File has exports table
- File has TLS information
- File is 32-bit executable
- File is 64-bit executable
- File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
Show More
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.| Име | Стойност |
|---|---|
| Comments | This installation was built with Inno Setup. |
| Company Name |
|
| File Description |
Show More
|
| File Version |
Show More
|
| Internal Name |
|
| Legal Copyright |
Show More
|
| Original Filename |
|
| Product Name |
Show More
|
| Product Version |
Show More
|
Digital Signatures
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature’s root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy “Self Signed” digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading “Signer” names.| Signer | Root | Status |
|---|---|---|
| ChrisPC Software SRL | COMODO RSA Code Signing CA | Hash Mismatch |
| ChrisPC Software SRL | COMODO RSA Code Signing CA | Self Signed |
| TMRG, Inc | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | Self Signed |
| VOICEFIVE, INC | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | Hash Mismatch |
| VOICEFIVE, INC | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | Self Signed |
Show More
| VoiceFive, Inc. | Sectigo RSA Code Signing CA | Root Not Trusted |
| VOICEFIVE, INC. | USERTrust RSA Certification Authority | Root Not Trusted |
| VOICEFIVE, INC. | USERTrust RSA Certification Authority | Hash Mismatch |
| TMRG Inc. | VeriSign Class 3 Code Signing 2010 CA | Root Not Trusted |
File Traits
- .adata
- 2+ executable sections
- HighEntropy
- WriteProcessMemory
- x86
Block Information
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.| Total Blocks: | 13,666 |
|---|---|
| Potentially Malicious Blocks: | 50 |
| Whitelisted Blocks: | 9,808 |
| Unknown Blocks: | 3,808 |
Visual Map
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
?
?
?
0
?
0
0
0
?
?
0
?
0
?
0
?
?
0
0
?
0
0
0
0
0
?
0
0
0
0
0
0
0
0
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
?
?
?
?
0
?
?
0
0
0
0
?
0
?
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
?
0
0
0
?
0
?
?
0
0
x
?
?
?
0
0
0
0
0
?
?
?
?
0
0
x
0
?
0
0
?
0
0
0
0
?
?
0
0
0
?
?
?
?
?
0
?
?
0
?
?
0
?
?
?
?
?
?
?
?
?
0
?
?
0
0
?
?
?
?
?
0
?
0
?
?
?
?
?
?
?
0
?
?
?
?
?
0
0
0
0
0
0
0
0
0
0
0
0
0
0
?
?
?
?
?
0
0
0
?
?
?
?
0
0
?
0
?
?
?
?
?
?
?
?
?
0
?
?
?
0
0
?
?
?
0
?
?
?
?
?
?
?
0
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
0
0
?
?
?
0
x
?
?
?
?
?
0
?
?
?
?
?
?
?
0
?
0
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
0
0
0
0
0
0
0
?
?
?
?
0
?
?
?
?
?
?
?
?
?
?
?
?
0
0
0
0
?
?
?
?
?
?
?
?
0
?
?
?
?
?
?
?
?
?
?
?
0
?
?
?
?
?
?
?
?
?
?
?
0
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
0
?
0
0
?
?
0
0
?
?
?
?
0
?
?
?
?
?
?
0
0
?
0
?
?
?
0
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
x
?
?
?
?
?
?
?
?
0
x
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
?
?
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
?
x
0
0
?
x
0
0
0
0
0
0
?
0
?
0
?
0
0
0
0
x
?
0
0
?
?
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
x
?
?
?
0
0
?
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
?
?
?
?
0
0
?
?
0
?
0
?
?
?
?
?
?
?
?
?
?
?
?
x
?
x
?
?
?
0
?
?
?
?
?
?
?
x
0
0
0
0
?
?
?
0
0
0
0
0
0
0
0
0
0
?
?
0
0
?
0
?
0
0
0
0
0
0
?
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
?
?
0
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
0
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
0
0
0
0
0
0
0
0
0
0
0
0
0
?
?
0
?
x
0
0
0
0
0
?
?
?
?
0
?
0
?
?
?
x
0
x
?
?
?
?
?
?
?
0
0
0
x
?
0
0
?
?
0
0
0
0
0
0
0
0
?
?
?
?
?
0
0
0
?
0
?
?
0
?
?
?
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
?
0
0
0
0
?
?
0
?
0
0
?
?
?
?
0
0
0
?
?
0
0
0
0
0
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
0
?
?
?
?
?
?
?
?
?
?
?
?
0
?
?
?
?
?
?
?
?
?
?
?
?
?
?
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
?
x
0
0
0
?
?
?
?
?
0
0
0
?
?
?
?
?
?
?
?
?
0
?
?
x
?
?
?
0
?
?
0
0
0
0
0
0
0
0
?
0
?
?
?
?
?
?
0
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
0
0
0
0
?
0
0
1
?
1
?
?
?
0
0
?
?
x
?
?
?
?
?
?
?
0
?
0
0
?
?
?
?
?
?
?
0
0
0
?
0
?
0
?
?
?
?
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
?
0
?
1
0
0
?
0
?
0
?
0
0
0
0
0
0
?
0
?
0
?
?
?
?
0
?
?
?
?
?
0
?
?
0
?
0
?
?
?
?
?
?
?
?
?
0
?
?
?
?
?
?
0
?
?
?
?
?
0
?
?
?
?
?
?
?
0
0
0
0
0
0
0
?
0
0
0
?
0
0
?
0
?
?
0
?
0
?
?
?
?
0
0
0
0
0
0
0
0
?
0
0
0
0
?
0
0
0
0
0
0
?
?
0
0
0
0
0
?
0
0
0
0
0
?
?
?
?
?
0
0
?
0
0
0
?
?
0
0
0
0
0
?
?
?
0
0
0
?
0
0
0
0
0
0
0
0
0
1
0
?
0
?
0
0
0
0
0
0
?
?
0
0
0
?
0
?
0
0
0
?
0
?
0
0
0
0
?
?
?
0
?
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
?
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
?
0
?
0
0
0
?
0
0
0
?
?
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
?
0
?
0
?
0
0
?
0
0
?
?
?
0
0
0
0
0
0
0
0
?
0
?
?
?
0
?
?
0
?
?
0
?
?
?
0
0
0
0
0
?
0
0
?
?
?
0
?
?
?
?
?
?
?
?
0
0
?
0
0
?
?
0
?
0
0
0
0
0
0
?
0
0
0
?
0
0
0
?
1
?
0
0
0
?
0
?
?
0
0
0
0
?
?
?
0
?
0
?
0
0
0
?
?
0
0
0
?
?
0
?
?
0
?
0
0
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
0
?
?
0
0
?
?
?
?
?
?
0
?
0
?
0
0
0
0
0
0
?
?
0
0
0
0
0
0
0
?
?
?
0
?
0
0
0
?
0
0
0
0
?
0
0
0
0
0
0
0
0
0
0
0
0
0
0
?
0
?
0
0
?
0
?
0
0
0
0
0
?
0
0
?
0
0
?
0
?
?
?
?
?
?
?
?
?
?
?
0
0
0
0
?
?
0
0
0
0
?
0
?
?
?
0
0
?
?
0
0
?
?
?
?
0
?
?
?
0
?
?
?
?
?
0
0
0
?
?
?
?
?
0
0
?
0
0
0
0
0
?
0
0
0
0
?
?
?
0
?
?
?
?
?
0
?
?
?
?
0
?
0
?
?
?
?
?
?
?
?
0
0
0
0
?
0
0
?
?
0
0
1
0
?
0
?
0
0
?
0
0
?
0
0
0
0
?
0
?
?
?
?
?
?
0
?
?
0
?
0
?
?
0
?
?
?
?
0
?
0
0
?
?
?
0
?
?
?
?
?
0
?
?
?
?
?
?
?
?
?
?
?
?
?
?
0
?
?
?
?
?
...
Data truncated
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
? - Unknown Block
x - Potentially Malicious Block
Files Modified
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.| File | Attributes |
|---|---|
| c:\program files\common files\system\symsrv.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\csm48b6.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\is-6pdga.tmp\bba77edda1052efdc1a12ed531c1908cca265f9c_0007461859.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\is-gj87o.tmp\1599c1a04106e9eef31dc94e013f8c6400cd8805_0002141162.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\is-h8tko.tmp\ef92499a7bdb1cf7405c45d5572b64d2cfd08a71_0004612184.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\is-hi951.tmp\694fd652bd06e7b7b60f805f4b0e9c6e11a879e5_0005505000.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\is-o6aic.tmp\2fe0832d7041939c8120d9314c0a0371419215c3_0002087906.tmp | Generic Write,Read Attributes |
Registry Modifications
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.| Key::Value | Данни | API Name |
|---|---|---|
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\6732dfa107d8220418c64a9fc8a4d9faacb1b9c8_0004032328.exe | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\6732dfa107d8220418c64a9fc8a4d9faacb1b9c8_0004032328.exe��\??\c:\users\user\downloads | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\e0410ae4970afaa8b0832be9424a6af40365074f_0004032312.exe | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\e0410ae4970afaa8b0832be9424a6af40365074f_0004032312.exe��\??\c:\users\user\downloads | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\b57fded19d5f8970070d7b65f89cc39ca8a9608f_0004032320.exe | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\b57fded19d5f8970070d7b65f89cc39ca8a9608f_0004032320.exe��\??\c:\users\user\downloads | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\83ff4e4ff1e2fa18bf3816c0a88d3bfd6d9be03d_0004032320 | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\83ff4e4ff1e2fa18bf3816c0a88d3bfd6d9be03d_0004032320��\??\c:\users\user\downloads | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\b346304edb814328fb6722831f11d938276e638c_0004032304 | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\b346304edb814328fb6722831f11d938276e638c_0004032304��\??\c:\users\user\downloads | RegNtPreCreateKey |
Show More
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\e254734bd77f3fa6f67e7f60b3f5993832b04114_0004032312 | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\e254734bd77f3fa6f67e7f60b3f5993832b04114_0004032312��\??\c:\users\user\downloads | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\54375804cdf8f0b2502af6ffa14dad4923ea699c_0004032328 | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\54375804cdf8f0b2502af6ffa14dad4923ea699c_0004032328��\??\c:\users\user\downloads | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\a9341788bef4e592d7d2fcfee37d717603b473e1_0004032328 | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\a9341788bef4e592d7d2fcfee37d717603b473e1_0004032328��\??\c:\users\user\downloads | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\71d9e90e5fca7aa8a9b961122e9431b6d74d3618_0004032312 | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\71d9e90e5fca7aa8a9b961122e9431b6d74d3618_0004032312��\??\c:\users\user\downloads | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\a1481718c38d7fe83077af85f9c9183bed21ba4e_0004032312 | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\a1481718c38d7fe83077af85f9c9183bed21ba4e_0004032312��\??\c:\users\user\downloads | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\51d6608cf7a6e1602d030476f2e9be8440a7e872_0004032304 | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\51d6608cf7a6e1602d030476f2e9be8440a7e872_0004032304��\??\c:\users\user\downloads | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\e751e6ff670f4aa6340f30cdeb44c49bb80af788_0004032304 | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\e751e6ff670f4aa6340f30cdeb44c49bb80af788_0004032304��\??\c:\users\user\downloads | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\b71d696f3dae1cd229eba11508e3ff807aefcffe_0004032328 | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\b71d696f3dae1cd229eba11508e3ff807aefcffe_0004032328��\??\c:\users\user\downloads | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\91fe5bf17d497fabd4279e869d3abd5af14481b6_0004032328 | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\91fe5bf17d497fabd4279e869d3abd5af14481b6_0004032328��\??\c:\users\user\downloads | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\0c648fc2bc8532e785b4f962dab6e5f24e57f18a_0003119472 | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\0c648fc2bc8532e785b4f962dab6e5f24e57f18a_0003119472��\??\c:\users\user\downloads | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\b558641e5feb20e4eb3e342ccb09814551a61df5_0001041408 | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\0db2c101df8d3312a7849058cdd75024622717ba_0004032328 | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\0db2c101df8d3312a7849058cdd75024622717ba_0004032328��\??\c:\users\user\downloads | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\3984f8956d06e6d315c715dd9cb9738b95442d1d_0004032312 | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\3984f8956d06e6d315c715dd9cb9738b95442d1d_0004032312��\??\c:\users\user\downloads | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\4eea95f272dfd4e2b7b9ff75447bb64e3ac37975_0004032304 | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\4eea95f272dfd4e2b7b9ff75447bb64e3ac37975_0004032304��\??\c:\users\user\downloads | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\79fe00d2f314f70fcfbb3df9df6e2f155db889bd_0004032288 | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\c:\users\user\downloads\79fe00d2f314f70fcfbb3df9df6e2f155db889bd_0004032288��\??\c:\users\user\downloads | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Windows\SystemTemp\77e37ce0-8214-4414-aced-551c5ae204d7.tmp��\??\C:\Windows\SystemTemp\e28eadcf-6ab0-4d8c-8821-7ce9a6aba1 | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Windows\SystemTemp\a9dd6c3f-d641-4292-855a-e9c09c1b694b.tmp��\??\C:\Windows\SystemTemp\85968c61-a19d-4e7b-a80f-d2a1fc3c08 | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.205.9��\??\C:\Windows\SystemTemp\b1a39cca-eadf-4949-a384-a0ef6a3b3fd2.tmp��\ | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | *1\??\C:\sandbox_live\tmp\113346\5328\c\users\user\downloads\45efe6630b008b59e7ab972376351317e8248494_0004032320 | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | *1\??\C:\sandbox_live\tmp\113346\5328\c\users\user\downloads\45efe6630b008b59e7ab972376351317e8248494_0004032320��*1\??\C:\sandb | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | *1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old5af52��*1\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old5af62��*1\??\C:\P | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | *1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old122e4��*1\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old12352��*1\??\C:\P | RegNtPreCreateKey |
Windows API Usage
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.| Category | API |
|---|---|
| Network Winsock2 |
|
| User Data Access |
|
| Service Control |
|
| Process Manipulation Evasion |
|
| Process Shell Execute |
|
| Syscall Use |
Show More
7 additional items are not displayed above. |
| Anti Debug |
|
Shell Command Execution
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.
"C:\Users\Eewpjikk\AppData\Local\Temp\is-6PDGA.tmp\bba77edda1052efdc1a12ed531c1908cca265f9c_0007461859.tmp" /SL5="$60054,7191642,54272,c:\users\user\downloads\bba77edda1052efdc1a12ed531c1908cca265f9c_0007461859"
|
"C:\Users\Cfwktkne\AppData\Local\Temp\is-GJ87O.tmp\1599c1a04106e9eef31dc94e013f8c6400cd8805_0002141162.tmp" /SL5="$80062,1806518,135168,c:\users\user\downloads\1599c1a04106e9eef31dc94e013f8c6400cd8805_0002141162"
|
"C:\Users\Fsrftbmr\AppData\Local\Temp\is-H8TKO.tmp\ef92499a7bdb1cf7405c45d5572b64d2cfd08a71_0004612184.tmp" /SL5="$1026A,4248524,201728,c:\users\user\downloads\ef92499a7bdb1cf7405c45d5572b64d2cfd08a71_0004612184"
|
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\75cfb0fd47dafe51e95be5c8ed16392f956d261a_0000223512.,LiQMAxHB
|
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\9c4aa98ae929effa5e2c1a57681c421ddb353d2c_0000223512.,LiQMAxHB
|
Show More
"C:\Users\Nsnriywa\AppData\Local\Temp\is-O6AIC.tmp\2fe0832d7041939c8120d9314c0a0371419215c3_0002087906.tmp" /SL5="$60068,1758256,211456,c:\users\user\downloads\2fe0832d7041939c8120d9314c0a0371419215c3_0002087906"
|
"C:\Users\Ivacuyiy\AppData\Local\Temp\is-HI951.tmp\694fd652bd06e7b7b60f805f4b0e9c6e11a879e5_0005505000.tmp" /SL5="$4034C,5038395,121344,c:\users\user\downloads\694fd652bd06e7b7b60f805f4b0e9c6e11a879e5_0005505000"
|
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\529a9f259ff8eb3ed358c72aef19272a588fc90f_0000905544.,LiQMAxHB
|
