AdLoad

O AdLoad é uma ferramenta maliciosa destinada a introduzir adware potencialmente irritante no seu sistema Mac. A ferramenta está em circulação há quase três anos e não mostra sinais de desaceleração. Seu longo mandato se deve à sua capacidade de evoluir com rapidez suficiente para evitar a detecção. Ao longo de sua evolução, o AdLoad descartou dezenas de Aplicativos Potencialmente Indesejados (PUAs) - Kreberisec, SearchDaemon, DataSearch, ApolloSearch, AphroditeResults e muitos outros (veja a lista abaixo) - em um incontável número de sistemas MacOS em todo o mundo. Considerando a natureza desses aplicativos, o AdLoad não se comporta como uma ameaça típica do nível grave. No entanto, seu comportamento persistente torna qualquer tentativa de remoção uma tarefa bastante desafiadora.

Um Sequestrador ou um Trojan?

O AdLoad parece ter uma natureza duvidosa. Por um lado, ele compartilha as características típicas dos sequestradores de navegador clássicos. Ele vem disfarçado como uma atualização de software falsa ou como um download drive-by. Por outro lado, alguns pesquisadores tendem a classificar o AdLoad como uma entidade semelhante a um Trojan por causa da sua funcionalidade de backdoor para plantar todos os tipos de PUAs no host de um sistema Mac.

Uma vez dentro, o AdLoad redireciona a atividade de navegação na Web das vítimas para servidores predeterminados por meio de ataques man-in-the-middle. Esses redirecionamentos geralmente ocorrem sempre que os autores responsáveis desejam monetizar a receita de anúncios redirecionando os usuários de computador para sites infestados de anúncios pay-per-click (PPC). Embora esse modelo de publicidade não seja de forma alguma prejudicial quando aplicado com os mecanismos de busca mais populares da Web, ele pode causar problemas se for explorado pelos motivos errados. O último geralmente envolve anunciantes que pagam mecanismos de pesquisa menos conhecidos para direcionar o tráfego para sites pesados de PPC de natureza não muito saudável.

Apesar da longevidade do AdLoad, ele continua difícil de se detectar até hoje, conforme mostrado no VirusTotal, pois o adware planta vários arquivos em um grande número de diretórios. A maioria dos dados cai em várias pastas na seção Biblioteca local. Em seguida, ele executa um ou mais executáveis, que estabelecem uma conexão de área de trabalho remota por meio de um script python. Além das pastas visíveis na seção da Biblioteca local, o AdLoad pode criar uma pasta oculta projetada para manter o adware em execução.

Indicadores de uma Infecção pelo AdLoad

Como qualquer outra peça de adware, o AdLoad pode diminuir a velocidade do seu sistema, trazer inúmeros anúncios e levá-lo a sites que você nunca viu antes. Os anúncios podem oferecer atualizações de software falsas, downloads drive-by, produtos e serviços atraentes. Cuidado com o último, no entanto, especialmente se eles parecem bons demais para ser verdade.

PUAs Associados

A AdLoad supostamente trouxe dezenas de PUAs para os computadores baseados em MacOS. Alguns desses PUAs incluem, mas não estão limitados a: WebSearchStride, TotalAdviseSearch, Sorimbrsec, SkilledProjectSearch, SearchRange, SearchNetCharacter, PositiveSearch, KeyWordsSearch, MajorChannelSearch, AlphaLookup, GoldResults, GlobalQuestSearch, LeadingSignSearch, OdysseusLookup, ExpertModuleSearch, VirtualToolboxSearch, TabSearch, UpgradeSearchView, ResultsSync, NetToolboxSearch, SimpleFunctionSearch, AresLookup, PublicAdviseSearch, MajorLetterSearch, SearchArchive, SearchRange, CalypsoLookup, BinarySignSearch e assim por diante.
A lista acima é apenas uma amostra doque o AdLoad Adware é capaz de trazer para a mesa. Se um ou mais desses nomes soam conhecidos para você, é provável que você esteja com uma infecção pelo AdLoad em andamento e precise agir.

Dicas de Remoção

Para começar, você pode seguir o procedimento de remoção convencional trazendo para o Lixo quaisquer aplicativos suspeitos ou desconhecidos que encontrar na pasta Aplicativos. Em seguida, você pode limpar quaisquer arquivos AdLoad residuais que encontrar na sua Biblioteca. Preste uma atenção especial à pasta LaunchAgents em particular. Ainda assim, não se esqueça de passar por todas as pastas da Biblioteca. Embora essas etapas possam resolver o problema, examinar o seu sistema com uma solução anti-malware confiável não prejudicará. Recomendamos fortemente que você faça o último, pois o AdLoad provou ser persistente além da medida quando atacado.

AdLoad capturas de tela

Relatório de análise

Informação geral

Family Name:	Trojan.Adload
Signature status:	No Signature

Known Samples

i

Known Samples

This section lists other file samples believed to be associated with this family.

MD5: b8c7b6e43f4a0ab140bcc235c247bbc5 SHA1: 6dd3adec6fe76e7fa6b2e35b30c67504c12f066f Tamanho do Arquivo: 359.22 KB, 359220 bytes

MD5: c557fc3db4d9b52c025307e95f475747 SHA1: e782480fd9b8626ce246e6fc081acbc7fec6f9c6 Tamanho do Arquivo: 486.72 KB, 486720 bytes

MD5: ba3b39ca30a0e520b0ba7d56536b40db SHA1: 9813a9d9b3ffc2bef3a009058d8bafe9e865e695 Tamanho do Arquivo: 180.85 KB, 180848 bytes

MD5: e87b55334389949b93cb52ffb81455be SHA1: 0f3b83ea6aa235137442dcb9d91c545e97182c89 Tamanho do Arquivo: 121.50 KB, 121499 bytes

MD5: cf041587d8bb4bc19a9d9d18668cec92 SHA1: 3a22e93838d64693dccf30f97ec30371a5c48677 Tamanho do Arquivo: 486.82 KB, 486824 bytes

Show More

MD5: a81b99b2d91d0881e37966abe644ef79 SHA1: 058ef8b55fb5ebd390496295a49820c94e29cc2b Tamanho do Arquivo: 219.62 KB, 219618 bytes

MD5: caa93864eb9a4e503fa9edaebf9ea974 SHA1: bf7058261e6a7aa984364c1abdd554b2c645b14f SHA256: 46C35B73C288CCC7F74EF6F9CF9A183CF7AAFA95E8ACBA38FF87D0E2A0730286 Tamanho do Arquivo: 295.41 KB, 295414 bytes

MD5: d774ae8806f084a5ab7ff77941f4c013 SHA1: 6a69f07fc68cc99a7526f75ad84dd82e5a56972d SHA256: 7276422F1F14AF5208DAEBF5735A77F1DF84D6618BF98FCCDAECB6F7A5A6992A Tamanho do Arquivo: 250.54 KB, 250536 bytes

MD5: e187cfad80d4cbac3eed879e8017a47f SHA1: 2073a80cf1bd84ec032b2421bd34427cefb8499b SHA256: 9384096EF7D8C4E4805E63715A1ABED5D5C0D09CD46FBCB99CFC0972299F68AD Tamanho do Arquivo: 366.73 KB, 366725 bytes

MD5: 38997bbcfbeed4b71917e6f68622c7c5 SHA1: 12042ab1425fbe1b132f54c0daff5edd6c5fd1c4 SHA256: B73BCDA71F8227B34E4E46A064797DAE3AA7F6832A161DB9130A0B9199624338 Tamanho do Arquivo: 75.54 KB, 75544 bytes

MD5: 556ab3d9bf4ae37f72b201aacd3b18e0 SHA1: c6ed1b3470b89cdcfa9ed78d115cbe4c0f994f21 SHA256: C2B3D3A04E50C27F45177050B4939DD47448D36EDD6B71EE04756AFF822EA7A2 Tamanho do Arquivo: 5.54 MB, 5543000 bytes

MD5: e2301c49f57b249aa8f13691a927a443 SHA1: 0887e46f34bec87601f359efaa768e9271fb8d81 SHA256: 1EEC6282760C6B6BF8249E4DB797F64349C5F32825E70B6FF233C43123299B34 Tamanho do Arquivo: 559.67 KB, 559672 bytes

MD5: 838d3c6d2e5cba0145ffd763220b5561 SHA1: 5c7691cc827bc62bf04968657d823ad8cce67dd8 SHA256: 63E0A5824566D2A3D14E1CAF63F78276909F7CE3D48B20800134316FFC92D90B Tamanho do Arquivo: 308.22 KB, 308224 bytes

MD5: f966e7c6b8ce4e3838f49464276191c3 SHA1: ae60bce9e4cd5d8bfb513191a5145528c075dc20 SHA256: 6BD3E76959E607292DD0623386F31109FD4367136319B2EF3ED5855C270C2279 Tamanho do Arquivo: 501.41 KB, 501408 bytes

MD5: fa01b68ef2246c3a26a7ab26f2033890 SHA1: 5910d6a3f753828f1da4011e455459f26e9e4494 SHA256: 29E8575F2E5EEF6B180D49C94DC08E05E08CF59292010EE1E99CF8A2A98AE489 Tamanho do Arquivo: 3.08 MB, 3076827 bytes

MD5: 87042ba828a5ea209ea20c028227bea5 SHA1: 3000646dddff721b62346c5e86159ec4a1e185d0 SHA256: EC7861DEC5A5F1213378C08C2A30C45184511598B10E719E5033E955856D2D8C Tamanho do Arquivo: 53.48 KB, 53480 bytes

MD5: 19ee7986e20521f7048afbea19076024 SHA1: 314338c4716b627733e16ec458428c97f5c3feed SHA256: 6EF65BC0676BCA7EC2930883FE047C90DD75C0CC1E098F12A4CA6DDFF39E57F4 Tamanho do Arquivo: 3.26 MB, 3261524 bytes

MD5: 035ddd8703824c5d75f16499a0397893 SHA1: b17b8f3c3eafe88406fc71322630816084398e3e SHA256: 9E2AC28077C57DD7EA9D48ED145F82D9AA15CED005597084733D991D6EB04F47 Tamanho do Arquivo: 78.18 KB, 78184 bytes

MD5: c8c33ba616cb111ca64d6f5762138d47 SHA1: b170960f9b1f1e45954fa0314fbe2a7a8fe64139 SHA256: E8696EC1695EBE7989618810222E5D39D7086B12CDB72B4F7AB2E5254048BE9A Tamanho do Arquivo: 262.46 KB, 262460 bytes

Windows Portable Executable Attributes

i

Windows Portable Executable Attributes

This section lists file attributes found within family samples. These attributes are extracted from the files’ Windows PE (Portable Executable) specification and various system flags. Portable Executable Attributes give malware researchers insight into a file’s functionality, executable details, platform and runtime environment.

• File doesn't have "Rich" header
• File doesn't have debug information
• File doesn't have exports table
• File doesn't have relocations information
• File doesn't have security information
• File has exports table
• File has TLS information
• File is 32-bit executable
• File is either console or GUI application
• File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)

Show More

• File is Native application (NOT .NET application)
• File is not packed
• IMAGE_FILE_DLL is not set inside PE header (Executable)
• IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

i

File Icons

This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.

Show More

Windows PE Version Information

i

Windows PE Version Information

This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

Nome	Valor
Comments	This installation was built with Inno Setup.
File Description	Adobe PhotoShop CC Blanditiis Setup Game of Whores v025 By MANITU Games.exe Setup K-Lite Mega Codec Pack Libreoffice Microsoft .NET Framework
File Version	4.0.4 1.0.2 1.0.0.0
Legal Copyright	Copyright © 2023 Dolphin Copyright © 2024 Findue
Product Name	Adobe PhotoShop CC Blanditiis Dolphin Findue Game of Whores v025 By MANITU Games.exe K-Lite Mega Codec Pack Libreoffice Microsoft .NET Framework
Product Version	5.0 4.10.5.4 4.0.4 1.0.2

Digital Signatures

i

Digital Signatures

This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature’s root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy “Self Signed” digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading “Signer” names.

Signer	Root	Status
Tommy Tech LTD	Sectigo Public Code Signing Root R46	Root Not Trusted
MIDIA TECHNOLOGIES LLC	Starfield Class 2 Certification Authority	Root Not Trusted
Innovative Systems LLC	VeriSign Class 3 Code Signing 2010 CA	Self Signed
Sevas-S LLC	VeriSign Class 3 Code Signing 2010 CA	Self Signed

File Traits

• Installer Manifest
• nosig nsis
• No Version Info
• Nullsoft Installer
• x86

Block Information

i

Block Information

During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

Similar Families

i

Similar Families

This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.

• Agent.M
• Agent.MH
• Agent.MI
• Agent.MU
• Autorun.LA

Show More

• FakeAV.AU

Files Modified

i

Files Modified

This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

File	Attributes
\device\harddisk0\dr0	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\rmi\offer_downloader.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\dummyfile.txt	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-3av31.tmp\c6ed1b3470b89cdcfa9ed78d115cbe4c0f994f21_0005543000.tmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-8f4vo.tmp\_isetup\_setup64.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-h164b.tmp\_isetup\_setup64.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-h164b.tmp\_isetup\_shfoldr.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-h164b.tmp\non.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-h164b.tmp\non.exe	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\is-hjh98.tmp\314338c4716b627733e16ec458428c97f5c3feed_0003261524.tmp	Generic Write,Read Attributes

Show More

c:\users\user\appdata\local\temp\nsab735.tmp\button.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsab735.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsab735.tmp\ocsetuphlp.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsab735.tmp\skinnedbutton.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsab735.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsb162c.tmp\modern-wizard.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsb162c.tmp\modern-wizard.bmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsb162c.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nscc4ac.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsd54b9.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsde0d.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsg5b22.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsi5526.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsj1d50.tmp\modern-wizard.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsj1d50.tmp\modern-wizard.bmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsj1d50.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsj6321.tmp\button.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsj6321.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsj6321.tmp\ocsetuphlp.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsj6321.tmp\skinnedbutton.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsj6321.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nskb724.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsl402b.tmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\inetc.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\inetc.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\nsprocess.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\nsprocess.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\stdutils.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\stdutils.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\system.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\uac.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\uac.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\winshell.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\winshell.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsl4cc5.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsl4cd4.tmp\modern-wizard.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl4cd4.tmp\modern-wizard.bmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsl4cd4.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl4d14.tmp\modern-wizard.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl4d14.tmp\modern-wizard.bmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsl4d14.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl5b42.tmp\button.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl5b42.tmp\buttonevent.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl5b42.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl5b42.tmp\ocsetuphlp.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl5b42.tmp\skinnedbutton.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl5b42.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsm4f84.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsne4c.tmp\modern-wizard.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsne4c.tmp\modern-wizard.bmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsne4c.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nso54f9.tmp\modern-wizard.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nso54f9.tmp\modern-wizard.bmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nso54f9.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nso5595.tmp\modern-wizard.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nso5595.tmp\modern-wizard.bmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nso5595.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp56d7.tmp\md5dll.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp56d7.tmp\nsisdl.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp56d7.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp56d7.tmp\xid.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp56d7.tmp\z.ini	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp56d7.tmp\z.ini.log	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsq15ec.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsq4ca4.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nssc4bd.tmp\nsweb.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nst62c3.tmp\button.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nst62c3.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nst62c3.tmp\ocsetuphlp.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nst62c3.tmp\skinnedbutton.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nst62c3.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nswfa4c.tmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nswfa4c.tmp\b	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nswfa4c.tmp\inetc.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nswfa4c.tmp\inetc.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nswfa4c.tmp\jav6nswuyi	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nswfa4c.tmp\jav6nswuyi_deleted_	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nswfa4c.tmp\setup.exe	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nswfa4c.tmp\setup.exe	Synchronize,Write Data
c:\users\user\appdata\local\temp\nswfa4c.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nswfa4c.tmp\system.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsx4fc4.tmp\modern-wizard.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsx4fc4.tmp\modern-wizard.bmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsx4fc4.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsy1d10.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsyb3d8.tmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsyb3d8.tmp\nsprocess.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsyb3d8.tmp\nsprocess.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsyb3d8.tmp\stdutils.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsyb3d8.tmp\stdutils.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsyb3d8.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsyb3d8.tmp\system.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsyb3d8.tmp\uac.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsyb3d8.tmp\uac.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsyb3d8.tmp\winshell.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsyb3d8.tmp\winshell.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\~nsua.tmp\un_a.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144

Registry Modifications

i

Registry Modifications

This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.

Key::Value	Dados	API Name
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Tjgkcfyl\AppData\Local\Temp\~nsuA.tmp\Un_A.exe	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Tjgkcfyl\AppData\Local\Temp\~nsuA.tmp\Un_A.exe\??\C:\Users\Tjgkcfyl\AppData\Local\Temp\~nsuA.tmp	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Tjgkcfyl\AppData\Local\Temp\~nsuA.tmp\Un_A.exe\??\C:\Users\Tjgkcfyl\AppData\Local\Temp\~nsuA.tmp\??\C:\Users\Tj	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Izxmuvxw\AppData\Local\Temp\nswFA4C.tmp\	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Uouenrps\AppData\Local\Temp\~nsuA.tmp\Un_A.exe	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Uouenrps\AppData\Local\Temp\~nsuA.tmp\Un_A.exe\??\C:\Users\Uouenrps\AppData\Local\Temp\~nsuA.tmp	RegNtPreCreateKey

Show More

HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Uouenrps\AppData\Local\Temp\~nsuA.tmp\Un_A.exe\??\C:\Users\Uouenrps\AppData\Local\Temp\~nsuA.tmp\??\C:\Users\Uo	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\content::cacheprefix		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\cookies::cacheprefix	Cookie:	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\history::cacheprefix	Visited:	RegNtPreCreateKey
HKCU\software\microsoft\internet explorer\gpu::adapterinfo	vendorId="0x1414",deviceID="0x8c",subSysID="0x0",revision="0x0",version="10.0.19041.3570"hypervisor="Hypervisor detected (Micros	RegNtPreCreateKey

Windows API Usage

i

Windows API Usage

This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

Category	API
Anti Debug	IsDebuggerPresent NtQuerySystemInformation
User Data Access	GetUserObjectInformation
Process Manipulation Evasion	NtUnmapViewOfSection
Process Shell Execute	CreateProcess
Network Wininet	HttpOpenRequest HttpQueryInfo HttpSendRequest InternetConnect InternetOpen InternetQueryOption InternetReadFile InternetSetOption
Keyboard Access	GetKeyState
Network Winsock2	WSAStartup
Network Winsock	closesocket connect gethostbyname inet_addr recv send socket
Network Info Queried	GetAdaptersInfo

Shell Command Execution

i

Shell Command Execution

This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.

RunDll32.exe "C:\Users\Tdnqepzt\AppData\Local\Temp\nst62C3.tmp\OCSetupHlp.dll",_OCPID755OpenCandy2@16 6064,8FC6518A4AAC4BBAB9EFA51BED30CBC3,CD067BF2561F435F9FA7CBC4BDA2D109,FFD012E79F9845349DD5A2020A788861

RunDll32.exe "C:\Users\Tdnqepzt\AppData\Local\Temp\nst62C3.tmp\OCSetupHlp.dll",_OCPID755OpenCandy2@16 6064,8A64A2149AB84BF28721CF13E4FA57C7,327920F321744BF690746BFE0FF83873,FFD012E79F9845349DD5A2020A788861

"C:\Users\Tjgkcfyl\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\

RunDll32.exe "C:\Users\Vqaklfgo\AppData\Local\Temp\nsj6321.tmp\OCSetupHlp.dll",_OCPID755OpenCandy2@16 4708,F923245B4C4C41DD84992E564C74F2C5,958511D693AC49B3B7D9836B47A51407,62322D7CD20A42C192C8055BC765DB80

RunDll32.exe "C:\Users\Vqaklfgo\AppData\Local\Temp\nsj6321.tmp\OCSetupHlp.dll",_OCPID755OpenCandy2@16 4708,27521B4AC5FB49ADBFB210D4D23C3685,D804B426A5BE4F19BCCEFDAAB8E38154,62322D7CD20A42C192C8055BC765DB80

Show More

C:\Users\Izxmuvxw\AppData\Local\Temp\nswFA4C.tmp\setup.exe

"C:\Users\Rhndaseb\AppData\Local\Temp\is-3AV31.tmp\c6ed1b3470b89cdcfa9ed78d115cbe4c0f994f21_0005543000.tmp" /SL5="$10270,5157645,119296,c:\users\user\downloads\c6ed1b3470b89cdcfa9ed78d115cbe4c0f994f21_0005543000"

"C:\Users\Rhndaseb\AppData\Local\Temp\is-H164B.tmp\Non.exe" 6fc6ae7ad0e20df51a913ccabb2a36e4

RunDll32.exe "C:\Users\Mrozdasf\AppData\Local\Temp\nsl5B42.tmp\OCSetupHlp.dll",_RHPID994RHEng2@16 5980,9595210CF9E2400C90134CC2A18BB9F1,1276B8DBECA844DDBB5A15346776A41D,2509EDF23DD74C068F7FDBE1574BA62F

"C:\Users\Uouenrps\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\

RunDll32.exe "C:\Users\Ofeohdal\AppData\Local\Temp\nsaB735.tmp\OCSetupHlp.dll",_OCPID994OpenCandy2@16 1856,3F167C7F69BD454191D1126D67ED7F5F,C5D8C87AB2F74FED9946893891DE1DAF,6D0D4CC7B2864887A794D688C45C35A4

"C:\Users\Cltgpxis\AppData\Local\Temp\is-HJH98.tmp\314338c4716b627733e16ec458428c97f5c3feed_0003261524.tmp" /SL5="$3013C,2422026,832512,c:\users\user\downloads\314338c4716b627733e16ec458428c97f5c3feed_0003261524"