PUP.Amonetize

By CagedTech in Potentially Unwanted Programs

Threat Scorecard

Popularity Rank:	1,987
Threat Level:	10 % (Normal)
Infected Computers:	379,208

First Seen:	February 6, 2014
Last Seen:	February 1, 2026
OS(es) Affected:	Windows

Table of Contents

File System Details

PUP.Amonetize may create the following file(s):

Expand All | Collapse All

#	File Name	MD5	Detections Detections: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
1.	AdmobPilotV401Crack__7934_il3770.exe	f444f83d0ace9009a19f35aa45899cfd	38
Name: AdmobPilotV401Crack__7934_il3770.exe MD5: f444f83d0ace9009a19f35aa45899cfd Size: 1.02 MB (1022684 bytes) Detections: 38 Type: Executable File Path: %USERPROFILE%\Downloads\Programs Group: Malware file Last Updated: January 26, 2017
2.	VideoScribe231Pro__7934_il55.exe	9b4dd44cbfeeba2c0d10897849a28165	29
Name: VideoScribe231Pro__7934_il55.exe MD5: 9b4dd44cbfeeba2c0d10897849a28165 Size: 1.35 MB (1356461 bytes) Detections: 29 Type: Executable File Path: %USERPROFILE%\Downloads Group: Malware file Last Updated: January 26, 2017
3.	DBFtoXLSExcelConverterFullDownload__7934_il1378.exe	0a15a3675b7ec12d97747a90ccab8d00	19
Name: DBFtoXLSExcelConverterFullDownload__7934_il1378.exe MD5: 0a15a3675b7ec12d97747a90ccab8d00 Size: 1.32 MB (1321926 bytes) Detections: 19 Type: Executable File Path: %USERPROFILE%\Downloads\Video\Programs Group: Malware file Last Updated: January 26, 2017
4.	setupos_1123.exe	30e3a418fe777bc00af856a29580a694	12
Name: setupos_1123.exe MD5: 30e3a418fe777bc00af856a29580a694 Size: 5.7 MB (5708288 bytes) Detections: 12 Type: Executable File Path: %PROGRAMFILES(x86)%\oTD6YY5x6g Group: Malware file Last Updated: February 3, 2017
5.	keywordrequest__7934_il2116.exe	67ba02a118a136e0f30e5bad0138f796	11
Name: keywordrequest__7934_il2116.exe MD5: 67ba02a118a136e0f30e5bad0138f796 Size: 1.18 MB (1180363 bytes) Detections: 11 Type: Executable File Path: %USERPROFILE%\Downloads Group: Malware file Last Updated: January 26, 2017
6.	P50Adjustmentresetter__7934_il3386.exe	f5a09bd79a940b227dfc7f7ef0838100	11
Name: P50Adjustmentresetter__7934_il3386.exe MD5: f5a09bd79a940b227dfc7f7ef0838100 Size: 1.11 MB (1118381 bytes) Detections: 11 Type: Executable File Path: %USERPROFILE%\Downloads Group: Malware file Last Updated: January 26, 2017
7.	PayPalMoneyAdder__7934_il7715_2.exe	22d15884aa1b8aa766ef36fcd017d38a	8
Name: PayPalMoneyAdder__7934_il7715_2.exe MD5: 22d15884aa1b8aa766ef36fcd017d38a Size: 1.18 MB (1183422 bytes) Detections: 8 Type: Executable File Path: %USERPROFILE%\Downloads\Programs Group: Malware file Last Updated: January 26, 2017
8.	PayPalMoneyAdder__7934_il7715.exe	241a70673baff4fdeef513370cdce8ab	8
Name: PayPalMoneyAdder__7934_il7715.exe MD5: 241a70673baff4fdeef513370cdce8ab Size: 1.18 MB (1183422 bytes) Detections: 8 Type: Executable File Path: %USERPROFILE%\Downloads\Programs Group: Malware file Last Updated: January 26, 2017
9.	PayPalMoneyAdder__7934_il7715_3.exe	46f02b4e0d007e402ca63bdc4de647cd	8
Name: PayPalMoneyAdder__7934_il7715_3.exe MD5: 46f02b4e0d007e402ca63bdc4de647cd Size: 1.18 MB (1183433 bytes) Detections: 8 Type: Executable File Path: %USERPROFILE%\Downloads\Programs Group: Malware file Last Updated: January 26, 2017
10.	KMSpico__7934_il17.exe	47d62242df416ff107ca324079f73b05	7
Name: KMSpico__7934_il17.exe MD5: 47d62242df416ff107ca324079f73b05 Size: 1.29 MB (1293190 bytes) Detections: 7 Type: Executable File Path: %USERPROFILE%\Downloads Group: Malware file Last Updated: January 26, 2017
11.	PDFXChangeEditorPlus603181MULTIPLx86x64Portable__7934_il5451.exe	99ce5c212ead5ef7e642507276e19cb7	4
Name: PDFXChangeEditorPlus603181MULTIPLx86x64Portable__7934_il5451.exe MD5: 99ce5c212ead5ef7e642507276e19cb7 Size: 1.41 MB (1413789 bytes) Detections: 4 Type: Executable File Path: D:\Dokumente Group: Malware file Last Updated: January 26, 2017
12.	SteamCodesPlusHack__7934_il6.exe	f12cd52d74b476e63c31db9d10371de3	3
Name: SteamCodesPlusHack__7934_il6.exe MD5: f12cd52d74b476e63c31db9d10371de3 Size: 1.28 MB (1284008 bytes) Detections: 3 Type: Executable File Path: %USERPROFILE%\Downloads Group: Malware file Last Updated: January 26, 2017
13.	iSL3ZMNMT7.exe	05df758a2fdc54bf5ba8b4806d597478	3
Name: iSL3ZMNMT7.exe MD5: 05df758a2fdc54bf5ba8b4806d597478 Size: 265.21 KB (265216 bytes) Detections: 3 Type: Executable File Path: %SystemDrive%\Program Files\Intel\0X64YYX18 Group: Malware file Last Updated: October 24, 2025
14.	totalvpncracked__7934_il646.exe	4dc83d433a0fcdf7f5241fd9e4401b5f	2
Name: totalvpncracked__7934_il646.exe MD5: 4dc83d433a0fcdf7f5241fd9e4401b5f Size: 1.37 MB (1376482 bytes) Detections: 2 Type: Executable File Path: %USERPROFILE%\Downloads\Programs Group: Malware file Last Updated: January 26, 2017
15.	ApowersoftVideoDownloadCapture604SerialKeys__7934_il3930.exe	80a7a4ab92f194133012a7c95a09b962	1
Name: ApowersoftVideoDownloadCapture604SerialKeys__7934_il3930.exe MD5: 80a7a4ab92f194133012a7c95a09b962 Size: 1.42 MB (1427426 bytes) Detections: 1 Type: Executable File Path: %USERPROFILE%\Downloads Group: Malware file Last Updated: January 26, 2017
16.	AVSVideoConverter__7934_il4863.exe	6ea5ed9221d1179d9702de0c2ea3bf07	1
Name: AVSVideoConverter__7934_il4863.exe MD5: 6ea5ed9221d1179d9702de0c2ea3bf07 Size: 725.65 KB (725659 bytes) Detections: 1 Type: Executable File Path: D:\FILMY\filmy dzisiaj ?ci?gni?te Group: Malware file Last Updated: January 26, 2017
17.	Doulci__7934_il6135_2.exe	44ad39009ba6a47f3f497c372e928235	1
Name: Doulci__7934_il6135_2.exe MD5: 44ad39009ba6a47f3f497c372e928235 Size: 1.29 MB (1292890 bytes) Detections: 1 Type: Executable File Path: %USERPROFILE%\Downloads\Programs Group: Malware file Last Updated: January 26, 2017
18.	Doulci__7934_il6135.exe	9fcfc5fb057f87956f35506b10b6d7a2	1
Name: Doulci__7934_il6135.exe MD5: 9fcfc5fb057f87956f35506b10b6d7a2 Size: 1.29 MB (1292885 bytes) Detections: 1 Type: Executable File Path: %USERPROFILE%\Desktop Group: Malware file Last Updated: January 26, 2017
19.	L550C85__7934_il724 (1).exe	933e1a0008d0fb82456718547a762d27	1
Name: L550C85__7934_il724 (1).exe MD5: 933e1a0008d0fb82456718547a762d27 Size: 1.26 MB (1262597 bytes) Detections: 1 Type: Executable File Path: %USERPROFILE%\Downloads Group: Malware file Last Updated: January 26, 2017
20.	Spyhunter4Keygen__7934_il2600.exe	f7c1c37cea8ffed3d4876c22283a3250	1
Name: Spyhunter4Keygen__7934_il2600.exe MD5: f7c1c37cea8ffed3d4876c22283a3250 Size: 1.15 MB (1158664 bytes) Detections: 1 Type: Executable File Path: %USERPROFILE%\Downloads Group: Malware file Last Updated: January 26, 2017
21.	PokemonGoBOT__7934_il471.exe	05675f7c9fb85f8cfc5524ab5d8439f2	1
Name: PokemonGoBOT__7934_il471.exe MD5: 05675f7c9fb85f8cfc5524ab5d8439f2 Size: 1.36 MB (1368786 bytes) Detections: 1 Type: Executable File Path: %USERPROFILE%\Desktop Group: Malware file Last Updated: January 26, 2017
22.	Emulador3dsCitra__7934_il19.exe	4b1ddd6808c5724b437deefcb323b9f4	1
Name: Emulador3dsCitra__7934_il19.exe MD5: 4b1ddd6808c5724b437deefcb323b9f4 Size: 1.35 MB (1351476 bytes) Detections: 1 Type: Executable File Path: %USERPROFILE%\Downloads Group: Malware file Last Updated: January 26, 2017
23.	keygen115__7934_il8.exe	d39ee046952b4baa8f007f86ab44fe2f	1
Name: keygen115__7934_il8.exe MD5: d39ee046952b4baa8f007f86ab44fe2f Size: 2.77 MB (2772310 bytes) Detections: 1 Type: Executable File Path: %USERPROFILE%\Downloads\Programs Group: Malware file Last Updated: January 26, 2017
24.	File.exe	74ee1b7d938c0c55b17ae200b7f75df8	0
Name: File.exe MD5: 74ee1b7d938c0c55b17ae200b7f75df8 Size: 276.48 KB (276480 bytes) Detections: 0 Type: Executable File Group: Malware file Last Updated: March 31, 2017

More files

Registry Details

PUP.Amonetize may create the following registry entry or registry entries:

Regexp file mask

%TEMP%\amipixel.cfg

%TEMP%\amisetup[NUMBERS]__[NUMBERS][RANDOM CHARACTERS].exe

%TEMP%\amitest.txt

%WINDIR%\System32\Tasks\amiupdaterExd

%WINDIR%\System32\Tasks\amiupdaterExi

%WINDIR%\System32\Tasks\AmiUpdXp

%WINDIR%\Tasks\AmiUpdXp.job

HKEY..\..\..\..{RegistryKeys}

SOFTWARE\Classes\dream.capture

SOFTWARE\Classes\dream.capture.1

SOFTWARE\Classes\tschmna

SOFTWARE\Classes\Updater.AmiUpd

SOFTWARE\Classes\Updater.AmiUpd.1

Software\Microsoft\wewewe

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\amiupdaterExd

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\amiupdaterExi

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AmiUpdXp

Software\Scanner_bot

SOFTWARE\Wow6432Node\Scanner_bot

Directories

PUP.Amonetize may create the following directory or directories:

%PROGRAMFILES%\AmiExt

%PROGRAMFILES%\compliant host controller

%PROGRAMFILES%\impacts

%PROGRAMFILES%\sarouga

%PROGRAMFILES(x86)%\AmiExt

%PROGRAMFILES(x86)%\compliant host controller

%PROGRAMFILES(x86)%\impacts

%PROGRAMFILES(x86)%\sarouga

Analysis Report

General information

Family Name:	PUP.Amonetize
Signature status:	No Signature

Known Samples

MD5: a7dce430c79adc76ef7ab68f9063e6c0

SHA1: 31d58284e53d720bd678401886f648e687c019c0

File Size: 2.43 MB, 2426543 bytes

MD5: 3224dad8dbabdc99b1e1a5de450b5f55

SHA1: f0bd5666328795410cd4c0cac0ee810239cc0f7c

File Size: 385.02 KB, 385024 bytes

MD5: 7c054b36927690f3e9e1b12d467763fc

SHA1: 649b11c3d3fe987b247eb141bd4081d59bbf35c2

File Size: 851.46 KB, 851456 bytes

MD5: 95b831ce68f4de797fa16eec60797362

SHA1: 893dd4366bc2fcb78d7ffb766ee2cb4d37daf6f6

File Size: 911.10 KB, 911104 bytes

MD5: 106086d35a0a2ae25f16d172f8c3dd5a

SHA1: 75604403692dd907cdfe30b2af3676f3c00feedf

SHA256: A3D65AC4B89B14D3BE3B6F54ECAB241F6DD890FB2CB38434FAE15300D19B74A5

File Size: 442.88 KB, 442880 bytes

MD5: 28ea8fe184e563fd642f751566a96bed

SHA1: 65a6f882391866e19669e7027c38fdd226d6452a

SHA256: BFDCF1A77CEE8DE2330921ABE850BDCCACEE8A3A9E85C88E15DC0BEB2184FC13

File Size: 757.78 KB, 757776 bytes

MD5: 84846e8ad3d8c9cf7d82318f7a3f024f

SHA1: 27b828e524ae9db69ab246700a1237e8a53a022b

SHA256: 6DBACA4F30E945BEF3EED694DABB5A97F07FEB95E2261AC122CC4966855EC9BF

File Size: 712.86 KB, 712864 bytes

MD5: a7c36f6aadaff0c642d547ece382009e

SHA1: b47c244e1a1d4710ef4bab904881c71cb7ef30e8

SHA256: C1BF73DE3186942C958D5280CDF3DA3659270148D4DDBF62D345203FF5657F0A

File Size: 385.02 KB, 385024 bytes

MD5: b102668a6bdbb42c556c9f4803abd81b

SHA1: b79c11f4a18edc49ed60cc173016815226ae192d

SHA256: 0F0E1BED29C98709DC39403DF94E64F229169C31AD0333D9BB041E3E9E27B8C3

File Size: 157.73 KB, 157728 bytes

MD5: cd15bc7304d91fadd7db9033d6898309

SHA1: f81790f42741a33608e0e07c18884dc8a608f434

SHA256: 25EF37FE895E2962078D9B53A11D4C59C594F00DD4F0ADBAF6CB7CA4EF68494A

File Size: 347.76 KB, 347761 bytes

MD5: 886ac6d33b5073d69cca9a25a631fbce

SHA1: 1655606611d7df45a6bc9e58ca44b17e5b650793

SHA256: 32E6F488F2CF3839F0514C8C067373AF10A8825FA45D809292E47D9DD00247A8

File Size: 44.33 KB, 44325 bytes

MD5: ef9062ed9967d65faaf0a36a7fe182ac

SHA1: da14c5b9357277eedfd758e65e4cf21e90a8f4cf

SHA256: E278A9927E75DC520DA5C94E6F8A77051F9BF76B9A860ED8189CA421D439327E

File Size: 2.46 MB, 2463576 bytes

MD5: e2c87a5ae12b845a46d0877519b0730c

SHA1: 368041d5cb06f71f1a71ed7babcf87cf5478b297

SHA256: 323276919CE39C71E5A129CA562D7B2A798B9A52F269787FA381D58EE021DC58

File Size: 883.41 KB, 883410 bytes

MD5: 5c18867bc4529ef3306c5913a2f4705b

SHA1: 6fa29da28ca8c944310b8525700f5653d68531c7

SHA256: B897A9E6AB4E3AD94DCC39AA621AA2782F25C3E2A8AD3375FDC64B78EF63CD30

File Size: 5.34 MB, 5337088 bytes

MD5: 8661a2523c955764c8d2528741ce4896

SHA1: 028894632ec7438d6f7cb14ab4a9e1d798b8bafd

SHA256: AE9A03CF1A34E34B81591597FE1341D2E3CE40BC838D471C25972EB484E01296

File Size: 2.22 MB, 2220907 bytes

MD5: c8930be62a79168f3f07c0df56b9c6a8

SHA1: 7404859df31927c257b9aa02d1cc61a20df8c670

SHA256: 1D92C5B6B43FA07FE81B4E21BB950C9554C39B82E76E4FDBF3FEEB3E786C8C00

File Size: 339.50 KB, 339496 bytes

MD5: 8f89be841455b712b5be9064e6e07755

SHA1: c2492465691e6a708b57c350333ac5475ec04b84

SHA256: C2603CDF7FAB0DA309C9D8F7F72A476A7A4826F061834CBF5D0958D1E80A5329

File Size: 2.43 MB, 2426543 bytes

MD5: bf7e095fcbbca60e93d1f1af69e79ccc

SHA1: 4a49b063c8c6d969e3d414b864c85930d8f6e911

SHA256: 1BCB411683915BF1CD3442D45E488F93DF53E6175A6E2E5E1FAD207443C33FF6

File Size: 2.30 MB, 2298534 bytes

MD5: ed5bee24566c735d02239e4dc0d2c484

SHA1: df29227bacf1c156aa567e768e4fe739b464f6fd

SHA256: C166DDD74CAC57151F2950FA23846B50CD641E15F22280715E2A1FEA0AF06203

File Size: 44.33 KB, 44325 bytes

MD5: 19d43976e1cb1cda7b761f19a33e5943

SHA1: 706948a835af9b3a55fd2abc89b07a6daa0706da

SHA256: BAC69E30A72169326A690538CA938AB5027DD14AD8621267519E6A1BEDF2038A

File Size: 711.29 KB, 711290 bytes

MD5: 7a9bf6966f04f8f28a379087789a8cf7

SHA1: e0a6ee9d450a60d593221a060dedd02c3aac9e3a

SHA256: BC58799270D8A059646E9C7B8DC27008BE8B8A6A93DAC856FEA6D7A42A314EA0

File Size: 44.33 KB, 44325 bytes

MD5: b66517aca214128ad6a79e32b3b932e6

SHA1: 17a1cef10a984b93f6da24063958fb4e8dceac5b

SHA256: 1AAD1462D5B01CD27A9A77EC4A3A5543EA198F8E6A914D5CE7FA40E79C28DAD7

File Size: 2.43 MB, 2426543 bytes

MD5: f32b15c82d1dcee3ccf0d5425b9a7cd2

SHA1: c1cab83df0e5c46e8fe51af63dd7bf42d7566d84

SHA256: F0A997C89548D76DB2D0F94CE954CB461D1FE386B0010B56B1121C4C0AA3D57E

File Size: 697.86 KB, 697856 bytes

MD5: 2df73a7c5ea21cb27256a3ceecc7d81d

SHA1: df1f9832b7adff295563fdc3e42ed90209efd3d4

SHA256: 059BE8F45F3F04E2B95720A0543A3C37872DF9AB65DC8CB14B3A778057224E5E

File Size: 189.49 KB, 189490 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have debug information
File doesn't have exports table
File doesn't have relocations information
File doesn't have security information
File has been packed
File has exports table
File has TLS information
File is .NET application
File is 32-bit executable

File is either console or GUI application
File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
File is Native application (NOT .NET application)
File is not packed
IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name	Value
Assembly Version	1.4.0.1 1.0.0.0
Comments	Created with Setup Factory This installation was built with Inno Setup.
Company Name	Amonetize ltd. Amônétízé Ltd Apple Inc. Emirates Skillbrains
File Description	Apple Inc. 9.1.2 Installation Arsenal Frostgame inethnfd installer Installer install_services lightshot Setup P2GAMES Setup/Uninstall Setup Application Show More SetupEstacao win32exe installer
File Version	112.47.14.333 51.52.0.0 9.1.2 9.1.0.0 5.5.0.7 2.4.0.0 1.4.0.1 1.1.5.89 1.1.5.26 1.1.4.46 Show More 1.0.5.72 1.0.3.819 1.0.3.228 1.0.2.997 1.0.2.679 1.0.0.1 1.0.0.0 1.0.0
Internal Name	fly.exe Installer.exe P2GAMES.exe setup.exe SetupQbit3_Estacao.exe suf_launch
Legal Copyright	(c) Amonetize ltd., 2012,2013. All rights reserved. (c) Amônétízé Ltd, 2012,2013. All rights reserved. Apple Inc. Copyright 2013-2014 Copyright © 2013 Copyright © 2016 Copyright © 2026 shaderblox Fly Emirates Setup Engine Copyright © 2004-2012 Indigo Rose Corporation
Legal Trademarks	Setup Factory is a trademark of Indigo Rose Corporation.
Original Filename	fly.exe Installer.exe P2GAMES.exe setup.exe SetupQbit3_Estacao.exe suf_launch.exe
Product Name	arsenal inethnfd Installer install_services lightshot P2GAMES SetupEstacao Setup Factory Runtime shaderblox win32exe
Product Version	112.47.0.0 9.1.0.0 5.5.0.7 2.1.12 1.4.0.1 1.1.5.26 1.1.4.46 1.0.0.0 1.0.0
Program I D	com.embarcadero.install_services

Digital Signatures

Signer	Root	Status
LLC "HALKON PLYUS"	COMODO RSA Certification Authority	Root Not Trusted
LLC "TELE-SERVIS"	COMODO RSA Code Signing CA	Self Signed
Amonetize ltd.	Thawte Code Signing CA - G2	Self Signed
octecnologia_SPC	octecnologia_SPC	Self Signed

File Traits

.NET
.sdata
2+ executable sections
big overlay
HighEntropy
Inno
InnoSetup Installer
Installer Manifest
Installer Version
nosig nsis

Nullsoft Installer
SUF
VirtualQueryEx
WriteProcessMemory
x86

Block Information

Similar Families

Banker.GN
Casbaneiro.A
Delf.OF
Dropper.Delf.C
Dropper.Delf.CF

Gamehack.ODB
Injector.AJA
Injector.KPD
MSIL.Agent.FQ
MSIL.Agent.XX
MSIL.Downloader.CPB
MSIL.Downloader.XL
MSIL.Dropper.HG
MSIL.Dropper.X
MSIL.Spy.Agent.XC
Morto.B
Ousaban.C
Sheloader.A
Softcnapp.N
Ulise.BE

Files Modified

File	Attributes
\device\namedpipe	Generic Read,Write Attributes
\device\namedpipe	Generic Write,Read Attributes
\device\namedpipe\gmdasllogger	Generic Write,Read Attributes
c:\program files (x86)\common files\config\data.xml	Generic Write,Read Attributes
c:\program files (x86)\common files\config\uninstinethnfd.exe	Generic Write,Read Attributes
c:\program files (x86)\common files\config\ver.xml	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_ir_sf_temp_0\irsetup.dat	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_ir_sf_temp_0\irsetup.dat	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\_ir_sf_temp_0\irsetup.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\_ir_sf_temp_0\irzip.lmd	Generic Write,Read Attributes

c:\users\user\appdata\local\temp\_ir_sf_temp_0\lua5.1.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\nsabc22.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsdaaf1.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nse2087.tmp	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nse2087.tmp\nsexec.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nse2087.tmp\nsexec.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nse2087.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nse2087.tmp\system.dll	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nsi219a.tmp\nsexec.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsi219a.tmp\system.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nspfa03.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsqbd1c.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nssa9c8.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nst1f9b.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nsvfabf.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\~nsu.tmp\au_.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\local\temp\~nsua.tmp\un_a.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\roaming\charles.exe	Generic Write,Read Attributes
c:\users\user\downloads\c1cab83df0e5c46e8fe51af63dd7bf42d7566d84_0000697856	Generic Read,Write Attributes
c:\users\user\downloads\c1cab83df0e5c46e8fe51af63dd7bf42d7566d84_0000697856	Synchronize,Write Attributes
c:\windows\system32\drivers\nethfdrv.sys	Generic Write,Read Attributes
c:\windows\syswow64\hfnapi.dll	Generic Write,Read Attributes
c:\windows\syswow64\hfpapi.dll	Generic Write,Read Attributes
c:\windows\syswow64\installd.exe	Generic Write,Read Attributes
c:\windows\syswow64\nethtsrv.exe	Generic Write,Read Attributes
c:\windows\syswow64\netupdsrv.exe	Generic Write,Read Attributes

Registry Modifications

Key::Value	Data	API Name
HKLM\software\classes\amibs.installer.1::	Installer Class	RegNtPreCreateKey
HKLM\software\classes\amibs.installer.1\clsid::	{A6FEED89-3BCD-4D19-9DC2-3E613A80A2A4}	RegNtPreCreateKey
HKLM\software\classes\amibs.installer::	Installer Class	RegNtPreCreateKey
HKLM\software\classes\amibs.installer\curver::	AmiBs.Installer.1	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{a6feed89-3bcd-4d19-9dc2-3e613a80a2a4}::	Installer Class	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{a6feed89-3bcd-4d19-9dc2-3e613a80a2a4}\progid::	AmiBs.Installer.1	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{a6feed89-3bcd-4d19-9dc2-3e613a80a2a4}\versionindependentprogid::	AmiBs.Installer	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{a6feed89-3bcd-4d19-9dc2-3e613a80a2a4}\localserver32::	"c:\users\user\downloads\b79c11f4a18edc49ed60cc173016815226ae192d_0000157728"	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{a6feed89-3bcd-4d19-9dc2-3e613a80a2a4}\localserver32::serverexecutable	c:\users\user\downloads\b79c11f4a18edc49ed60cc173016815226ae192d_0000157728	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{a6feed89-3bcd-4d19-9dc2-3e613a80a2a4}\typelib::	{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}	RegNtPreCreateKey

HKLM\software\classes\wow6432node\clsid\{a6feed89-3bcd-4d19-9dc2-3e613a80a2a4}\version::	1.0	RegNtPreCreateKey
HKLM\software\classes\typelib\{1c1356da-1e98-4810-a9f6-18d89bd1c0c0}\1.0::	InstallerLib	RegNtPreCreateKey
HKLM\software\classes\typelib\{1c1356da-1e98-4810-a9f6-18d89bd1c0c0}\1.0\flags::	0	RegNtPreCreateKey
HKLM\software\classes\typelib\{1c1356da-1e98-4810-a9f6-18d89bd1c0c0}\1.0\0\win32::	c:\users\user\downloads\b79c11f4a18edc49ed60cc173016815226ae192d_0000157728	RegNtPreCreateKey
HKLM\software\classes\typelib\{1c1356da-1e98-4810-a9f6-18d89bd1c0c0}\1.0\helpdir::	c:\users\user\downloads	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{d54c859c-6066-4f31-8fe0-2aaedcae67d7}::	IBoot	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{d54c859c-6066-4f31-8fe0-2aaedcae67d7}\proxystubclsid32::	{00020424-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{d54c859c-6066-4f31-8fe0-2aaedcae67d7}\typelib::	{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{d54c859c-6066-4f31-8fe0-2aaedcae67d7}\typelib::version	1.0	RegNtPreCreateKey
HKLM\software\classes\interface\{d54c859c-6066-4f31-8fe0-2aaedcae67d7}::	IBoot	RegNtPreCreateKey
HKLM\software\classes\interface\{d54c859c-6066-4f31-8fe0-2aaedcae67d7}\proxystubclsid32::	{00020424-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\interface\{d54c859c-6066-4f31-8fe0-2aaedcae67d7}\typelib::	{1C1356DA-1E98-4810-A9F6-18D89BD1C0C0}	RegNtPreCreateKey
HKLM\software\classes\interface\{d54c859c-6066-4f31-8fe0-2aaedcae67d7}\typelib::version	1.0	RegNtPreCreateKey
HKLM\software\wow6432node\client::cid		RegNtPreCreateKey
HKLM\software\wow6432node\client::cname	sdAaideMweiV	RegNtPreCreateKey
HKLM\software\wow6432node\client::sid		RegNtPreCreateKey
HKLM\software\wow6432node\client::i	2025091804425	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\inethnfd::uninstallstring	"C:\Program Files (x86)\Common Files\Config\uninstinethnfd.exe"	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\inethnfd::quietuninstallstring	"C:\Program Files (x86)\Common Files\Config\uninstinethnfd.exe" /S	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\inethnfd::displayicon	%C:\Program Files (x86)\Common Files\Config\uninstinethnfd.exe	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\inethnfd::displayname	Network System Driver	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\inethnfd::displayversion	1.0.0.3001	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\inethnfd::publisher		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\inethnfd::urlinfoabout		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\inethnfd::urlupdateinfo		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\inethnfd::versionmajor	1	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\inethnfd::versionminor	0	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\inethnfd::installedby		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\inethnfd::nomodify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\uninstall\inethnfd::norepair		RegNtPreCreateKey
HKLM\system\controlset001\services\tcpip6\parameters::disabledcomponents		RegNtPreCreateKey
HKLM\system\controlset001\control\grouporderlist::pnp_tdi		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	ຒ⡰ǜ	RegNtPreCreateKey
HKLM\software\wow6432node\client::iv	1892025	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	ᨩ༖⡰ǜ	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Tkykqoct\AppData\Local\Temp\nse2087.tmp\	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Ugzwntub\AppData\Local\Temp\~nsu.tmp\Au_.exe	RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	\??\C:\Users\Ugzwntub\AppData\Local\Temp\~nsu.tmp\Au_.exe\??\C:\Users\Ugzwntub\AppData\Local\Temp\~nsu.tmp	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{a6feed89-3bcd-4d19-9dc2-3e613a80a2a4}\localserver32::	"c:\users\user\downloads\7404859df31927c257b9aa02d1cc61a20df8c670_0000339496"	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{a6feed89-3bcd-4d19-9dc2-3e613a80a2a4}\localserver32::serverexecutable	c:\users\user\downloads\7404859df31927c257b9aa02d1cc61a20df8c670_0000339496	RegNtPreCreateKey
HKLM\software\classes\typelib\{1c1356da-1e98-4810-a9f6-18d89bd1c0c0}\1.0\0\win32::	c:\users\user\downloads\7404859df31927c257b9aa02d1cc61a20df8c670_0000339496	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old5af521\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old5af62*1\??\C:\P	RegNtPreCreateKey
HKLM\software\policies\google\update::updatedefault		RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations	1\??\C:\Windows\SystemTemp\MicrosoftEdgeUpdate.exe.old122e41\??\C:\Windows\SystemTemp\CopilotUpdate.exe.old12352*1\??\C:\P	RegNtPreCreateKey
HKLM\software\classes\amidship.hydrops.1::	Inst Class	RegNtPreCreateKey
HKLM\software\classes\amidship.hydrops.1\clsid::	{b70850b6-7d88-4326-bf0c-9d6420971c4a}	RegNtPreCreateKey
HKLM\software\classes\amidship.hydrops::	Inst Class	RegNtPreCreateKey
HKLM\software\classes\amidship.hydrops\curver::	amidship.hydrops.1	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{b70850b6-7d88-4326-bf0c-9d6420971c4a}::	Inst Class	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{b70850b6-7d88-4326-bf0c-9d6420971c4a}\progid::	amidship.hydrops.1	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{b70850b6-7d88-4326-bf0c-9d6420971c4a}\versionindependentprogid::	amidship.hydrops	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{b70850b6-7d88-4326-bf0c-9d6420971c4a}\localserver32::	"c:\users\user\downloads\c1cab83df0e5c46e8fe51af63dd7bf42d7566d84_0000697856"	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{b70850b6-7d88-4326-bf0c-9d6420971c4a}\localserver32::serverexecutable	c:\users\user\downloads\c1cab83df0e5c46e8fe51af63dd7bf42d7566d84_0000697856	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{b70850b6-7d88-4326-bf0c-9d6420971c4a}\typelib::	{e8aedbb3-ca7d-4705-b569-be63035e333e}	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{b70850b6-7d88-4326-bf0c-9d6420971c4a}\version::	1.0	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	䐃퉿迯ǜ	RegNtPreCreateKey

Windows API Usage

Category	API
User Data Access	GetComputerName GetComputerNameEx GetUserDefaultLocaleName GetUserObjectInformation
Anti Debug	IsDebuggerPresent NtQuerySystemInformation
Syscall Use	ntdll.dll!NtAccessCheck ntdll.dll!NtAddAtomEx ntdll.dll!NtAlertThreadByThreadId ntdll.dll!NtAlpcConnectPortEx ntdll.dll!NtAlpcQueryInformation ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtApphelpCacheControl ntdll.dll!NtClearEvent ntdll.dll!NtClose ntdll.dll!NtConnectPort Show More ntdll.dll!NtCreateEvent ntdll.dll!NtCreateFile ntdll.dll!NtCreateMutant ntdll.dll!NtCreatePrivateNamespace ntdll.dll!NtCreateSection ntdll.dll!NtCreateSemaphore ntdll.dll!NtCreateThreadEx ntdll.dll!NtDeviceIoControlFile ntdll.dll!NtDuplicateObject ntdll.dll!NtDuplicateToken ntdll.dll!NtEnumerateKey ntdll.dll!NtEnumerateValueKey ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtMapViewOfSection ntdll.dll!NtOpenDirectoryObject ntdll.dll!NtOpenEvent ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenKeyEx ntdll.dll!NtOpenMutant ntdll.dll!NtOpenProcess ntdll.dll!NtOpenProcessToken ntdll.dll!NtOpenProcessTokenEx ntdll.dll!NtOpenSection ntdll.dll!NtOpenSemaphore ntdll.dll!NtOpenThreadToken ntdll.dll!NtOpenThreadTokenEx ntdll.dll!NtProtectVirtualMemory ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryDefaultLocale ntdll.dll!NtQueryDirectoryFileEx ntdll.dll!NtQueryFullAttributesFile ntdll.dll!NtQueryInformationFile ntdll.dll!NtQueryInformationJobObject ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryKey ntdll.dll!NtQueryLicenseValue ntdll.dll!NtQueryPerformanceCounter ntdll.dll!NtQuerySecurityAttributesToken ntdll.dll!NtQuerySecurityObject ntdll.dll!NtQuerySystemInformation ntdll.dll!NtQuerySystemInformationEx ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtQueryWnfStateData ntdll.dll!NtReadFile ntdll.dll!NtReleaseMutant ntdll.dll!NtReleaseSemaphore ntdll.dll!NtReleaseWorkerFactoryWorker ntdll.dll!NtRequestWaitReplyPort ntdll.dll!NtResumeThread ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationKey ntdll.dll!NtSetInformationProcess ntdll.dll!NtSetInformationVirtualMemory ntdll.dll!NtSetInformationWorkerFactory ntdll.dll!NtSetTimer2 ntdll.dll!NtSubscribeWnfStateChange ntdll.dll!NtTestAlert ntdll.dll!NtTraceControl ntdll.dll!NtUnmapViewOfSection ntdll.dll!NtUnmapViewOfSectionEx ntdll.dll!NtWaitForAlertByThreadId ntdll.dll!NtWaitForSingleObject ntdll.dll!NtWaitForWorkViaWorkerFactory ntdll.dll!NtWaitLowEventPair ntdll.dll!NtWorkerFactoryWorkerReady ntdll.dll!NtWriteFile ntdll.dll!NtWriteVirtualMemory UNKNOWN win32u.dll!NtGdiAnyLinkedFonts win32u.dll!NtGdiBitBlt win32u.dll!NtGdiCreateBitmap win32u.dll!NtGdiCreateCompatibleBitmap win32u.dll!NtGdiCreateCompatibleDC win32u.dll!NtGdiCreateDIBitmapInternal win32u.dll!NtGdiCreateRectRgn win32u.dll!NtGdiCreateSolidBrush win32u.dll!NtGdiDeleteObjectApp win32u.dll!NtGdiDoPalette win32u.dll!NtGdiDrawStream win32u.dll!NtGdiExcludeClipRect win32u.dll!NtGdiExtGetObjectW win32u.dll!NtGdiExtSelectClipRgn win32u.dll!NtGdiExtTextOutW win32u.dll!NtGdiFlush win32u.dll!NtGdiFontIsLinked 104 additional items are not displayed above.
Network Info Queried	GetAdaptersAddresses
Process Shell Execute	CreateProcess ShellExecuteEx
Process Manipulation Evasion	NtUnmapViewOfSection ReadProcessMemory
Service Control	OpenSCManager OpenService
Process Terminate	TerminateProcess
Network Winhttp	WinHttpOpen
Other Suspicious	SetWindowsHookEx
Keyboard Access	GetAsyncKeyState

Shell Command Execution


							net stop nethttpservice


							"C:\WINDOWS\system32\nethtsrv.exe" -nfdr


							net stop serviceupdater


							"C:\WINDOWS\system32\netupdsrv.exe" -nfdr


							"C:\WINDOWS\system32\installd.exe" nethfdrv


									"C:\WINDOWS\system32\nethtsrv.exe" -nfdi


									"C:\WINDOWS\system32\netupdsrv.exe" -nfdi


									net start nethttpservice


									net start serviceupdater


									"C:\Users\Ugzwntub\AppData\Local\Temp\~nsu.tmp\Au_.exe"  _?=c:\users\user\downloads\


									c:\users\user\downloads\nicVision_srv.exe /install /silent


									c:\users\user\downloads\nicVision_mnt.exe /install /silent


									c:\users\user\downloads\Windows_nv_mnt.exe /install /silent


									open C:\Users\Ggpwxqij\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe __IRAOFF:2102130 "__IRAFN:c:\users\user\downloads\4a49b063c8c6d969e3d414b864c85930d8f6e911_0002298534" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-3119368278-1123331430-659265220-1001"


									"C:\Users\Lwzpabwg\AppData\Local\Temp\~nsu.tmp\Au_.exe"  _?=c:\users\user\downloads\


									C:\Users\user\AppData\Roaming\Charles.exe


									schtasks /Delete /TN GoogleUpdateTaskMachineCore /F


									(NULL) schtasks /Delete /TN GoogleUpdateTaskMachineCore /F


									"C:\Users\Aecchzeb\AppData\Local\Temp\~nsu.tmp\Au_.exe"  _?=c:\users\user\downloads\


									"C:\Users\Tprxxkjm\AppData\Local\Temp\~nsuA.tmp\Un_A.exe"  _?=c:\users\user\downloads\


									"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" -C "if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }"

PUP.Amonetize

Threat Scorecard

EnigmaSoft Threat Scorecard

File System Details

Registry Details

Directories

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

File Icons

File Icons

Windows PE Version Information

Windows PE Version Information

Digital Signatures

Digital Signatures

File Traits

Block Information

Block Information

Similar Families

Similar Families

Files Modified

Files Modified

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

Submit Comment

Related Posts

Trending

Most Viewed