PUP.SparkOnSoft

Analysis Report

General information

Family Name: PUP.SparkOnSoft
Signature status: No Signature

Known Samples


Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have resources
  • File doesn't have security information
  • File has exports table
  • File has TLS information
  • File is .NET application
  • File is 32-bit executable
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Assembly Version
  • 1.8.0.23
  • 1.6.0.24
Comments
  • PCHelperAISetup
  • This installation was built with Inno Setup.
Company Name
  • Hawk Integrated Inc
  • Mainstay Crypto LLC
  • Secure PC Software LLC
  • The libjpeg-turbo Project
File Description
  • BuyBricksSetup
  • InstallRecipe
  • PCHelperAISetup
  • PDF Proton
  • PDF_Spark Setup
  • TurboJPEG API DLL
File Version
  • 2.0.0.1
  • 1.8.0.23
  • 1.6.0.24
  • 1.3.2.2
  • 1.0.0.9
  • 0,4,0,0
Internal Name
  • BuyBricksAISetup.exe
  • PCHelperAISetup.exe
  • turbojpeg
Legal Copyright
  • Copyright Hawk Integrated Inc 2025
  • Copyright © 1991-2024 The libjpeg-turbo Project and many others
  • Copyright © 1991-2025 The libjpeg-turbo Project and many others
  • Copyright © 2025
  • Mainstay Crypto LLC 2025
Original Filename
  • BuyBricksAISetup.exe
  • PCHelperAISetup.exe
  • turbojpeg.dll
Product Name
  • BuyBricksSetup
  • InstallRecipe
  • libjpeg-turbo
  • PCHelperAISetup
  • PDF Proton
  • PDF_Spark
Product Version
  • 3.1.2
  • 3.1.0
  • 1.8.0.23
  • 1.6.0.24
  • 1.0.0.9

Digital Signatures

Signer | Root | Status
Rush Delivery, LLC | GlobalSign GCC R45 EV CodeSigning CA 2020 | Self Signed
Mainstay Crypto LLC | Microsoft Identity Verification Root Certificate Authority 2020 | Root Not Trusted
Secure PC Software LLC | SSL.com EV Code Signing Intermediate CA RSA R3 | Self Signed
Smart Contract LLC | Sectigo Public Code Signing Root R46 | Root Not Trusted

File Traits

  • 2+ executable sections
  • Inno
  • InnoSetup Installer
  • Installer Manifest
  • Installer Version
  • nosig nsis
  • Nullsoft Installer
  • VirtualQueryEx
  • x86

Block Information

Total Blocks: 101
Potentially Malicious Blocks: 0
Whitelisted Blocks: 101
Unknown Blocks: 0

Visual Map

[Visual map: all 101 blocks marked 0 (probable safe block)]
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Brute.BHA
  • Chapak.HBX
  • CobaltStrike.GI
  • CobaltStrike.GIA
  • MSIL.MediaArena.K
  • MSIL.TelegramBot.S
  • MSIL.TelegramBot.T
  • MSILZilla.TC
  • Trojan.Agent.Gen.VN

Files Modified

File | Attributes
c:\users\user\appdata\local\sb\bb\installconfig.txt | Generic Write, Read Attributes
c:\users\user\appdata\local\sb\bb\metadata.txt | Generic Write, Read Attributes
c:\users\user\appdata\local\sb\ph\installconfig.txt | Generic Write, Read Attributes
c:\users\user\appdata\local\sb\ph\metadata.txt | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\3bb504e0-4f89-11d3-9a0c-0305e82c33lulp\bb\appsettings.json | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\3bb504e0-4f89-11d3-9a0c-0305e82c33lulp\bbinstaller.log | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\89fc1d58-f4a6-44cc-97e7-9637516da167ax05\ph\appsettings.json | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\89fc1d58-f4a6-44cc-97e7-9637516da167ax05\phinstaller.log | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\bb09561d420844ffb050b8378eb0acd3\pchelperai.installerupdaterlib.dll | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\bb09561d420844ffb050b8378eb0acd3\pchelperai.installerupdaterlib.dll.lock | Generic Write, Read Attributes, Delete
c:\users\user\appdata\local\temp\nsr764f.tmp | Generic Read, Write Data, Write Attributes, Write Extended, Append Data, Delete
c:\users\user\appdata\local\temp\nsr7660.tmp\banner.dll | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\nsr7660.tmp\nsisunz.dll | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\nsr7660.tmp\recipelocale.zip | Generic Write, Read Attributes
c:\users\user\appdata\local\temp\~nsua.tmp\un_a.exe | Generic Read, Write Data, Write Attributes, Write Extended, Append Data, Delete, LEFT 262144

Registry Modifications

Key::Value | Data | API Name
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | *1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old5af52*1\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old5af62*1\??\C:\P | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet | | RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect | | RegNtPreCreateKey
HKCU\software\sb\ph::instanceid | 765e0d61-c34f-4cd9-818d-9afb014ee068 | RegNtPreCreateKey
HKCU\software\sb\ph::macid | 42c4b0e3-fc98-141c-9afb-f4c8996fb924 | RegNtPreCreateKey
HKCU\software\sb\ph::firstlaunchdate | 2026-03-09 | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing::enableconsoletracing | | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enablefiletracing | | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enableautofiletracing | | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enableconsoletracing | | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::filetracingmask | (value not decoded) | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::consoletracingmask | (value not decoded) | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::maxfilesize | | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::filedirectory | %windir%\tracing | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enablefiletracing | | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enableautofiletracing | | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enableconsoletracing | | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::filetracingmask | (value not decoded) | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::consoletracingmask | (value not decoded) | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::maxfilesize | | RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::filedirectory | %windir%\tracing | RegNtPreCreateKey
HKCU\software\sb\bb::instanceid | 7667ae7d-2e97-4be6-9568-f80ad832fce5 | RegNtPreCreateKey
HKCU\software\sb\bb::macid | 42c4b0e3-fc98-141c-9afb-f4c8996fb924 | RegNtPreCreateKey
HKCU\software\sb\bb::firstlaunchdate | 2026-03-15 | RegNtPreCreateKey

Windows API Usage

Category API
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
  • OutputDebugString
User Data Access
  • GetComputerName
  • GetUserDefaultLocaleName
  • GetUserName
  • GetUserObjectInformation
Other Suspicious
  • AdjustTokenPrivileges
Service Control
  • OpenSCManager
Encryption Used
  • BCryptOpenAlgorithmProvider
  • CryptAcquireContext
Network Winsock2
  • WSAConnect
  • WSASend
  • WSASocket
  • WSAStartup
  • WSAttemptAutodialName
Network Winsock
  • bind
  • closesocket
  • freeaddrinfo
  • getaddrinfo
  • recv
  • send
  • setsockopt
Network Winhttp
  • WinHttpOpen
Network Info Queried
  • GetAdaptersAddresses
  • GetNetworkParams
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWriteFile
  • UNKNOWN
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess

Shell Command Execution

C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\699e41de3393c9509ceef07a2ddc3d4599f01ae8_0002966000.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\23180e8671cf435bc244a8d9eb1e2ddbd3b02534_0002855560.,LiQMAxHB
"C:\Users\Blqkerew\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\