PUP.ImLoader

Analysis Report

General information

Family Name: PUP.ImLoader
Signature status: Root Not Trusted

Known Samples


Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has exports table
  • File has TLS information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name Value
Company Name
  • IncrediMail
  • IncrediMail LTD
  • IncrediMail Ltd.
  • Magneto Software
  • Verticon
File Description
  • Flash Player Wrapper
  • Global Network Inventory Scanner
  • HiYo Installer
  • HiYo installer
  • IncrediMail
  • IncrediMail ImSetup Application
  • IncrediMail Installer
  • IncrediMail installer
  • IncrediMail setup
  • Setup Launcher
File Version
  • 8, 0, 0, 1338
  • 8, 0, 0, 1337
  • 8, 0, 0, 1298
  • 8, 0, 0, 1282
  • 8, 0, 0, 1270
  • 8,0,0,1036
  • 7, 0, 0, 1785
  • 7, 0, 0, 1712
  • 7, 0, 0, 1693
  • 7, 0, 0, 1579
  • 6.2.9.5006
  • 5.6.8.3226
  • 5.3.1.2750
  • 5.3.1.2740
  • 4, 5, 0, 2089
  • 4, 1, 0, 4
  • 1.0
  • 1, 0, 0, 10
Internal Build Number 62562
Internal Name
  • GNI Scanner
  • HiYo_Install
  • ImSetup
  • IncrediMail Installer
  • Setup
  • SfxLoader
  • wflash3
Legal Copyright
  • Copyright (C) 2001
  • Copyright (C) 2007 Macrovision Corporation
  • Copyright (C) 2008
  • Copyright (C) 2010
  • Copyright © Magneto Software
  • incredimail
Original Filename
  • gniscan.exe
  • HiYo_Install.exe
  • ImSetup.EXE
  • IncrediMail_Install.exe
  • Setup.exe
  • SfxLoader.exe
Product Name
  • Global Network Inventory
  • HiYo installer
  • ImSetup Application
  • IncrediMail
  • IncrediMail Installer
  • IncrediMail installer
Product Version
  • 8, 0, 0, 1338
  • 8, 0, 0, 1337
  • 8, 0, 0, 1298
  • 8, 0, 0, 1282
  • 8, 0, 0, 1270
  • 8,0,0,1036
  • 7, 0, 0, 1785
  • 7, 0, 0, 1712
  • 7, 0, 0, 1693
  • 7, 0, 0, 1579
  • 6.2.9.5006
  • 4, 5, 0, 2089
  • 4, 1, 0, 4

Digital Signatures

Signer | Root | Status
QIHU 360 SOFTWARE CO. LIMITED | Symantec Class 3 SHA256 Code Signing CA | Hash Mismatch
IncrediMail Ltd. | VeriSign Class 3 Code Signing 2001 CA | Root Not Trusted
IncrediMail Ltd. | VeriSign Class 3 Code Signing 2001-4 CA | Root Not Trusted
IncrediMail Ltd. | VeriSign Class 3 Code Signing 2004 CA | Root Not Trusted
IncrediMail Ltd. | VeriSign Class 3 Code Signing 2004 CA | Hash Mismatch
IncrediMail Ltd. | VeriSign Class 3 Code Signing 2004 CA | Self Signed
IncrediMail Ltd. | VeriSign Class 3 Code Signing 2009-2 CA | Hash Mismatch
IncrediMail Ltd. | VeriSign Class 3 Code Signing 2009-2 CA | Self Signed
QIHU 360 SOFTWARE CO. LIMITED | VeriSign Class 3 Code Signing 2010 CA | Hash Mismatch

File Traits

  • HighEntropy
  • Installer Version
  • x86

Block Information

Total Blocks: 139
Potentially Malicious Blocks: 4
Whitelisted Blocks: 56
Unknown Blocks: 79

Visual Map

? ? 0 ? ? ? ? 0 ? ? 0 ? ? ? 0 0 0 0 0 0 x 0 0 ? 0 ? ? ? ? 0 ? ? ? x ? ? 0 ? ? ? ? 0 0 0 ? ? ? 0 ? 0 0 0 ? 0 0 0 ? ? 0 0 ? ? 0 0 ? 0 0 0 0 0 0 0 ? 0 ? x ? 0 0 0 0 1 1 0 0 0 0 ? ? ? ? ? ? ? ? ? ? 1 ? 0 x 0 0 ? ? ? ? ? ? ? 0 0 ? ? ? ? ? ? ? ? ? ? 0 ? ? ? 0 ? ? ? ? ? ? ? 0 ? ? ? 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Delf.XB
  • Injector.FHBH
  • Injector.KDG
  • Injector.KFTA
  • Injector.PMB
  • Injector.XN
  • Kryptik.YFH
  • Kryptik.YFK
  • NetBus.A
  • Sqwire.AA
  • Trojan.Injector.Gen.FBD

Files Modified


Registry Modifications

Key::Value | Data | API Name
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | | RegNtPreCreateKey
HKCU\software\iminstaller\incredimail::sessionguid | 51faf072-2bbf-4063-9f46-36c1dc5cf5ea | RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | 봐㜄彂ǜ | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing::enableconsoletracing | | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enablefiletracing | | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enableautofiletracing | | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enableconsoletracing | | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::filetracingmask | ￿ | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::consoletracingmask | ￿ | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::maxfilesize | | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::filedirectory | %windir%\tracing | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\advanced inf setup\ie complist::ie.hkcuzoneinfo | | RegNtPreCreateKey
HKCU\software\hiyo::sessionguid | 95a41785-9490-460f-9e51-38292a4f1482 | RegNtPreCreateKey
HKCU\local settings\muicache\1b\52c64b7e::@c:\windows\system32\firewallcontrolpanel.dll,-12122 | Windows Defender Firewall | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\content::cacheprefix | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\cookies::cacheprefix | Cookie: | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\history::cacheprefix | Visited: | RegNtPreCreateKey
HKCU\software\hiyo::installationfallbackmode | | RegNtPreCreateKey
HKCU\software\iminstaller\incredimail::sessionguid | a6c4b285-7787-46a4-ab9c-9a518dc016a9 | RegNtPreCreateKey
HKCU\software\iminstaller\incredimail::sessionguid | 2be4aa51-90d6-4ab8-a541-4f1e049db9f1 | RegNtPreCreateKey
HKCU\software\iminstaller\incredimail::sessionguid | 3af55b4d-17fb-4812-9c8b-211a21bc961c | RegNtPreCreateKey

Windows API Usage

Category API
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ReadProcessMemory
Process Shell Execute
  • CreateProcess
  • ShellExecuteEx
  • WriteConsole
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
  • OutputDebugString
User Data Access
  • GetUserObjectInformation
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • UNKNOWN
Process Terminate
  • TerminateProcess
Network Wininet
  • HttpOpenRequest
  • HttpQueryInfo
  • HttpSendRequest
  • InternetConnect
  • InternetOpen

Shell Command Execution

C:\Users\Ydvjreop\AppData\Local\Temp\GLB1091.tmp C:\Users\Ydvjreop\AppData\Local\Temp\GLB1091.tmp 4736 c:\users\user\DOWNLO~1\D1E8FC~1.EXE
C:\Users\Isoprpbz\AppData\Local\Temp\GLBE314.tmp C:\Users\Isoprpbz\AppData\Local\Temp\GLBE314.tmp 4736 c:\users\user\DOWNLO~1\C82253~1.EXE
C:\Users\Qsregxpn\AppData\Local\Temp\GLBD365.tmp C:\Users\Qsregxpn\AppData\Local\Temp\GLBD365.tmp 4736 c:\users\user\DOWNLO~1\CC497B~1.EXE
C:\Users\Bowizmzx\AppData\Local\Temp\GLB4A86.tmp C:\Users\Bowizmzx\AppData\Local\Temp\GLB4A86.tmp 4736 c:\users\user\DOWNLO~1\C0683B~1
(NULL) icacls C:\Users\Obsqucne\AppData\Local\Temp\Low /setintegritylevel (OI)(CI)low
WriteConsole: processed file:
WriteConsole: Successfully pro
C:\Users\Dormhndg\AppData\Local\Temp\GLB2D22.tmp C:\Users\Dormhndg\AppData\Local\Temp\GLB2D22.tmp 4736 c:\users\user\DOWNLO~1\3E3EA4~1
C:\Users\Ynfsibca\AppData\Local\Temp\GLBD038.tmp C:\Users\Ynfsibca\AppData\Local\Temp\GLBD038.tmp 4736 c:\users\user\DOWNLO~1\CF7828~1
C:\Users\Eqjmdvzz\AppData\Local\Temp\GLBBA0E.tmp C:\Users\Eqjmdvzz\AppData\Local\Temp\GLBBA0E.tmp 4736 c:\users\user\DOWNLO~1\CB05CF~1
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\acf1d5e262cd90cf7ec5bbf456140cff25e4ebef_0000324992.,LiQMAxHB
C:\Users\Zmjqzuji\AppData\Local\Temp\GLBA728.tmp C:\Users\Zmjqzuji\AppData\Local\Temp\GLBA728.tmp 4736 c:\users\user\DOWNLO~1\1B4D7E~1
C:\Users\Ejwvbkmr\AppData\Local\Temp\GLBA802.tmp C:\Users\Ejwvbkmr\AppData\Local\Temp\GLBA802.tmp 4736 c:\users\user\DOWNLO~1\7E3316~1
C:\Users\Uqjbxlwk\AppData\Local\Temp\GLBA7C4.tmp C:\Users\Uqjbxlwk\AppData\Local\Temp\GLBA7C4.tmp 4736 c:\users\user\DOWNLO~1\F2636C~1
C:\Users\Udpwegfl\AppData\Local\Temp\GLB7776.tmp C:\Users\Udpwegfl\AppData\Local\Temp\GLB7776.tmp 4736 c:\users\user\DOWNLO~1\2B7EB7~1
