Cotação de desconto para licenças múltiplas

Mudar de região

English Dansk Deutsch Español Français Italiano Nederlands Português Русский
Banco de Dados de Ameaças Adware AdLoad

AdLoad

Por GoldSparrow em Adware, Malware para Mac
Traduzir Para:

Cartão de pontuação de ameaças

Nível da Ameaça: 20 % (Normal)
Computadores infectados: 3,348
Visto pela Primeira Vez: June 16, 2011
Visto pela Última Vez: October 24, 2025
SO (s) Afetados: Windows

O AdLoad é uma ferramenta maliciosa destinada a introduzir adware potencialmente irritante no seu sistema Mac. A ferramenta está em circulação há quase três anos e não mostra sinais de desaceleração. Seu longo mandato se deve à sua capacidade de evoluir com rapidez suficiente para evitar a detecção. Ao longo de sua evolução, o AdLoad descartou dezenas de Aplicativos Potencialmente Indesejados (PUAs) - Kreberisec, SearchDaemon, DataSearch, ApolloSearch, AphroditeResults e muitos outros (veja a lista abaixo) - em um incontável número de sistemas MacOS em todo o mundo. Considerando a natureza desses aplicativos, o AdLoad não se comporta como uma ameaça típica do nível grave. No entanto, seu comportamento persistente torna qualquer tentativa de remoção uma tarefa bastante desafiadora.

Um Sequestrador ou um Trojan?

O AdLoad parece ter uma natureza duvidosa. Por um lado, ele compartilha as características típicas dos sequestradores de navegador clássicos. Ele vem disfarçado como uma atualização de software falsa ou como um download drive-by. Por outro lado, alguns pesquisadores tendem a classificar o AdLoad como uma entidade semelhante a um Trojan por causa da sua funcionalidade de backdoor para plantar todos os tipos de PUAs no host de um sistema Mac.

Uma vez dentro, o AdLoad redireciona a atividade de navegação na Web das vítimas para servidores predeterminados por meio de ataques man-in-the-middle. Esses redirecionamentos geralmente ocorrem sempre que os autores responsáveis desejam monetizar a receita de anúncios redirecionando os usuários de computador para sites infestados de anúncios pay-per-click (PPC). Embora esse modelo de publicidade não seja de forma alguma prejudicial quando aplicado com os mecanismos de busca mais populares da Web, ele pode causar problemas se for explorado pelos motivos errados. O último geralmente envolve anunciantes que pagam mecanismos de pesquisa menos conhecidos para direcionar o tráfego para sites pesados de PPC de natureza não muito saudável.

Apesar da longevidade do AdLoad, ele continua difícil de se detectar até hoje, conforme mostrado no VirusTotal, pois o adware planta vários arquivos em um grande número de diretórios. A maioria dos dados cai em várias pastas na seção Biblioteca local. Em seguida, ele executa um ou mais executáveis, que estabelecem uma conexão de área de trabalho remota por meio de um script python. Além das pastas visíveis na seção da Biblioteca local, o AdLoad pode criar uma pasta oculta projetada para manter o adware em execução.

Indicadores de uma Infecção pelo AdLoad

Como qualquer outra peça de adware, o AdLoad pode diminuir a velocidade do seu sistema, trazer inúmeros anúncios e levá-lo a sites que você nunca viu antes. Os anúncios podem oferecer atualizações de software falsas, downloads drive-by, produtos e serviços atraentes. Cuidado com o último, no entanto, especialmente se eles parecem bons demais para ser verdade.

PUAs Associados

A AdLoad supostamente trouxe dezenas de PUAs para os computadores baseados em MacOS. Alguns desses PUAs incluem, mas não estão limitados a: WebSearchStride, TotalAdviseSearch, Sorimbrsec, SkilledProjectSearch, SearchRange, SearchNetCharacter, PositiveSearch, KeyWordsSearch, MajorChannelSearch, AlphaLookup, GoldResults, GlobalQuestSearch, LeadingSignSearch, OdysseusLookup, ExpertModuleSearch, VirtualToolboxSearch, TabSearch, UpgradeSearchView, ResultsSync, NetToolboxSearch, SimpleFunctionSearch, AresLookup, PublicAdviseSearch, MajorLetterSearch, SearchArchive, SearchRange, CalypsoLookup, BinarySignSearch e assim por diante.
A lista acima é apenas uma amostra doque o AdLoad Adware é capaz de trazer para a mesa. Se um ou mais desses nomes soam conhecidos para você, é provável que você esteja com uma infecção pelo AdLoad em andamento e precise agir.

Dicas de Remoção

Para começar, você pode seguir o procedimento de remoção convencional trazendo para o Lixo quaisquer aplicativos suspeitos ou desconhecidos que encontrar na pasta Aplicativos. Em seguida, você pode limpar quaisquer arquivos AdLoad residuais que encontrar na sua Biblioteca. Preste uma atenção especial à pasta LaunchAgents em particular. Ainda assim, não se esqueça de passar por todas as pastas da Biblioteca. Embora essas etapas possam resolver o problema, examinar o seu sistema com uma solução anti-malware confiável não prejudicará. Recomendamos fortemente que você faça o último, pois o AdLoad provou ser persistente além da medida quando atacado.

AdLoad capturas de tela

AdLoad Flash Player install prompt
adload flash player prompt

Detalhes Sobre os Arquivos do Sistema

AdLoad pode criar o(s) seguinte(s) arquivo(s):
Expandir todos | Recolher todos
# Nome do arquivo MD5 Detecções
1. update.exe 3cc981c67179f1c8a1002f8026d6c6f8 3,327

Relatório de análise

Informação geral

Family Name: Trojan.Adload
Signature status: No Signature

Known Samples

MD5: b8c7b6e43f4a0ab140bcc235c247bbc5
SHA1: 6dd3adec6fe76e7fa6b2e35b30c67504c12f066f
Tamanho do Arquivo: 359.22 KB, 359220 bytes
MD5: c557fc3db4d9b52c025307e95f475747
SHA1: e782480fd9b8626ce246e6fc081acbc7fec6f9c6
Tamanho do Arquivo: 486.72 KB, 486720 bytes
MD5: ba3b39ca30a0e520b0ba7d56536b40db
SHA1: 9813a9d9b3ffc2bef3a009058d8bafe9e865e695
Tamanho do Arquivo: 180.85 KB, 180848 bytes
MD5: e87b55334389949b93cb52ffb81455be
SHA1: 0f3b83ea6aa235137442dcb9d91c545e97182c89
Tamanho do Arquivo: 121.50 KB, 121499 bytes
MD5: cf041587d8bb4bc19a9d9d18668cec92
SHA1: 3a22e93838d64693dccf30f97ec30371a5c48677
Tamanho do Arquivo: 486.82 KB, 486824 bytes
Show More
MD5: a81b99b2d91d0881e37966abe644ef79
SHA1: 058ef8b55fb5ebd390496295a49820c94e29cc2b
Tamanho do Arquivo: 219.62 KB, 219618 bytes
MD5: caa93864eb9a4e503fa9edaebf9ea974
SHA1: bf7058261e6a7aa984364c1abdd554b2c645b14f
SHA256: 46C35B73C288CCC7F74EF6F9CF9A183CF7AAFA95E8ACBA38FF87D0E2A0730286
Tamanho do Arquivo: 295.41 KB, 295414 bytes
MD5: d774ae8806f084a5ab7ff77941f4c013
SHA1: 6a69f07fc68cc99a7526f75ad84dd82e5a56972d
SHA256: 7276422F1F14AF5208DAEBF5735A77F1DF84D6618BF98FCCDAECB6F7A5A6992A
Tamanho do Arquivo: 250.54 KB, 250536 bytes
MD5: e187cfad80d4cbac3eed879e8017a47f
SHA1: 2073a80cf1bd84ec032b2421bd34427cefb8499b
SHA256: 9384096EF7D8C4E4805E63715A1ABED5D5C0D09CD46FBCB99CFC0972299F68AD
Tamanho do Arquivo: 366.73 KB, 366725 bytes
MD5: 38997bbcfbeed4b71917e6f68622c7c5
SHA1: 12042ab1425fbe1b132f54c0daff5edd6c5fd1c4
SHA256: B73BCDA71F8227B34E4E46A064797DAE3AA7F6832A161DB9130A0B9199624338
Tamanho do Arquivo: 75.54 KB, 75544 bytes
MD5: 556ab3d9bf4ae37f72b201aacd3b18e0
SHA1: c6ed1b3470b89cdcfa9ed78d115cbe4c0f994f21
SHA256: C2B3D3A04E50C27F45177050B4939DD47448D36EDD6B71EE04756AFF822EA7A2
Tamanho do Arquivo: 5.54 MB, 5543000 bytes
MD5: e2301c49f57b249aa8f13691a927a443
SHA1: 0887e46f34bec87601f359efaa768e9271fb8d81
SHA256: 1EEC6282760C6B6BF8249E4DB797F64349C5F32825E70B6FF233C43123299B34
Tamanho do Arquivo: 559.67 KB, 559672 bytes
MD5: 838d3c6d2e5cba0145ffd763220b5561
SHA1: 5c7691cc827bc62bf04968657d823ad8cce67dd8
SHA256: 63E0A5824566D2A3D14E1CAF63F78276909F7CE3D48B20800134316FFC92D90B
Tamanho do Arquivo: 308.22 KB, 308224 bytes
MD5: f966e7c6b8ce4e3838f49464276191c3
SHA1: ae60bce9e4cd5d8bfb513191a5145528c075dc20
SHA256: 6BD3E76959E607292DD0623386F31109FD4367136319B2EF3ED5855C270C2279
Tamanho do Arquivo: 501.41 KB, 501408 bytes
MD5: fa01b68ef2246c3a26a7ab26f2033890
SHA1: 5910d6a3f753828f1da4011e455459f26e9e4494
SHA256: 29E8575F2E5EEF6B180D49C94DC08E05E08CF59292010EE1E99CF8A2A98AE489
Tamanho do Arquivo: 3.08 MB, 3076827 bytes
MD5: 87042ba828a5ea209ea20c028227bea5
SHA1: 3000646dddff721b62346c5e86159ec4a1e185d0
SHA256: EC7861DEC5A5F1213378C08C2A30C45184511598B10E719E5033E955856D2D8C
Tamanho do Arquivo: 53.48 KB, 53480 bytes
MD5: 19ee7986e20521f7048afbea19076024
SHA1: 314338c4716b627733e16ec458428c97f5c3feed
SHA256: 6EF65BC0676BCA7EC2930883FE047C90DD75C0CC1E098F12A4CA6DDFF39E57F4
Tamanho do Arquivo: 3.26 MB, 3261524 bytes
MD5: 035ddd8703824c5d75f16499a0397893
SHA1: b17b8f3c3eafe88406fc71322630816084398e3e
SHA256: 9E2AC28077C57DD7EA9D48ED145F82D9AA15CED005597084733D991D6EB04F47
Tamanho do Arquivo: 78.18 KB, 78184 bytes
MD5: c8c33ba616cb111ca64d6f5762138d47
SHA1: b170960f9b1f1e45954fa0314fbe2a7a8fe64139
SHA256: E8696EC1695EBE7989618810222E5D39D7086B12CDB72B4F7AB2E5254048BE9A
Tamanho do Arquivo: 262.46 KB, 262460 bytes
MD5: 8393968220dbc0e75d79b783ad84cfdf
SHA1: 2904fa1664f6c231ce58a6fdeb605480dbfc6bf9
SHA256: F48E40010ADA411B06F16D9BB6CDFFADE3358FB1EE47AF0E2D670290E6377DED
Tamanho do Arquivo: 2.10 MB, 2097151 bytes
MD5: 9279118f57eefd978bac175ce2e91374
SHA1: a2284ab79d138526bc24218797a45f42dc72436c
SHA256: 0B6E1613A3AF0816231D7A0CD922657C35CB2D8D92BBA897114D1331677B1745
Tamanho do Arquivo: 2.10 MB, 2097151 bytes
MD5: 58b1829fa5706235c1f6763151fd37c6
SHA1: 0202d25e874489c5e53da4788857f301e30fe5b9
SHA256: B7BD8DC7AB6E02A670A0194F10087AC2088D9E164BC513A4C4208C5C797925F3
Tamanho do Arquivo: 2.10 MB, 2097151 bytes
MD5: b160ce13f27f1e016b7bfc7a015f686b
SHA1: bfb714891d12ffd43875e72908d8b9f4f576ad6e
SHA256: FAC205247D3B19B5F82F5F4D1269A5C047B6C9AD9F21CC51B4B782C2B08A3B87
Tamanho do Arquivo: 757.62 KB, 757615 bytes
MD5: 3f6d037be2f2723aa38472ae981f10d6
SHA1: f5e8679a2df2c7d3f9e7473d6b0f749327998648
SHA256: 8B7D03E64B80E844D68FD6C7CEB5B75F29D4355A98E94F57F2C777D79DE8A327
Tamanho do Arquivo: 3.86 MB, 3861785 bytes
MD5: 103b48abc69e0b80838ee23f8f7bd049
SHA1: 906cfab568e241b6821c0671da2e8f5feb1bd6cc
SHA256: 69E5CE6C7BB53FC89BA4DDE30B6FE9C48D14615F385A15A655AE6F6F24693E59
Tamanho do Arquivo: 486.82 KB, 486824 bytes
MD5: 0013d426df25b2b43160b412b3f6d35d
SHA1: 0fdf0dfc916451bdeb0911af022c5e872f2a9176
SHA256: BBB456B10E07F2FC48BBF19808D9EA64E5ECB96179C9A5244E5539ED85397B45
Tamanho do Arquivo: 615.06 KB, 615062 bytes
MD5: 556a13a2d4fbe23a26f7b1a23df670a0
SHA1: 67de5186982e23a4572902516c27c47cc4bc8a78
SHA256: 1BF4A996925826849CEB0AA570AB32E9E98A42D4FDAF3A2141B314E9BADF8A80
Tamanho do Arquivo: 75.64 KB, 75641 bytes
MD5: 8f0b9c5e8b48a6b8525a469e5a9e48ec
SHA1: 862793346177034b3b9d17bcfc055c5c200aa5f0
SHA256: DC7EDF6E31FBFD3EEC4876448878A1DEF6A3C97E9ED23BC4425912073BD012DE
Tamanho do Arquivo: 63.09 KB, 63087 bytes
MD5: 341afc3c4e8aa0148493d13dfc8bed97
SHA1: afb649034e69ece6f16d0e3282d1b8391dbff44b
SHA256: B41B8705F0CA2A4FB4B52D1F02E50143739DA97ED05DFAF245D037F8B5E88601
Tamanho do Arquivo: 1.39 MB, 1385717 bytes
MD5: 1fcac397bbe64f00e0865e36132fb2bf
SHA1: ad6d5e8854479c27c130d17aeed9c097038f52d7
SHA256: CC08B1CDCE33AECD99BD0D1098D5D8696410EF2B44D21FFC492C498D09BC4525
Tamanho do Arquivo: 524.01 KB, 524008 bytes
MD5: 89f6ef362c41116d638264a9c89a7a7b
SHA1: d1f4badf9eab3ac53a2a064db5812a5b4359cc79
SHA256: 1148D09D6B61BC7BE98F18685E86C3BC72515DC1CB1CC02AF7E0C8689F07E745
Tamanho do Arquivo: 2.52 MB, 2520394 bytes
MD5: 0683350ff975c4f831a33171e3dbd9e6
SHA1: a466bd7464b4a714c93b8230476541538cce0819
SHA256: 4E99617EED0547371F97D15D34A5CCB67410AAE911ED9A415D70782706A1DE09
Tamanho do Arquivo: 75.57 KB, 75573 bytes
MD5: 6965e133b0208698a13d6ce60f1ba18d
SHA1: b31d5b3377fabd6ca2992dc2bc5030ac34760591
SHA256: 5CECC4B4432ABF9BB4D48E888E34EBC5B6A9BB92B55D537E78A3B1FB5BF7B31E
Tamanho do Arquivo: 2.10 MB, 2097150 bytes
MD5: 862228ac7b458677ae8c5d69fccf7527
SHA1: b63c28e9e22ae19210e30a5d0557415704ffda1b
SHA256: 651B492CE504A5519E2D7982666452FE81EBF564E4316967434BFE13D7CA5E2C
Tamanho do Arquivo: 6.44 MB, 6436459 bytes
MD5: 340d30bb6fe363d782db84cbcd9bd8d6
SHA1: 0ab19e65df7f97d7d5eee65410668f31acd45a2d
SHA256: EE20DA6F620ADA5B0D3A1622485654C90685448EABDBE57DBE043304F936522A
Tamanho do Arquivo: 75.58 KB, 75585 bytes
MD5: e261f1fd2af901c9528e5ba353af961b
SHA1: d924f6981ca26a655e79fa80664b7417ce024941
SHA256: 05DBD391C1A4FED6EED5CDA514DB1D59451FC1A4A9C7B0DF9120293DF680F799
Tamanho do Arquivo: 5.13 MB, 5128085 bytes
MD5: b963938a7479471dff48fafdcf1fc581
SHA1: 8cb445efb70e8a0c9ea7d83e94756c971726c458
SHA256: D5A69F8994A9BAF4DEEAE6048B1F67435B627DE735D160CBFAD6F1C0AFBE0EC9
Tamanho do Arquivo: 9.52 MB, 9521664 bytes
MD5: 74bfc6946298f496c2864bb0dd0678d9
SHA1: c6c3510874c8141f2344ddabb509f73e441f1d11
SHA256: 145BADFEF16B4E50AB8FCB11CCCF97231F474C84DE1BB9AA86EA3F83F45B15D3
Tamanho do Arquivo: 576.88 KB, 576881 bytes
MD5: 04cd4470d50c53becbc494cbd4d05f0d
SHA1: 676f118214d9f4e9bc8c4af3b24ef4a1f685a8af
SHA256: 317C1F7D13D27537BF164C35B2B42116A6DFDFA82933499C1A5A69B5DDB3C733
Tamanho do Arquivo: 180.82 KB, 180824 bytes
MD5: fff6509a917506c0c8f3e63b1e92e065
SHA1: b2223709995ef13d86ef43792b66198ceebcaaff
SHA256: 940C99D764B8E14F79EB965480BB9C8DC756F00B63C2FB17494707C1BFBF2AC7
Tamanho do Arquivo: 72.36 KB, 72360 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has exports table
  • File has TLS information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
Show More
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Show More

Windows PE Version Information

Nome Valor
Comments
  • 5Vgq1OA3fIVBIfRu
  • This installation was built with Inno Setup.
  • This installation was built with Inno Setup: http://www.innosetup.com
Company Name
  • 5Vgq1OA3fI
  • Makhaon
  • Usługi Informatyczne 'Szansa' Gabriela Ciszyńska-Matuszek
File Description
  • 46807GHF____ Setup
  • Adobe PhotoShop CC
  • Blanditiis Setup
  • Dolores Setup
  • Download da Internet
  • DownloadUpdateInfo Setup
  • Free DWG Viewer
  • Game of Whores v025 By MANITU Games.exe Setup
  • K-Lite Mega Codec Pack
  • Libreoffice
Show More
  • Microsoft .NET Framework
  • Similique Setup
  • ZWToolbox Setup
File Version
  • 9.4.5.7
  • 4.0.4
  • 1.0.2
  • 1.0.0.0
  • 0.3
Legal Copyright
  • 5Vgq1OA3fIVBIfRueB5B
  • Copyright (C) 2003-2005 Makhaon Software, Inc.}
  • Copyright © 2000-2015 Usługi Informatyczne 'Szansa' Gabriela Ciszyńska-Matuszek
  • Copyright © 2023 Dolphin
  • Copyright © 2023 Setup
  • Copyright © 2024 Findue
Legal Trademarks 5Vgq1OA3fIVBIfRueB5BzcN8qnR
Product Name
  • 5Vgq1OA3fIVB
  • 46807GHF____
  • Adobe PhotoShop CC
  • Blanditiis
  • Dolores
  • Dolphin
  • DownloadUpdateInfo
  • Findue
  • Free DWG Viewer
  • Game of Whores v025 By MANITU Games.exe
Show More
  • K-Lite Mega Codec Pack
  • Libreoffice
  • Microsoft .NET Framework
  • Setup
  • Similique
  • ZWToolbox
Product Version
  • v.Classic
  • 9.13.17.7
  • 5.0
  • 4.10.5.4
  • 4.0.4
  • 3.5
  • 1.0.2
  • 0.14.8.16
  • 0.3

Digital Signatures

Signer Root Status
Tommy Tech LTD Sectigo Public Code Signing Root R46 Root Not Trusted
MIDIA TECHNOLOGIES LLC Starfield Class 2 Certification Authority Root Not Trusted
GENCO LABS LLC Starfield Secure Certification Authority Root Not Trusted
pdfforge GmbH Thawte Code Signing CA - G2 Self Signed
Innovative Systems LLC VeriSign Class 3 Code Signing 2010 CA Self Signed
Show More
Sevas-S LLC VeriSign Class 3 Code Signing 2010 CA Self Signed

File Traits

  • 2+ executable sections
  • dll
  • HighEntropy
  • Inno
  • InnoSetup Installer
  • Installer Manifest
  • Installer Version
  • MZ (In Overlay)
  • nosig nsis
  • No Version Info
Show More
  • Nullsoft Installer
  • x86

Block Information

Similar Families

  • Agent.M
  • Agent.MH
  • Agent.MI
  • Agent.MU
  • Autorun.LA
Show More
  • Autorun.X
  • Delf.EA
  • FakeAV.AU
  • Parite.F
  • Parite.P

Files Modified

File Attributes
\device\harddisk0\dr0 Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\gmdasllogger Generic Write,Read Attributes
c:\program files (x86)\dolores\unins000.dat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files (x86)\similique\unins000.dat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\programdata\synaptics Synchronize,Write Attributes
c:\programdata\synaptics\rcxc4cd.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\programdata\synaptics\synaptics.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\programdata\synaptics\synaptics.exe Synchronize,Write Attributes
c:\programdata\synaptics\synaptics.exe Synchronize,Write Data
c:\users\user\appdata\local\rmi\offer_downloader.exe Generic Write,Read Attributes
Show More
c:\users\user\appdata\local\temp\5gvhvti.ini Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\dummyfile.txt Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-3av31.tmp\c6ed1b3470b89cdcfa9ed78d115cbe4c0f994f21_0005543000.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-4o7c0.tmp\0fdf0dfc916451bdeb0911af022c5e872f2a9176_0000615062.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-759aa.tmp\_isetup\_setup64.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-759aa.tmp\_isetup\_shfoldr.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-759aa.tmp\idp.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-8f4vo.tmp\_isetup\_setup64.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-cbpba.tmp\_isetup\_setup64.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-cbpba.tmp\_isetup\_shfoldr.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-cc2s2.tmp\f5e8679a2df2c7d3f9e7473d6b0f749327998648_0003861785.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-d3gt7.tmp\_isetup\_iscrypt.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-d3gt7.tmp\_isetup\_setup64.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-h164b.tmp\_isetup\_setup64.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-h164b.tmp\_isetup\_shfoldr.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-h164b.tmp\non.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-h164b.tmp\non.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\is-hjh98.tmp\314338c4716b627733e16ec458428c97f5c3feed_0003261524.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-m98dn.tmp\is-hk8gn.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-s1jf7.tmp\_isetup\_iscrypt.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-s1jf7.tmp\_isetup\_setup64.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-s1jf7.tmp\_isetup\_shfoldr.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-tdc56.tmp\b63c28e9e22ae19210e30a5d0557415704ffda1b_0006436459.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsab735.tmp\button.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsab735.tmp\nsdialogs.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsab735.tmp\ocsetuphlp.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsab735.tmp\skinnedbutton.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsab735.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsabd0d.tmp\inetc.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsabd0d.tmp\nsweb.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsabd0d.tmp\registry.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsabd0d.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsb162c.tmp\modern-wizard.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsb162c.tmp\modern-wizard.bmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsb162c.tmp\nsdialogs.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsbbdf7.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsca833.tmp\modern-wizard.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsca833.tmp\modern-wizard.bmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsca833.tmp\nsdialogs.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nscc4ac.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsd54b9.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsda9b9.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsde0d.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsg5b22.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsi5526.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsiaa27.tmp\modern-wizard.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsiaa27.tmp\modern-wizard.bmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsiaa27.tmp\nsdialogs.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsj1d50.tmp\modern-wizard.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsj1d50.tmp\modern-wizard.bmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsj1d50.tmp\nsdialogs.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsj6321.tmp\button.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsj6321.tmp\nsdialogs.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsj6321.tmp\ocsetuphlp.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsj6321.tmp\skinnedbutton.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsj6321.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsj6b42.tmp\modern-wizard.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsj6b42.tmp\modern-wizard.bmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsj6b42.tmp\nsdialogs.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nskb724.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsl402b.tmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\inetc.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\inetc.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\nsprocess.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\nsprocess.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\stdutils.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\stdutils.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\system.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\uac.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\uac.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\winshell.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl402b.tmp\winshell.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsl4cc5.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsl4cd4.tmp\modern-wizard.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl4cd4.tmp\modern-wizard.bmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsl4cd4.tmp\nsdialogs.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl4d14.tmp\modern-wizard.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl4d14.tmp\modern-wizard.bmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsl4d14.tmp\nsdialogs.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl5b42.tmp\button.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl5b42.tmp\buttonevent.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl5b42.tmp\nsdialogs.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl5b42.tmp\ocsetuphlp.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl5b42.tmp\skinnedbutton.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsl5b42.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsm4f84.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsma7d4.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsne4c.tmp\modern-wizard.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsne4c.tmp\modern-wizard.bmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsne4c.tmp\nsdialogs.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nso54f9.tmp\modern-wizard.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nso54f9.tmp\modern-wizard.bmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nso54f9.tmp\nsdialogs.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nso5595.tmp\modern-wizard.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nso5595.tmp\modern-wizard.bmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nso5595.tmp\nsdialogs.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp2684.tmp\modern-wizard.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp2684.tmp\modern-wizard.bmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsp2684.tmp\nsdialogs.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp56d7.tmp\md5dll.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp56d7.tmp\nsisdl.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp56d7.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp56d7.tmp\xid.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp56d7.tmp\z.ini Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsp56d7.tmp\z.ini.log Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsq15ec.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsq308e.tmp\button.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsq308e.tmp\nsdialogs.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsq308e.tmp\ocsetuphlp.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsq308e.tmp\skinnedbutton.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsq308e.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsq4ca4.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsq6183.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsq61c3.tmp\modern-wizard.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsq61c3.tmp\modern-wizard.bmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsq61c3.tmp\nsdialogs.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsrbe56.tmp\modern-wizard.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsrbe56.tmp\modern-wizard.bmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsrbe56.tmp\nsdialogs.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nssc4bd.tmp\nsweb.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nst62c3.tmp\button.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nst62c3.tmp\nsdialogs.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nst62c3.tmp\ocsetuphlp.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nst62c3.tmp\skinnedbutton.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nst62c3.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nstab4f.tmp\installoptions.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nstab4f.tmp\iospecial.ini Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\nstab4f.tmp\iospecial.ini Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nstab4f.tmp\modern-wizard.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nste79b.tmp\b Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nste79b.tmp\i7l49gw0zb Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nste79b.tmp\nsisdl.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nste79b.tmp\setup.exe Synchronize,Write Data
c:\users\user\appdata\local\temp\nste79b.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsu6ae4.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsvbced.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nswfa4c.tmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nswfa4c.tmp\b Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nswfa4c.tmp\inetc.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nswfa4c.tmp\inetc.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nswfa4c.tmp\jav6nswuyi Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nswfa4c.tmp\jav6nswuyi_deleted_ Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nswfa4c.tmp\setup.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nswfa4c.tmp\setup.exe Synchronize,Write Data
c:\users\user\appdata\local\temp\nswfa4c.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nswfa4c.tmp\system.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsx4fc4.tmp\modern-wizard.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsx4fc4.tmp\modern-wizard.bmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsx4fc4.tmp\nsdialogs.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsxa729.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsxa778.tmp\modern-wizard.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsxa778.tmp\modern-wizard.bmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsxa778.tmp\nsdialogs.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsy1d10.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsy7bd8.tmp\nsprocess.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsy7bd8.tmp\stdutils.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsy7bd8.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsy7bd8.tmp\uac.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsy7bd8.tmp\winshell.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsyb3d8.tmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsyb3d8.tmp\nsprocess.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsyb3d8.tmp\nsprocess.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsyb3d8.tmp\stdutils.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsyb3d8.tmp\stdutils.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsyb3d8.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsyb3d8.tmp\system.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsyb3d8.tmp\uac.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsyb3d8.tmp\uac.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsyb3d8.tmp\winshell.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsyb3d8.tmp\winshell.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsz2221.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsz2270.tmp\modern-wizard.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsz2270.tmp\modern-wizard.bmp Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsz2270.tmp\nsdialogs.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsz2625.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\temp\o5vgq1oa3fivbifrueb5bzcn8qn5vgq1oa3fivbifrueb5bzcn8qn\310714_is.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\temp\o5vgq1oa3fivbifrueb5bzcn8qn5vgq1oa3fivbifrueb5bzcn8qn\5vgq1oa3fivbifrueb5bzcn8qn5vgq1oa3fivbifrueb5bzcn8qn5vgq1oa3fivbifrueb5bzcn8qn_br.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\temp\o5vgq1oa3fivbifrueb5bzcn8qn5vgq1oa3fivbifrueb5bzcn8qn\5vgq1oa3fivbifrueb5bzcn8qn5vgq1oa3fivbifrueb5bzcn8qn5vgq1oa3fivbifrueb5bzcn8qn_cr.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\temp\o5vgq1oa3fivbifrueb5bzcn8qn5vgq1oa3fivbifrueb5bzcn8qn\5vgq1oa3fivbifrueb5bzcn8qn5vgq1oa3fivbifrueb5bzcn8qn5vgq1oa3fivbifrueb5bzcn8qn_gs.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\temp\o5vgq1oa3fivbifrueb5bzcn8qn5vgq1oa3fivbifrueb5bzcn8qn\5vgq1oa3fivbifrueb5bzcn8qn5vgq1oa3fivbifrueb5bzcn8qn5vgq1oa3fivbifrueb5bzcn8qn_nj.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\temp\o5vgq1oa3fivbifrueb5bzcn8qn5vgq1oa3fivbifrueb5bzcn8qn\5vgq1oa3fivbifrueb5bzcn8qn5vgq1oa3fivbifrueb5bzcn8qn_a9.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\temp\o5vgq1oa3fivbifrueb5bzcn8qn5vgq1oa3fivbifrueb5bzcn8qn\5vgq1oa3fivbifrueb5bzcn8qn5vgq1oa3fivbifrueb5bzcn8qn_am2.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\temp\o5vgq1oa3fivbifrueb5bzcn8qn5vgq1oa3fivbifrueb5bzcn8qn\5vgq1oa3fivbifrueb5bzcn8qn5vgq1oa3fivbifrueb5bzcn8qn_t3.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\temp\o5vgq1oa3fivbifrueb5bzcn8qn5vgq1oa3fivbifrueb5bzcn8qn\5vgq1oa3fivbifrueb5bzcn8qn_mb_1.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\~nsu.tmp\au_.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\local\temp\~nsua.tmp\un_a.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\05ddc6aa91765aacacdb0a5f96df8199 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\24bd96d5497f70b3f510a6b53cd43f3e_3a89246fb90c5ee6620004f1ae0eb0ea Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\dde8b1b7e253a9758ec380bd648952af_3a4de8c2e294aa1406667e99022477bb Generic Read,Write Data,Write Attributes,Write extended,Append data

9 additional files are not displayed above.

Registry Modifications

Key::Value Dados API Name
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Tjgkcfyl\AppData\Local\Temp\~nsuA.tmp\Un_A.exe RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Tjgkcfyl\AppData\Local\Temp\~nsuA.tmp\Un_A.exe\??\C:\Users\Tjgkcfyl\AppData\Local\Temp\~nsuA.tmp RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Tjgkcfyl\AppData\Local\Temp\~nsuA.tmp\Un_A.exe\??\C:\Users\Tjgkcfyl\AppData\Local\Temp\~nsuA.tmp\??\C:\Users\Tj RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Izxmuvxw\AppData\Local\Temp\nswFA4C.tmp\ RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Uouenrps\AppData\Local\Temp\~nsuA.tmp\Un_A.exe RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Uouenrps\AppData\Local\Temp\~nsuA.tmp\Un_A.exe\??\C:\Users\Uouenrps\AppData\Local\Temp\~nsuA.tmp RegNtPreCreateKey
Show More
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Uouenrps\AppData\Local\Temp\~nsuA.tmp\Un_A.exe\??\C:\Users\Uouenrps\AppData\Local\Temp\~nsuA.tmp\??\C:\Users\Uo RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\content::cacheprefix RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\cookies::cacheprefix Cookie: RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\history::cacheprefix Visited: RegNtPreCreateKey
HKCU\software\microsoft\internet explorer\gpu::adapterinfo vendorId="0x1414",deviceID="0x8c",subSysID="0x0",revision="0x0",version="10.0.19041.3570"hypervisor="Hypervisor detected (Micros RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations *1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old122e4*1\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old12352*1\??\C:\P RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer::slowcontextmenuentries RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer::slowcontextmenuentries RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\run::synaptics pointing device driver C:\ProgramData\Synaptics\Synaptics.exe RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer::slowcontextmenuentries RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475 闭ȁ獖}偫~엦1dᵂċᵆċr֢ RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations *1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old5af52*1\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old5af62*1\??\C:\P RegNtPreCreateKey
HKCU\software\microsoft\internet explorer\gpu::adapterinfo vendorId="0x1414",deviceID="0x8c",subSysID="0x0",revision="0x0",version="10.0.19041.5794"hypervisor="Hypervisor detected (Micros RegNtPreCreateKey

Windows API Usage

Category API
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
User Data Access
  • GetComputerName
  • GetComputerNameEx
  • GetUserName
  • GetUserObjectInformation
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ReadProcessMemory
  • ZwMapViewOfSection
Process Shell Execute
  • CreateProcess
  • ShellExecuteEx
Network Wininet
  • HttpOpenRequest
  • HttpQueryInfo
  • HttpSendRequest
  • InternetConnect
  • InternetOpen
  • InternetOpenUrl
  • InternetQueryOption
  • InternetReadFile
  • InternetSetOption
Keyboard Access
  • GetKeyState
Network Winsock2
  • WSAStartup
  • WSAttemptAutodialName
Network Winsock
  • bind
  • closesocket
  • connect
  • gethostbyname
  • getsockname
  • inet_addr
  • recv
  • send
  • socket
Network Info Queried
  • GetAdaptersInfo
Service Control
  • OpenSCManager
Network Winhttp
  • WinHttpOpen
Encryption Used
  • BCryptOpenAlgorithmProvider

Shell Command Execution

RunDll32.exe "C:\Users\Tdnqepzt\AppData\Local\Temp\nst62C3.tmp\OCSetupHlp.dll",_OCPID755OpenCandy2@16 6064,8FC6518A4AAC4BBAB9EFA51BED30CBC3,CD067BF2561F435F9FA7CBC4BDA2D109,FFD012E79F9845349DD5A2020A788861
RunDll32.exe "C:\Users\Tdnqepzt\AppData\Local\Temp\nst62C3.tmp\OCSetupHlp.dll",_OCPID755OpenCandy2@16 6064,8A64A2149AB84BF28721CF13E4FA57C7,327920F321744BF690746BFE0FF83873,FFD012E79F9845349DD5A2020A788861
"C:\Users\Tjgkcfyl\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
RunDll32.exe "C:\Users\Vqaklfgo\AppData\Local\Temp\nsj6321.tmp\OCSetupHlp.dll",_OCPID755OpenCandy2@16 4708,F923245B4C4C41DD84992E564C74F2C5,958511D693AC49B3B7D9836B47A51407,62322D7CD20A42C192C8055BC765DB80
RunDll32.exe "C:\Users\Vqaklfgo\AppData\Local\Temp\nsj6321.tmp\OCSetupHlp.dll",_OCPID755OpenCandy2@16 4708,27521B4AC5FB49ADBFB210D4D23C3685,D804B426A5BE4F19BCCEFDAAB8E38154,62322D7CD20A42C192C8055BC765DB80
Show More
C:\Users\Izxmuvxw\AppData\Local\Temp\nswFA4C.tmp\setup.exe
"C:\Users\Rhndaseb\AppData\Local\Temp\is-3AV31.tmp\c6ed1b3470b89cdcfa9ed78d115cbe4c0f994f21_0005543000.tmp" /SL5="$10270,5157645,119296,c:\users\user\downloads\c6ed1b3470b89cdcfa9ed78d115cbe4c0f994f21_0005543000"
"C:\Users\Rhndaseb\AppData\Local\Temp\is-H164B.tmp\Non.exe" 6fc6ae7ad0e20df51a913ccabb2a36e4
RunDll32.exe "C:\Users\Mrozdasf\AppData\Local\Temp\nsl5B42.tmp\OCSetupHlp.dll",_RHPID994RHEng2@16 5980,9595210CF9E2400C90134CC2A18BB9F1,1276B8DBECA844DDBB5A15346776A41D,2509EDF23DD74C068F7FDBE1574BA62F
"C:\Users\Uouenrps\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
RunDll32.exe "C:\Users\Ofeohdal\AppData\Local\Temp\nsaB735.tmp\OCSetupHlp.dll",_OCPID994OpenCandy2@16 1856,3F167C7F69BD454191D1126D67ED7F5F,C5D8C87AB2F74FED9946893891DE1DAF,6D0D4CC7B2864887A794D688C45C35A4
"C:\Users\Cltgpxis\AppData\Local\Temp\is-HJH98.tmp\314338c4716b627733e16ec458428c97f5c3feed_0003261524.tmp" /SL5="$3013C,2422026,832512,c:\users\user\downloads\314338c4716b627733e16ec458428c97f5c3feed_0003261524"
"C:\Users\Zjfxqecu\AppData\Local\Temp\is-CC2S2.tmp\f5e8679a2df2c7d3f9e7473d6b0f749327998648_0003861785.tmp" /SL5="$50300,3455730,240640,c:\users\user\downloads\f5e8679a2df2c7d3f9e7473d6b0f749327998648_0003861785"
RunDll32.exe "C:\Users\Kitklmoi\AppData\Local\Temp\nsq308E.tmp\OCSetupHlp.dll",_OCPID755OpenCandy2@16 7612,2879BE44B157471DB9B3AB7758193E61,514502EEEEA64E19884D4FB0A2ADD04A,452E5715FC4A4CFBAE780DD8DEE2172D
RunDll32.exe "C:\Users\Kitklmoi\AppData\Local\Temp\nsq308E.tmp\OCSetupHlp.dll",_OCPID755OpenCandy2@16 7612,8F2B307B8B9F4E009F4988FA291B62B8,E23813372B8C40ED8AFC99F050910C84,452E5715FC4A4CFBAE780DD8DEE2172D
"C:\Users\Fykmzkok\AppData\Local\Temp\is-4O7C0.tmp\0fdf0dfc916451bdeb0911af022c5e872f2a9176_0000615062.tmp" /SL5="$A20260,220874,131584,c:\users\user\downloads\0fdf0dfc916451bdeb0911af022c5e872f2a9176_0000615062"
"C:\Users\Khjbmrmj\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=c:\users\user\downloads\
C:\Users\Olxobqng\AppData\Local\Temp\nstE79B.tmp\setup.exe
"C:\Users\Xrqokjkv\AppData\Local\Temp\is-M98DN.tmp\is-HK8GN.tmp" /SL4 $3035E "c:\users\user\downloads\d1f4badf9eab3ac53a2a064db5812a5b4359cc79_0002520394" 2286371 52224
"C:\Users\Olegikiu\AppData\Local\Temp\is-TDC56.tmp\b63c28e9e22ae19210e30a5d0557415704ffda1b_0006436459.tmp" /SL5="$702BA,5739916,721408,c:\users\user\downloads\b63c28e9e22ae19210e30a5d0557415704ffda1b_0006436459"
runas c:\users\user\downloads\._cache_8cb445efb70e8a0c9ea7d83e94756c971726c458_0009521664
runas C:\ProgramData\Synaptics\Synaptics.exe InjUpdate
"C:\Users\Icfxxknw\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=c:\users\user\downloads\
C:\Users\Peorcehd\AppData\Local\Temp\Temp\O5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn\5Vgq1OA3fIVBIfRueB5BzcN8qn_mb_1.exe
C:\Users\Peorcehd\AppData\Local\Temp\Temp\O5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn\310714_is.exe
C:\Users\Peorcehd\AppData\Local\Temp\Temp\O5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn\5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn_cr.exe
C:\Users\Peorcehd\AppData\Local\Temp\Temp\O5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn\5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn_t3.exe /np 1 /is cfsp1br
C:\Users\Peorcehd\AppData\Local\Temp\Temp\O5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn\5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn_a9.exe -silence -ptid=pcm
C:\Users\Peorcehd\AppData\Local\Temp\Temp\O5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn\5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn_am2.exe /u http://www.amoninst.com/index.php /ta /ci 9664 /i MyBestOffersTodayBR
C:\Users\Peorcehd\AppData\Local\Temp\Temp\O5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn\5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn_br.exe
C:\Users\Peorcehd\AppData\Local\Temp\Temp\O5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn\5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn_nj.exe
C:\Users\Peorcehd\AppData\Local\Temp\Temp\O5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn\5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn5Vgq1OA3fIVBIfRueB5BzcN8qn_gs.exe

Postagens Relacionadas

Tendendo

MegaCortex, um ransomware inspirado em matriz está à...

Segurança do Computador
Uma nova e sofisticada ameaça Ransomware, chamada MegaCortex, foi detectada pelos pesquisadores da Sophos para atacar redes corporativas em todo o mundo. Uma vez lá dentro, o ransomware se espalha para todas as máquinas disponíveis através de controladores de domínio do Windows. Os ataques do MegaCortex foram observados em vários países - EUA, Canadá, Argentina, França, Itália, Holanda,...

Mais visto

Carregando...