
Adware.KorAd

By LoneStar in Adware

Threat Scorecard

Popularity Rank: 4,205
Threat Level: 20 % (Normal)
Infected Computers: 25,255
First Seen: November 29, 2015
Last Seen: December 14, 2025
OS(es) Affected: Windows

Adware.KorAd is an adware family whose effects range from merely irritating to seriously disruptive: pop-up advertisements, browser redirects and degraded system performance. Its purpose is to display advertisements in the affected Web browser. The indicators below (the ancamera.co.kr DOMStorage key, Korean company and product names in the version metadata and signatures) point to a cluster of Korean ad-supported software bundles. Although Adware.KorAd usually arrives as a browser toolbar marketed as a useful tool, such toolbars are classified as PUPs (Potentially Unwanted Programs) because of the symptoms they cause. Whatever it claims, Adware.KorAd is built to expose users to marketing material and advertisements rather than to provide a useful service.

Why Adware.KorAd and Similar Content May Be Considered Harmful

Adware.KorAd should be removed as soon as it is found. It is typically installed as a Web browser extension or add-on (the Browser Helper Object CLSID listed below is one such component), which gives it the ability to observe online activity, record browsing habits and history, and pass that data to marketers or use it to target advertisements at the browser. Any service Adware.KorAd claims to provide is available from free alternatives that do not expose the computer to potentially unsafe content or profit at the user's expense.

What Makes PUPs Like Adware.KorAd Different from Malware

Adware.KorAd is classified as a PUP, meaning it is neither as threatening nor as hard to remove as a Trojan or other malware. That does not make its symptoms less disruptive: a browser affected by it can become nearly unusable, especially because it rarely arrives alone. The file, directory and registry lists below show several distinct components (toolbars, "update" executables, a service and pop-up modules) that are typically bundled together, and it is the combination that produces the system slowdowns and sluggish Internet connection users report.

File System Details

Adware.KorAd may create the following file(s):
# File Name MD5 Detections
1. AnToolUpdate.exe f322e5e14cb697de088905093d482499 3,393
2. ancamcorderupdate.exe baae2beaf4ce8833b0ca494b014d5d99 407
3. RollingPop_S.exe eedfe1a35eded5bac95c404b18d63a38 377
4. CertKeySvc.exe 4ece80d354e6df69d56fec38b7887392 291
5. ancameraupdate.exe fd94426fb63fbdb95b85db64ca5c0b55 242
6. anrecorderup.exe 1361fc100634758941da78aa93748975 159
7. HipPop_S.exe 23a118c4a0b736d88da09b5137686168 70
8. _ISZone.exe ca69e174e4852bf006368d483e5a7709 56
9. vcodecopen.exe 927e56b4642b6a58d73193cfd0587dcb 28
10. _ISZoneUpdate.exe 552bcc406267996062b834e6b37a6927 17
11. TopFind.exe f2d417cf967e0ae60451aacbc138262e 16
12. CertKey.exe 8a427bab0210b9ebf71d9d3e143d0171 14
13. Enumerate_gt10_hinst.exe 4ef35ce215ed616f817acf2c836d3179 10
14. RollingPop_E[1].exe 31e44acf8f3bea44b4b7625fb8b43688 7
15. RollingPop_E.exe 51f75c706855c1fb779568acf7b5a331 2
16. HipPop_E.exe aa4ecfc68dbbd5373003c6d2e17bc63a 1
17. ISZoneInstall_66_156.exe 258eee58c29fb3972dc092d4fb184f11 1
18. ISZoneUpdate.exe 51708968c0fd709a36211ea754a58909 1
19. ISZone.exe 2a60b24404a69ae752ce5091ddcbbc31 1
20. uninst.exe 28fcf77bea4250bba1d2d8e74e0f7812 1
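A hash sweep that turns the table above into a check a responder can run on a suspect host, as an added example (this is not code from the page or from the product it describes): it walks the given directories, hashes each candidate file once for MD5, SHA-1 and SHA-256, and reports files whose digest appears in the page's lists. The digests are copied from the table and from the Known Samples section further down; the scan roots, the suffix filter and the data used in testing are constructed.

```python
"""Hash sweep against the digests listed on this page (added example)."""
import hashlib
import os

# Copied from the page: MD5s from the File System Details table (first six rows)
# and SHA-256s from the Known Samples section, stored lower-case for comparison.
KNOWN_HASHES = {
    "f322e5e14cb697de088905093d482499": "AnToolUpdate.exe",
    "baae2beaf4ce8833b0ca494b014d5d99": "ancamcorderupdate.exe",
    "eedfe1a35eded5bac95c404b18d63a38": "RollingPop_S.exe",
    "4ece80d354e6df69d56fec38b7887392": "CertKeySvc.exe",
    "fd94426fb63fbdb95b85db64ca5c0b55": "ancameraupdate.exe",
    "1361fc100634758941da78aa93748975": "anrecorderup.exe",
    "fa512e94aef6b4d679e21ada759783a6b3349f53dd99f9bbd21015bdcc999079": "known sample, 3716424 bytes",
    "4814adc638071b96bf7dcfccaedebb9e7fc7f2583e6823e93cff9d7345bccc3e": "known sample, 3331976 bytes",
}

# Constructed filter: the page's own list is .exe files plus .dll/.tmp droppings under %TEMP%.
SUFFIXES = (".exe", ".dll", ".tmp")


def digests(path, chunk=1 << 20):
    """Read the file once and return {"md5": ..., "sha1": ..., "sha256": ...}."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def sweep(roots, known=KNOWN_HASHES, suffixes=SUFFIXES):
    """Return [(path, algorithm, digest, label)] for every file whose digest is in `known`.

    Matching on the digest rather than the file name is the point: the table shows
    the same component under several names (RollingPop_E.exe vs RollingPop_E[1].exe).
    """
    hits = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                if not name.lower().endswith(suffixes):
                    continue
                path = os.path.join(dirpath, name)
                try:
                    found = digests(path)
                except OSError:
                    continue  # unreadable or locked; a real sweep would log this
                for algo, digest in found.items():
                    if digest in known:
                        hits.append((path, algo, digest, known[digest]))
                        break
    return hits


if __name__ == "__main__":
    # Roots chosen from the directories this page lists; these variables exist only on Windows.
    roots = [os.environ[v] for v in ("APPDATA", "LOCALAPPDATA", "PROGRAMFILES", "TEMP")
             if v in os.environ]
    for hit in sweep(roots or ["."]):
        print("HIT", *hit)
```

Run it on the affected machine as the user whose profile is suspected, since most of the listed paths sit under %APPDATA% and %LOCALAPPDATA%; a hit on any digest is a strong indicator even when the file has been renamed.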

Registry Details

Adware.KorAd may create the following registry entry or registry entries:
CLSID
{06F5FFD1-C190-40E9-83D4-9A943BB1771C}
{122DB512-8B45-45B4-B2A6-865C803883BD}
{F1A015C9-8106-4120-9D18-21BAEDAB20FF}
Regexp file mask
%allusersprofile%\plugins\wngplog.exe
%APPDATA%\FVPlus\FVPlus.exe
%WINDIR%\mcsmscmw{5,6}.exe
Software\AnCamCorder
Software\AnCamera
Software\Antools
SOFTWARE\Classes\Iekey.iekeybho
SOFTWARE\Classes\Iekey.iekeybho.1
Software\DreamTong
Software\KeywordMap
Software\Microsoft\Internet Explorer\Approved Extensions\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}
Software\Microsoft\Internet Explorer\DOMStorage\ancamera.co.kr
SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}
Software\Microsoft\Windows\CurrentVersion\Run\DtsGuard
Software\Microsoft\Windows\CurrentVersion\Run\DtsMainCon
Software\Microsoft\Windows\CurrentVersion\Run\searchlike
Software\mopop
Software\searchlike
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}
SYSTEM\ControlSet001\services\srvmopop
SYSTEM\ControlSet002\services\srvmopop
SYSTEM\CurrentControlSet\services\srvmopop
AnCamCorder
AnCamera
Antools
Micro OpenPop
searchlike
Windows Internet Explorer Smart Service4.0

Directories

Adware.KorAd may create the following directory or directories:

%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Ahnsoft
%ALLUSERSPROFILE%\netbean
%APPDATA%\DreamTong
%APPDATA%\HipPop
%APPDATA%\IEsearchtool
%APPDATA%\KMPHelper
%APPDATA%\Microadpop
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Ahnsoft
%APPDATA%\MultiCodec
%APPDATA%\Windows NewsGo
%APPDATA%\filedown_new
%APPDATA%\iconmania
%APPDATA%\newgoplus
%APPDATA%\purwa
%APPDATA%\servicehost
%APPDATA%\smartaddress
%APPDATA%\vCodec
%APPDATA%\windoguide
%LOCALAPPDATA%\NewsGo
%LOCALAPPDATA%\Windows BT Icons
%LOCALAPPDATA%\searchlike
%LOCALAPPDATA%\windows mbt icons
%PROGRAMFILES%\AHNSOFT
%PROGRAMFILES%\ISZone
%PROGRAMFILES%\Windows Facilitate
%PROGRAMFILES%\hyperc
%PROGRAMFILES%\windoguide
%PROGRAMFILES(X86)%\AHNSOFT
%PROGRAMFILES(X86)%\ISZone
%PROGRAMFILES(x86)%\Windows Facilitate
%PROGRAMFILES(x86)%\hyperc
%PROGRAMFILES(x86)%\windoguide
%PUBLIC%\InkDiet
%UserProfile%\Local Settings\Application Data\Windows BT Icons
%UserProfile%\Local Settings\Application Data\searchlike
%appdata%\FileDoumi
%appdata%\KeywordMap
%appdata%\MOpop
%appdata%\OutTab
%appdata%\RollingPop
%appdata%\VPro Defender
%appdata%\relatedpop
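The path templates and registry locations in the two sections above can be checked mechanically. What follows is an added example, not code from the page or from the product it describes. It reads the %VAR% templates the way Windows does (variable names compared case-insensitively, so %PROGRAMFILES(X86)% and %PROGRAMFILES(x86)% are the same), treats the "Regexp file mask" entries as ordinary regular expressions in which only the {m,n} quantifier is live (so %WINDIR%\mcsmscmw{5,6}.exe is read as "mcsmscm" followed by five or six "w" characters; every other character, including the path separators, is matched literally), and tests the expanded patterns against file system paths. On a Windows host it also looks for the Run values, the BHO key and the srvmopop service in both the 64-bit and the WOW64 registry views. The page does not say which hive the Run values live in, so both HKCU and HKLM are tried (an assumption); the environment dictionary and sample paths used in testing are constructed.

```python
"""Path-template and registry checks for the indicators listed above (added example)."""
import os
import re

# Subset of the page's "Regexp file mask" and "Directories" entries, copied verbatim.
PATH_IOCS = [
    r"%allusersprofile%\plugins\wngplog.exe",
    r"%APPDATA%\FVPlus\FVPlus.exe",
    r"%WINDIR%\mcsmscmw{5,6}.exe",     # {5,6} read as a regex quantifier: five or six 'w'
    r"%APPDATA%\HipPop",
    r"%APPDATA%\RollingPop",
    r"%LOCALAPPDATA%\searchlike",
    r"%PROGRAMFILES(x86)%\ISZone",
]

# (hives to try, key, value name or None when the key itself is the indicator).
# The page lists the Run values without a hive, so both are tried (assumption).
REGISTRY_IOCS = [
    (("HKCU", "HKLM"), r"Software\Microsoft\Windows\CurrentVersion\Run", "DtsGuard"),
    (("HKCU", "HKLM"), r"Software\Microsoft\Windows\CurrentVersion\Run", "DtsMainCon"),
    (("HKCU", "HKLM"), r"Software\Microsoft\Windows\CurrentVersion\Run", "searchlike"),
    (("HKLM",), r"SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects"
                r"\{F1A015C9-8106-4120-9D18-21BAEDAB20FF}", None),
    (("HKLM",), r"SYSTEM\CurrentControlSet\services\srvmopop", None),
    (("HKCU",), r"Software\searchlike", None),
]

# A template is a sequence of %ENVVAR%s, {m,n} quantifiers kept verbatim, and literal characters.
_TOKEN = re.compile(r"%([^%]+)%|(\{\d+(?:,\d+)?\})|(.)", re.S)


def _norm(path):
    """Backslashes only and no trailing separator, so Windows and POSIX spellings compare alike."""
    return path.replace("/", "\\").rstrip("\\")


def compile_ioc(template, env):
    """Anchored, case-insensitive regex; only the {m,n} quantifiers stay unescaped."""
    upper_env = {k.upper(): _norm(v) for k, v in env.items()}
    parts = []
    for var, quant, ch in _TOKEN.findall(template):
        if var:
            parts.append(re.escape(upper_env[var.upper()]))  # names are case-insensitive on Windows
        elif quant:
            parts.append(quant)
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def match_paths(paths, templates=PATH_IOCS, env=None):
    """Return [(path, template)] for every path that matches an indicator."""
    env = dict(os.environ) if env is None else env
    compiled = []
    for t in templates:
        try:
            compiled.append((t, compile_ioc(t, env)))
        except KeyError:
            continue  # variable undefined on this host, e.g. ProgramFiles(x86) on 32-bit Windows
    return [(p, t) for p in paths for t, rx in compiled if rx.match(_norm(p))]


def scan_tree(roots, templates=PATH_IOCS, env=None):
    """Walk the given roots and test every directory and file path against the templates."""
    seen = []
    for root in roots:
        for dirpath, _, filenames in os.walk(root):
            seen.append(dirpath)
            seen.extend(os.path.join(dirpath, f) for f in filenames)
    return match_paths(seen, templates, env)


def check_registry(iocs=REGISTRY_IOCS):
    """Windows only: return the registry indicators present in either the 64-bit or the WOW64 view."""
    if os.name != "nt":
        return []
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    found = []
    for hive_names, key, value in iocs:
        for hive in hive_names:
            for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
                try:
                    with winreg.OpenKey(hives[hive], key, 0, winreg.KEY_READ | view) as k:
                        if value is not None:
                            winreg.QueryValueEx(k, value)  # raises OSError if the value is absent
                        found.append((hive, key, value))
                        break
                except OSError:
                    continue
    return found


if __name__ == "__main__":
    if os.name == "nt":
        roots = [os.environ[v] for v in ("WINDIR", "APPDATA", "LOCALAPPDATA", "ALLUSERSPROFILE")]
        for hit in scan_tree(roots) + check_registry():
            print("HIT", hit)
    else:
        print("run on the Windows host under test, or call match_paths() with a constructed env")
```

The WOW64 view matters here because the page lists the BHO CLSID under both the native Browser Helper Objects key and its Wow6432Node mirror; opening the key with KEY_WOW64_32KEY from a 64-bit Python is what reaches the latter.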

Analysis Report

General information

Family Name: Adware.KorAd
Signature status: Root Not Trusted

Known Samples

MD5: 0ea77f4f3e7d371fb43dfbc78662f321
SHA1: 18ff57c98a05a6096b12fe1309f1fe6ec3827115
File Size: 1.24 MB, 1241064 bytes
MD5: 042dc7e37bf1614d8acc6f9248f4c174
SHA1: 706d25bae227a7f52d7d411b85bcd05f8d2e77e4
SHA256: FA512E94AEF6B4D679E21ADA759783A6B3349F53DD99F9BBD21015BDCC999079
File Size: 3.72 MB, 3716424 bytes
MD5: 26c1cdb837c4698fe0a10005fc61921e
SHA1: 63c9937335d45b338cb4bbd6bb7874a8fbc8ffa2
SHA256: 4814ADC638071B96BF7DCFCCAEDEBB9E7FC7F2583E6823E93CFF9D7345BCCC3E
File Size: 3.33 MB, 3331976 bytes
MD5: 6c8dc1880824205aa3413ddcbabb7661
SHA1: 33e5610bdd19521e4fd5061d358f90316efca86f
SHA256: E35B9B65BCAF7EABAB2BBA32EF18343D71D4E0F97B631A05A5E8EC3225A7CC79
File Size: 58.12 KB, 58123 bytes
MD5: a9913594c76ad1a89a45b3f47ea21cbe
SHA1: e09165ee0708fb0b75c32ef20d9328032142fe9e
SHA256: 3A64DD95C948A50D54C64C53E10952D7648C4DE520B5BD6D8C4E9A9BC74B49D2
File Size: 4.60 MB, 4604304 bytes
MD5: e0de2f25876c9bedb4d9e1209415db73
SHA1: 30f326813557a8a3efe3259ed5ff2e67b6c98ff5
SHA256: E6B08DDC31147B1F47B9DA3B9A4A4476E15ACD3F0979D3E840D7BF004AC78FE7
File Size: 3.04 MB, 3039712 bytes
MD5: c351b020a2bb034cc91a51a12e8bfdb5
SHA1: 0b9def16f07f8087a9a705c200eb640bca3ab943
SHA256: 80121153C5CBCF770494566814E8D7648831A9742C9410E4CC9CB6613E96A986
File Size: 1.41 MB, 1413024 bytes

Windows Portable Executable Attributes

The attributes below are pooled across the known samples, which is why some pairs contradict each other (an exports table both present and absent, "packed" and "not packed"): each line holds for at least one sample, not for all of them.

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has been packed
  • File has exports table
  • File has TLS information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Comments This installation was built with Inno Setup.
Company Name
  • TODO: <Company name>
  • ㈜드림소프트 (DreamSoft Co., Ltd.)
  • 고클린 (GoClean)
File Description
  • EdgeApp
  • KMPHelper Setup
  • NewsGo Media Inc.
  • SendHomeSetup Module
  • 고클린 (GoClean)
File Version
  • 1.0.0.1
  • 1, 0, 0, 1
Internal Name
  • EdgeApp.exe
  • GoClean.exe
  • newsconf
  • SendHomeSetup
Legal Copyright
  • Copyright (C) 2016 NewsGo Co Ltd.
  • Copyright (c) Goclean. All rights reserved.
  • Copyright 2025
  • TODO: (c) <Company name>. All rights reserved.
Original Filename
  • EdgeApp.exe
  • GoClean.exe
  • NewsConf.exe
  • SendHomeSetup.exe
Product Name
  • KMPHelper
  • SendHomeSetup Module
  • TODO: <Product name>
  • Windows NewsGo
  • 고클린 (GoClean)
Product Version
  • 1.0.0.1
  • 1.0
  • 1, 0, 0, 1

Digital Signatures

Signer                   Root                                                       Status
Media Ground             AAA Certificate Services                                   Root Not Trusted
Irongate Inc             DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1   Self Signed
Media Ground             DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1   Self Signed
THEJMEDIA Co., Ltd.      DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1   Self Signed
드림소프트 (DreamSoft)    thawte Primary Root CA                                     Root Not Trusted

Block Information

Total Blocks: 2,960
Potentially Malicious Blocks: 15
Whitelisted Blocks: 2,803
Unknown Blocks: 142

Visual Map

0 0 0 0 0 0 0 0 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 ? 0 0 0 0 0 0 0 0 1 0 0 0 0 0 x ? 0 ? ? 0 0 0 0 0 0 0 0 0 0 0 ? ? 0 ? ? 0 0 0 ? 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 ? 0 0 ? 0 ? ? 0 ? ? ? ? ? 0 ? 0 0 ? ? ? ? 0 0 0 0 0 0 0 0 0 0 0 0 ? ? ? x ? ? 0 0 0 ? ? 1 ? ? ? 0 0 ? 0 ? ? ? ? ? ? x ? ? 0 x ? ? ? ? ? ? ? ? 0 ? ? ? ? ? ? 0 ? 0 ? ? ? ? ? ? 0 ? ? 0 ? 0 ? 0 ? ? 0 ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? ? 0 ? ? 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 ? 0 0 0 0 0 ? ? ? ? ? 0 0 0 0 0 0 0 0 0 ? 0 0 ? ? ? 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 ? 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 x x 0 0 0 0 0 x x 0 0 0 0 0 0 0 ? ? 0 0 0 ? ? ? ? ? ? 0 0 0 0 0 ? ? ? ? ? ? ? 0 0 ? 0 ? 0 ? ? ? ? 0 ? x ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 2 0 0 0 0 0 0 0 0 1 0 0 0 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 1 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 1 0 0 0 1 1 1 0 0 0 1 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 2 0 2 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 2 0 0 2 2 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 0 0 0 1 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 2 2
... Data truncated
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Agent.AITA
  • Agent.FRFD
  • Farfli.NB
  • Lotok.F
  • OpenSUpdater.TD
  • PC Accelerator.H
  • Rugmi.GI

Files Modified

File    Attributes (access rights requested)
c:\users\user\appdata\local\temp\is-iffom.tmp\e09165ee0708fb0b75c32ef20d9328032142fe9e_0004604304.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-p9qcq.tmp\_isetup\_setup64.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\nsu3d44.tmp\dllwaitforkillprogram.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsu3d44.tmp\dllweb.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsu3d44.tmp\iefunctions.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsu3d44.tmp\killprocdll.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\~nsu.tmp\au_.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144

Registry Modifications

Key::Value    Data    API name
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\content::cacheprefix RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\cookies::cacheprefix Cookie: RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\history::cacheprefix Visited: RegNtPreCreateKey
HKCU\software\newsgo::installparam RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Zkiqkhky\AppData\Local\Temp\~nsu.tmp\Au_.exe RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Zkiqkhky\AppData\Local\Temp\~nsu.tmp\Au_.exe\??\C:\Users\Zkiqkhky\AppData\Local\Temp\~nsu.tmp RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKCU\software\goclean\30f326813557a8a3efe3259ed5ff2e67b6c98ff5_0003039712\goclean::recentexectime 2025.11.19 RegNtPreCreateKey

Windows API Usage

Category API
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
User Data Access
  • GetComputerNameEx
  • GetUserObjectInformation
Other Suspicious
  • AdjustTokenPrivileges
  • SetWindowsHookEx
Network Urlmon
  • URLDownloadToFile
Syscall Use
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtClose
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • win32u.dll!NtUserGetKeyboardLayout
  • win32u.dll!NtUserGetThreadState
Process Shell Execute
  • CreateProcess
Keyboard Access
  • GetKeyState
Network Winsock2
  • WSAStartup
Network Winsock
  • bind
  • connect
  • gethostbyname
  • inet_addr
  • recv
  • send
  • setsockopt
  • socket

Shell Command Execution

Three launch patterns appear: rundll32 invoking a named export of a downloaded file; Au_.exe started from ~nsu.tmp with the _?= argument, which is the NSIS uninstaller stub and accounts for the ~nsu.tmp entries under Files Modified and the PendingFileRenameOperations value under Registry Modifications; and an Inno Setup installer relaunching its unpacked copy from a %TEMP%\is-*.tmp directory with /SL5=.

C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\706d25bae227a7f52d7d411b85bcd05f8d2e77e4_0003716424.,LiQMAxHB
"C:\Users\Zkiqkhky\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=c:\users\user\downloads\
"C:\Users\Uufsxwpm\AppData\Local\Temp\is-IFFOM.tmp\e09165ee0708fb0b75c32ef20d9328032142fe9e_0004604304.tmp" /SL5="$4018E,4204966,121856,c:\users\user\downloads\e09165ee0708fb0b75c32ef20d9328032142fe9e_0004604304"
