PUP.DownloadSponsor
Analysis Report
General information
| Family Name: | PUP.DownloadSponsor |
|---|---|
| Signature status: | Self Signed |
Known Samples
This section lists other file samples believed to be associated with this family.
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File has exports table
- File has TLS information
- File is .NET application
- File is 32-bit executable
- File is 64-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.
| Name | Value |
|---|---|
| Assembly Version | 1.0.0.0 |
| Comments | |
| Company Name | |
| File Description | |
| File Version | |
| Internal Name | |
| Legal Copyright | |
| Legal Trademarks | PortableApps.com is a Trademark of Rare Ideas, LLC. |
| Original Filename | |
| Product Name | |
| Product Version | |
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature's root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy "Self Signed" digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading "Signer" names.
| Signer | Root | Status |
|---|---|---|
| CHIP Communications GmbH | CHIP Communications GmbH | Self Signed |
| CHIP Communications GmbH | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | Self Signed |
File Traits
- .NET
- .sdata
- 2+ executable sections
- Badsig nsis
- HighEntropy
- Installer Manifest
- Installer Version
- NewLateBinding
- nosig nsis
- Nullsoft Installer
- x64
- x86
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.
| Total Blocks: | 7,653 |
|---|---|
| Potentially Malicious Blocks: | 489 |
| Whitelisted Blocks: | 7,164 |
| Unknown Blocks: | 0 |
Visual Map
[Visual block map omitted: the block-by-block data in this copy of the report is truncated.]
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft's analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- Delf.XA
- Downloader.VE
- Kryptik.DEK
- Kryptik.HJB
- Lokorrito.C
- Lumma.FA
- Rugmi.BA
- Rugmi.IA
- Rugmi.SA
- Stealer.OBC
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.
| File | Attributes |
|---|---|
| c:\users\user\appdata\local\temp\134024768695944176.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsa11c.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete |
| c:\users\user\appdata\local\temp\nsj4831.tmp | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsj4831.tmp\inetc.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsj4831.tmp\inetc.dll | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\nsj4831.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsj4831.tmp\system.dll | Synchronize,Write Attributes |
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.
| Key::Value | Data | API Name |
|---|---|---|
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\content::cacheprefix | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\cookies::cacheprefix | Cookie: | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\history::cacheprefix | Visited: | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Wodzxsaf\AppData\Local\Temp\nsj4831.tmp\ | RegNtPreCreateKey |
| HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | | RegNtPreCreateKey |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.
| Category | API |
|---|---|
| User Data Access | |
| Process Shell Execute | |
| Network Wininet | |
| Syscall Use | |
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.
"cmd /C" "netsh" "winsock" "reset"