PUP.Atom
Analysis Report
General information
| Family Name: | PUP.Atom |
|---|---|
| Signature status: | Modified signature |
Known Samples
This section lists other file samples believed to be associated with this family.
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have exports table
- File has TLS information
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.
| Name | Value |
|---|---|
| Company Name | |
| File Description | Atom Browser |
| File Version | |
| Internal Name | Atom Browser |
| Legal Copyright | |
| Original Filename | Atom Browser |
| Product Name | Atom Browser |
| Product Version | |
File Traits
- HighEntropy
- x86
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.
| Total Blocks: | 3,412 |
|---|---|
| Potentially Malicious Blocks: | 459 |
| Whitelisted Blocks: | 2,953 |
| Unknown Blocks: | 0 |
Visual Map
(Block map image not reproduced; the per-block data is truncated in the source. Legend:)
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- Rugmi.R
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.
| File | Attributes |
|---|---|
| c:\programdata\mail.ru\id | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\atom_loader.log | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\loader_ldir_2144937\loader.exe | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
| c:\users\user\appdata\local\temp\loader_ldir_23656\da902f6d21c5627b62c2b434e117a192fe429435_0001001144.exe | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
| c:\users\user\appdata\local\temp\loader_ldir_3208156\1b3cabb4e0c4e30b456596969fcbae03405a7278_0001001144 | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
| c:\users\user\appdata\local\temp\loader_ldir_4480140\59555657b1fbe6debf02b039dd9aa3c28f2560ea_0001001144 | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
| c:\users\user\appdata\local\temp\loader_ldir_8945750\loader.exe | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
| c:\users\user\appdata\local\temp\loader_ldir_920390\655a220db4bbd22dca56d5c38079c6859711bb1d_0001001144 | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
| c:\users\user\appdata\local\temp\mr1345828\loader.exe | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
| c:\users\user\appdata\local\temp\mr1762593\loader.exe | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
| c:\users\user\appdata\local\temp\mr2127703\loader.exe | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
| c:\users\user\appdata\local\temp\mr2144203\loader.exe | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
| c:\users\user\appdata\local\temp\mr2144265\loader.exe | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
| c:\users\user\appdata\local\temp\mr2236390\loader.exe | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
| c:\users\user\appdata\local\temp\mr2644812\loader.exe | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
| c:\users\user\appdata\local\temp\mr2925453\loader.exe | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
| c:\users\user\appdata\local\temp\mr6256781\loader.exe | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
| c:\users\user\appdata\local\temp\mr7144546\loader.exe | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
| c:\users\user\appdata\local\temp\mr7460828\loader.exe | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
| c:\users\user\appdata\local\temp\mr81078\loader.exe | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
| c:\users\user\appdata\local\temp\mr81281\loader.exe | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.
| Key::Value | Data | API Name |
|---|---|---|
| HKCU\software\mail.ru\atominstaller::loaderguid | {5D2C8238-573C-4AA9-B6D8-CF00DBED4F3D} | RegNtPreCreateKey |
| HKCU\software\mail.ru\atominstaller::loaderguid | {9E28411B-9536-4574-8A7E-6B16AF2F182D} | RegNtPreCreateKey |
| HKCU\software\mail.ru\atominstaller::loaderguid | {4FE0F408-9F7F-4A43-B482-C11E564F9258} | RegNtPreCreateKey |
| HKCU\software\mail.ru\atominstaller::loaderguid | {FF86EBDF-263A-462A-80A4-5D6A7D486CFB} | RegNtPreCreateKey |
| HKCU\software\mail.ru\atominstaller::loaderguid | {D518BC92-99FD-4EDA-8CC3-3583E31CD864} | RegNtPreCreateKey |
| HKCU\software\mail.ru\atominstaller::loaderguid | {5A2FDB00-0612-4E7D-968E-F016320AEBC1} | RegNtPreCreateKey |
| HKCU\software\mail.ru\atominstaller::loaderguid | {9B2130C2-1D01-45F3-8A51-029BB6083556} | RegNtPreCreateKey |
| HKCU\software\mail.ru\atominstaller::loaderguid | {3F38798B-8F88-49A5-8DA3-0058278A25C2} | RegNtPreCreateKey |
| HKCU\software\mail.ru\atominstaller::loaderguid | {E6C664F1-746A-4FFB-B83C-51882784DB1A} | RegNtPreCreateKey |
| HKCU\software\mail.ru\atominstaller::loaderguid | {4F163795-6DE3-400A-8A69-78F0DAF673B6} | RegNtPreCreateKey |
| HKCU\software\mail.ru\atominstaller::loaderguid | {23ED1E3F-F967-486A-9421-DEB53ACD4AF9} | RegNtPreCreateKey |
| HKCU\software\mail.ru\atominstaller::loaderguid | {1996B3B7-27D0-4418-BDE4-A49DDCAC5F1C} | RegNtPreCreateKey |
| HKCU\software\mail.ru\atominstaller::loaderguid | {2E46EBBB-EBE7-4FF0-919E-E4EC930CD66C} | RegNtPreCreateKey |
| HKCU\software\mail.ru\atominstaller::loaderguid | {6765EFC4-1C5F-41E7-9469-EC62CCF5342D} | RegNtPreCreateKey |
| HKCU\software\mail.ru\atominstaller::loaderguid | {09DBCAA4-3310-45B0-9F78-2BF9DB996D29} | RegNtPreCreateKey |
| HKCU\software\mail.ru\atominstaller::loaderguid | {B143990A-BACD-4AC7-95C8-72533D37AEC9} | RegNtPreCreateKey |
| HKCU\software\mail.ru\atominstaller::loaderguid | {2D0DCD0E-AF0E-4394-A3FA-18AE91CED7ED} | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | | RegNtPreCreateKey |
| HKCU\software\mail.ru\atominstaller::loaderguid | {748A23CB-DDE0-4205-B0A8-074157A32C0A} | RegNtPreCreateKey |
| HKCU\software\mail.ru\atominstaller::loaderguid | {5A840A62-49B1-4806-BDCC-65324191DB79} | RegNtPreCreateKey |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.
| Category | API |
|---|---|
| Process Manipulation Evasion | |
| Process Shell Execute | |
| Encryption Used | |
| Network Winhttp | |
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.
- C:\Users\Jaicovnb\AppData\Local\Temp\\loader_ldir_23656\da902f6d21c5627b62c2b434e117a192fe429435_0001001144.exe "C:\Users\Jaicovnb\AppData\Local\Temp\\loader_ldir_23656\da902f6d21c5627b62c2b434e117a192fe429435_0001001144.exe" --cp
- C:\Users\Hmlahrec\AppData\Local\Temp\\loader_ldir_8945750\loader.exe "C:\Users\Hmlahrec\AppData\Local\Temp\\loader_ldir_8945750\loader.exe" --cp
- C:\Users\Fqrgujqr\AppData\Local\Temp\\loader_ldir_3208156\1b3cabb4e0c4e30b456596969fcbae03405a7278_0001001144 "C:\Users\Fqrgujqr\AppData\Local\Temp\\loader_ldir_3208156\1b3cabb4e0c4e30b456596969fcbae03405a7278_0001001144" --cp
- "c:\users\user\downloads\248aab04e16e4505d66326441374433b9297139b_0001205856" --cp
- C:\Users\Ljivjcfn\AppData\Local\Temp\\mr81281\loader.exe "C:\Users\Ljivjcfn\AppData\Local\Temp\\mr81281\loader.exe" --cp
- "c:\users\user\downloads\fe48a141cc80166509e94bc54026648749cd9a9b_0001205856" --cp
- C:\Users\Gdfmiotg\AppData\Local\Temp\\mr2127703\loader.exe "C:\Users\Gdfmiotg\AppData\Local\Temp\\mr2127703\loader.exe" --cp
- C:\Users\Pupjsbxk\AppData\Local\Temp\\loader_ldir_920390\655a220db4bbd22dca56d5c38079c6859711bb1d_0001001144 "C:\Users\Pupjsbxk\AppData\Local\Temp\\loader_ldir_920390\655a220db4bbd22dca56d5c38079c6859711bb1d_0001001144" --cp
- C:\Users\Prqckeit\AppData\Local\Temp\\mr1345828\loader.exe "C:\Users\Prqckeit\AppData\Local\Temp\\mr1345828\loader.exe" --cp
- "c:\users\user\downloads\9ae1c59fdde398db8e24dc26043908cd81a4e79e_0001205856" --cp
- "c:\users\user\downloads\ca838e5edaf384517f0bcec72de211978e3706ea_0001205856" --cp
- "c:\users\user\downloads\95165ac3ac6fd6997ce48f736c00bef573709d68_0001205856" --cp
- C:\Users\Stwtiqyc\AppData\Local\Temp\\mr2144203\loader.exe "C:\Users\Stwtiqyc\AppData\Local\Temp\\mr2144203\loader.exe" --cp
- C:\Users\Indaxlhw\AppData\Local\Temp\\loader_ldir_4480140\59555657b1fbe6debf02b039dd9aa3c28f2560ea_0001001144 "C:\Users\Indaxlhw\AppData\Local\Temp\\loader_ldir_4480140\59555657b1fbe6debf02b039dd9aa3c28f2560ea_0001001144" --cp
- C:\Users\Bpmyhtst\AppData\Local\Temp\\loader_ldir_2144937\loader.exe "C:\Users\Bpmyhtst\AppData\Local\Temp\\loader_ldir_2144937\loader.exe" --cp
- "c:\users\user\downloads\627b7b628da6f4a6c2a5c1930f4a8f210bf969dc_0001205856" --cp
- "c:\users\user\downloads\96ee9aa77f6a9b9085d6bf10d911922fb89c4c8f_0001205856" --cp
- C:\Users\Dkpsmtxi\AppData\Local\Temp\\mr2644812\loader.exe "C:\Users\Dkpsmtxi\AppData\Local\Temp\\mr2644812\loader.exe" --cp
- "c:\users\user\downloads\095b3d71e5f91d3a3f47bce21c9dd6d162c78706_0001205856" --cp