PUP.AirInstall
Analysis Report
General information
| Family Name: | PUP.AirInstall |
|---|---|
| Packers: | UPX |
| Signature status: | Self Signed |
Known Samples
This section lists other file samples believed to be associated with this family.

| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| ed219d98d6c3f55bf6e509bc509dfe57 | ef312785e7b8776038c56432e229d9a1931fd9a7 | B6F9D373584160C43AF346FCCD533AC7077F2258E3109F248EFD5C86DC5A3C87 | 861.60 KB, 861600 bytes |
| cbe40caa150d3767355f489cbead438b | b28b31124b5951f482cd123b5f9055e3dbc116f9 | ACF51E1EF6ADFD21E722584C4A6D25E3C26E4EF2AFD4F3BB40664E8AD8273AA0 | 929.18 KB, 929176 bytes |
| 8606c28e38dd2cf37a882b2a1e8cdbee | 1db009b808e93ff04356205abc5621b4f0cbe144 | 3030635BA1A0E1974735B67C2083D081E825429C111764DC0B5D8D4E6A85C2FB | 776.10 KB, 776104 bytes |
| f85d42ae3d424f6f04a09b1d0dd24e44 | 42649b1460f4d94fda09081c5addf532f71da04c | E67A17534CCC3B775823D3601B949A433E9D6EB170D6E2A48F34818A832ACEEC | 835.49 KB, 835488 bytes |
| 047f9acb7b9ceacc634633a58b938d49 | 715ff52a0d96ab9eda0e0e865c24cc3e3a2e207b | 01B71678E57115531D728C9E4511F74FDBFDF1C7CA5358CB26A6F0E9179CCB45 | 172.62 KB, 172616 bytes |
| 8111f66b14fd6ae10d4f70afe72e389b | b0d17d31f19b1f01d605bcedc17aa517279c9910 | A381BABFA32B9D05F367CF45DDA6DDE241C28B43A36698477680B9DCBDA13690 | 1.12 MB, 1115280 bytes |
| d2715c71f622c3433f659a3783a1a9c6 | 4215d4e0ef89af1970bc75632b9f763c9c473067 | 29CD764A927382A9967022C6395A5383ABC79F26CE317715997694B37D9670DF | 1.59 MB, 1592936 bytes |
| 53e3244560ea435006bae5adf92c03ea | 5e56807c163c1ad65035a0b6794ce13a1ee28c7e | 70DEFFF56329006113EA104275CD38DC9F7B400F439274AB7E16ADFD587E7FF2 | 1.18 MB, 1183864 bytes |
| 40bc6f99303f65dec809d327fe6080c5 | f4222861faea02f2fc949c7358f385d79a285314 | 6B3681EE199BE3FE9FDE3EC31FD44A28F68DF503BE48ADC5439B6465BF1EF288 | 955.54 KB, 955544 bytes |
| 547fad749511dd92556aea811e4cdf27 | c95c7feb3a0088de32fa1525e655cacbbaa3c1fb | F1D422D8F5B3208622E954EE60B3B69BD41822A3772B51C9F0611BA2FA1299D3 | 512.03 KB, 512032 bytes |
| 55eb3977d5a772f72d98ff64c9b1d777 | dc83c8099487e83b9fea381f4b74095c36bf7967 | 053F982A262231D4867C697454EDF1C3CF3393321486141F537759DB0710C4AC | 872.87 KB, 872872 bytes |
| 5f0b6db901313fde69523589a3d33e9a | 489ed59f8c45e1f991db3057d3c0d70ba2004364 | 01F18639C04AAA0B0ADA1CBF6F5FF71C727A3BE08D00956F73263C71A0038101 | 1.06 MB, 1057112 bytes |
| 9730bb4a0c458b7b764a5e188897b367 | f61993b5bde22eaf3a55651e8b081bd8b29f0c50 | EB29FD9124170C0995E8B49FDB4CF79210099FCF6BBA2FA1800F8FC303B4F3CB | 929.69 KB, 929688 bytes |
Windows Portable Executable Attributes
The attributes below are aggregated over the family's samples, so where two entries exclude each other (for example "File has been packed" and "File is not packed") they describe different samples, not one file.
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File has been packed
- File has TLS information
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
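The attribute list above comes straight from the PE headers. As an added example (not EnigmaSoft's tooling and not code from this report), the following Python reads those same facts from a file with only the standard library: the data directories that decide "doesn't have exports / relocations / debug / security (Authenticode) / TLS information", the Magic field for 32-bit vs 64-bit, the Subsystem for GUI vs console, the IMAGE_FILE_DLL and IMAGE_FILE_EXECUTABLE_IMAGE characteristics, and the CLR header that separates native from .NET. The "packed" hint from UPX0/UPX1 section names is an assumption of this example, not the method the report uses, and build_sample_pe() produces constructed header-only test data rather than any of the samples listed above.

```python
"""Added example: read the PE header facts listed under 'Windows Portable Executable Attributes'."""
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
DIR_EXPORT, DIR_SECURITY, DIR_BASERELOC, DIR_DEBUG, DIR_TLS, DIR_COM = 0, 4, 5, 6, 9, 14  # IMAGE_DIRECTORY_ENTRY_*


def pe_attributes(data: bytes) -> dict:
    """Parse the DOS, COFF and optional headers and return the report's attributes as booleans."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B  # Magic: 0x10B = PE32, 0x20B = PE32+
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]      # same offset in PE32 and PE32+
    ndirs = struct.unpack_from("<I", data, opt + (108 if pe32plus else 92))[0]
    dir_base = opt + (112 if pe32plus else 96)

    def has_dir(index: int) -> bool:
        """A data directory is present when its Size field is non-zero."""
        if index >= ndirs:
            return False
        _rva, size = struct.unpack_from("<II", data, dir_base + 8 * index)
        return size != 0

    sect_base = opt + opt_size
    names = [struct.unpack_from("<8s", data, sect_base + 40 * i)[0].rstrip(b"\0").decode("latin-1")
             for i in range(nsections)]
    return {
        # The Rich header, when present, sits between the DOS stub and the "PE\0\0" signature.
        "rich_header": b"Rich" in data[:e_lfanew],
        "debug_info": has_dir(DIR_DEBUG),
        "exports": has_dir(DIR_EXPORT),
        "relocations": has_dir(DIR_BASERELOC),
        "security_info": has_dir(DIR_SECURITY),  # Authenticode certificate table
        "tls": has_dir(DIR_TLS),
        "dotnet": has_dir(DIR_COM),               # CLR runtime header => .NET assembly
        "is_32bit": not pe32plus,
        "is_gui": subsystem == IMAGE_SUBSYSTEM_WINDOWS_GUI,
        "is_console": subsystem == IMAGE_SUBSYSTEM_WINDOWS_CUI,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "executable_image": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
        # Heuristic (assumption of this example, not the report's method): UPX names its sections UPX0/UPX1.
        "packer_hint": "UPX" if any(n.upper().startswith("UPX") for n in names) else None,
        "sections": names,
    }


def describe(attrs: dict) -> list:
    """Render the attributes in the wording this report uses."""
    lines = []
    for key, label in [("rich_header", '"Rich" header'), ("debug_info", "debug information"),
                       ("exports", "exports table"), ("relocations", "relocations information"),
                       ("security_info", "security information"), ("tls", "TLS information")]:
        verb = "has" if attrs[key] else "doesn't have"
        lines.append(f"File {verb} {label}")
    lines.append("File is 32-bit executable" if attrs["is_32bit"] else "File is 64-bit executable")
    if attrs["is_gui"]:
        lines.append("File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)")
    elif attrs["is_console"]:
        lines.append("File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)")
    lines.append("File is .NET application" if attrs["dotnet"]
                 else "File is Native application (NOT .NET application)")
    lines.append("IMAGE_FILE_DLL is set inside PE header (DLL)" if attrs["is_dll"]
                 else "IMAGE_FILE_DLL is not set inside PE header (Executable)")
    if attrs["packer_hint"]:
        lines.append(f"File has been packed ({attrs['packer_hint']} section names)")
    return lines


def build_sample_pe(upx=True, gui=True, dll=False, signed=False) -> bytes:
    """Constructed test data: a header-only PE32 image (not loadable) with the requested traits."""
    sections = [b"UPX0", b"UPX1", b".rsrc"] if upx else [b".text", b".rdata", b".rsrc"]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at 0x3C -> PE header at 0x40
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | 0x0100 | (IMAGE_FILE_DLL if dll else 0)  # 0x0100 = 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, chars)
    fmt = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6  # PE32 optional header, 96 bytes
    opt = struct.pack(fmt, 0x10B, 14, 0, 0x1000, 0x1000, 0, 0x1000, 0x1000, 0x2000, 0x400000, 0x1000, 0x200,
                      6, 0, 0, 0, 6, 0, 0, 0x4000, 0x400, 0,
                      IMAGE_SUBSYSTEM_WINDOWS_GUI if gui else IMAGE_SUBSYSTEM_WINDOWS_CUI, 0x8140,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[2] = (0x3000, 0x100)                 # resource directory
    if signed:
        dirs[DIR_SECURITY] = (0x4000, 0x200)  # certificate table => "has security information"
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = b"".join(struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1), 0x200,
                                0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020) for i, n in enumerate(sections))
    return dos + b"PE\0\0" + coff + opt + sect


if __name__ == "__main__":
    print("\n".join("- " + line for line in describe(pe_attributes(build_sample_pe()))))
```

Point pe_attributes() at the bytes of a real sample to reproduce the list; an empty security directory means there is no Authenticode blob at all, which is the first thing to settle before reading the Digital Signatures table below.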
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.

Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

| Name | Value |
|---|---|
| Comments | |
| Company Name | |
| File Description | |
| File Version | |
| Internal Name | |
| Legal Copyright | |
| Original Filename | |
| Product Name | |
| Product Version | |
Digital Signatures
This section lists digital signatures attached to samples within this family. When verifying a signature, confirm that the chain terminates at a well-known, trustworthy root and that the signature status is good. Malware is often signed with untrustworthy "Self Signed" certificates, which an author can create with no verification. It may also carry signatures from legitimate certificate authorities whose status is invalid, or from questionable root authorities with fake or misleading "Signer" names. The signer names seen here (Air Software, Download Helper, Install Manager, Download Manager, Installer Setup) are generic installer-style names and are not by themselves evidence of a legitimate publisher.

| Signer | Root | Status |
|---|---|---|
| Air Software | Air Software | Self Signed |
| Download Helper | COMODO RSA Code Signing CA | Self Signed |
| Install Manager | Install Manager | Self Signed |
| Download Manager | UTN-USERFirst-Object | Root Not Trusted |
| Air Software | VeriSign Class 3 Public Primary Certification Authority - G5 | Root Not Trusted |
| Installer Setup | VeriSign Class 3 Public Primary Certification Authority - G5 | Root Not Trusted |
| Download Helper | thawte SHA256 Code Signing CA | Self Signed |
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

| Total Blocks: | 8,091 |
|---|---|
| Potentially Malicious Blocks: | 455 |
| Whitelisted Blocks: | 7,636 |
| Unknown Blocks: | 0 |
Visual Map
[Block map not reproduced: the source renders it as a grid of per-block markers and truncates the data.]
Legend: 0 = Probable Safe Block; ? = Unknown Block; x = Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft's analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- Agent.FDJ
- Agent.LDE
- Agent.OFHA
- AirInstaller.A
- AutoHotkey.A
- Bitcoinminer.R
- Chapak.DA
- Convagent.I
- Draobo.A
- Eorezo.EC
- Farfli.AG
- Farfli.HD
- Farfli.LE
- Laban.C
- MPRESS Packer
- Marte.Z
- Rugmi.O
- Sicos.A
- Strictor.A
- Tyuyan.B
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system. Two details of this listing are sandbox context rather than installer behaviour: the "5e56807c163c1ad65035a0b6794ce13a1ee28c7e_0001183864" name is the analysis system's SHA1-plus-size name for the submitted sample (the 1,183,864-byte sample in Known Samples), and the UsrClass.dat{...}.TxR.N.regtrans-ms files are transaction logs that the Windows registry writes for the user's HKCU\Software\Classes hive when it is modified, not files the installer writes itself. The staging directory named by a GUID under %TEMP%, holding setup.exe together with an HTML/CSS/JavaScript installer UI, and the is-XXXXX.tmp (Inno Setup) and nsXXXX.tmp (NSIS) directories are the installer's own activity.

| File | Attributes |
|---|---|
| \device\namedpipe\gmdasllogger | Generic Write,Read Attributes |
| c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.0.regtrans-ms | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.1.regtrans-ms | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.2.regtrans-ms | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\3rdparty | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\data.js | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\data.js | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\data0.js | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\data0.js | Synchronize,Write Attributes |
Show More
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\img | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\img\0.gif | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\img\0.gif | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\img\1 | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\img\1 | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\img\2.gif | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\img\2.gif | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\index.html | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\index.html | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\setup.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\setup.exe | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\css | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\css\formcontrols.css | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\css\formcontrols.css | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\css\layout.css | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\css\layout.css | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\css\main.css | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\css\main.css | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\css\pie.htc | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\css\pie.htc | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\img | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\img\button_disabled.png | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\img\button_disabled.png | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\img\button_normal.png | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\img\button_normal.png | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\img\checkbox.gif | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\img\checkbox.gif | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\img\hr.gif | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\img\hr.gif | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\img\page.png | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\img\page.png | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\img\progress.png | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\img\progress.png | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\img\radio.gif | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\img\radio.gif | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\img\select.png | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\img\select.png | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\img\windows_arrow_down.gif | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\img\windows_arrow_down.gif | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\img\windows_arrow_up.gif | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\img\windows_arrow_up.gif | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\img\windows_drag_bottom.gif | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\img\windows_drag_bottom.gif | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\img\windows_drag_middle.gif | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\img\windows_drag_middle.gif | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\img\windows_drag_top.gif | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\img\windows_drag_top.gif | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\img\windows_track.gif | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\img\windows_track.gif | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\js | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\js\app.js | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\js\app.js | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\js\formcontrols.min.js | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\web\js\formcontrols.min.js | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\is-4p6ir.tmp\_isetup\_setup64.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\is-4p6ir.tmp\_isetup\_shfoldr.dll | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\is-s9e0l.tmp\5e56807c163c1ad65035a0b6794ce13a1ee28c7e_0001183864.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nslbcfd.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete |
| c:\users\user\appdata\local\temp\nsqbd1d.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsqbd1d.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsqbd1d.tmp\system.dll | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\setup.exe | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system. Note that the PendingFileRenameOperations data below names Windows' own updater binaries (MicrosoftEdgeUpdate.exe.old, CopilotUpdate.exe.old under C:\Windows\SystemTemp); entries like these are commonly background activity of the analysis host and should be corroborated before being treated as an indicator of this family.

| Key::Value | Data | API Name |
|---|---|---|
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | *1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old5af52 *1\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old5af62 *1\??\C:\P | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | | RegNtPreCreateKey |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

| Category | API |
|---|---|
| Anti Debug | |
| User Data Access | |
| Other Suspicious | |
| Network Wininet | |
| Process Manipulation Evasion | |
| Process Shell Execute | |
| Keyboard Access | |
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity. In the commands below, the user names (Rhszcinf, Tngujnjz, Dvhsdrzl, ...) are randomized per sandbox run and should be normalized before being used in detection logic. The is-XXXXX.tmp path with the /SL5= switch is Inno Setup's internal handoff from the downloaded installer to its extracted setup loader, and the GUID-named directory holds setup.exe together with an index.html that it is passed as its UI.
- C:\Users\Rhszcinf\AppData\Local\Temp\setup.exe relaunch
- C:\Users\Tngujnjz\AppData\Local\Temp\setup.exe relaunch
- "C:\Users\Dvhsdrzl\AppData\Local\Temp\is-S9E0L.tmp\5e56807c163c1ad65035a0b6794ce13a1ee28c7e_0001183864.tmp" /SL5="$3022C,926661,56832,c:\users\user\downloads\5e56807c163c1ad65035a0b6794ce13a1ee28c7e_0001183864"
- "aeac2814-61bf-4a12-8b11-c5ea3cfa382c\Setup.exe" "C:\Users\Bbluhopk\AppData\Local\Temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\index.html"
- C:\Users\Hzejbckk\AppData\Local\Temp\setup.exe relaunch
- C:\Users\Lnbgyqbj\AppData\Local\Temp\setup.exe relaunch
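The Files Modified and Shell Command Execution sections show the same installer behaviour repeated with per-run randomness: a different user name each run, a GUID staging directory, and Inno Setup "is-XXXXX.tmp" and NSIS "nsXXXX.tmp" temp directories. As an added example (not EnigmaSoft's detection logic and not code from this report), the following Python normalizes that randomness away so identical behaviour stacks to one key, then matches a small rule set over the normalized strings. The command lines and file paths are copied from the two sections above; the rule names, the placeholder tokens and the final benign control line are constructed for this example.

```python
"""Added example: normalize sandbox artefact paths and match installer-behaviour rules
over the command lines and file paths this report lists."""
import re
from collections import Counter

# Copied from the 'Shell Command Execution' and 'Files Modified' sections above; the final
# entry is a constructed benign control line that must not match any rule.
OBSERVED = [
    r"C:\Users\Rhszcinf\AppData\Local\Temp\setup.exe relaunch",
    r"C:\Users\Tngujnjz\AppData\Local\Temp\setup.exe relaunch",
    r"C:\Users\Hzejbckk\AppData\Local\Temp\setup.exe relaunch",
    r"C:\Users\Lnbgyqbj\AppData\Local\Temp\setup.exe relaunch",
    r'"C:\Users\Dvhsdrzl\AppData\Local\Temp\is-S9E0L.tmp\5e56807c163c1ad65035a0b6794ce13a1ee28c7e_0001183864.tmp"'
    r' /SL5="$3022C,926661,56832,c:\users\user\downloads\5e56807c163c1ad65035a0b6794ce13a1ee28c7e_0001183864"',
    r'"aeac2814-61bf-4a12-8b11-c5ea3cfa382c\Setup.exe" "C:\Users\Bbluhopk\AppData\Local\Temp\aeac2814-61bf-4a12-8b11-c5ea3cfa382c\index.html"',
    r"c:\users\user\appdata\local\temp\nsqbd1d.tmp\system.dll",
    r"c:\users\user\appdata\local\temp\is-4p6ir.tmp\_isetup\_shfoldr.dll",
    r"\device\namedpipe\gmdasllogger",
    r'"C:\Program Files\ExampleVendor\app.exe" --service',  # constructed, benign
]

# Per-run variability seen above: random user names, a GUID staging directory,
# Inno Setup "is-XXXXX.tmp" and NSIS "nsXXXX.tmp" temp directories.
USER_RE = re.compile(r"c:\\users\\[^\\]+\\")
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")
INNO_RE = re.compile(r"\\is-[0-9a-z]{5}\.tmp\b")
NSIS_RE = re.compile(r"\\ns[0-9a-z]{4,5}\.tmp\b")

# Rules run against the normalized (lower-cased, placeholder-substituted) event string.
RULES = {
    "temp_setup_relaunch": re.compile(r"^c:\\users\\<user>\\appdata\\local\\temp\\setup\.exe relaunch$"),
    "inno_stage_from_temp": re.compile(r'\\is-<rand>\.tmp\\[^\\"]+\.tmp" /sl5='),
    "inno_isetup_helper": re.compile(r"\\is-<rand>\.tmp\\_isetup\\"),
    "nsis_system_plugin": re.compile(r"\\ns<rand>\.tmp\\system\.dll$"),
    "guid_dir_html_installer_ui": re.compile(
        r'<guid>\\setup\.exe" "c:\\users\\<user>\\appdata\\local\\temp\\<guid>\\index\.html"'),
    "named_pipe_gmdasllogger": re.compile(r"^\\device\\namedpipe\\gmdasllogger$"),
}


def normalize(event: str) -> str:
    """Lower-case the event and replace per-run randomness with stable placeholders."""
    s = event.lower()
    s = USER_RE.sub(r"c:\\users\\<user>\\", s)
    s = GUID_RE.sub("<guid>", s)
    s = INNO_RE.sub(r"\\is-<rand>.tmp", s)
    s = NSIS_RE.sub(r"\\ns<rand>.tmp", s)
    return s


def match_rules(event: str) -> list:
    """Names of the rules whose pattern matches the normalized event."""
    norm = normalize(event)
    return [name for name, rx in RULES.items() if rx.search(norm)]


def stack(events) -> Counter:
    """Frequency of normalized events: identical behaviour across runs collapses to one key."""
    return Counter(normalize(e) for e in events)


def triage(events) -> dict:
    """Map each rule that fired to the raw events that triggered it."""
    hits = {}
    for e in events:
        for name in match_rules(e):
            hits.setdefault(name, []).append(e)
    return hits


if __name__ == "__main__":
    for norm, n in stack(OBSERVED).most_common():
        print(f"{n:2d}  {norm}")
    for rule, events in triage(OBSERVED).items():
        print(f"[{rule}] {len(events)} event(s)")
```

The normalization step is what makes the four "setup.exe relaunch" lines count as one behaviour; the same placeholders keep the rules short and stop a rule from silently depending on a sandbox-specific user name or GUID.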