Multi-License Discount Quote

Change Region

English
Threat Database Adware EoRezo

EoRezo

By Sumo3000 in Adware

Threat Scorecard

Popularity Rank: 1,212
Threat Level: 20 % (Normal)
Infected Computers: 1,617,318
First Seen: April 28, 2010
Last Seen: February 6, 2026
OS(es) Affected: Windows

ScreenshotMicrosoft has classified EoRezo as an adware infection. This Browser Helper Object (a kind of browser add-on for Internet Explorer) is disguised as a beneficial application that claims to connect you with interesting a useful content. However, EoRezo's main purpose is to spam its victims with constant, annoying, pop-up advertisements. EoRezo also engages in other practices that have been linked to malware infections rather than to legitimate Windows applications. Despite EoRezo's claim that EoRezo is interactive and designed to lead you to the content targeted to your own preferences, EoRezo simply displays advertisements from a predefined list (most probably of websites and services that have payed for EoRezo's services in one way or another). According to ESG PC security researchers, EoRezo does not seem to contain any redeeming features. A careful look at this browser toolbar reveals that EoRezo is simply one more advertising tool, designed to infringe on your privacy and force you to view a variety of advertisements (generating revenue illegally in the process). Since EoRezo makes changes to the Windows Registry and to your system settings, removing EoRezo will necessarily involve using a reliable, fully-updated anti-malware application.

How EoRezo Can Affect Your Computer System

There are several things on EoRezo that have convinced malware analysts to regard EoRezo as a malware infection rather than a legitimate content-delivery system (such as StumbleUpon or the Reddit toolbar). Below, ESG PC security researchers have listed five ways in which EoRezo affects your computer system:

  1. EoRezo can connect to another server, in order to download its configuration files. This connection may happen without the user's authorization.
  2. This remote connection is a two-way street. EoRezo can send out information about your browsing habits and online activity to a remote server.
  3. EoRezo changes your home page settings and default search engine. This change can occur both on Internet Explorer and Mozilla Firefox (the two most popular Internet browsers).
  4. EoRezo connects to remote servers such as eorezo.com and alpha00001.com.
  5. EoRezo displays a constant barrage of advertisements in the form of annoying pop-up windows.

Aliases

15 security vendors flagged this file as malicious.

Antivirus Vendor Detection
Panda Adware/BHO
AntiVir Adware/EoRezo.A.72
BitDefender Application.Generic.384998
Avast Win32:Eorezo-B [PUP]
AVG Generic5.GFU
Ikarus Win32.Malware
Microsoft Adware:Win32/EoRezo
AntiVir Adware/EoRezo.N.2
McAfee Artemis!45CF2095378A
AntiVir TR/Agent.974848.7
McAfee Artemis!06D4FED19763
AVG Generic4.BZWZ
Sophos Eorezo
AntiVir Adware/EoRezo.E.9
Comodo UnclassifiedMalware

SpyHunter Detects & Remove EoRezo

File System Details

EoRezo may create the following file(s):
Expand All | Collapse All
# File Name MD5 Detections
1. bSeeG8Dtsj.exe 2b5765fa33cdf900c1fe19ad9e38a91a 2,016
2. da2-y93atm.exe 68518535700af96f78aab5ba356eb6be 929
3. c9-08bX_Uq.exe acb795c9a587100bbe9daf9b3de86fbe 699
4. LlrU&JD3QD.exe 89052d3fa007d7ac9bac7d2f794ffa46 681
5. 404wfJSXFb.exe dd0d67502265c9b55183dd0257489b19 619
6. Yq5gPZjCvX.exe 98b9644afd4de7674189556ca819b8e1 357
7. DTHLjesd0y.exe b88955cbf36ca817df7ab5d64415b056 344
8. 4571303.exe 44032440596aa42cbb4bae2ff902b25b 343
9. 2Vi3oO42mK.exe 6ced69cedb214f99015dc43a008e399f 272
10. trz6CF8.tmp c47c904c27b70bce5f4ca0a4d97ff659 266
11. &p#oqrzfgf.exe 205d9b12e59328c8e57ac92aa16ee3f8 187
12. LYFP.exe b70ba5c079f815e03a95e004723404ad 172
13. qV65-8lNN-.exe ba4fc752a7d74b9a67b7f6a1a8075660 154
14. 2brkriuga_.exe e280f49856c7cb7dd7de659742957ecd 138
15. owajxdaa'o.exe 5003ed514dae595cf15c0b68af607b62 86
16. j_&6_0k4jP.exe 1800c30708a43555338cfadda8cff829 72
17. z79hbçt-s#.exe 190f8a1dc601f30ad7e3768fbcf8ea6e 14
18. 714338509.exe f56bcfa60e398b14e1b746e68b9329e6 13
19. 710282148.exe f47425b1b9b9e6b8da09110c404858ae 6
20. 550802537.exe 5589be52bae041ddad72cc24e0845d08 6
21. 516459642.exe dd6c5e4a7cad80c8b4949f4d13952359 4
22. 247435605.exe 1179589e86eb3a7e03b6c89e2586ebfb 4
23. 582164585.exe b53bdabd915570eeb2f60a86761240f9 3
24. 458222505.exe 89b78aa279c12d96f31e3bddbd9740ac 3
25. C:\Documents and Settings\\Application Data\EoRezo\SoftwareUpdateHP.exe
26. C:\Program Files\eoRezo\EoEngine.exe
27. C:\Program Files\eoRezo\eoRezo.exe
More files

Registry Details

EoRezo may create the following registry entry or registry entries:
CLSID
{18AF7201-4F14-4BCF-93FE-45617CF259FF}
{8FF10FED-2F0A-4F7F-BE87-B04F1DCD4319}
{C10DC1F4-CCDF-4224-A24D-B23AFC3573C8}
{DF76E9B7-35EC-46FC-AF56-5B79DED9D64F}
File name without path
lightcleaner.lnk
lightcleanerlightcleaner.exe
lightcleanerlightcleaner.tmp
Lightening Media Player.lnk
LighteningMediaPlayerInstall.exe
Speedycar.lnk
Regexp file mask
%PROGRAMFILES%\filters\xec.exe
%PROGRAMFILES%\host\idscservice.exe
%PROGRAMFILES%\host\w_network.exe
%PROGRAMFILES%\host\wizzcaster.exe
%PROGRAMFILES(x86)%\app\Wizard.exe
%PROGRAMFILES(x86)%\filters\xec.exe
%PROGRAMFILES(x86)%\host\idscservice.exe
%PROGRAMFILES(x86)%\host\wizzcaster.exe
%PROGRAMFILES(x86)%\pf\oo.exe
%PROGRAMFILES(x86)%\Pipe\[NUMBERS].exe
%TEMP%\avboost[RANDOM CHARACTERS].exe
%TEMP%\speedycar[RANDOM CHARACTERS].exe
%TEMP%\texttotalk.exe
%USERPROFILE%\Desktop\texttotalk.lnk
%WINDIR%\System32\Tasks\GoogleUpdateSecurityTaskMachine_[RANDOM CHARACTERS]
HKEY..\..\..\..{RegistryKeys}
HKLM\SOFTWARE\Classes\AppID\EoEngineBHO.DLL
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011101220111013
HKLM\Software\EoRezo\"HostGUID"
SOFTWARE\Classes\cible
SOFTWARE\Classes\tsckmna
Software\EoRezo
Software\Lightcleaner
SOFTWARE\LighteningPlayer
Software\MAL\Speedycar
SOFTWARE\Microsoft\2ups
SOFTWARE\Microsoft\APreSam
SOFTWARE\Microsoft\avboostcampaign114
SOFTWARE\Microsoft\bestavicampaign563
Software\Microsoft\BigTime
SOFTWARE\MICROSOFT\campaign9961
SOFTWARE\Microsoft\DMunversion
SOFTWARE\Microsoft\DskFX
Software\Microsoft\Etsy
SOFTWARE\Microsoft\FstCar
SOFTWARE\Microsoft\MPrForShutT
Software\Microsoft\MPrForWeathI
Software\Microsoft\MTPreC_B
Software\Microsoft\MTPreC_Qn
SOFTWARE\MICROSOFT\multitimercampaign84170
SOFTWARE\Microsoft\PrAmNP
SOFTWARE\Microsoft\PShutdTime
SOFTWARE\Microsoft\shutdowntimecampaign5651
Software\Microsoft\ShutTPreAm
Software\Microsoft\ShutTPreIc
Software\Microsoft\ShutTPreJ
Software\Microsoft\ShutTPreShM
SOFTWARE\MICROSOFT\Speedycar
Software\MICROSOFT\TechnologyDesktopnew
SOFTWARE\Microsoft\Tracing\AfficheOne_RASAPI32
SOFTWARE\Microsoft\Tracing\AfficheOne_RASMANCS
SOFTWARE\Microsoft\Tracing\i_network_RASAPI32
SOFTWARE\Microsoft\Tracing\i_network_RASMANCS
SOFTWARE\Microsoft\Tracing\LighteningMediaPlayerInstall_RASAPI32
SOFTWARE\Microsoft\Tracing\LighteningMediaPlayerInstall_RASMANCS
SOFTWARE\Microsoft\Tracing\o_network_RASAPI32
SOFTWARE\Microsoft\Tracing\o_network_RASMANCS
SOFTWARE\Microsoft\Tracing\wizzcaster_RASAPI32
SOFTWARE\Microsoft\Tracing\wizzcaster_RASMANCS
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Speedycar
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WeatherInspect
SOFTWARE\Microsoft\{1f7ee1a8-4436-4ffc-b97b-b5b01e87d3d2}
SOFTWARE\Microsoft\{94ebd7b5-82ae-449t-b679-3d04078ed154}
Software\Microsoft\{94ebd7b5-82ae-449t-b679-3d04078ed154}}
Software\Picture\PictureprocessingToolsV1.0
Software\Picture\seescenicelfc
Software\Picture\seescenicelfq
Software\Picture\seescenicelfu
SOFTWARE\T4pc
Software\UniversalCadast
SOFTWARE\Wow6432Node\EoRezo
SOFTWARE\Wow6432Node\Microsoft\DMunversion
SOFTWARE\Wow6432Node\Microsoft\PrAmNP
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Speedycar
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WeatherInspect
SOFTWARE\Wow6432Node\Microsoft\{1f7ee1a8-4436-4ffc-b97b-b5b01e87d3d2}
SOFTWARE\Wow6432Node\Microsoft\{94ebd7b5-82ae-449t-b679-3d04078ed154}
Software\Wow6432Node\Microsoft\{94ebd7b5-82ae-449t-b679-3d04078ed154}}
SOFTWARE\Wow6432Node\Microsoft\{cc6eb6d8-85b7-435p-8b86-51e4d16ea76d}
SYSTEM\ControlSet001\Services\AppApcVerifier
SYSTEM\ControlSet002\Services\AppApcVerifier
SYSTEM\CurrentControlSet\Services\AppApcVerifier
HKEY_LOCAL_MACHINE\Software\[APPLICATION]\Microsoft\Windows\CurrentVersion\Uninstall..{Uninstaller}
bestDownloader_is1
comoBoss_is1
eoEngine_is1
eoRezo_is1
LighteningPlayer
maintenance software_is1
Speedycar_is1
texttotalk
WeatherInspect_is1

Directories

EoRezo may create the following directory or directories:

%ALLUSERSPROFILE%\AppApcVerifier
%ALLUSERSPROFILE%\Application Data\AppApcVerifier
%APPDATA%\EoRezo
%APPDATA%\lighteningplayer
%LOCALAPPDATA%\combroadcaster
%PROGRAMFILES%\Ajc
%PROGRAMFILES%\BeCleaner
%PROGRAMFILES%\Caster
%PROGRAMFILES%\ComoBo
%PROGRAMFILES%\EoRezo
%PROGRAMFILES%\KokoMoss
%PROGRAMFILES%\Koruko
%PROGRAMFILES%\LighteningPlayer
%PROGRAMFILES%\Speedycar
%PROGRAMFILES%\WeatherInspect
%PROGRAMFILES%\WinCaster
%PROGRAMFILES%\YEha
%PROGRAMFILES%\bestDownloader
%PROGRAMFILES%\browseextension
%PROGRAMFILES%\comoBoss
%PROGRAMFILES%\documentss
%PROGRAMFILES%\elansurfer
%PROGRAMFILES%\lightcleaner
%PROGRAMFILES%\texttotalk
%PROGRAMFILES%\tuto100_ar_21
%PROGRAMFILES(X86)%\Caster
%PROGRAMFILES(x86)%\Ajc
%PROGRAMFILES(x86)%\BeCleaner
%PROGRAMFILES(x86)%\ComoBo
%PROGRAMFILES(x86)%\EoRezo
%PROGRAMFILES(x86)%\KokoMoss
%PROGRAMFILES(x86)%\Koruko
%PROGRAMFILES(x86)%\LighteningPlayer
%PROGRAMFILES(x86)%\Parklands
%PROGRAMFILES(x86)%\Speedycar
%PROGRAMFILES(x86)%\WeatherInspect
%PROGRAMFILES(x86)%\WinCaster
%PROGRAMFILES(x86)%\YEha
%PROGRAMFILES(x86)%\bestDownloader
%PROGRAMFILES(x86)%\browseextension
%PROGRAMFILES(x86)%\comoBoss
%PROGRAMFILES(x86)%\documentss
%PROGRAMFILES(x86)%\elansurfer
%PROGRAMFILES(x86)%\lightcleaner
%PROGRAMFILES(x86)%\texttotalk
%PROGRAMFILES(x86)%\tuto100_ar_21
%TEMP%\bestDownloader
%UserProfile%\Local Settings\Application Data\combroadcaster

Analysis Report

General information

Family Name: Adware.eoRezo
Signature status: No Signature

Known Samples

MD5: b4452e060f29f9979c28f112ad79db19
SHA1: 061256a66b79ac9622e5dfa5e48bcdeac8c3dca8
File Size: 30.92 KB, 30920 bytes
MD5: 619912c8b4de42d7e88208e62363587c
SHA1: 58b272b4e1bf6c5d3b148bff61ee643b1ee084ce
File Size: 7.41 MB, 7410740 bytes
MD5: baaaecd3b4cb3dafec6e3e65b5001e3f
SHA1: ec226d4e3673a84e7167f5018e1b41270067184b
SHA256: 46E13EA71E2DBA5F655BA925C0BF59EA2CA986A312C1D2DEF97F135AAE4D2544
File Size: 220.16 KB, 220160 bytes
MD5: 22c9362220256f18b3bc92080c9c5d2a
SHA1: 90dd677915cbc6d58b17035c3305858024200323
SHA256: EB17C653F5217599527B7EA01E477F5224786A24B1EDCA0A620331CC9A262DB1
File Size: 161.79 KB, 161792 bytes
MD5: 4bf4a1a24674b6785cdfce70d4c09627
SHA1: 48b1853382eda339fdb0a0ceb6dc50af38761ab1
SHA256: CB41FC3F618259D8B9734BD068F5238F532C0D5D108C29A65C400E4CD309D367
File Size: 3.27 MB, 3272080 bytes
Show More
MD5: 382262f03a1868e55c3d5887cbaedee7
SHA1: bbe4e5835da701ccc98f66fe8bed3c00a07531ff
SHA256: 7170A58B395EB67BFB657E3B3F2D68D523BBF45D3F5D567FB65DC4479159148C
File Size: 6.39 MB, 6392163 bytes
MD5: 3b4558f8ddb168c1814ce60abe93ef55
SHA1: 5118ff18090d14b71307186e646aa0fa0b871faf
SHA256: 030EB7DD103DF757B651D88DDB54ED441070F1767044C7F8863416FFD259D9A6
File Size: 4.81 MB, 4810737 bytes
MD5: 027a8f08e292cb34d72e051b5e59bbe9
SHA1: 7f755a8ac6be709ee43c70fca6a31fa42c3139f4
SHA256: C28386E07A6BD12C4D6875FA027D7BF2457F8CB40424DB7B56BCBB43505B634D
File Size: 3.69 MB, 3690680 bytes
MD5: 56bd6fd4c318ab7f3a53028833898928
SHA1: 799d32d7aa589beb35cfa26620ca91b0db5ca768
SHA256: 74E06A558B533303670D2CBDC9249A8DD9E8065194762D9EDD73FA6DFD61C431
File Size: 3.32 MB, 3317728 bytes
MD5: 16df802e0306f46a332326ef8ee2154d
SHA1: 3e8540aab00a66431c0d4dca81d7471459709980
SHA256: 6A1F9DD602AC7FF809EAE6E3A2A3A8C1396E1C53C44FBAA3AF6E0E06832F4360
File Size: 26.11 KB, 26112 bytes
MD5: 19c3cfd1637b22f7106268007e05346c
SHA1: 98d78c68af2ff194eff8c948fdbc997afe7e4890
SHA256: 5AE1594119984CC0821C71B2D7C7A4015CF2EA7B34798E51D09ECBFD3E30C97D
File Size: 3.98 MB, 3981456 bytes
MD5: 1b5894ffbb972ad3a3e6b5c82efebbfa
SHA1: 97f8e593932874420b0c30fc5ed9b827d4ef2798
SHA256: 38CDE2AF66BC2BDA57C09957F6F88EDE3B7615CEA4D8852CF1019DC4F21F727C
File Size: 7.07 MB, 7069640 bytes
MD5: 8960b74f61505489f73b6f9f8d23804d
SHA1: f9fa5de637ba7f8a99af6d5f87e3bb93151118c9
SHA256: E849418867F727F1D271A9A000AE465398CDB1E2273B7D0F0BEF734225EDDD2A
File Size: 489.52 KB, 489518 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has TLS information
  • File is .NET application
  • File is 32-bit executable
  • File is 64-bit executable
  • File is either console or GUI application
Show More
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name Value
Assembly Version
  • 2.8.2.8
  • 1.0.0.0
  • 0.3.8.8
Comments
  • G4%6CSAO
  • IntiZabbour
  • This installation was built with Inno Setup.
Company Name
  • csmedia.com
  • D%49SVJ6J
  • EoRezo
  • FreeSoftToday
  • free_soft_to_day
  • G4%6CSAO9
  • IntiZabbour
  • J.O.H.N.
File Description
  • CCleaner Setup
  • D
  • Desktop Improve 171.1.224 Setup
  • FreeSoftToday Setup
  • fst_br_78 Setup
  • G4
  • IntiZabbour
  • Max Driver Updater
File Version
  • Max Driver Updater
  • 8.6.7.6
  • 2.0.1.8
  • 1.0.0.0
Internal Name
  • AAAABBBBBB.exe
  • Iasa3.exe
  • noconf.exe
  • WizzInstaller.exe
Legal Copyright
  • Copyright © 2016
  • Copyright © 5887
  • Copyright © 6456
  • © csmedia.com
Original Filename
  • AAAABBBBBB.exe
  • Iasa3.exe
  • noconf.exe
  • WizzInstaller.exe
Product Name
  • D%49S
  • Desktop Improve 171.1.224
  • FreeSoftToday
  • fst_br_78
  • G
  • IntiZabbour
  • Max Driver Updater
Product Version
  • 8.6.7.6
  • 2.7.1086.16649
  • 2.0.1.8
  • 1.0.0.0

Digital Signatures

Signer Root Status
TUTO4PC COM INTERNATIONAL SL GlobalSign CodeSigning CA - G2 Self Signed
CONCEPTION SELECTION DISTRIBUTION INTERNATIONALE GlobalSign CodeSigning CA - SHA256 - G2 Hash Mismatch
CONCEPTION SELECTION DISTRIBUTION INTERNATIONALE GlobalSign CodeSigning CA - SHA256 - G2 Self Signed
L Agence Exclusive GlobalSign CodeSigning CA - SHA256 - G2 Self Signed
TUTO4PC COM INTERNATIONAL SL GlobalSign CodeSigning CA - SHA256 - G2 Self Signed

File Traits

  • .NET
  • big overlay
  • HighEntropy
  • Inno
  • InnoSetup Installer
  • Installer Manifest
  • Installer Version
  • No Version Info
  • RijndaelManaged
  • x64
Show More
  • x86

Block Information

Total Blocks: 565
Potentially Malicious Blocks: 25
Whitelisted Blocks: 240
Unknown Blocks: 300

Visual Map

0 0 0 0 0 0 0 0 0 ? ? 0 0 ? 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 ? ? ? 0 ? ? ? ? ? ? ? ? 0 ? 0 ? ? ? ? ? ? 0 0 0 ? 0 0 0 0 0 0 0 0 ? ? 0 ? ? 0 0 0 0 ? ? 0 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 ? ? ? ? ? ? ? ? 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 0 0 0 0 ? ? ? ? 0 ? ? ? ? 0 ? ? ? 0 ? 0 0 0 0 0 ? ? ? ? ? 0 ? ? ? ? ? ? ? x ? ? ? ? ? 0 ? 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 ? ? ? ? 0 ? ? ? ? ? ? ? 0 0 ? ? ? ? ? 0 ? ? ? ? 0 0 ? 0 ? 0 ? ? ? 0 ? ? ? ? ? 0 ? 0 0 0 0 0 0 0 0 0 0 0 ? ? ? 0 0 0 ? ? ? 0 0 0 0 0 ? 0 0 0 0 ? ? x 0 ? 0 0 0 0 0 0 0 0 0 0 ? 0 ? ? ? 0 ? ? ? ? ? ? 0 0 ? x x 0 ? ? ? 0 0 0 ? ? ? x ? x 0 ? 0 ? 0 ? 0 ? 0 ? ? 0 0 ? 0 0 0 0 0 0 0 0 0 ? ? ? ? 0 0 0 0 0 ? x x 0 0 ? x 0 x ? 0 0 ? ? 0 ? ? ? 0 ? ? ? ? ? ? 0 0 0 ? ? ? 0 0 ? ? ? 0 0 0 x 0 0 0 x 0 x 0 0 0 x 0 0 0 0 0 0 0 0 ? ? 0 0 0 0 0 0 ? 0 0 ? 0 0 0 0 0 x 0 ? 0 0 x 0 0 ? ? x 0 ? 0 0 ? ? ? 0 0 x x ? ? 0 ? ? ? ? x ? 0 ? 0 ? ? 0 ? ? ? x x x ? ? ? ? ? x ? ? ? ? 0 ? 0 0 0 ? 0 ? ? ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Eorezo.A

Files Modified

File Attributes
\device\namedpipe\gmdasllogger Generic Write,Read Attributes
c:\users\user\appdata\local\rec_pl_69\rec_pl_69\1.20\cnf.cyl Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-9p6tn.tmp\is-qj36v.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-q0b38.tmp\_isetup\_iscrypt.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-q0b38.tmp\_isetup\_setup64.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-q0b38.tmp\_isetup\_shfoldr.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-qsgbk.tmp\7f755a8ac6be709ee43c70fca6a31fa42c3139f4_0003690680.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-tpnsh.tmp\48b1853382eda339fdb0a0ceb6dc50af38761ab1_0003272080.tmp Generic Write,Read Attributes
c:\windows\appcompat\programs\amcache.hve Read Data,Read Control,Write Data
c:\windows\appcompat\programs\amcache.hve Write Attributes
Show More
c:\windows\appcompat\programs\amcache.hve.log1 Read Data,Write Data
c:\windows\appcompat\programs\amcache.hve.log2 Read Data,Write Data

Registry Modifications

Key::Value Data API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe ffi倕懂ǜ RegNtPreCreateKey
HKLM\software\classes\jscript:: JScript Language RegNtPreCreateKey
HKLM\software\classes\jscript\clsid:: {f414c260-6ac0-11cf-b6d1-00aa00bbbb58} RegNtPreCreateKey
HKLM\software\classes\livescript:: JScript Language RegNtPreCreateKey
HKLM\software\classes\livescript\clsid:: {f414c260-6ac0-11cf-b6d1-00aa00bbbb58} RegNtPreCreateKey
HKLM\software\classes\javascript:: JScript Language RegNtPreCreateKey
HKLM\software\classes\javascript\clsid:: {f414c260-6ac0-11cf-b6d1-00aa00bbbb58} RegNtPreCreateKey
HKLM\software\classes\javascript1.1:: JScript Language RegNtPreCreateKey
HKLM\software\classes\javascript1.1\clsid:: {f414c260-6ac0-11cf-b6d1-00aa00bbbb58} RegNtPreCreateKey
HKLM\software\classes\javascript1.2:: JScript Language RegNtPreCreateKey
Show More
HKLM\software\classes\javascript1.2\clsid:: {f414c260-6ac0-11cf-b6d1-00aa00bbbb58} RegNtPreCreateKey
HKLM\software\classes\javascript1.3:: JScript Language RegNtPreCreateKey
HKLM\software\classes\javascript1.3\clsid:: {f414c260-6ac0-11cf-b6d1-00aa00bbbb58} RegNtPreCreateKey
HKLM\software\classes\ecmascript:: JScript Language RegNtPreCreateKey
HKLM\software\classes\ecmascript\clsid:: {f414c260-6ac0-11cf-b6d1-00aa00bbbb58} RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}:: JScript Language RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\progid:: JScript RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\inprocserver32:: C:\WINDOWS\SysWow64\jscript.dll RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\inprocserver32::threadingmodel Both RegNtPreCreateKey
HKLM\software\classes\jscript author:: JScript Language Authoring RegNtPreCreateKey
HKLM\software\classes\jscript author\clsid:: {f414c261-6ac0-11cf-b6d1-00aa00bbbb58} RegNtPreCreateKey
HKLM\software\classes\jscript.compact author:: JScript Language Authoring RegNtPreCreateKey
HKLM\software\classes\jscript.compact author\clsid:: {f414c261-6ac0-11cf-b6d1-00aa00bbbb58} RegNtPreCreateKey
HKLM\software\classes\livescript author:: JScript Language Authoring RegNtPreCreateKey
HKLM\software\classes\livescript author\clsid:: {f414c261-6ac0-11cf-b6d1-00aa00bbbb58} RegNtPreCreateKey
HKLM\software\classes\javascript author:: JScript Language Authoring RegNtPreCreateKey
HKLM\software\classes\javascript author\clsid:: {f414c261-6ac0-11cf-b6d1-00aa00bbbb58} RegNtPreCreateKey
HKLM\software\classes\javascript1.1 author:: JScript Language Authoring RegNtPreCreateKey
HKLM\software\classes\javascript1.1 author\clsid:: {f414c261-6ac0-11cf-b6d1-00aa00bbbb58} RegNtPreCreateKey
HKLM\software\classes\javascript1.2 authorjavascript1.3 author:: JScript Language Authoring RegNtPreCreateKey
HKLM\software\classes\javascript1.2 authorjavascript1.3 author\clsid:: {f414c261-6ac0-11cf-b6d1-00aa00bbbb58} RegNtPreCreateKey
HKLM\software\classes\ecmascript author:: JScript Language Authoring RegNtPreCreateKey
HKLM\software\classes\ecmascript author\clsid:: {f414c261-6ac0-11cf-b6d1-00aa00bbbb58} RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}:: JScript Language Authoring RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\progid:: JScript Author RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\inprocserver32:: C:\WINDOWS\SysWow64\jscript.dll RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\inprocserver32::threadingmodel Both RegNtPreCreateKey
HKLM\software\classes\jscript.encode:: JScript Language Encoding RegNtPreCreateKey
HKLM\software\classes\jscript.encode\clsid:: {f414c262-6ac0-11cf-b6d1-00aa00bbbb58} RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}:: JScript Language Encoding RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\progid:: JScript.Encode RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\inprocserver32:: C:\WINDOWS\SysWow64\jscript.dll RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\inprocserver32::threadingmodel Both RegNtPreCreateKey
HKLM\software\classes\jscript.compact:: JScript Compact Profile (ECMA 327) RegNtPreCreateKey
HKLM\software\classes\jscript.compact\clsid:: {cc5bbec3-db4a-4bed-828d-08d78ee3e1ed} RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}:: JScript Compact Profile (ECMA 327) RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\progid:: JScript.Compact RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\inprocserver32:: C:\WINDOWS\SysWow64\jscript.dll RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\inprocserver32::threadingmodel Both RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\system\software\microsoft\tip\aggregateresults::data 鐄ȴ 鲱講洎ʫጉ嵑詛픋˹耀뫹躧隞̃☁耀꧌ìč RegNtPreCreateKey

Windows API Usage

Category API
Process Shell Execute
  • CreateProcess
  • ShellExecuteEx
  • WriteConsole
User Data Access
  • GetUserObjectInformation
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ReadProcessMemory
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAdjustPrivilegesToken
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAllocateReserveObject
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreatePort
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcDeleteSecurityContext
Show More
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeleteValueKey
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFindAtom
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtFsControlFile
  • ntdll.dll!NtLoadKeyEx
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReadVirtualMemory
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRemoveIoCompletionEx
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetIoCompletionEx
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtTraceEvent
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtUnsubscribeWnfStateChange
  • ntdll.dll!NtWaitForAlertByThreadId

13 additional items are not displayed above.

Anti Debug
  • IsDebuggerPresent
Encryption Used
  • BCryptOpenAlgorithmProvider
  • CryptAcquireContext
Keyboard Access
  • GetKeyState
Other Suspicious
  • AdjustTokenPrivileges
Process Terminate
  • TerminateProcess
Network Winsock2
  • WSAStartup
Network Winsock
  • closesocket
  • getaddrinfo
  • socket

Shell Command Execution

C:\WINDOWS\system32\fondue.exe "C:\WINDOWS\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
"C:\Users\Walihcyy\AppData\Local\Temp\is-9P6TN.tmp\is-QJ36V.tmp" /SL4 $201EA "c:\users\user\downloads\58b272b4e1bf6c5d3b148bff61ee643b1ee084ce_0007410740.exe" 7157536 52736
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\\dw20.exe dw20.exe -x -s 744
"C:\Users\Opgkgfrd\AppData\Local\Temp\is-TPNSH.tmp\48b1853382eda339fdb0a0ceb6dc50af38761ab1_0003272080.tmp" /SL5="$40218,2997737,56832,c:\users\user\downloads\48b1853382eda339fdb0a0ceb6dc50af38761ab1_0003272080"
"C:\Users\Bxqnfxyr\AppData\Local\Temp\is-QSGBK.tmp\7f755a8ac6be709ee43c70fca6a31fa42c3139f4_0003690680.tmp" /SL5="$F016A,3188624,221696,c:\users\user\downloads\7f755a8ac6be709ee43c70fca6a31fa42c3139f4_0003690680"
Show More
"C:\WINDOWS\system32\taskkill.exe" /f /im maxdu.exe
WriteConsole: ERROR: The proce
open taskkill.exe /f /im "maxdu.exe"
"C:\WINDOWS\system32\regsvr32.exe" /s "C:\WINDOWS\system32\jscript.dll"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\\dw20.exe dw20.exe -x -s 756

Related Posts

Trending

Most Viewed

Loading...