Multi-License Discount Quote

Change Region

English
Threat Database Potentially Unwanted Programs PUP.ScreenMate

PUP.ScreenMate

By CagedTech in Potentially Unwanted Programs

Analysis Report

General information

Family Name: PUP.ScreenMate
Signature status: No Signature

Known Samples

MD5: 5e6752723bf3c4b63ed0f8c5a19e80ab
SHA1: 1788f8686971f5d11f3c157afcb0a4a596afa177
SHA256: 8378975D4406DF44B3A06541A61D073259E6F70DF9F13885687CA49992297220
File Size: 586.98 KB, 586976 bytes
MD5: 7c55a2a78042f7e29b19f7454845d57d
SHA1: 712b14cd7270c412a7b8cc0f56978199d89d4900
SHA256: 30A7F4C834F6C3751A3398CF8EFF837A28C822412263F3956E70524CD8391C89
File Size: 231.02 KB, 231024 bytes
MD5: da8dda495f61fb5d231df6445765ce96
SHA1: 46936a5876bc3618c12aff32075b6e0b1c4af024
SHA256: 84AE59D85472E39A653FCEDCC3190C691E3C33EE352DA273E7E8CB7048FA5F7B
File Size: 278.98 KB, 278984 bytes
MD5: 5a9f1bb7462bb026b1c6e28cba6d8be2
SHA1: db2131b7e3d15c5b2e8eb92acd032d9562c9ddab
SHA256: 17BEDA77F2EFE6DD7350D49D5669C175CC1D07CA665A3157E3001AD952FFB1F7
File Size: 1.63 MB, 1627424 bytes
MD5: 7fc8c8bfd60c8455d4b7465a1e16a564
SHA1: bfddfee7ed977e0ec240b80f33027c30bc293e89
SHA256: B7FE2EB8F35C6B4A91CE925B1AD8606A6E3D47C7F5B72EF4DCE5732DC109C5CB
File Size: 253.26 KB, 253257 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has exports table
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
Show More
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Digital Signatures

Signer Root Status
AdTools, Inc. AdTools, Inc. Root Not Trusted
AdTools, Inc. AdTools, Inc. Hash Mismatch
AdTools, Inc. VeriSign Class 3 Code Signing 2001-4 CA Root Not Trusted
ThinkDesktop LLC VeriSign Class 3 Code Signing 2004 CA Root Not Trusted

Files Modified

File Attributes
c:\delall.bat Generic Write,Read Attributes
c:\program files (x86)\network world idemand\a39e.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files (x86)\network world idemand\a39e.tmp Synchronize,Write Attributes
c:\program files\screenmates\felix ii\module2.felix Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\roaming\network world idemand\a38e.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\roaming\network world idemand\a38e.tmp Synchronize,Write Attributes

Registry Modifications

Key::Value Data API Name
HKCU\software\adtools, inc.\userinfo::identifier 8ffffb46-7eec-41aa-a13f-8c8c6874225d RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 蕎㽴䷧ǜ RegNtPreCreateKey

Windows API Usage

Category API
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess
  • WriteConsole
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
Show More
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • UNKNOWN
Anti Debug
  • IsDebuggerPresent
User Data Access
  • GetUserObjectInformation
Process Terminate
  • TerminateProcess
Network Wininet
  • InternetOpen

Shell Command Execution

\DelAll.bat
WriteConsole: '\DelAll.bat' is

Related Posts

Trending

Most Viewed

Loading...