PUP.SearchSuite.C

Analysis Report

General information

Family Name: PUP.SearchSuite.C
Signature status: No Signature

Known Samples

Sample 1
  MD5: f96b0b0e0451b527cd2890708fd522d1
  SHA1: 527ddd229a03a3c147cdf114532ca30e8c6825f0
  File Size: 117.89 KB, 117895 bytes

Sample 2
  MD5: 5af261b14373fa1662eca4137feaeede
  SHA1: c1ce2a8c142824624e69441c74d63e89470e8858
  SHA256: DFD045B47037BFB708678372013C4281F817C38AE1F02146C8FBD6184C2D48A6
  File Size: 564.26 KB, 564264 bytes

Sample 3
  MD5: 581105e7e8823295ddd6c293fa7f65cf
  SHA1: 0f9974e635bea8915e1ba34a9db9d5e716ed55ab
  SHA256: 781D3E96C656A8790975AB46D4D01A43E19088DCED291A8C0863E431C9A5D511
  File Size: 1.30 MB, 1296016 bytes

Sample 4
  MD5: 1e79938cc341b1097e16de47caf84d58
  SHA1: da30def711df8041aa480c858ad22d40e811b7c4
  SHA256: 5B8A1283932E800CFE98FB8D96A0BFE042B1F757E8C0715E8FB771716EB12301
  File Size: 289.22 KB, 289216 bytes

Sample 5
  MD5: ff0d3d1f7b12234c01b4bff3b527283c
  SHA1: 9dc148df45b1b41d0af3d7826a43ea99bd91b6e2
  SHA256: FDD2E16D07B628D13215EBDF0B85A397E748F8D7AD3AEC5A82A2044753EE4C3F
  File Size: 113.98 KB, 113984 bytes

Sample 6
  MD5: 9a5f5c8449df8f34719bb931eb21e5cc
  SHA1: 006f919b306b44a61edf0b9309ff72953358efee
  SHA256: D5466042FF4FC5695B6E353724EFBDD5CED0E42F65B2EF4C491AD26525660E97
  File Size: 192.18 KB, 192176 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Field    Values (observed across the listed samples)
Company Name
  • iMesh Inc
  • Koyote-Lab Inc
  • Torch Media, Inc
  • Viber Media Inc
File Description
  • Free FLV Converter Uninstall
  • Music Toolbar Uninstall
  • Torch Browser Uninstall
  • Viber Install
  • Viber Uninstall
File Version
  • 33.0.0.7209
  • 5.0.0.12627
  • 3.0.0.134678
  • 1.0.0.129246
Legal Copyright
  • Copyright (c) 2005 - 2014
  • Copyright (c) 2012
  • Copyright (C) 2014 Torch Media Inc.
Product Name
  • Free FLV Converter
  • iMesh
  • Torch
  • Viber
Product Version
  • 33.0.0.7209
  • 5.0.0.12627
  • 3.0.0.134678
  • 1.0.0.129246

Digital Signatures

Signer                   Root                          Status
Torch Media Inc.         Thawte Code Signing CA - G2   Self Signed
Viber Media S.a.r.l      Thawte Code Signing CA - G2   Hash Mismatch
Viber Media S.a.r.l      Thawte Code Signing CA - G2   Self Signed
iMesh Inc.               Thawte Code Signing CA - G2   Self Signed

File Traits

  • Badsig nsis
  • big overlay
  • HighEntropy
  • Installer Manifest
  • Installer Version
  • nosig nsis
  • No Version Info
  • x86

Similar Families

  • AdGazelle.A
  • Downloader.Agent.TJ
  • Mobogenie
  • SearchSuite.C
  • Zusy.CA

Files Modified

File    Access rights requested on open
\device\namedpipe Generic Read,Write Attributes
\device\namedpipe Generic Write,Read Attributes
c:\programdata\datamngr Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsb4800.tmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsb4800.tmp\registry.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsb4800.tmp\registry.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsb4800.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsb4800.tmp\system.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsdf0df.tmp\modern-header.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsdf0df.tmp\nsdialogs.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsdf0df.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsdf0df.tmp\uac.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl46b7.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsn6582.tmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsn6582.tmp\registry.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsn6582.tmp\registry.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsn6582.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsn6582.tmp\system.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nspc221.tmp\modern-header.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nspc221.tmp\nsdialogs.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nspc221.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nspc221.tmp\uac.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nspc221.tmp\userinfo.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsu2b62.tmp\applicationid.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsu2b62.tmp\findprocdll.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsu2b62.tmp\killprocdll.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsu2b62.tmp\modern-header.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsu2b62.tmp\nsexec.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsu2b62.tmp\registry.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsu2b62.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsu2b62.tmp\uac.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsw47e0.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsy6572.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\~nsu.tmp\au_.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
extensions\chrome.manifest Generic Write,Read Attributes
extensions\components\datamngrhlpff29.dll Generic Write,Read Attributes

Registry Modifications

Key::Value Data API Name
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Kasnudru\AppData\Local\Temp\~nsu.tmp\Au_.exe RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Kasnudru\AppData\Local\Temp\~nsu.tmp\Au_.exe\??\C:\Users\Kasnudru\AppData\Local\Temp\~nsu.tmp RegNtPreCreateKey
HKLM\software\wow6432node\datamngr\general\patches::1 1 RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Cvhiympy\AppData\Local\Temp\nsn6582.tmp\registry.dll RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Cvhiympy\AppData\Local\Temp\nsn6582.tmp\registry.dll\??\C:\Users\Cvhiympy\AppData\Local\Temp\nsn6582.tmp\ RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Qnmiruan\AppData\Local\Temp\~nsu.tmp\Au_.exe RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Qnmiruan\AppData\Local\Temp\~nsu.tmp\Au_.exe\??\C:\Users\Qnmiruan\AppData\Local\Temp\~nsu.tmp RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.205.9\??\C:\Users\Ltlezpxb\AppData\Local\Temp\~nsu.tmp\Au_.exe RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.205.9\??\C:\Users\Ltlezpxb\AppData\Local\Temp\~nsu.tmp\Au_.exe\??\C:\Use RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\software\wow6432node\datamngr\general::oldpver RegNtPreCreateKey
HKLM\software\wow6432node\datamngr\general::clid {BC5A4AEF-85A0-4E6B-99E7-C443D5164EFD} RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\runonce::removeimeshdatamngr cmd.exe /c RD /S /Q "" RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Windows\SystemTemp\77e37ce0-8214-4414-aced-551c5ae204d7.tmp\??\C:\Windows\SystemTemp\e28eadcf-6ab0-4d8c-8821-7ce9a6aba1 RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe (binary data, not rendered) RegNtPreCreateKey
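Most of the registry activity above is writes to PendingFileRenameOperations, the REG_MULTI_SZ that MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) appends to. The value is a flat list of strings read in pairs (source, destination); an empty destination means "delete the source at next boot", and a destination prefixed with "!" records MOVEFILE_REPLACE_EXISTING. That is how the NSIS uninstaller gets rid of its ~nsu.tmp\Au_.exe copy and the plug-in cache. The report's rows appear to show the value with the empty strings collapsed, which is why a source and the next source look concatenated. Below is an added example, not code from the report's source, that parses the value from raw bytes and flags the operations worth reviewing. It parses the bytes by hand because an empty string is meaningful here and a MULTI_SZ-aware reader may stop at the first one. The first three pairs of the sample value mirror this report's deletes; the fourth pair, with the `nsx1234.tmp\update.exe` source and the `ExampleApp` destination, is hypothetical and only shows the rename-with-replace form.

```python
import re

USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
PROTECTED_RE = re.compile(r"^[a-z]:\\(program files( \(x86\))?|windows)\\", re.IGNORECASE)


def split_multi_sz(raw):
    """Split raw REG_MULTI_SZ bytes without stopping at embedded empty strings.

    Layout: UTF-16LE, every string NUL-terminated, then one extra NUL.  In this
    value an empty string is meaningful (it is the "delete" marker), so the data
    is split by hand instead of relying on a MULTI_SZ-aware registry reader.
    """
    text = raw.decode("utf-16-le")
    if not text.endswith("\0"):
        raise ValueError("REG_MULTI_SZ data must end with a NUL terminator")
    parts = text[:-1].split("\0")
    return parts[:-1]  # drop the empty tail produced by the last string's own NUL


def strip_nt_prefix(entry):
    """Return (win32_path, replace_existing) for one registry entry.

    Entries are NT paths ("\\??\\C:\\..."); a leading "!" on a destination records
    that MOVEFILE_REPLACE_EXISTING was requested.
    """
    replace = entry.startswith("!")
    if replace:
        entry = entry[1:]
    if entry.startswith("\\??\\"):
        entry = entry[4:]
    return entry, replace


def parse_pending_renames(strings):
    """Interpret the value as a list of (op, src, dst, replace_existing) tuples.

    Strings are consumed in pairs (source, destination).  An empty destination
    means "delete source at next boot", which is how NSIS cleans up the
    ~nsu.tmp\\Au_.exe copy and its plug-in cache.  A trailing unpaired source is
    treated as a delete.
    """
    ops = []
    items = list(strings)
    for i in range(0, len(items), 2):
        src, _ = strip_nt_prefix(items[i])
        dst_raw = items[i + 1] if i + 1 < len(items) else ""
        if dst_raw == "":
            ops.append(("delete", src, None, False))
        else:
            dst, replace = strip_nt_prefix(dst_raw)
            ops.append(("rename", src, dst, replace))
    return ops


def suspicious_pending_renames(ops):
    """Flag boot-time operations a reviewer should look at.

    The Session Manager carries these out during boot, before any user session
    exists, so a user-temp source landing under Program Files or Windows with
    replace-existing set will overwrite a file that is locked while the system
    is running.  Plain deletes under a user temp directory are the usual
    installer clean-up, but are still worth listing.
    """
    findings = []
    for op, src, dst, replace in ops:
        reasons = []
        if USER_TEMP_RE.match(src) or (dst and USER_TEMP_RE.match(dst)):
            reasons.append("path under a per-user temp directory")
        if dst and PROTECTED_RE.match(dst) and USER_TEMP_RE.match(src):
            reasons.append("user-temp source moved into a protected directory at boot")
        if replace:
            reasons.append("replace-existing requested")
        if reasons:
            findings.append((op, src, dst, reasons))
    return findings


# Constructed sample value.  The first three pairs mirror the deletes in this
# report; the last pair is hypothetical and shows the rename-with-replace form.
SAMPLE_STRINGS = [
    r"\??\C:\Users\Kasnudru\AppData\Local\Temp\~nsu.tmp\Au_.exe", "",
    r"\??\C:\Users\Kasnudru\AppData\Local\Temp\~nsu.tmp", "",
    r"\??\C:\Users\Cvhiympy\AppData\Local\Temp\nsn6582.tmp\registry.dll", "",
    r"\??\C:\Users\Kasnudru\AppData\Local\Temp\nsx1234.tmp\update.exe",
    r"!\??\C:\Program Files (x86)\ExampleApp\ExampleApp.exe",
]
# The same value as it would be stored in the registry (REG_MULTI_SZ bytes).
SAMPLE_RAW = ("\0".join(SAMPLE_STRINGS) + "\0\0").encode("utf-16-le")

if __name__ == "__main__":
    ops = parse_pending_renames(split_multi_sz(SAMPLE_RAW))
    for op, src, dst, reasons in suspicious_pending_renames(ops):
        print(op, src, "->", dst, "|", "; ".join(reasons))
```

To apply this to a host, export the raw value bytes (for example with a registry API call that returns the data untyped, or from a `reg export` of the Session Manager key) and pass them to `split_multi_sz`; the value only exists between the write and the next reboot, so collect it before rebooting the analysis machine.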

Windows API Usage

Category API
Process Shell Execute
  • CreateProcess
Keyboard Access
  • GetKeyState
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • UNKNOWN
Process Terminate
  • TerminateProcess
Anti Debug
  • IsDebuggerPresent
User Data Access
  • GetUserObjectInformation
Network Winsock2
  • WSAStartup

Shell Command Execution

"C:\Users\Kasnudru\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=c:\users\user\downloads\
"C:\Users\Qnmiruan\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=c:\users\user\downloads\
"C:\Users\Ltlezpxb\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=c:\users\user\downloads\
"C:\Users\Hcfthxpx\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=c:\users\user\downloads\
C:\Users\Hcfthxpx\AppData\Local\Torch\Application\33.0.0.7209\Installer\setup.exe --uninstall
netsh advfirewall firewall delete rule name="hola_plugin.exe" program="C:\Users\Hcfthxpx\AppData\Local\Torch\Plugins\Hola\hola_plugin.exe"
