Ghokswa Browser

By GoldSparrow in Adware

Threat Scorecard

Popularity Rank:	226
Threat Level:	10 % (Normal)
Infected Computers:	509,223

First Seen:	November 18, 2015
Last Seen:	April 8, 2026
OS(es) Affected:	Windows

Computer users with Google Chrome as their default Web browser have reported that they have received messages from a different Web browser, noting that instead of Chrome, the Ghokswa Browser was set as their default Web browser. These pop-ups, associated with a published named 'BYSENDA TECHNOLOGIES LIMITED' prompt computer users to install 'BROWSERSERVER.EXE' on their computers. This Web browser, known as the Ghokswa Browser, looks and acts like Google Chrome, but presents different behaviors. The Ghokswa Browser is used to collect the Google login credentials of computer users, monitor their online activities, and expose them to unwanted advertising content. The Ghokswa Browser may change the affected computer's shortcuts, both on the Desktop and the Start Menu. Computer users clicking on these shortcuts expecting to launch Google Chrome will, instead, launch the Ghokswa Browser, often without realizing it because of the resemblance between the Ghokswa Browser and Google Chrome. If the Ghokswa Browser is installed on your computer, remove the Ghokswa Browser at once, perform a full scan of your computer with a reliable security application, and take steps to ensure that your online credentials have not been compromised.

Table of Contents

The Ghokswa Browser has no Connection with Google Chrome

As part of the Ghokswa Browser, this fake version of the Google Chrome Web browser is used to trick inexperienced computer users into thinking that they are using Google Chrome. When computer users are prompted to log into their Google account, they may be giving their login information to the people responsible for the Ghokswa Browser. After the Ghokswa Browser is removed, it is impossible to check and make sure that all shortcuts (including those on the Task Bar, Start Menu and Desktop) direct to Google Chrome rather than to the Ghokswa Browser. Although other versions of this hoax were easy to spot using Task Manager, the executable file and memory process associated with the Ghokswa Browser is still Chrome.exe. However, if one tracks the file down, it is actually in the Ghokswa Browser folder rather than in the usual location for the Google Chrome Web browser. The Ghokswa Browser may be linked to other unwanted software, including a bogus 'unzipper' for managing ZIP or RAR files on Windows.

How the Ghokswa Browser Tactic Works

The main strategy of the Ghokswa Browser is to impersonate the Google Chrome Web browser. There are several ways this may be exploited: if computer users believe that they are using a reputable Web browser like Google Chrome, they may disclose information such as online banking credentials and Google login information. The tactic also may work the other way and the people responsible for the Ghokswa Browser also may use this Web browser to deliver unwanted advertisements or redirections without the need of a PUP or adware because, in this case, the entire Web browser is compromised. Google Chrome will still be on the affected computer; it is not deleted as part of the Ghokswa Browser installation process. However, without alerting the computer user, the affected computer's default Web browser will be changed to the Ghokswa Browser. All relevant shortcuts will be replaced so that they launch the Ghokswa Browser instead of Google Chrome.

Dealing with the Ghokswa Browser

If the Ghokswa Browser has been installed on your computer, the Ghokswa Browser should be uninstalled. It may be necessary to uninstall the Ghokswa Browser manually, as well as delete all files associated with the Ghokswa Browser. Computer users should confirm that all shortcuts effectively lead to Google Chrome again. It may also be necessary to use the Registry Editor to delete all registry key related to this bogus Web browser. PC security researchers recommend performing a full scan of your computer with the help of a reliable security application that is fully up-to-date to ensure that no threat has been installed, either as a result of the Ghokswa Browser or as part of its delivery to your computer.

SpyHunter Detects & Remove Ghokswa Browser

File System Details

Ghokswa Browser may create the following file(s):

Expand All | Collapse All

#	File Name	MD5	Detections Detections: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
1.	uploader.dll	063d0760944aa9feff5a63599183ca1e	1,544
Name: uploader.dll MD5: 063d0760944aa9feff5a63599183ca1e Size: 108.54 KB (108544 bytes) Detections: 1,544 Type: Dynamic link library Path: c:\programdata\microsoft\onedrive\uploader.dll Group: Malware file Last Updated: August 8, 2025
2.	provider.dll	444c6621caed712fafa7fa0afc8c5be7	522
Name: provider.dll MD5: 444c6621caed712fafa7fa0afc8c5be7 Size: 122.88 KB (122880 bytes) Detections: 522 Type: Dynamic link library Path: c:\programdata\microsoft\software\shadow\provider.dll Group: Malware file Last Updated: February 14, 2024
3.	chk.dll	9260fcee39be90620e1f202590c40f97	171
Name: chk.dll MD5: 9260fcee39be90620e1f202590c40f97 Size: 105.47 KB (105472 bytes) Detections: 171 Type: Dynamic link library Path: %ALLUSERSPROFILE%\microsoft onenote\updates\versioncheck\chk.dll Group: Malware file Last Updated: July 21, 2022
4.	Firefox.exe	34d63ff24f0c71b643d229253db1cb2d	143
Name: Firefox.exe MD5: 34d63ff24f0c71b643d229253db1cb2d Size: 494.08 KB (494080 bytes) Detections: 143 Type: Executable File Path: %PROGRAMFILES(x86)%\Firefox Group: Malware file Last Updated: November 23, 2020
5.	appv.dll	79d096f16e7538c2df69f61403b06da8	104
Name: appv.dll MD5: 79d096f16e7538c2df69f61403b06da8 Size: 105.98 KB (105984 bytes) Detections: 104 Type: Dynamic link library Path: c:\programdata\microsoft\app-v\client\appv.dll Group: Malware file Last Updated: June 17, 2025
6.	dbg.dll	51fdc4d5a3f458e10123cbadbf77f4bf	103
Name: dbg.dll MD5: 51fdc4d5a3f458e10123cbadbf77f4bf Size: 109.05 KB (109056 bytes) Detections: 103 Type: Dynamic link library Path: c:\programdata\microsoft\appv\sym\dbg.dll Group: Malware file Last Updated: April 10, 2022
7.	trzBAD6.tmp	4c1c3aaafacc78ee820ca5e98ecf43e4	96
Name: trzBAD6.tmp MD5: 4c1c3aaafacc78ee820ca5e98ecf43e4 Size: 98.45 KB (98456 bytes) Detections: 96 Type: Temporary File Path: C:\Program Files\Firefox\bin\trzBAD6.tmp Group: Malware file Last Updated: March 4, 2022
8.	FirefoxUpdate.exe	afd0c49288860c4e8c61484c24f0fdac	72
Name: FirefoxUpdate.exe MD5: afd0c49288860c4e8c61484c24f0fdac Size: 93.69 KB (93696 bytes) Detections: 72 Type: Executable File Path: C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe Group: Malware file Last Updated: March 10, 2022
9.	9bcb3fab78e80d68be28892ea7ad46c3.msp.dll	77cd97afc91d1e31bd8e2023fab25b90	55
Name: 9bcb3fab78e80d68be28892ea7ad46c3.msp.dll MD5: 77cd97afc91d1e31bd8e2023fab25b90 Size: 105.47 KB (105472 bytes) Detections: 55 Type: Dynamic link library Path: C:\ProgramData\Package Cache\{00C5024D-925C-4E9E-A8E6-F9B84ABE0DA0}\packages\Win81_SDK\9bcb3fab78e80d68be28892ea7ad46c3.msp.dll Group: Malware file Last Updated: December 20, 2021
10.	chkver.dll	f31cccc81416f9cbcf6b78fec1d0a3e9	50
Name: chkver.dll MD5: f31cccc81416f9cbcf6b78fec1d0a3e9 Size: 105.47 KB (105472 bytes) Detections: 50 Type: Dynamic link library Path: %ALLUSERSPROFILE%\Microsoft OneNote\Updates\Version\Check Group: Malware file Last Updated: February 1, 2020
11.	4e29234340aaf3a96ec480c1aad8d179.cab:ad	51fe179e199b04bb3e82558fd5a9183b	33
Name: 4e29234340aaf3a96ec480c1aad8d179.cab:ad MD5: 51fe179e199b04bb3e82558fd5a9183b Size: 107 KB (107008 bytes) Detections: 33 Path: %ALLUSERSPROFILE%\Package Cache\{1FBCBC17-4527-2340-0832-B1D49C41FF67}v10.0.26624\packages\Font\10240 Group: Malware file Last Updated: August 22, 2020
12.	ppcrlconfig617.dll	12699c22a6cd88a31b9cb670c29ceb2b	23
Name: ppcrlconfig617.dll MD5: 12699c22a6cd88a31b9cb670c29ceb2b Size: 117.76 KB (117760 bytes) Detections: 23 Type: Dynamic link library Path: %ALLUSERSPROFILE%\Microsoft\IdentityCRL\production Group: Malware file Last Updated: December 18, 2019
13.	MobileIntellisense.dll	c101020efe777f6badce99a8f152ec77	19
Name: MobileIntellisense.dll MD5: c101020efe777f6badce99a8f152ec77 Size: 104.44 KB (104448 bytes) Detections: 19 Type: Dynamic link library Path: %ALLUSERSPROFILE%\Package Cache\{FE250127-0DBB-47AA-8439-7A2FA145030F}v10.1.14393.795\Installers Group: Malware file Last Updated: August 1, 2018
14.	helper.dll	733ccd349c8d6a86ff6bd0a65a82b901	18
Name: helper.dll MD5: 733ccd349c8d6a86ff6bd0a65a82b901 Size: 105.98 KB (105984 bytes) Detections: 18 Type: Dynamic link library Path: %ALLUSERSPROFILE%\Microsoft\Apps\common Group: Malware file Last Updated: March 24, 2021
15.	Integrator.dll	a4030f19a6672564adb9f6e90222f7c9	18
Name: Integrator.dll MD5: a4030f19a6672564adb9f6e90222f7c9 Size: 105.98 KB (105984 bytes) Detections: 18 Type: Dynamic link library Path: %ALLUSERSPROFILE%\Microsoft\AppV\Setup Group: Malware file Last Updated: December 6, 2020
16.	SyncTool.dll	872840e19332703410f557fd374c44b8	18
Name: SyncTool.dll MD5: 872840e19332703410f557fd374c44b8 Size: 129.02 KB (129024 bytes) Detections: 18 Type: Dynamic link library Path: %ALLUSERSPROFILE%\Microsoft OneDrive\setup Group: Malware file Last Updated: May 29, 2020
17.	appidsvr.dll	66edd44eb8353805b4ed081f4aab0e2e	17
Name: appidsvr.dll MD5: 66edd44eb8353805b4ed081f4aab0e2e Size: 103.93 KB (103936 bytes) Detections: 17 Type: Dynamic link library Path: %ALLUSERSPROFILE%\Microsoft\Windows\system Group: Malware file Last Updated: April 4, 2020
18.	Appinfo.dll	7f07d0a50a65f6d24297f5c4428ffaef	14
Name: Appinfo.dll MD5: 7f07d0a50a65f6d24297f5c4428ffaef Size: 120.83 KB (120832 bytes) Detections: 14 Type: Dynamic link library Path: C:\ProgramData\Microsoft\Office\OneNote\Appinfo.dll Group: Malware file Last Updated: February 27, 2023
19.	iisexp.dll	f3922eb8251356a2e2913718f5c69925	6
Name: iisexp.dll MD5: f3922eb8251356a2e2913718f5c69925 Size: 105.47 KB (105472 bytes) Detections: 6 Type: Dynamic link library Path: %ALLUSERSPROFILE%\Package Cache\{59399776-575D-9C54-E861-0D5EAB7E707D}v10.1.14393.795\Installers\IIS Group: Malware file Last Updated: April 24, 2020
20.	PackageLocker.dll	73e165be0fe990382bae26b8c71a4a04	4
Name: PackageLocker.dll MD5: 73e165be0fe990382bae26b8c71a4a04 Size: 119.8 KB (119808 bytes) Detections: 4 Type: Dynamic link library Path: %ALLUSERSPROFILE%\Microsoft\Office Group: Malware file Last Updated: June 27, 2020
21.	msdeploy.resources.dll	ae88db5467abeb4d91c511c5e468c25d	4
Name: msdeploy.resources.dll MD5: ae88db5467abeb4d91c511c5e468c25d Size: 105.98 KB (105984 bytes) Detections: 4 Type: Dynamic link library Path: %PROGRAMFILES(x86)%\IIS\Microsoft Web Deploy V3\te Group: Malware file Last Updated: October 8, 2018
22.	Descriptor.dll	4b36b6e7d0699dd1e3fc0142a63b04d0	2
Name: Descriptor.dll MD5: 4b36b6e7d0699dd1e3fc0142a63b04d0 Size: 101.37 KB (101376 bytes) Detections: 2 Type: Dynamic link library Path: %PROGRAMFILES(x86)%\Microsoft Office\Updates\Detection\Version Group: Malware file Last Updated: July 23, 2022
23.	30daf459e79c5d26366654b1b482e87.cab:dp	11552c35ea61525d8ba2102eeec1ae38	2
Name: 30daf459e79c5d26366654b1b482e87.cab:dp MD5: 11552c35ea61525d8ba2102eeec1ae38 Size: 102.91 KB (102912 bytes) Detections: 2 Path: %ALLUSERSPROFILE%\Package Cache\{E01CB7F1-3E88-4450-1764-B3CC1E205C4A}v10.1.14393.795\Installers Group: Malware file Last Updated: June 2, 2017
24.	9bcb3fab78e80d68be28892ea7ad46c3.msp:dp	8181dc651a89923800a109c9629d957f	1
Name: 9bcb3fab78e80d68be28892ea7ad46c3.msp:dp MD5: 8181dc651a89923800a109c9629d957f Size: 106.49 KB (106496 bytes) Detections: 1 Path: %ALLUSERSPROFILE%\Package Cache\{00C5024D-925C-4E9E-A8E6-F9B84ABE0DA0}\packages\Win81_SDK Group: Malware file Last Updated: June 2, 2017
25.	1.1.4322__2.3.0.2.dll	a2201686f1f6eca16e7331feea4c7a29	1
Name: 1.1.4322__2.3.0.2.dll MD5: a2201686f1f6eca16e7331feea4c7a29 Size: 404.36 KB (404367 bytes) Detections: 1 Type: Dynamic link library Path: %ALLUSERSPROFILE%\PreEmptive Solutions\Common\LAC\sos Group: Malware file Last Updated: November 4, 2017
26.	SDKFilesVer.dll	2311c387be305e70dc6103bb623c3f4d	1
Name: SDKFilesVer.dll MD5: 2311c387be305e70dc6103bb623c3f4d Size: 325.99 KB (325997 bytes) Detections: 1 Type: Dynamic link library Path: %ALLUSERSPROFILE%\Microsoft\Phone Tools\CoreCon\12.0\addons Group: Malware file Last Updated: June 27, 2017

More files

Registry Details

Ghokswa Browser may create the following registry entry or registry entries:

Regexp file mask

%ALLUSERSPROFILE%\Apple\Common\Cloud\WinHelper.dll

%ALLUSERSPROFILE%\Apple\Temp\upgrade.ini:ad

%ALLUSERSPROFILE%\common\Apple\Apps\AzureTools.dll

%ALLUSERSPROFILE%\Microsoft OneDrive\setup\SyncTool.dll

%ALLUSERSPROFILE%\Microsoft OneNote\Updates\Version\Check\chkver.dll

%ALLUSERSPROFILE%\Microsoft OneNote\Updates\VersionCheck\chk.dll

%ALLUSERSPROFILE%\Microsoft\App-V\Client\AppV.dll

%ALLUSERSPROFILE%\Microsoft\Apps\common\helper.dll

%ALLUSERSPROFILE%\Microsoft\AppV\setup\install.dll

%ALLUSERSPROFILE%\Microsoft\AppV\Setup\Integrator.dll

%ALLUSERSPROFILE%\Microsoft\AppV\sym\dbg.dll

%ALLUSERSPROFILE%\Microsoft\IdentityCRL\production\ppcrlconfig617.dll

%ALLUSERSPROFILE%\Microsoft\Office\OneNote\Appinfo.dll

%ALLUSERSPROFILE%\Microsoft\Office\PackageLocker.dll

%ALLUSERSPROFILE%\Microsoft\OneDrive\Uploader.dll

%ALLUSERSPROFILE%\Microsoft\Phone Tools\CoreCon\12.0\addons\SDKFilesVer.dll

%ALLUSERSPROFILE%\Microsoft\Software\Shadow\Provider.dll

%ALLUSERSPROFILE%\Microsoft\Windows\GameExplorer\Resources.dll

%ALLUSERSPROFILE%\Microsoft\Windows\system\appidsvr.dll

%ALLUSERSPROFILE%\Package Cache\{2A002F88-FD5D-379B-A350-A25D84AF128B}v14.0.25420\packages\VisualC_D14\VC_IDE.Base\VC_IDE_Base.dll

%ALLUSERSPROFILE%\PreEmptive Solutions\Common\LAC\sos\1.1.4322__2.3.0.2.dll

%ALLUSERSPROFILE%\Software\Apple\Apps\Notification.dll

%ALLUSERSPROFILE%\Sun\Java\extension.dll

%ALLUSERSPROFILE%\Windows\App\Kit\ApplicationVerifier.dll

%APPDATA%\go00001.bak

%PROGRAMFILES%\Explorer\iedvutils.exe

%PROGRAMFILES(x86)%\Explorer\iedvutils.exe

%PROGRAMFILES(x86)%\IIS\Microsoft Web Deploy V3\te\msdeploy.resources.dll

%PROGRAMFILES(x86)%\Microsoft Office\Updates\Detection\Version\Descriptor.dll

%WINDIR%\System32\Tasks\BookfatUpdateTaskMachineCore

%WINDIR%\System32\Tasks\BookfatUpdateTaskMachineUA

%WINDIR%\System32\Tasks\ceQeekgBrowserUpdateCore

%WINDIR%\System32\Tasks\ceQeekgBrowserUpdateUA

%WINDIR%\System32\Tasks\ceQeekgCheckTask

%WINDIR%\System32\Tasks\FootblueUpdateTaskMachineCore

%WINDIR%\System32\Tasks\FootblueUpdateTaskMachineUA

%WINDIR%\System32\Tasks\milimili

%WINDIR%\System32\Tasks\MonoldBrowserUpdateUA

%WINDIR%\System32\Tasks\MonoldCheckTask

%WINDIR%\System32\Tasks\OutboatUpdateTaskMachineCore

%WINDIR%\System32\Tasks\OutboatUpdateTaskMachineUA

%WINDIR%\System32\Tasks\ZootonyUpdateTaskMachineCore

%WINDIR%\System32\Tasks\ZootonyUpdateTaskMachineUA

HKEY..\..\..\..{RegistryKeys}

SOFTWARE\Applemy

SOFTWARE\Baglook

SOFTWARE\BagSarah

SOFTWARE\Bangcar

SOFTWARE\Bangtony

SOFTWARE\Bedkiss

SOFTWARE\Dohat

SOFTWARE\Eastness

SOFTWARE\Everness

SOFTWARE\Footjane

SOFTWARE\Gotoe

Software\Hipmy

SOFTWARE\Hippig

SOFTWARE\Hotleaf

SOFTWARE\Legass

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\milimili

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MonoldBrowserUpdateCore

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MonoldBrowserUpdateUA

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\apple_config

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\AppsSvc

Software\Microsoft\Windows\CurrentVersion\Run\background_fault

SOFTWARE\Pearhas

SOFTWARE\Setleaf

SOFTWARE\Wow6432Node\Applemy

SOFTWARE\Wow6432Node\Baglook

SOFTWARE\WOW6432Node\BagSarah

SOFTWARE\Wow6432Node\Bangcar

SOFTWARE\Wow6432Node\Bangtony

SOFTWARE\WOW6432Node\Bedkiss

SOFTWARE\WOW6432Node\Dohat

SOFTWARE\WOW6432Node\Eastness

SOFTWARE\WOW6432Node\Everness

SOFTWARE\WOW6432Node\Footjane

SOFTWARE\Wow6432Node\Gotoe

SOFTWARE\Wow6432Node\Hipmy

SOFTWARE\Wow6432Node\Hippig

SOFTWARE\WOW6432Node\Hotleaf

SOFTWARE\Wow6432Node\Legass

SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost\apple_config

SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost\AppsSvc

SOFTWARE\Wow6432Node\Pearhas

SOFTWARE\WOW6432Node\Setleaf

SYSTEM\ControlSet001\services\AlltieSU

SYSTEM\ControlSet001\services\Apple_Cfg

SYSTEM\ControlSet001\Services\APPLE_svr

SYSTEM\ControlSet001\services\AppleAzureSrv

SYSTEM\ControlSet001\services\Apps_Cfg

SYSTEM\ControlSet001\services\eventlog\Application\iedvutils

SYSTEM\ControlSet001\Services\FootblueU

SYSTEM\ControlSet001\services\FootperSU

SYSTEM\ControlSet001\Services\MCSvc

SYSTEM\ControlSet001\Services\MSCFG_SVR

SYSTEM\ControlSet001\services\MVCSrv

SYSTEM\ControlSet001\services\vreXjvX_protect

SYSTEM\ControlSet001\services\vreXjvX_update

SYSTEM\ControlSet001\Services\WPDTSrv

SYSTEM\ControlSet002\services\AlltieSU

SYSTEM\ControlSet002\services\Apple_Cfg

SYSTEM\ControlSet002\Services\APPLE_svr

SYSTEM\ControlSet002\services\AppleAzureSrv

SYSTEM\ControlSet002\services\Apps_Cfg

SYSTEM\ControlSet002\services\eventlog\Application\iedvutils

SYSTEM\ControlSet002\Services\FootblueU

SYSTEM\ControlSet002\services\FootperSU

SYSTEM\ControlSet002\Services\MCSvc

SYSTEM\ControlSet002\Services\MSCFG_SVR

SYSTEM\ControlSet002\services\MVCSrv

SYSTEM\ControlSet002\services\vreXjvX_protect

SYSTEM\ControlSet002\services\vreXjvX_update

SYSTEM\ControlSet002\Services\WPDTSrv

SYSTEM\CurrentControlSet\services\AlltieSU

SYSTEM\CurrentControlSet\services\Apple_Cfg

SYSTEM\CurrentControlSet\Services\APPLE_svr

SYSTEM\CurrentControlSet\services\AppleAzureSrv

SYSTEM\CurrentControlSet\services\Apps_Cfg

SYSTEM\CurrentControlSet\services\eventlog\Application\iedvutils

SYSTEM\CurrentControlSet\Services\FootblueU

SYSTEM\CurrentControlSet\services\FootperSU

SYSTEM\CurrentControlSet\Services\MCSvc

SYSTEM\CurrentControlSet\Services\MSCFG_SVR

SYSTEM\CurrentControlSet\services\MVCSrv

SYSTEM\CurrentControlSet\services\vreXjvX_protect

SYSTEM\CurrentControlSet\services\vreXjvX_update

SYSTEM\CurrentControlSet\Services\WPDTSrv

Directories

Ghokswa Browser may create the following directory or directories:

%ALLUSERSPROFILE%\Application Data\Inbob

%ALLUSERSPROFILE%\Bagbin

%ALLUSERSPROFILE%\Banglamp

%ALLUSERSPROFILE%\Birdeye

%ALLUSERSPROFILE%\Birdmay

%ALLUSERSPROFILE%\Bookfat

%ALLUSERSPROFILE%\Bossseed

%ALLUSERSPROFILE%\Eastmy

%ALLUSERSPROFILE%\Eastness

%ALLUSERSPROFILE%\Fishlose

%ALLUSERSPROFILE%\Footblue

%ALLUSERSPROFILE%\Gotoe

%ALLUSERSPROFILE%\Hotdear

%ALLUSERSPROFILE%\Hotmay

%ALLUSERSPROFILE%\Inbob

%ALLUSERSPROFILE%\Jamben

%ALLUSERSPROFILE%\Jamjob

%ALLUSERSPROFILE%\Junetoe

%ALLUSERSPROFILE%\Newjob

%ALLUSERSPROFILE%\Onfat

%ALLUSERSPROFILE%\Setmike

%ALLUSERSPROFILE%\Weness

%ALLUSERSPROFILE%\Zootony

%ALLUSERSPROFILE%\ceQeekg

%ALLUSERSPROFILE%\redjane

%ALLUSERSPROFILE%\seteat

%APPDATA%\go00001

%LOCALAPPDATA%\Allold

%LOCALAPPDATA%\Alltoe

%LOCALAPPDATA%\Antanna

%LOCALAPPDATA%\Antper

%LOCALAPPDATA%\Applefat

%LOCALAPPDATA%\Applemy

%LOCALAPPDATA%\Bagbin

%LOCALAPPDATA%\Baghair

%LOCALAPPDATA%\Baglook

%LOCALAPPDATA%\Bagsarah

%LOCALAPPDATA%\Ballcine

%LOCALAPPDATA%\Ballduck

%LOCALAPPDATA%\Bangcar

%LOCALAPPDATA%\Banglamp

%LOCALAPPDATA%\Bangone

%LOCALAPPDATA%\Bangtony

%LOCALAPPDATA%\Bedhat

%LOCALAPPDATA%\Bedkiss

%LOCALAPPDATA%\Bemike

%LOCALAPPDATA%\Bepat

%LOCALAPPDATA%\Bigflat

%LOCALAPPDATA%\Bigold

%LOCALAPPDATA%\Birdeye

%LOCALAPPDATA%\Birdkiss

%LOCALAPPDATA%\Birdmay

%LOCALAPPDATA%\Birdsarah

%LOCALAPPDATA%\Bookfat

%LOCALAPPDATA%\Bossface

%LOCALAPPDATA%\Bossseed

%LOCALAPPDATA%\Bossship

%LOCALAPPDATA%\Boxbob

%LOCALAPPDATA%\Boxfat

%LOCALAPPDATA%\Cansuck

%LOCALAPPDATA%\Coldmay

%LOCALAPPDATA%\Coldold

%LOCALAPPDATA%\Coldone

%LOCALAPPDATA%\Cupblue

%LOCALAPPDATA%\Cupface

%LOCALAPPDATA%\Cuppat

%LOCALAPPDATA%\Daydoor

%LOCALAPPDATA%\Docine

%LOCALAPPDATA%\Doeye

%LOCALAPPDATA%\Dohat

%LOCALAPPDATA%\Doold

%LOCALAPPDATA%\Eastmy

%LOCALAPPDATA%\Eastness

%LOCALAPPDATA%\Eggness

%LOCALAPPDATA%\Evercine

%LOCALAPPDATA%\Everness

%LOCALAPPDATA%\Fishjane

%LOCALAPPDATA%\Fishlamp

%LOCALAPPDATA%\Fishlose

%LOCALAPPDATA%\Footblue

%LOCALAPPDATA%\Footeat

%LOCALAPPDATA%\Footjane

%LOCALAPPDATA%\Footlook

%LOCALAPPDATA%\Footper

%LOCALAPPDATA%\Gofat

%LOCALAPPDATA%\Goldass

%LOCALAPPDATA%\Gotoe

%LOCALAPPDATA%\Gunone

%LOCALAPPDATA%\Gunship

%LOCALAPPDATA%\Hipbear

%LOCALAPPDATA%\Hipeat

%LOCALAPPDATA%\Hipfat

%LOCALAPPDATA%\Hipmy

%LOCALAPPDATA%\Hippig

%LOCALAPPDATA%\Hisarah

%LOCALAPPDATA%\Hotdear

%LOCALAPPDATA%\Hothair

%LOCALAPPDATA%\Hotjob

%LOCALAPPDATA%\Hotleaf

%LOCALAPPDATA%\Hotmay

%LOCALAPPDATA%\Inbob

%LOCALAPPDATA%\Infun

%LOCALAPPDATA%\Inper

%LOCALAPPDATA%\Jamben

%LOCALAPPDATA%\Jamjob

%LOCALAPPDATA%\Jamlarry

%LOCALAPPDATA%\Jamsarah

%LOCALAPPDATA%\Jarhair

%LOCALAPPDATA%\Jarness

%LOCALAPPDATA%\Junedoor

%LOCALAPPDATA%\Junetoe

%LOCALAPPDATA%\Lefttoe

%LOCALAPPDATA%\Legness

%LOCALAPPDATA%\Legpat

%LOCALAPPDATA%\Mapbob

%LOCALAPPDATA%\Mapcar

%LOCALAPPDATA%\Moncar

%LOCALAPPDATA%\Monold

%LOCALAPPDATA%\Newjob

%LOCALAPPDATA%\Nobean

%LOCALAPPDATA%\Nolarry

%LOCALAPPDATA%\Nosekiss

%LOCALAPPDATA%\Nosemay

%LOCALAPPDATA%\Onfat

%LOCALAPPDATA%\Ontoe

%LOCALAPPDATA%\Outbob

%LOCALAPPDATA%\Outfire

%LOCALAPPDATA%\Outlose

%LOCALAPPDATA%\Pearhas

%LOCALAPPDATA%\Seablue

%LOCALAPPDATA%\Seaness

%LOCALAPPDATA%\Setleaf

%LOCALAPPDATA%\Setmike

%LOCALAPPDATA%\Shutness

%LOCALAPPDATA%\Stancine

%LOCALAPPDATA%\Standoor

%LOCALAPPDATA%\Standuck

%LOCALAPPDATA%\Stanper

%LOCALAPPDATA%\Tooleat

%LOCALAPPDATA%\Toolhair

%LOCALAPPDATA%\Toolrain

%LOCALAPPDATA%\Tooltony

%LOCALAPPDATA%\Wefat

%LOCALAPPDATA%\Weness

%LOCALAPPDATA%\Yeahfire

%LOCALAPPDATA%\Yeahseed

%LOCALAPPDATA%\Yeahship

%LOCALAPPDATA%\Yesdear

%LOCALAPPDATA%\Yeshat

%LOCALAPPDATA%\Yestony

%LOCALAPPDATA%\Zooarm

%LOCALAPPDATA%\Zooface

%LOCALAPPDATA%\Zootony

%LOCALAPPDATA%\background_fault

%LOCALAPPDATA%\birdjob

%LOCALAPPDATA%\ceQeekg

%LOCALAPPDATA%\fishhas

%LOCALAPPDATA%\hotcine

%LOCALAPPDATA%\legass

%LOCALAPPDATA%\redjane

%LOCALAPPDATA%\seteat

%LOCALAPPDATA%\vreXjvX

%PROGRAMFILES%\Alltoe

%PROGRAMFILES%\Antanna

%PROGRAMFILES%\Antper

%PROGRAMFILES%\Applefat

%PROGRAMFILES%\Applemy

%PROGRAMFILES%\Bagbin

%PROGRAMFILES%\Baghair

%PROGRAMFILES%\Baglook

%PROGRAMFILES%\Bagsarah

%PROGRAMFILES%\Ballcine

%PROGRAMFILES%\Ballduck

%PROGRAMFILES%\Bangcar

%PROGRAMFILES%\Banglamp

%PROGRAMFILES%\Bangtony

%PROGRAMFILES%\Bedhat

%PROGRAMFILES%\Bedkiss

%PROGRAMFILES%\Bemike

%PROGRAMFILES%\Bepat

%PROGRAMFILES%\Bigflat

%PROGRAMFILES%\Bigold

%PROGRAMFILES%\Birdeye

%PROGRAMFILES%\Birdmay

%PROGRAMFILES%\Bookfat

%PROGRAMFILES%\Bossface

%PROGRAMFILES%\Bossseed

%PROGRAMFILES%\Bossship

%PROGRAMFILES%\Boxbob

%PROGRAMFILES%\Boxfat

%PROGRAMFILES%\Cansuck

%PROGRAMFILES%\Coldmay

%PROGRAMFILES%\Coldold

%PROGRAMFILES%\Coldone

%PROGRAMFILES%\Cupface

%PROGRAMFILES%\Cuppat

%PROGRAMFILES%\Doeye

%PROGRAMFILES%\Dohat

%PROGRAMFILES%\Eastmy

%PROGRAMFILES%\Eastness

%PROGRAMFILES%\Eggness

%PROGRAMFILES%\Evercine

%PROGRAMFILES%\Everness

%PROGRAMFILES%\Fishjane

%PROGRAMFILES%\Fishlose

%PROGRAMFILES%\Footblue

%PROGRAMFILES%\Footeat

%PROGRAMFILES%\Footjane

%PROGRAMFILES%\Footlook

%PROGRAMFILES%\Footper

%PROGRAMFILES%\Gofat

%PROGRAMFILES%\Goldass

%PROGRAMFILES%\Gotoe

%PROGRAMFILES%\Gunone

%PROGRAMFILES%\Hipeat

%PROGRAMFILES%\Hipmy

%PROGRAMFILES%\Hippig

%PROGRAMFILES%\Hotdear

%PROGRAMFILES%\Hothair

%PROGRAMFILES%\Hotjob

%PROGRAMFILES%\Hotleaf

%PROGRAMFILES%\Hotmay

%PROGRAMFILES%\Inbob

%PROGRAMFILES%\Infun

%PROGRAMFILES%\Inper

%PROGRAMFILES%\Jamben

%PROGRAMFILES%\Jamjob

%PROGRAMFILES%\Jamlarry

%PROGRAMFILES%\Jarhair

%PROGRAMFILES%\Jarness

%PROGRAMFILES%\Junetoe

%PROGRAMFILES%\Legness

%PROGRAMFILES%\Lerfopervather Host

%PROGRAMFILES%\MIO\loader

%PROGRAMFILES%\Mapbob

%PROGRAMFILES%\Moncar

%PROGRAMFILES%\Newjob

%PROGRAMFILES%\Nolarry

%PROGRAMFILES%\Nosekiss

%PROGRAMFILES%\Onfat

%PROGRAMFILES%\Ontoe

%PROGRAMFILES%\Outbob

%PROGRAMFILES%\Pearhas

%PROGRAMFILES%\Setleaf

%PROGRAMFILES%\Setmike

%PROGRAMFILES%\Shutness

%PROGRAMFILES%\Stancine

%PROGRAMFILES%\Standoor

%PROGRAMFILES%\Standuck

%PROGRAMFILES%\Stanper

%PROGRAMFILES%\Tooleat

%PROGRAMFILES%\Toolhair

%PROGRAMFILES%\Tooltony

%PROGRAMFILES%\Weness

%PROGRAMFILES%\Yeahfire

%PROGRAMFILES%\Yeahseed

%PROGRAMFILES%\Yeahship

%PROGRAMFILES%\Yeshat

%PROGRAMFILES%\Zooarm

%PROGRAMFILES%\Zootony

%PROGRAMFILES%\birdjob

%PROGRAMFILES%\fishhas

%PROGRAMFILES%\hotcine

%PROGRAMFILES%\legass

%PROGRAMFILES%\redjane

%PROGRAMFILES%\seteat

%PROGRAMFILES(x86)%\Alltoe

%PROGRAMFILES(x86)%\Antanna

%PROGRAMFILES(x86)%\Antper

%PROGRAMFILES(x86)%\Applefat

%PROGRAMFILES(x86)%\Applemy

%PROGRAMFILES(x86)%\Bagbin

%PROGRAMFILES(x86)%\Baghair

%PROGRAMFILES(x86)%\Baglook

%PROGRAMFILES(x86)%\Bagsarah

%PROGRAMFILES(x86)%\Ballcine

%PROGRAMFILES(x86)%\Ballduck

%PROGRAMFILES(x86)%\Bangcar

%PROGRAMFILES(x86)%\Banglamp

%PROGRAMFILES(x86)%\Bangtony

%PROGRAMFILES(x86)%\Bedhat

%PROGRAMFILES(x86)%\Bedkiss

%PROGRAMFILES(x86)%\Bemike

%PROGRAMFILES(x86)%\Bepat

%PROGRAMFILES(x86)%\Bigflat

%PROGRAMFILES(x86)%\Bigold

%PROGRAMFILES(x86)%\Birdeye

%PROGRAMFILES(x86)%\Birdmay

%PROGRAMFILES(x86)%\Bookfat

%PROGRAMFILES(x86)%\Bossface

%PROGRAMFILES(x86)%\Bossseed

%PROGRAMFILES(x86)%\Bossship

%PROGRAMFILES(x86)%\Boxbob

%PROGRAMFILES(x86)%\Boxfat

%PROGRAMFILES(x86)%\Cansuck

%PROGRAMFILES(x86)%\Coldmay

%PROGRAMFILES(x86)%\Coldold

%PROGRAMFILES(x86)%\Coldone

%PROGRAMFILES(x86)%\Cupface

%PROGRAMFILES(x86)%\Cuppat

%PROGRAMFILES(x86)%\Daydoor

%PROGRAMFILES(x86)%\Doeye

%PROGRAMFILES(x86)%\Dohat

%PROGRAMFILES(x86)%\Eastmy

%PROGRAMFILES(x86)%\Eastness

%PROGRAMFILES(x86)%\Eggness

%PROGRAMFILES(x86)%\Evercine

%PROGRAMFILES(x86)%\Everness

%PROGRAMFILES(x86)%\Fishjane

%PROGRAMFILES(x86)%\Fishlose

%PROGRAMFILES(x86)%\Footblue

%PROGRAMFILES(x86)%\Footeat

%PROGRAMFILES(x86)%\Footjane

%PROGRAMFILES(x86)%\Footlook

%PROGRAMFILES(x86)%\Footper

%PROGRAMFILES(x86)%\Gofat

%PROGRAMFILES(x86)%\Goldass

%PROGRAMFILES(x86)%\Gotoe

%PROGRAMFILES(x86)%\Gunone

%PROGRAMFILES(x86)%\Hipeat

%PROGRAMFILES(x86)%\Hipmy

%PROGRAMFILES(x86)%\Hippig

%PROGRAMFILES(x86)%\Hotdear

%PROGRAMFILES(x86)%\Hothair

%PROGRAMFILES(x86)%\Hotjob

%PROGRAMFILES(x86)%\Hotleaf

%PROGRAMFILES(x86)%\Hotmay

%PROGRAMFILES(x86)%\Inbob

%PROGRAMFILES(x86)%\Infun

%PROGRAMFILES(x86)%\Inper

%PROGRAMFILES(x86)%\Jamben

%PROGRAMFILES(x86)%\Jamjob

%PROGRAMFILES(x86)%\Jamlarry

%PROGRAMFILES(x86)%\Jarhair

%PROGRAMFILES(x86)%\Jarness

%PROGRAMFILES(x86)%\Junetoe

%PROGRAMFILES(x86)%\Legness

%PROGRAMFILES(x86)%\Lerfopervather Host

%PROGRAMFILES(x86)%\MIO\loader

%PROGRAMFILES(x86)%\Mapbob

%PROGRAMFILES(x86)%\Moncar

%PROGRAMFILES(x86)%\Newjob

%PROGRAMFILES(x86)%\Nolarry

%PROGRAMFILES(x86)%\Nosekiss

%PROGRAMFILES(x86)%\Onfat

%PROGRAMFILES(x86)%\Ontoe

%PROGRAMFILES(x86)%\Outbob

%PROGRAMFILES(x86)%\Pearhas

%PROGRAMFILES(x86)%\Setleaf

%PROGRAMFILES(x86)%\Setmike

%PROGRAMFILES(x86)%\Shutness

%PROGRAMFILES(x86)%\Stancine

%PROGRAMFILES(x86)%\Standoor

%PROGRAMFILES(x86)%\Standuck

%PROGRAMFILES(x86)%\Stanper

%PROGRAMFILES(x86)%\Tooleat

%PROGRAMFILES(x86)%\Toolhair

%PROGRAMFILES(x86)%\Tooltony

%PROGRAMFILES(x86)%\Weness

%PROGRAMFILES(x86)%\Yeahfire

%PROGRAMFILES(x86)%\Yeahseed

%PROGRAMFILES(x86)%\Yeahship

%PROGRAMFILES(x86)%\Yeshat

%PROGRAMFILES(x86)%\Zooarm

%PROGRAMFILES(x86)%\Zootony

%PROGRAMFILES(x86)%\birdjob

%PROGRAMFILES(x86)%\fishhas

%PROGRAMFILES(x86)%\hotcine

%PROGRAMFILES(x86)%\legass

%PROGRAMFILES(x86)%\redjane

%PROGRAMFILES(x86)%\seteat

%UserProfile%\Local Settings\Application Data\Weness

%UserProfile%\Local Settings\Application Data\Yestony

Analysis Report

General information

Family Name:	PUP.Ghokswa Browser
Signature status:	Self Signed

Known Samples

MD5: 3fd4a18dd50b38f69fb9f1378c696cf6

SHA1: b23b95b7ed8805643ccd007facdfb04ec2eff1e6

SHA256: 08D8A5A7F437FA0236885312301A5D8ABE6181E36790C1D1F608252975D43553

File Size: 293.59 KB, 293592 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have exports table
File is 32-bit executable
File is either console or GUI application
File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
File is Native application (NOT .NET application)
File is not packed
IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name	Value
File Version	46.10.2490.86
Product Version	46.10.2490.86

Digital Signatures

Signer	Root	Status
Shan Feng	thawte SHA256 Code Signing CA	Self Signed

Block Information

Total Blocks:	1,073
Potentially Malicious Blocks:	42
Whitelisted Blocks:	945
Unknown Blocks:	86

Visual Map

0 0 0 0 x 0 0 x 0 0 0 0 x 0 0 0 0 0 x 0 0 0 0 x 0 0 0 x 0 0 0 x 0 0 0 0 0 x 0 0 0 x 0 x x x x 0 x x x x 0 x 0 ? 0 0 0 0 0 0 0 0 x 0 0 x 0 x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 0 0 0 0 x 0 x x 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 x 0 0 1 0 0 0 0 0 0 0 0 0 0 1 0 x 0 0 x 0 0 0 0 0 x 0 0 0 0 0 x x 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 ? ? ? ? ? ? ? ? ? 0 0 0 0 0 ? ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 1 0 0 0 0 0 ? ? ? 0 0 ? ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 ? ? ? ? 0 ? 0 ? ? ? ? ? 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 x 0 0 0 0 ? ? ? 1 0 ? ? ? 0 ? ? 0 ? ? ? ? 0 0 0 0 ? ? ? ? ? ? ? 1 ? ? ? 0 x ? ? 0 ? ? ? 0 ? 0 0 0 0 0 0 0 0 x ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 ? ? ? 0 ? ? ? x ? 0 2 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 0 0 0 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 1 0 0 0 1 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 2 3 0 1 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 1 0 0 0 0 0 0 2 2 1 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 1 0 0 3 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 1 0

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Windows API Usage

Category	API
Network Info Queried	GetAdaptersAddresses
Encryption Used	BCryptOpenAlgorithmProvider CryptAcquireContext
Network Wininet	HttpOpenRequest HttpQueryInfo HttpSendRequest InternetConnect InternetOpen InternetSetOption
Network Winhttp	WinHttpOpen

EnigmaSoft’s Payment Processor Digital River GmbH Filing for Bankruptcy Does Not Impact SpyHunter Customers’ Anti-Malware Protection

Search

Change Region

Ghokswa Browser

Threat Scorecard

EnigmaSoft Threat Scorecard

The Ghokswa Browser has no Connection with Google Chrome

How the Ghokswa Browser Tactic Works

Dealing with the Ghokswa Browser

SpyHunter Detects & Remove Ghokswa Browser

File System Details

Registry Details

Directories

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

Windows PE Version Information

Windows PE Version Information

Digital Signatures

Digital Signatures

Block Information

Block Information

Visual Map

Windows API Usage

Windows API Usage

Submit Comment

Trending

Mr Beast Discord Scam

Your Cloud Is Disabled Email Scam

PCLocked Ransomware

Most Viewed

How To Fix 'Printer Driver is Unavailable' Error

Pornktube.porn

Discord Shows Black Screen when Sharing Screen