PathInIt Ads

Computer users that like to try out new free programs may be surprised to see listed PathInIt in their 'Programs and Features' module. The PathInIt software is classified by security analysts as adware that is written with the sole purpose of earning pay-per-click revenue. The PathInIt adware is delivered to users enclosed in freeware bundles and may launch a background process in Windows to execute its operations. The PathInIt adware may read your browsing history, detect your approximate geographical location and use tracking cookies to show targeted marketing offers and maximize its efficiency. The PathInIt adware may use banners, pop-up windows, in-text hyperlinks and video commercials to attract your attention and may disrupt your comfortable Internet routine. Security analysts warn users that the PathInIt adware might substitute the safe ads on Walmart, Amazon, Best Buy and eBay with corrupted ads pointing to untrusted websites. In many cases, adware like PathInIt redirects users to low-quality software distribution platforms where users could be welcomed to install riskware like Sambreel and Protector. You may want to know that riskware may load more ads and cause security issues, and you should not download apps advertised by the PathInIt adware. Security analysts recommend users to use a trustworthy anti-spyware instrument to clean the PathInIt binary and ensure the optimal performance of their system.

Table of Contents

Toggle

Analysis Report

General information

Family Name:	Hacktool.PassView.B
Signature status:	No Signature

Known Samples

i

Known Samples

This section lists other file samples believed to be associated with this family.

MD5: 50cf719c9e41cd9e2e6dd26d83398298 SHA1: d3ff9c0e7308e871d3be9bd4a4dcf51450be55f5 SHA256: 451B40FDEB2B35D94421E8DB39DFDFA4AD28640BB2BD1E4336D0527A3DCA25A7 File Size: 4.44 MB, 4438348 bytes

Windows Portable Executable Attributes

i

Windows Portable Executable Attributes

This section lists file attributes found within family samples. These attributes are extracted from the files’ Windows PE (Portable Executable) specification and various system flags. Portable Executable Attributes give malware researchers insight into a file’s functionality, executable details, platform and runtime environment.

• File doesn't have "Rich" header
• File doesn't have relocations information
• File doesn't have security information
• File has exports table
• File is 32-bit executable
• File is either console or GUI application
• File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
• File is Native application (NOT .NET application)
• File is not packed
• IMAGE_FILE_DLL is not set inside PE header (Executable)

Show More

• IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

i

File Icons

This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.

File Traits

• packed
• x86

Files Modified

i

Files Modified

This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

File	Attributes
\device\namedpipe\srvsvc	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files (x86)\system\cpl\x32\autofix.exe	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\autofix.exe	Synchronize,Write Data
c:\program files (x86)\system\cpl\x32\bluescreenview.exe	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\bluescreenview.exe	Synchronize,Write Data
c:\program files (x86)\system\cpl\x32\bootsafe.exe	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\bootsafe.exe	Synchronize,Write Data
c:\program files (x86)\system\cpl\x32\bootvis.chm	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\bootvis.chm	Synchronize,Write Data
c:\program files (x86)\system\cpl\x32\bootvis.exe	Synchronize,Write Attributes

Show More

c:\program files (x86)\system\cpl\x32\bootvis.exe	Synchronize,Write Data
c:\program files (x86)\system\cpl\x32\cplbonus.dll	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\cplbonus.dll	Synchronize,Write Data
c:\program files (x86)\system\cpl\x32\cpuz.exe	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\cpuz.exe	Synchronize,Write Data
c:\program files (x86)\system\cpl\x32\cpuz.ini	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\cpuz.ini	Synchronize,Write Data
c:\program files (x86)\system\cpl\x32\detectduplicates.exe	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\detectduplicates.exe	Synchronize,Write Data
c:\program files (x86)\system\cpl\x32\eula.rtf	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\eula.rtf	Synchronize,Write Data
c:\program files (x86)\system\cpl\x32\gprint.dll	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\gprint.dll	Synchronize,Write Data
c:\program files (x86)\system\cpl\x32\gpu-z.exe	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\gpu-z.exe	Synchronize,Write Data
c:\program files (x86)\system\cpl\x32\gsharpsqlite.dll	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\gsharpsqlite.dll	Synchronize,Write Data
c:\program files (x86)\system\cpl\x32\gsharptools.dll	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\gsharptools.dll	Synchronize,Write Data
c:\program files (x86)\system\cpl\x32\hdtune.exe	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\hdtune.exe	Synchronize,Write Data
c:\program files (x86)\system\cpl\x32\hpusbfw.exe	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\hpusbfw.exe	Synchronize,Write Data
c:\program files (x86)\system\cpl\x32\hwmonitor.exe	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\hwmonitor.exe	Synchronize,Write Data
c:\program files (x86)\system\cpl\x32\md5sums.exe	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\md5sums.exe	Synchronize,Write Data
c:\program files (x86)\system\cpl\x32\memtest.exe	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\memtest.exe	Synchronize,Write Data
c:\program files (x86)\system\cpl\x32\msicuu.exe	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\msicuu.exe	Synchronize,Write Data
c:\program files (x86)\system\cpl\x32\msizap.exe	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\msizap.exe	Synchronize,Write Data
c:\program files (x86)\system\cpl\x32\pathed.exe	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\pathed.exe	Synchronize,Write Data
c:\program files (x86)\system\cpl\x32\pserv3.exe	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\pserv3.exe	Synchronize,Write Data
c:\program files (x86)\system\cpl\x32\pserv3.exe.config	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\pserv3.exe.config	Synchronize,Write Data
c:\program files (x86)\system\cpl\x32\set62a5.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\system\cpl\x32\set62a5.tmp	Generic Write,Read Attributes
c:\program files (x86)\system\cpl\x32\set62a5.tmp	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\set62e4.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\system\cpl\x32\set62e4.tmp	Generic Write,Read Attributes
c:\program files (x86)\system\cpl\x32\set62e4.tmp	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\set6324.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\system\cpl\x32\set6324.tmp	Generic Write,Read Attributes
c:\program files (x86)\system\cpl\x32\set6324.tmp	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\set6373.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\system\cpl\x32\set6373.tmp	Generic Write,Read Attributes
c:\program files (x86)\system\cpl\x32\set6373.tmp	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\set63b2.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\system\cpl\x32\set63b2.tmp	Generic Write,Read Attributes
c:\program files (x86)\system\cpl\x32\set63b2.tmp	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\set63f2.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\system\cpl\x32\set63f2.tmp	Generic Write,Read Attributes
c:\program files (x86)\system\cpl\x32\set63f2.tmp	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\set6402.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\system\cpl\x32\set6402.tmp	Generic Write,Read Attributes
c:\program files (x86)\system\cpl\x32\set6402.tmp	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\set6432.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\system\cpl\x32\set6432.tmp	Generic Write,Read Attributes
c:\program files (x86)\system\cpl\x32\set6432.tmp	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\set6452.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\system\cpl\x32\set6452.tmp	Generic Write,Read Attributes
c:\program files (x86)\system\cpl\x32\set6452.tmp	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\set6463.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\system\cpl\x32\set6463.tmp	Generic Write,Read Attributes
c:\program files (x86)\system\cpl\x32\set6463.tmp	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\set6493.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\system\cpl\x32\set6493.tmp	Generic Write,Read Attributes
c:\program files (x86)\system\cpl\x32\set6493.tmp	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\set64d2.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\system\cpl\x32\set64d2.tmp	Generic Write,Read Attributes
c:\program files (x86)\system\cpl\x32\set64d2.tmp	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\set64f3.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\system\cpl\x32\set64f3.tmp	Generic Write,Read Attributes
c:\program files (x86)\system\cpl\x32\set64f3.tmp	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\set6513.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\system\cpl\x32\set6513.tmp	Generic Write,Read Attributes
c:\program files (x86)\system\cpl\x32\set6513.tmp	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\set6533.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\system\cpl\x32\set6533.tmp	Generic Write,Read Attributes
c:\program files (x86)\system\cpl\x32\set6533.tmp	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\set6563.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\system\cpl\x32\set6563.tmp	Generic Write,Read Attributes
c:\program files (x86)\system\cpl\x32\set6563.tmp	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\set6583.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\system\cpl\x32\set6583.tmp	Generic Write,Read Attributes
c:\program files (x86)\system\cpl\x32\set6583.tmp	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\set65a4.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\system\cpl\x32\set65a4.tmp	Generic Write,Read Attributes
c:\program files (x86)\system\cpl\x32\set65a4.tmp	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\set65d3.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\system\cpl\x32\set65d3.tmp	Generic Write,Read Attributes
c:\program files (x86)\system\cpl\x32\set65d3.tmp	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\set6603.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\system\cpl\x32\set6603.tmp	Generic Write,Read Attributes
c:\program files (x86)\system\cpl\x32\set6603.tmp	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\set6633.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\system\cpl\x32\set6633.tmp	Generic Write,Read Attributes
c:\program files (x86)\system\cpl\x32\set6633.tmp	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\set6663.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\system\cpl\x32\set6663.tmp	Generic Write,Read Attributes
c:\program files (x86)\system\cpl\x32\set6663.tmp	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\set6693.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\system\cpl\x32\set6693.tmp	Generic Write,Read Attributes
c:\program files (x86)\system\cpl\x32\set6693.tmp	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\set66b3.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\system\cpl\x32\set66b3.tmp	Generic Write,Read Attributes
c:\program files (x86)\system\cpl\x32\set66b3.tmp	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\set66c4.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\system\cpl\x32\set66c4.tmp	Generic Write,Read Attributes
c:\program files (x86)\system\cpl\x32\set66c4.tmp	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\set66f4.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\system\cpl\x32\set66f4.tmp	Generic Write,Read Attributes
c:\program files (x86)\system\cpl\x32\set66f4.tmp	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\set6714.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\system\cpl\x32\set6714.tmp	Generic Write,Read Attributes
c:\program files (x86)\system\cpl\x32\set6714.tmp	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\set6734.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\system\cpl\x32\set6734.tmp	Generic Write,Read Attributes
c:\program files (x86)\system\cpl\x32\set6734.tmp	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\set6754.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\system\cpl\x32\set6754.tmp	Generic Write,Read Attributes
c:\program files (x86)\system\cpl\x32\set6754.tmp	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\set6775.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\system\cpl\x32\set6775.tmp	Generic Write,Read Attributes
c:\program files (x86)\system\cpl\x32\set6775.tmp	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\set67a5.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\system\cpl\x32\set67a5.tmp	Generic Write,Read Attributes
c:\program files (x86)\system\cpl\x32\set67a5.tmp	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\set67c5.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\system\cpl\x32\set67c5.tmp	Generic Write,Read Attributes
c:\program files (x86)\system\cpl\x32\set67c5.tmp	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\set67f5.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\system\cpl\x32\set67f5.tmp	Generic Write,Read Attributes
c:\program files (x86)\system\cpl\x32\set67f5.tmp	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\set6825.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\system\cpl\x32\set6825.tmp	Generic Write,Read Attributes
c:\program files (x86)\system\cpl\x32\set6825.tmp	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\smartdriverbackup.exe	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\smartdriverbackup.exe	Synchronize,Write Data
c:\program files (x86)\system\cpl\x32\timezone.exe	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\timezone.exe	Synchronize,Write Data
c:\program files (x86)\system\cpl\x32\timezone.exe.manifest	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\timezone.exe.manifest	Synchronize,Write Data
c:\program files (x86)\system\cpl\x32\touch.exe	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\touch.exe	Synchronize,Write Data
c:\program files (x86)\system\cpl\x32\tweakui.exe	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\tweakui.exe	Synchronize,Write Data
c:\program files (x86)\system\cpl\x32\vcdrom.exe	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\vcdrom.exe	Synchronize,Write Data
c:\program files (x86)\system\cpl\x32\vcdrom.sys	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\vcdrom.sys	Synchronize,Write Data
c:\program files (x86)\system\cpl\x32\whatinstartup.exe	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\whatinstartup.exe	Synchronize,Write Data
c:\program files (x86)\system\cpl\x32\which.exe	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\which.exe	Synchronize,Write Data
c:\program files (x86)\system\cpl\x32\wul.exe	Synchronize,Write Attributes
c:\program files (x86)\system\cpl\x32\wul.exe	Synchronize,Write Data
c:\users\user\appdata\local\temp\rarsfx0	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\__tmp_rar_sfx_access_check_23078	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\autofix.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\autofix.exe	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\bluescreenview.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\bluescreenview.exe	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\bootsafe.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\bootsafe.exe	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\bootvis.chm	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\bootvis.chm	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\bootvis.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\bootvis.exe	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\cplbonus.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\cplbonus.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\cplbonus.inf	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\cplbonus.inf	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\cpuz.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\cpuz.exe	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\cpuz.ini	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\cpuz.ini	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\cpuz.txt	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\cpuz.txt	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\cttune.chm	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\cttune.chm	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\cttune.cpl	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\cttune.cpl	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\detectduplicates.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\rarsfx0\detectduplicates.exe	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\rarsfx0\eula.rtf	Generic Read,Write Data,Write Attributes,Write extended,Append data

66 additional files are not displayed above.

Registry Modifications

i

Registry Modifications

This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.

Key::Value	Data	API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{87e19709-b25d-426e-83f9-aab1732ecd82}::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{87e19709-b25d-426e-83f9-aab1732ecd82}::	MS AutoPlay Repair Wizard	RegNtPreCreateKey

Show More

HKLM\software\classes\wow6432node\clsid\{87e19709-b25d-426e-83f9-aab1732ecd82}::infotip	Allows repairing of the Windows autoplay functions.	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{87e19709-b25d-426e-83f9-aab1732ecd82}\defaulticon::	C:\Program Files (x86)\System\CPL\x32\cplbonus.dll,-14	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{87e19709-b25d-426e-83f9-aab1732ecd82}::{305ca226-d286-468e-b848-2b2e8e697b74} 2		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{87e19709-b25d-426e-83f9-aab1732ecd82}\shellfolder::attributes		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{87e19709-b25d-426e-83f9-aab1732ecd82}\shell\open::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{87e19709-b25d-426e-83f9-aab1732ecd82}\shell\open\command::	C:\Program Files (x86)\System\CPL\x32\AutoFix.exe	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\explorer\controlpanel\namespace\{87e19709-b25d-426e-83f9-aab1732ecd82}::		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\explorer\controlpanel\namespace\{87e19709-b25d-426e-83f9-aab1732ecd82}::	Add MS Autoplay to The Control Panel	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{422bd191-5e37-4155-b76b-c1a471fd39f6}::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{422bd191-5e37-4155-b76b-c1a471fd39f6}::	BootSafe	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{422bd191-5e37-4155-b76b-c1a471fd39f6}::infotip	Makes rebooting into safe mode a snap!	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{422bd191-5e37-4155-b76b-c1a471fd39f6}\defaulticon::	C:\Program Files (x86)\System\CPL\x32\cplbonus.dll,-2	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{422bd191-5e37-4155-b76b-c1a471fd39f6}::{305ca226-d286-468e-b848-2b2e8e697b74} 2		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{422bd191-5e37-4155-b76b-c1a471fd39f6}\shellfolder::attributes		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{422bd191-5e37-4155-b76b-c1a471fd39f6}\shell\open::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{422bd191-5e37-4155-b76b-c1a471fd39f6}\shell\open\command::	C:\Program Files (x86)\System\CPL\x32\bootsafe.exe	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\explorer\controlpanel\namespace\{422bd191-5e37-4155-b76b-c1a471fd39f6}::		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\explorer\controlpanel\namespace\{422bd191-5e37-4155-b76b-c1a471fd39f6}::	Add bootsafe to The Control Panel	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{73d5bb05-7810-4f11-8677-8dbe16758384}::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{73d5bb05-7810-4f11-8677-8dbe16758384}::	BootVis	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{73d5bb05-7810-4f11-8677-8dbe16758384}::infotip	Easily optimize your Windows boot time.	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{73d5bb05-7810-4f11-8677-8dbe16758384}\defaulticon::	C:\Program Files (x86)\System\CPL\x32\cplbonus.dll,-18	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{73d5bb05-7810-4f11-8677-8dbe16758384}::{305ca226-d286-468e-b848-2b2e8e697b74} 2		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{73d5bb05-7810-4f11-8677-8dbe16758384}\shellfolder::attributes		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{73d5bb05-7810-4f11-8677-8dbe16758384}\shell\open::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{73d5bb05-7810-4f11-8677-8dbe16758384}\shell\open\command::	C:\Program Files (x86)\System\CPL\x32\bootvis.exe	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\explorer\controlpanel\namespace\{73d5bb05-7810-4f11-8677-8dbe16758384}::		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\explorer\controlpanel\namespace\{73d5bb05-7810-4f11-8677-8dbe16758384}::	Add bootvis to The Control Panel	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{09751c19-8b51-4c09-984b-944e7bd3e8a4}::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{09751c19-8b51-4c09-984b-944e7bd3e8a4}::	BlueScreenView	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{09751c19-8b51-4c09-984b-944e7bd3e8a4}::infotip	Analyzes BSOD Mini Dumps.	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{09751c19-8b51-4c09-984b-944e7bd3e8a4}\defaulticon::	C:\Program Files (x86)\System\CPL\x32\cplbonus.dll,-23	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{09751c19-8b51-4c09-984b-944e7bd3e8a4}::{305ca226-d286-468e-b848-2b2e8e697b74} 2		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{09751c19-8b51-4c09-984b-944e7bd3e8a4}\shellfolder::attributes		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{09751c19-8b51-4c09-984b-944e7bd3e8a4}\shell\open::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{09751c19-8b51-4c09-984b-944e7bd3e8a4}\shell\open\command::	C:\Program Files (x86)\System\CPL\x32\BlueScreenView.exe	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\explorer\controlpanel\namespace\{09751c19-8b51-4c09-984b-944e7bd3e8a4}::		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\explorer\controlpanel\namespace\{09751c19-8b51-4c09-984b-944e7bd3e8a4}::	Add BlueScreenView to The Control Panel	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{4de05bc9-69f6-4bfc-8094-5e1069f2f51f}::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{4de05bc9-69f6-4bfc-8094-5e1069f2f51f}::	Clipboard Viewer	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{4de05bc9-69f6-4bfc-8094-5e1069f2f51f}::infotip	Starts the Clipboard.	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{4de05bc9-69f6-4bfc-8094-5e1069f2f51f}\defaulticon::	C:\Program Files (x86)\System\CPL\x32\cplbonus.dll,-21	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{4de05bc9-69f6-4bfc-8094-5e1069f2f51f}::{305ca226-d286-468e-b848-2b2e8e697b74} 2		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{4de05bc9-69f6-4bfc-8094-5e1069f2f51f}\shellfolder::attributes		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{4de05bc9-69f6-4bfc-8094-5e1069f2f51f}\shell\open::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{4de05bc9-69f6-4bfc-8094-5e1069f2f51f}\shell\open\command::	clipbrd.exe	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\explorer\controlpanel\namespace\{4de05bc9-69f6-4bfc-8094-5e1069f2f51f}::		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\explorer\controlpanel\namespace\{4de05bc9-69f6-4bfc-8094-5e1069f2f51f}::	Add Clipboard to the Control Panel	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{4b580a54-0c73-4a05-af1d-3953daef2004}::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{4b580a54-0c73-4a05-af1d-3953daef2004}::	CPU-Z	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{4b580a54-0c73-4a05-af1d-3953daef2004}::infotip	Shows detailed CPU and RAM information.	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{4b580a54-0c73-4a05-af1d-3953daef2004}\defaulticon::	C:\Program Files (x86)\System\CPL\x32\cpuz.exe,-128	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{4b580a54-0c73-4a05-af1d-3953daef2004}::{305ca226-d286-468e-b848-2b2e8e697b74} 2		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{4b580a54-0c73-4a05-af1d-3953daef2004}\shellfolder::attributes		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{4b580a54-0c73-4a05-af1d-3953daef2004}\shell\open::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{4b580a54-0c73-4a05-af1d-3953daef2004}\shell\open\command::	C:\Program Files (x86)\System\CPL\x32\cpuz.exe	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\explorer\controlpanel\namespace\{4b580a54-0c73-4a05-af1d-3953daef2004}::		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\explorer\controlpanel\namespace\{4b580a54-0c73-4a05-af1d-3953daef2004}::	Add CPU-z to The Control Panel	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\control panel\extended properties\{305ca226-d286-468e-b848-2b2e8e697b74} 2::c:\windows\system32\cttune.cpl		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{07b3a01f-c33d-4824-9755-bbbd2f8aa809}::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{07b3a01f-c33d-4824-9755-bbbd2f8aa809}::	GPU-Z	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{07b3a01f-c33d-4824-9755-bbbd2f8aa809}::infotip	Video card information utility.	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{07b3a01f-c33d-4824-9755-bbbd2f8aa809}\defaulticon::	C:\Program Files (x86)\System\CPL\x32\gpu-z.exe	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{07b3a01f-c33d-4824-9755-bbbd2f8aa809}::{305ca226-d286-468e-b848-2b2e8e697b74} 2		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{07b3a01f-c33d-4824-9755-bbbd2f8aa809}\shellfolder::attributes		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{07b3a01f-c33d-4824-9755-bbbd2f8aa809}\shell\open::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{07b3a01f-c33d-4824-9755-bbbd2f8aa809}\shell\open\command::	C:\Program Files (x86)\System\CPL\x32\gpu-z.exe	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\explorer\controlpanel\namespace\{07b3a01f-c33d-4824-9755-bbbd2f8aa809}::		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\explorer\controlpanel\namespace\{07b3a01f-c33d-4824-9755-bbbd2f8aa809}::	Add GPU-Z to The Control Panel	RegNtPreCreateKey
HKCU\software\techpowerup\gpu-z::interval		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{b09dbd5e-5f80-4f99-91a8-d232e8badd08}::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{b09dbd5e-5f80-4f99-91a8-d232e8badd08}::	HD Tune	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{b09dbd5e-5f80-4f99-91a8-d232e8badd08}::infotip	Hard drive diagnostics and monitoring tool.	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{b09dbd5e-5f80-4f99-91a8-d232e8badd08}\defaulticon::	C:\Program Files (x86)\System\CPL\x32\cplbonus.dll,-15	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{b09dbd5e-5f80-4f99-91a8-d232e8badd08}::{305ca226-d286-468e-b848-2b2e8e697b74} 2		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{b09dbd5e-5f80-4f99-91a8-d232e8badd08}\shellfolder::attributes		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{b09dbd5e-5f80-4f99-91a8-d232e8badd08}\shell\open::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{b09dbd5e-5f80-4f99-91a8-d232e8badd08}\shell\open\command::	C:\Program Files (x86)\System\CPL\x32\hdtune.exe	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\explorer\controlpanel\namespace\{b09dbd5e-5f80-4f99-91a8-d232e8badd08}::		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\explorer\controlpanel\namespace\{b09dbd5e-5f80-4f99-91a8-d232e8badd08}::	Add hdtune to The Control Panel	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{6736cc00-9852-4a6e-a59a-875f36d7b262}::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{6736cc00-9852-4a6e-a59a-875f36d7b262}::	Hardware Monitor	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{6736cc00-9852-4a6e-a59a-875f36d7b262}::infotip	Shows monitoring info for your CPU and drives like the current temp.	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{6736cc00-9852-4a6e-a59a-875f36d7b262}\defaulticon::	C:\Program Files (x86)\System\CPL\x32\HWMonitor.exe	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{6736cc00-9852-4a6e-a59a-875f36d7b262}::{305ca226-d286-468e-b848-2b2e8e697b74} 2		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{6736cc00-9852-4a6e-a59a-875f36d7b262}\shellfolder::attributes		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{6736cc00-9852-4a6e-a59a-875f36d7b262}\shell\open::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{6736cc00-9852-4a6e-a59a-875f36d7b262}\shell\open\command::	C:\Program Files (x86)\System\CPL\x32\HWMonitor.exe	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\explorer\controlpanel\namespace\{6736cc00-9852-4a6e-a59a-875f36d7b262}::		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\explorer\controlpanel\namespace\{6736cc00-9852-4a6e-a59a-875f36d7b262}::	Add HWMonitor to The Control Panel	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{d14ed2e1-c75b-443c-bd7c-fc03b2f08c17}::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{d14ed2e1-c75b-443c-bd7c-fc03b2f08c17}::	HP USB Format Tool	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{d14ed2e1-c75b-443c-bd7c-fc03b2f08c17}::infotip	A super thumb-drive formatting tool!	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{d14ed2e1-c75b-443c-bd7c-fc03b2f08c17}::{305ca226-d286-468e-b848-2b2e8e697b74} 2		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{d14ed2e1-c75b-443c-bd7c-fc03b2f08c17}\defaulticon::	C:\Program Files (x86)\System\CPL\x32\cplbonus.dll,-19	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{d14ed2e1-c75b-443c-bd7c-fc03b2f08c17}\shell\open::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{d14ed2e1-c75b-443c-bd7c-fc03b2f08c17}\shell\open\command::	C:\Program Files (x86)\System\CPL\x32\HPUSBFW.EXE	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{d14ed2e1-c75b-443c-bd7c-fc03b2f08c17}\shellfolder::attributes		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\explorer\controlpanel\namespace\{d14ed2e1-c75b-443c-bd7c-fc03b2f08c17}::		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\explorer\controlpanel\namespace\{d14ed2e1-c75b-443c-bd7c-fc03b2f08c17}::	Add HPUSBFW to the control panel	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{b87ea05c-a92e-48c1-83e8-cddf07244afe}::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{b87ea05c-a92e-48c1-83e8-cddf07244afe}::	MemTest	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{b87ea05c-a92e-48c1-83e8-cddf07244afe}::infotip	Test the stability of your PC's ram.	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{b87ea05c-a92e-48c1-83e8-cddf07244afe}\defaulticon::	C:\Program Files (x86)\System\CPL\x32\cplbonus.dll,-5	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{b87ea05c-a92e-48c1-83e8-cddf07244afe}::{305ca226-d286-468e-b848-2b2e8e697b74} 2		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{b87ea05c-a92e-48c1-83e8-cddf07244afe}\shellfolder::attributes		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{b87ea05c-a92e-48c1-83e8-cddf07244afe}\shell\open::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{b87ea05c-a92e-48c1-83e8-cddf07244afe}\shell\open\command::	C:\Program Files (x86)\System\CPL\x32\memtest.exe	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\explorer\controlpanel\namespace\{b87ea05c-a92e-48c1-83e8-cddf07244afe}::		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\explorer\controlpanel\namespace\{b87ea05c-a92e-48c1-83e8-cddf07244afe}::	Add Memtest to The Control Panel	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{3978d214-c68d-468a-81c7-9454b188ba4f}::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{3978d214-c68d-468a-81c7-9454b188ba4f}::	MSConfig	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{3978d214-c68d-468a-81c7-9454b188ba4f}::infotip	An internal Windows configuration tool.	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{3978d214-c68d-468a-81c7-9454b188ba4f}\defaulticon::	C:\Program Files (x86)\System\CPL\x32\cplbonus.dll,-3	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{3978d214-c68d-468a-81c7-9454b188ba4f}::{305ca226-d286-468e-b848-2b2e8e697b74} 2		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{3978d214-c68d-468a-81c7-9454b188ba4f}\shellfolder::attributes		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{3978d214-c68d-468a-81c7-9454b188ba4f}\shell\open::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{3978d214-c68d-468a-81c7-9454b188ba4f}\shell\open\command::	msconfig.exe	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\explorer\controlpanel\namespace\{3978d214-c68d-468a-81c7-9454b188ba4f}::		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\explorer\controlpanel\namespace\{3978d214-c68d-468a-81c7-9454b188ba4f}::	Add msconfig to The Control Panel	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{662546eb-4737-4f6d-b8ba-cd4e6f390702}::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{662546eb-4737-4f6d-b8ba-cd4e6f390702}::	MSI Clean Up Utility	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{662546eb-4737-4f6d-b8ba-cd4e6f390702}::infotip	Cleans the left over msi installation files.	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{662546eb-4737-4f6d-b8ba-cd4e6f390702}\defaulticon::	C:\Program Files (x86)\System\CPL\x32\cplbonus.dll,-6	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{662546eb-4737-4f6d-b8ba-cd4e6f390702}::{305ca226-d286-468e-b848-2b2e8e697b74} 2		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{662546eb-4737-4f6d-b8ba-cd4e6f390702}\shellfolder::attributes		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{662546eb-4737-4f6d-b8ba-cd4e6f390702}\shell\open::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{662546eb-4737-4f6d-b8ba-cd4e6f390702}\shell\open\command::	C:\Program Files (x86)\System\CPL\x32\msicuu.exe	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\explorer\controlpanel\namespace\{662546eb-4737-4f6d-b8ba-cd4e6f390702}::		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\explorer\controlpanel\namespace\{662546eb-4737-4f6d-b8ba-cd4e6f390702}::	Add MSI Cleaner to The Control Panel	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{2d805cd4-85e6-44ad-bb3c-4711941d0ec8}::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{2d805cd4-85e6-44ad-bb3c-4711941d0ec8}::	RegEdit	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{2d805cd4-85e6-44ad-bb3c-4711941d0ec8}::infotip	Windows Registry Manager.	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{2d805cd4-85e6-44ad-bb3c-4711941d0ec8}\defaulticon::	C:\Program Files (x86)\System\CPL\x32\cplbonus.dll,-8	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{2d805cd4-85e6-44ad-bb3c-4711941d0ec8}::{305ca226-d286-468e-b848-2b2e8e697b74} 2		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{2d805cd4-85e6-44ad-bb3c-4711941d0ec8}\shellfolder::attributes		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{2d805cd4-85e6-44ad-bb3c-4711941d0ec8}\shell\open::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{2d805cd4-85e6-44ad-bb3c-4711941d0ec8}\shell\open\command::	regedt32.exe	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\explorer\controlpanel\namespace\{2d805cd4-85e6-44ad-bb3c-4711941d0ec8}::		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\explorer\controlpanel\namespace\{2d805cd4-85e6-44ad-bb3c-4711941d0ec8}::	Add regedit to The Control Panel	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\cplbonus::displayname	Kels' CPL Bonus Pack!	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\cplbonus::displayversion	12.6	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\cplbonus::nomodify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\cplbonus::norepair		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\cplbonus::publisher	Kelsenellenelvian EverDawn	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\cplbonus::comments	A huge addition of control panel utilities, apps and programs.	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\cplbonus::displayicon	C:\Program Files (x86)\System\CPL\x32\cplbonus.dll, -1	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\cplbonus::urlinfoabout	http://www.wincert.net/forum/index.php?showtopic=337	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\cplbonus::urlupdateinfo	http://www.wincert.net/forum/index.php?showtopic=337	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\cplbonus::helplink	http://www.wincert.net/forum/index.php?showtopic=337	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\cplbonus::uninstallstring	rundll32.exe advpack.dll,LaunchINFSection CPLBonus.inf,Uninstall	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{ad762173-ccd3-4711-9d99-944b9da73373}::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{ad762173-ccd3-4711-9d99-944b9da73373}::	Services and Devices	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{ad762173-ccd3-4711-9d99-944b9da73373}::infotip	Allows greater control over Windows services and devices.	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{ad762173-ccd3-4711-9d99-944b9da73373}\defaulticon::	C:\Program Files (x86)\System\CPL\x32\cplbonus.dll,-9	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{ad762173-ccd3-4711-9d99-944b9da73373}::{305ca226-d286-468e-b848-2b2e8e697b74} 2		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{ad762173-ccd3-4711-9d99-944b9da73373}\shellfolder::attributes		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{ad762173-ccd3-4711-9d99-944b9da73373}\shell\open::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{ad762173-ccd3-4711-9d99-944b9da73373}\shell\open\command::	C:\Program Files (x86)\System\CPL\x32\pserv3.exe	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\explorer\controlpanel\namespace\{ad762173-ccd3-4711-9d99-944b9da73373}::		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\explorer\controlpanel\namespace\{ad762173-ccd3-4711-9d99-944b9da73373}::	Add PSERV to The Control Panel	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{3ef2d048-6964-4b03-a8e7-b3ca6077affc}::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{3ef2d048-6964-4b03-a8e7-b3ca6077affc}::	Smart Driver Backup	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{3ef2d048-6964-4b03-a8e7-b3ca6077affc}::infotip	A great driver backup tool!	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{3ef2d048-6964-4b03-a8e7-b3ca6077affc}\defaulticon::	C:\Program Files (x86)\System\CPL\x32\SmartDriverBackup.exe	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{3ef2d048-6964-4b03-a8e7-b3ca6077affc}::{305ca226-d286-468e-b848-2b2e8e697b74} 2		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{3ef2d048-6964-4b03-a8e7-b3ca6077affc}\shellfolder::attributes		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{3ef2d048-6964-4b03-a8e7-b3ca6077affc}\shell\open::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{3ef2d048-6964-4b03-a8e7-b3ca6077affc}\shell\open\command::	C:\Program Files (x86)\System\CPL\x32\SmartDriverBackup.exe	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\explorer\controlpanel\namespace\{3ef2d048-6964-4b03-a8e7-b3ca6077affc}::		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\explorer\controlpanel\namespace\{3ef2d048-6964-4b03-a8e7-b3ca6077affc}::	Add Smart Driver Backup to The Control Panel	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{fdb6ff72-88cc-4324-9d2a-b4fbbb6497be}::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{fdb6ff72-88cc-4324-9d2a-b4fbbb6497be}::	What In Startup	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{fdb6ff72-88cc-4324-9d2a-b4fbbb6497be}::infotip	A startup process manager.	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{fdb6ff72-88cc-4324-9d2a-b4fbbb6497be}\defaulticon::	C:\Program Files (x86)\System\CPL\x32\WhatInStartup.exe	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{fdb6ff72-88cc-4324-9d2a-b4fbbb6497be}::{305ca226-d286-468e-b848-2b2e8e697b74} 2		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{fdb6ff72-88cc-4324-9d2a-b4fbbb6497be}\shellfolder::attributes		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{fdb6ff72-88cc-4324-9d2a-b4fbbb6497be}\shell\open::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{fdb6ff72-88cc-4324-9d2a-b4fbbb6497be}\shell\open\command::	C:\Program Files (x86)\System\CPL\x32\WhatInStartup.exe	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\explorer\controlpanel\namespace\{fdb6ff72-88cc-4324-9d2a-b4fbbb6497be}::		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\explorer\controlpanel\namespace\{fdb6ff72-88cc-4324-9d2a-b4fbbb6497be}::	Add WhatInStartup to The Control Panel	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{a02f63a1-5571-41bc-b2a2-207c1b4677ed}::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{a02f63a1-5571-41bc-b2a2-207c1b4677ed}::	Windows Task Manager	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{a02f63a1-5571-41bc-b2a2-207c1b4677ed}::infotip	Windows running proccess manager.	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{a02f63a1-5571-41bc-b2a2-207c1b4677ed}\defaulticon::	C:\Program Files (x86)\System\CPL\x32\cplbonus.dll,-10	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{a02f63a1-5571-41bc-b2a2-207c1b4677ed}::{305ca226-d286-468e-b848-2b2e8e697b74} 2		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{a02f63a1-5571-41bc-b2a2-207c1b4677ed}\shellfolder::attributes		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{a02f63a1-5571-41bc-b2a2-207c1b4677ed}\shell\open::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{a02f63a1-5571-41bc-b2a2-207c1b4677ed}\shell\open\command::	taskmgr.exe	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\explorer\controlpanel\namespace\{a02f63a1-5571-41bc-b2a2-207c1b4677ed}::		RegNtPreCreateKey

52 additional registry modifications are not displayed above.

Windows API Usage

i

Windows API Usage

This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

Category	API
Keyboard Access	GetKeyState
Process Manipulation Evasion	NtUnmapViewOfSection
Process Shell Execute	ShellExecuteEx
Anti Debug	NtQuerySystemInformation

Shell Command Execution

i

Shell Command Execution

This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.

(NULL) rundll32.exe advpack.dll,LaunchINFSection cplbonus.inf