Multi-License Discount Quote

Change Region

English
Threat Database Potentially Unwanted Programs PUP.CrossRider.BC

PUP.CrossRider.BC

By CagedTech in Potentially Unwanted Programs

Analysis Report

General information

Family Name: PUP.CrossRider.BC
Signature status: No Signature

Known Samples

MD5: 208de9821ab0e28b0a2cafc37b03b13b
SHA1: 3a6047b32c6e5a5cccbf7a430e5ac8149b1bd8a8
SHA256: DC5FABE948907E87B41AEF3290F4D5C89BA8442ABFAE6EF2EA405F234F419757
File Size: 2.71 MB, 2708682 bytes
MD5: 04426b71849ceb9bd7954e8680503fb5
SHA1: f73ea2e64568b296fd879571e8d5ee083e7f28ef
SHA256: E7E7EE89F5C0D68DCA77D804773425A7EB87D5B166799A635948DDF2CC3526B3
File Size: 83.46 KB, 83456 bytes
MD5: a739a7ba2bb1792a7412edbeb8d0f688
SHA1: 49070c6eee970484662e8576a7bb488996c4a0c9
SHA256: 204D7CA817ED39AB2C8728EBE134FADE818F321866B4B9DB55C38B5946D204EA
File Size: 3.05 MB, 3046502 bytes
MD5: 7eca038fea3ba836805e0e17be86aec2
SHA1: beb7ab4a82f1cf9a834b183bb38fe83577013a2f
SHA256: DDE6A21A1F9E9BD73D52FE19371C1947D80CDC4C51983C8BEBD03AD56F6232CD
File Size: 2.15 MB, 2147212 bytes
MD5: b1eb8b2c198db5ac4e292c14521b5047
SHA1: 33101adeca5d3b2d2b14d2792a2fd2dcf86acd16
SHA256: 3AC6FE1DF07BFF59B235EC2F551E1FD7576CFA35BA370BFE875C923A143927F4
File Size: 84.99 KB, 84992 bytes
Show More
MD5: 884f11510e054b86b0e98a124df110ab
SHA1: 52ff1e390423914574cd03802aeaa1deb987b586
SHA256: 47505203141D0029EBC21F0BC4CED2872236E6CB3BA4406561ED8DF96592D1DD
File Size: 85.50 KB, 85504 bytes
MD5: 52257fb835be406e0e81789bca4e64a2
SHA1: 062a837520c2c80888e3e31293704b340847b0c1
SHA256: 9FFFB80ED27D1E9CC77D7740B92B57BDC5C9597835376AAA7AAFA0B5D43276A9
File Size: 2.98 MB, 2980937 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have resources
  • File doesn't have security information
  • File has exports table
  • File is 32-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
Show More
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name Value
Comments
  • comment on Lbytbokjjdgmq
  • comment on Lmztcfgyzt
  • comment on Ykjswbf
Company Name
  • Aixrb LTD
  • Jwuunllgnt LTD
  • Llgbsqdvjj LTD
File Description
  • Hgjehn
  • Ldvxuqvalp
  • Lwhdrjgmt
File Version
  • 1.35.12.18
  • 1.34.3.28
Legal Copyright
  • Copyright Dgizoutrxibtyd
  • Copyright Oudehtsbdjhjsd
  • Copyright Shivo
Legal Trademarks
  • Fegcgfarlxkxa is a trademark of Ttpvjynlpzgo
  • Fvnyf is a trademark of Vjkesigvq
  • Mrfggqgrcqktx is a trademark of Dchcscjsqfmhm

File Traits

  • dll
  • HighEntropy
  • x86

Files Modified

File Attributes
c:\users\user\appdata\local\google\chrome\user data\default\preferences Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\google\chrome\user data\local state Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\nsf5a38.tmp\installerutils.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsf5a38.tmp\installerutils2.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsf5a38.tmp\md5dll.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsf5a38.tmp\nsisos.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsf5a38.tmp\stdutils.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsf5a38.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsh26e0.tmp\installerutils.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsh26e0.tmp\installerutils2.dll Generic Write,Read Attributes
Show More
c:\users\user\appdata\local\temp\nsh26e0.tmp\md5dll.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsh26e0.tmp\nsisos.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsh26e0.tmp\stdutils.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsh26e0.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsh26e0.tmp\userinfo.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsh5e7d.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsj5749.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsjb860.tmp\installerutils.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsjb860.tmp\installerutils2.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsjb860.tmp\md5dll.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsjb860.tmp\nsisos.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsjb860.tmp\stdutils.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsjb860.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsjb860.tmp\userinfo.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsq59e9.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsr25e5.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsr26cf.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nss5ff4.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nstb84f.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsx6014.tmp\installerutils.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsx6014.tmp\installerutils2.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsx6014.tmp\nsisos.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsx6014.tmp\stdutils.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsx6014.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsx6014.tmp\userinfo.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsyb6e8.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\~nsu.tmp\au_.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144

Registry Modifications

Key::Value Data API Name
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Viesttab\AppData\Local\Temp\~nsu.tmp\Au_.exe RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Viesttab\AppData\Local\Temp\~nsu.tmp\Au_.exe\??\C:\Users\Viesttab\AppData\Local\Temp\~nsu.tmp RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
Show More
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\content::cacheprefix RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\cookies::cacheprefix Cookie: RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\history::cacheprefix Visited: RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Vdxzaraq\AppData\Local\Temp\~nsu.tmp\Au_.exe RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Vdxzaraq\AppData\Local\Temp\~nsu.tmp\Au_.exe\??\C:\Users\Vdxzaraq\AppData\Local\Temp\~nsu.tmp RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Yhcykhrh\AppData\Local\Temp\~nsu.tmp\Au_.exe RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Yhcykhrh\AppData\Local\Temp\~nsu.tmp\Au_.exe\??\C:\Users\Yhcykhrh\AppData\Local\Temp\~nsu.tmp RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations *1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old122e4*1\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old12352*1\??\C:\P RegNtPreCreateKey

Windows API Usage

Category API
Process Shell Execute
  • CreateProcess
Network Info Queried
  • GetAdaptersInfo
Network Wininet
  • HttpOpenRequest
  • HttpQueryInfo
  • HttpSendRequest
  • InternetConnect
  • InternetOpen
  • InternetSetOption
Syscall Use
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtClose
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtProtectVirtualMemory
Show More
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • win32u.dll!NtUserGetKeyboardLayout
  • win32u.dll!NtUserGetThreadState
Anti Debug
  • NtQuerySystemInformation
Process Manipulation Evasion
  • NtUnmapViewOfSection

Shell Command Execution

"C:\Users\Viesttab\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=c:\users\user\downloads\
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\f73ea2e64568b296fd879571e8d5ee083e7f28ef_0000083456.,LiQMAxHB
"C:\Users\Vdxzaraq\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=c:\users\user\downloads\
"C:\Users\Yhcykhrh\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=c:\users\user\downloads\
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\33101adeca5d3b2d2b14d2792a2fd2dcf86acd16_0000084992.,LiQMAxHB
Show More
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\52ff1e390423914574cd03802aeaa1deb987b586_0000085504.,LiQMAxHB
"C:\Users\Dlfzinqs\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=c:\users\user\downloads\

Trending

Most Viewed

Loading...