Adware.MSIL.Dotdo.AD

By CagedTech in Adware

Threat Scorecard

Threat Level: 20 % (Normal)
Infected Computers: 38
First Seen: May 12, 2021
Last Seen: February 23, 2026
OS(es) Affected: Windows

Analysis Report

General information

Family Name: Adware.MSIL.Dotdo.AD
Signature status: No Signature

Known Samples

Sample 1
  MD5: eba4bd4f998273307fc6f69aa5f21bd8
  SHA1: bf7a0d4530af51b63f3dff5533fa71a6c824273e
  SHA256: 45D58F27248F7DF60F9B14D6483E201E82D5896258E27560C6A7420B70E0781D
  File Size: 4.61 KB (4608 bytes)

Sample 2
  MD5: d59e527d64571df05da4bd6b1b512066
  SHA1: b30205058b712edb34d539246fc7910f1d39d519
  SHA256: E6C907CD768DF08F814D0D7B9515419B5086F7080307D2C79140A5C856B7B7F9
  File Size: 62.73 KB (62732 bytes)

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File is .NET application
  • File is 32-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Assembly Version: 3.4.9.83
File Description: ConsoleApplication1
File Version: 3.4.9.83
Internal Name: ConsoleApplication1.exe
Original Filename: ConsoleApplication1.exe
Product Version: 3.4.9.83

File Traits

  • .NET
  • Default Version Info
  • x86

Files Modified

Path  Access mask
c:\users\user\appdata\local\temp\nsra767.tmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsra767.tmp\kfnkj.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsra767.tmp\kfnkj.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsra767.tmp\kfnkj.exe.config Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsra767.tmp\kfnkj.exe.config Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsra767.tmp\zigcvaenlews.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsra767.tmp\zigcvaenlews.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsra767.tmp\zigcvaenlews.exe.config Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsra767.tmp\zigcvaenlews.exe.config Synchronize,Write Attributes

Registry Modifications

Key::Value  Data  API name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 튥ꌵǜ RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations *1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old122e4*1\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old12352*1\??\C:\P RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 RegNtPreCreateKey

Windows API Usage

Category / API
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • UNKNOWN
User Data Access
  • GetUserObjectInformation
Anti Debug
  • IsDebuggerPresent
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ZwMapViewOfSection
Process Shell Execute
  • ShellExecuteEx
Process Terminate
  • TerminateProcess

Shell Command Execution

(NULL) "C:\Users\Atvxmbst\AppData\Local\Temp\nsrA767.tmp\zigcvaenlews.exe" "http://www.winfreycmh.PW/ee/64836224?3544456f3544456=1649378869081505400=1- 5283"