AdLoad

AdLoad est un outil malveillant visant à introduire des logiciels publicitaires potentiellement ennuyeux dans votre système Mac. L'outil est en circulation depuis près de trois ans maintenant, ne montrant aucun signe de ralentissement. Sa longue durée est due à sa capacité à évoluer assez rapidement pour éviter d'être détecté. Tout au long de son évolution, AdLoad aurait abandonné des dizaines d'applications potentiellement indésirables (PUA) - Kreberisec, SearchDaemon, DataSearch, ApolloSearch, AphroditeResults et bien d'autres (voir la liste ci-dessous) - sur un nombre incalculable de systèmes MacOS dans le monde. Compte tenu de la nature de ces applications, AdLoad ne se comporte pas comme une menace typique de niveau grave. Cependant, son comportement persistant transforme toute tentative de suppression en une tâche assez difficile.

Un pirate de l’air ou un cheval de Troie?

AdLoad semble avoir un caractère douteux. D'une part, il partage les traits typiques des pirates de navigateur classiques. Il se présente sous la forme d'une fausse mise à jour logicielle ou d'un téléchargement au volant. D'un autre côté, certains chercheurs ont tendance à classer AdLoad comme une entité de type cheval de Troie en raison de sa fonctionnalité de porte dérobée permettant de planter toutes sortes de PUA dans un système Mac hôte.

Une fois dedans, AdLoad redirige l'activité de navigation Web des victimes vers des serveurs prédéterminés au moyen d'attaques man-in-the-middle. De telles redirections se produisent généralement chaque fois que les acteurs en charge souhaitent monétiser les revenus publicitaires en redirigeant les utilisateurs d'ordinateurs vers des sites infestés de publicités au paiement par clic (PPC). Bien que ce modèle publicitaire ne soit en aucun cas nuisible lorsqu'il est appliqué avec les moteurs de recherche les plus populaires sur le Web, il peut causer des problèmes s'il est exploité pour de mauvaises raisons. Ce dernier implique généralement des annonceurs qui paient des moteurs de recherche moins connus pour générer du trafic vers des sites Web à forte teneur en PPC et de nature pas trop savoureuse.

La diffusion d'AdLoad peut avoir lieu lors du chargement d'applications groupées ou de logiciels gratuits. Il peut y avoir des cas d'installation d'AdLoad via les invites de Flash Player, comme le montre l'image ci-dessous. Souvent, une telle invite d'installation de Flash Player est un site Web qui a chargé un script ou une page qui tente d'inciter les utilisateurs d'ordinateurs à télécharger et à installer les fichiers associés à AdLoad, permettant ainsi l'installation d'AdLoad où il peut alors bombarder les utilisateurs d'ordinateurs Mac avec pop- des publicités.

Exemple d'invite d'installation d'AdLoad via un message d'installation de Flash Player.

Malgré la longévité d'AdLoad, il reste difficile à détecter à ce jour, comme le montre VirusTotal, car l'adware plante divers fichiers dans un grand nombre de répertoires. La plupart des données sont déposées dans plusieurs dossiers de la section Bibliothèque locale. Ensuite, il exécute un ou plusieurs exécutables, qui établissent une connexion de bureau à distance via un script python. Outre les dossiers visibles dans la section Bibliothèque locale, AdLoad peut créer un dossier caché conçu pour maintenir le logiciel publicitaire en cours d'exécution.

Indicateurs d’une infection AdLoad

Comme tout autre logiciel publicitaire, AdLoad peut ralentir votre système, vous apporter d'innombrables publicités et vous conduire vers des sites Web que vous n'avez peut-être jamais vus auparavant. Les publicités peuvent proposer de fausses mises à jour logicielles, des téléchargements au volant, des produits et services attrayants. Méfiez-vous de ce dernier, cependant. Surtout s'ils semblent trop beaux pour être vrais.

PUA associés

AdLoad aurait apporté des dizaines de PUA à des ordinateurs ciblés basés sur MacOS. Certains de ces PUA incluent, mais ne sont pas limités à: WebSearchStride, TotalAdviseSearch, Sorimbrsec, SkilledProjectSearch, SearchRange, SearchNetCharacter, PositiveSearch, KeyWordsSearch, MajorChannelSearch, AlphaLookup, GoldResults, GlobalQuestSearch, LeadingSignSearch, OdysseusLookup, ExpertModuleSearch, TaboolView NetToolboxSearch, SimpleFunctionSearch, AresLookup, PublicAdviseSearch, MajorLetterSearch, SearchArchive, SearchRange, CalypsoLookup, BinarySignSearch, etc.
La liste ci-dessus n'est qu'un avant-goût du AdLoad Adware est capable d'apporter à la table. Si un ou plusieurs de ces noms vous disent quelque chose, il y a de fortes chances que vous ayez une infection AdLoad en cours et que vous deviez prendre des mesures.

Conseils de suppression

Pour commencer, vous pouvez suivre la procédure de suppression conventionnelle en mettant dans la corbeille toutes les applications suspectes ou inconnues que vous rencontrez dans votre dossier Applications. Ensuite, vous pouvez nettoyer tous les fichiers AdLoad résiduels que vous trouverez dans votre bibliothèque. Portez une attention particulière au dossier LaunchAgents en particulier. Cependant, n'oubliez pas de parcourir tous les dossiers de la bibliothèque. Bien que ces étapes puissent faire l'affaire, analyser votre système avec une solution anti-malware réputée ne nuira pas. Nous vous recommandons fortement de faire ce dernier, car AdLoad s'est avéré être persistant au-delà de toute mesure lorsqu'il est attaqué.

Bulletin d'analyse

Informations générales

Family Name:	Trojan.Adload
Signature status:	No Signature

Known Samples

i

Known Samples

This section lists other file samples believed to be associated with this family.

MD5: b8c7b6e43f4a0ab140bcc235c247bbc5 SHA1: 6dd3adec6fe76e7fa6b2e35b30c67504c12f066f Taille du fichier: 359.22 KB, 359220 bytes

MD5: c557fc3db4d9b52c025307e95f475747 SHA1: e782480fd9b8626ce246e6fc081acbc7fec6f9c6 Taille du fichier: 486.72 KB, 486720 bytes

MD5: ba3b39ca30a0e520b0ba7d56536b40db SHA1: 9813a9d9b3ffc2bef3a009058d8bafe9e865e695 Taille du fichier: 180.85 KB, 180848 bytes

MD5: e87b55334389949b93cb52ffb81455be SHA1: 0f3b83ea6aa235137442dcb9d91c545e97182c89 Taille du fichier: 121.50 KB, 121499 bytes

MD5: cf041587d8bb4bc19a9d9d18668cec92 SHA1: 3a22e93838d64693dccf30f97ec30371a5c48677 Taille du fichier: 486.82 KB, 486824 bytes

Show More

MD5: a81b99b2d91d0881e37966abe644ef79 SHA1: 058ef8b55fb5ebd390496295a49820c94e29cc2b Taille du fichier: 219.62 KB, 219618 bytes

MD5: caa93864eb9a4e503fa9edaebf9ea974 SHA1: bf7058261e6a7aa984364c1abdd554b2c645b14f SHA256: 46C35B73C288CCC7F74EF6F9CF9A183CF7AAFA95E8ACBA38FF87D0E2A0730286 Taille du fichier: 295.41 KB, 295414 bytes

MD5: d774ae8806f084a5ab7ff77941f4c013 SHA1: 6a69f07fc68cc99a7526f75ad84dd82e5a56972d SHA256: 7276422F1F14AF5208DAEBF5735A77F1DF84D6618BF98FCCDAECB6F7A5A6992A Taille du fichier: 250.54 KB, 250536 bytes

MD5: e187cfad80d4cbac3eed879e8017a47f SHA1: 2073a80cf1bd84ec032b2421bd34427cefb8499b SHA256: 9384096EF7D8C4E4805E63715A1ABED5D5C0D09CD46FBCB99CFC0972299F68AD Taille du fichier: 366.73 KB, 366725 bytes

MD5: 38997bbcfbeed4b71917e6f68622c7c5 SHA1: 12042ab1425fbe1b132f54c0daff5edd6c5fd1c4 SHA256: B73BCDA71F8227B34E4E46A064797DAE3AA7F6832A161DB9130A0B9199624338 Taille du fichier: 75.54 KB, 75544 bytes

MD5: 556ab3d9bf4ae37f72b201aacd3b18e0 SHA1: c6ed1b3470b89cdcfa9ed78d115cbe4c0f994f21 SHA256: C2B3D3A04E50C27F45177050B4939DD47448D36EDD6B71EE04756AFF822EA7A2 Taille du fichier: 5.54 MB, 5543000 bytes

MD5: e2301c49f57b249aa8f13691a927a443 SHA1: 0887e46f34bec87601f359efaa768e9271fb8d81 SHA256: 1EEC6282760C6B6BF8249E4DB797F64349C5F32825E70B6FF233C43123299B34 Taille du fichier: 559.67 KB, 559672 bytes

MD5: 838d3c6d2e5cba0145ffd763220b5561 SHA1: 5c7691cc827bc62bf04968657d823ad8cce67dd8 SHA256: 63E0A5824566D2A3D14E1CAF63F78276909F7CE3D48B20800134316FFC92D90B Taille du fichier: 308.22 KB, 308224 bytes

MD5: f966e7c6b8ce4e3838f49464276191c3 SHA1: ae60bce9e4cd5d8bfb513191a5145528c075dc20 SHA256: 6BD3E76959E607292DD0623386F31109FD4367136319B2EF3ED5855C270C2279 Taille du fichier: 501.41 KB, 501408 bytes

MD5: fa01b68ef2246c3a26a7ab26f2033890 SHA1: 5910d6a3f753828f1da4011e455459f26e9e4494 SHA256: 29E8575F2E5EEF6B180D49C94DC08E05E08CF59292010EE1E99CF8A2A98AE489 Taille du fichier: 3.08 MB, 3076827 bytes

MD5: 87042ba828a5ea209ea20c028227bea5 SHA1: 3000646dddff721b62346c5e86159ec4a1e185d0 SHA256: EC7861DEC5A5F1213378C08C2A30C45184511598B10E719E5033E955856D2D8C Taille du fichier: 53.48 KB, 53480 bytes

MD5: 19ee7986e20521f7048afbea19076024 SHA1: 314338c4716b627733e16ec458428c97f5c3feed SHA256: 6EF65BC0676BCA7EC2930883FE047C90DD75C0CC1E098F12A4CA6DDFF39E57F4 Taille du fichier: 3.26 MB, 3261524 bytes

MD5: 035ddd8703824c5d75f16499a0397893 SHA1: b17b8f3c3eafe88406fc71322630816084398e3e SHA256: 9E2AC28077C57DD7EA9D48ED145F82D9AA15CED005597084733D991D6EB04F47 Taille du fichier: 78.18 KB, 78184 bytes

MD5: c8c33ba616cb111ca64d6f5762138d47 SHA1: b170960f9b1f1e45954fa0314fbe2a7a8fe64139 SHA256: E8696EC1695EBE7989618810222E5D39D7086B12CDB72B4F7AB2E5254048BE9A Taille du fichier: 262.46 KB, 262460 bytes

MD5: 8393968220dbc0e75d79b783ad84cfdf SHA1: 2904fa1664f6c231ce58a6fdeb605480dbfc6bf9 SHA256: F48E40010ADA411B06F16D9BB6CDFFADE3358FB1EE47AF0E2D670290E6377DED Taille du fichier: 2.10 MB, 2097151 bytes

MD5: 9279118f57eefd978bac175ce2e91374 SHA1: a2284ab79d138526bc24218797a45f42dc72436c SHA256: 0B6E1613A3AF0816231D7A0CD922657C35CB2D8D92BBA897114D1331677B1745 Taille du fichier: 2.10 MB, 2097151 bytes

MD5: 58b1829fa5706235c1f6763151fd37c6 SHA1: 0202d25e874489c5e53da4788857f301e30fe5b9 SHA256: B7BD8DC7AB6E02A670A0194F10087AC2088D9E164BC513A4C4208C5C797925F3 Taille du fichier: 2.10 MB, 2097151 bytes

MD5: b160ce13f27f1e016b7bfc7a015f686b SHA1: bfb714891d12ffd43875e72908d8b9f4f576ad6e SHA256: FAC205247D3B19B5F82F5F4D1269A5C047B6C9AD9F21CC51B4B782C2B08A3B87 Taille du fichier: 757.62 KB, 757615 bytes

MD5: 3f6d037be2f2723aa38472ae981f10d6 SHA1: f5e8679a2df2c7d3f9e7473d6b0f749327998648 SHA256: 8B7D03E64B80E844D68FD6C7CEB5B75F29D4355A98E94F57F2C777D79DE8A327 Taille du fichier: 3.86 MB, 3861785 bytes

MD5: 103b48abc69e0b80838ee23f8f7bd049 SHA1: 906cfab568e241b6821c0671da2e8f5feb1bd6cc SHA256: 69E5CE6C7BB53FC89BA4DDE30B6FE9C48D14615F385A15A655AE6F6F24693E59 Taille du fichier: 486.82 KB, 486824 bytes

MD5: 0013d426df25b2b43160b412b3f6d35d SHA1: 0fdf0dfc916451bdeb0911af022c5e872f2a9176 SHA256: BBB456B10E07F2FC48BBF19808D9EA64E5ECB96179C9A5244E5539ED85397B45 Taille du fichier: 615.06 KB, 615062 bytes

MD5: 556a13a2d4fbe23a26f7b1a23df670a0 SHA1: 67de5186982e23a4572902516c27c47cc4bc8a78 SHA256: 1BF4A996925826849CEB0AA570AB32E9E98A42D4FDAF3A2141B314E9BADF8A80 Taille du fichier: 75.64 KB, 75641 bytes

MD5: 8f0b9c5e8b48a6b8525a469e5a9e48ec SHA1: 862793346177034b3b9d17bcfc055c5c200aa5f0 SHA256: DC7EDF6E31FBFD3EEC4876448878A1DEF6A3C97E9ED23BC4425912073BD012DE Taille du fichier: 63.09 KB, 63087 bytes

MD5: 341afc3c4e8aa0148493d13dfc8bed97 SHA1: afb649034e69ece6f16d0e3282d1b8391dbff44b SHA256: B41B8705F0CA2A4FB4B52D1F02E50143739DA97ED05DFAF245D037F8B5E88601 Taille du fichier: 1.39 MB, 1385717 bytes

MD5: 1fcac397bbe64f00e0865e36132fb2bf SHA1: ad6d5e8854479c27c130d17aeed9c097038f52d7 SHA256: CC08B1CDCE33AECD99BD0D1098D5D8696410EF2B44D21FFC492C498D09BC4525 Taille du fichier: 524.01 KB, 524008 bytes

MD5: 89f6ef362c41116d638264a9c89a7a7b SHA1: d1f4badf9eab3ac53a2a064db5812a5b4359cc79 SHA256: 1148D09D6B61BC7BE98F18685E86C3BC72515DC1CB1CC02AF7E0C8689F07E745 Taille du fichier: 2.52 MB, 2520394 bytes

MD5: 0683350ff975c4f831a33171e3dbd9e6 SHA1: a466bd7464b4a714c93b8230476541538cce0819 SHA256: 4E99617EED0547371F97D15D34A5CCB67410AAE911ED9A415D70782706A1DE09 Taille du fichier: 75.57 KB, 75573 bytes

MD5: 6965e133b0208698a13d6ce60f1ba18d SHA1: b31d5b3377fabd6ca2992dc2bc5030ac34760591 SHA256: 5CECC4B4432ABF9BB4D48E888E34EBC5B6A9BB92B55D537E78A3B1FB5BF7B31E Taille du fichier: 2.10 MB, 2097150 bytes

MD5: 862228ac7b458677ae8c5d69fccf7527 SHA1: b63c28e9e22ae19210e30a5d0557415704ffda1b SHA256: 651B492CE504A5519E2D7982666452FE81EBF564E4316967434BFE13D7CA5E2C Taille du fichier: 6.44 MB, 6436459 bytes

MD5: 340d30bb6fe363d782db84cbcd9bd8d6 SHA1: 0ab19e65df7f97d7d5eee65410668f31acd45a2d SHA256: EE20DA6F620ADA5B0D3A1622485654C90685448EABDBE57DBE043304F936522A Taille du fichier: 75.58 KB, 75585 bytes

MD5: e261f1fd2af901c9528e5ba353af961b SHA1: d924f6981ca26a655e79fa80664b7417ce024941 SHA256: 05DBD391C1A4FED6EED5CDA514DB1D59451FC1A4A9C7B0DF9120293DF680F799 Taille du fichier: 5.13 MB, 5128085 bytes

MD5: b963938a7479471dff48fafdcf1fc581 SHA1: 8cb445efb70e8a0c9ea7d83e94756c971726c458 SHA256: D5A69F8994A9BAF4DEEAE6048B1F67435B627DE735D160CBFAD6F1C0AFBE0EC9 Taille du fichier: 9.52 MB, 9521664 bytes

MD5: 74bfc6946298f496c2864bb0dd0678d9 SHA1: c6c3510874c8141f2344ddabb509f73e441f1d11 SHA256: 145BADFEF16B4E50AB8FCB11CCCF97231F474C84DE1BB9AA86EA3F83F45B15D3 Taille du fichier: 576.88 KB, 576881 bytes

MD5: 04cd4470d50c53becbc494cbd4d05f0d SHA1: 676f118214d9f4e9bc8c4af3b24ef4a1f685a8af SHA256: 317C1F7D13D27537BF164C35B2B42116A6DFDFA82933499C1A5A69B5DDB3C733 Taille du fichier: 180.82 KB, 180824 bytes

MD5: fff6509a917506c0c8f3e63b1e92e065 SHA1: b2223709995ef13d86ef43792b66198ceebcaaff SHA256: 940C99D764B8E14F79EB965480BB9C8DC756F00B63C2FB17494707C1BFBF2AC7 Taille du fichier: 72.36 KB, 72360 bytes

MD5: 7dc43c3d4fadd9d850cfb5d88758476d SHA1: 8f0069ea3701166d036a4638f16a1e8c32913e50 SHA256: 877353B77D8ADBA88F53123135F3D61CF12E1FAFF568A10503E3FFF7F78055CA Taille du fichier: 90.48 KB, 90480 bytes

MD5: 64e74f82f77c7bff955fc247f0ff1dfb SHA1: 8ad451a67d6ba18459b7757487d251add486696c SHA256: B31168B43D79786C2ED2580AF194B190A7A3D9251E86D8CEF63D020D18909221 Taille du fichier: 5.44 MB, 5444918 bytes

MD5: f5762a5a8fd972b3078dd827712589c8 SHA1: f3748b522571b3e8a4cf315d36b343a6c62e261a SHA256: D8D3F07F768BB3CCAB59CE1904BF3DCCE15D7F8560CE1E882025150F5371AB00 Taille du fichier: 75.31 KB, 75312 bytes

MD5: 9732db58d5037cd6c668c07cb1c052f6 SHA1: da24e92d5059a4515dbd9ac9b4477580a611b94d SHA256: 2A3699D65E78516B081E5CC96ECCA87D461E4A40A284F61EBF2D2F68EF2D4DB1 Taille du fichier: 66.30 KB, 66295 bytes

MD5: 1db7012130e5adccbf7a2cebb282546e SHA1: c47c6fe9f75371bc6f95213868bbf49548dba3f2 SHA256: C7FA63A15CECB240F52E4AFF62B373FCB89E18183E8A0EC3F838A66A6D7FC639 Taille du fichier: 506.78 KB, 506776 bytes

MD5: 3d855eae3381ee54b0ccf4fe6adcfe58 SHA1: d7a28e36180fd9d6487dd7bb4827e5a956ce9c01 SHA256: 05F51186D8D53E80810D7A3557A3A6C55D9D1C70904EFE82C288AE827D3A7A33 Taille du fichier: 855.44 KB, 855436 bytes

MD5: e909c819007b3a13ce352a16eca18482 SHA1: 442bffab50667069c8e642804bded7be61ce89a4 SHA256: 73577B5A5ED942866ACC37D8B013476A1898C06A9E1CF7AE1565CF161AB0BBE4 Taille du fichier: 168.76 KB, 168763 bytes

MD5: cc88c7273776e44a3ca8086bd449a3ce SHA1: 0eb726b9908c6604e43e2d3c6aee66e8ad376fb1 SHA256: AEF8AC717A27D3799E5CB9860BD2609F7AF38B873E117F0C0F3FDF4357BA644B Taille du fichier: 2.10 MB, 2097150 bytes

MD5: f4fa409e8dcf763261be4821d5b5dbae SHA1: a5cc82999d0dc71e423b539cc2ab8ea18ea0cb20 SHA256: B149AB50C318C2110407190B1E4E2FB3FBB5F25DBA8FF42470E79263E70222D2 Taille du fichier: 2.10 MB, 2097149 bytes

MD5: 46f32d34e2f10c27eff71f9cb48ea821 SHA1: 1d5f3f763e07aaa5321d51d2a5b8a5a9516e03c8 SHA256: 8EFE35CC76205E2432C54F0D80E5F6426118ED3C3DD93C8CD512927EFBAE07C3 Taille du fichier: 2.50 MB, 2498308 bytes

MD5: ee76e50aa55a192afdb8d6a5bafc0b2e SHA1: e144f39c30d297da781b305ac9f3d9fcbbc9ec6a SHA256: 7CE3B564226348E7E93E3018F01BAFF842730E8BB149E356F3B5A9F951FB372D Taille du fichier: 150.15 KB, 150145 bytes

MD5: cf3fd1ea59db4806b630621ea1e370a4 SHA1: a43e67b2ed4ece6d500c84c05a35cae2e13ab4d0 SHA256: 8ACB2697B60E553D1C9C2B86A3060901F1BB1A7427625CFB5E45810F12EDCE5C Taille du fichier: 474.29 KB, 474288 bytes

MD5: 1d939babe7fb2244435b0a8227f1d388 SHA1: 434f5de8b967b7c29066d993561cdcbc23cb2122 SHA256: B5107D8F82D2C12845979B69DE504782CBA9E6B905FBFA2656B778F064862F69 Taille du fichier: 509.11 KB, 509112 bytes

MD5: 9ffa67a732e852356a09d596b8cfefaf SHA1: 27bf14b10f8d8f531f02082a2d2f901d1ebbdc1e SHA256: B94E41E24EBC526B9BFDFAC30C7023AD2596F56E1B99C989DBC63D994F3C1FB0 Taille du fichier: 2.10 MB, 2097151 bytes

MD5: c0cf2bd5e5637f9c866b731a2e8f5c36 SHA1: eefacd0ddbb4caa17fc90eb1ab2e67ea3bbe6502 SHA256: 7357439E7DE4A3D53F30F2A2BFC6549EEE1CFAD8E361A6545C3E6153236D5D3B Taille du fichier: 5.32 MB, 5315633 bytes

MD5: d92a8adae34eb632e69f4aec188a5909 SHA1: b88eb9227d59f63c133d53190b43c808cf3f8b9a SHA256: 4FD2DCB55AD67FC08D4AA8AC853A615775255F6794C6F3849FCBF50D0423845D Taille du fichier: 79.19 KB, 79189 bytes

Windows Portable Executable Attributes

i

Windows Portable Executable Attributes

This section lists file attributes found within family samples. These attributes are extracted from the files’ Windows PE (Portable Executable) specification and various system flags. Portable Executable Attributes give malware researchers insight into a file’s functionality, executable details, platform and runtime environment.

• File doesn't have "Rich" header
• File doesn't have debug information
• File doesn't have exports table
• File doesn't have relocations information
• File doesn't have security information
• File has exports table
• File has TLS information
• File is 32-bit executable
• File is either console or GUI application
• File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)

Show More

• File is Native application (NOT .NET application)
• File is not packed
• IMAGE_FILE_DLL is not set inside PE header (Executable)
• IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

i

File Icons

This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.

Show More

2 additional icons are not displayed above.

Windows PE Version Information

i

Windows PE Version Information

This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

Nom	Évaluer
Comments	5Vgq1OA3fIVBIfRu 6lyiJjAbNPQTugozbwfIC This installation was built with Inno Setup. This installation was built with Inno Setup: http://www.innosetup.com
Company Name	5Vgq1OA3fI 6lyiJjAbNPQTugo Makhaon RPO Gaming Usługi Informatyczne 'Szansa' Gabriela Ciszyńska-Matuszek
File Description	46807GHF____ Setup Adobe PhotoShop CC Blanditiis Setup Dolores Setup Download da Internet DownloadUpdateInfo Setup earum b0a92a794d1c62de0231366a9c4d7e66 sit Free DWG Viewer Game of Whores v025 By MANITU Games.exe Setup Itaque Setup Show More K-Lite Mega Codec Pack KMPlayer Libreoffice Microsoft .NET Framework RPO Fire Setup SigmaTel Audio Similique Setup ZWToolbox Setup
File Version	9.4.5.7 4.0.4 3.6.8.3 1.10104.11217.12305 1.0.2 1.0.0.0 0.3
Internal Name	6lyiJjAbNPQTugozbwfICCuAE2
Legal Copyright	5Vgq1OA3fIVBIfRueB5B Copyright (C) 2003-2005 Makhaon Software, Inc.} Copyright © 2000-2015 Usługi Informatyczne 'Szansa' Gabriela Ciszyńska-Matuszek Copyright © 2023 Dolphin Copyright © 2023 Setup Copyright © 2024 Findue
Legal Trademarks	5Vgq1OA3fIVBIfRueB5BzcN8qnR 6lyiJjAbNPQTugozbwfI
Product Name	5Vgq1OA3fIVB 6lyiJjAbNPQTugozbw 46807GHF____ Adobe PhotoShop CC Aliquam Blanditiis Dolores Dolphin DownloadUpdateInfo Findue Show More Free DWG Viewer Game of Whores v025 By MANITU Games.exe Itaque K-Lite Mega Codec Pack KMPlayer Libreoffice Microsoft .NET Framework RPO Fire Setup SigmaTel Audio Similique TnwQvZevW26UA21k ZWToolbox
Product Version	v.Classic 9.13.17.7 5.0 4.10.5.4 4.3.6.3 4.0.4 3.5 2.4.9.4 2.0 1.10104.11217.12305 Show More 1.0.2 0.14.8.16 0.3

Digital Signatures

i

Digital Signatures

This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature’s root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy “Self Signed” digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading “Signer” names.

Signer	Root	Status
InstallShell (Clickshell Ltd.)	COMODO RSA Certification Authority	Root Not Trusted
MIDIA TECHNOLOGIES LLC	Go Daddy Class 2 Certification Authority	Root Not Trusted
Sono Control Inc	Go Daddy Secure Certification Authority	Self Signed
Tommy Tech LTD	Sectigo Public Code Signing Root R46	Root Not Trusted
MIDIA TECHNOLOGIES LLC	Starfield Class 2 Certification Authority	Root Not Trusted

Show More

GENCO LABS LLC	Starfield Secure Certification Authority	Root Not Trusted
Easeware Technology Limited	Symantec Class 3 Extended Validation Code Signing CA - G2	Hash Mismatch
Lespeed Technology Ltd.	Symantec Class 3 SHA256 Code Signing CA	Hash Mismatch
pdfforge GmbH	Thawte Code Signing CA - G2	Self Signed
Innovative Systems LLC	VeriSign Class 3 Code Signing 2010 CA	Self Signed
Sevas-S LLC	VeriSign Class 3 Code Signing 2010 CA	Self Signed

File Traits

• 2+ executable sections
• dll
• HighEntropy
• Inno
• InnoSetup Installer
• Installer Manifest
• Installer Version
• MZ (In Overlay)
• nosig nsis
• No Version Info

Show More

• Nullsoft Installer
• x86

Block Information

i

Block Information

During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

Similar Families

i

Similar Families

This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.

• Agent.M
• Agent.MH
• Agent.MI
• Agent.MU
• Autorun.LA

Show More

• Autorun.X
• Delf.EA
• FakeAV.AU
• Parite.F
• Parite.P

Files Modified

i

Files Modified

This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

File	Attributes
\device\harddisk0\dr0	Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\gmdasllogger	Generic Write,Read Attributes
c:\program files (x86)\dolores\unins000.dat	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files (x86)\itaque\unins000.dat	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files (x86)\similique\unins000.dat	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\programdata\synaptics	Synchronize,Write Attributes
c:\programdata\synaptics\rcxc4cd.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\programdata\synaptics\synaptics.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\programdata\synaptics\synaptics.exe	Synchronize,Write Attributes
c:\programdata\synaptics\synaptics.exe	Synchronize,Write Data

Show More

c:\users\user\appdata\local\rmi\offer_downloader.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\5gvhvti.ini	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\dummyfile.txt	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\fb-header.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\fb-viraltube.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-3av31.tmp\c6ed1b3470b89cdcfa9ed78d115cbe4c0f994f21_0005543000.tmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-3tnt5.tmp\eefacd0ddbb4caa17fc90eb1ab2e67ea3bbe6502_0005315633.tmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-4o7c0.tmp\0fdf0dfc916451bdeb0911af022c5e872f2a9176_0000615062.tmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-759aa.tmp\_isetup\_setup64.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-759aa.tmp\_isetup\_shfoldr.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-759aa.tmp\idp.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-8f4vo.tmp\_isetup\_setup64.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-bgk7g.tmp\_isetup\_setup64.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-bgk7g.tmp\_isetup\_shfoldr.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-bgk7g.tmp\ratione.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-bgk7g.tmp\ratione.exe	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\is-cbpba.tmp\_isetup\_setup64.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-cbpba.tmp\_isetup\_shfoldr.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-cc2s2.tmp\f5e8679a2df2c7d3f9e7473d6b0f749327998648_0003861785.tmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-d3gt7.tmp\_isetup\_iscrypt.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-d3gt7.tmp\_isetup\_setup64.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-d7ldk.tmp\_isetup\_setup64.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-e9v94.tmp\8ad451a67d6ba18459b7757487d251add486696c_0005444918.tmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-h164b.tmp\_isetup\_setup64.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-h164b.tmp\_isetup\_shfoldr.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-h164b.tmp\non.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-h164b.tmp\non.exe	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\is-hjh98.tmp\314338c4716b627733e16ec458428c97f5c3feed_0003261524.tmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-m98dn.tmp\is-hk8gn.tmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-na100.tmp\_isetup\_iscrypt.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-na100.tmp\_isetup\_isdecmp.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-na100.tmp\_isetup\_setup64.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-na100.tmp\_isetup\_shfoldr.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-s1jf7.tmp\_isetup\_iscrypt.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-s1jf7.tmp\_isetup\_setup64.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-s1jf7.tmp\_isetup\_shfoldr.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-tdc56.tmp\b63c28e9e22ae19210e30a5d0557415704ffda1b_0006436459.tmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-v64ji.tmp\1d5f3f763e07aaa5321d51d2a5b8a5a9516e03c8_0002498308.tmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsab735.tmp\button.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsab735.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsab735.tmp\ocsetuphlp.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsab735.tmp\skinnedbutton.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsab735.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsabd0d.tmp\inetc.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsabd0d.tmp\nsweb.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsabd0d.tmp\registry.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsabd0d.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsb162c.tmp\modern-wizard.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsb162c.tmp\modern-wizard.bmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsb162c.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsbbdf7.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsca833.tmp\modern-wizard.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsca833.tmp\modern-wizard.bmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsca833.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsca8cf.tmp\inetc.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsca8cf.tmp\nsweb.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsca8cf.tmp\registry.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsca8cf.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nscc4ac.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nscdf50.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nscdf9f.tmp\modern-wizard.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nscdf9f.tmp\modern-wizard.bmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nscdf9f.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsd54b9.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsda9b9.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsde0d.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsg5b22.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsgbe17.tmp\modern-wizard.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsgbe17.tmp\modern-wizard.bmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsgbe17.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsi5526.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsia8a0.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsiaa27.tmp\modern-wizard.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsiaa27.tmp\modern-wizard.bmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsiaa27.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsj1d50.tmp\modern-wizard.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsj1d50.tmp\modern-wizard.bmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsj1d50.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsj6321.tmp\button.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsj6321.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsj6321.tmp\ocsetuphlp.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsj6321.tmp\skinnedbutton.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsj6321.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsj6b42.tmp\modern-wizard.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsj6b42.tmp\modern-wizard.bmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsj6b42.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nska302.tmp\modern-header.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nska302.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nska302.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nskb724.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsl3b55.tmp\b	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl3b55.tmp\inetc.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl3b55.tmp\roe5i9jnne	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl3b55.tmp\setup.exe	Synchronize,Write Data
c:\users\user\appdata\local\temp\nsl3b55.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\inetc.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\inetc.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\nsprocess.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\nsprocess.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\stdutils.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\stdutils.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\system.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\uac.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\uac.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\winshell.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\winshell.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsl4cc5.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsl4cd4.tmp\modern-wizard.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl4cd4.tmp\modern-wizard.bmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsl4cd4.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl4d14.tmp\modern-wizard.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl4d14.tmp\modern-wizard.bmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsl4d14.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl5b42.tmp\button.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl5b42.tmp\buttonevent.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl5b42.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl5b42.tmp\ocsetuphlp.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl5b42.tmp\skinnedbutton.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl5b42.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsla341.tmp\button.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsla341.tmp\buttonevent.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsla341.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsla341.tmp\ocsetuphlp.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsla341.tmp\skinnedbutton.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsla341.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nslbcaf.tmp\button.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nslbcaf.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nslbcaf.tmp\ocsetuphlp.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nslbcaf.tmp\skinnedbutton.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nslbcaf.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsm4f84.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsma7d4.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsna8c0.tmp\inetc.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsna8c0.tmp\nsrandom.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsna8c0.tmp\nsweb.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsne4c.tmp\modern-wizard.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsne4c.tmp\modern-wizard.bmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsne4c.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nso54f9.tmp\modern-wizard.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nso54f9.tmp\modern-wizard.bmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nso54f9.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nso5595.tmp\modern-wizard.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nso5595.tmp\modern-wizard.bmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nso5595.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nso9a48.tmp\logex.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nso9a48.tmp\services.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nso9a48.tmp\userinfo.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp2684.tmp\modern-wizard.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp2684.tmp\modern-wizard.bmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsp2684.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp377d.tmp\b	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp377d.tmp\cutp8nakkb	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp377d.tmp\inetc.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp377d.tmp\setup.exe	Synchronize,Write Data
c:\users\user\appdata\local\temp\nsp377d.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp56d7.tmp\md5dll.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp56d7.tmp\nsisdl.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp56d7.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp56d7.tmp\xid.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp56d7.tmp\z.ini	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp56d7.tmp\z.ini.log	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nspbb95.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsq15ec.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsq308e.tmp\button.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsq308e.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsq308e.tmp\ocsetuphlp.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsq308e.tmp\skinnedbutton.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsq308e.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsq4ca4.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsq6183.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsq61c3.tmp\modern-wizard.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsq61c3.tmp\modern-wizard.bmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsq61c3.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsqbbe5.tmp\modern-wizard.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsqbbe5.tmp\modern-wizard.bmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsqbbe5.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsqbdb8.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsrbe56.tmp\modern-wizard.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsrbe56.tmp\modern-wizard.bmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsrbe56.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nssc4bd.tmp\nsweb.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nst62c3.tmp\button.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nst62c3.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nst62c3.tmp\ocsetuphlp.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nst62c3.tmp\skinnedbutton.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nst62c3.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nstab4f.tmp\installoptions.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nstab4f.tmp\iospecial.ini	Generic Read,Write Data,Write Attributes,Write extended,Append data

104 additional files are not displayed above.

Registry Modifications

i

Registry Modifications

This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.

Key::Value	Données	API Name
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Tjgkcfyl\AppData\Local\Temp\~nsuA.tmp\Un_A.exe	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Tjgkcfyl\AppData\Local\Temp\~nsuA.tmp\Un_A.exe\??\C:\Users\Tjgkcfyl\AppData\Local\Temp\~nsuA.tmp	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Tjgkcfyl\AppData\Local\Temp\~nsuA.tmp\Un_A.exe\??\C:\Users\Tjgkcfyl\AppData\Local\Temp\~nsuA.tmp\??\C:\Users\Tj	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Izxmuvxw\AppData\Local\Temp\nswFA4C.tmp\	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Uouenrps\AppData\Local\Temp\~nsuA.tmp\Un_A.exe	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Uouenrps\AppData\Local\Temp\~nsuA.tmp\Un_A.exe\??\C:\Users\Uouenrps\AppData\Local\Temp\~nsuA.tmp	RegNtPreCreateKey

Show More

HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Uouenrps\AppData\Local\Temp\~nsuA.tmp\Un_A.exe\??\C:\Users\Uouenrps\AppData\Local\Temp\~nsuA.tmp\??\C:\Users\Uo	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\content::cacheprefix		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\cookies::cacheprefix	Cookie:	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\history::cacheprefix	Visited:	RegNtPreCreateKey
HKCU\software\microsoft\internet explorer\gpu::adapterinfo	vendorId="0x1414",deviceID="0x8c",subSysID="0x0",revision="0x0",version="10.0.19041.3570"hypervisor="Hypervisor detected (Micros	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	*1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old122e4*1\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old12352*1\??\C:\P	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer::slowcontextmenuentries		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer::slowcontextmenuentries		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\run::synaptics pointing device driver	C:\ProgramData\Synaptics\Synaptics.exe	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer::slowcontextmenuentries		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475	闭 ȁ 獖}偫~엦1d ᵂċᵆċ r ֢	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	*1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old5af52*1\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old5af62*1\??\C:\P	RegNtPreCreateKey
HKCU\software\microsoft\internet explorer\gpu::adapterinfo	vendorId="0x1414",deviceID="0x8c",subSysID="0x0",revision="0x0",version="10.0.19041.5794"hypervisor="Hypervisor detected (Micros	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\software\microsoft\systemcertificates\authroot\certificates\4eb6d578499b1ccf5f581ead56be3d9b6744a5e5::blob	 ់㇤㹧ৢ䗾鍗૳ᳺ ứ霞輫穆轙⊩㢅즔S c愰ℰଆ虠ňŅᜇ〆〒ؐ⬊ĆĄ㞂ļ́ダ؟怉䢆蘁泽ĂሰူਆثЁ舁㰷āȃ쀀ᬰԆ腧Č〃〒ؐ⬊ĆĄ㞂ļ́翀Ā⨀　ب⬈Ćԅ̇؂⬈Ćԅ̇؃⬈Ćԅ̇؄⬈Ćԅ̇ँĀ⨀　ب⬈Ćԅ̇؂⬈Ćԅ	RegNtPreCreateKey
HKLM\software\microsoft\systemcertificates\authroot\certificates\4eb6d578499b1ccf5f581ead56be3d9b6744a5e5::blob		RegNtPreCreateKey
HKLM\software\microsoft\systemcertificates\root\certificates\be36a4562fb2ee05dbb3d32323adf445084ed656::blob	\ Ѐ 볝蚽㾜ࠛ컯퇄춈ᔻ ᰘ兘槹镹⍋ .Thawte Timestamping CA ਰࠆثԁ܅ࠃ 㚾嚤눯׮돛⏓괣䗴丈囖 晿煺硩騠ᑑ莝⃚ ꗨ뺘芄ﺎ炮ᔑ㔁뉶 ʥ	RegNtPreCreateKey

Windows API Usage

i

Windows API Usage

This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

Category	API
Anti Debug	IsDebuggerPresent NtQuerySystemInformation
User Data Access	GetComputerName GetComputerNameEx GetUserName GetUserObjectInformation
Process Manipulation Evasion	NtUnmapViewOfSection ReadProcessMemory ZwMapViewOfSection
Process Shell Execute	CreateProcess ShellExecuteEx
Network Wininet	HttpOpenRequest HttpQueryInfo HttpSendRequest InternetConnect InternetOpen InternetOpenUrl InternetQueryOption InternetReadFile InternetSetOption
Keyboard Access	GetKeyState
Network Winsock2	WSAStartup WSAttemptAutodialName
Network Winsock	bind closesocket connect gethostbyname getsockname inet_addr recv send socket
Network Info Queried	GetAdaptersInfo
Service Control	OpenSCManager OpenService
Network Winhttp	WinHttpConnect WinHttpOpen WinHttpOpenRequest
Encryption Used	BCryptOpenAlgorithmProvider

Shell Command Execution

i

Shell Command Execution

This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.

RunDll32.exe "C:\Users\Tdnqepzt\AppData\Local\Temp\nst62C3.tmp\OCSetupHlp.dll",_OCPID755OpenCandy2@16 6064,8FC6518A4AAC4BBAB9EFA51BED30CBC3,CD067BF2561F435F9FA7CBC4BDA2D109,FFD012E79F9845349DD5A2020A788861

RunDll32.exe "C:\Users\Tdnqepzt\AppData\Local\Temp\nst62C3.tmp\OCSetupHlp.dll",_OCPID755OpenCandy2@16 6064,8A64A2149AB84BF28721CF13E4FA57C7,327920F321744BF690746BFE0FF83873,FFD012E79F9845349DD5A2020A788861

"C:\Users\Tjgkcfyl\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\

RunDll32.exe "C:\Users\Vqaklfgo\AppData\Local\Temp\nsj6321.tmp\OCSetupHlp.dll",_OCPID755OpenCandy2@16 4708,F923245B4C4C41DD84992E564C74F2C5,958511D693AC49B3B7D9836B47A51407,62322D7CD20A42C192C8055BC765DB80

RunDll32.exe "C:\Users\Vqaklfgo\AppData\Local\Temp\nsj6321.tmp\OCSetupHlp.dll",_OCPID755OpenCandy2@16 4708,27521B4AC5FB49ADBFB210D4D23C3685,D804B426A5BE4F19BCCEFDAAB8E38154,62322D7CD20A42C192C8055BC765DB80

Show More

C:\Users\Izxmuvxw\AppData\Local\Temp\nswFA4C.tmp\setup.exe

"C:\Users\Rhndaseb\AppData\Local\Temp\is-3AV31.tmp\c6ed1b3470b89cdcfa9ed78d115cbe4c0f994f21_0005543000.tmp" /SL5="$10270,5157645,119296,c:\users\user\downloads\c6ed1b3470b89cdcfa9ed78d115cbe4c0f994f21_0005543000"

"C:\Users\Rhndaseb\AppData\Local\Temp\is-H164B.tmp\Non.exe" 6fc6ae7ad0e20df51a913ccabb2a36e4

RunDll32.exe "C:\Users\Mrozdasf\AppData\Local\Temp\nsl5B42.tmp\OCSetupHlp.dll",_RHPID994RHEng2@16 5980,9595210CF9E2400C90134CC2A18BB9F1,1276B8DBECA844DDBB5A15346776A41D,2509EDF23DD74C068F7FDBE1574BA62F

"C:\Users\Uouenrps\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\

RunDll32.exe "C:\Users\Ofeohdal\AppData\Local\Temp\nsaB735.tmp\OCSetupHlp.dll",_OCPID994OpenCandy2@16 1856,3F167C7F69BD454191D1126D67ED7F5F,C5D8C87AB2F74FED9946893891DE1DAF,6D0D4CC7B2864887A794D688C45C35A4

"C:\Users\Cltgpxis\AppData\Local\Temp\is-HJH98.tmp\314338c4716b627733e16ec458428c97f5c3feed_0003261524.tmp" /SL5="$3013C,2422026,832512,c:\users\user\downloads\314338c4716b627733e16ec458428c97f5c3feed_0003261524"

"C:\Users\Zjfxqecu\AppData\Local\Temp\is-CC2S2.tmp\f5e8679a2df2c7d3f9e7473d6b0f749327998648_0003861785.tmp" /SL5="$50300,3455730,240640,c:\users\user\downloads\f5e8679a2df2c7d3f9e7473d6b0f749327998648_0003861785"

RunDll32.exe "C:\Users\Kitklmoi\AppData\Local\Temp\nsq308E.tmp\OCSetupHlp.dll",_OCPID755OpenCandy2@16 7612,2879BE44B157471DB9B3AB7758193E61,514502EEEEA64E19884D4FB0A2ADD04A,452E5715FC4A4CFBAE780DD8DEE2172D

RunDll32.exe "C:\Users\Kitklmoi\AppData\Local\Temp\nsq308E.tmp\OCSetupHlp.dll",_OCPID755OpenCandy2@16 7612,8F2B307B8B9F4E009F4988FA291B62B8,E23813372B8C40ED8AFC99F050910C84,452E5715FC4A4CFBAE780DD8DEE2172D

"C:\Users\Fykmzkok\AppData\Local\Temp\is-4O7C0.tmp\0fdf0dfc916451bdeb0911af022c5e872f2a9176_0000615062.tmp" /SL5="$A20260,220874,131584,c:\users\user\downloads\0fdf0dfc916451bdeb0911af022c5e872f2a9176_0000615062"

"C:\Users\Khjbmrmj\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=c:\users\user\downloads\

C:\Users\Olxobqng\AppData\Local\Temp\nstE79B.tmp\setup.exe

"C:\Users\Xrqokjkv\AppData\Local\Temp\is-M98DN.tmp\is-HK8GN.tmp" /SL4 $3035E "c:\users\user\downloads\d1f4badf9eab3ac53a2a064db5812a5b4359cc79_0002520394" 2286371 52224

"C:\Users\Olegikiu\AppData\Local\Temp\is-TDC56.tmp\b63c28e9e22ae19210e30a5d0557415704ffda1b_0006436459.tmp" /SL5="$702BA,5739916,721408,c:\users\user\downloads\b63c28e9e22ae19210e30a5d0557415704ffda1b_0006436459"

runas c:\users\user\downloads\._cache_8cb445efb70e8a0c9ea7d83e94756c971726c458_0009521664

runas C:\ProgramData\Synaptics\Synaptics.exe InjUpdate

"C:\Users\Icfxxknw\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\

C:\Users\Peorcehd\AppData\Local\Temp\Temp\O5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn\5Vgq1OA3fIVBIfRueB5BzcN8qn_mb_1.exe

C:\Users\Peorcehd\AppData\Local\Temp\Temp\O5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn\310714_is.exe

C:\Users\Peorcehd\AppData\Local\Temp\Temp\O5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn\5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn_cr.exe

C:\Users\Peorcehd\AppData\Local\Temp\Temp\O5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn\5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn_t3.exe /np 1 /is cfsp1br

C:\Users\Peorcehd\AppData\Local\Temp\Temp\O5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn\5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn_a9.exe -silence -ptid=pcm

C:\Users\Peorcehd\AppData\Local\Temp\Temp\O5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn\5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn_am2.exe /u http://www.amoninst.com/index.php /ta /ci 9664 /i MyBestOffersTodayBR

C:\Users\Peorcehd\AppData\Local\Temp\Temp\O5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn\5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn_br.exe

C:\Users\Peorcehd\AppData\Local\Temp\Temp\O5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn\5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn_nj.exe

C:\Users\Peorcehd\AppData\Local\Temp\Temp\O5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn\5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn_gs.exe

"C:\Users\Hwyuvmcz\AppData\Local\Temp\is-E9V94.tmp\8ad451a67d6ba18459b7757487d251add486696c_0005444918.tmp" /SL5="$8031C,5045781,119296,c:\users\user\downloads\8ad451a67d6ba18459b7757487d251add486696c_0005444918"

C:\Users\Rakqsktn\AppData\Local\Temp\temp\310714_o.exe

C:\Users\Lqdtmesq\AppData\Local\Temp\Temp\O6lyiJjAbNPQTugozbwfICCuAE2Wu6lyiJjAbNPQTugozbwfICCuAE2Wu\6lyiJjAbNPQTugozbwfICCuAE2Wu_mb_1.exe

C:\Users\Lqdtmesq\AppData\Local\Temp\Temp\O6lyiJjAbNPQTugozbwfICCuAE2Wu6lyiJjAbNPQTugozbwfICCuAE2Wu\310714_is.exe

C:\Users\Lqdtmesq\AppData\Local\Temp\Temp\O6lyiJjAbNPQTugozbwfICCuAE2Wu6lyiJjAbNPQTugozbwfICCuAE2Wu\6lyiJjAbNPQTugozbwfICCuAE2Wu6lyiJjAbNPQTugozbwfICCuAE2Wu6lyiJjAbNPQTugozbwfICCuAE2Wu_cr.exe

C:\Users\Lqdtmesq\AppData\Local\Temp\Temp\O6lyiJjAbNPQTugozbwfICCuAE2Wu6lyiJjAbNPQTugozbwfICCuAE2Wu\6lyiJjAbNPQTugozbwfICCuAE2Wu6lyiJjAbNPQTugozbwfICCuAE2Wu_ps.exe /np 1 /is cfsp1br

C:\Users\Lqdtmesq\AppData\Local\Temp\Temp\O6lyiJjAbNPQTugozbwfICCuAE2Wu6lyiJjAbNPQTugozbwfICCuAE2Wu\6lyiJjAbNPQTugozbwfICCuAE2Wu6lyiJjAbNPQTugozbwfICCuAE2Wu_a9.exe -silence -ptid=pcm

C:\Users\Lqdtmesq\AppData\Local\Temp\Temp\O6lyiJjAbNPQTugozbwfICCuAE2Wu6lyiJjAbNPQTugozbwfICCuAE2Wu\6lyiJjAbNPQTugozbwfICCuAE2Wu6lyiJjAbNPQTugozbwfICCuAE2Wu_cp.exe /ci 12240

C:\Users\Lqdtmesq\AppData\Local\Temp\Temp\O6lyiJjAbNPQTugozbwfICCuAE2Wu6lyiJjAbNPQTugozbwfICCuAE2Wu\6lyiJjAbNPQTugozbwfICCuAE2Wu6lyiJjAbNPQTugozbwfICCuAE2Wu_am2.exe /u http://www.amoninst.com/index.php /ta /ci 9664 /i MyBestOffersTodayBR

C:\Users\Lqdtmesq\AppData\Local\Temp\Temp\O6lyiJjAbNPQTugozbwfICCuAE2Wu6lyiJjAbNPQTugozbwfICCuAE2Wu\6lyiJjAbNPQTugozbwfICCuAE2Wu6lyiJjAbNPQTugozbwfICCuAE2Wu6lyiJjAbNPQTugozbwfICCuAE2Wu_br.exe

C:\Users\Lqdtmesq\AppData\Local\Temp\Temp\O6lyiJjAbNPQTugozbwfICCuAE2Wu6lyiJjAbNPQTugozbwfICCuAE2Wu\6lyiJjAbNPQTugozbwfICCuAE2Wu6lyiJjAbNPQTugozbwfICCuAE2Wu6lyiJjAbNPQTugozbwfICCuAE2Wu_nj.exe

C:\Users\Lqdtmesq\AppData\Local\Temp\Temp\O6lyiJjAbNPQTugozbwfICCuAE2Wu6lyiJjAbNPQTugozbwfICCuAE2Wu\6lyiJjAbNPQTugozbwfICCuAE2Wu6lyiJjAbNPQTugozbwfICCuAE2Wu6lyiJjAbNPQTugozbwfICCuAE2Wu_gs.exe

RunDll32.exe "C:\Users\Mrkkkhic\AppData\Local\Temp\nslBCAF.tmp\OCSetupHlp.dll",_OCPID755OpenCandy2@16 3248,201907CC350344608AC041E9FCCD8301,F58B4B6C8973481B96A9D03B783ED902,3B2DBDE8D132481F843D68684014A5E7

RunDll32.exe "C:\Users\Mrkkkhic\AppData\Local\Temp\nslBCAF.tmp\OCSetupHlp.dll",_OCPID755OpenCandy2@16 3248,62E41A6497F34BB094D6D7EB9FB5CC1C,F3DFE9F0CB634B669735D6C89B681012,3B2DBDE8D132481F843D68684014A5E7

C:\Users\Zghzmcfc\AppData\Local\Temp\nsp377D.tmp\setup.exe

C:\Users\Zghzmcfc\AppData\Local\Temp\nsl3B55.tmp\setup.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\\dw20.exe dw20.exe -x -s 1760

"C:\Users\Kkwtxfre\AppData\Local\Temp\is-V64JI.tmp\1d5f3f763e07aaa5321d51d2a5b8a5a9516e03c8_0002498308.tmp" /SL5="$40318,849408,0,c:\users\user\downloads\1d5f3f763e07aaa5321d51d2a5b8a5a9516e03c8_0002498308"

RunDll32.exe "C:\Users\Czyiblul\AppData\Local\Temp\nslA341.tmp\OCSetupHlp.dll",_OCPID994OpenCandy2@16 4872,2D1D1771131D4D719DE87F1278377A1F,5AA54D9183F6494594D62A443F564A64,0CEF9F92ABFA4016B59E6FF6CC70E3A6

"C:\Users\Vtyvxkcn\AppData\Local\Temp\is-3TNT5.tmp\eefacd0ddbb4caa17fc90eb1ab2e67ea3bbe6502_0005315633.tmp" /SL5="$11033A,4924479,118784,c:\users\user\downloads\eefacd0ddbb4caa17fc90eb1ab2e67ea3bbe6502_0005315633"

"C:\Users\Vtyvxkcn\AppData\Local\Temp\is-BGK7G.tmp\Ratione.exe" b0a92a794d1c62de0231366a9c4d7e66

"C:\Users\Spiqeizv\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\

C:\Program Files (x86)\SrCse\srcse.exe -u