Multi-License Discount Quote

Change Region

English
Threat Database Potentially Unwanted Programs PUP.InstallBrain

PUP.InstallBrain

By GoldSparrow in Potentially Unwanted Programs

Threat Scorecard

Popularity Rank: 8,135
Threat Level: 10 % (Normal)
Infected Computers: 15,257
First Seen: January 11, 2013
Last Seen: January 22, 2026
OS(es) Affected: Windows

InstallBrain is promoted as an updater service and is developed by PerformerSoft LLC. InstallBrain is a Potentially Unwanted Program. PUPs like InstallBrain are used by software developers and distributors or third party marketers to increase their profits and monetize free software. InstallBrain runs in the background as a Windows Service. InstallBrain is a download manager, a common way of distributing PUPs.

How InstallBrain and Its Components Work

InstallBrain, described as an updater service, has four variants, signed either by Performersoft LLC or by WhiteSmoke Inc, both of which are entities that have been linked to other PUPs. As soon as InstallBrain is installed, InstallBrain will attempt to connect to various URLs in order to retrieve advertisement information that InstallBrain then displays on affected Web browsers. The most typical release of InstallBrain is 14.12.8.9, which accounts for nearly all of the versions that have been reported by affected computer users. As soon as InstallBrain is installed, InstallBrain creates a Windows Service that runs without stopping in the background as soon as the computer user starts up Windows. Manually stopping this service may make the program crash.

In most cases, InstallBrain does not deliver a valuable service, and most computer users remove InstallBrain and its associated software nearly immediately. There are several reasons why InstallBrain should be removed. InstallBrain may be associated with threats, despite not being threatening itself. InstallBrain is classified as a PUP that may cause unwanted symptoms on affected computers and expose computer users to unwanted advertising material. InstallBrain installs a Windows Service automatically, running in the background constantly and consuming system resources. InstallBrain is distributed by third parties who take advantage of payment schemes where they are paid according to the number of people that install InstallBrain on their computers.

Removing InstallBrain from an Affected Computer

Most computer users do not install InstallBrain on purpose. This is because InstallBrain may be bundled with third party software, which uses misleading tactics to trick inexperienced computer users into installing InstallBrain. This is a common tactic of most PUPs. It is simpler to remove InstallBrain using a reliable, fully updated security program capable of dealing with PUPs. However, manual removal of InstallBrain also is not too complicated and requires the following steps:

  1. Computer users can uninstall InstallBrain by using the Add/Remove Program feature that is available in Windows (through the Control Panel). Uninstalling InstallBrain using this method should be a straightforward process, simply following the Windows prompts. In some cases, InstallBrain will not be able to be uninstalled through this method. In these cases, Microsoft's utility for dealing with software that cannot be uninstalled has been proven to help.
  2. Once InstallBrain has been removed, it is recommended to perform a full scan of the affected computer to ensure that no threat is present. Although not threatening, PUPs like InstallBrain may be associated with threats indirectly or may be installed along with numerous other PUPs. Since many threat infections run silently in the background and do not cause any symptoms, computer users should take actions to assure that they have not compromised their computer as a result of the presence of InstallBrain.
  3. InstallBrain may make changes to Web browser and computer settings. These changes may not be reverted by security software. Because of this, malware researchers recommend inspecting the Web browser and PC settings and changing them to their defaults or to their desired settings manually after InstallBrain has been uninstalled.

SpyHunter Detects & Remove PUP.InstallBrain

File System Details

PUP.InstallBrain may create the following file(s):
Expand All | Collapse All
# File Name MD5 Detections
1. InstallBrainService.exe 91333c04d588dee3addafd2f1b9c7095 253
2. Softango_VideoConverter_Multi.exe e7d56d9991a1b4d1a53cf54f67eb1506 216
3. ibsvc.exe abb41b3bc5cc9bfcf8d18a4de1f277fa 183
4. C:\Documents and Settings\\Application Data\IBUpdaterService\ibsvc.exe
5. drop/2b2b1f1ed597eed9dd62ba4ad2a 2b2b1f1ed597eed9dd62ba4ad2abe15e 0
6. 0f1583197f5d7f6a2952adb0d0f6773c.exe 0f1583197f5d7f6a2952adb0d0f6773c 0
7. 77371b9678258eff4dc7b9fb269799e9 77371b9678258eff4dc7b9fb269799e9 0
8. 1944df25b6fd7c5fa9e42ff8bef38cd2 1944df25b6fd7c5fa9e42ff8bef38cd2 0
More files

Directories

PUP.InstallBrain may create the following directory or directories:

%ALLUSERSPROFILE%\Application Data\InstallBrainService
%ALLUSERSPROFILE%\InstallBrainService
%PROGRAMFILES%\InstallBrainService
%PROGRAMFILES(x86)%\InstallBrainService

Analysis Report

General information

Family Name: PUP.InstallBrain
Signature status: Modified signature

Known Samples

MD5: 8e61560db0f1cc7d9906542c9f35d124
SHA1: f94ea97673d841386022a40041f3cb984eb6ab98
File Size: 625.98 KB, 625984 bytes
MD5: 973786604adbd34cd50b4a7b83458caa
SHA1: a5722e1545035a34a8e5688d7576a9577e0fdd76
SHA256: 46C2DD7153FB599DC504673B0E34C66C5F70E697B730B4DE7ACF91E64EBFBA6C
File Size: 1.28 MB, 1279984 bytes
MD5: 820d069fcf438bd78510dc96ff50c86a
SHA1: 62d20b2a547360adb46e085b4da8ecce433f4a32
SHA256: 0C0BD6CB4B7B1F9DE238E6C664FE95E0388C5C7A1649CAE6ABD9926E63061D04
File Size: 881.57 KB, 881568 bytes
MD5: 91ba7a239130c931acda1b10c82be278
SHA1: 489d22d6a45f41acc579e2d98aa2203c6900dbc0
SHA256: C8546A5A2095C38C1BB6554382AD4F6B4A06F4EB4EE8D218098D8B7710491C86
File Size: 644.86 KB, 644856 bytes
MD5: 32d73f27ce2ac84824e5bd181f74193c
SHA1: 05c4518e96ccc5f09e185787f181be55db657765
SHA256: 6B0933318909CB9C42728CAF50A54D2C46EE3E7C5EC97ED6D7958958986DC7BC
File Size: 1.03 MB, 1027048 bytes
Show More
MD5: ee2d3fe4a58a5c11424267fa71673a2d
SHA1: 666275b482d060eb8605405eeb08d5796ad767ea
SHA256: E1DF473879A019E4E9E8963F4A122AB8BF615286ADF14FE82AA210A7F6956341
File Size: 1.29 MB, 1293704 bytes
MD5: 4b7571a89327270594d697bb6768c9c1
SHA1: 445acb82a11f31a171facb00bceeda1ffc465c0e
SHA256: E1309045A0BA98D21ABD00191D988F03FAA073F38195B9AB9F0B6D9DAF7A7617
File Size: 671.81 KB, 671808 bytes
MD5: 9df7f5ee1ba1818ac4b4a462cbcf0515
SHA1: 97e71562d8377aaa3182263c09757dd891fe3687
SHA256: 63323E61A9D3F4866CF484AA953513F696A0D5D252A24482BC3669FEDD76B4C2
File Size: 639.86 KB, 639864 bytes
MD5: de3564e21f3d40d3a120cff2e2b142f1
SHA1: 3d3bacf9d4225abd416c94cb2fb1f3a132698928
SHA256: 320CE3A55E4C07C9376D7E566187B9A9231AA5626AA867359F49AB44BA3DE7FD
File Size: 554.63 KB, 554632 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name Value
Company Name
  • Best Download Manager
  • PCPerformer
  • Video Perforer
  • VideoPerformer
File Description
  • Installer
  • KBM2 Installer
  • PCPerformer
  • Video Perforer
  • VideoPerformer
File Version
  • 15.9.28.27
  • 15.3.25.18
  • 14.12.8.9
  • 14.10.15.9
  • 14.9.2.13
  • 2.5.1.0
Internal Name
  • installer
  • KBM2.exe
  • PCPerformer
  • Video Perforer
  • VideoPerformer
Legal Copyright
  • (c) Best Download Manager . All rights reserved.
  • Copyright 2012
  • Copyright 2014
Original Filename
  • installer.exe
  • KBM2.exe
  • PCPerformerSetup.exe
  • setup
  • VideoPerformerSetup.exe
Product Name
  • Installer
  • KBM2 Installer
  • PCPerformer
  • Video Perforer
  • VideoPerformer
Product Version
  • 15.9.28.27
  • 15.3.25.18
  • 14.12.8.9
  • 14.10.15.9
  • 14.9.2.13
  • 2.5.1.0

Digital Signatures

Signer Root Status
F11L Software Inc. Go Daddy Class 2 Certification Authority Root Not Trusted
Forty Seven Tech Software LLC Go Daddy Class 2 Certification Authority Root Not Trusted
Klingon Tech Software LLC Go Daddy Class 2 Certification Authority Root Not Trusted
Best Download Manager VeriSign Class 3 Code Signing 2010 CA Self Signed

Block Information

Total Blocks: 2,360
Potentially Malicious Blocks: 4
Whitelisted Blocks: 2,237
Unknown Blocks: 119

Visual Map

x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? ? ? 0 0 0 ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 ? 0 ? ? ? ? ? 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? ? 0 0 0 0 0 0 0 ? 0 0 ? ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 ? 0 0 ? ? ? ? ? ? ? ? ? ? ? ? ? 0 ? 0 ? ? ? ? ? ? ? ? ? ? 0 0 ? ? ? ? 0 0 ? ? ? ? ? ? ? ? ? ? ? ? 0 ? ? ? ? ? ? ? 0 x 0 0 0 0 0 0 ? 0 ? ? 0 ? ? 0 ? ? 0 ? ? ? ? ? ? ? 0 0 ? ? ? ? 0 0 0 0 0 0 0 ? 0 ? ? ? ? ? ? ? ? ? ? ? ? 0 0 0 ? ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 1 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 0 1 1 2 0 0 0 0 0 0 1 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 1 0 0 1 1 0 0 0 0 0 0 0 2 0 2 0 0 0 0 0 1 0 1 0 0 0 1 0 0 1 0 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 0 0 0 1 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 1 1 0 3 1 1 0 0 2 3 0 0 0 0 0 0 0 1 1 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 2 0 0 1 1 1 0 0 0 0 0 0 0 1 0 0 0 1 1 0 1 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 0 1 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 0 0 1 0 0 2 2 0 0 0 0 0 0 0 0 0 0 0 0 0
... Data truncated
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • InstallBrain.A

Files Modified

File Attributes
c:\users\user\appdata\local\temp\30cb.tmp Generic Read,Generic Execute,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 786496
c:\users\user\appdata\local\temp\5e68.tmp Generic Read,Generic Execute,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 786496
c:\users\user\appdata\local\temp\6358.tmp Generic Read,Generic Execute,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 786496
c:\users\user\appdata\local\temp\793ab6d.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\bbknhtkewcc\tmppack.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\f1ab.tmp Generic Read,Generic Execute,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 786496
c:\users\user\appdata\local\temp\nvmwfyqrkbpolsxitsgqngeqn\tmppack.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ygtllbtgl\tmppack.exe Generic Write,Read Attributes

Registry Modifications

Key::Value Data API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe ⢈섀េǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 밝佂伜ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 菬䷋兛ǜ RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\history::cacheprefix NoVisited: RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zones\3::1400 RegNtPreCreateKey

Windows API Usage

Category API
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
User Data Access
  • GetComputerNameEx
  • GetUserObjectInformation
Network Winhttp
  • WinHttpConnect
  • WinHttpOpen
  • WinHttpOpenRequest
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
Show More
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • UNKNOWN
  • win32u.dll!NtGdiAnyLinkedFonts
  • win32u.dll!NtGdiBitBlt
  • win32u.dll!NtGdiCreateBitmap
  • win32u.dll!NtGdiCreateCompatibleBitmap
  • win32u.dll!NtGdiCreateCompatibleDC
  • win32u.dll!NtGdiCreateDIBitmapInternal
  • win32u.dll!NtGdiCreateRectRgn
  • win32u.dll!NtGdiCreateSolidBrush
  • win32u.dll!NtGdiDeleteObjectApp
  • win32u.dll!NtGdiDoPalette
  • win32u.dll!NtGdiDrawStream
  • win32u.dll!NtGdiExtGetObjectW
  • win32u.dll!NtGdiExtTextOutW
  • win32u.dll!NtGdiFontIsLinked
  • win32u.dll!NtGdiGetCharABCWidthsW
  • win32u.dll!NtGdiGetDCDword
  • win32u.dll!NtGdiGetDCforBitmap
  • win32u.dll!NtGdiGetDCObject
  • win32u.dll!NtGdiGetDeviceCaps
  • win32u.dll!NtGdiGetDIBitsInternal
  • win32u.dll!NtGdiGetEntry
  • win32u.dll!NtGdiGetFontData
  • win32u.dll!NtGdiGetGlyphIndicesW
  • win32u.dll!NtGdiGetOutlineTextMetricsInternalW
  • win32u.dll!NtGdiGetRandomRgn
  • win32u.dll!NtGdiGetRealizationInfo
  • win32u.dll!NtGdiGetTextFaceW
  • win32u.dll!NtGdiGetTextMetricsW
  • win32u.dll!NtGdiGetWidthTable
  • win32u.dll!NtGdiHfontCreate
  • win32u.dll!NtGdiIntersectClipRect
  • win32u.dll!NtGdiQueryFontAssocInfo
  • win32u.dll!NtGdiRestoreDC
  • win32u.dll!NtGdiSaveDC
  • win32u.dll!NtGdiSelectBitmap
  • win32u.dll!NtGdiSetDIBitsToDeviceInternal

63 additional items are not displayed above.

Process Terminate
  • TerminateProcess
Other Suspicious
  • SetWindowsHookEx

Shell Command Execution

C:\Users\Vcemypqk\AppData\Local\Temp\BBKNHTKEWCC\tmppack.exe -y
C:\Users\Frhxolac\AppData\Local\Temp\NVMWFYQRKBPOLSXITSGQNGEQN\tmppack.exe -y
C:\Users\Kdbrgdzw\AppData\Local\Temp\YGTLLBTGL\tmppack.exe -y

Trending

Most Viewed

Loading...