PUP.Rostpay

Analysis Report

General information

Family Name: PUP.Rostpay
Signature status: Self Signed

Known Samples

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has TLS information
  • File is .NET application
  • File is 32-bit executable
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Assembly Version
  • 4.5.3.0
  • 4.5.1.0
  • 4.4.8.0
  • 4.3.7.0
  • 4.3.5.0
  • 4.3.2.0
  • 4.2.6.0
  • 4.2.4.0
  • 4.1.1.0
  • 4.1.0.0
  • 4.0.9.0
  • 4.0.8.0
  • 4.0.7.0
  • 4.0.4.0
  • 4.0.3.0
  • 4.0.2.0
  • 4.0.1.0
  • 3.0.13.0
  • 2.1.5.0
  • 2.0.11.0
  • 2.0.9.0
  • 2.0.8.0
  • 2.0.4.0
  • 2.0.3.0
  • 1.2.2.0
  • 1.0.15.0
  • 1.0.0.0
Comments
  • Desktop implementation of Steam's mobile authenticator app
  • Install any useful software with a single click
Company Name
  • Microsoft
  • ROSTPAY LTD
  • ROSTPAY LTD.
  • Yandex LLC
  • ОБЩЕСТВО С ОГРАНИЧЕННОЙ ОТВЕТСТВЕННОСТЬЮ РОСТПЭЙ
File Description
  • DllHelper
  • DriverHub
  • DriverHub Installer
  • Install DriverHub
  • Install Tesla Browser
  • Install Wowpaper
  • Steam Desktop Authenticator
  • Uninstall Carambis Cleaner
  • Uninstall Carambis Driver Updater
  • Uninstall DriverHub
  • Uninstall UnzipTool
  • Voice assistant
  • Wowpaper
  • ZipSoft
  • ZipSoftMini
  • СSharpPin
File Version
  • 5.0.0.1903
  • 4.5.3.0
  • 4.5.1.0
  • 4.4.8.0
  • 4.3.7.0
  • 4.3.5.0
  • 4.3.2.0
  • 4.2.6.0
  • 4.2.4.0
  • 4.1.1.0
  • 4.1.0.0
  • 4.0.9.0
  • 4.0.8.0
  • 4.0.7.0
  • 4.0.4.0
  • 4.0.3.0
  • 4.0.2.0
  • 4.0.1.0
  • 3.4.23
  • 3.4.22
  • 3.4.20
  • 3.4.18
  • 3.4.12
  • 3.0.13.0
  • 2.1.5.0
  • 2.0.11.0
  • 2.0.9.0
  • 2.0.8.0
  • 2.0.4.0
  • 2.0.3.0
  • 1.3.17.1264
  • 1.2.2.0
  • 1.1.1.1712
  • 1.00
  • 1.0.15
  • 1.0.0.0
Internal Name
  • CleanerUninstaller.exe
  • DllHelper.exe
  • DriverHub.exe
  • DriverHubInstaller
  • DriverHubInstaller.exe
  • DriverHubUninstaller
  • DriverHubUninstaller.exe
  • DriverUpdaterUninstaller.exe
  • Steam Desktop Authenticator.dll
  • TeslaBrowserInstaller.exe
  • UnzipToolUninstaller.exe
  • Win
  • winsearchbar
  • Wowpaper.exe
  • WpaperInstaller.exe
  • ZipSoft.exe
  • ZipSoftMini.exe
  • СSharpPin.exe
Legal Copyright
  • Copyright (C) 2016 YANDEX LLC. All rights reserved.
  • Copyright 2017
  • Copyright © 2025
  • ROSTPAY LTD. All rights reserved.
  • © ROSTPAY LTD. All rights reserved.
  • © ОБЩЕСТВО С ОГРАНИЧЕННОЙ ОТВЕТСТВЕННОСТЬЮ РОСТПЭЙ. All rights reserved.
Original Filename
  • CleanerUninstaller.exe
  • DllHelper.exe
  • DriverHub.exe
  • DriverHubInstaller.exe
  • DriverHubUninstaller.exe
  • DriverUpdaterUninstaller.exe
  • Steam Desktop Authenticator.dll
  • TeslaBrowserInstaller.exe
  • UnzipToolUninstaller.exe
  • Win.exe
  • Wowpaper.exe
  • WpaperInstaller.exe
  • ZipSoft.exe
  • ZipSoftMini.exe
  • СSharpPin.exe
Product Name
  • Carambis Cleaner
  • Carambis Driver Updater
  • DllHelper
  • DriverHub
  • Steam Desktop Authenticator
  • Tesla Browser
  • UnzipTool
  • Voice assistant
  • Win
  • Wowpaper
  • ZipSoft
  • СSharpPin
Product Version
  • 5.0.0.1903
  • 4.5.3.0
  • 4.5.1.0
  • 4.4.8.0
  • 4.3.7.0
  • 4.3.5.0
  • 4.3.2.0
  • 4.2.6.0
  • 4.2.4.0
  • 4.1.1.0
  • 4.1.0.0
  • 4.0.9.0
  • 4.0.8.0
  • 4.0.7.0
  • 4.0.4.0
  • 4.0.3.0
  • 4.0.2.0
  • 4.0.1.0
  • 3.4.23
  • 3.4.22
  • 3.4.20
  • 3.4.18
  • 3.4.12
  • 3.0.13.0
  • 2.1.5.0
  • 2.0.11.0
  • 2.0.9.0
  • 2.0.8.0
  • 2.0.4.0
  • 2.0.3.0
  • 1.3.17.1264
  • 1.2.2.0
  • 1.1.1.1712
  • 1.00
  • 1.0.15
  • 1.0.0.0

Digital Signatures

Signer: YANDEX LLC; Root: GlobalSign CodeSigning CA - G3; Status: Self Signed
Signer: YANDEX LLC; Root: GlobalSign CodeSigning CA - SHA256 - G3; Status: Self Signed
Signer: ROSTPAY LLC; Root: GlobalSign GCC R45 EV CodeSigning CA 2020; Status: Self Signed
Signer: ОБЩЕСТВО С ОГРАНИЧЕННОЙ ОТВЕТСТВЕННОСТЬЮ РОСТПЭЙ; Root: GlobalSign GCC R45 EV CodeSigning CA 2020; Status: Self Signed
Signer: ROSTPAY; Root: Starfield Secure Certificate Authority - G2; Status: Self Signed

File Traits

  • HighEntropy
  • x86

Block Information

Total Blocks: 1,976
Potentially Malicious Blocks: 1,122
Whitelisted Blocks: 842
Unknown Blocks: 12

Visual Map

[Block map omitted; legend: 0 - Probable Safe Block, ? - Unknown Block, x - Potentially Malicious Block]

Similar Families

  • MSIL.Rostpay.A
  • Remcos.IK

Files Modified

File Attributes
c:\users\user\appdata\local\temp\nsa442a.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsn4ad2.tmp\installer_translate.ini Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\nsn4ad2.tmp\installer_translate.ini Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsn4ad2.tmp\modern-header.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsn4ad2.tmp\nsprocess.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsn4ad2.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsr46ab.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\~nsu.tmp\au_.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\local\yandex\searchband\8701dc38388607a40e889a689d12be8fe5e07626_0001130488.log Generic Write,Read Attributes
c:\users\user\appdata\local\zipsoft\sessionw.log Generic Write,Read Attributes
c:\users\user\appdata\roaming\wowpaper\error.log Generic Write,Read Attributes

Registry Modifications

Key::Value Data API Name
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations *1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old122e4*1\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old12352*1\??\C:\P RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKCU\software\zipsoft::appid {265e35b8-00ab-45f9-9ca3-06d715f03176} RegNtPreCreateKey
HKCU\software\zipsoft::arch 10.0/x64 RegNtPreCreateKey
HKCU\software\zipsoft::appid {0c041921-7966-45fa-9c90-ea2e99347d06} RegNtPreCreateKey

Windows API Usage

Category API
Other Suspicious
  • AdjustTokenPrivileges
  • SetWindowsHookEx
User Data Access
  • GetComputerNameEx
  • GetUserDefaultLocaleName
  • GetUserName
  • GetUserObjectInformation
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
  • OutputDebugString
Encryption Used
  • BCryptOpenAlgorithmProvider
Syscall Use
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFlushProcessWriteBuffers
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtPowerInformation
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationJobObject
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForMultipleObjects
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • UNKNOWN
Process Shell Execute
  • CreateProcess
Keyboard Access
  • GetKeyState

Shell Command Execution

"C:\Users\Nlzekwgn\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=c:\users\user\downloads\