Multi-License Discount Quote
Threat Database Potentially Unwanted Programs MediaArena

MediaArena

By Mezo in Potentially Unwanted Programs, Adware, Browser Hijackers
Translate To:

Threat Scorecard

Popularity Rank: 9,835
Threat Level: 10 % (Normal)
Infected Computers: 826
First Seen: April 28, 2023
Last Seen: January 26, 2026
OS(es) Affected: Windows

PUA:Win32/MediaArena is an intrusive program that aims to get installed on a computer and perform various unwanted actions. MediaArena could take control of the user's Internet browser or deliver dubious advertisements on the system. MediaArena could be detected as a stand-alone program or a browser extension that is typically installed on the computer without the user's knowledge or permission. Once activated, this PUP (Potentially Unwanted Program) may start displaying pop-up advertisements and redirecting the user to different websites when it detects that the user is browsing the Internet. This can disrupt the entire browsing experience and, more importantly, take users to unsafe destinations.

In addition, PUA:Win32/MediaArena may collect the user's personal information and browsing history, which could be utilized for fraudulent purposes, such as identity theft or targeted advertising. This PUP must be removed as soon as possible to protect the user's privacy and security.

Users are Unlikely to Install MediaArena Knowingly

The distribution of PUPs like MediaArena often involves dubious tactics that aim to deceive and manipulate users into installing unwanted software on their devices. One such tactic is bundling, where PUPs are packaged alongside legitimate software and installed without the user's knowledge or consent. This is often done by hiding the PUP in the installation process and using confusing or misleading language in the installation prompts.

Another tactic is deceptive advertising, where PUPs are advertised as legitimate software or as valuable tools that will enhance the user's experience. In reality, these programs often perform unwanted actions such as displaying advertisements, redirecting the user's browser or collecting sensitive information.

Additionally, some PUPs may use social engineering tactics, such as fake security alerts or warnings, to convince users to download and install the unwanted software. This can trick users into thinking that their devices are infected with malware or that their privacy is at risk, leading them to install the PUP in an attempt to fix the problem.

Furthermore, some PUPs may use manipulative methods to prevent users from uninstalling them, such as hiding their files and processes or creating multiple entries in the device's Registry. This can make it challenging for PC users to remove the unwanted software and regain control of their devices.

Overall, the distribution of PUPs involves a range of dubious tactics that can harm users by compromising their privacy, security and overall experience with their devices. It is crucial for users to be cautious and vigilant when downloading and installing software and always wade through the terms and conditions before agreeing to install any program.

Analysis Report

General information

Family Name: PUP.MSIL.MediaArena.A
Signature status: Root Not Trusted

Known Samples

MD5: 83fb0a86a3845edcdeb7f65511840514
SHA1: 11b8d0e313a200cf8e78ada1dfabe43c1d0098c4
File Size: 5.08 MB, 5076168 bytes
MD5: 0160d22c9f4954bcc793df96842112e9
SHA1: b71feb22c1e16d6e2af0245397de3fd4ec933639
File Size: 1.13 MB, 1129256 bytes
MD5: 6595d937af13ceba5c2501bae4e1fbda
SHA1: b804e025dc0eb31ed62f6bd27968b761a53a4d60
File Size: 8.09 MB, 8086728 bytes
MD5: 0dd8680503ead8fb01af9c784f85af5a
SHA1: 1077fe05962a392e62cfe1cee86de7239a7e7a66
File Size: 5.09 MB, 5085904 bytes
MD5: ce7bc74e84d7abfe7001f235a6635c31
SHA1: eee7dcf28b9a9fc9b783beb653e3e5214fbcbce9
SHA256: A999BF5510CD2C84535F7EA66A3EFD4A8662B2BA5831171955246FB013E4A2DB
File Size: 5.14 MB, 5143760 bytes
Show More
MD5: b256bf137ff3d258cce6b3f740dff749
SHA1: ee42851109e6217578d072eb4464f18d9283fe8b
SHA256: D01F4DA2A3F1EAEA0867C201D27AE18D9C892E37AEDFDA779828F4350F5E4364
File Size: 1.07 MB, 1068744 bytes
MD5: 8186602fae208e37c948ea456ec337ed
SHA1: 827d47c449d8a4198a3e91d0a0bee838db063d44
SHA256: 51286ED430AC1F061BD01C6A7127BE2B0C3BBC01A7AF8EF4D00BA5E35687B279
File Size: 2.73 MB, 2726848 bytes
MD5: f6fd206a287157fa51e3008dceb0f4cc
SHA1: 794fc64b51eb7b0b33b9bbc21aa2e5354aac4182
SHA256: FA06715B49252CF98E70A19949726F65A92D8C112BEEDC191DBEECDD77CC759A
File Size: 4.40 MB, 4399312 bytes
MD5: 3383b63b7f56ee792a0d4ae2d572a334
SHA1: 00c3f7f233a31178092bea3d8e6ddd871c72b8f5
SHA256: 8EEEBFF49329456FDF6C7AD7A2E3F1D0D6D8441653D4C07EBB038755ECB74111
File Size: 5.38 MB, 5382352 bytes
MD5: 7184f52a1e3b998cd8a858d03c291be1
SHA1: 7971c05fe5ecc115d012c62bafe6676b22790c8b
SHA256: 88003BEE57CB07236582FE9983C0FF6E85272522681BEC39413623BC40BBDD97
File Size: 1.35 MB, 1346856 bytes
MD5: 8104e595f2013aaf74471ed651b91d84
SHA1: 1a1d04910602ac317e9df6851fbaa50dac3f1d07
SHA256: F402850745EA36C9FD28CB0EA5D96261FE62270FAF72DEF308B8BBCD774ECBAC
File Size: 5.08 MB, 5075656 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File is .NET application
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name Value
Assembly Version
  • 1.3.5.0
  • 1.3.2.0
  • 1.3.1.0
  • 1.3.0.0
  • 1.2.3.0
  • 1.1.7.0
  • 1.1.4.0
  • 1.1.0.0
  • 1.0.4.0
  • 1.0.0.3
Comments
  • EDUp
  • PDFConverty
  • PDFdoconline
  • PDF SuperHero
  • PdfToDocPro
File Description
  • PDFConverty
  • PDFdoconline
  • PDF SuperHero
  • PdfToDocPro
File Version
  • 1.3.5
  • 1.3.2
  • 1.3.1
  • 1.3.0
  • 1.2.3.0
  • 1.1.7.0
  • 1.1.4
  • 1.1.0
  • 1.0.4
  • 1.0.0.3
Internal Name
  • EdUpte.exe
  • PDFConvertyexe.exe
  • PDFdoconlineexe.exe
  • PDFexe.exe
  • PDFSuperHero.exe
  • PDFtoDocExe.exe
Legal Copyright
  • Copyright © 2021
  • Copyright © 2022
  • Copyright © 2023
  • Copyright © 2024
Original Filename
  • EdUpte.exe
  • PDFConvertyexe.exe
  • PDFdoconlineexe.exe
  • PDFexe.exe
  • PDFSuperHero.exe
  • PDFtoDocExe.exe
Product Name
  • PDFConverty
  • PDFdoconline
  • PDF SuperHero
  • PdfToDocPro
Product Version
  • 1.3.5
  • 1.3.2
  • 1.3.1
  • 1.3.0
  • 1.2.3.0
  • 1.1.7.0
  • 1.1.4
  • 1.1.0
  • 1.0.4
  • 1.0.0.3

Digital Signatures

Signer Root Status
STANIS LTD GlobalSign Code Signing Root R45 Root Not Trusted
VIEWBIX LTD GlobalSign Code Signing Root R45 Root Not Trusted
RESOFT LTD. GlobalSign GCC R45 EV CodeSigning CA 2020 Self Signed

Block Information

Total Blocks: 2,400
Potentially Malicious Blocks: 75
Whitelisted Blocks: 2,247
Unknown Blocks: 78

Visual Map

? 0 ? ? ? ? ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 x ? ? ? ? 0 ? ? x x x ? ? ? ? ? ? x ? ? ? 0 ? ? 0 x 0 x 0 0 0 x ? 0 x 0 0 ? x 0 ? ? 0 x 0 x ? ? ? 0 ? 0 0 x x 0 x ? ? ? 0 ? ? ? ? ? ? ? ? ? 0 ? ? 0 0 x ? ? ? ? ? ? ? ? ? ? ? ? 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 ? 0 ? ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 x 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 x 0 0 0 x 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 x 0 0 0 0 0 0 0 0 x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 x 0 0 0 0 0 0 0 0 x 0 0 0 0 0 x 0 x 0 0 0 x 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 x 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
... Data truncated
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • MSIL.Agent.DFAY
  • MSIL.AsyncRAT.AR
  • MSIL.Downloader.AFE
  • MSIL.Krypt.ABTPHE
  • MSIL.Krypt.EAI
Show More
  • MSIL.Krypt.EAIA
  • MSIL.Krypt.ECPA
  • MSIL.Mardom.LJ
  • MSIL.Mardom.TB
  • MSIL.Mardom.TI
  • MSIL.MediaArena.B
  • Marsilia.D
  • Ymacco.O

Files Modified

File Attributes
\device\namedpipe Generic Read,Write Attributes
\device\namedpipe Generic Write,Read Attributes
\device\namedpipe\dav rpc service Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\pshost.133977152550516330.4988.defaultappdomain.b804e025dc0eb31ed62f6bd27968b761a53a4d60_0008086728 Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.133978914206746551.640.defaultappdomain.1077fe05962a392e62cfe1cee86de7239a7e7a66_0005085904 Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134003805850133026.5988.defaultappdomain.eee7dcf28b9a9fc9b783beb653e3e5214fbcbce9_0005143760 Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134076064135536806.8112.defaultappdomain.00c3f7f233a31178092bea3d8e6ddd871c72b8f5_0005382352 Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134084429275605227.6708.defaultappdomain.794fc64b51eb7b0b33b9bbc21aa2e5354aac4182_0004399312 Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134102786144714767.6664.defaultappdomain.7971c05fe5ecc115d012c62bafe6676b22790c8b_0001346856 Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134139690800102792.3452.defaultappdomain.1a1d04910602ac317e9df6851fbaa50dac3f1d07_0005075656 Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
Show More
\device\namedpipe\wkssvc Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\it-searches\icon.ico Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\krembosearch\icon.ico Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\mambosearch\icon.ico Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\pdfconverty\icon.ico Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\pdfdoconline\bc.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\pdfdoconline\icon.ico Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\pdfdoconline\resources\images\arrow-right.svg Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\pdfdoconline\resources\images\background.png Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\pdfdoconline\resources\images\check-circle.svg Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\pdfdoconline\resources\images\close-icon.svg Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\pdfdoconline\resources\images\logo.svg Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\pdfdoconline\resources\images\pattern.svg Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\pdfdoconline\resources\images\pattern2.svg Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\pdfdoconline\resources\index.html Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\pdfdoconline\resources\js\script.js Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\pdfdoconline\resources\logo.ico Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\pdfdoconline\resources\logo.png Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\pdfsuperhero\icon.ico Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\pdftodocpro\icon.ico Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\promisearch\icon.ico Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\searchazak\icon.ico Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\searchbazak\icon.ico Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\__psscriptpolicytest_0micz41t.fby.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_4csz4htk.gm4.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_aqzczxy1.xf1.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_beusauym.xdq.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_bfq0glza.evm.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_lbt3i3o1.n5z.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_mdf2dukg.cgb.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_nuduxoad.cfy.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_t54qk5aa.41w.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_uka010kv.cq4.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_volbwdnw.1rq.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_wgcdy0lx.ran.ps1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_wpidh4rn.ts0.psm1 Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_zudps1kf.0ps.psm1 Generic Write,Read Attributes

Registry Modifications

Key::Value Data API Name
HKLM\software\wow6432node\microsoft\tracing::enableconsoletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enablefiletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enableautofiletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enableconsoletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::filetracingmask ￿ RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::consoletracingmask ￿ RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::maxfilesize  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::filedirectory %windir%\tracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enablefiletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enableautofiletracing RegNtPreCreateKey
Show More
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enableconsoletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::filetracingmask ￿ RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::consoletracingmask ￿ RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::maxfilesize  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::filedirectory %windir%\tracing RegNtPreCreateKey
HKLM\software\microsoft\systemcertificates\authroot\certificates\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43::blob 캇笋สI壡魱꠷犓쩭큛켍༜瀲퍙뉴ꚜ엣ꘊS@㸰ἰआ虠ňﶆɬ、〒ؐ⬊ĆĄ㞂ļ́ダ؛朅ಁ́ሰူਆثЁ舁㰷āȃ쀀 4㈰ࠆثԁ܅ȃࠆثԁ܅̃ࠆثԁ܅Ѓࠆثԁ܅ăࠆثԁ܅ࠃb 逾떙币䢏lᆝ﨡㖺襚槟Ṗ옽尲 RegNtPreCreateKey
HKLM\software\microsoft\systemcertificates\authroot\certificates\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43::blob RegNtPreCreateKey
HKLM\software\microsoft\systemcertificates\authroot\certificates\4efc31460c619ecae59c1bce2c008036d94c84b8::blob RegNtPreCreateKey
HKLM\software\microsoft\systemcertificates\authroot\certificates\4efc31460c619ecae59c1bce2c008036d94c84b8::blob RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 鄋﯂崓ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe ඎ轡轖ǜ RegNtPreCreateKey

Windows API Usage

Category API
Process Shell Execute
  • CreateProcess
User Data Access
  • GetComputerName
  • GetUserDefaultLocaleName
  • GetUserName
  • GetUserNameEx
  • GetUserObjectInformation
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
Other Suspicious
  • AdjustTokenPrivileges
Network Winsock2
  • WSAConnect
  • WSASocket
  • WSAStartup
  • WSAttemptAutodialName
Network Winsock
  • closesocket
  • freeaddrinfo
  • getaddrinfo
  • recv
  • send
  • setsockopt
Network Winhttp
  • WinHttpOpen
Network Info Queried
  • GetAdaptersAddresses
  • GetNetworkParams
Encryption Used
  • BCryptOpenAlgorithmProvider
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
Show More
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenMutant
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • UNKNOWN
  • win32u.dll!NtGdiAnyLinkedFonts
  • win32u.dll!NtGdiBitBlt
  • win32u.dll!NtGdiCreateBitmap
  • win32u.dll!NtGdiCreateCompatibleBitmap
  • win32u.dll!NtGdiCreateCompatibleDC
  • win32u.dll!NtGdiCreateDIBitmapInternal
  • win32u.dll!NtGdiCreateRectRgn
  • win32u.dll!NtGdiCreateSolidBrush
  • win32u.dll!NtGdiDeleteObjectApp
  • win32u.dll!NtGdiDoPalette
  • win32u.dll!NtGdiDrawStream
  • win32u.dll!NtGdiExcludeClipRect
  • win32u.dll!NtGdiExtGetObjectW
  • win32u.dll!NtGdiExtSelectClipRgn
  • win32u.dll!NtGdiExtTextOutW
  • win32u.dll!NtGdiFlush
  • win32u.dll!NtGdiFontIsLinked
  • win32u.dll!NtGdiGetCharABCWidthsW
  • win32u.dll!NtGdiGetDCDword
  • win32u.dll!NtGdiGetDCforBitmap
  • win32u.dll!NtGdiGetDCObject
  • win32u.dll!NtGdiGetDeviceCaps
  • win32u.dll!NtGdiGetDIBitsInternal
  • win32u.dll!NtGdiGetEntry
  • win32u.dll!NtGdiGetFontData
  • win32u.dll!NtGdiGetGlyphIndicesW

100 additional items are not displayed above.

Shell Command Execution

C:\WINDOWS\system32\fondue.exe "C:\WINDOWS\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
"C:\WINDOWS\system32\systeminfo.exe" /fo LIST

Related Posts

Trending

Most Viewed

Loading...