PUP.SecurityXploded

Analysis Report

General information

Family Name: PUP.SecurityXploded
Signature status: No Signature

Known Samples

MD5: aa32a7002599fca0be506f2dd375970d
SHA1: 60a7d18e1e363e06fc6b1aa7b4d73e9490e03234
File Size: 528.90 KB, 528896 bytes

MD5: 0772a4049fc8739241ff2a5913f6f832
SHA1: 0bca20a30c8012d8df3b374aa89095375da24254
File Size: 1.78 MB, 1781556 bytes

MD5: c90dfa77f391a834347d65c5f3bd69ef
SHA1: e8fef39e59726ac089352e69ebae2c882b35758d
SHA256: 3A7C319E4CDC8CFEDBCB85D11AEB4AFAD1BD9C0235B99ABDCA5B10503E3E799F
File Size: 395.29 KB, 395286 bytes

MD5: cb872ef9500907ac81ab8d3a7dbd10d4
SHA1: d37e0af6b0d37ba6fe97b86f3c82407da3e5afbb
SHA256: 093E04FC519640E558368353546DAFC3EBB43401278C1829296C85BF4B32B757
File Size: 409.32 KB, 409318 bytes

MD5: 097ef33dc268686be2b29a20e06e46f3
SHA1: 94c01013eba7faa5ab37313276d9da78762f6680
SHA256: E74D617CC67DD722417BF096BD56F1857FBBD39871712AB2CC1AB42C2B2FA6C2
File Size: 1.24 MB, 1240576 bytes

MD5: 71aa7ff4a98de9303a54ae42e485a3ac
SHA1: 0e3b6df7ebf3f396c717892aa1ac187319286bf8
SHA256: 3D7253A75923224A3B8510DB26BF130D2C41C02881F5C5888F6C58F13E747900
File Size: 407.86 KB, 407861 bytes

MD5: e0c74da608d6d7cc27a014ac0d1007b8
SHA1: ed426da1e5b9794cbe25bb08a1fa4ba07db07ac8
SHA256: B1FCDEB5F89B4FA928F1BC888FF489D0876784AF1D08C6C4550C420522B9A64E
File Size: 688.13 KB, 688128 bytes

MD5: 895a87c7fc3e25e71aa72716b4893ac9
SHA1: e4528dc08ef40792133cdd8cc668649e9fa56d6e
SHA256: 81069377A926E20E439B707E36BCB7EE3506B2EC5C227BAE504B0494B7C7947A
File Size: 9.02 MB, 9019696 bytes

MD5: 8f852a23f448a1bc9971339e02562dc3
SHA1: 9f033b9bdcf2479b8f8580178aa12242dbc32c15
SHA256: 7723EB8192F5D68138C39825F38BB89EABE4DD044FE10A614E2A0DDF26EF792D
File Size: 1.78 MB, 1781556 bytes

MD5: ba320d9c515162006623fe56125aa313
SHA1: 90e43e171c5b9e07be6d7ffeaf6f336d186c02cb
SHA256: 1E0C9A0D8CBE1018F85C7BA5F80F6B9A7C46A9A38BCC57839E0EEDE16CAC4452
File Size: 197.63 KB, 197632 bytes

MD5: 2156499fc25b43e950e294945a2d6af8
SHA1: 9570e22737b928f729cebabb1394274004656f9c
SHA256: 3BD5AE63A2FCB43CF914A40712AF5B7C70F0360E06323623B8892BCC197534D5
File Size: 374.07 KB, 374070 bytes

MD5: d68b45b6e722bc4f27a3a0994fe2f002
SHA1: 705e79c65ee24dc8f48ca57429acec3d54d658dc
SHA256: D132941C054EEB41B3298C13FDBC5C94C5B8215224EFBC81B36C4D58A06F2D15
File Size: 416.53 KB, 416532 bytes

MD5: 3f22e8cf87aa7c6b1c66b6334d81c2dc
SHA1: 29f9b71ce53592bc0004b1de3b69adabcbcaa0d6
SHA256: 96F909C9A798C5195279FEF35DF288E0CB62CB7F043A4E09EF3505FEC5E9B4B1
File Size: 2.61 MB, 2606592 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has TLS information
  • File is 32-bit executable
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Comments
  • Nagareshwar Talekar (tnagareshwar@gmail.com)
  • www.SecurityXploded.com
Company Name
  • SecurityXploded
  • SecurityXploded Inc
File Description
  • All-in-one Facebook History Viewer Software
  • Autorun File Remover
  • Browser Password Recovery Software
  • Command-line Tool to Change File Date and Time
  • Desktop Tool to Perform Quick Anti-virus Scan using VirusTotal
  • Free Tool to Block or Unblock Ads across all Web Browsers
  • Free Windows Encrypted File Discovery Software
  • LDAP Search Application
  • Process Network Port Monitoring Application
  • Show Windows
  • This installer database contains the logic and data required to install Simple Website Blocker.
  • This installer database contains the logic and data required to install Vista UAC Maker.
  • VirusTotal Scanner
File Version
  • 6.0.0.0
  • 6.0
  • 5.5
  • 5.0.0.0
  • 5.0
  • 3.5
  • 3.0
  • 2.0.0.0
  • 2, 5, 0, 1
  • 2, 2, 0, 1
  • 1.6
  • 1.0.0.0
  • 1.0
Internal Name
  • AutorunFileRemover.exe
  • FileTimeChanger
  • LDAP Search
  • ProcNetMonitor
  • ShowWindows
  • SimpleWebsiteBlocker
  • VirusTotalScanner.exe
  • VistaUACMaker
Legal Copyright
  • Copyright (C) 2006 - 2009
  • Copyright (C) 2007-2013 SecurityXploded, All rights reserved
  • Copyright (c) 2007-2016 SecurityXploded, All rights reserved.
  • Copyright (C) 2007-2017 SecurityXploded, All rights reserved
  • Copyright (C) 2010 SecurityXploded Inc, All rights reserved.
  • Copyright (C) 2017 SecurityXploded
  • Copyright (C) 2019 SecurityXploded
  • Copyright © 2007-2013 SecurityXploded, All rights reserved
  • Copyright © 2007-2014 SecurityXploded, All rights reserved
  • Copyright © 2007-2015 SecurityXploded, All rights reserved
Original File Name
  • SimpleWebsiteBlocker.aiui
  • VistaUACMaker.aiui
Original Filename
  • AutorunFileRemover.exe
  • FileTimeChanger.exe
  • LDAPSearch.exe
  • ProcNetMonitor.EXE
  • ShowWindows.exe
  • VirusTotalScanner.exe
Product Name
  • AutorunFileRemover
  • BrowserPasswordDecryptor
  • EncryptedFileScanner
  • FacebookHistorySpy
  • FileTimeChanger
  • LDAP Search Application
  • ProcNetMonitor
  • ShowWindows
  • Simple Website Blocker
  • UniversalAdBlocker
  • VirusTotalScanner
  • Vista UAC Maker
Product Version
  • 6.0.0.0
  • 6.0
  • 5.5
  • 5.0.0.0
  • 5.0
  • 3.5
  • 3.0
  • 2.0.0.0
  • 2, 5, 0, 1
  • 2, 2, 0, 1
  • 1.6
  • 1.0.0.0
  • 1.0

Digital Signatures

Signer: Plex, Inc.
Root: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Status: Hash Mismatch

File Traits

  • AdvInst
  • big overlay
  • HighEntropy
  • imgui
  • Installer Manifest
  • Installer Version
  • nosig nsis
  • Nullsoft Installer
  • x64
  • x86

Block Information

Total Blocks: 7,978
Potentially Malicious Blocks: 34
Whitelisted Blocks: 7,897
Unknown Blocks: 47

Visual Map

[Per-block visual map omitted: a long run of 0 / ? / x symbols, one per analysed block, truncated in the source ("... Data truncated"). The block totals above summarise it.]
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • 1stBrowser.A
  • Agent.M
  • Agent.MH
  • Agent.MI
  • Agent.MU
  • Autorun.LA
  • Downloader.Agent.EG
  • Downloader.Agent.EL
  • Downloader.Agent.LU
  • FakeAV.AU
  • Farfli.AV
  • KillAV.GA
  • Trojan.Downloader.Gen.BQ
  • Ursnif.C
  • Ursnif.XG

Files Modified

File | Attributes
\device\namedpipe\gmdasllogger | Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsma786.tmp\btmimg.bmp | Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsma786.tmp\confirm.ini | Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsma786.tmp\finish.ini | Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsma786.tmp\header.bmp | Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsma786.tmp\iswelcome.ini | Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsma786.tmp\leftimg.bmp | Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsnaa45.tmp\btmimg.bmp | Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsnaa45.tmp\confirm.ini | Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsnaa45.tmp\finish.ini | Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsnaa45.tmp\header.bmp | Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsnaa45.tmp\iswelcome.ini | Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsnaa45.tmp\leftimg.bmp | Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp5861.tmp\btmimg.bmp | Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp5861.tmp\confirm.ini | Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp5861.tmp\finish.ini | Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp5861.tmp\header.bmp | Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp5861.tmp\iswelcome.ini | Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp5861.tmp\leftimg.bmp | Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsr5dd1.tmp\btmimg.bmp | Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsr5dd1.tmp\confirm.ini | Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsr5dd1.tmp\finish.ini | Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsr5dd1.tmp\header.bmp | Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsr5dd1.tmp\iswelcome.ini | Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsr5dd1.tmp\leftimg.bmp | Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsw5cae.tmp\btmimg.bmp | Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsw5cae.tmp\confirm.ini | Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsw5cae.tmp\finish.ini | Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsw5cae.tmp\header.bmp | Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsw5cae.tmp\iswelcome.ini | Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsw5cae.tmp\leftimg.bmp | Generic Write,Read Attributes
c:\users\user\appdata\local\temp\shi3293.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\local\temp\shi698e.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\local\temp\~nsu.tmp\au_.exe | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144

Registry Modifications

Key::Value | Data | API Name
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Dfhgnyoy\AppData\Local\Temp\~nsu.tmp\Au_.exe | RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Dfhgnyoy\AppData\Local\Temp\~nsu.tmp\Au_.exe\??\C:\Users\Dfhgnyoy\AppData\Local\Temp\~nsu.tmp | RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Gpfetuov\AppData\Local\Temp\~nsu.tmp\Au_.exe | RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Gpfetuov\AppData\Local\Temp\~nsu.tmp\Au_.exe\??\C:\Users\Gpfetuov\AppData\Local\Temp\~nsu.tmp | RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Vcjmpnmu\AppData\Local\Temp\~nsu.tmp\Au_.exe | RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Vcjmpnmu\AppData\Local\Temp\~nsu.tmp\Au_.exe\??\C:\Users\Vcjmpnmu\AppData\Local\Temp\~nsu.tmp | RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | *1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old122e4*1\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old12352*1\??\C:\P | RegNtPreCreateKey

Windows API Usage

Syscall Use
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • win32u.dll!NtUserGetKeyboardLayout
  • win32u.dll!NtUserGetThreadState
Other Suspicious
  • AdjustTokenPrivileges
  • SetWindowsHookEx
Anti Debug
  • IsDebuggerPresent
  • OutputDebugString
User Data Access
  • GetUserObjectInformation
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ReadProcessMemory
Process Shell Execute
  • CreateProcess
Keyboard Access
  • GetKeyState
Network Winsock2
  • WSAStartup
Network Winsock
  • getaddrinfo
  • gethostname

Shell Command Execution

"C:\Users\Dfhgnyoy\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=c:\users\user\downloads\
"C:\Users\Gpfetuov\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=c:\users\user\downloads\
"C:\Users\Vcjmpnmu\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=c:\users\user\downloads\
"C:\Users\Tlqqxdsa\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=c:\users\user\downloads\
"C:\Users\Pebtvvek\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=c:\users\user\downloads\