Search Protect By Client Connect Ltd
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Popularity Rank: | 1,582 |
| Threat Level: | 50 % (Medium) |
| Infected Computers: | 166,067 |
| First Seen: | July 7, 2014 |
| Last Seen: | January 29, 2026 |
| OS(es) Affected: | Windows |
Search Protect By Client Connect Ltd is another variation of the Search Protect program, which is a potentially unwanted program that was once by Conduit. Search Protect may cause various issues on a computer where it may display advertisements or cause redirects to unwanted pages. The Search Protect ads or redirects may be an automatic process once it is loaded on your system. Various components or add-ons could cause your web browser to load alternate home pages or cause various ads to appear that also redirect you to unwanted pages. Removing the Search Protect program from your system may require using an antispyware application.
Table of Contents
Aliases
12 security vendors flagged this file as malicious.
| Antivirus Vendor | Detection |
|---|---|
| GData | Win64.Application.SearchProtect.AB@gen |
| McAfee-GW-Edition | Artemis |
| McAfee | Artemis!A2C9DD9C88B8 |
| AVG | Generic.ABF |
| Fortinet | Riskware/ClientConnect |
| AVG | SearchProtect.1DD |
| Fortinet | Riskware/Searchprotect |
| AhnLab-V3 | PUP/Win32.SearchProtect |
| Sophos | Conduit Search Protect |
| Kaspersky | not-a-virus:RiskTool.Win32.SearchProtect.a |
| K7AntiVirus | Trojan ( 0049ef011 ) |
| CAT-QuickHeal | RiskTool.SearchProtect.r6 (Not a Virus) |
SpyHunter Detects & Remove Search Protect By Client Connect Ltd
File System Details
Search Protect By Client Connect Ltd may create the following file(s):
| # | File Name | MD5 |
Detections
Detections: The number of confirmed and suspected cases of a particular threat detected on
infected computers as reported by SpyHunter.
|
|---|---|---|---|
| 1. | faci.dll | 0941826430da4938a6745cd1f7256f62 | 386 |
| 2. | avabvbxvh.exe | f5126cc817a0638a77f1ef3ddfe22f8e | 206 |
| 3. | bvxvbxvd.exe | 6eba3875b25e18788606ffa677a6153f | 173 |
| 4. | avabvbavad.exe | 8f2072a82910e649893e10b9139b2860 | 164 |
| 5. | avabvbyvyc.exe | f47af1d980bcfef7219d3c9c8b87555d | 111 |
| 6. | bvugqqrp.exe | 8694c0666ebc8818a1a8afbb3612cbcc | 8 |
| 7. | bvvpcehm.exe | 63a2562ee3ea6aa8b5c628fb1e00d26d | 7 |
| 8. | bvyvavay.exe | 3fecacabe8cd7a900ea2423d6765f040 | 7 |
| 9. | bvxvdxvx.exe | dd4fb04bfa36fd6aed06bcc4ddd2cfd4 | 6 |
| 10. | cltmng.exe | 941663f8a1a09853bd7bb17116187e9f | 2 |
| 11. | cltmngui.exe | 05d73dd302f1202841aaa88cfa7db648 | 2 |
| 12. | SPtool.dll | 26bd15bcb0a42ab62516bc01aa4f4217 | 1 |
| 13. | VC64Loader.dll | 1d135869fdf9f776318f20ec9484d530 | 1 |
| 14. | VC64LO~1.DLL | 6b7349fbc281478ac4dcda3181ca462e | 1 |
| 15. | VC64Loader.dll | b75d0a03a452440433579b1e996b9da6 | 1 |
| 16. | VC64LO~1.DLL | 3fdf8b112abd4ac8d9eb805375117120 | 1 |
| 17. | VC64LO~1.DLL | 0cf7da44b71d607966b2dc361e60245e | 1 |
| 18. | VC32Loader.dll | a0bbbd15e2b7f3c65c8dd26baaa8b316 | 1 |
| 19. | VC64LO~1.DLL | 865877482eb789e5c886339047c16ff6 | 1 |
| 20. | VC64Loader.dll | c1d32b1462f6c92c507b157ea00caaba | 1 |
| 21. | CltMngSvc.exe | 50ce1e27440dc18eb5252955a74e62ec | 1 |
| 22. | VC32LO~1.DLL | 91ac133097d92c10f3632172ae14c2d6 | 1 |
| 23. | SPPD.sys | 68d7304239069573a46d384cd71f5ec3 | 1 |
| 24. | VC32Loader.dll | 20a8b186142a0f70e3e89e04cf3c34ea | 1 |
| 25. | VC64LO~1.DLL | c598cc2ada03e90b588957e9a2ff7715 | 1 |
| 26. | VC32LO~1.DLL | 8c81ca4fe5deb7bdad504896864d5b49 | 1 |
Registry Details
Search Protect By Client Connect Ltd may create the following registry entry or registry entries:
CLSID
{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
File name without path
OrbiterInstaller[1].exe
Regexp file mask
%PROGRAMFILES%\SearchProtect\Main\bin\CltMngSvc.exe
%PROGRAMFILES%\SearchProtect\SearchProtect\bin\SPVC32Loader.dll
%PROGRAMFILES(x86)%\SearchProtect\Main\bin\CltMngSvc.exe
%PROGRAMFILES(x86)%\SearchProtect\SearchProtect\bin\SPVC32Loader.dll
%PROGRAMFILES(x86)%\SearchProtect\SearchProtect\bin\SPVC64Loader.dll
%PROGRAMFILES(x86)%\SearchProtect\SearchProtect\bin\VC64Loader.dll
%WINDIR%\AppPatch\AppPatch64\VCLdr64.dll
%WINDIR%\AppPatch\Custom\Custom64\{cf2797aa-b7ec-e311-8ed9-005056c00008}.sdb
%WINDIR%\AppPatch\Custom\{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb
%WINDIR%\AppPatch\nbin\VC32Loader.dll
%WINDIR%\system32\SearchProtectService.exe
%WinDir%\System32\Tasks\avaavaevy[RANDOM CHARACTERS]
%WinDir%\System32\Tasks\avaavxvyex
%WinDir%\System32\Tasks\avabvbavad
%WinDir%\System32\Tasks\avabvbxvh
%WinDir%\System32\Tasks\avabvbyvyb
%WinDir%\System32\Tasks\avabvbyvyc
%WinDir%\System32\Tasks\avabvdxvy
%WinDir%\System32\Tasks\avabvexvac
%WINDIR%\System32\Tasks\avabvyxvdy
%WINDIR%\System32\Tasks\avaxvavya
%WinDir%\System32\Tasks\avaxvbxvgx
%windir%\System32\Tasks\avayvaxvaa
%WinDir%\System32\Tasks\bvxvaxxvyd
%WinDir%\System32\Tasks\bvxvbvef
%WinDir%\System32\Tasks\bvxvbxvd
%WinDir%\System32\Tasks\bvxvbxxvaa
%WinDir%\System32\Tasks\bvxvbyxvaa
%WinDir%\System32\Tasks\bvxvcxxvaf
%WinDir%\System32\Tasks\bvxvcyxvyy
%WinDir%\System32\Tasks\bvxvdxvx
%WinDir%\System32\Tasks\bvxvexvbg
%WinDir%\System32\Tasks\bvxvgxvyy
%WinDir%\System32\Tasks\bvxvyxvgy
%WinDir%\System32\Tasks\bvxvyxxvcy
%WinDir%\System32\Tasks\bvyvavay
%WinDir%\System32\Tasks\bvyvbvhx
%WinDir%\System32\Tasks\bvyvbvyb
%WinDir%\System32\Tasks\bvyvbvyf
%WINDIR%\SysWOW64\SearchProtectService.exe
%WinDir%\Tasks\avaavxvyex[RANDOM CHARACTERS]
%WinDir%\Tasks\avabvbxvh[RANDOM CHARACTERS]
%WinDir%\Tasks\avaxvbxvgx[RANDOM CHARACTERS]
%WinDir%\Tasks\bvxvcxxvaf.job
%WinDir%\Tasks\bvxvdxvx[RANDOM CHARACTERS]
Software\Conduit_Search_Protect
Software\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
Software\Microsoft\Internet Explorer\SearchScopes\{015DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SearchProtect
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\chrome.exe\{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\chrome.exe\{cf2797aa-b7ec-e311-8ed9-005056c00008}.sdb
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\explorer.xxx\{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\explorer.zza\{cf2797aa-b7ec-e311-8ed9-005056c00008}.sdb
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\firefox.exe\{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\iexplore.exe\{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\iexplore.exe\{cf2797aa-b7ec-e311-8ed9-005056c00008}.sdb
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\Layers\VC32Ldr
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\software_removal_tool.exe\{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\software_reporter_tool.exe\{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{cf2797aa-b7ec-e311-8ed9-005056c00008}
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browserprotect.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\avaavxvyex
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\avabvbavad
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\avabvbxvh
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\avabvbyvyb
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\avabvbyvyc
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\avabvdxvy
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\avabvexvac
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\avabvyxvdy
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\avaxvbxvgx
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bvxvavc
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bvxvaxxvyd
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bvxvbvef
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bvxvbxvd
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bvxvbxxvaa
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bvxvbyxvaa
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bvxvcxxvaf
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bvxvcyxvyy
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bvxvdxvx
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bvxvexvbg
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bvxvgxvyy
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bvxvyxvec
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bvxvyxvgy
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bvxvyxxvcy
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bvyvavay
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bvyvbvhx
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bvyvbvyb
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\bvyvbvyf
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\ORBTR
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\sonocontrol
Software\Microsoft\Windows\CurrentVersion\Run\SearchProtect
SOFTWARE\ORBTR
Software\SearchProtect
Software\SearchProtectIN4T
Software\SearchProtectINT
Software\SearchProtectINT2
Software\SearchProtectWS
SOFTWARE\SPPDCOM
SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost\ORBTR
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\sonocontrol
SOFTWARE\Wow6432Node\ORBTR
SOFTWARE\Wow6432Node\SearchProtect
SOFTWARE\Wow6432Node\SPPDCOM
SYSTEM\ControlSet001\Enum\Root\LEGACY_SPPD
SYSTEM\ControlSet001\services\CltMngSvc
SYSTEM\ControlSet001\services\Orbiter
SYSTEM\ControlSet001\services\SPPD
SYSTEM\ControlSet001\services\SPS
SYSTEM\ControlSet002\Enum\Root\LEGACY_SPPD
SYSTEM\ControlSet002\services\CltMngSvc
SYSTEM\ControlSet002\services\Orbiter
SYSTEM\ControlSet002\services\SPPD
SYSTEM\ControlSet002\services\SPS
SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPPD
SYSTEM\CurrentControlSet\services\CltMngSvc
SYSTEM\CurrentControlSet\services\Orbiter
SYSTEM\CurrentControlSet\services\SPPD
SYSTEM\CurrentControlSet\services\SPS
SearchProtect
Setup Support for SearchProtect
{2AEF02C3-5159-4C81-A688-8D954F0DEE56}_NewSearch
Directories
Search Protect By Client Connect Ltd may create the following directory or directories:
| %AppData%\SearchProtect |
| %LOCALAPPDATA%\GuardboxEngine |
| %LOCALAPPDATA%\NextSearch |
| %LOCALAPPDATA%\avaavaevy |
| %LOCALAPPDATA%\avaavxvyex |
| %LOCALAPPDATA%\avabvbavad |
| %LOCALAPPDATA%\avabvbxvh |
| %LOCALAPPDATA%\avabvbyvyb |
| %LOCALAPPDATA%\avabvbyvyc |
| %LOCALAPPDATA%\avabvcxvyx |
| %LOCALAPPDATA%\avabvdxvy |
| %LOCALAPPDATA%\avabvexvac |
| %LOCALAPPDATA%\avabvyxvdy |
| %LOCALAPPDATA%\avaxvbxvgx |
| %LOCALAPPDATA%\avayvaxxvae |
| %LOCALAPPDATA%\avayvxvaxc |
| %LOCALAPPDATA%\bvxvavc |
| %LOCALAPPDATA%\bvxvaxxvyd |
| %LOCALAPPDATA%\bvxvbvbh |
| %LOCALAPPDATA%\bvxvbvef |
| %LOCALAPPDATA%\bvxvbxvd |
| %LOCALAPPDATA%\bvxvbxxvaa |
| %LOCALAPPDATA%\bvxvbyxvaa |
| %LOCALAPPDATA%\bvxvcxxvaf |
| %LOCALAPPDATA%\bvxvcyxvyy |
| %LOCALAPPDATA%\bvxvdxvx |
| %LOCALAPPDATA%\bvxvexvbg |
| %LOCALAPPDATA%\bvxvgxvyy |
| %LOCALAPPDATA%\bvxvhxvh |
| %LOCALAPPDATA%\bvxvyxvec |
| %LOCALAPPDATA%\bvxvyxvgy |
| %LOCALAPPDATA%\bvxvyxxvcy |
| %LOCALAPPDATA%\bvyvavay |
| %LOCALAPPDATA%\bvyvbvhx |
| %LOCALAPPDATA%\bvyvbvyb |
| %LOCALAPPDATA%\bvyvbvyf |
| %LOCALAPPDATA%\bvyvcvbb |
| %LOCALAPPDATA%\bvyvdvag |
| %LOCALAPPDATA%\bvyvdvyh |
| %LocalAppData%\SearchProtect |
| %PROGRAMFILES%\GuardboxEngine |
| %PROGRAMFILES%\NextSearch |
| %PROGRAMFILES%\ORBTR |
| %PROGRAMFILES%\Search-Protect |
| %PROGRAMFILES%\SearchProtect |
| %PROGRAMFILES%\Setup Support for SearchProtect |
| %PROGRAMFILES(x86)%\GuardboxEngine |
| %PROGRAMFILES(x86)%\NextSearch |
| %PROGRAMFILES(x86)%\ORBTR |
| %PROGRAMFILES(x86)%\Search-Protect |
| %PROGRAMFILES(x86)%\SearchProtect |
| %PROGRAMFILES(x86)%\Setup Support for SearchProtect |
| %PROGRAMFILES(x86)%\sp-downloader |
| %USERPROFILE%\Configuración local\Datos de programa\SearchProtect |
| %USERPROFILE%\Configurações Locais\Dados de aplicativos\SearchProtect |
| %USERPROFILE%\Impostazioni locali\Dati applicazioni\SearchProtect |
| %USERPROFILE%\Local Settings\Application Data\avabvbxvh |
| %USERPROFILE%\Lokale Einstellungen\Anwendungsdaten\SearchProtect |
| %USERPROFILE%\Ustawienia lokalne\Dane aplikacji\SearchProtect |
| %UserProfile%\Local Settings\Application Data\GuardboxEngine |
| %UserProfile%\Local Settings\Application Data\SearchProtect |
| %UserProfile%\Local Settings\Application Data\avaavaevy |
| %UserProfile%\Local Settings\Application Data\avaavxvyex |
| %UserProfile%\Local Settings\Application Data\avabvbavad |
| %UserProfile%\Local Settings\Application Data\avabvexvac |
| %UserProfile%\Local Settings\Application Data\avaxvbxvgx |
| %UserProfile%\Local Settings\Application Data\avayvaxxvae |
| %UserProfile%\Local Settings\Application Data\avayvxvaxc |
| %UserProfile%\Local Settings\Application Data\bvxvbvef |
| %UserProfile%\Local Settings\Application Data\bvxvdxvx |
| %UserProfile%\Local Settings\Application Data\bvxvexvbg |
| %UserProfile%\Local Settings\Application Data\bvxvgxvyy |
| %UserProfile%\Local Settings\Application Data\bvxvhxvh |
| %UserProfile%\Local Settings\Application Data\bvxvyxvec |
| %UserProfile%\Local Settings\Application Data\bvxvyxxvcy |
| %WINDIR%\SysWOW64\config\systemprofile\AppData\Local\SearchProtect |
| %WINDIR%\System32\config\systemprofile\AppData\Local\SearchProtect |
| %WinDir%\SysWOW64\SearchProtect |
| %WinDir%\System32\SearchProtect |
Analysis Report
General information
| Family Name: | Search Protect |
|---|---|
| Signature status: | No Signature |
Known Samples
Known Samples
This section lists other file samples believed to be associated with this family.|
MD5:
c8977c7700601fcf3980fbd78c7ff1e9
SHA1:
b27a52385211645234cb5ff24b9b3eb102c4e823
File Size:
198.41 KB, 198405 bytes
|
|
MD5:
3b83bf2fe3752186ef9b9cbf6d181a05
SHA1:
b40df683a6398d80aca08aa246d1b19d81db42b2
SHA256:
8E3C8086E861FF34B6D54D28CCAF5FA9B2C8736788BC241077CF551B02F8AD67
File Size:
1.82 MB, 1824480 bytes
|
|
MD5:
e7e0fc2fa970eaf007d495e66c752e8d
SHA1:
295a79a8e1430e29e2c327d9a202b2c523288fd6
SHA256:
7C447059371CA35895489EFC406AA51585406545DBA92FA36CDDEE5EF68AEA3B
File Size:
156.86 KB, 156864 bytes
|
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
Show More
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.| Name | Value |
|---|---|
| Comments |
|
| Company Name |
|
| File Description |
|
| File Version |
|
| Legal Copyright |
|
| Legal Trademarks |
|
| Product Name |
|
| Product Version |
|
Digital Signatures
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature’s root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy “Self Signed” digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading “Signer” names.| Signer | Root | Status |
|---|---|---|
| Yahoo! Inc. | VeriSign Class 3 Code Signing 2004 CA | Root Not Trusted |
| Lavasoft Limited | VeriSign Class 3 Code Signing 2010 CA | Self Signed |
Files Modified
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.| File | Attributes |
|---|---|
| c:\users\user\appdata\local\temp\adaware-manifest.xml | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\adaware-toolbar.xml | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\adawaretb_uninstall_log.txt | Read Attributes,Synchronize,Append data |
| c:\users\user\appdata\local\temp\adawaretb_uninstall_log.txt | Read Attributes,Synchronize,Write Data |
| c:\users\user\appdata\local\temp\nshcff8.tmp\langdll.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nshcff8.tmp\logex.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nshcff8.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nshcff8.tmp\uac.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nshcff8.tmp\xml.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsk49b8.tmp\finish.ini | Generic Read,Write Data,Write Attributes,Write extended,Append data |
Show More
| c:\users\user\appdata\local\temp\nsk49b8.tmp\finish.ini | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsk49b8.tmp\installoptions.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsk49b8.tmp\privacy.ini | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\nsk49b8.tmp\privacy.ini | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsk49b8.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsk49b8.tmp\toolbar.bmp | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsk49b8.tmp\welcome.ini | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\nsk49b8.tmp\welcome.ini | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsqcc8c.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete |
| c:\users\user\appdata\local\temp\nsqcd76.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete |
| c:\users\user\appdata\local\temp\nsrcfe7.tmp | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete |
| c:\users\user\appdata\local\temp\nsvcd96.tmp\ad-aware security add-on uninstall.exe | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
| c:\users\user\appdata\local\temp\nsvcd96.tmp\logex.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsvcd96.tmp\system.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\nsvcd96.tmp\uac.dat | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\uncmdline.txt | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\uncmdline.txt | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\~nsu.tmp\au_.exe | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
Registry Modifications
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.| Key::Value | Data | API Name |
|---|---|---|
| HKLM\software\wow6432node\yahoo::ntatest | 1 | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Tamxoess\AppData\Local\Temp\~nsu.tmp\Au_.exe | RegNtPreCreateKey |
| HKLM\system\controlset001\control\session manager::pendingfilerenameoperations | \??\C:\Users\Tamxoess\AppData\Local\Temp\~nsu.tmp\Au_.exe��\??\C:\Users\Tamxoess\AppData\Local\Temp\~nsu.tmp | RegNtPreCreateKey |
| HKLM\software\wow6432node\adawaretb::campaignidie | I | RegNtPreCreateKey |
Windows API Usage
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.| Category | API |
|---|---|
| Keyboard Access |
|
| Process Shell Execute |
|
Shell Command Execution
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.
"C:\Users\Tamxoess\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=c:\users\user\downloads\
|
"C:\Users\Tamxoess\AppData\Local\Temp\nsvCD96.tmp\Ad-Aware Security Add-on uninstall.exe" /NCRC _?=c:\users\user\downloads
|
