Yontoo Layers

By CagedTech in Adware

Translate To:

Threat Scorecard

Popularity Rank:	4,699
Threat Level:	20 % (Normal)
Infected Computers:	127,750

First Seen:	August 17, 2010
Last Seen:	January 16, 2026
OS(es) Affected:	Windows

There have been many reports of computer systems showing constant advertisements due to a Yontoo adware infection. Although these kinds of applications are often installed with the full knowledge that they will display advertisements, ESG security analysts have also received reports of severe virus and Trojan infections contracted from advertisements that Yontoo displays. Basically, the Yontoo application will be installed as part of a requirement for installing an application known as PageRage, designed to overlay designs on top of Facebook's profile pages, in essence allowing computer users to customize and make more attractive their Facebook wall, profile and Timeline.

PageRage's manufacturers claim that Yontoo is a legitimate way of supporting their software, although it is up to computer users to decide whether the advertisements that Yontoo delivers to the computer system are worth being able to tweak the appearance of a Facebook profile. There are several reasons why Yontoo is a form of adware, although this kind of infection may be worth the risk for some computer users. The main issue of installing Yontoo on your computer is the fact that advertisements that Yontoo displays may lead to undesirable sites. Yontoo also has some behaviors that are not compatible with good applications acting in good faith. For example, Yontoo Adware has several tracking and data-recollection components that are embedded and may be difficult to disable, as well as the fact that Yontoo is not entirely honest about what Yontoo does when installed on the computer user's system. While Yontoo Layers is limited to your web browser and can be easily quarantined by most security applications, some of the advertisements that Yontoo displays contain questionable content.

Table of Contents

Aliases

15 security vendors flagged this file as malicious.

Antivirus Vendor	Detection
AVG	Generic5.FR
Fortinet	Adware/Gaba
Ikarus	AdWare.Win32.Gabpath
GData	Win32:Gabpath-OY
Sophos	Troj/DwnLdr-JYF
McAfee-GW-Edition	Artemis!C03154CDDB74
AntiVir	TR/ATRAPS.Gen2
Kaspersky	not-a-virus:AdWare.Win32.Gaba.njw
Avast	Win32:Gabpath-OY [Adw]
AVG	unknown virus Win32/DH{DwNh}
Fortinet	W32/AutoRun.HLP!worm
Antiy-AVL	Trojan/win32.agent.gen
AntiVir	TR/Rogue.7619581
McAfee	W32/Autorun.worm.aacz
AVG	BackDoor.Generic16.VWN

SpyHunter Detects & Remove Yontoo Layers

File System Details

Yontoo Layers may create the following file(s):

Expand All | Collapse All

#	File Name	MD5	Detections Detections: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
1.	Y2Desktop.Updater.exe	24fb8db6d1d55e2c5d0a53dfe48e6af8	3,687
Name: Y2Desktop.Updater.exe MD5: 24fb8db6d1d55e2c5d0a53dfe48e6af8 Size: 23.55 KB (23552 bytes) Detections: 3,687 Type: Executable File Path: C:\Program Files (x86)\Yontoo\Y2Desktop.Updater.exe Group: Malware file Last Updated: October 4, 2025
2.	YontooIEClient.dll.vir	05586f1f292d99de1f5f2861c1ec16fa	390
Name: YontooIEClient.dll.vir MD5: 05586f1f292d99de1f5f2861c1ec16fa Size: 194.92 KB (194928 bytes) Detections: 390 Path: F:\AdwCleaner\Quarantine\C\Archivos de programa\Yontoo\YontooIEClient.dll.vir Group: Malware file Last Updated: December 25, 2025
3.	cst.exe	ab0f942b8a465c2e4399167537bccd7f	314
Name: cst.exe MD5: ab0f942b8a465c2e4399167537bccd7f Size: 13.31 KB (13312 bytes) Detections: 314 Type: Executable File Path: C:\Users\<username>\AppData\Roaming\Yontoo\dat\cst.exe Group: Malware file Last Updated: October 15, 2024
4.	BOX_cFosTASK.exe	d692a04e3b0fa1db641ef237fa2ef2e2	224
Name: BOX_cFosTASK.exe MD5: d692a04e3b0fa1db641ef237fa2ef2e2 Size: 405.21 KB (405218 bytes) Detections: 224 Type: Executable File Path: C:\Windows\BOX_cFosTASK.exe Group: Malware file Last Updated: August 9, 2022
5.	R-KILL.COM	ea5d533ede0a185245cc754e744bbd3a	172
Name: R-KILL.COM MD5: ea5d533ede0a185245cc754e744bbd3a Size: 780.28 KB (780283 bytes) Detections: 172 Type: Command, executable file Path: E:\3. Všechny programy 1.1 TB\!.Čistící 477 GB\1-257 GB\!6.CD+Závady+Opravy-Viry 176 GB\9-3.CD-bootovací,opravy-všechny\!!!! Nové programy\1-Programy CD\!.programy z CD-FalconFour Ultimate Boot CD v4.61\HBCD\WINTOOLS\R-KILL.COM Group: Malware file Last Updated: November 8, 2025
6.	A86207CA0123E3DC._bu	d7ad793a77f97f7e31a8ecdbb88eb1b2	165
Name: A86207CA0123E3DC._bu MD5: d7ad793a77f97f7e31a8ecdbb88eb1b2 Size: 133.63 KB (133632 bytes) Detections: 165 Path: %ALLUSERSPROFILE%\Tarma Installer\{68F250EA-9638-4DCF-96C4-D68CC340EC48}\A86207CA0123E3DC._bu Group: Malware file Last Updated: September 15, 2024
7.	OptChrome.exe.vir	e014fa47c8e1ebd80f114ff87934f907	118
Name: OptChrome.exe.vir MD5: e014fa47c8e1ebd80f114ff87934f907 Size: 138.24 KB (138240 bytes) Detections: 118 Path: C:\$Recycle.Bin\S-1-5-21-1788207478-340930373-1749900118-1000\$RWA9VJ1\Quarantine\C\Program Files (x86)\Yontoo\OptChrome.exe.vir Group: Malware file Last Updated: January 6, 2026
8.	YontooClientSetup.Exe	fa83259165c4d0c68a3ccf346093e78e	52
Name: YontooClientSetup.Exe MD5: fa83259165c4d0c68a3ccf346093e78e Size: 554.1 KB (554104 bytes) Detections: 52 Type: Executable File Path: %USERPROFILE%\My Documents Group: Malware file Last Updated: October 3, 2020
9.	A0040407.dll	ad10098a08295681b234432d33c90d64	50
Name: A0040407.dll MD5: ad10098a08295681b234432d33c90d64 Size: 197.92 KB (197920 bytes) Detections: 50 Type: Dynamic link library Path: C:\System Volume Information\_restore{2BA859FF-70DD-40A6-A0A8-E7556ECFC096}\RP534\A0040407.dll Group: Malware file Last Updated: May 30, 2021
10.	SoundcardAudiocodec.exe	7beac080a6ea9eee6ae67da366bf0005	30
Name: SoundcardAudiocodec.exe MD5: 7beac080a6ea9eee6ae67da366bf0005 Size: 643.07 KB (643072 bytes) Detections: 30 Type: Executable File Path: %APPDATA% Group: Malware file Last Updated: December 18, 2012
11.	YontooDesktop.exe	1c8317e85a2dcf1de39a07d95eb20afa	27
Name: YontooDesktop.exe MD5: 1c8317e85a2dcf1de39a07d95eb20afa Size: 42.78 KB (42784 bytes) Detections: 27 Type: Executable File Path: %APPDATA%\Yontoo Group: Malware file Last Updated: March 26, 2016
12.	OptChrome.exe	1a090eded97f116b28ebf6a6c0fe2b64	25
Name: OptChrome.exe MD5: 1a090eded97f116b28ebf6a6c0fe2b64 Size: 133.63 KB (133632 bytes) Detections: 25 Type: Executable File Path: C:\Program Files\Yontoo\OptChrome.exe Group: Malware file Last Updated: January 18, 2024
13.	psexesvc.exe	4849b669497c3359e5f09e3613cd7e2f	24
Name: psexesvc.exe MD5: 4849b669497c3359e5f09e3613cd7e2f Size: 61.44 KB (61440 bytes) Detections: 24 Type: Executable File Path: c:\windows\system32\psexesvc.exe Group: Malware file Last Updated: January 16, 2026
14.	YontooIEClient.dll	708d92e4c52ebcbf55e269babecf17ab	21
Name: YontooIEClient.dll MD5: 708d92e4c52ebcbf55e269babecf17ab Size: 198.07 KB (198072 bytes) Detections: 21 Type: Dynamic link library Path: C:\Program Files (x86)\Yontoo\YontooIEClient.dll Group: Malware file Last Updated: March 27, 2021
15.	wsearch.exe	66529767fe6f9d9c2eb617a733e64c53	20
Name: wsearch.exe MD5: 66529767fe6f9d9c2eb617a733e64c53 Size: 419.84 KB (419840 bytes) Detections: 20 Type: Executable File Path: %LOCALAPPDATA%\WideSearch Group: Malware file Last Updated: December 18, 2012
16.	YontooUninstaller.exe	f473f6e32b773edee97950d2746fd088	19
Name: YontooUninstaller.exe MD5: f473f6e32b773edee97950d2746fd088 Size: 523.55 KB (523552 bytes) Detections: 19 Type: Executable File Path: %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\AAD8VVY1 Group: Malware file Last Updated: April 1, 2020
17.	svchost.exe	22025ca0d008c0e17e26ddcfe10faffb	18
Name: svchost.exe MD5: 22025ca0d008c0e17e26ddcfe10faffb Size: 301.03 KB (301032 bytes) Detections: 18 Type: Executable File Path: %APPDATA%\nightupdate Group: Malware file Last Updated: December 18, 2012
18.	spsreng.exe	07f9bf43264060abcd3bb1686b78b66d	18
Name: spsreng.exe MD5: 07f9bf43264060abcd3bb1686b78b66d Size: 8.19 KB (8192 bytes) Detections: 18 Type: Executable File Path: %APPDATA%\Microsoft\Windows\Templates Group: Malware file Last Updated: December 18, 2012
19.	n.	f76f11e753ae6353f56be5b7c0e18d12	18
Name: n. MD5: f76f11e753ae6353f56be5b7c0e18d12 Size: 51.2 KB (51200 bytes) Detections: 18 Path: %SystemDrive%\RECYCLER\S-1-5-21-2626416508-434419615-3162726493-1006\$e147bd530acf0dfb79a40265a25de046 Group: Malware file Last Updated: December 18, 2012
20.	Blammi.exe	c03154cddb74ccdda551fbbb80628605	14
Name: Blammi.exe MD5: c03154cddb74ccdda551fbbb80628605 Size: 1.68 MB (1687552 bytes) Detections: 14 Type: Executable File Path: %APPDATA%\Blammi Group: Malware file Last Updated: December 18, 2012
21.	EZ_Sirefix.exe	9eef4ef1cf01c5a6567776a77079230a	14
Name: EZ_Sirefix.exe MD5: 9eef4ef1cf01c5a6567776a77079230a Size: 2.03 MB (2033481 bytes) Detections: 14 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\Desktop\Virus\Advanced MalwarePack\ZeroAccess\EZ_Sirefix.exe Group: Malware file Last Updated: May 29, 2023
22.	TNODUP.exe	61f4456f9848da1f5385799415ff8e69	12
Name: TNODUP.exe MD5: 61f4456f9848da1f5385799415ff8e69 Size: 1.89 MB (1892352 bytes) Detections: 12 Type: Executable File Path: G:\[SOLUCION] lXxDanteasdfxXl\Nueva carpeta\Eset Smart Security 5 Full en español 32 bits by angelithotutorial\ESETSM~1\TNod 1.4.1\TNODUP.exe Group: Malware file Last Updated: April 4, 2022
23.	mscorlib.exe	4ff56eb620defbbdbc13ff75708c1d81	5
Name: mscorlib.exe MD5: 4ff56eb620defbbdbc13ff75708c1d81 Size: 10.75 KB (10752 bytes) Detections: 5 Type: Executable File Path: %APPDATA%\Microsoft\Windows\Templates Group: Malware file Last Updated: December 18, 2012
24.	winhost.exe	20c02c85181c98b3f136fba654ade5d6	5
Name: winhost.exe MD5: 20c02c85181c98b3f136fba654ade5d6 Size: 58.36 KB (58368 bytes) Detections: 5 Type: Executable File Path: %APPDATA%\winhost Group: Malware file Last Updated: December 18, 2012
25.	sp.dll	7cc0fad47e5f5d329394e76935dcc0b0	5
Name: sp.dll MD5: 7cc0fad47e5f5d329394e76935dcc0b0 Size: 160.25 KB (160256 bytes) Detections: 5 Type: Dynamic link library Path: %WINDIR%\SysWow64\config\systemprofile\appdata\roaming\adobe Group: Malware file Last Updated: December 18, 2012
26.	dwm.exe	f80eb5a04e2d6cfaa149011df1367c19	1
Name: dwm.exe MD5: f80eb5a04e2d6cfaa149011df1367c19 Size: 1.27 MB (1270272 bytes) Detections: 1 Type: Executable File Path: %APPDATA% Group: Malware file Last Updated: December 18, 2012
27.	WindowsLiveUpdate.exe	8585a81af791b2780cbd67efe6d52120	1
Name: WindowsLiveUpdate.exe MD5: 8585a81af791b2780cbd67efe6d52120 Size: 113.15 KB (113152 bytes) Detections: 1 Type: Executable File Path: %APPDATA%\MCommon Group: Malware file Last Updated: December 18, 2012
28.	OptChrome.exe
Name: OptChrome.exe Type: Executable File Group: Malware file
29.	%CommonAppData%\Yontoo Layers\YontooIEClient.dll
Name: %CommonAppData%\Yontoo Layers\YontooIEClient.dll Type: Dynamic link library Group: Malware file
30.	%CommonAppData%\Temp\YontooTix2700750.log
Name: %CommonAppData%\Temp\YontooTix2700750.log Group: Malware file
31.	%Temp%\YontooSetup-Silent.exe
Name: %Temp%\YontooSetup-Silent.exe Type: Executable File Group: Malware file
32.	%Temp%\YontooIEClient.dll
Name: %Temp%\YontooIEClient.dll Type: Dynamic link library Group: Malware file
33.	%Temp%\YontooFFClient.xpi
Name: %Temp%\YontooFFClient.xpi Group: Malware file
34.	%Temp%\YontooLayers.crx
Name: %Temp%\YontooLayers.crx Group: Malware file
35.	%Temp%\YontooLayers.pem
Name: %Temp%\YontooLayers.pem Group: Malware file
36.	%ProgramFiles%\Yontoo Layers Runtime\YontooIEClient.dll
Name: %ProgramFiles%\Yontoo Layers Runtime\YontooIEClient.dll Type: Dynamic link library Group: Malware file

More files

Registry Details

Yontoo Layers may create the following registry entry or registry entries:

CLSID

{1AD27395-1659-4DFF-A319-2CFA243861A5}

{7E84186E-B5DE-4226-8A66-6E49C6B511B4}

{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}

{99066096-8989-4612-841F-621A01D54AD7}

{CFDAFE39-20CE-451D-BD45-A37452F39CF0}

{D372567D-67C1-4B29-B3F0-159B52B3E967}

{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}

{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}

{FE9271F2-6EFD-44b0-A826-84C829536E93}

HKEY..\..\{CLSID Path}

{1AD27395-1659-4DFF-A319-2CFA243861A5}

Regexp file mask

%TEMP%\YontooFFClient.xpi

%TEMP%\YontooIEClient.dll

%TEMP%\YontooLayers.crx

%TEMP%\YontooSetup-Silent.exe

HKEY..\..\{Value}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}\"Default" = "YontooIEClient"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\YontooIEClient.DLL\"AppID" = "{CFDAFE39-20CE-451D-BD45-A37452F39CF0}"

HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{A8F0AD53-1AEE-447E-89CD-71C325796F84}\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}"Default" = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{F5F971A9-DBF8-4EEC-81E3-5F1660573E6C}\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}"Default" = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{B6783DFA-B8C8-4CB6-AB9F-EF1A1F7F7AE8}\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}"Default" = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{FC1DD4E4-688F-4E9B-BAE5-BFB6A956AE51}\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}"Default" = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{9307081B-7444-494C-8CF6-2FA7C0E92BFB}\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}"Default" = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Tarma Installer\Components\{9D9785E5-3424-40B6-A287-BA143AD53109}\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}"Default" = "1"

HKEY..\..\..\..{RegistryKeys}

SOFTWARE\Classes\AppID\YontooIEClient.DLL

SOFTWARE\Classes\Wow6432Node\AppID\YontooIEClient.DLL

Software\Classes\Wow6432Node\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}

SOFTWARE\Classes\YontooIEClient.Api

SOFTWARE\Classes\YontooIEClient.Api.1

SOFTWARE\Classes\YontooIEClient.Layers

SOFTWARE\Classes\YontooIEClient.Layers.1

SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}

Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}

Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}

SOFTWARE\Wow6432Node\Classes\AppID\YontooIEClient.DLL

SOFTWARE\Wow6432Node\Microsoft\Tracing\yontoo-0B90_RASAPI32

SOFTWARE\Wow6432Node\Microsoft\Tracing\yontoo-0B90_RASMANCS

SOFTWARE\Wow6432Node\Microsoft\Tracing\YontooDesktop_RASAPI32

SOFTWARE\Wow6432Node\Microsoft\Tracing\YontooDesktop_RASMANCS

SOFTWARE\Wow6432Node\Microsoft\Tracing\YontooSetup-Silent-0CC4_RASAPI32

SOFTWARE\Wow6432Node\Microsoft\Tracing\YontooSetup-Silent-0CC4_RASMANCS

SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}

SOFTWARE\Wow6432Node\Tarma Installer\Products\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}

SYSTEM\ControlSet001\services\Yontoo Desktop Updater

SYSTEM\ControlSet002\services\Yontoo Desktop Updater

SYSTEM\CurrentControlSet\services\Yontoo Desktop Updater

HKEY_LOCAL_MACHINE\Software\[APPLICATION]\Microsoft\Windows\CurrentVersion\Uninstall..{Uninstaller}

{889DF117-14D1-44EE-9F31-C5FB5D47F68B}

Directories

Yontoo Layers may create the following directory or directories:

%ALLUSERSPROFILE%\9466af57-1f38-4973-ab1c-22f7e17e2d6a

%ALLUSERSPROFILE%\Application Data\9466af57-1f38-4973-ab1c-22f7e17e2d6a

%ALLUSERSPROFILE%\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}

%ALLUSERSPROFILE%\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}

%APPDATA%\Yontoo

%PROGRAMFILES(x86)%\Yontoo

%PROGRAMFILES(x86)%\Yontoo Layers Runtime

%ProgramFiles%\Yontoo

%ProgramFiles%\Yontoo Layers Runtime

%ProgramFiles(x86)%\Yontoo Layers

%TEMP%\YontooLayers

URLs

Yontoo Layers may call the following URLs:

yontoo.com

Analysis Report

General information

Family Name:	Yontoo Layers
Signature status:	No Signature

Known Samples

MD5: 87bc5a7b14f0436bb116d5a009f383d1

SHA1: 47e8debf5f501005bfef070b2ceefa73751eebf0

SHA256: 2ADE387BAA8504CBDB323C5D866E7E8F68971B57B205AE824E04B5AEDC8AE51E

File Size: 444.93 KB, 444928 bytes

MD5: f28bb19bc5427697320c63e15e257395

SHA1: 0ca964209f8e51995111386779861dbb9291835c

SHA256: D68844A496C93F4D061E0B403803FD03A2556129D4E0ED972F3184C11983D1E1

File Size: 482.30 KB, 482304 bytes

MD5: c16826bf2284dc278421706aeb91e29e

SHA1: 5e2eed086d7ed79e4ca9ff8927c6c13f1169daeb

SHA256: AC237E13D5437F4B04C8BBCD7EE3D11FF193A8F145BDC70E10A113C1A9DE2DFC

File Size: 190.08 KB, 190082 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have debug information
File doesn't have exports table
File doesn't have relocations information
File doesn't have security information
File has exports table
File is 32-bit executable
File is either console or GUI application
File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
File is Native application (NOT .NET application)

File is not packed
IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

File Traits

Files Modified

File	Attributes
c:\users\user\appdata\local\temp\nssc178.tmp\1clogo.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nssc178.tmp\accept.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nssc178.tmp\accept1.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nssc178.tmp\accept2.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nssc178.tmp\accept3.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nssc178.tmp\anon.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nssc178.tmp\decline.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nssc178.tmp\gc0	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nssc178.tmp\getcountry	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nssc178.tmp\inetc3.dll	Generic Write,Read Attributes

c:\users\user\appdata\local\temp\nssc178.tmp\install_macintosh_drivers_for_windows_xp_exe.magnet	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nssc178.tmp\mainpackfull.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nssc178.tmp\nsdialogs.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nssc178.tmp\nsisdl.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nssc178.tmp\save.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nssc178.tmp\skip.bmp	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nssc178.tmp\system.dll	Generic Write,Read Attributes

Registry Modifications

Key::Value	Data	API Name
HKCU\ware\1clickdownloadware\1clickdownload::uid	319481074	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey

Windows API Usage

Category	API
Syscall Use	ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtClose ntdll.dll!NtCreateFile ntdll.dll!NtCreateSection ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtMapViewOfSection ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenProcessToken ntdll.dll!NtProtectVirtualMemory Show More ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryDebugFilterState ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQuerySystemInformationEx ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtReadFile ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationFile ntdll.dll!NtSetInformationProcess ntdll.dll!NtSetInformationVirtualMemory ntdll.dll!NtSetInformationWorkerFactory ntdll.dll!NtTestAlert ntdll.dll!NtTraceControl ntdll.dll!NtUnmapViewOfSection ntdll.dll!NtWaitForSingleObject ntdll.dll!NtWriteFile ntdll.dll!NtWriteVirtualMemory win32u.dll!NtUserGetKeyboardLayout win32u.dll!NtUserGetThreadState
Process Shell Execute	CreateProcess
Anti Debug	NtQuerySystemInformation
Process Manipulation Evasion	NtUnmapViewOfSection
Network Winsock2	WSAStartup
Network Winsock	closesocket gethostbyname inet_addr socket
Network Wininet	HttpOpenRequest HttpQueryInfo HttpSendRequest InternetConnect InternetOpen InternetQueryOption InternetReadFile

Shell Command Execution


							C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\47e8debf5f501005bfef070b2ceefa73751eebf0_0000444928.,LiQMAxHB


							C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\0ca964209f8e51995111386779861dbb9291835c_0000482304.,LiQMAxHB

EnigmaSoft’s Payment Processor Digital River GmbH Filing for Bankruptcy Does Not Impact SpyHunter Customers’ Anti-Malware Protection

Search

Change Region

Yontoo Layers

Threat Scorecard

EnigmaSoft Threat Scorecard

Aliases

SpyHunter Detects & Remove Yontoo Layers

File System Details

Registry Details

Directories

URLs

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

File Icons

File Icons

File Traits

Files Modified

Files Modified

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

Submit Comment

Trending

Web.coilchocks.com

Search.secure-dm.com

HDWallpaper

Most Viewed

How To Fix 'Printer Driver is Unavailable' Error

Discord Shows Black Screen when Sharing Screen

How to Fix 'macOS cannot verify that this app is...