PUP.WebPlugin.A
Analysis Report
General information
| Family Name: | PUP.WebPlugin.A |
|---|---|
| Signature status: | Root Not Trusted |
Known Samples
This section lists other file samples believed to be associated with this family.
| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| 117d3fb499dd89d16561e5a13ac54b32 | 8fd7f6ecca9d3afcd1f57f7a985066a8e940784b | CEFA5776104DD0554743F72367A136D32C763F787CD44ACD90F39FF99FA9974B | 135.17 KB, 135168 bytes |
| dcb5d8926a5e5c60f9d6cfc9ce0aa923 | a2e0cc0b4e0d7efbb7fd1660d77aefdd53f00154 | BDCD8D72167B89138A377296CAA0D1292368113469F61493D7692F16655B0748 | 139.26 KB, 139264 bytes |
| cff8b00047385758c6e113cd1ca9d306 | e4253e9db3949794cb979456ea4c0a5f769ec160 | 4D29513C87B5F7B5B77B0276E9F9DFC8EFB212079109BF397D1823A9D941D5A9 | 139.26 KB, 139264 bytes |
| 5da08804ae53cc9f81603f3f8f0705ca | bf8333f17d4a99d68ed611687e8e58a695bcdc4e | AC8E297D5A96DCABA04B8022826D7866ADE4BDCA8F735364691D6DED601884AB | 157.88 KB, 157880 bytes |
| 3cf977d61d9770ea46a816cf2f413e3c | 0abcb492620eeaae68b8d4d1f2b7cc9ac2128dc4 | D6930E412C0A2A6CA30B325F5F713B5F86034CF8AA51603990065E5311FA7EBB | 135.17 KB, 135168 bytes |
| 5ca6edaff7670aa0f8af7130e5e7622a | 7f1f104d71dbb03bead62a7c35902ea63a91dc10 | F9D7942E93437CDE32AEAA24048721CF377775C1DC0FF10A5028E0C854DB9E14 | 118.78 KB, 118784 bytes |
| 7c69ff07e937e970d614751776319075 | 005e9c57cacbacb9d9f16fff55001ea471175539 | E2A270A2AC6F9EF59891FC00589BAD652A09AA78CD298BEF28C96667D93CF5B5 | 143.88 KB, 143880 bytes |
| d4c431fb4239a35eb41368d14c38de15 | f65fcebe5ecf1fa1dbba09958f134fd43912623d | F7A4A5DD08D92C4988D258ADF73B987FB22E32D9873F47FE65A7EFD8B56D29D3 | 145.15 KB, 145152 bytes |
| 5f02cb8252cacac0f94f1cefe3dfedf1 | 6f131e19bcf0b4c8290884d911cc90d2161b3dac | 7841F47360706C56980C4A00C8B57D5CCFFE7C07A7E0AE936AC765B1E85149D8 | 139.26 KB, 139264 bytes |
| ac0402850f7097129fd0e9041a058837 | 51d72022b6a06c579567b10d102f8e378ceb58b8 | B0D051036D153DED95B01B78338BB7E672B7C9175A5484802FC2B07B54103354 | 126.98 KB, 126976 bytes |
| 951c774184db54ec56a1bd180f1da3cb | 9808485684b3464bc0634c8725b7e15efa70a8a3 | 6C0D6CB8E1AEEB6610AC8BA38AEB926E64C70B6A15D8C73703EDF77A5C00DD13 | 145.16 KB, 145160 bytes |
| 38d8fa19104d2d053ecdf2fc8ffebfc8 | ce20991750224314d5d3f6884881200868a946d2 | 1ED93111B00286598577DEE8817E4992154F5BEBE7F6355C251B6E8BEF8A6985 | 2.84 MB, 2839473 bytes |
| 2e3dcd213c3d650e04ec3016183c7ae9 | 41f4fac0bedcce516216ca2f4b3b336b3d6a3bcd | AD3AC648C2F422F4F54042D90566AF29AF8F47DB8A490683C38172F2C5D3B348 | 997.54 KB, 997543 bytes |
| 94e162ff22c33c57318b628779477039 | fc3aad093d2a6d3fe2810d7e514c61e0bb62cb60 | F71B61701CBCCC2BA73890521EEA44521BC741FF3EAC58AA41B7F499EFC556E9 | 139.26 KB, 139264 bytes |
| 88d40c4c5d9def97a603819cf5c9c1b9 | fee0373f31139be00f853dd984bdd1257562f193 | 6A2A5783102FC0A29CDFE7327883F6889BB4F3AB2935584A97FCFB8A5D265DEE | 145.09 KB, 145088 bytes |
| 35e6e14a24d995e9341c94f107d87da8 | 9b5586615ca6460c43635d141e09ae31bdd6f866 | F6739025C242001E3D13C72326527A9CBEAD9D83751C22367CEDF5B2269232CB | 149.26 KB, 149256 bytes |
| 53244420784f9f0b0261b2b64aeeceec | 5fd51b7b1161370204b6c37f4996013709729b87 | 2DCF4FE2E7B45892042E6F19B23DE71C0C39C4C7A09DF79E8E460BE8CA14F2CB | 122.88 KB, 122880 bytes |
| 3a5d0d8f06ed501cf308006c3251240f | 50313d9eabe4b81c247ceae8eb9889a17f91ff06 | 975F9A53299C37A723D398AB50A27ADADC2C31BA991A9E7494E0CC478ACD1156 | 147.26 KB, 147264 bytes |
| 430a555c7700e120fe27d2d759941d6f | 41c2b5897d420a2ec00a8686e035b6d8f7f9e062 | E5DDC77AB297806553BF6CACE6218B90DE563A5241846234ABFA3E91AA709B05 | 124.74 KB, 124744 bytes |
| e2069b9774ddd32ce73058203b226401 | 4751e0f30b3043dded78536c5c92cca1ed67ae20 | 404647F1190D27698B3CDBE5751AA5BEC2717D1E51A43E8988E0064BAE831702 | 122.88 KB, 122880 bytes |
| 6bdd008cf36b71354c6bf5ce76a71817 | dacae409dd1e1e866a1f119cfe9a48c2e6e4d585 | 30EDF2AB999F055CAB5D5C140B839711952BE1E524376C56A3EC773E8EAE3935 | 956.33 KB, 956328 bytes |
| 35cfc87a57a727032a66a39d7d658234 | 2c57b61c9a47685bea368a196ade15594aee4e38 | C3F1337C6D09A83475802904AE9507BAC1A301E37074D31086E890F8D37D809C | 118.78 KB, 118784 bytes |
| 7d7ba046b1ce7de56efd310e250d58d1 | f3d0dfa49daf47af684f05b044097539fba5a495 | D65F5D0E9E1F77D60FFC2D062BA0FA929CF68D34C3E624F641011C2DBE7C260A | 118.78 KB, 118784 bytes |
| 67eea02b1d7450fbb9aefbe892be62fe | 8bca0c904a1b2446b50da88e7c6388b4bbd21cac | 7BF67884C3DD131BC3FCEF13C1EC0632D17334D3899744364A476BD8F458A0A7 | 145.15 KB, 145152 bytes |
| e50b0894819bb8639cd9209165ee7e76 | 7ce25bfb4fcb0d64d451420972ba689fc90a34a0 | 9FEBCA05C996576292DEAA195BCD7FD5149E22648E9BF4C73BA637BA64181B2B | 147.53 KB, 147531 bytes |
| 1416b8e46592c7d03b49b391bbb397a3 | 8ede78d4cb3d055abf2409369a12334371461b3f | EFAE99DE5F433FCBB781F71D0F36A5540F47B7F3A1FA2633586D401E7E7B7E26 | 124.67 KB, 124672 bytes |
| c9dcb307baaab5416d238ca2a3e2abda | 2d0f24e83bd82c0e35bf0d015dc7e95f4e9b4e67 | 82E25733DE53B55252D652559AA7D38A439A22CAB22E138A829E62C9A94FDEC1 | 118.78 KB, 118784 bytes |
| 390aa970c759d0db6361e1896c033772 | 2199977d51861418c699d3af108e59c2ef6e4332 | E93350EADAB502A9D58E6DB03074AF735BE677B2E0797A0BB1011A3CFD282B6D | 131.07 KB, 131072 bytes |
| dd5d5dbd320ac4311314633fffff5691 | 94e9af88ba69c79fb6302ebe0ba7c0459dbe9d22 | 98A0DFF2C4A5B86868E058119D1EA76A6E62B0CFF87D251D6FA6AEBDFDF09076 | 1.34 MB, 1335030 bytes |
| 4f6d9c9e6c17af0013130707478b2bcc | c53764981bfc367d0c2338b2da43a34eb3897cc6 | 1525801606666C48DCF46B04A6A943CB7C63DC27632CEB232BCB2C0CFBA63E88 | 135.17 KB, 135168 bytes |
| 300b11af26f5305f41b6eacaa565b3a3 | 60d6b9e7227c8839b0d12e98b44fc789e3d587f2 | 8D418F02D3F170D2F96AF0E58AE6918732A4004D8B7C623F79F17253CF246AB1 | 131.07 KB, 131072 bytes |
| 381cf9971a6f02bc015f90c5ea630bc1 | a5b47582761ac5334c088a6f64dedcc0a1bae199 | B9FFFF5E7CC5C1E99E2A41EF51CEF7BED779FCC5E4C1EF3DD2B4056C178E896C | 139.26 KB, 139264 bytes |
| 99ee913404dcd536855ee7edd41fcb50 | 8fc585f4e081629aa155e3983073bb4e9a6f19e7 | D4D1699027B962E11E8C9679F1EDCEB3730BA5C6897ABCB75C1B141F3D9E91A0 | 124.67 KB, 124672 bytes |
| 5e38ce1b8b06d9cb694ad5acbad0586a | 07eb203ab2de40bc3530f7528d2f40f36e326415 | 9B4A63F48D147828FBEC84B82D5F0B1196F535030979E4681E74704F340E5FF1 | 143.36 KB, 143360 bytes |
| d74d454b3072f459cc99c4c9bb8cfd61 | 600236be9f3a18dc781f4a2c517cbba78f1d0bf9 | 83EC59C9E42023B87DA064D7FED944E6820227D8C5C3A593EED8BC51F901D3F8 | 135.17 KB, 135168 bytes |
| f579a086e8a595a2aa1eb9391b2617d3 | a4091b51dbf10e5ed44615c2008e2e78076a9264 | A1C2C36AA5669F1FBC045184084F18D78E78BCFFB06263CCD47AA5C6AAF38B8A | 131.07 KB, 131072 bytes |
| 95b42e17899ef5d82cbdee45bb4a5313 | 6745c17ce18af1f6e54a2d8de18cc869f9fbcdd5 | B45FF05CE3B2673663EF33770DBEEB55EDEA1513CEED05CA83C5EFD06DDA9EEB | 128.77 KB, 128768 bytes |
| 5eb50e9399e9e5d595548d8ed37a33be | 46d20085e607779d923fed35e169e89a7d03b67f | 88C50F2FD041F8D6296DBF7EAFB7FB2A285B4601B041B46CA6710A054570ACBC | 122.88 KB, 122880 bytes |
| 019a75919a2e7b573ff5ae5c1395b829 | 7d455f5e756fac010564baeefe5e05f8cbcce1ea | 6BB3C674652F7014AF30AC38F252321126BD94462992685892BD14E1F164074A | 2.16 MB, 2155304 bytes |
| 01632ffc8cfd71a97a0480ec3ad6e269 | a28d1e621200a826ab37d543ed29e82208e246fd | 325E977E3AA695489CB9E0958E31A55D59D1DC74A05129E7F60D5DEDB4D29CBC | 1.13 MB, 1133921 bytes |
| 82fe9273ddb021a7009b7c2327bd1625 | 2d8e6fb1e0bde8f407fd62781bc20210b87e054d | C416BB36760DC5728030B11B641A5BC1DEABCBFD878D725E7D8196D30B761DC2 | 118.78 KB, 118784 bytes |
| f758b7bde2315304472421d8d6c6dd1e | 11344a83fb1835574538a7440e2a11b9a5481734 | 7FBD58732E607FD6FE227532BDA8C5F8F1EDEBA63BF923C022D6FA20BF15572C | 118.78 KB, 118784 bytes |
| 84424740337c0e8a97a8155cd0fe3e71 | 4ad8ee87d6d0f9fe0f61a593a1758930af4160e4 | ABA04A1A02B12D1EE918816FD38F5658D5302D3C80BD53011A9B60C1AF36D455 | 135.17 KB, 135168 bytes |
| 0a531107997a6589f6e4da788a4ff933 | 19ac54bd8d3c9d0b03dee4e8e0bda7ca876fa466 | 8D903A8C11E6A277BC0E9DE1AB90E79621C7527A378B627E0C7212CF172AFE09 | 118.78 KB, 118784 bytes |
| 8f4b234af7ee5e4d72ee2c3e927c0309 | 1bdd4fcf181402e120bd0539cc449ca83c320817 | B5045FAD2C543A658D74848EDB7A6AF27649F92700FEAFD0EA8DAA7844591EEA | 122.88 KB, 122880 bytes |
| e92269ecdb8b45117397c1e51546b7eb | 3718ca61079603e7c6fb2846cd2980900c411c99 | 3ADE47455BECEA5AA300F57E1F6C110BA1D9AAF8DE2435B2C9569850704C2095 | 139.26 KB, 139264 bytes |
| c17f2a8e9f77dca719222748615f6511 | 86980b7042c553d0f9419e4ab8c0d00c2985aef4 | 470332265C4B2B7C3DB01C8BE4ABD824D6428E0528A31C5178F2AFF85F86D787 | 124.74 KB, 124744 bytes |
| 01aa1f9f2e368f96eaed5cceb4db7943 | 495576009c512d977e1f3c11545ff48c89a31ce6 | 77DE55DA3D2DB1F6A10CD291DF3D8E247F02A82EB24655BF2A976F47FB9E3A83 | 118.78 KB, 118784 bytes |
| d510f584a7b080cf764fb2d8daa630e8 | 28eb7427d49f20f20b55ad414b2a72ec81988f0c | EDD03DFD09D63A2AF6B6A1EB79039C6C7A0095712C4515D65DEDF59D9397A4AA | 1.07 MB, 1066656 bytes |
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File has exports table
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.
| Name | Value |
|---|---|
| File Description | |
| File Version | |
| Internal Name | |
| Legal Copyright | |
| M I M E Type | |
| Original Filename | |
| Product Name | |
| Product Version | |
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature's root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy "Self Signed" digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading "Signer" names.
| Signer | Root | Status |
|---|---|---|
| Zhejiang Dahua Technology CO.,LTD. | GlobalSign | Root Not Trusted |
| Zhejiang Dahua Technology CO.,LTD. | GlobalSign CodeSigning CA - G2 | Self Signed |
| Zhejiang Dahua Technology CO.,LTD. | GlobalSign CodeSigning CA - SHA256 - G2 | Hash Mismatch |
| Zhejiang Dahua Technology CO.,LTD. | GlobalSign CodeSigning CA - SHA256 - G2 | Self Signed |
| INTELBRAS SA INDUSTRIA DE TELECOMUNICACAO ELETRONICA BRASILEIRA | VeriSign Class 3 Public Primary Certification Authority - G5 | Root Not Trusted |
| Amcrest Technologies LLC | thawte Primary Root CA | Root Not Trusted |
File Traits
- dll
- x86
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft's analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- WebPlugin.A
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.
| File | Attributes |
|---|---|
| \device\namedpipe | Generic Read,Write Attributes |
| \device\namedpipe | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin\dhnetsdk.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin\dhplay.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin\dhsurveillancedll.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin\fileoperator.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin\h264dec.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin\mjpegdec.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin\npmedia.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin\npplugin.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin\nptimegrid.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin\postproc.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin\timeaxesdll.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin\timegridexe.exe | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin\uninst.exe | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin\version.ini | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin\videowindow.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin\webactiveexe.exe | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin\webactivex.exe | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin_v2\dhnetsdk.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin_v2\dhplay.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin_v2\dhsurveillancedll.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin_v2\fileoperator.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin_v2\h264dec.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin_v2\hdcvi1000\dhnetsdk.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin_v2\hdcvi1000\dhplay.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin_v2\hdcvi1000\dhsurveillancedll.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin_v2\hdcvi1000\fileoperator.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin_v2\hdcvi1000\h264dec.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin_v2\hdcvi1000\mjpegdec.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin_v2\hdcvi1000\npplugin.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin_v2\hdcvi1000\postproc.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin_v2\hdcvi1000\timeaxesdll.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin_v2\hdcvi1000\version.ini | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin_v2\hdcvi1000\videowindow.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin_v2\hdcvi1000\webactivex.exe | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin_v2\ivsdrawer.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin_v2\ivslogic.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin_v2\mjpegdec.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin_v2\npplugin.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin_v2\postproc.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin_v2\timeaxesdll.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin_v2\version.ini | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin_v2\videowindow.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webplugin_v2\webactivex.exe | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webview_l\aacdec.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webview_l\dhnetsdk.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webview_l\dhplay.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webview_l\dhsurveillancedll.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webview_l\fisheye.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webview_l\fisheyectrl.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webview_l\h264dec.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webview_l\ivsdrawer.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webview_l\mcl_fptz.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webview_l\mjpegdec.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webview_l\npplugin.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webview_l\postproc.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webview_l\python_nsibuild.nsi | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webview_l\python_nsibuild.nsi | Synchronize,Write Attributes |
| c:\program files (x86)\webrec\web30\webview_l\speech_enhance.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webview_l\version.ini | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webview_l\videowindow.dll | Generic Write,Read Attributes |
| c:\program files (x86)\webrec\web30\webview_l\webactivex.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsga5e0.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete |
| c:\users\user\appdata\local\temp\nsha768.tmp\nsexec.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsr5db.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete |
| c:\users\user\appdata\local\temp\nsse33e.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete |
| c:\users\user\appdata\local\temp\nst2b15.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete |
| c:\users\user\appdata\local\temp\nsw662.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete |
| c:\users\user\appdata\local\temp\nsx733d.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete |
| c:\users\user\appdata\local\temp\nsxa823.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete |
| c:\users\user\appdata\local\temp\nsye4e5.tmp\nsexec.dll | Generic Write,Read Attributes |
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.
| Key::Value | Data | API Name |
|---|---|---|
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | 鰯⨴ǜ | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | 亘曆⨴ǜ | RegNtPreCreateKey |
| HKLM\software\wow6432node\mozillaplugins\@dvr/npplugin,version=3.1.0.4::path | C:\Program Files (x86)\webrec\WEB30\WebPlugin\npPlugin.dll | RegNtPreCreateKey |
| HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | 멁觫ǜ | RegNtPreCreateKey |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.
| Category | API |
|---|---|
| Syscall Use | |
| Process Shell Execute | |
| Anti Debug | |
| User Data Access | |
| Process Terminate | |
| Process Manipulation Evasion | |
| Network Winsock2 | |
| Network Info Queried | |
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\8fd7f6ecca9d3afcd1f57f7a985066a8e940784b_0000135168.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\a2e0cc0b4e0d7efbb7fd1660d77aefdd53f00154_0000139264.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\e4253e9db3949794cb979456ea4c0a5f769ec160_0000139264.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\bf8333f17d4a99d68ed611687e8e58a695bcdc4e_0000157880.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\0abcb492620eeaae68b8d4d1f2b7cc9ac2128dc4_0000135168.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\7f1f104d71dbb03bead62a7c35902ea63a91dc10_0000118784.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\005e9c57cacbacb9d9f16fff55001ea471175539_0000143880.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\f65fcebe5ecf1fa1dbba09958f134fd43912623d_0000145152.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\6f131e19bcf0b4c8290884d911cc90d2161b3dac_0000139264.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\51d72022b6a06c579567b10d102f8e378ceb58b8_0000126976.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\9808485684b3464bc0634c8725b7e15efa70a8a3_0000145160.,LiQMAxHB
- "C:\Program Files (x86)\webrec\WEB30\WebPlugin\WebActiveEXE.exe" /unregserver
- "C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exe" /unregserver
- TASKKILL /F /IM WebActiveEXE.exe
- TASKKILL /F /IM TimeGridEXE.exe
- "C:\Program Files (x86)\webrec\WEB30\WebPlugin\webActiveX.exe" /regserver
- regsvr32 /s "atl.dll"
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\fc3aad093d2a6d3fe2810d7e514c61e0bb62cb60_0000139264.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\fee0373f31139be00f853dd984bdd1257562f193_0000145088.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\9b5586615ca6460c43635d141e09ae31bdd6f866_0000149256.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\5fd51b7b1161370204b6c37f4996013709729b87_0000122880.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\50313d9eabe4b81c247ceae8eb9889a17f91ff06_0000147264.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\41c2b5897d420a2ec00a8686e035b6d8f7f9e062_0000124744.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\4751e0f30b3043dded78536c5c92cca1ed67ae20_0000122880.,LiQMAxHB
- "C:\Program Files (x86)\webrec\WEB30\WebPlugin\WebActiveEXE.exe" /regserver
- "C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exe" /regserver
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\2c57b61c9a47685bea368a196ade15594aee4e38_0000118784.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\f3d0dfa49daf47af684f05b044097539fba5a495_0000118784.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\8bca0c904a1b2446b50da88e7c6388b4bbd21cac_0000145152.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\7ce25bfb4fcb0d64d451420972ba689fc90a34a0_0000147531.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\8ede78d4cb3d055abf2409369a12334371461b3f_0000124672.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\2d0f24e83bd82c0e35bf0d015dc7e95f4e9b4e67_0000118784.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\2199977d51861418c699d3af108e59c2ef6e4332_0000131072.,LiQMAxHB
- "C:\Program Files (x86)\webrec\WEB30\WebView_L\webActiveX.exe" /regserver
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\c53764981bfc367d0c2338b2da43a34eb3897cc6_0000135168.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\60d6b9e7227c8839b0d12e98b44fc789e3d587f2_0000131072.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\a5b47582761ac5334c088a6f64dedcc0a1bae199_0000139264.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\8fc585f4e081629aa155e3983073bb4e9a6f19e7_0000124672.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\07eb203ab2de40bc3530f7528d2f40f36e326415_0000143360.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\600236be9f3a18dc781f4a2c517cbba78f1d0bf9_0000135168.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\a4091b51dbf10e5ed44615c2008e2e78076a9264_0000131072.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\6745c17ce18af1f6e54a2d8de18cc869f9fbcdd5_0000128768.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\46d20085e607779d923fed35e169e89a7d03b67f_0000122880.,LiQMAxHB
- "C:\Program Files (x86)\webrec\WEB30\WebPlugin_V2\webActiveX.exe" /regserver
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\2d8e6fb1e0bde8f407fd62781bc20210b87e054d_0000118784.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\11344a83fb1835574538a7440e2a11b9a5481734_0000118784.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\4ad8ee87d6d0f9fe0f61a593a1758930af4160e4_0000135168.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\19ac54bd8d3c9d0b03dee4e8e0bda7ca876fa466_0000118784.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\1bdd4fcf181402e120bd0539cc449ca83c320817_0000122880.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\3718ca61079603e7c6fb2846cd2980900c411c99_0000139264.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\86980b7042c553d0f9419e4ab8c0d00c2985aef4_0000124744.,LiQMAxHB
- C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\495576009c512d977e1f3c11545ff48c89a31ce6_0000118784.,LiQMAxHB
- "C:\Program Files (x86)\webrec\WEB30\WebPlugin_V2\HDCVI1000\webActiveX.exe" /regserver