Troj/Dloadr-DPB

Troj/Dloadr-DPB is a Trojan infection is distributed via a spam email message claiming to have been sent by ADP (a legitimate provider of payroll-related services). This malicious email message contains an HTML link that leads to a JavaScript redirect detected as Troj/JSRedir-H which in turn leads to a website containing the BlackHole Exploit Kit in order to install Troj/Dloadr-DPB. Troj/Dloadr-DPB has been associated with various JavaScript redirects, often sent out in spam email messages. To prevent a Troj/Dloadr-DPB infection, ESG security researchers strongly advise taking appropriate safety precautions when opening email messages and ensuring that you use reliable security software that is fully up to date.

Like most Trojans, Troj/Dloadr-DPB is not capable of spreading on its own from one computer to another. Troj/Dloadr-DPB relies on other Trojans, such as the JavaScript redirect mentioned above, and on social engineering techniques in order to infect computer systems. A Troj/Dloadr-DPB infection will usually not cause any explicit symptoms and, usually the computer user will not detect a problem until Troj/Dloadr-DPB has downloaded other, more visible malware onto the infected computer system. Although disabling JavaScript can stop the JavaScript redirects associated with Troj/Dloadr-DPB, it is often more convenient to use a reliable anti-malware program and common sense in order to prevent an infection.

What You Can Do to Prevent a Troj/Dloadr-DPB Infection

Like with most malware infections, prevention is the key in avoiding larger problems such as loss of sensitive data and irreparable damage to your operating system. ESG security analysts recommend taking the following measures in order to prevent a Troj/Dloadr-DPB infection:

1. Ensure that you have a reliable and fully updated spam filter installed at all times, and that its security settings are adjusted at their maximum level. The best way to prevent a Troj/Dloadr-DPB attack is to ensure that its malicious email message never lands in your inbox in the first place.
2. Never, under any circumstances, open file attachments or embedded links contained in unsolicited email messages, even if they appear to come from well-known companies or other supposedly reliable sources.
3. Use a reliable anti-malware scanner and a firewall. Both should be running at all times and maintained up to date with the latest virus definitions.
   

   Analysis Report

   General information

   Family Name:	HEUR.Malware.MPRESS.Generic
   Signature status:	No Signature

   Known Samples

   i

   Known Samples

   This section lists other file samples believed to be associated with this family.

   MD5: bb2adf653863d9bcdb56660babad7050 SHA1: 4db7d4ed846d5ed58f38ebfc405fb6be67b0b8a4 File Size: 9.20 MB, 9196701 bytes

   MD5: e58432e8dea69a051147b3932ccaf14c SHA1: 29814140a6dacc4c18795743d23a2c0987e0ae9f SHA256: 9722AC61BBDC8979798C2FB4A86BF127D06A761CD283FC6F33ED10A5EFA3DAF5 File Size: 395.78 KB, 395776 bytes

   MD5: ec5303f9d93530e3662f94a3b9fd645c SHA1: 129cdfcadb94e34a9751758bf7213e39e42bbf3b SHA256: 897925D9738316CFB49ACC60BFA3DAED1B5775984CED61205A2543657765D49B File Size: 549.72 KB, 549721 bytes

   MD5: d2f481563a76ef3cdf02825f0360ad08 SHA1: 6bf4d72ea47ad04a68f26fbaf4b505642e0571c5 SHA256: 289A093431EE86D9CF6091530D57C0A631FFCEBDA0F6D421E8E14D76A480A6F5 File Size: 1.35 MB, 1351168 bytes

   MD5: 9ebf463a1f6b0c763c46b542df602f66 SHA1: a3b01442afab8c788c7c634c0bcd68add57a542a SHA256: C896545312872695A95A11F270032E9EC6F6037A4C2501D3A3A3E2F13688874B File Size: 359.42 KB, 359424 bytes

   Show More

   MD5: 7794c3bb5d832d4cc67e151e8b7f0413 SHA1: 3dbe34b70c87060395956427a07db9f67a6146f8 SHA256: 0192A6CFF437BBFCE9907324B12DE05B674C16B6DF63AAB3569EB39957CAA8FD File Size: 551.94 KB, 551936 bytes

   Windows Portable Executable Attributes

   i

   Windows Portable Executable Attributes

   This section lists file attributes found within family samples. These attributes are extracted from the files’ Windows PE (Portable Executable) specification and various system flags. Portable Executable Attributes give malware researchers insight into a file’s functionality, executable details, platform and runtime environment.

   • File doesn't have "Rich" header
   • File doesn't have debug information
   • File doesn't have exports table
   • File doesn't have relocations information
   • File doesn't have security information
   • File has been packed
   • File is 32-bit executable
   • File is 64-bit executable
   • File is either console or GUI application
   • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)

   Show More

   • File is Native application (NOT .NET application)
   • File is not packed
   • IMAGE_FILE_DLL is not set inside PE header (Executable)
   • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

   File Icons

   i

   File Icons

   This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   

   Windows PE Version Information

   i

   Windows PE Version Information

   This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

   Name	Value
   Comments	Modified by an unpaid evaluation copy of Resource Tuner 2. http://www.heaventools.com Silentall Unattended Installer 理顺盘符哦
   Company Name	CREATED BY: BOYTECH DISKLESS Oracle Corporation Silentall Unattended Installer
   File Description	ICAFE8 DISKLESS TRAY Internet Download Manager VirtualBox Interface 理顺盘符,问题反馈QQ3012262930
   File Version	2022,09,22,1 6.42.3.3 6.19.10.24 4.0.6.71344
   Internal Name	IcafeServicesTray VBoxSVC.exe
   Legal Copyright	CopyRight (C) 2005-2015. All Rights Reserved Copyright (C) 2009-2011 Oracle Corporation QQ3012262930 © 2023 ronaldinho424
   Original Filename	IcafeServicesTray.exe orderdvr.exe VBoxSVC.exe
   Product Name	IcafeServicesTray.exe Oracle VM VirtualBox orderdvr.exe Silentall Unattended Installer
   Product Version	9.1.8.0 6.42.3.3 6.19.10.24 4.0.6.r71344
   Internalname	orderdvr.exe

   File Traits

   • 2+ executable sections
   • HighEntropy
   • imgui
   • Installer Version
   • MPRESS
   • MPRESS Win32
   • Native MPRESS x86
   • packed
   • x64
   • x86

   Block Information

   i

   Block Information

   During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

   Total Blocks:	6
   Potentially Malicious Blocks:	0
   Whitelisted Blocks:	5
   Unknown Blocks:	1

   Visual Map

   0 0 0 ? 0 0

   0 - Probable Safe Block
   ? - Unknown Block
   x - Potentially Malicious Block

   Similar Families

   i

   Similar Families

   This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.

   • AutoHotkey.A
   • Bitcoinminer.R
   • MPRESS Packer
   • Strictor.A

   Files Modified

   i

   Files Modified

   This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

   File	Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm0.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm0.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm1.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm1.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm10.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm10.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm100.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm100.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm101.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm101.tmp	Synchronize,Write Attributes

   Show More

   c:\users\user\appdata\local\temp\7zipsfx.000\idm102.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm102.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm103.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm103.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm104.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm104.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm105.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm105.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm106.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm106.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm107.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm107.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm108.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm108.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm109.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm109.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm11.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm11.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm110.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm110.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm111.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm111.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm112.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm112.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm113.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm113.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm114.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm114.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm115.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm115.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm116.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm116.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm117.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm117.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm118.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm118.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm119.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm119.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm12.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm12.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm120.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm120.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm121.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm121.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm122.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm122.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm123.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm123.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm124.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm124.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm125.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm125.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm126.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm126.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm127.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm127.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm128.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm128.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm129.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm129.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm13.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm13.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm130.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm130.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm131.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm131.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm132.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm132.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm133.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm133.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm134.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm134.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm135.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm135.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm136.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm136.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm137.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm137.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm138.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm138.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm139.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm139.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm14.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm14.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm140.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm140.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm141.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm141.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm142.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm142.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm143.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm143.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm144.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm144.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm145.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm145.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm146.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm146.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm147.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm147.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm148.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm148.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm149.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm149.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm15.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm15.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm150.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm150.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm151.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm151.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm152.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm152.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm153.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm153.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm154.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm154.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm155.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm155.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm156.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm156.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm157.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm157.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm158.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm158.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm159.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm159.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm16.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm16.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm160.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm160.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm161.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm161.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm162.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm162.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm163.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm163.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm164.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm164.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm165.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm165.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm166.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm166.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm167.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm167.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm168.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm168.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm169.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm169.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm17.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm17.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm170.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm170.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm171.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm171.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm172.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm172.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm173.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm173.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm174.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm174.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm175.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm175.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm176.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm176.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm177.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm177.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm178.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm178.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm179.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm179.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm18.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm18.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm180.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm180.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm181.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm181.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm182.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm182.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm183.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm183.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm184.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm184.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm185.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm185.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm186.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm186.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm187.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm187.tmp	Synchronize,Write Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm188.tmp	Generic Write,Read Attributes
   c:\users\user\appdata\local\temp\7zipsfx.000\idm188.tmp	Synchronize,Write Attributes

   180 additional files are not displayed above.

   Registry Modifications

   i

   Registry Modifications

   This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.

   Key::Value	Data	API Name
   HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
   HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
   HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
   HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
   HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
   HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
   HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
   HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey

   Windows API Usage

   i

   Windows API Usage

   This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

   Category	API
   Anti Debug	IsDebuggerPresent
   User Data Access	GetUserObjectInformation
   Process Manipulation Evasion	NtUnmapViewOfSection
   Process Shell Execute	ShellExecuteEx
   Syscall Use	ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtSetEvent ntdll.dll!NtTestAlert ntdll.dll!NtWriteFile ntdll.dll!NtWriteVirtualMemory win32u.dll!NtUserGetKeyboardLayout win32u.dll!NtUserGetThreadState

   Shell Command Execution

   i

   Shell Command Execution

   This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.

   (NULL) Setup.exe