Multi-License Discount Quote

Change Region

English
Threat Database Trojans Floxif

Floxif

By GoldSparrow in Trojans

Threat Scorecard

Popularity Rank: 2,169
Threat Level: 80 % (High)
Infected Computers: 53,653
First Seen: January 4, 2013
Last Seen: February 6, 2026
OS(es) Affected: Windows

Floxif is a Trojan that was known to be spread using a corrupted version of CCleaner recently. CCleaner is a legitimate program that is used to help computer users perform maintenance tasks on their computers. However, a corrupted version of this utility has led to more than 2 million computers becoming infected with Floxif. As soon as Floxif was installed on the victim's computer, it started gathering information about the infected computer and sending it to the Floxif's controllers, allowing con artists to gain access to the victim's data.

The Name of an Honest Progam Being Used to Dishonest Actions

The makers of CCleaner announced officially that their program had been modified by cybercriminals to install Floxif on the victims' computers. One of the reasons why the Floxif attack was so effective was because the corrupted version of Floxif was being delivered with a valid digital certificate. Once installed, Floxif was designed to send con artists technical data about the infected computers, such as running programs, installed software, the victim's computer's name and addresses. It does seem that Floxif itself also led to other threat infections on the victim's computers. Essentially, Floxif delivers data to on artist, which allows them to deliver additional Trojan payloads. CCleaner was corrupted on August 15, 2017, and it wasn't reported to computer users until September 12, 2017. Because of this, computer users that downloaded CCleaner in that period may have installed Floxif on their computers unknowingly.

How Floxif Carries out Its Attack

Floxif runs in the background. Floxif uses the infected computer's resources, such as CPU processing and online bandwidth, and connects to its Command and Control server through the IP address 216.126.225.148. Floxif also receives data, including additional threats, which it could then install on the victim's computer. Not only individual computer users were the intended victims of Floxif. Floxif also was meant to compromise major technology and communications companies in the United States, Germany, Taiwan, Japan, and the United Kingdom, including such high-profile targets as Cisco, MSI, Oracle, Google, Linksys and Epson. Floxif has been delivered to high-profile targets, which include some banks and government computer networks. Possible victims of the Floxif attack have been notified, and steps are being taken to ascertain the extent of the Floxif attack.

Further Details about a Floxif Infection

The reason why Floxif managed to infect 2.27 million people (at the last estimate) is that the con artists were able to modify CCleaner's main executable, making it quite difficult to realize that the attack was going on. At least 20 computers owned by high-profile technology companies have been infected with Floxif. Updating CCleaner to its latest version should remove Floxif. A security program that is fully up-to-date can scan your computer if you have downloaded CCleaner or there's a possibility that Floxif has infected your computer. You should take some steps to limit the damage of a possible Floxif infection on your computer:

  1. Make sure that your copy of CCleaner is updated to version 5.34 or higher. The corrupted version of this program is version 5.33.
  2. Use a security program to run a full scan of your computer.
  3. Change all of your passwords and other sensitive data.
  4. Take steps to check that your online accounts, particularly your online banking accounts, have not presented suspicious activity or been compromised in any way. Your social media and email accounts also may have been compromised and used to deliver spam messages.

SpyHunter Detects & Remove Floxif

File System Details

Floxif may create the following file(s):
Expand All | Collapse All
# File Name MD5 Detections
1. symsrv.dll 1458e1451cf701b363c99cfb81317789 2,196
More files

Analysis Report

General information

Family Name: Trojan.Floxif
Signature status: No Signature

Known Samples

MD5: c689097a67a94ac20c1f517e351e91c7
SHA1: 7315078bc73ee2fe8fd46ee94d18390b61a1177b
File Size: 628.07 KB, 628073 bytes
MD5: a0f19aeef075e45b9bdde145987aef8d
SHA1: b3fef0e72a2993edcacf296891b4e9c45237a6e8
File Size: 1.69 MB, 1694830 bytes
MD5: 2ea1298542e778ec21fc1e5e50ed4368
SHA1: 8534d8487a5bf6039cb297610332950bd11eb3c0
File Size: 3.69 MB, 3689370 bytes
MD5: b605efb7d82e9598b1180aa3cb66527c
SHA1: c73005302f63328aef2fb7f401b242aa0b149a73
File Size: 1.19 MB, 1194812 bytes
MD5: 00079de8b0a8936c8599ee48c7f8b2d8
SHA1: 5feb073b087204fe3fa4534a176e2f92d185bcf2
File Size: 149.96 KB, 149959 bytes
Show More
MD5: 20e901dda0cfa2f7d13750e5c15234db
SHA1: af49f90f047b3e820e20b5f8d1d055a05ecc2638
File Size: 4.41 MB, 4411663 bytes
MD5: cc7876e8de11a680f4c3c42832e53f8c
SHA1: 8e10fd460a4d7d3b2fac30b71000bdd6db0c5aa0
File Size: 886.15 KB, 886147 bytes
MD5: d68d8cc06c73607e2ed9c8086f0ae05a
SHA1: 51f52128c0e1c18da0cf267a6656ff4366c31b49
File Size: 9.94 MB, 9941823 bytes
MD5: 24c0902972b6143a18778396707a6bc8
SHA1: 136158a37aea8fd26eb7fa6f68dfcdc512585a72
SHA256: 502BE78A1A154DCB0E4A1E1B3F51D422C44EC8B62599FF0C59D242B9AB15E261
File Size: 55.81 KB, 55808 bytes
MD5: 4cf46615b9c96360dd1f86714d6a616b
SHA1: 0980221ea8ec2038f7ce2fce2cbd7562984b839b
SHA256: AE3A34789971EDBE22A0D7845DD711F139A18E21C932EAB377BB6E05D0E502B0
File Size: 464.99 KB, 464991 bytes
MD5: 330addd7553165862a78dd04eaf836c4
SHA1: c9eb64d8470533c5cec0b2ec831dab76cbf1093e
SHA256: 1D069120832F876B8A1AA3711424ACE5F4E4E209FE3A7F3BB232D7DB2E375A43
File Size: 8.31 MB, 8311829 bytes
MD5: 5ebac72bd8c68a5133c33518ad214fa2
SHA1: 394f2e7d46a769602bbc8cbcfc12ed542f9ee6fa
SHA256: 6D77700ED0460AD73278C64273CDA2B6686C9844949DC7713500FED15F46813A
File Size: 2.07 MB, 2068052 bytes
MD5: 2ea5b351e21bf9450a1008ba0c39c981
SHA1: a956f9d15250f5170973ce85c0031640adcc01e3
SHA256: 2388C2CA75E71EB352D254A7B4814D36FACA8CD0330922EE91E943B437807501
File Size: 2.64 MB, 2643552 bytes
MD5: 4127387856a04c50fe78433cd116f2e8
SHA1: 6c79b0fe034707483a05d8024b13d290f093a537
SHA256: 715480DD674E2796CBB7F09966BBE00128343897560394E9F85F58C035C4C244
File Size: 592.46 KB, 592460 bytes
MD5: 2659a2e684dcfead9f1fe964d3327f5b
SHA1: 368b362645d9a14736a37f6add72b06bc0514765
SHA256: 4521C75C164316DB5DF981FE2434E31522865DA42C7CB6AC0A42E2DEFF59E8D8
File Size: 416.24 KB, 416242 bytes
MD5: 480c668a328c8b9505e29063e32e7a21
SHA1: 11f1ac814554e15b93640f8bab72ec69c6e492c9
SHA256: 869D31847B472716EEE73AF29CA3B45C1990A4D420D4D57829A674A62A351150
File Size: 498.17 KB, 498165 bytes
MD5: e7f8f9866ec61bf451568d75c4eff967
SHA1: 97135bcb119b4138598fbd0f1115b18557b629b1
SHA256: ED5BFB0DC8994EC55E4C68740028E8F66D8F794D6CC3E0EDE9E1E628B71A7D13
File Size: 5.57 MB, 5573863 bytes
MD5: 6d37c6dd009b5536a58a0dc724cdbb93
SHA1: 7c07cb5472ae391dcabcd1438aae05697af15e31
SHA256: 37DE39688373ED33E938ACA28DF7E8F641A4639E1A8AE13683C1899360C417B4
File Size: 3.14 MB, 3137404 bytes
MD5: 7765774ec068fb6c5b9d46eb3d4c9bb1
SHA1: 72f8627ea495a916e677eb0e352d59881b9fb245
SHA256: 3D5E1B1435C444F0FB92C25D9723E1605716FF1F3033D7BA1121740DCB6857E4
File Size: 4.89 MB, 4890055 bytes
MD5: 61a4ac3c300995c06e145f3fc47c497d
SHA1: b7235bb39b5c5ca5c7c0bb8237a88209a5e93165
SHA256: 69C9F48302E192853876775798C4EBBDF3847C2A82453C642856FDF7B878AD1E
File Size: 801.57 KB, 801573 bytes
MD5: 369e8bdd49f13783048963bacd0a069c
SHA1: e088689658d3cfd5130def2faad24afab5560a11
SHA256: 66124F6390BFD4F3CB941174D8832F62E71FF9BE8F7DE03A7ECEB1E229EAB4E3
File Size: 3.24 MB, 3243320 bytes
MD5: 47874b6bf6bf32dfd495030f3efb8cdb
SHA1: 7fd586937b4862422a79d5f4dc2aff0e88089356
SHA256: CC6AE10F9B35CDBF85621497184A9F13F77CBFF59F0347F706AAB1BA96C63C88
File Size: 162.94 KB, 162944 bytes
MD5: 26eaf9ecad407214ddbe6088a2105914
SHA1: 1e5789c940754fda3410093d5903892667c13644
SHA256: 5AFD5961A1851303992A64B01DF320AF424A322C54A8D1BE111FBCE1EDED7EAC
File Size: 2.21 MB, 2208521 bytes
MD5: 97467627d7d539fb232be044d5d8b927
SHA1: 655a28a70ff4861c72c5cb212c8b3b7d7783b426
SHA256: 9BF934C556B19B32E09D6A558BEA752546CE34CE9D45C7C5AA8A9C3C20E6DFDD
File Size: 469.94 KB, 469935 bytes
MD5: 7447d452c0d7e86ec4db902ce0b37655
SHA1: c0a9a0ee20b6cc54e9b205e425318824fdc15223
SHA256: 656E365D665CC79EB57A973594B35E12523D3603B93A3B010F9AA290AA345E1B
File Size: 1.82 MB, 1816326 bytes
MD5: 38b265312dc2df9e920954dd85ed4afd
SHA1: d89cdbb07958948edb1da0c0f2675d594e87ca6a
SHA256: 4B67F18028C8527AFD97611356FFA7371EBEA6FB9539F557FC4F5B8DB1BC379A
File Size: 267.77 KB, 267767 bytes
MD5: f3cd26a0fd93a95cd01010323aaaa1d5
SHA1: 9c63febf7a2022da4e239456c8a20a928ed016e9
SHA256: F5CA89A39B81D4F3128BBCF2D23C36197C2A6B31CE8C7FA10BCA180EDCC373E5
File Size: 5.98 MB, 5976236 bytes
MD5: 03cf638627ea3a67771360c2ee356d66
SHA1: 22299ff9aec5b9f6b97456928c3d919c123a1ca7
SHA256: 7652A8E88A6FAE5E0F1439049C729387FD0BD2C1F3BE002EDEE98CDA9B388FB5
File Size: 681.20 KB, 681200 bytes
MD5: 38d7006302dfb0728f29c9aadae72a60
SHA1: f1b41ba61c2ee594ea5364296c7a0650a8d2dc68
SHA256: FD4010DDDBD9CC57D8DFCC4CA5CC175C9B769C7A5871C38E365028836F86F326
File Size: 269.73 KB, 269730 bytes
MD5: 036098368c9f89d2b4d4a6d36ac436d2
SHA1: 8c840e7773a3f1b779be987e53454b3e60c51483
SHA256: C693594B52B42780DB1817B80202BF73C03EDF41F4961B630AA0EC7AC90BF60A
File Size: 3.82 MB, 3820235 bytes
MD5: 9eada605af1fe4a7b7ff9dbc2a973be5
SHA1: 00f3b41c698b4c82cb95d6b102129496cc7e32e0
SHA256: 2F06EEAFB8FB2FB3C4BC0E5E853E085F41CABDBB07A8DB89C49E958A1FBD2FAC
File Size: 267.77 KB, 267767 bytes
MD5: e1120523b1f0f4d8b6bfb85f4054bfa8
SHA1: 0c19806abb83f544546d62f11aa9f0f9ab2ea35c
SHA256: 6519ADE8762FB1D27C06A01C1013A31897EE78BA4991ECB268729E621287DF25
File Size: 481.10 KB, 481103 bytes
MD5: bf3b75e3ddb5aa466e2af8e0168d6cee
SHA1: 24d64c3bda8be71de299f9001487b9c2e1972335
SHA256: 6170C403243E57157918367067F620D093D552EAD1485E76B2AC190CAC0AA3AC
File Size: 3.61 MB, 3606752 bytes
MD5: fad81a39e7d764a614239168d86139e5
SHA1: f573933ae37ea1bfee57d1caa4a7c4a519b338a3
SHA256: 4B744136D1D0492F22CBA29033C55A3DD37E1A721C8E175FBFB39A1D38F8EFF1
File Size: 151.03 KB, 151027 bytes
MD5: 810c6b9820cb07a1d64891d5faba6cb1
SHA1: 1088bd6336c80de5a569b67f0212605180c564fb
SHA256: D8ED2E4AF02927CD667AAF0ABACD54259924E084F6923F97E4047C9C8499A903
File Size: 1.39 MB, 1387816 bytes
MD5: 0d13a3a3254923c42ff09d413f7ee0e5
SHA1: 63754eb17cf586875f313791135fe1ce869a21d6
SHA256: 069F2525FEFD9506D2166DB30422131CC3DD6E0740142E62C328D612C5696E71
File Size: 719.77 KB, 719768 bytes
MD5: 094f864e10a9161e1bba528c0fef1285
SHA1: 772e01e64a1dd60f19b797ba527855cec49b7873
SHA256: 8AD230C4A95A2A4F9DAC7300E59459CEC335461936F20FDE8067F239958BBC9F
File Size: 134.09 KB, 134087 bytes
MD5: 2fd60a2e0100817fb311a9a7a7818839
SHA1: feac6b3c1b64607ed3e9593865fcf2df971a1c78
SHA256: 3F25D2BEC6E870D0E93FE5DF3175289FFF939E93419205F1397C52BF1C6535C3
File Size: 218.95 KB, 218951 bytes
MD5: ae2fb1ea144fa33f95f40f0ca50da041
SHA1: 2c640f87531d2b6c604afff843ae1ef5ef5fd3c3
SHA256: BFE686A53E26702CA1C6972AEA5766650E574C58AC22E68BF135331941A3CF7E
File Size: 270.51 KB, 270511 bytes
MD5: 2873c812ad242d9769193d99a68cdd5d
SHA1: 890b6e1466e38f27ba3d760ea6aac07160d48b58
SHA256: A120625E7D631F5A796A006DB00B20A4E4941BE620AD14FB9865347B3D3B9D98
File Size: 230.83 KB, 230830 bytes
MD5: eb5a6aa86fd5f3339ef0f81a9f37dca0
SHA1: 859e83cc6012f446fff2da7be47a39271562761c
SHA256: 781BAE42A189023168446678F46BA22DBB5054B3CC7AD328D37C6C3027D55F57
File Size: 3.06 MB, 3055837 bytes
MD5: ba2a5ecf04a62a231bb5c7bd6aa1036d
SHA1: ac97c54f1759294d4988e3510f628f335afe91e2
SHA256: F25B54A718022B104B61A9B75032A8FD9203417A928DCDFE45B23BBA89B2CED9
File Size: 680.90 KB, 680903 bytes
MD5: 790ae9028c19a5d7a7e177e48a1159c1
SHA1: 74cc4521c278f1b7987bed8282e72b251498f69e
SHA256: 097F6A4FDA10468C22626B8CF74804023ED4B78A125E4CFED52F4CA4DCE74096
File Size: 847.63 KB, 847629 bytes
MD5: dba3b48660f7ebfa570e04f975270bb0
SHA1: 01efb2ba2ee2d1f4e5b5f8753f79de323d4d1bae
SHA256: 17091023689B26DE4B6B72FB360836DCEF69C70BAACF965CB3205D13288787CB
File Size: 719.77 KB, 719768 bytes
MD5: 21fb1eb1cda734d2ea95a06d00d1f3c4
SHA1: 5c9583a2fbe838582885d25de7019311aaf303b9
SHA256: 51B3A0E134BF9CE6EDD0381E38A22CFD91C7AE5AA6D11B1A6C6E6C229ECA584F
File Size: 41.47 KB, 41472 bytes
MD5: e245922ef9d0b998e07b3677c2a22096
SHA1: f89ba91e712ffbd473794d1e2eaf590af1ed2caf
SHA256: 12FA19AE4CDE2A0ECEA5E880F59A388FC4FB0CA2EA8AA05A388CF57831DB29F9
File Size: 801.24 KB, 801235 bytes
MD5: 4968710b8815823abb94601456d16d97
SHA1: 4e5b380961ef337827a7f15af6b342b97bfb1ede
SHA256: 4B62D3FD31FBC44EDA026F29FF0D976A9EACA7132F3EC3D11F2A6D65C53D8B5A
File Size: 719.77 KB, 719768 bytes
MD5: f6efca1114ea6fb2d688ce7e7af9c147
SHA1: afa8f19a9bad61df549a5c6fb10d3210fa0208f4
SHA256: E67502A42C195D9D65F7FC3B3E2D1FD4704F065BF32A20C069336CC0D55088C7
File Size: 5.83 MB, 5825680 bytes
MD5: 676c9ddcad92a558388c8ee4effc8261
SHA1: c65a14297557e5e0b273de0d840ff73d6940d755
SHA256: 956BFC89CF5F7419C5D67587A864934835711A1C581CA7397F4790FC3A63C261
File Size: 787.40 KB, 787399 bytes
MD5: 8d7ad44ac640c85e7f59e95f4eb63c08
SHA1: 0d45b1bec46bb42e9648b751f3ed2e7e30d5f984
SHA256: D2E288431617B200C279314C78094C272A81241815CB75025129439C045C83DA
File Size: 1.53 MB, 1525457 bytes
MD5: d174b6b4e118ff12f66710d467c17a94
SHA1: f1279be8a920ddd1376e05e41e41a0b85d71b926
SHA256: 6C28A3542BDBD7CEF57FA1538F43CFD472E435042140DDF7C01217B7949F7E58
File Size: 332.44 KB, 332443 bytes
MD5: b2ea21ba72c723ae64609738b11c4957
SHA1: f230016c72351743a959b72ff38711b3c13899c4
SHA256: 1D1B388A0235F7F499EAF92CA57AF1D0640DEC873749528F4A1D19F32F54FB49
File Size: 6.10 MB, 6104007 bytes
MD5: f52d27360feb24c1b68e424d596def83
SHA1: cb2662a7f1d2757d9ab9969d718e08b35c8a0a48
SHA256: E8D7DBABF58B077CC3DE3CE7AAA55E7C787DC759AABD54B3CB38ECA87104306A
File Size: 1.08 MB, 1075008 bytes
MD5: 667ae7f2b141fb4f1b108ae9fcb36589
SHA1: d965096bdf9b2a1a6db6d9072fa5ca12ec5ce90a
SHA256: 6DE7B8B7852654C138D8F72052F28787CA88705BF96A1B716CDEC06A74211570
File Size: 1.53 MB, 1525457 bytes
MD5: 209425dd928d63d70510f30294f9c4f8
SHA1: f599b08ad6b0ac69a43186566a9c85532e20d922
SHA256: 7005169795036212A63D789400929BB48DED27482568CCA87D3F56191837A97C
File Size: 2.45 MB, 2447303 bytes
MD5: 7570c12afd6c9bc94699c762cb9d5a71
SHA1: db409623598a68021336c73985e1eb3996eaf3bb
SHA256: 0F1FE03723C2C39E9A447C0E452F5DC5738D37506885C766FE121615FC5B86D2
File Size: 7.80 MB, 7798280 bytes
MD5: 1751142e508e99e6925bd6fe0b8f1e68
SHA1: 7ec8a05b6ddefbce7ac2aa504650d9d145c8dbe4
SHA256: 0B6DFB6B2318F3C900F5BA84B6D676E0DCABACFCD6C706FA3350DE86CA3EF13E
File Size: 315.33 KB, 315335 bytes
MD5: 73802ef3d5809127346991da7cb7cb97
SHA1: 5a3ebf8b67a5835e4cb47896541bf7470ddd9700
SHA256: 86609F6D36C42345965EB59ECB58200DBF29A246C50BDD5335C2D70D9612D7EE
File Size: 2.86 MB, 2861744 bytes
MD5: 701491dc30d883c2e91093ee411c6f03
SHA1: e677f5d4554e86c597f9e3a9526f818bdb0d40a1
SHA256: 0DE81A181FBC01CFC406134CC2B333EF9E9B4833B2D06FDA96A27A746C4F1F42
File Size: 1.85 MB, 1847751 bytes
MD5: 669befd9d18665c4370c1d9c5bedf3cc
SHA1: 5a98c1ab2f8ecddd243b0e378eda43eb3b577b59
SHA256: 687215D47C542B78A792BE80E11ABA3106663218722727D105E633122CDA7281
File Size: 114.63 KB, 114631 bytes
MD5: 0e25fc5c5a2d867383c8a7ea3eda231f
SHA1: 645ea8113bbde9b419d11293c1b5406cb511f9d0
SHA256: 68037EE0C1ECC54C54CD4D2D6E27205502EB01F9BBC7207DA8033ACFA82A3FF8
File Size: 6.09 MB, 6092231 bytes
MD5: b5583633f9478af281acf1cefd615705
SHA1: 319710c217c734a5c0daa200d1ba1a64d40ee283
SHA256: E473B1D80CAD40F0D7537532A90AB35A6815B87B21828049D6475F492F49B440
File Size: 2.17 MB, 2168775 bytes
MD5: f70441787bae0395897e158df51d62c8
SHA1: 652a788064737273c032d0bc2052657319c727d3
SHA256: 929ED0DDFF176023F33014A1FDC68D559B6ABAC547E99BDE72140F60B6C39042
File Size: 1.85 MB, 1850107 bytes
MD5: 43409892857e93d4635fbd0726b6a20b
SHA1: e97b2d3e96d6168bbb59171dd5d0d9800d8e6d1c
SHA256: 90D4BBAFD9FDB311D0A47FE2869CAB48BC4BD641AE2A55642081E3B1546FD909
File Size: 6.10 MB, 6104007 bytes
MD5: 8d45c6fde699db58ded981190701061a
SHA1: ff3ac3382bd8c40ea9b8a5d960ef77d53582361c
SHA256: A2972381A2758A1D0E1482D451D2AE10C439E7BF2ABE50E6FF8DA0F58AF6E143
File Size: 527.30 KB, 527303 bytes
MD5: 92b34dff3d47ca533a1e1ae29d7ba08e
SHA1: ccf09be46167dab6540e0158ac917f0fc86bdca0
SHA256: 0A873B9368D39B908559CB2F6CBBA40F2A27195772F682A26AD8CDA1ECDC62FF
File Size: 680.90 KB, 680903 bytes
MD5: 17a0cc6288c80c16ea7e0e6082474caa
SHA1: bf4f4a0b3b0ff477183ccf73cad237b2d5d2e595
SHA256: 515BA292A6542CE9CB49DD76E118CC311AD78F863B9A5A0AE255E6B8A3B1734D
File Size: 4.43 MB, 4428931 bytes
MD5: 0333d64ea47cbacd4355d17f55964133
SHA1: cd10ffe8791dda411b4c01f039cb90aac6030520
SHA256: 2267D9E7C351D7D8845F03BE6FE8911FE20980F467A18343156524367377788F
File Size: 763.85 KB, 763847 bytes
MD5: 932129810ed2bd947cd4d090a9fe0f12
SHA1: 36e744679a0d16311af57b122b0cd627e14ca303
SHA256: 5CDDF95688E7E6F94F2B0E3033B7F872C6BC895ADF1D096842AC403B69560A40
File Size: 2.13 MB, 2127815 bytes
MD5: f2527f57fa89ad003aecc8d692bbdbd0
SHA1: e32ec0c53edeae42452b2ebc9d1022bb2e3c5e66
SHA256: B7E595BA20A66532CA0B9423D97D065BACEE0B41199479DFABF8C5AFFE58D09F
File Size: 266.52 KB, 266519 bytes
MD5: cfc63b98e2491f6b531ddebf843295f5
SHA1: 9d962a480f809eab2de732aa18355cca032f3dbd
SHA256: A3107ECB38E0CEA5D8E9340F6A3B9DF9033618169CA919168340B1E2DEC2DA81
File Size: 6.93 MB, 6932878 bytes
MD5: 0d18ec4c2800a3f79bee51289f3b2f84
SHA1: 3fc6c9325f86487b7f551a8459e8daa61678a1b8
SHA256: 336E0545E615A7384532053B0C59A9C8992EBF6A69EE7033F0DA020FF7A9105A
File Size: 129.48 KB, 129479 bytes
MD5: 70df73df180236185eedce15dfe4d718
SHA1: 15f2251a0130ade269bad2363ec5bd349d1463c0
SHA256: 88B5B6828C6177F5520BF2FFB9B1E0E8370870352573C3E9DA56AF04011D8EF1
File Size: 573.89 KB, 573895 bytes
MD5: 95985b00a23a35b7b6c0a42725a88ec7
SHA1: 348e931905d3d9ecf69299fe4604e4a2e8cc876f
SHA256: 9004A311243EF622FF71E0DEDCB64C67F351F9EEB4D9A0F341201A41B98418FA
File Size: 4.73 MB, 4731335 bytes
MD5: a19176359b836005e8e820f970bead26
SHA1: 1e49a7adf3f49ca208b9da28f93bbc8a57442abe
SHA256: B6E32D1959E2C2D352EF7598292D758E9C96B80BE0E19F69B2F56077DEE226D2
File Size: 6.10 MB, 6104519 bytes
MD5: 42f632e7237db2d88f13378e3a27d9d7
SHA1: 71c70334ac7039ea57ca0d8a0c8b07398f39837f
SHA256: A999CA4785BA54C35377AA485887267396D7BDABEA5D40465D4F14F3ACAC3FF9
File Size: 910.28 KB, 910279 bytes
MD5: ef72e8f65f94260efe814b6e34a2d7bf
SHA1: ed43c532ea4531919754fc2f8c75f5e11e82feab
SHA256: 462B36298FDB736964B72683F4E0FC983AB677BE2A505FC498ED7654ED01CAD2
File Size: 6.11 MB, 6107591 bytes
MD5: 9b6ab30f167d19c85d49825bd066f08d
SHA1: dc968029ee51f9fd0005895cb26f49847dceadd1
SHA256: 2964EB65A60244DF5F10D2A54DDD2EF4221124D1660C41F793F6131D14599EA8
File Size: 3.25 MB, 3251143 bytes
MD5: bd184925a255ef821b4526d1829f1f7b
SHA1: 78cd595479fff4cf83ad42255c7fceb6cba5d629
SHA256: A65D37C12A0299B6D22ED0F4407B4B289A437696D39B69C23509856DE3FDB9BF
File Size: 3.42 MB, 3421639 bytes
MD5: 1cde08c717c033f983397b623ecbdf04
SHA1: f4f64287a51449a696e5715e2388a535a3b12ba4
SHA256: 54C2FCCF3EA160F9FBA15901DDB139B9475E524052647B2B93D22F69CC8C2F1B
File Size: 211.40 KB, 211399 bytes
MD5: 1431e420f8524c68bb4e57ff5eff49d9
SHA1: 9a98afb6ba534309c7081723571009ba640fb3a8
SHA256: D1437BF8DDF195DC82C8223F020F373BE059B25BF4F59076D0B77076B19ABEFF
File Size: 631.09 KB, 631090 bytes
MD5: 336c2680812f64032847a863e10c9258
SHA1: 7cb7f640e7d9b40584af05af14c81e4fdfa77acf
SHA256: 46877B56B61F07CDF1A82287ECF4C748FB8326F70407BD3F1DB30A87B47BA627
File Size: 271.30 KB, 271303 bytes
MD5: bf4064655231f4ef2923ee76636b6563
SHA1: cff7c507c58c0ae0aac2b53118f25eaf5360703a
SHA256: 78AC12681EADDB59229F9BF8A603891F221103715111810CFD726161C0A15C57
File Size: 161.74 KB, 161735 bytes
MD5: ca79ca98c2cba9648efada3692dc8b01
SHA1: 6b7d33a4e1127cf9426dd1ebadc83b3d23e28a01
SHA256: 6F90A3CAAABC6469654BB081127EC284E83610A626E9CE14BE3B8F8DE1CC7C4B
File Size: 161.74 KB, 161735 bytes
MD5: f1b1124246329a006b37a3b54b54197d
SHA1: 3bf4bec539d3604ebd7f319d47d48038cf0fd6ef
SHA256: 1F64A1F24AC352BBB578F9966E3CD01F7E4DAAE25AFD5C3BD3CD2949B84F5DD8
File Size: 630.41 KB, 630415 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have resources
  • File doesn't have security information
  • File has been packed
  • File has exports table
  • File has TLS information
  • File is 32-bit executable
Show More
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Show More

172 additional icons are not displayed above.

Windows PE Version Information

Name Value
Authors tittoproject - winPenPack Team & winPenPack community
Comments
  • Creado por XPyro - X' Portables - Mejorando el mañana
  • hdl_dump - Windows-based game installer for Open PS2 Loader Wizard of 0z (AKA b...) w1zard0f07@yahoo.com revisited by AKuHAK https://github.com/ps2homebrew/hdl-dump
  • http://www.internetdownloadmanager.com
  • Inno Setup home page: http://www.innosetup.com
  • microsoft
  • Modified by an unpaid evaluation copy of Resource Tuner 2. http://www.heaventools.com
  • RuntimePack x86/x64
  • This installation was built with Inno Setup.
  • This installation was built with InstallAware: http://www.installaware.com
  • Winaero Tweaker 32bit support process
Show More
  • X-Launcher allows you to change at will the options for initiating programs undertaken in order to make them portable.
Company Name
  • AdAvoid Ltd.
  • AKuHAK https://github.com/AKuHAK/hdl-dump w1zard0f07@yahoo.com
  • ASSAYYED
  • Bils
  • Blue Marble Geographics
  • BonSoft
  • DSDCS
  • EternalCast
  • funhacker's EO Pserver Apps
  • http://jameszero.net
Show More
  • http://winaero.com
  • http://www.xportables.co.cc/
  • Igor Pavlov
  • Intel Corporation
  • Jordan Russell
  • Kerish Products
  • KLCP
  • Lenovo
  • LibUSB-Win32
  • MediaTek
  • microsoft
  • Microsoft
  • Mozilla Corporation
  • PDFLogic Corporation
  • Power Software Ltd
  • QUALCOMM, Inc.
  • Samsung Electronics Co., Ltd.
  • SaT-Dz TeaM
  • Spreadtrum Communications Inc.
  • Tonec Inc.
  • UNISOC Communications INC.
  • Vetronix Corp.
  • www.SamLab.ws
  • www.winpenpack.com
  • ZaraSoft
Compile Date 2020oct05
Compiled Script
  • AutoIt v3 Script : 3, 2, 12, 1
  • AutoIt v3 Script: 3, 3, 8, 1
File Description
  • 7-Zip Installer
  • AdBlocker Ultimate
  • ALi.Hassani.DD
  • A Program To Edit All Android Components
  • ClocX
  • CmdDloader
  • Creates an SQL script from your NPC.ini which will translate you
  • Delayed launcher
  • dll loader
  • DriverSetup
Show More
  • Dz-LZMA Tool
  • EternalCast
  • Everything
  • Firefox Helper
  • Global Mapper 26.1 64-bit
  • hdl_dump - Windows-based game installer for Open PS2 Loader
  • Identification Service - 01234567890123456789
  • Inno Setup Uninstaller
  • Internet Download Manager (IDM)
  • Kerish Doctor
  • LenovoUsbDriver
  • LibUSB-Win32 Setup
  • Mozilla Maintenance Service Installer
  • PC Equalizer 1.3.2.1 Installation
  • PDF Reader for Windows 7 Setup
  • PowerISO Setup
  • qcmtusvc
  • RuntimePack Lite x86/x64
  • Screen Saver Installer
  • Setup/Uninstall
  • Snappy Driver Installer
  • This installer database contains the logic and data required to install InputMapper.
  • UltraISO Premium
  • Winaero Tweaker 32bit support process
  • winPenPack X-Firefox Launcher
  • WinSFX32M Self Extractor for Win32
  • ZaraRadio Setup
File Version
  • PDF Reader for Windo
  • 2021.1.17.0
  • 115.29.0
  • 115.28.0
  • 115.12.0
  • 51.1052.0.0
  • 51.52.0.0
  • 51.5.0.0
  • 26.10.0000
  • 22, 19, 13, 2
Show More
  • 19.00
  • 17.3.14
  • 9.3.6.2750
  • 8.1.0.0
  • 7.7.0.0
  • 6, 42, 58, 3
  • 6, 42, 58, 2
  • 6, 42, 50, 2
  • 6, 42, 19, 2
  • 4.85.0.0
  • 3.58.0.0
  • 3.8.4.0
  • 3.6.3
  • 3, 3, 8, 1
  • 3, 2, 12, 1
  • 2.71.2.11
  • 2.4.73.82
  • 2, 0, 0, 49
  • 1.20 1.20.0
  • 1.12.44.1
  • 1.6.10.19991
  • 1.6.2.0
  • 1.6.0.0
  • 1.5.4
  • 1.3.2.1
  • 1.2.6.0
  • 1.1.33
  • 1.1.0.0
  • 1.02.0057
  • 1.00
  • 1.0.2.3
  • 1.0.0.0
  • 1, 19, 32, 1
  • 1,8,2,0
  • 1, 2, 1, 371
  • 1, 0, 0, 1
  • 1,0,0,0
  • 0, 9, 2, 0
Internal Date 27071500
Internal Name
  • 7zipInstall
  • al
  • ALi.Hassani.DD.exe
  • ClocX
  • CmdDloader
  • DriverSetup
  • Dz-LZMA Tool
  • EternalCast.exe
  • Everything
  • hdl_dump
Show More
  • Identification Service
  • InputMapper
  • Internet Download Manager
  • Kitchen
  • LaunchDelay
  • qcmtusvc
  • RuntimePack.exe
  • TJprojMain
  • Win
  • winaerotweakerhelper.exe
  • WINSFX32M
  • X-Firefox
Legal Copyright
  • (C)Micco 1997-2001 All rights reserved.
  • (c) Samsung Electronics. All rights reserved.
  • 2015 http://winaero.com
  • ASSAYYED: © xda-developers.com
  • Bils
  • Contact: geohelp@bluemarblegeo.com
  • Copyright (C) 1998-2001 Jordan Russell
  • Copyright (c) 1999-2018 Igor Pavlov
  • Copyright(c) 2004-2020
  • Copyright(c) 2004-2021
Show More
  • Copyright (c) 2005 - 2014 Vetronix Corp. All rights reserved.
  • Copyright (C) 2005-2008 David Carpenter
  • Copyright (C) 2013
  • Copyright (C) 2016 - 2019 Spreadtrum Communications INC.
  • Copyright (C) 2016 DSDCS
  • Copyright (C) 2019 UNISOC Communications INC.
  • Copyright (C) 2024 Industrial Contracting LLC
  • Copyright (c) AdAvoid Ltd. All rights reserved.
  • Copyright (C) Lenovo Corporation. All rights reserved.
  • Copyright (C) QUALCOMM, Inc.
  • Copyright 2004 ScreenTime Media. All Rights Rsvrd.
  • Copyright 2011, Intel Corporation
  • Copyright © 2005-2021 PDFLogic Corporation
  • GNU General Public License
  • GNU GPL v3
  • http://jameszero.net
  • Kerish Products 2005-2021. All rights reserved.
  • microsoft compiler
  • Mozilla Corporation
  • SaT-Dz TeaM
  • Shannon Talbot
  • Tonec FZE, Copyright © 1999 - 2024
  • Tonec FZE, Copyright © 1999 - 2025
  • X' Portables
  • © 2004, 2005, 2006, 2007 Wizard of 0z, 2012, 2013 AKuHAK
Legal Trademarks
  • Credits goes for Sony and the creators of HD Loader. Remember guys, you're the one, that opened Pandora's box.
  • Firefox is a Trademark of The Mozilla Foundation.
  • http://jameszero.net
  • http://winaero.com
  • Intel Corporation
  • Internet Download Manager
  • SaT-Dz TeaM
  • ScreenTime is a registered trademark of ScreenTime Media.
  • winPenPack
Original File Name InputMapper.aiui
Original Filename
  • 7zipInstall.exe
  • al.exe
  • ALi.Hassani.DD.exe
  • ClocX.exe
  • CmdDloader.exe
  • DriverSetup.exe
  • Dz-LZMA Tool
  • EternalCast.exe
  • Everything.exe
  • hdl_dump.exe
Show More
  • helper.exe
  • IDMan.exe
  • LaunchDelay.exe
  • LZHSFX32.EXE
  • maintenanceservice_installer.exe
  • qcmtusvc.exe
  • RuntimePack.exe
  • SDI_1.20.0.exe
  • TJprojMain.exe
  • vci-ident.exe
  • Win.exe
  • winaerotweakerhelper.exe
  • X-Firefox.exe
Private Build 14.03.2017
Product Group 01234567890123456789
Product Name
  • 7-Zip
  • AdBlocker Ultimate
  • Android Editor
  • ClocX Application
  • CmdDloader
  • Delayed launcher
  • DriverSetup
  • EternalCast
  • Everything
  • Firefox
Show More
  • Global Mapper 26.1 64-bit
  • hdl_dump
  • Identification Service
  • InputMapper
  • Internet Download Manager (IDM)
  • K-Lite Codec Pack
  • Kerish Doctor
  • LenovoUsbDriver 1.1.33
  • LibUSB-Win32
  • MediaTek Log Installer
  • microsoft dll loader
  • NPC Translator
  • NVR
  • Odin Downloader
  • PDF Reader for Windows
  • PowerISO Setup
  • Project1
  • QUALCOMM qcmtusvc
  • RuntimePack x86/x64
  • SaT-Dz TeaM
  • ScreenTime for Flash
  • Snappy Driver Installer
  • UltraISO Premium
  • Win
  • Winaero Tweaker Helper
  • winPenPack X-Firefox
  • WinSFX32M for Win32
Product Version
  • Unlimited
  • PDF Reader for Windo
  • Ini Rev 8
  • 2021
  • 115.29.0
  • 115.28.0
  • 115.12.0
  • 26.10.0000
  • 22, 19, 13, 2
  • 19.1.5
Show More
  • 19.00
  • 17.3.14
  • 9.3.6.2750
  • 8.1.0.0
  • 7.7.0.0
  • 6, 42, 58, 3
  • 6, 42, 58, 2
  • 6, 42, 50, 2
  • 6, 42, 19, 2
  • 4.85.0.0
  • 3.58.0.0
  • 3.6.3
  • 2.71.2.11
  • 2.4.73.82
  • 2, 0, 0, 49
  • 1.20.0
  • 1.8.2.0
  • 1.6.10.19991
  • 1.6.0.0
  • 1.2.6.0
  • 1.1.33
  • 1.02.0057
  • 1.00
  • 1.0.2.3
  • 1.0.0.0
  • 1.0
  • 1, 19, 32, 1
  • 1, 2, 1, 371
  • 1, 0, 0, 1
  • 1,0,0,0
  • 0, 9, 2, 0
Products 0123456789012345678901234567890123456789
Program I D com.embarcadero.AdblockerUltimateGUI
Special Build
  • command-line
  • http://jameszero.net
E Mail winpenpack@gmail.com

Digital Signatures

Signer Root Status
Mozilla Corporation DigiCert Assured ID Root CA Hash Mismatch
Mozilla Corporation DigiCert Trusted Root G4 Hash Mismatch
Mozilla Corporation Thawte Premium Server CA Hash Mismatch

File Traits

  • .adata
  • 00 section
  • 2+ executable sections
  • 7-zip (In Overlay)
  • 7-zip Installer
  • 7-zip SFX
  • 7zSFX
  • AdvInst
  • Autoit
  • big overlay
Show More
  • CryptUnprotectData
  • GetConsoleWindow
  • HighEntropy
  • imgui
  • Inno
  • InnoSetup Installer
  • Installer Manifest
  • Installer Version
  • No CryptProtectData
  • nosig nsis
  • No Version Info
  • ntdll
  • Nullsoft Installer
  • packed
  • RAR (In Overlay)
  • RARinO
  • SIM
  • upx
  • UPX!
  • vb6
  • VirtualQueryEx
  • WinRAR SFX
  • WinZip SFX
  • WRARSFX
  • WriteProcessMemory
  • x86
  • ZIP (In Overlay)
  • ZIPinO
  • zlib (In Overlay)
  • zlib overlay

Block Information

Similar Families

  • Agent.DJB
  • Agent.GDSG
  • Agent.TRB
  • Agent.TRC
  • Agent.WO
Show More
  • Ahead.B
  • Autoit
  • BadJoke.XA
  • Banker.YC
  • CheatEngine.A
  • Chuyun.A
  • DarkGate.B
  • Downloader.Agent.XE
  • Dropper.Delf.C
  • Dropper.Delf.CF
  • Expiro.IE
  • Farfli.KB
  • Floxif.E
  • GandCrab.BM
  • Goldrv.A
  • Injector.AJA
  • Injector.GPB
  • Injector.ISA
  • Injector.KPD
  • Keylogger.XA
  • Kryptik.KABL
  • Kryptik.KBBJ
  • Kryptik.KBD
  • Kryptik.KBH
  • Kryptik.KBP
  • Kryptik.REA
  • Kryptik.REC
  • KuwanBar.B
  • Lumma.GFD
  • Lumma.XC
  • Marte.W
  • Morto.B
  • Mulinex.C
  • PornTool.B
  • Rozena.FGB
  • Rozena.XAC
  • Rozena.XAE
  • Rugmi.IA
  • ShellcodeRunner.YC
  • Sheloader.A
  • Softcnapp.N
  • Stealer.BPE
  • Sybici.A
  • Votos.A

Files Modified

File Attributes
\device\namedpipe Generic Read,Write Attributes
\device\namedpipe Generic Write,Read Attributes
\device\namedpipe\dav rpc service Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\wkssvc Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\polisoftware Synchronize,Write Attributes
c:\polisoftware\nfe Synchronize,Write Attributes
c:\polisoftware\nfe\__tmp_rar_sfx_access_check_84796 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files (x86)\istar Synchronize,Write Attributes
c:\program files (x86)\istar\__tmp_rar_sfx_access_check_25890 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files (x86)\istar\iformat.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
Show More
c:\program files (x86)\istar\iformat.exe Synchronize,Write Attributes
c:\program files (x86)\istar\ipclock.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files (x86)\istar\ipclock.exe Synchronize,Write Attributes
c:\program files (x86)\istar\star.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files (x86)\istar\star.exe Synchronize,Write Attributes
c:\program files (x86)\microsoft\edgeupdate\1.3.207.5\msedgeupdate.dll Synchronize,Write Attributes
c:\program files (x86)\microsoft\edgeupdate\1.3.207.5\msedgeupdate.dll Synchronize,Write Data
c:\program files (x86)\microsoft\edgeupdate\1.3.207.5\msedgeupdate.dll.dat Synchronize,Write Data
c:\program files (x86)\microsoft\edgeupdate\1.3.207.5\msedgeupdate.dll.tmp Generic Write,Read Attributes
c:\program files (x86)\microsoft\edgeupdate\1.3.213.7\msedgeupdate.dll Synchronize,Write Attributes
c:\program files (x86)\microsoft\edgeupdate\1.3.213.7\msedgeupdate.dll Synchronize,Write Data
c:\program files (x86)\microsoft\edgeupdate\1.3.213.7\msedgeupdate.dll.dat Synchronize,Write Data
c:\program files (x86)\microsoft\edgeupdate\1.3.213.7\msedgeupdate.dll.tmp Generic Write,Read Attributes
c:\program files (x86)\microsoft\edgeupdate\1.3.215.9\msedgeupdate.dll Synchronize,Write Attributes
c:\program files (x86)\microsoft\edgeupdate\1.3.215.9\msedgeupdate.dll Synchronize,Write Data
c:\program files (x86)\microsoft\edgeupdate\1.3.215.9\msedgeupdate.dll.dat Synchronize,Write Data
c:\program files (x86)\microsoft\edgeupdate\1.3.215.9\msedgeupdate.dll.tmp Generic Write,Read Attributes
c:\program files (x86)\mozilla maintenance service\uninstall.exe Generic Write,Read Attributes
c:\program files (x86)\windows defender\mpoav.dll Synchronize,Write Attributes
c:\program files (x86)\windows defender\mpoav.dll Synchronize,Write Data
c:\program files (x86)\windows defender\mpoav.dll.dat Synchronize,Write Data
c:\program files (x86)\windows defender\mpoav.dll.tmp Generic Write,Read Attributes
c:\program files\common files\system\symsrv.dll Generic Write,Read Attributes
c:\program files\common files\system\symsrv.dll.000 Generic Write,Read Attributes
c:\programdata\servecas.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\programdata\servecas.exe.ini Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\sandbox_live\injected-win32.dll Synchronize,Write Attributes
c:\sandbox_live\injected-win32.dll Synchronize,Write Data
c:\sandbox_live\injected-win32.dll.dat Synchronize,Write Data
c:\sandbox_live\injected-win32.dll.tmp Generic Write,Read Attributes
c:\sandbox_live\shsandbox32.exe Synchronize,Write Attributes
c:\sandbox_live\shsandbox32.exe Synchronize,Write Data
c:\sandbox_live\shsandbox32.exe.dat Synchronize,Write Data
c:\sandbox_live\shsandbox32.exe.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\microsoft\windows\explorer\iconcache_16.db Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\explorer\iconcache_32.db Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\explorer\iconcache_idx.db Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\$inst\2.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\$inst\4.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\$inst\4.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\$inst\4.tmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\$inst\5.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\$inst\5.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\$inst\5.tmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\$inst\7.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\$inst\7.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\$inst\7.tmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\$inst\8.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\$inst\8.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\$inst\8.tmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\_mei10682\_ctypes.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei10682\base_library.zip Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei10682\python36.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei10682\select.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei10682\vcruntime140.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei11282\_ctypes.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei11282\base_library.zip Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei11282\python36.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei11282\select.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei11282\vcruntime140.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei2882\_ctypes.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei2882\base_library.zip Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei2882\python36.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei2882\select.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei2882\vcruntime140.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei36162\_ctypes.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei36162\base_library.zip Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei36162\python36.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei36162\select.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei36162\vcruntime140.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei39482\_ctypes.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei39482\base_library.zip Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei39482\python36.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei39482\select.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei39482\vcruntime140.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei51122\_ctypes.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei51122\base_library.zip Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei51122\python36.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei51122\select.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei51122\vcruntime140.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei52042\_ctypes.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei52042\base_library.zip Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei52042\python36.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei52042\select.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei52042\vcruntime140.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei53242\_ctypes.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei53242\base_library.zip Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei53242\python36.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei53242\select.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei53242\vcruntime140.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei53482\_ctypes.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei53482\base_library.zip Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei53482\python36.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei53482\select.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei53482\vcruntime140.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei54562\_ctypes.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei54562\base_library.zip Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei54562\python36.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei54562\select.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei54562\vcruntime140.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei54642\_ctypes.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei54642\base_library.zip Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei54642\python36.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei54642\select.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei54642\vcruntime140.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei60562\_ctypes.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei60562\base_library.zip Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei60562\python36.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei60562\select.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei60562\vcruntime140.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei60682\_ctypes.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei60682\base_library.zip Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei60682\python36.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei60682\select.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei60682\vcruntime140.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei61162\_ctypes.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei61162\base_library.zip Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei61162\python36.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei61162\select.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei61162\vcruntime140.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei61402\_ctypes.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei61402\base_library.zip Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei61402\python36.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei61402\select.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei61402\vcruntime140.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei9202\_ctypes.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei9202\base_library.zip Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei9202\python36.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei9202\select.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei9202\vcruntime140.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\3b1011c17e4.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\3c48e2c17fc.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\3d81d64398.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\3da4aa02310.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\3eaaa50468.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\3ff2133417a8.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\411b147013f8.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\424417c4e20.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\436ce841454.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\44862301230.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\44c415d014cc.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\45fd82014e4.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\47455f8120.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\487de5842c.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\49a611e8f6c.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\4a6215181258.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\4adf123c17b4.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\4aeb7a4140c.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\4c1714dc1550.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\4d4010b41558.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\4e6916f8368.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\513c161c15e0.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\514714a41128.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\5285171816d8.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\52de41817dc.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\53fc175c1714.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\549d17f814f0.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\567c17b41768.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\589f15c41530.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\5a35168c1644.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\5b1011841188.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\61241d701fe0.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\635df8c14c0.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\63da170416bc.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\66d81d9c1ea8.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\6bba17f41770.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\7228e81458.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\8f6181c1060.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\a3faef82a4.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\a7071c7816e0.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\a8bd11fc172c.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\aaffbc8938.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a1d26e2\d25a12901b00.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\aut570a.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\aut67d3.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\aut6822.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\aut68af.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-ct4c0.tmp\is-qmfue.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsc6c0a.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsca8ce.tmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsca8ce.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsca8ce.tmp\system.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsd54af.tmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsd54af.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsd54af.tmp\system.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsh52b6.tmp\nsexec.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsh52b6.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsh6c2a.tmp\modern-wizard.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsh6c2a.tmp\nsdialogs.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsh6c2a.tmp\system.dll Generic Write,Read Attributes

59 additional files are not displayed above.

Registry Modifications

Key::Value Data API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe ⷹǛ RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\content::cacheprefix RegNtPreCreateKey
Show More
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\cookies::cacheprefix Cookie: RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\history::cacheprefix Visited: RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKCU\software\easyboot systems\ultraiso\5.0::language 4 RegNtPreCreateKey
HKCU\software\easyboot systems\ultraiso\5.0::registration RegNtPreCreateKey
HKCU\software\easyboot systems\ultraiso\5.0::username XPyro RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows nt\currentversion\windows::appinit_dlls C:\PROGRA~1\COMMON~1\System\symsrv.dll RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows nt\currentversion\windows::loadappinit_dlls  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows nt\currentversion\windows::requiresignedappinit_dlls RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Lkuoevoc\AppData\Local\Temp\~nsu.tmp\Au_.exe RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Lkuoevoc\AppData\Local\Temp\~nsu.tmp\Au_.exe\??\C:\Users\Lkuoevoc\AppData\Local\Temp\~nsu.tmp RegNtPreCreateKey
HKCU\software\winrar sfx::c%%polisoftware%nfe C:\POLISOFTWARE\NFE RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Cfdebdgk\AppData\Local\Temp\~nsu1.tmp RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Cfdebdgk\AppData\Local\Temp\~nsu1.tmp\??\C:\Users\Cfdebdgk\AppData\Local\Temp\~nsu1.tmp\Un.exe RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\uninstall\mozillamaintenanceservice::displayname Mozilla Maintenance Service RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\uninstall\mozillamaintenanceservice::uninstallstring "C:\Program Files (x86)\Mozilla Maintenance Service\uninstall.exe" RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\uninstall\mozillamaintenanceservice::displayicon C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe,0 RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\uninstall\mozillamaintenanceservice::displayversion 115.28.0 RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\uninstall\mozillamaintenanceservice::publisher Mozilla RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\uninstall\mozillamaintenanceservice::comments Mozilla Maintenance Service RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\uninstall\mozillamaintenanceservice::nomodify  RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\uninstall\mozillamaintenanceservice::estimatedsize d RegNtPreCreateKey
HKLM\software\mozilla\maintenanceservice::attempted  RegNtPreCreateKey
HKLM\software\mozilla\maintenanceservice::installed  RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Vjlodldu\AppData\Local\Temp\nsiD27C.tmp\ RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Rxroilvp\AppData\Local\Temp\nsw4E8A.tmp\ RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::regname RmK-FreE RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::regkey 1234-1234-1234-1234-1234-1234-1234-1234-1234-1234-1234567 RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::apppath c:\users\user\downloads\App\KerishDoctor\KerishDoctor.exe RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::installpath c:\users\user\downloads\App\KerishDoctor RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::language Russian.lng RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::instanceid ƶ RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::serverdate !  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::installdate !  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::messagehistory 1;4;27; RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::messagecenter 21,6;4,4;1,3;39,2;27,2; RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::issystemdiskssd RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::lastrecommends 2;11;21;22;25;27;36;37;42; RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::moduleswork RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::realtimemode RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::usekerishcloud  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::version 4.65 RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::globalsettings  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::scheduleruserchanges RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::scantypes  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::scancustomtypes RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::scantrashtypes āāā RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::scantrashcustomtypes āāā RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::helpshowed RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::reportenable  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::clearreport  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::debugmode RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::backupenable  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::clearbackup  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::ignoreremovable  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::tempcontrol  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::scanacpoweronly  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::scanpcidleonly  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::scanfailures  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::failurescanprocesses  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::failurescanservices  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::failurescansettings  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::failurescanassociations  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::failurestate RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::windowsvisit RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::newrecommendtips  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::messagestips  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::reminddiagnostics  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::remindupdate  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::tempcelsius  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::showdailytips  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::tempcheckcpu  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::tempcpuwarning P RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::tempcpucritical Z RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::tempcheckgpu  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::tempgpuwarning P RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::tempgpucritical Z RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::tempcheckdisk  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::tempdiskwarning 2 RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::tempdiskcritical A RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::notifyshow  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::notifyfix  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::notifystartup  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::notifystartupdel RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::notifyservices RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::notifyscheduler RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::notifyupdate  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::notifyrestore  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::notifygamemode  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::notifyaddons RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::notifyblacklist  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::notifyblacklistinterval < RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::notifyalertshowagain RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::notifyalertinterval < RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::notifyautohide  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::playsound  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::soundfix  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::soundstartup  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::soundstartupdel  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::soundservices  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::soundscheduler  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::soundupdate  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::soundrestore  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::soundgamemode  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::soundblacklist  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::socialrecommend RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::asktoolshortcut  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::integrationrecoverydrive RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::integrationrecoveryrecyclebin RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::integrationshredderdelete RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::integrationshredderrecyclebin RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::integrationunlocker RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::integrationappinfo RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::fileshredderused RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::malwareprotect  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::riskwareprotect  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::scansuspicious  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::hostsprotect  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::quarantineenable  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::sysfilesprotect  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::freezeprocesses RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::securitycontrol  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::appvulnerabilitiescheck  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::lastupdate RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::lastscan 30.12.1899 00:00:00 RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::laststart 21.10.2017 14:54:31 RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::updatestatus RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::updatecheck  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::updatenews RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::updatebeta RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::updateproxy RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::proxyadress - RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::proxyport RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::updatemodules āāā RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::deblockerenable  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::deblockerinterval RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::internettitle RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::internettext RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::internetlink RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::showsystemservices RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::serviceslistorientation RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::servicescolumnsort  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::showsystemprocesses RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::showprocessservices RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::processlistorientation  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::processescolumnsort  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::showsystemlocks RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::connectionlistorientation RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::connectioncolumnsort  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::uninstalllistorientation  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::uninstallcolumnsort  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::bigfilesminimumsize  RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::recommendenabled āāāāāāāāāāāāāāāāāāāāāāāā RegNtPreCreateKey
HKLM\software\kerish products\kerish doctor::recommendinvisible RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\uninstall\mozillamaintenanceservice::displayversion 115.29.0 RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Nkbuohrt\AppData\Local\Temp\nsd54AF.tmp\ RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\direct3d\mostrecentapplication::name 24d64c3bda8be71de299f9001487b9c2e1972335_0003606752 RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Windows\SystemTemp\77e37ce0-8214-4414-aced-551c5ae204d7.tmp\??\C:\Windows\SystemTemp\e28eadcf-6ab0-4d8c-8821-7ce9a6aba1 RegNtPreCreateKey
HKCU\software\downloadmanager\idmbi\iexplore::name Internet Explorer RegNtPreCreateKey
HKCU\software\downloadmanager\idmbi\iexplore::int  RegNtPreCreateKey
HKCU\software\downloadmanager\idmbi\msedge::name Microsoft Edge RegNtPreCreateKey
HKCU\software\downloadmanager\idmbi\msedge::int  RegNtPreCreateKey
HKCU\software\downloadmanager\idmbi\firefox::name Mozilla Firefox RegNtPreCreateKey
HKCU\software\downloadmanager\idmbi\firefox::int  RegNtPreCreateKey
HKCU\software\downloadmanager\idmbi\chrome::name Google Chrome RegNtPreCreateKey
HKCU\software\downloadmanager\idmbi\chrome::int  RegNtPreCreateKey
HKCU\software\downloadmanager\idmbi\opera::name Opera RegNtPreCreateKey
HKCU\software\downloadmanager\idmbi\opera::int  RegNtPreCreateKey
HKCU\software\downloadmanager\idmbi\safari::name Apple Safari RegNtPreCreateKey
HKCU\software\downloadmanager\idmbi\safari::int  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing::enableconsoletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enablefiletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enableautofiletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enableconsoletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::filetracingmask ￿ RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::consoletracingmask ￿ RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::maxfilesize  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::filedirectory %windir%\tracing RegNtPreCreateKey
HKCU\software\microsoft\multimedia\drawdib:: 1920x1200x32(bgr 0) 31,31,31,31 RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2\##10.200.31.10#amas::_labelfromdesktopini RegNtPreCreateKey
HKCU\software\bonsoft\319710c217c734a5c0daa200d1ba1a64d40ee283_0002168775::ontop  RegNtPreCreateKey
HKCU\software\bonsoft\319710c217c734a5c0daa200d1ba1a64d40ee283_0002168775::alpha ÿ RegNtPreCreateKey

28 additional registry modifications are not displayed above.

Windows API Usage

Category API
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
  • OutputDebugString
User Data Access
  • GetComputerName
  • GetUserName
  • GetUserObjectInformation
Process Shell Execute
  • CreateProcess
  • ShellExecuteEx
  • WriteConsole
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
Show More
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • win32u.dll!NtGdiAnyLinkedFonts
  • win32u.dll!NtGdiBitBlt
  • win32u.dll!NtGdiCreateBitmap
  • win32u.dll!NtGdiCreateCompatibleBitmap
  • win32u.dll!NtGdiCreateCompatibleDC
  • win32u.dll!NtGdiCreateDIBitmapInternal
  • win32u.dll!NtGdiCreateRectRgn
  • win32u.dll!NtGdiCreateSolidBrush
  • win32u.dll!NtGdiDeleteObjectApp
  • win32u.dll!NtGdiDoPalette
  • win32u.dll!NtGdiDrawStream
  • win32u.dll!NtGdiExtGetObjectW
  • win32u.dll!NtGdiExtTextOutW
  • win32u.dll!NtGdiFontIsLinked
  • win32u.dll!NtGdiGetCharABCWidthsW
  • win32u.dll!NtGdiGetDCDword
  • win32u.dll!NtGdiGetDCforBitmap
  • win32u.dll!NtGdiGetDCObject
  • win32u.dll!NtGdiGetDeviceCaps
  • win32u.dll!NtGdiGetDIBitsInternal
  • win32u.dll!NtGdiGetEntry
  • win32u.dll!NtGdiGetFontData
  • win32u.dll!NtGdiGetGlyphIndicesW
  • win32u.dll!NtGdiGetOutlineTextMetricsInternalW
  • win32u.dll!NtGdiGetRandomRgn
  • win32u.dll!NtGdiGetRealizationInfo
  • win32u.dll!NtGdiGetTextFaceW
  • win32u.dll!NtGdiGetTextMetricsW
  • win32u.dll!NtGdiGetWidthTable
  • win32u.dll!NtGdiHfontCreate
  • win32u.dll!NtGdiIntersectClipRect
  • win32u.dll!NtGdiQueryFontAssocInfo
  • win32u.dll!NtGdiRestoreDC
  • win32u.dll!NtGdiSaveDC
  • win32u.dll!NtGdiSelectBitmap
  • win32u.dll!NtGdiSetDIBitsToDeviceInternal
  • win32u.dll!NtGdiSetLayout
  • win32u.dll!NtGdiStretchDIBitsInternal

61 additional items are not displayed above.

Keyboard Access
  • GetAsyncKeyState
  • GetKeyState
Network Winhttp
  • WinHttpOpen
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ReadProcessMemory
Network Winsock2
  • WSAStartup
  • WSAttemptAutodialName
Other Suspicious
  • AdjustTokenPrivileges
  • SetWindowsHookEx
Service Control
  • OpenSCManager
  • OpenService
  • StartServiceCtrlDispatcher
Network Winsock
  • gethostname

Shell Command Execution

C:\WINDOWS\system32\cmd.exe /c "C:\Users\user\downloads\7315078bc73ee2fe8fd46ee94d18390b61a1177b_0000628073.ini"
UltraISO.exe
"C:\Users\Ejootttb\AppData\Local\Temp\is-CT4C0.tmp\is-QMFUE.tmp" /SL4 $2003C "c:\users\user\downloads\8534d8487a5bf6039cb297610332950bd11eb3c0_0003689370.exe" 3340939 70656
(NULL) C:\Program Files (x86)\iStar\Star.exe
c:\users\user\downloads\e088689658d3cfd5130def2faad24afab5560a11_0003243320 "c:\users\user\downloads\e088689658d3cfd5130def2faad24afab5560a11_0003243320"
Show More
"C:\Users\Lkuoevoc\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=c:\users\user\downloads\
"C:\Users\Cfdebdgk\AppData\Local\Temp\~nsu1.tmp\Un.exe" _?=c:\users\user\downloads\
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" install
"C:\WINDOWS\system32\CMD.EXE" /C "C:\WINDOWS\system32\regsvr32 /s "c:\users\user\downloads\App\Sys32\asycfilt.dll"
"C:\Users\Ayeonqeo\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
WriteConsole: Register Window
WriteConsole: Create Window...
WriteConsole: Create Window ti
WriteConsole: create tray noti
WriteConsole: command_line "c:
WriteConsole: ui_t::create()
WriteConsole: ui_t::on_create(
WriteConsole: db::load
WriteConsole: db::destroy
WriteConsole: load db...
WriteConsole: ui_t::create():
WriteConsole: begin create_db
C:\ProgramData\servecas.exe "del" c:\users\user\downloads\71c70334ac7039ea57ca0d8a0c8b07398f39837f_0000910279
c:\users\user\downloads\bin\MetaGUI.exe
(NULL) C:\Users\Vdpqyjli\AppData\Local\Temp\RarSFX0\KeyboardTest\KeyboardTest.exe
C:\WINDOWS\regedit.exe /s "c:\users\user\downloads\config.reg"
c:\users\user\downloads\DPInst64.exe

Related Posts

Trending

Most Viewed

Loading...