
Adware.OpenSUpdater.NA

By CagedTech in Adware

Threat Scorecard

Popularity Rank: 6,301
Threat Level: 20 % (Normal)
Infected Computers: 2,873
First Seen: July 6, 2021
Last Seen: June 19, 2026
OS(es) Affected: Windows

Analysis Report

General information

Family Name: Adware.OpenSUpdater.NA
Signature status: Self Signed

Known Samples

Sample 1
MD5: cc192c10399a3fe91b80ee051a86c342
SHA1: 4ddfd7b8203b2abab32b116d34662c5084dd75a4
SHA256: 2F967F12DCCB3041332DC5C8D305B5D4B7F6AF65D6799EDF480C339F8F965DF4
File Size: 1.02 MB, 1023896 bytes

Sample 2
MD5: 7cfc261d5c90a1290b539851a4bf52f5
SHA1: b222f78442823bbbf0a7e5998871ba2c73034b5e
SHA256: DC5364035F503289EB113B2E0818B3A8D012B77FC926DDA38446FDC142270227
File Size: 9.09 MB, 9086408 bytes

Sample 3
MD5: 84e7a3e5e34b6d04834893e56ed0f068
SHA1: ec9b46b4fc4c16a077562b81f32eaa4291d8c18c
SHA256: 8B3D645458ACEDC1F47610902D3999FB004D890391A3CBBE42AD98523EF5A9B0
File Size: 144.99 KB, 144989 bytes

Sample 4
MD5: ee2b9963746d2ee9f92ea57b9bfff2fd
SHA1: 96b0ce405db47f26b3da7d4e6f8e2892534db8f4
SHA256: AA3A73303793BBAAE27453A6E84C4D30EFDD83918D736DF1333B66406F4D824E
File Size: 9.09 MB, 9086408 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has TLS information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name | Value (one entry per sample)
Company Name
  • Open Source
  • REWARD Tool
File Description
  • ETHM - Setup
  • REWARD Tool
File Version
  • 1.0.0.0
  • 0.9.41
Internal Name
  • ETHM
  • REWARDTool.exe
Legal Copyright
  • 2015 - Open Source
  • REWARD Tool Company.
Original Filename
  • -
  • REWARDTool.exe
Product Name
  • ETHM - Setup
  • REWARD Tool
Product Version
  • 1.0.0.0
  • 0.9.41

Digital Signatures

Signer | Root | Status
LLC "SOFT DATA SISTEM" | COMODO RSA Code Signing CA | Self Signed
Craftmate Oy | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | Self Signed

File Traits

  • dll
  • HighEntropy
  • x86

Block Information

Total Blocks: 25,959
Potentially Malicious Blocks: 3,007
Whitelisted Blocks: 20,949
Unknown Blocks: 2,003

Visual Map

[Block-level map of the sample, rendered in the source as a grid of symbols; data truncated in the source]
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Files Modified

File | Attributes
\device\namedpipe | Generic Read, Write Attributes
\device\namedpipe | Generic Write, Read Attributes
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.1.regtrans-ms | Generic Read, Write Data, Write Attributes, Write extended, Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.2.regtrans-ms | Generic Read, Write Data, Write Attributes, Write extended, Append data
c:\users\user\appdata\local\temp\nsc184e.tmp\cpufeatures.dll | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\nsc184e.tmp\nsexec.dll | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\nsc184e.tmp\nsprocess.dll | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\nsc184e.tmp\registry.dll | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\nsc184e.tmp\system.dll | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\nsc184e.tmp\userinfo.dll | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\nscd730.tmp\wmiinspector.dll | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\~nsua.tmp\au_.exe | Generic Read, Write Data, Write Attributes, Write extended, Append data, Delete, LEFT 262144
c:\users\user\appdata\roaming\cpuminer\ethminer\clinfo.exe | Generic Write, Read Attributes
c:\users\user\appdata\roaming\cpuminer\ethminer\ethm.exe | Generic Write, Read Attributes
c:\users\user\appdata\roaming\cpuminer\ethminer\license.txt | Generic Write, Read Attributes
c:\users\user\appdata\roaming\cpuminer\ethminer\start.cmd | Generic Write, Read Attributes

Registry Modifications

Key::Value | Data | API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | [binary data, not reproducible in the source] | RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe | [binary data, not reproducible in the source] | RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | *1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old122e4*1\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old12352*1\??\C:\P (truncated in the source) | RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | [binary data, not reproducible in the source] | RegNtPreCreateKey

Windows API Usage

Category | API
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess
  • ShellExecute
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • UNKNOWN
User Data Access
  • GetUserName
  • GetUserObjectInformation
Process Terminate
  • TerminateProcess
Other Suspicious
  • AdjustTokenPrivileges
  • SetWindowsHookEx
Service Control
  • OpenSCManager
  • OpenService

Shell Command Execution

"C:\Users\Ndagkaxt\AppData\Roaming\cpuminer\ethminer\clinfo.exe"
"C:\Users\Ndagkaxt\AppData\Roaming\cpuminer\ethminer\ethm.exe" --ndevs
runas c:\users\user\downloads\b222f78442823bbbf0a7e5998871ba2c73034b5e_0009086408 -dam /tx
"C:\Users\Twcufpnw\AppData\Local\Temp\~nsuA.tmp\Au_.exe" _?=c:\users\user\downloads\
