CrossRider

Threat Scorecard

Popularity Rank: 1,010
Threat Level: 10 % (Normal)
Infected Computers: 702,633
First Seen: August 14, 2013
Last Seen: February 2, 2026
OS(es) Affected: Windows

CrossRider Web Apps is a Potentially Unwanted Program (PUP) that should be removed as quickly as possible with the help of a strong, up-to-date security program. Malware analysts have heard from PC users whose security programs detected CrossRider and flagged it as potentially problematic. PCs affected by CrossRider Web Apps may slow down, crash, freeze and show other symptoms. Computer users also may notice that their Web browser behaves abnormally and that unrecognized components are present on their computers. PC security analysts have observed that CrossRider may interfere with other Web browser add-ons on an affected computer. It is also notable that CrossRider may be difficult to remove: users who try to remove it as they would any other Web browser extension may run into difficulties. Removing CrossRider may require special measures and the use of a security program that is fully up-to-date.

CrossRider and Similar Problematic Web Browser Add-Ons

PUPs may not be as destructive or severe as threats. However, most PUPs (CrossRider included) may cause symptoms that are usually associated with threats. For example, CrossRider may cause pop-up advertisements, Web browser redirects and performance issues on the computers it affects. There are many ways in which PUPs may spread, including typical threat distribution methods. However, the main way in which PUPs like CrossRider are distributed is by bundling them with other software. In most cases, CrossRider will be bundled with freeware or shareware from questionable sources, but in some cases CrossRider may be bundled with legitimate software that is being installed from a different installer or download source.

Problems Associated with CrossRider and Other PUPs

As soon as CrossRider is installed, it may make changes to your Web browser settings. PC security analysts have noted that CrossRider may cause performance issues, such as making the affected Web browser crash, slow down or freeze. PUPs like CrossRider also may prevent other add-ons installed on the affected computer from functioning properly. Malware researchers have observed that CrossRider may be bundled along with numerous other PUPs which, taken together, may greatly tax your computer's resources. For these reasons, PC security analysts strongly recommend dealing with CrossRider and similar PUPs as soon as possible.

How to Deal with CrossRider

If CrossRider is installed on your computer, malware analysts advise using a known security program that is both fully up-to-date and capable of removing PUPs. In many cases, security software may fail to detect PUPs, since these programs may be geared towards more severe threats, such as worms, Trojans, viruses and rootkits. As a result, many threat developers have shifted their efforts towards producing PUPs like CrossRider rather than full-blown threat infections, which may yield substantial profits from advertising and affiliate marketing tactics. In most cases, computer users may find it difficult to remove CrossRider using their Web browser's extension or add-on manager. However, CrossRider and similar PUPs may be removed using the Add or Remove Programs option in the Windows Control Panel. Even after removing CrossRider, it may be necessary to undo any unwanted changes CrossRider made to your Web browser settings. For example, PC users may need to manually revert the default search engine and homepage that CrossRider changed. After removing CrossRider, PC security analysts recommend using a strong anti-malware program that is fully up-to-date to perform a full scan of the affected computer. This step is crucial to ensure that CrossRider has not allowed other PUPs or more severe threats to enter and affect the victim's computer.
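As an added example (not from the original page and not a vendor tool), the following PowerShell script checks whether any of the registry keys and directories listed in the Registry Details and Directories sections of this page still exist, so that leftovers can be confirmed after the Control Panel uninstall. It is read-only and deletes nothing; it assumes it runs in the affected user's session, elevated if HKLM and Program Files are to be checked.

```powershell
# Added example, not part of the original page or of any security vendor's tooling.
# Read-only inventory of the CrossRider leftovers this page lists under "Registry Details"
# and "Directories", so the Control Panel uninstall can be verified. Nothing is deleted.
# Assumptions: run in the affected user's session; elevate to see HKLM and Program Files.

# Registry sub-key paths copied from the page. The page lists them without a hive,
# so each one is checked under both HKCU and HKLM.
$RegistrySubKeys = @(
    'Software\Crossrider',
    'Software\Cr_Installer',
    'Software\AppDataLow\Software\Crossrider',
    'Software\ArenaHD',
    'Software\HD4Good',
    'Software\HighDefAction',
    'Software\MediaPlayRS3',
    'Software\MedPlayvidV3.1',
    'Software\MyBrowser 1.0.2V31.10',
    'Software\OpedBrowsrVersion5-nv',
    'Software\OpedBrowsrVersion5-nv-ie',
    'Software\YorkNewCin',
    'Software\Cinema_Plus-1.2V21.07',
    'Software\InstalledBrowserExtensions',
    'Software\Wow6432Node\Crossrider',
    'Software\Wow6432Node\AppDataLow\Software\Crossrider',
    'Software\Wow6432Node\InstalledBrowserExtensions'
)
$Hives = @('HKCU', 'HKLM')

# Directory names copied from the page's "Directories" list; each one is expanded under
# every Program Files root present on the machine (64-bit hosts have two).
$ProgramDirNames = @(
    'CrossriderWebApps', 'BrowsrPlus4', 'MedPlayvidV3.1', 'MyBrowser 1.0.2V31.10',
    'OpedBrowsrVersion5', 'HQVidual2y-v2.5V11.11', '48 dresses', 'compare for fun',
    'dr games', 'dress4u', 'ext coupons', 'fun coupons', 'helper king',
    'shopping blast', 'web disco', 'winter web'
)
# ${env:ProgramFiles(x86)} is empty on 32-bit Windows, so empty roots are filtered out.
$ProgramRoots = @(@($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ })
$UserDataDirs = @((Join-Path $env:LOCALAPPDATA 'download balance'))

function Get-CrossRiderArtifacts {
    # Returns one object per artifact that still exists, tagged with its type.
    $found = New-Object System.Collections.Generic.List[object]

    foreach ($hive in $Hives) {
        foreach ($subKey in $RegistrySubKeys) {
            $keyPath = "${hive}:\$subKey"
            if (Test-Path -LiteralPath $keyPath) {
                $found.Add([pscustomobject]@{ Type = 'RegistryKey'; Path = $keyPath })
            }
        }
    }

    $candidateDirs = foreach ($root in $ProgramRoots) {
        foreach ($name in $ProgramDirNames) { Join-Path $root $name }
    }
    foreach ($dir in (@($candidateDirs) + $UserDataDirs)) {
        if (Test-Path -LiteralPath $dir -PathType Container) {
            $found.Add([pscustomobject]@{ Type = 'Directory'; Path = $dir })
        }
    }
    return ,$found
}

$artifacts = Get-CrossRiderArtifacts
if ($artifacts.Count -eq 0) {
    Write-Output 'No CrossRider registry keys or directories from this page were found.'
} else {
    $artifacts | Format-Table -AutoSize
    Write-Output "$($artifacts.Count) artifact(s) remain; uninstall via Control Panel, then rescan."
}
```

A hit under HKLM or Program Files after the uninstall means the entry was not cleaned up by the installer's own remover and should be handled by an up-to-date anti-malware scan, as the text above recommends.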

Although a significant portion of the computers infected by CrossRider run Windows, it is important to note that the adware has a separate version for Mac devices. The Mac version serves the same purpose, but it has some extra features that are used to get around the security features of OS X. The adware family also is known under the aliases Crossrider and SurfBuyer. However, apart from serving as adware, the CrossRider application also may take part in more suspicious behavior. The CrossRider tool is capable of spawning a bogus login prompt. The operators of the CrossRider application use this feature to collect the user's login credentials. Fortunately, the authors of the CrossRider tool do not use the collected credentials to carry out an unsafe operation. However, they use the collected credentials to plant additional components on the user's Mac without their knowledge or consent. This is not normal behavior that any genuine application would engage in. However, the adware could be modified to inject harmful payloads into the compromised system, which would make it far more threatening.

Users whose system is running OS X 10.11 or above will see the CrossRider application display the fraudulent login prompt mentioned above to gather their administrator credentials and then plant new components on the computer. According to reports, among these new components is a bogus copy of the Safari Web browser that has a variety of add-ons installed on it. The browser extensions in question serve to spawn advertisements whenever the user is browsing the Web. To avoid raising suspicion, the fake variant of the Safari Web browser replaces the original version in all the menus on the system. However, users who are running versions of OS X older than 10.10 will not see the bogus prompt. Instead of spawning the fake prompt, the CrossRider application runs a script named 'install.sh'. This script serves to modify the active extensions present in the Safari and Google Chrome Web browsers. The CrossRider program does this in the background to avoid raising red flags. The CrossRider application may end up collecting information from the infected computer, such as the IP address, OS version, Web browser version, username, and the list of applications present on the user's Mac. The CrossRider program also can detect the version of the security tools on the Mac.

The CrossRider application is clearly not just regular adware. Make sure that your Mac is protected by a reputable anti-virus tool that will keep your machine and your data safe.

Aliases

15 security vendors flagged this file as malicious.

Antivirus Vendor Detection
AVG Crossrider.WFB
Panda Trj/Genetic.gen
Antiy-AVL Trojan[Downloader:HEUR]/Win32.AGeneric
Fortinet W32/AppRider.CT
McAfee-GW-Edition BehavesLike.Win32.ShopperPro.th
Sophos AppRider (PUA)
Kaspersky not-a-virus:HEUR:AdWare.Win32.CrossRider.gen
ClamAV Win.Trojan.Troldesh-2
Symantec Trojan.Gen.2
F-Prot W32/S-d60a457c!Eldorado
McAfee Artemis!DC24DF79A82D
Fortinet Riskware/CrossRider
McAfee Artemis!7016A5D74459
AhnLab-V3 PUP/Win32.CrossRider
F-Secure Gen:Variant.Adware.Mikey

File System Details

CrossRider may create the following file(s):
# File Name MD5 Detections
1. DCytaiesmt_smtyc_setup.exe ea0ca98847dc1a403ffec3be116e8b2f 3,135
2. 2cac6850-ffcf-4e74-a8a7-4b644c0a229f-1-6.exe 4b9ec41cadd5b9b6def12fbdeb4cb95a 1,579
3. 2cac6850-ffcf-4e74-a8a7-4b644c0a229f-1-7.exe fafb2ae235f914d74044af7aa31831f4 1,392
4. cf2f0c60-8b09-4897-ab0e-5643a89cf068-1-6.exe eadc29cedbb6bf00e84ae866c637f9bf 776
5. w3NjmMN5jwhw9pYvby.exe 3a1d89b89c9d62951957f0839578dd9b 773
6. 4fa2116b-e112-49ed-9d9c-a5989d8ac246-1-6.exe 79d5efe13857da28a0f4ec1738ed002c 642
7. cf2f0c60-8b09-4897-ab0e-5643a89cf068-1-7.exe 40980117fd3fd681dc6306816eba07db 612
8. 2cac6850-ffcf-4e74-a8a7-4b644c0a229f-5.exe 7bf342d7a2fe1f5a1cc03a87e8606f62 538
9. 2ae81b89-e7fe-4ba1-8c55-04e02cb19118-1-6.exe 3f52805670502af0b57a04d1dc9eefc8 534
10. 2cac6850-ffcf-4e74-a8a7-4b644c0a229f-6.exe 202d0e52dcc36fba2ff8c73d10218c49 532
11. 2cac6850-ffcf-4e74-a8a7-4b644c0a229f-10.exe 556bf18a659978b748cb5a3404ccac41 505
12. WMo6KeWiTVRt1VLTZ5v.exe 1bcc1f03714c5734db3e02eaca0e07e6 466
13. c4YZaBBAZ8u5FRuWDcsj.exe ab6818a7ff17230a6e5119f6cdd1f85b 333
14. j2soiQ34cnwW0 fe8abceb645d8571b81c599d18846ae3 316
15. shopperamaisdabest_helper_service.exe 7057bd7392002f0522aec901d92bcb3d 307
16. 9f16ff19-5066-4529-83c9-5ba1bafb0295-3.exe 69d16d185e7d0abfa4782c37ee51dfbc 199
17. 9f16ff19-5066-4529-83c9-5ba1bafb0295-4.exe 6a332a302128ad2952bcf760dd0fde8f 193
18. 31bcb83d-30ea-44b4-ad08-0311a30b4210-12.exe 2eaada9912138acd7374b8d549cdf295 79
19. ff8b367c-d6dc-48e6-9f3a-ceec62f7c5eb-12.exe edac749b875141edd94be72f57a444da 70
20. 388e1ece-aa85-4c5e-970f-40347719777e-12.exe ea98a95e48f6ebb77613718875e4d6de 53
21. ipMpK2Wj.exe c6d6a6d0267d124cb8d5076b9672fd28 12
22. JG.exe 05eccfb9cbbd401a115b4b44fa453d92 7
23. CCKxnhguMk.exe c7c516caad688d159d293d439ec5d426 6
24. DCnsq681F.tmp d7982f444bbe30ea82a8805d207aa1bd 5
25. kong_games_notification_service.exe b03fb6166e87328e5c8348b7986263e0 2
26. kong_games_updating_service.exe 3245cf5a3996ae901336dd286e555d9e 2
27. hosts-bho.dll 153c17029119f51589baa333e4a4fa1e 2
28. dk.exe da23bdd9c13d7fae63f720a1185a93b6 1
29. hosts-bg.exe 33fa2184f8cbe1325a5cc699873d0d45 1

Registry Details

CrossRider may create the following registry entry or registry entries:
File name without path
https_d19tqk5t6qcjac.cloudfront.net_0.localstorage
https_d19tqk5t6qcjac.cloudfront.net_0.localstorage-journal
SOFTWARE\_CrossriderRegNamePlaceHolder_
SOFTWARE\AppDataLow\Software\_CrossriderRegNamePlaceHolder_
Software\AppDataLow\Software\Crossrider
Software\ArenaHD
SOFTWARE\Cinema_Plus-1.2V21.07
Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\_CrossriderRegNamePlaceHolder_
Software\Cr_Installer
Software\Crossrider
SOFTWARE\HD4Good
SOFTWARE\HighDefAction
Software\InstalledBrowserExtensions\215 Apps
Software\InstalledBrowserExtensions\32846
Software\InstalledBrowserExtensions\34087
Software\InstalledBrowserExtensions\App+Service
Software\InstalledBrowserExtensions\BrowserAppSPlus
Software\InstalledBrowserExtensions\Buca Apps
Software\InstalledBrowserExtensions\NewPlayerVideo+
SOFTWARE\MediaPlayRS3
SOFTWARE\MedPlayvidV3.1
SOFTWARE\MyBrowser 1.0.2V31.10
SOFTWARE\OpedBrowsrVersion5-nv
SOFTWARE\OpedBrowsrVersion5-nv-ie
SOFTWARE\Wow6432Node\AppDataLow\Software\Crossrider
SOFTWARE\Wow6432Node\ArenaHD
SOFTWARE\Wow6432Node\Cinema_Plus-1.2V21.07
SOFTWARE\Wow6432Node\Crossrider
SOFTWARE\Wow6432Node\HD4Good
SOFTWARE\Wow6432Node\HighDefAction
SOFTWARE\Wow6432Node\InstalledBrowserExtensions\32846
SOFTWARE\Wow6432Node\InstalledBrowserExtensions\34087
SOFTWARE\Wow6432Node\MediaPlayRS3
SOFTWARE\Wow6432Node\MedPlayvidV3.1
SOFTWARE\Wow6432Node\MyBrowser 1.0.2V31.10
SOFTWARE\Wow6432Node\YorkNewCin
Software\YorkNewCin
Cinema_Plus-1.2V21.07
HD4Good
MediaPlayerVid2.4
MediaPlayRS3
MedPlayvidV3.1
MyBrowser 1.0.2V31.10

Directories

CrossRider may create the following directory or directories:

%LOCALAPPDATA%\download balance
%PROGRAMFILES%\48 dresses
%PROGRAMFILES%\BrowsrPlus4
%PROGRAMFILES%\CrossriderWebApps
%PROGRAMFILES%\MedPlayvidV3.1
%PROGRAMFILES%\MyBrowser 1.0.2V31.10
%PROGRAMFILES%\compare for fun
%PROGRAMFILES%\dr games
%PROGRAMFILES%\dress4u
%PROGRAMFILES%\ext coupons
%PROGRAMFILES%\fun coupons
%PROGRAMFILES%\helper king
%PROGRAMFILES%\shopping blast
%PROGRAMFILES%\web disco
%PROGRAMFILES%\winter web
%PROGRAMFILES(X86)%\MedPlayvidV3.1
%PROGRAMFILES(X86)%\MyBrowser 1.0.2V31.10
%PROGRAMFILES(x86)%\48 dresses
%PROGRAMFILES(x86)%\CrossriderWebApps
%PROGRAMFILES(x86)%\HQVidual2y-v2.5V11.11
%PROGRAMFILES(x86)%\compare for fun
%PROGRAMFILES(x86)%\dr games
%PROGRAMFILES(x86)%\dress4u
%PROGRAMFILES(x86)%\ext coupons
%PROGRAMFILES(x86)%\fun coupons
%PROGRAMFILES(x86)%\helper king
%PROGRAMFILES(x86)%\shopping blast
%PROGRAMFILES(x86)%\web disco
%PROGRAMFILES(x86)%\winter web
%programfiles%\OpedBrowsrVersion5

URLs

CrossRider may call the following URLs:

app.gencloudex.com/static
crossriderManifest
crossriderapp

Analysis Report

General information

Family Name: PUP.CrossRider
Signature status: Self Signed

Known Samples

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has been packed
  • File has exports table
  • File has TLS information
  • File is .NET application
  • File is 32-bit executable
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Assembly Version
  • 0.0.9492.30569
  • 0.0.9120.28821
  • 0.0.8522.2260
Comments
  • Open Rails NewYear MG Transport Simulator
  • Open Rails Transport Simulator
Company Name
  • browser
  • Browser
  • Cinema HDV30.12
  • Cinema ProV01.01
  • CinPlusV19.12
  • DiscountFrenzy
  • Europa Casino
  • HDuality-V2.5V19.12
  • Hpchq
  • HQ-VideoV25.12
  • Microsoft Corporation
  • Open Rails
  • Playtech
  • Qwerty
  • Titanbet.it Casino
  • Tpczrxtwlf
  • Webby
File Description
  • Browser-AppsEd2.2 exe
  • BrowsersApp_Pro_v1.1 exe
  • CinemaHd For Pro 2.4cV01.01 exe
  • CinemaHd For Pro 2.4cV30.12 exe
  • CinPlus-2.4cV19.12 exe
  • Direct3D HLSL Compiler for Redistribution
  • Europa Casino Installer
  • Expekt Poker
  • HDQuality-V2.5V19.12 BHO
  • Hkgtl
  • HQ-Video-Pro-2.1cV25.12 exe
  • I - Cinema exe
  • iWebar BHO
  • Lgjclmruwolhm
  • Open Rails Activity Runner
  • Titanbet.it Casino Installer
  • TornPlusTV_version1.11 exe
  • Xfaggu
  • Zfmevbyelc
File Version
  • 1000.1000.1000.1000
  • 23.4.12.2
  • 14.2.8.9
  • 10.0.20348.1 (WinBuild.160101.0800)
  • 9.4.20.0
  • 1.1.1.35
  • 1.1.1.32
  • 1.1.1.1
  • 1.0.0.0
  • 0.0.9492.30569
  • 0.0.9120.28821
  • 0.0.8522.2260
Internal Name
  • Browser-AppsEd2.2
  • BrowsersApp_Pro_v1.1
  • CasinoDownloader2
  • CinemaHd For Pro 2.4cV01.01
  • CinemaHd For Pro 2.4cV30.12
  • CinPlus-2.4cV19.12
  • d3dcompiler_47.dll
  • HDQuality-V2.5V19.12
  • HQ-Video-Pro-2.1cV25.12
  • I - Cinema
  • iWebar
  • RunActivity.exe
  • TornPlusTV_version1.11
Legal Copyright
  • Copyright (C) 2001-2009 Playtech
  • Copyright 2011
  • Copyright 2014
  • Copyright 2016
  • Copyright © 2009 - 2019
  • Copyright © 2009 - 2022
  • Copyright © 2009 - 2022 Open Rails
  • Enamdkzkwt
  • Ymqctsy
  • © Microsoft Corporation. All rights reserved.
Original Filename
  • Browser-AppsEd2.2.exe
  • BrowsersApp_Pro_v1.1.exe
  • CasinoDownloader2.exe
  • CinemaHd For Pro 2.4cV01.01.exe
  • CinemaHd For Pro 2.4cV30.12.exe
  • CinPlus-2.4cV19.12.exe
  • d3dcompiler_47.dll
  • HDQuality-V2.5V19.12.dll
  • HQ-Video-Pro-2.1cV25.12.exe
  • I - Cinema.exe
  • iWebar.dll
  • RunActivity.exe
  • TornPlusTV_version1.11.exe
Product Name
  • Browser-AppsEd2.2
  • BrowsersApp_Pro_v1.1
  • CinemaHd For Pro 2.4cV01.01
  • CinemaHd For Pro 2.4cV30.12
  • CinPlus-2.4cV19.12
  • Europa Casino
  • HDQuality-V2.5V19.12
  • HQ-Video-Pro-2.1cV25.12
  • I - Cinema
  • iWebar
  • Microsoft® Windows® Operating System
  • Open Rails
  • Open Rails FR
  • Open Rails NewYear MG
  • Playtech Software Installer
  • Titanbet.it Casino
  • TornPlusTV_version1.11
  • Wptmtrpoi
  • Ykczvshgaqeeho
Product Version
  • 1000.1000.1000.1000
  • 10.0.20348.1
  • 9.4.20.0
  • 2.0.0.2
  • 0.1.3
  • 0.0.9492.30569+96c68f8244156390b66a220094be59a73f27c627
  • 0.0.9120.28821

Digital Signatures

Signer | Root | Status
Red Sky Sp. z o.o. | DigiCert Assured ID Code Signing CA-1 | Hash Mismatch
Playtech PLC | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | Self Signed
Digit Network (Extreme White Limited) | Digit Network (Extreme White Limited) | Self Signed
Microsoft Corporation | Microsoft Code Signing PCA 2010 | Self Signed
PLAYTECH LIMITED | PLAYTECH LIMITED | Self Signed
Robokid Technologies | Robokid Technologies | Self Signed
VASSANA KONGSOONGNERN | Thawte Code Signing CA - G2 | Self Signed
Airplane Networks (BrightCircle Investments Limited) | UTN-USERFirst-Object | Root Not Trusted
Armageddon Labs (BrightCircle Investments Limited) | UTN-USERFirst-Object | Root Not Trusted
Berta Dress Apps (Bright Circle Investments Ltd) | UTN-USERFirst-Object | Root Not Trusted
ColoColo Apps (Bright Circle Investments Ltd) | UTN-USERFirst-Object | Root Not Trusted
Kimahri Software inc. | UTN-USERFirst-Object | Root Not Trusted
Morgan Enter Mode | UTN-USERFirst-Object | Root Not Trusted
Motoko Group | UTN-USERFirst-Object | Root Not Trusted
Numlock Apps | UTN-USERFirst-Object | Root Not Trusted
PLAYTECH LIMITED | VeriSign Class 3 Code Signing 2004 CA | Root Not Trusted
Playtech PLC | VeriSign Class 3 Public Primary Certification Authority - G5 | Root Not Trusted

File Traits

  • .NET
  • dll
  • HighEntropy
  • x64
  • x86

Block Information

Total Blocks: 3,009
Potentially Malicious Blocks: 871
Whitelisted Blocks: 1,686
Unknown Blocks: 452

Similar Families

  • CrossRider.B
  • CrossRider.C
  • CrossRider.D
  • CrossRider.EB
  • Dofoil.F

Files Modified

File Attributes
c:\end Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsa592e.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsb5cd7.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsd5565.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsde94d.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nse4861.tmp\banner.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nse4861.tmp\inetc.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nse4861.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsf58ff.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsf594e.tmp\avg.htm Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsf594e.tmp\complist.txt Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsf594e.tmp\dag Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsf594e.tmp\inetc3.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsf594e.tmp\load_0.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsf594e.tmp\nsprocess.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsf594e.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsf6c6.tmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsf6c6.tmp\fallbackfiles Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsf6c6.tmp\internal0e8eb7eba180b95c98f48f270263193252db9bdc_0000942096.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsf6c6.tmp\internal0e8eb7eba180b95c98f48f270263193252db9bdc_0000942096.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsf6c6.tmp\internal0e8eb7eba180b95c98f48f270263193252db9bdc_0000942096_icon.ico Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsf6c6.tmp\internal0e8eb7eba180b95c98f48f270263193252db9bdc_0000942096_icon.ico Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsf6c6.tmp\internal0e8eb7eba180b95c98f48f270263193252db9bdc_0000942096_splash.png Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsf6c6.tmp\internal0e8eb7eba180b95c98f48f270263193252db9bdc_0000942096_splash.png Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsf6c6.tmp\stdutils.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsf6c6.tmp\stdutils.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsfbb5a.tmp\installerutils.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsfbb5a.tmp\installerutils2.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsfbb5a.tmp\md5dll.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsfbb5a.tmp\nsisos.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsfbb5a.tmp\stdutils.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsfbb5a.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsfbb5a.tmp\userinfo.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsh5f68.tmp\nsislog.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsh5f68.tmp\stdutils.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsh5f68.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nshb32b.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nshb32c.tmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nshb32c.tmp\nktwbqcj.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nshb32c.tmp\nktwbqcj.tmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nshb32c.tmp\ssoys.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nshb32c.tmp\ssoys.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nshb32c.tmp\stdutils.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nshb32c.tmp\stdutils.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nshb32c.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nshb32c.tmp\system.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nshb32c.tmp\wrapperutils.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nshb32c.tmp\wrapperutils.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsj5576.tmp\banner.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsj5576.tmp\eula.rtf Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsj5576.tmp\inetc.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsj5576.tmp\nsdialogs.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsj5576.tmp\nsrichedit.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsj5576.tmp\slides\installer_screen_cut1.png Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsj5576.tmp\slides\installer_screen_cut2.png Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsj5576.tmp\slides\installer_screen_cut3.png Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsj5576.tmp\slides\slides.dat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsj5576.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsk591f.tmp\pntixvfvyr.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsk591f.tmp\qtmfoybvc.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsk591f.tmp\stdutils.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsk591f.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsk591f.tmp\wrapperutils.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nskba8d.tmp\banner.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nskba8d.tmp\eula.rtf Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nskba8d.tmp\inetc.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nskba8d.tmp\nsdialogs.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nskba8d.tmp\nsrichedit.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nskba8d.tmp\slides\installer_screen_cut1.png Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nskba8d.tmp\slides\installer_screen_cut2.png Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nskba8d.tmp\slides\installer_screen_cut3.png Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nskba8d.tmp\slides\slides.dat Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nskba8d.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nso4860.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsp6b5.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsq68ae.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsqbb3a.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsr5ce8.tmp\mskrb.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsr5ce8.tmp\stdutils.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsr5ce8.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsr5ce8.tmp\wrapperutils.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsr5ce8.tmp\xngvgtmsqefe.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nss52c6.tmp\nyrlrnmjpfvz.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nss52c6.tmp\stdutils.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nss52c6.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nss52c6.tmp\wrapperutils.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nss52c6.tmp\xppiibkbmks.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nste94e.tmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nste94e.tmp\fallbackfiles Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nste94e.tmp\internal745c64db0995b6696aff4cf39bd779807226d192_0000962040.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nste94e.tmp\internal745c64db0995b6696aff4cf39bd779807226d192_0000962040.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nste94e.tmp\internal745c64db0995b6696aff4cf39bd779807226d192_0000962040_icon.ico Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nste94e.tmp\internal745c64db0995b6696aff4cf39bd779807226d192_0000962040_icon.ico Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nste94e.tmp\internal745c64db0995b6696aff4cf39bd779807226d192_0000962040_splash.png Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nste94e.tmp\internal745c64db0995b6696aff4cf39bd779807226d192_0000962040_splash.png Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nste94e.tmp\stdutils.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nste94e.tmp\stdutils.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsuba7c.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsw68cf.tmp\installerutils.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsw68cf.tmp\nsislog.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsw68cf.tmp\stdutils.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsw68cf.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsx5287.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsx5f48.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\plus-hd-1.6installer_1755675007.log Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\plus-hd-1.6installer_1755675007.log Generic Write,Read Attributes
c:\users\user\appdata\local\temp\plus-hd-4.4installer_1757985976.log Generic Read,Write Data,Write Attributes,Write extended,Append data

Registry Modifications

Key::Value Data API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\software\wow6432node\tempo:: tempo RegNtPreCreateKey
HKLM\software\classes\appid\{c007dadd-132a-624c-088e-59ee6cf0711f}::id0  % RegNtPreCreateKey
HKCU\software\1clickdownload::uid 319481074 RegNtPreCreateKey
HKCU\software\1clickdownload::lastinstall0 1hy RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Idhcbivd\AppData\Local\Temp\nshB32C.tmp\ RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Giupczzc\AppData\Local\Temp\nsf6C6.tmp\ RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\content::cacheprefix RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\cookies::cacheprefix Cookie: RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\history::cacheprefix Visited: RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\currentversion\appcontainer\storage\windows_ie_ac_001\software\hdquality-v2.5v19.12::activeappid 0 RegNtPreCreateKey
HKCU\software\appdatalow\software\hdquality-v2.5v19.12::activeappid 0 RegNtPreCreateKey
HKCU\software\appdatalow\software\allyrics-1\log::74a93f8557b0707b68ba6ca4e5cbb92a898362b8_000040 RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations *1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old5af52*1\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old5af62*1\??\C:\P RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\currentversion\appcontainer\storage\windows_ie_ac_001\software\iwebar::activeappid 0 RegNtPreCreateKey
HKCU\software\appdatalow\software\iwebar::activeappid 0 RegNtPreCreateKey

Windows API Usage

Category API
Network Wininet
  • HttpOpenRequest
  • HttpQueryInfo
  • HttpSendRequest
  • InternetConnect
  • InternetOpen
  • InternetQueryOption
  • InternetReadFile
  • InternetSetOption
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
  • OutputDebugString
User Data Access
  • GetComputerNameEx
  • GetUserDefaultLocaleName
  • GetUserObjectInformation
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ReadProcessMemory
Process Shell Execute
  • CreateProcess
  • ShellExecuteEx
Network Info Queried
  • GetAdaptersInfo
Network Winhttp
  • WinHttpOpen
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreateResourceReserve
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcQueryInformationMessage
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtAlpcSetInformation
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreatePrivateNamespace
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtPowerInformation
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationJobObject
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • UNKNOWN
  • win32u.dll!NtGdiBitBlt
  • win32u.dll!NtGdiCreateBitmap
  • win32u.dll!NtGdiCreateCompatibleDC

45 additional items are not displayed above.

Network Urlmon
  • URLDownloadToFile
Encryption Used
  • BCryptOpenAlgorithmProvider

Shell Command Execution

"C:\Users\Idhcbivd\AppData\Local\Temp\nshB32C.tmp\Ssoys.exe"
"C:\Users\Nejebukr\AppData\Local\Temp\nsr5CE8.tmp\Xngvgtmsqefe.exe"
C:\Users\Giupczzc\AppData\Local\Temp\nsf6C6.tmp\internal0e8eb7eba180b95c98f48f270263193252db9bdc_0000942096.exe /baseInstaller='c:/users/user/downloads/0e8eb7eba180b95c98f48f270263193252db9bdc_0000942096' /fallbackfolder='C:/Users/Giupczzc/AppData/Local/Temp/nsf6C6.tmp/fallbackfiles/'
"C:\Users\Qktvxmaf\AppData\Local\Temp\nsk591F.tmp\Qtmfoybvc.exe"
"C:\Users\Teacgrni\AppData\Local\Temp\nss52C6.tmp\Nyrlrnmjpfvz.exe"
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\32ca1161b68d11fe2227ee429c7f7cbe08eaa925_0004119376.,LiQMAxHB
open c:\users\user\downloads\utils.exe /parent='5c2dfd99c78634be628099bfe6936252333b14ae_0000087968,sandboxtool.exe,sandboxhandler.exe,cmd.exe,svchost.exe'
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\74a93f8557b0707b68ba6ca4e5cbb92a898362b8_0000400896.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\df72b592a3e393ea2ff331ae5b635a8d47542546_0000131432.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\e0240a003c75c4c04195264755ee1c1ce462858b_0000177640.,LiQMAxHB
C:\Users\Fklrecvy\AppData\Local\Temp\nstE94E.tmp\internal745c64db0995b6696aff4cf39bd779807226d192_0000962040.exe /baseInstaller='c:/users/user/downloads/745c64db0995b6696aff4cf39bd779807226d192_0000962040' /fallbackfolder='C:/Users/Fklrecvy/AppData/Local/Temp/nstE94E.tmp/fallbackfiles/'
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\6fa91c84b9e12e7c6f5e3bde2f84165cd69501c2_0000174568.,LiQMAxHB
open c:\users\user\downloads\utils.exe /parent='189396285207f11306aac0f0edd37aa95d90ef4d_0000120168,sandboxtool.exe,sandboxhandler.exe,cmd.exe,explorer.exe'
