PriceFountain

By GoldSparrow in Adware

Threat Scorecard

Popularity Rank:	3,608
Threat Level:	20 % (Normal)
Infected Computers:	61,828

First Seen:	September 11, 2014
Last Seen:	February 6, 2026
OS(es) Affected:	Windows

PriceFountain is an adware program that may attempt to assist computer users with saving money on the internet through shopping sites. The PriceFountain ads may be intrusive and bothersome to many computer users where they are displayed as pop-ups or banners that load while surfing the internet. The PriceFountain ads may also reduce performance of some web browsers making it hard to view certain pages or sites that have a lot of media resources to load. The PriceFountain ads are mostly unwanted and may be stopped through removal of the PriceFountain program and any related plugins or add-on components.

Table of Contents

SpyHunter Detects & Remove PriceFountain

File System Details

PriceFountain may create the following file(s):

Expand All | Collapse All

#	File Name	MD5	Detections Detections: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
1.	PriceFountainIE.dll.vir	7593be8c6ebf14ceead30f14004daf0c	3,439
Name: PriceFountainIE.dll.vir MD5: 7593be8c6ebf14ceead30f14004daf0c Size: 88.06 KB (88064 bytes) Detections: 3,439 Path: %SYSTEMDRIVE%\AdwCleaner\Quarantine\C\Users\<username>\AppData\Local\PriceFountain\PriceFountainIE.dll.vir Group: Malware file Last Updated: October 23, 2025
2.	treasonshayersupdater.exe.196737.gzquar	f51b38b72aad104861c2761b31fa6d57	118
Name: treasonshayersupdater.exe.196737.gzquar MD5: f51b38b72aad104861c2761b31fa6d57 Size: 511.48 KB (511488 bytes) Detections: 118 Path: C:\Users\<username>\AppData\Local\~TreasonsHayers\treasonshayersupdater.exe.196737.gzquar Group: Malware file Last Updated: January 24, 2026
3.	UpdateTask.exe	10bacfd2851c0f591006f1938dc7f9fd	97
Name: UpdateTask.exe MD5: 10bacfd2851c0f591006f1938dc7f9fd Size: 349.18 KB (349184 bytes) Detections: 97 Type: Executable File Path: %APPDATA%\PriceFountainUpdateVer\UpdateProc Group: Malware file Last Updated: June 1, 2016
4.	pricefountainupdateverupdate.exe	701af2a68cd925ab2e5f4fe8d5e00dad	64
Name: pricefountainupdateverupdate.exe MD5: 701af2a68cd925ab2e5f4fe8d5e00dad Size: 340.99 KB (340992 bytes) Detections: 64 Type: Executable File Path: %APPDATA%\{5B261E9F-D119-BDB0-81BC-0281DA260C72} Group: Malware file Last Updated: July 13, 2017
5.	A15D2028-577E-4962-2370-BE1A747E3FBD_1d20f0cfe92c76e	949f60bbf7c3435f3e3bb2219c44bc2b	52
Name: A15D2028-577E-4962-2370-BE1A747E3FBD_1d20f0cfe92c76e MD5: 949f60bbf7c3435f3e3bb2219c44bc2b Size: 480.25 KB (480256 bytes) Detections: 52 Path: C:\WINDOWS\System32\MRT\2168C094-1DFC-43A9-B58E-EB323313845B\FilesStash\A15D2028-577E-4962-2370-BE1A747E3FBD_1d20f0cfe92c76e Group: Malware file Last Updated: January 28, 2022
6.	PriceFountainUpdateVer.exe	196e9ec186c99ef89b58c3d2f1793302	32
Name: PriceFountainUpdateVer.exe MD5: 196e9ec186c99ef89b58c3d2f1793302 Size: 279.55 KB (279552 bytes) Detections: 32 Type: Executable File Path: %APPDATA%\{65C932AA-50CC-FC16-63F2-4BF8CFC81A8F} Group: Malware file Last Updated: July 13, 2017
7.	pricefountainw.exe.vir	7562a40072dffc3365b45f5ddbbd8fd4	23
Name: pricefountainw.exe.vir MD5: 7562a40072dffc3365b45f5ddbbd8fd4 Size: 464.38 KB (464384 bytes) Detections: 23 Path: %SYSTEMDRIVE%\AdwCleaner\Quarantine\C\Users\<username>\AppData\Local\PriceFountain\pricefountainw.exe.vir Group: Malware file Last Updated: April 30, 2021
8.	bkup.dat	c8be2d8f2af522c5e2f6865378a947b8	14
Name: bkup.dat MD5: c8be2d8f2af522c5e2f6865378a947b8 Size: 18.83 KB (18839 bytes) Detections: 14 Type: Data file Path: C:\Users\<username>\AppData\Roaming\PriceFountain\UpdateProc Group: Malware file Last Updated: July 7, 2017
9.	pricefountain.exe	bf9223344cf805a417f13e6fb8011774	7
Name: pricefountain.exe MD5: bf9223344cf805a417f13e6fb8011774 Size: 627.71 KB (627712 bytes) Detections: 7 Type: Executable File Path: %SystemDrive%\Users\<username>\AppData\Local\PriceFountain Group: Malware file Last Updated: April 12, 2016
10.	prfo.dll	d2671ea6a02a33bd0fbf5e5f9ae248f8	5
Name: prfo.dll MD5: d2671ea6a02a33bd0fbf5e5f9ae248f8 Size: 650.75 KB (650752 bytes) Detections: 5 Type: Dynamic link library Group: Malware file Last Updated: December 4, 2019
11.	pricefountain.exe.vir	b4faedd0b50a04fc4c9c8e3299f83f53	3
Name: pricefountain.exe.vir MD5: b4faedd0b50a04fc4c9c8e3299f83f53 Size: 623.1 KB (623104 bytes) Detections: 3 Path: %SYSTEMDRIVE%\AdwCleaner\Quarantine\C\Users\<username>\AppData\Local\PriceFountain\pricefountain.exe.vir Group: Malware file Last Updated: July 29, 2020
12.	pricefountainw.exe	a5eb422fd7cd518492566fcc7271ecac	1
Name: pricefountainw.exe MD5: a5eb422fd7cd518492566fcc7271ecac Size: 464.38 KB (464384 bytes) Detections: 1 Type: Executable File Path: %LOCALAPPDATA%\PriceFountain Group: Malware file Last Updated: March 19, 2016
13.	PriceFountainIE.dll	fc0d6bf2f31137e0ba953a5c79928af0	1
Name: PriceFountainIE.dll MD5: fc0d6bf2f31137e0ba953a5c79928af0 Size: 199.52 KB (199525 bytes) Detections: 1 Type: Dynamic link library Path: %LOCALAPPDATA%\PriceFountain Group: Malware file Last Updated: February 13, 2016

More files

Registry Details

PriceFountain may create the following registry entry or registry entries:

CLSID

{b608cc98-54de-4775-96c9-097de398500c}

File name without path

PriceFountainUpdateVer.exe

PriceFountainUpdateVerUpdate.exe

Regexp file mask

%WINDIR%\System32\Tasks\Price Fountain

%WINDIR%\System32\Tasks\PriceFountainUpdateVer

%WINDIR%\System32\Tasks\PriceFountainV2

%WINDIR%\Tasks\Price Fountain.job

%WINDIR%\Tasks\PriceFountainUpdateVer.job

HKEY..\..\..\..{RegistryKeys}

Software\Microsoft\Internet Explorer\Approved Extensions\{b608cc98-54de-4775-96c9-097de398500c}

Software\Microsoft\Internet Explorer\DOMStorage\pricefountain.com

Software\Microsoft\Internet Explorer\DOMStorage\www.pricefountain.com

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures\Price Fountain.job

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures\Price Fountain.job.fp

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures\PriceFountainUpdateVer.job

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures\PriceFountainUpdateVer.job.fp

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PFExe

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Price Fountain

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PriceFountainUpdateVer

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PriceFountainV2

Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{B608CC98-54DE-4775-96C9-097DE398500C}

Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B608CC98-54DE-4775-96C9-097DE398500C}

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PriceFountain

Software\Microsoft\Windows\CurrentVersion\Run\pricefountainw.exe

Software\PrcFountain

Software\PriceFountain

SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PriceFountain

HKEY_LOCAL_MACHINE\Software\[APPLICATION]\Microsoft\Windows\CurrentVersion\Uninstall..{Uninstaller}

BawdierNeuter

Price Fountain

PriceFountain

PriceFountainUpdateVer

Directories

PriceFountain may create the following directory or directories:

%APPDATA%\Microsoft\Windows\Start Menu\Programs\PriceFountain

%APPDATA%\PriceFountain

%APPDATA%\PriceFountainUpdateVer

%LOCALAPPDATA%\BawdierNeuter

%LOCALAPPDATA%\DieresisPeach

%LOCALAPPDATA%\KrishnaRheums

%LOCALAPPDATA%\PriceFountain

%LOCALAPPDATA%\TorchierIncidental

%PROGRAMFILES%\PriceFountain

%PROGRAMFILES(x86)%\PriceFountain

%Temp%\PriceFountain

%UserProfile%\Local Settings\Application Data\PriceFountain

URLs

PriceFountain may call the following URLs:

PriceFountain

pricefountain.com

Analysis Report

General information

Family Name:	Adware.PriceFountain
Signature status:	No Signature

Known Samples

MD5: 2a551e16f09be86bf04187cd350e555b

SHA1: 54711c190cacf9617a14bc1ef94f28326b494945

File Size: 89.93 KB, 89927 bytes

MD5: 6568836f85e47e9662d1abf6bc1b225e

SHA1: 634bf4eb983ba179bb1ea97b5f3a247a944e4129

File Size: 47.54 KB, 47540 bytes

MD5: 8b38be25022c5620741d24d02be89d97

SHA1: 26781e6a65af20b8960271089b884480b45b7e26

File Size: 89.88 KB, 89881 bytes

MD5: 0ee8d7fb52e2eb34794f48271dc84c39

SHA1: 19231e7903e3a2c7a4b4094dea827fb050f6f2bc

SHA256: 9ED59AD319C3B3EC6B89E7AFD91C6DF4DB059B5C97293859E6758AE75217B78F

File Size: 370.69 KB, 370688 bytes

MD5: 4aae5161cedbd18f8364c752a4baaaae

SHA1: 3c473b4cac0d317f8b05ab9a1528e6e227a43756

SHA256: 5E7EDA8557F89A3C32D257D2A7995BA058A632C2399ACFA46F0166454C2581F0

File Size: 356.86 KB, 356864 bytes

MD5: 2c1c750a1835668d36621404f34340aa

SHA1: 86fead9bc7919c0ba5a50192dfde697118e31913

SHA256: 162869984B1262829F424D393EE7CF3B82C4862A4EEB35FD6A6BE47DCEBFA5B8

File Size: 47.53 KB, 47535 bytes

MD5: 23b8455ecc0b8e574f2e612efa4ab6a3

SHA1: ad405d9e3e45e972a05747b769824819086a3563

SHA256: CF43EE37F4285443DF22D0F30E11204CF0E940D3345691B9A886F7288BB3B7C3

File Size: 370.69 KB, 370688 bytes

MD5: 66334d259b9c433b10b8945b338da3fc

SHA1: 895bbed73f592576dd0664190838cd25345519ce

SHA256: 96E51776EC17F2678EC7DF99BDAE17EAFD17D5BF1AEF28682BDD374CD58DA4A5

File Size: 89.92 KB, 89923 bytes

MD5: 15fe57324833af3eddf8102088d9256f

SHA1: d08498372abc285232bdde82fdce44031bfc6807

SHA256: B3C8821D185445B9DCEF5F8DF73F759F0E194FE164320DE73210584A2CC493B5

File Size: 47.54 KB, 47536 bytes

MD5: 5b88f67c451850da971eadb05bfcbb84

SHA1: 8079a4dfb92ff503fff184e2b1fca30cfc4dfc67

SHA256: 851E97A8E74851D6824DCAD43560607CFB3503119C4AF557A40054049E1562FE

File Size: 47.53 KB, 47533 bytes

MD5: 533b2f43ee2e168c566a0cbe90ca01b0

SHA1: de03ff4e377717588a9f25753084394c82e02ad1

SHA256: E63E5D55C2DECFF62515AD3BB659BB74A6EDAC6F57BC1BF64AC24C868B833BB4

File Size: 47.54 KB, 47537 bytes

MD5: 1d0c630e4a94a925d77d23147031cac4

SHA1: 0e2e3d61ac268b6b7594e0a7c1cedcd2a98c9ce6

SHA256: 15A64D45AFB7A57361EBB142AC272CCB2E1F3C5C1159670BA9833AEDEA7F3A94

File Size: 427.52 KB, 427520 bytes

MD5: 9331a861b1912de89a9119d4761831f3

SHA1: 6a472e9af2921231427acf86c28d6f9fc19ae8df

SHA256: 6874A832468FA624638E4B8F33B7EF9DBA471F6FCA0F45C7929285B31358A491

File Size: 370.69 KB, 370688 bytes

MD5: ab0d9c05142e3165e1a5370a519dd5a5

SHA1: a092a0d5c9e1a9438b017904917650093981d17d

SHA256: 236C47F11FB648FF8A520E400C2C8073ABCF9BC39E6BC7C6B604C672CD864590

File Size: 89.92 KB, 89924 bytes

MD5: e6ec41404b352b33b34ac4e162177d57

SHA1: 00eb1908999a02b0b4289e3ad8b4834b60460f9a

SHA256: 106B61AC68042FC7A0BD49473B2E844797A6FB6E4D4E4360A9CE621E1B73F1B8

File Size: 371.20 KB, 371200 bytes

MD5: 3666ccfaf962e3325daf828978d3ec62

SHA1: f88de0faf88c7e17ad1786f158d6b1448c067aba

SHA256: 428A0AF35B98193454FAE61357F8A552CA5391EDE683216FC5C04A873488F3BA

File Size: 371.20 KB, 371200 bytes

MD5: 8928da0541d623798513faf45eaab9f6

SHA1: b5c1ee4b415c1c467a09d463583408c386556bf0

SHA256: DC7600E3355E4CE6C1166ED999DA2EFE353AA19DCAE77059A9CA98BE0C88FD9D

File Size: 89.87 KB, 89872 bytes

MD5: 369cf1a1bfb07183d15453f83b3f33fb

SHA1: 15bc636a97238715b55ac48d3a8ff0184defcab1

SHA256: 7A631506782266D24D1CC5E6B84FF4EB38DBEFBA29EBEBF58878D9A453BC1A15

File Size: 356.86 KB, 356864 bytes

MD5: e04eef7aa9d5b9a517fd57f97afa464f

SHA1: 486802702b49b9bd99786e27dc8e585427314a29

SHA256: 6180B1328DFB09D0D54D4EA3B5895BF1A69CD024EB6812FABDAEA737772B1549

File Size: 89.93 KB, 89930 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have debug information
File doesn't have exports table
File doesn't have relocations information
File doesn't have security information
File has exports table
File is 32-bit executable
File is either console or GUI application
File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
File is Native application (NOT .NET application)

File is not packed
IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name	Value
F I L E Version	1.8.5.78 1.8.4.22 1.5.2.28
I N T E R N A L Name	CoeditorsArriving.dll LidosBrandishes.dll SubscribedTheatergoer.dll
L E G A L Copyright	Copyright (C) 2006 Copyright (C) 2015 Copyright (C) 2016
O R I G I N A L Filename	CoeditorsArriving.dll LidosBrandishes.dll SubscribedTheatergoer.dll
P R O D U C T Version	1.8.5.78 1.8.4.22 1.5.2.28

File Traits

dll
HighEntropy
x86

Files Modified

File	Attributes
\device\namedpipe	Generic Read,Write Attributes
\device\namedpipe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsba525.tmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsba525.tmp\nsexec.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsba525.tmp\nsexec.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsba525.tmp\nsprocess.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsba525.tmp\nsprocess.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsba525.tmp\stdutils.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsba525.tmp\stdutils.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsba525.tmp\system.dll	Generic Write,Read Attributes

c:\users\user\appdata\local\temp\nsba525.tmp\system.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsg69a8.tmp\nsexec.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsg69a8.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsk5b88.tmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsk5b88.tmp\nsexec.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsk5b88.tmp\nsexec.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsk5b88.tmp\nsprocess.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsk5b88.tmp\nsprocess.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsk5b88.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsk5b88.tmp\system.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsn5bef.tmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsn5bef.tmp\nsexec.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsn5bef.tmp\nsexec.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsn5bef.tmp\nsprocess.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsn5bef.tmp\nsprocess.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsn5bef.tmp\stdutils.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsn5bef.tmp\stdutils.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsn5bef.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsn5bef.tmp\system.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsna8bf.tmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsna8bf.tmp\nsexec.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsna8bf.tmp\nsexec.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsna8bf.tmp\nsprocess.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsna8bf.tmp\nsprocess.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsna8bf.tmp\stdutils.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsna8bf.tmp\stdutils.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsna8bf.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsna8bf.tmp\system.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nso5594.tmp\nsexec.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nso5594.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp64c6.tmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsp64c6.tmp\nsexec.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp64c6.tmp\nsexec.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsp64c6.tmp\nsprocess.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp64c6.tmp\nsprocess.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsp64c6.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp64c6.tmp\system.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsw1464.tmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsw1464.tmp\nsexec.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsw1464.tmp\nsexec.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsw1464.tmp\nsprocess.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsw1464.tmp\nsprocess.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsw1464.tmp\stdutils.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsw1464.tmp\stdutils.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsw1464.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsw1464.tmp\system.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsx5229.tmp\nsexec.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsx5229.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsx6f2f.tmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsx6f2f.tmp\nsexec.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsx6f2f.tmp\nsexec.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsx6f2f.tmp\nsprocess.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsx6f2f.tmp\nsprocess.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsx6f2f.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsx6f2f.tmp\system.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsz69c5.tmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsz69c5.tmp\nsexec.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsz69c5.tmp\nsexec.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsz69c5.tmp\nsprocess.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsz69c5.tmp\nsprocess.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsz69c5.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsz69c5.tmp\system.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\~nsu.tmp\au_.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\downloads	Synchronize,Write Attributes
c:\users\user\downloads\486802702b49b9bd99786e27dc8e585427314a29_0000089930	Synchronize,Write Attributes
c:\users\user\downloads\634bf4eb983ba179bb1ea97b5f3a247a944e4129_0000047540.exe	Synchronize,Write Attributes
c:\users\user\downloads\8079a4dfb92ff503fff184e2b1fca30cfc4dfc67_0000047533	Synchronize,Write Attributes
c:\users\user\downloads\895bbed73f592576dd0664190838cd25345519ce_0000089923	Synchronize,Write Attributes
c:\users\user\downloads\a092a0d5c9e1a9438b017904917650093981d17d_0000089924	Synchronize,Write Attributes
c:\users\user\downloads\b5c1ee4b415c1c467a09d463583408c386556bf0_0000089872	Synchronize,Write Attributes
c:\users\user\downloads\d08498372abc285232bdde82fdce44031bfc6807_0000047536	Synchronize,Write Attributes
c:\users\user\downloads\de03ff4e377717588a9f25753084394c82e02ad1_0000047537	Synchronize,Write Attributes

Registry Modifications

Key::Value	Data	API Name
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Ggtxkaay\AppData\Local\Temp\~nsu.tmp\Au_.exe	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Ggtxkaay\AppData\Local\Temp\~nsu.tmp\Au_.exe\??\C:\Users\Ggtxkaay\AppData\Local\Temp\~nsu.tmp	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	᧰Ǜ	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Hkbbuwno\AppData\Local\Temp\~nsu.tmp\Au_.exe	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Hkbbuwno\AppData\Local\Temp\~nsu.tmp\Au_.exe\??\C:\Users\Hkbbuwno\AppData\Local\Temp\~nsu.tmp	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	ᰳ啐Ǜ	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Hkbbuwno\AppData\Local\Temp\nsp64C6.tmp\nsprocess.dll	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Hkbbuwno\AppData\Local\Temp\nsp64C6.tmp\nsprocess.dll\??\C:\Users\Hkbbuwno\AppData\Local\Temp\nsp64C6.tmp\	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Pigsmvnt\AppData\Local\Temp\~nsu.tmp\Au_.exe	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Pigsmvnt\AppData\Local\Temp\~nsu.tmp\Au_.exe\??\C:\Users\Pigsmvnt\AppData\Local\Temp\~nsu.tmp	RegNtPreCreateKey

HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Ulxblgfl\AppData\Local\Temp\~nsu.tmp\Au_.exe	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Ulxblgfl\AppData\Local\Temp\~nsu.tmp\Au_.exe\??\C:\Users\Ulxblgfl\AppData\Local\Temp\~nsu.tmp	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Eznhyqqy\AppData\Local\Temp\~nsu.tmp\Au_.exe	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Eznhyqqy\AppData\Local\Temp\~nsu.tmp\Au_.exe\??\C:\Users\Eznhyqqy\AppData\Local\Temp\~nsu.tmp	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe		RegNtPreCreateKey
HKCU::uninstalled	TRUE	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Eznhyqqy\AppData\Local\Temp\nsw1464.tmp\nsprocess.dll	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Eznhyqqy\AppData\Local\Temp\nsw1464.tmp\nsprocess.dll\??\C:\Users\Eznhyqqy\AppData\Local\Temp\nsw1464.tmp\	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Ftbgsaet\AppData\Local\Temp\~nsu.tmp\Au_.exe	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Ftbgsaet\AppData\Local\Temp\~nsu.tmp\Au_.exe\??\C:\Users\Ftbgsaet\AppData\Local\Temp\~nsu.tmp	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	秓䆈䗧ǜ	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Ftbgsaet\AppData\Local\Temp\nsk5B88.tmp\nsprocess.dll	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Ftbgsaet\AppData\Local\Temp\nsk5B88.tmp\nsprocess.dll\??\C:\Users\Ftbgsaet\AppData\Local\Temp\nsk5B88.tmp\	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.205.9\??\C:\Windows\SystemTemp\16c022bd-5ef5-475f-a01d-152d7f6dbd19.tmp\	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	돔펊唺ǜ	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.205.9\??\C:\Users\Cxycpcvj\AppData\Local\Temp\~nsu.tmp\Au_.exe	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.205.9\??\C:\Users\Cxycpcvj\AppData\Local\Temp\~nsu.tmp\Au_.exe\??\C:\Use	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	䃒槅坬ǜ	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.205.9\??\C:\Users\Cxycpcvj\AppData\Local\Temp\nsx6F2F.tmp\nsprocess.dll	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.205.9\??\C:\Users\Cxycpcvj\AppData\Local\Temp\nsx6F2F.tmp\nsprocess.dll\	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Windows\SystemTemp\77e37ce0-8214-4414-aced-551c5ae204d7.tmp\??\C:\Windows\SystemTemp\e28eadcf-6ab0-4d8c-8821-7ce9a6aba1	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	ꮧ幢毸ǜ	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old122e41\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old12352*1\??\C:\P	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	୑嵥觭ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	娼룻錒ǜ	RegNtPreCreateKey

Windows API Usage

Category	API
Process Shell Execute	CreateProcess
Syscall Use	ntdll.dll!NtAccessCheck ntdll.dll!NtAddAtomEx ntdll.dll!NtAlertThreadByThreadId ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtApphelpCacheControl ntdll.dll!NtClearEvent ntdll.dll!NtClose ntdll.dll!NtConnectPort ntdll.dll!NtCreateEvent ntdll.dll!NtCreateFile Show More ntdll.dll!NtCreateMutant ntdll.dll!NtCreateSection ntdll.dll!NtCreateSemaphore ntdll.dll!NtDuplicateObject ntdll.dll!NtDuplicateToken ntdll.dll!NtEnumerateKey ntdll.dll!NtEnumerateValueKey ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtMapViewOfSection ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenKeyEx ntdll.dll!NtOpenProcessToken ntdll.dll!NtOpenProcessTokenEx ntdll.dll!NtOpenSection ntdll.dll!NtOpenSemaphore ntdll.dll!NtOpenThreadTokenEx ntdll.dll!NtProtectVirtualMemory ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryDebugFilterState ntdll.dll!NtQueryInformationFile ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryKey ntdll.dll!NtQueryLicenseValue ntdll.dll!NtQueryPerformanceCounter ntdll.dll!NtQuerySecurityAttributesToken ntdll.dll!NtQuerySystemInformationEx ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtQueryWnfStateData ntdll.dll!NtReadFile ntdll.dll!NtReleaseMutant ntdll.dll!NtReleaseSemaphore ntdll.dll!NtReleaseWorkerFactoryWorker ntdll.dll!NtRequestWaitReplyPort ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationFile ntdll.dll!NtSetInformationKey ntdll.dll!NtSetInformationProcess ntdll.dll!NtSetInformationVirtualMemory ntdll.dll!NtSetInformationWorkerFactory ntdll.dll!NtSubscribeWnfStateChange ntdll.dll!NtTestAlert ntdll.dll!NtTraceControl ntdll.dll!NtUnmapViewOfSection ntdll.dll!NtUnmapViewOfSectionEx ntdll.dll!NtWaitForAlertByThreadId ntdll.dll!NtWaitForSingleObject ntdll.dll!NtWaitForWorkViaWorkerFactory ntdll.dll!NtWaitLowEventPair ntdll.dll!NtWorkerFactoryWorkerReady ntdll.dll!NtWriteFile ntdll.dll!NtWriteVirtualMemory UNKNOWN win32u.dll!NtGdiAnyLinkedFonts win32u.dll!NtGdiBitBlt win32u.dll!NtGdiCreateBitmap win32u.dll!NtGdiCreateCompatibleBitmap win32u.dll!NtGdiCreateCompatibleDC win32u.dll!NtGdiCreateDIBitmapInternal win32u.dll!NtGdiCreateRectRgn win32u.dll!NtGdiCreateSolidBrush win32u.dll!NtGdiDeleteObjectApp win32u.dll!NtGdiDoPalette win32u.dll!NtGdiDrawStream win32u.dll!NtGdiExtGetObjectW win32u.dll!NtGdiExtTextOutW win32u.dll!NtGdiFontIsLinked win32u.dll!NtGdiGetCharABCWidthsW win32u.dll!NtGdiGetDCDword win32u.dll!NtGdiGetDCforBitmap win32u.dll!NtGdiGetDCObject win32u.dll!NtGdiGetDeviceCaps win32u.dll!NtGdiGetDIBitsInternal win32u.dll!NtGdiGetEntry win32u.dll!NtGdiGetFontData win32u.dll!NtGdiGetGlyphIndicesW win32u.dll!NtGdiGetOutlineTextMetricsInternalW win32u.dll!NtGdiGetRandomRgn win32u.dll!NtGdiGetRealizationInfo win32u.dll!NtGdiGetTextFaceW win32u.dll!NtGdiGetTextMetricsW win32u.dll!NtGdiGetWidthTable win32u.dll!NtGdiHfontCreate win32u.dll!NtGdiIntersectClipRect win32u.dll!NtGdiQueryFontAssocInfo win32u.dll!NtGdiRestoreDC 66 additional items are not displayed above.
Anti Debug	IsDebuggerPresent NtQuerySystemInformation
User Data Access	GetUserObjectInformation
Process Terminate	TerminateProcess
Process Manipulation Evasion	NtUnmapViewOfSection

Shell Command Execution


							"C:\Users\Ggtxkaay\AppData\Local\Temp\~nsu.tmp\Au_.exe"  _?=c:\users\user\downloads\


							"C:\WINDOWS\system32\CScript.exe"  //b //e:vbscript //nologo "c:\users\user\downloads\SoldierGlasswork.dat" "http://ins.pricejs.net/dealdo/install-report?type=install&step=uninstall&instgrp=&partner=&channel=&reason=&hid=&winver=8.1&ver=&tm=0507183250&cmdline=%22C:\Users\Ggtxkaay\AppData\Local\Temp\~nsu.tmp\Au_.exe%22%20"


							"C:\Users\Hkbbuwno\AppData\Local\Temp\~nsu.tmp\Au_.exe"  _?=c:\users\user\downloads\


							"C:\WINDOWS\system32\CScript.exe"  //b //e:vbscript //nologo "c:\users\user\downloads\BaronetciesPlasmapheresis.dat" http://ins.pricejs.net/dealdo/install-report?type=install&step=uninstall&instgrp=&partner=&channel=&reason=&hid=&winver=8.1&ver=


							"C:\Users\Pigsmvnt\AppData\Local\Temp\~nsu.tmp\Au_.exe"  _?=c:\users\user\downloads\


									"C:\WINDOWS\system32\CScript.exe"  //b //e:vbscript //nologo "c:\users\user\downloads\ConveningPushcart.dat" "http://ins.pricejs.net/dealdo/install-report?type=install&step=uninstall&instgrp=&partner=&channel=&reason=&hid=&winver=8.1&ver=&tm=150712851&cmdline=%22C:\Users\Pigsmvnt\AppData\Local\Temp\~nsu.tmp\Au_.exe%22%20"


									C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\19231e7903e3a2c7a4b4094dea827fb050f6f2bc_0000370688.,LiQMAxHB


									C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\3c473b4cac0d317f8b05ab9a1528e6e227a43756_0000356864.,LiQMAxHB


									"C:\Users\Ulxblgfl\AppData\Local\Temp\~nsu.tmp\Au_.exe"  _?=c:\users\user\downloads\


									"C:\WINDOWS\system32\CScript.exe"  //b //e:vbscript //nologo "c:\users\user\downloads\TakersMonocot.dat" http://ins.pricejs.net/dealdo/install-report?type=install&step=uninstall&instgrp=&partner=&channel=&reason=&hid=&winver=8.1&ver=


									C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\ad405d9e3e45e972a05747b769824819086a3563_0000370688.,LiQMAxHB


									"C:\Users\Eznhyqqy\AppData\Local\Temp\~nsu.tmp\Au_.exe"  _?=c:\users\user\downloads\


									"C:\WINDOWS\system32\CScript.exe"  //b //e:vbscript //nologo "c:\users\user\downloads\SerenelyCoziness.dat" "http://ins.pricejs.net/dealdo/install-report?type=install&step=uninstall&instgrp=&partner=&channel=&reason=&hid=&winver=8.1&ver=&tm=241001231&cmdline=%22C:\Users\Eznhyqqy\AppData\Local\Temp\~nsu.tmp\Au_.exe%22%20"


									"C:\Users\Ftbgsaet\AppData\Local\Temp\~nsu.tmp\Au_.exe"  _?=c:\users\user\downloads\


									"C:\WINDOWS\system32\CScript.exe"  //b //e:vbscript //nologo "c:\users\user\downloads\TapewormsFactor.dat" http://ins.pricejs.net/dealdo/install-report?type=install&step=uninstall&instgrp=&partner=&channel=&reason=&hid=&winver=8.1&ver=


									"C:\Users\Whsjtwuq\AppData\Local\Temp\~nsu.tmp\Au_.exe"  _?=c:\users\user\downloads\


									"C:\WINDOWS\system32\CScript.exe"  //b //e:vbscript //nologo "c:\users\user\downloads\ReforestedCrepey.dat" http://ins.pricejs.net/dealdo/install-report?type=install&step=uninstall&instgrp=&partner=&channel=&reason=&hid=&winver=8.1&ver=


									"C:\Users\Cxycpcvj\AppData\Local\Temp\~nsu.tmp\Au_.exe"  _?=c:\users\user\downloads\


									"C:\WINDOWS\system32\CScript.exe"  //b //e:vbscript //nologo "c:\users\user\downloads\KludgingCredibleness.dat" http://ins.pricejs.net/dealdo/install-report?type=install&step=uninstall&instgrp=&partner=&channel=&reason=&hid=&winver=8.1&ver=


									C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\0e2e3d61ac268b6b7594e0a7c1cedcd2a98c9ce6_0000427520.,LiQMAxHB


									C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\6a472e9af2921231427acf86c28d6f9fc19ae8df_0000370688.,LiQMAxHB


									"C:\Users\Hzdioufo\AppData\Local\Temp\~nsu.tmp\Au_.exe"  _?=c:\users\user\downloads\


									"C:\WINDOWS\system32\CScript.exe"  //b //e:vbscript //nologo "c:\users\user\downloads\PelletsSnowmen.dat" "http://ins.pricejs.net/dealdo/install-report?type=install&step=uninstall&instgrp=&partner=&channel=&reason=&hid=&winver=8.1&ver=&tm=1212221859&cmdline=%22C:\Users\Hzdioufo\AppData\Local\Temp\~nsu.tmp\Au_.exe%22%20"


									C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\00eb1908999a02b0b4289e3ad8b4834b60460f9a_0000371200.,LiQMAxHB


									C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\f88de0faf88c7e17ad1786f158d6b1448c067aba_0000371200.,LiQMAxHB


									"C:\Users\Gundtsym\AppData\Local\Temp\~nsu.tmp\Au_.exe"  _?=c:\users\user\downloads\


									"C:\WINDOWS\system32\CScript.exe"  //b //e:vbscript //nologo "c:\users\user\downloads\CudBards.dat" "http://ins.pricejs.net/dealdo/install-report?type=install&step=uninstall&instgrp=&partner=&channel=&reason=&hid=&winver=8.1&ver=&tm=200111548&cmdline=%22C:\Users\Gundtsym\AppData\Local\Temp\~nsu.tmp\Au_.exe%22%20"


									C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\15bc636a97238715b55ac48d3a8ff0184defcab1_0000356864.,LiQMAxHB


									"C:\Users\Upbgrmmq\AppData\Local\Temp\~nsu.tmp\Au_.exe"  _?=c:\users\user\downloads\


									"C:\WINDOWS\system32\CScript.exe"  //b //e:vbscript //nologo "c:\users\user\downloads\NonsubscriberIntimidations.dat" "http://ins.pricejs.net/dealdo/install-report?type=install&step=uninstall&instgrp=&partner=&channel=&reason=&hid=&winver=8.1&ver=&tm=3101163553&cmdline=%22C:\Users\Upbgrmmq\AppData\Local\Temp\~nsu.tmp\Au_.exe%22%20"

PriceFountain

Threat Scorecard

EnigmaSoft Threat Scorecard

SpyHunter Detects & Remove PriceFountain

File System Details

Registry Details

Directories

URLs

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

File Icons

File Icons

Windows PE Version Information

Windows PE Version Information

File Traits

Files Modified

Files Modified

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

1 Comment

Submit Comment

Related Posts

Trending

Most Viewed