PUP.MSIL.DownloadSponsor.A

By CagedTech in Potentially Unwanted Programs

Table of Contents

Analysis Report

General information

Family Name:	PUP.MSIL.DownloadSponsor.A
Signature status:	No Signature

Known Samples

MD5: e39e057b7cd467d6bcf7a2f0c66ff421

SHA1: ddea05ae47ebd453981c8e5748dd8838680c790e

SHA256: 6281B812B9C9D1B23DF9BD204B34D3C9D44F35A4AAF739AB6C8E437333BAB8C5

File Size: 253.95 KB, 253952 bytes

MD5: e03d94fbfd0724d9090079b89faa8961

SHA1: bd20065545494a9a4680dc36ab6ed0b1c36dae5b

SHA256: F0B53378AA56A9CE9E7E23305FBB0BC349CCB81B837CD05025A2C980AF5884B2

File Size: 512.00 KB, 512000 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have debug information
File doesn't have exports table
File doesn't have relocations information
File doesn't have security information
File is .NET application
File is 32-bit executable
File is either console or GUI application
File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
File is Native application (NOT .NET application)

File is not packed
IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name	Value
Assembly Version	1.0.0.0
Comments	OCSClient v5.0 Presetup für OnlineContent
Company Name	OCS www.download-sponsor.de
File Description	OCS
File Version	1.00 1.0.0.0
Internal Name	OCS.exe ocsclient
Legal Copyright	Copyright @ www.download-sponsor.de Copyright © Project OCS
Original Filename	OCS.exe ocsclient.exe
Product Name	OCS OCSClient
Product Version	1.00 1.0.0.0

File Traits

.NET
.sdata
Installer Version
NewLateBinding
x86

Files Modified

File	Attributes
c:\users\user\appdata\local\temp\ocs\icsharpcode.sharpziplib.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\ocs\ocs_v6a.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\~df01f4b0a8c745a690.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\roaming\ocs\ocs\1.0.0.0\ocs_v6a.log	Generic Write,Read Attributes

Registry Modifications

Key::Value	Data	API Name
HKCU\software\ocs::cid	35d2160d-4d30-4533-b9b2-807f14f3d7e3	RegNtPreCreateKey
HKCU\software\ocs::cid	5d3ac2f4-f86e-40a8-8d41-d7352bfc39d9	RegNtPreCreateKey
HKCU\software\ocs::pid	freewarede	RegNtPreCreateKey
HKCU\software\ocs::lastpid	freewarede	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey

Windows API Usage

Category	API
Syscall Use	ntdll.dll!NtAccessCheck ntdll.dll!NtAlpcConnectPort ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtApphelpCacheControl ntdll.dll!NtClearEvent ntdll.dll!NtClose ntdll.dll!NtConnectPort ntdll.dll!NtCreateEvent ntdll.dll!NtCreateFile ntdll.dll!NtCreateKey Show More ntdll.dll!NtCreateMutant ntdll.dll!NtCreateSection ntdll.dll!NtDeviceIoControlFile ntdll.dll!NtDuplicateToken ntdll.dll!NtEnumerateKey ntdll.dll!NtEnumerateValueKey ntdll.dll!NtFlushProcessWriteBuffers ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtMapViewOfSection ntdll.dll!NtOpenEvent ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenKeyEx ntdll.dll!NtOpenProcessToken ntdll.dll!NtOpenSection ntdll.dll!NtOpenSemaphore ntdll.dll!NtOpenThreadToken ntdll.dll!NtPowerInformation ntdll.dll!NtProtectVirtualMemory ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryDefaultLocale ntdll.dll!NtQueryDirectoryFileEx ntdll.dll!NtQueryFullAttributesFile ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryKey ntdll.dll!NtQueryLicenseValue ntdll.dll!NtQueryPerformanceCounter ntdll.dll!NtQuerySecurityAttributesToken ntdll.dll!NtQuerySecurityObject ntdll.dll!NtQuerySystemInformation ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtQueryWnfStateData ntdll.dll!NtReadRequestData ntdll.dll!NtReleaseMutant ntdll.dll!NtReleaseSemaphore ntdll.dll!NtReleaseWorkerFactoryWorker ntdll.dll!NtRequestWaitReplyPort ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationKey ntdll.dll!NtSetInformationProcess ntdll.dll!NtSetInformationThread ntdll.dll!NtSetInformationVirtualMemory ntdll.dll!NtSetInformationWorkerFactory ntdll.dll!NtSetValueKey ntdll.dll!NtSubscribeWnfStateChange ntdll.dll!NtTestAlert ntdll.dll!NtTraceControl ntdll.dll!NtUnmapViewOfSection ntdll.dll!NtUnmapViewOfSectionEx ntdll.dll!NtWaitForSingleObject ntdll.dll!NtWaitForWorkViaWorkerFactory ntdll.dll!NtWaitLowEventPair ntdll.dll!NtWriteFile UNKNOWN
User Data Access	GetUserObjectInformation
Anti Debug	IsDebuggerPresent OutputDebugString
Other Suspicious	SetWindowsHookEx
Process Manipulation Evasion	NtUnmapViewOfSection
Process Shell Execute	CreateProcess
Encryption Used	CryptAcquireContext

Shell Command Execution


							C:\Users\Hgaiuozb\AppData\Local\Temp\OCS\ocs_v6a.exe -install -h356209 -freewarede -f467d56c062440edbca37875dc2fefa9 - -

EnigmaSoft’s Payment Processor Digital River GmbH Filing for Bankruptcy Does Not Impact SpyHunter Customers’ Anti-Malware Protection

Search

Change Region

PUP.MSIL.DownloadSponsor.A

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

File Icons

File Icons

Windows PE Version Information

Windows PE Version Information

File Traits

Files Modified

Files Modified

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

Submit Comment

Trending

LinkedIn Collaboration Email Scam

Your Microsoft Outlook Email Client Is Outdated...

TSADBOT

Most Viewed

Pornktube.porn

How To Fix 'Printer Driver is Unavailable' Error

Discord Shows Black Screen when Sharing Screen