Multi-License Discount Quote

Change Region

English
Threat Database Potentially Unwanted Programs PUP.Multikey

PUP.Multikey

By CagedTech in Potentially Unwanted Programs

Analysis Report

General information

Family Name: PUP.Multikey
Signature status: No Signature

Known Samples

MD5: 0f545cf7092b341482a5d2e81084f38b
SHA1: 660a0182e0b5364fde23f0f38d3579197c447725
SHA256: 15FFA33D545E68AA45E0A0E7E6491748786C0BE21D0C51E8F3EFA7B2D9C408BD
File Size: 480.26 KB, 480256 bytes
MD5: a2c19058a54e6f90ed1ed41a6228dce6
SHA1: 29700c0ec01dd60cb8a482471da44855666f1385
SHA256: 28D666DC7711CC5A8E2556E4B512B664853C2A8ABA79A083518221BC5EDE8FC9
File Size: 5.69 MB, 5691110 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File is 32-bit executable
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
Show More
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name Value
Company Name Created for People
File Description MultiKey Driver Installing for Windows 64bit
File Version
  • 1.00
  • 0,7,2,0
Internal Name
  • Delcam Installer x64
  • TJprojMain
Legal Copyright (C) 2016, Created for People
Original Filename TJprojMain.exe
Product Name
  • MultiKey Installer for Delcam
  • Project1
Product Version
  • 1.00
  • 0.7.2.0

File Traits

  • 2+ executable sections
  • BINinO
  • HighEntropy
  • x64

Files Modified

File Attributes
\device\namedpipe Generic Read,Write Attributes
\device\namedpipe Generic Write,Read Attributes
c:\bf97.tmp\choose.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\bf97.tmp\cursorsize.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\bf97.tmp\dcam.paf Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\bf97.tmp\delcam.reg Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\bf97.tmp\devcon.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\bf97.tmp\infclean.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\bf97.tmp\install64.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\bf97.tmp\mkicon.ico Generic Read,Write Data,Write Attributes,Write extended,Append data
Show More
c:\bf97.tmp\multikey.cat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\bf97.tmp\multikey.inf Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\bf97.tmp\multikey.sys Generic Read,Write Data,Write Attributes,Write extended,Append data

Registry Modifications

Key::Value Data API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 頔ٟ唶ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe ௥ڔ唶ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 婤ڢ唶ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe ઐڳ唶ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 夅ہ唶ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe ꜕ۏ唶ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe ᱀ۥ唶ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\cmd.exe 쵘۵唶ǜ RegNtPreCreateKey

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClose
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateNamedPipeFile
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
Show More
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtFsControlFile
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtTerminateProcess
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWriteFile
  • UNKNOWN
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess
Other Suspicious
  • SetWindowsHookEx

Shell Command Execution

"\BF97.tmp\install64.bat"
C:\WINDOWS\system32\mode.com mode con:cols=72 lines=24
c:\BF97.tmp\cursorsize.exe cursorsize 0
C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /S /D /c" ver "
C:\WINDOWS\system32\find.exe find /i "5.1"
Show More
C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /S /D /c" ver "
C:\WINDOWS\system32\find.exe find /i "5.2"
C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /S /D /c" ver "
C:\WINDOWS\system32\find.exe find /i "6.0"
C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /S /D /c" ver "
C:\WINDOWS\system32\find.exe find /i "6.1"
C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /S /D /c" ver "
C:\WINDOWS\system32\find.exe find /i "6.2"
C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /S /D /c" ver "
C:\WINDOWS\system32\find.exe find /i "6.3"
C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /S /D /c" ver "
C:\WINDOWS\system32\find.exe find /i "10.0"
c:\BF97.tmp\choose.exe choose -c 1234 -q -n

Trending

Most Viewed

Loading...