PUP.KeyViewer

Analysis Report

General information

Family Name: PUP.KeyViewer
Signature status: No Signature (the file carries no Authenticode code-signing certificate)

Known Samples

MD5: dde142fbeb37c54679a0ea122a2011e4
SHA1: b7f8dfe6caa5d7f2e364cc66ad109a8c514e9c59
File Size: 51.16 KB, 51164 bytes
MD5: 5dacea3525718bbc1159b40b06831a13
SHA1: 0f01da459f776de9b9ac8e3acf6af335946d72a3
SHA256: 8B3AAFD9196A074EEE355D394BFFC84033762D5402F7048E49FA6B17CFC61F60
File Size: 26.11 KB, 26112 bytes
MD5: bdb00015b4bc13da57874cd499afff51
SHA1: 3054892b7d5d652a24b3818cfe90e07f96022368
SHA256: 914121E504FE31A8C19D925B570BA832AB3C429B120ECDFB9F0245E58AAE1A21
File Size: 51.16 KB, 51164 bytes
MD5: 48ec9aecff5ab939ea57ae69f264ad2f
SHA1: 4962bd97bb420df17a99c2ed62087739472873df
SHA256: C0FC2F52126BE2CC24E1C8556C835A8D538E5B1BC8D3806395801AED3A7BA7AE
File Size: 50.85 KB, 50848 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
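Every attribute in the list above is read straight from the PE headers. As an added example (not code from the report or its producer), the following standard-library-only Python reproduces those checks: it parses the DOS header, looks for the MSVC "Rich" marker in the DOS stub, reads the COFF and optional headers, and tests the data directories behind each reported line (export, base relocation, debug, security/Authenticode, CLR). The minimal PE it builds is constructed test input, not one of the listed samples, and the packing verdict is deliberately left out because it needs section entropy or import heuristics rather than header fields.

```python
"""Header-derived PE attributes, in the wording the report uses. Added example."""
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
# IMAGE_DIRECTORY_ENTRY_* indexes into the optional header's data directory
DIR_EXPORT, DIR_SECURITY, DIR_BASERELOC, DIR_DEBUG, DIR_CLR = 0, 4, 5, 6, 14


def pe_attributes(data: bytes) -> dict:
    """Return the attributes the report lists, as booleans."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # A Rich header, if present, sits between the DOS header and the PE signature.
    has_rich = b"Rich" in data[0x40:e_lfanew]
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        num_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        num_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset in PE32 and PE32+
    num_dirs = struct.unpack_from("<I", data, num_dirs_off)[0]

    def directory_present(index: int) -> bool:
        if index >= num_dirs:
            return False
        rva, size = struct.unpack_from("<II", data, dirs_off + 8 * index)
        return rva != 0 and size != 0

    return {
        "rich_header": has_rich,
        "debug_info": directory_present(DIR_DEBUG),
        "exports": directory_present(DIR_EXPORT),
        "relocations": directory_present(DIR_BASERELOC),
        "security_directory": directory_present(DIR_SECURITY),  # Authenticode blob lives here
        "dotnet": directory_present(DIR_CLR),
        "is_32bit": magic == PE32_MAGIC,
        "is_gui": subsystem == IMAGE_SUBSYSTEM_WINDOWS_GUI,
        "console_or_gui": subsystem in (IMAGE_SUBSYSTEM_WINDOWS_GUI, IMAGE_SUBSYSTEM_WINDOWS_CUI),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "executable_image": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
    }


def build_minimal_pe(*, gui=True, dll=False, rich=False, signed=False, dotnet=False) -> bytes:
    """Constructed PE32 header with no sections (not loadable; test input only)."""
    stub = b""
    if rich:
        # DanS marker, one comp.id entry, 'Rich' marker and XOR key, left unencrypted
        stub = b"DanS" + b"\0" * 20 + b"Rich" + b"\0" * 4
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40 + len(stub))  # e_lfanew
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | (IMAGE_FILE_DLL if dll else 0)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, chars)  # 0x14C = IMAGE_FILE_MACHINE_I386
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 68, IMAGE_SUBSYSTEM_WINDOWS_GUI if gui else IMAGE_SUBSYSTEM_WINDOWS_CUI)
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 96 + 8 * DIR_SECURITY, 0x1000, 0x200)
    if dotnet:
        struct.pack_into("<II", opt, 96 + 8 * DIR_CLR, 0x2000, 0x48)
    return bytes(dos) + stub + b"PE\0\0" + coff + bytes(opt)


def report_lines(attrs: dict) -> list:
    """Render the attributes in the report's own phrasing."""
    lines = []
    for key, text in (("rich_header", '"Rich" header'), ("debug_info", "debug information"),
                      ("exports", "exports table"), ("relocations", "relocations information"),
                      ("security_directory", "security information")):
        lines.append("File %s %s" % ("has" if attrs[key] else "doesn't have", text))
    lines.append("File is %s executable" % ("32-bit" if attrs["is_32bit"] else "64-bit"))
    lines.append("File is %s application" % (".NET" if attrs["dotnet"] else "Native"))
    lines.append("IMAGE_FILE_DLL is %s" % ("set" if attrs["is_dll"] else "not set"))
    return lines


if __name__ == "__main__":
    for line in report_lines(pe_attributes(build_minimal_pe())):
        print(line)
```

Run it against a real sample with `pe_attributes(open(path, "rb").read())`; the unsigned-NSIS profile of these samples shows up as `security_directory` False together with `rich_header` False, which is what the "No Signature" and "nosig nsis" lines in the report encode.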

File Traits

  • Installer Manifest
  • nosig nsis
  • No Version Info
  • Nullsoft Installer
  • x86

Block Information

Total Blocks: 80
Potentially Malicious Blocks: 1
Whitelisted Blocks: 78
Unknown Blocks: 1

Visual Map

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Agent.MH
  • Agent.MI
  • Agent.MU
  • Autorun.LA
  • Chapak.HBBB
  • FakeAV.AU
  • Makoob.A
  • Parite.F
  • Trojan.Downloader.Gen.BQ

Files Modified

File    Requested access
c:\users\user\appdata\local\temp\nsgf481.tmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsgf481.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsgf481.tmp\system.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsp5769.tmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsp5769.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp5769.tmp\system.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsqf470.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsze9d4.tmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsze9d4.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsze9d4.tmp\system.dll Synchronize,Write Attributes

Registry Modifications

Key::Value Data API Name
HKLM\software\wow6432node\microsoft\windows nt\currentversion\softwareprotectionplatform\activation::manual  RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Dynbcegf\AppData\Local\Temp\nsp5769.tmp\ RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations *1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old5af52*1\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old5af62*1\??\C:\P RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 (binary data, not printable) RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations *1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old122e4*1\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old12352*1\??\C:\P RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey

Windows API Usage

Category API
Process Shell Execute
  • CreateProcess
User Data Access
  • GetUserObjectInformation
Anti Debug
  • NtQuerySystemInformation

Shell Command Execution

C:\Users\Dynbcegf\AppData\Local\Temp\gkey.exe
C:\Users\Fbdifovb\AppData\Local\Temp\gkey.exe
C:\Users\Ndmqahzf\AppData\Local\Temp\gkey.exe
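The Files Modified entries above are the NSIS plugin-extraction footprint (System.dll written into a fresh %TEMP%\ns*.tmp directory is the NSIS System plugin), and the Shell Command Execution entries show the same installer launching gkey.exe out of %TEMP%. As an added example that is not part of the report, the Python below correlates those two signals over constructed Sysmon-style events (event 11 FileCreate, event 1 ProcessCreate); the event field names, regexes and file names are assumptions. Either signal alone is weak: every NSIS installer produces the ns*.tmp footprint, and executables in Temp are common. The installer dropping and launching one from Temp is the behaviour the report records.

```python
"""Correlate the NSIS plugin footprint with a child .exe launched from %TEMP%. Added example."""
import re

# NSIS extracts its plugins to %LOCALAPPDATA%\Temp\ns<random>.tmp\System.dll
NSIS_PLUGIN_DLL = re.compile(r"\\appdata\\local\\temp\\ns[a-z0-9]+\.tmp\\system\.dll$", re.I)
# An executable launched directly out of the user's Temp directory (no subfolder)
TEMP_EXE = re.compile(r"\\appdata\\local\\temp\\[^\\]+\.exe$", re.I)

EVENTS = [  # constructed sample telemetry, not taken from the sandbox run
    # the report's pattern: installer writes System.dll, then runs gkey.exe from Temp
    {"id": 11, "pid": 4120, "image": r"C:\Users\user\Downloads\keyviewer_setup.exe",
     "target": r"C:\Users\user\AppData\Local\Temp\nsp5769.tmp\System.dll"},
    {"id": 1, "pid": 5210, "ppid": 4120, "parent": r"C:\Users\user\Downloads\keyviewer_setup.exe",
     "image": r"C:\Users\user\AppData\Local\Temp\gkey.exe"},
    # a benign NSIS installer: same plugin footprint, but its child runs from Program Files
    {"id": 11, "pid": 6011, "image": r"C:\Users\user\Downloads\vendor_setup.exe",
     "target": r"C:\Users\user\AppData\Local\Temp\nsz1a2b.tmp\System.dll"},
    {"id": 1, "pid": 6022, "ppid": 6011, "parent": r"C:\Users\user\Downloads\vendor_setup.exe",
     "image": r"C:\Program Files\Vendor\app.exe"},
    # a process in Temp with no NSIS parent: noisy on its own, so not reported here
    {"id": 1, "pid": 7001, "ppid": 900, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\user\AppData\Local\Temp\update_helper.exe"},
]


def nsis_installers(events):
    """pid -> image for every process that wrote the NSIS plugin directory."""
    return {e["pid"]: e["image"] for e in events
            if e["id"] == 11 and NSIS_PLUGIN_DLL.search(e["target"])}


def nsis_temp_payloads(events):
    """(installer, payload) pairs: an NSIS installer spawning an .exe straight from %TEMP%."""
    installers = nsis_installers(events)
    return [(installers[e["ppid"]], e["image"]) for e in events
            if e["id"] == 1 and e.get("ppid") in installers and TEMP_EXE.search(e["image"])]


if __name__ == "__main__":
    for installer, payload in nsis_temp_payloads(EVENTS):
        print("NSIS installer %s launched %s from Temp" % (installer, payload))
```

In the constructed data only the first installer is reported, although both wrote the ns*.tmp\System.dll plugin; the unrelated Temp executable is skipped because its parent never produced the NSIS footprint.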
