
HEUR.Malware.FakeFld.Generic

By CagedTech in HEUR Malware, Malware

Threat Scorecard

Popularity Rank: 1,044
Threat Level: 100 % (High)
Infected Computers: 48,716
First Seen: February 26, 2021
Last Seen: April 9, 2026
OS(es) Affected: Windows

Analysis Report

General information

Family Name: HEUR.Malware.FakeFld.Generic
Signature status: No Signature

Known Samples

MD5: 2044ba3b5639c8fb6b99bb923b152d05
SHA1: ef54e17693ff7b62ca4a72e98c9cb4bf9c26bb33
SHA256: 1CC9BB5B0915A1F0A3D755864144689DDF7EBB64BC836D46C34AF592ABD655EB
File Size: 3.62 MB, 3624992 bytes
MD5: abf880457a1ef618517c429b64c364cf
SHA1: 298b6097e1ab98e3b8d8d7ac624230875c570316
SHA256: 190C455254905317265C50E28D16A07E1DB2DEF450D3321BA748E7BA9BF61F15
File Size: 552.10 KB, 552103 bytes
MD5: 7a555100a38f945a24f7dc00bb6bf97a
SHA1: 691a059df49dfe9aa53720e96c7841262391beec
SHA256: 2048BF88134547221F52A56B87CDB445D17FB35CA0A3E475F9CFD7902600F07C
File Size: 65.54 KB, 65536 bytes
MD5: 0da7befcccd51d3309c922c1356dfc3a
SHA1: 656d8dfd1d586535e92fbdf38feba421234cf191
SHA256: 523F0143CC3DC2FC93483ED6103A2BC79B4C1CB2ABCFA98387887706E0B01E30
File Size: 74.19 KB, 74188 bytes
MD5: 2720e45429562a722442d1fe0155db39
SHA1: ae4a52b72cb71157b65442760feaffbc9f2df58f
SHA256: DA19DA5EABC41A70F33080635C1C98A1CD8411BB7937EC1DC8DB9C986E9468A9
File Size: 239.62 KB, 239616 bytes
MD5: 8fa26c5d4850d42a5c9292ef330aa850
SHA1: 9493d28bc1e07eb622dc6449c8e69693c8b49283
SHA256: 15C001E90FC53882BF90A2E6C9D11BFC8756F2A19CAB4797AF22B5D945741C90
File Size: 139.26 KB, 139264 bytes
MD5: af55dc69cf9e47ce3000c5a89244415b
SHA1: 9b8575a65675428d32d42ca2e8effe7d9d94399a
SHA256: 4B38D6F633E3E4C0D31398C89A9BDD39A7087DD8CF5046DB22838AB66F11F989
File Size: 164.32 KB, 164323 bytes
MD5: 01f65c605a88692cb10e722feb3e6eb3
SHA1: 2d6f50c9905caa77482c5a98522bc57f9be2b2ea
SHA256: A04AD2C8CA86F5DAB56C9E13D67E5CFDF0444A25F79AC622E5FECE52D5AD03C7
File Size: 3.70 MB, 3702272 bytes
MD5: d4a3738d6444ddc84cd1aea5c248171c
SHA1: 5a18ca7fad31147d1111765c8d49dfaa7cb1110e
SHA256: F1E7DE36D57D1B7435A15F652CFB90586E8E46206D4A40036F0E01AD75B2B193
File Size: 140.04 KB, 140040 bytes
MD5: 4e84ddf7e0788ecc9cb19543b34cf9b1
SHA1: 1b9547655824322b0b1c48bb1c22f86cc54c7d27
SHA256: EB3F3BA915CE5E505DEBD6629EF5D71A0A2308B91187196A71464D94774C3890
File Size: 1.57 MB, 1571229 bytes
MD5: 34b91a63280bf96baf7578e98df79dfb
SHA1: 035cd7a19eb3b80b2e538f54f50984e849a5bcb7
SHA256: 980227CED2F6D7523D5EE40FEC7DFCB82A08464F233C1F576304D16EB1F2D0DC
File Size: 221.64 KB, 221639 bytes
MD5: d60ded91deb9b4a426efae01e894aef3
SHA1: 25df20831d44f8c56cc4e401d13751435e0117be
SHA256: DCC92971F523851AC3E54CDDE733D517144A0C61D26C8FE66617AE7CD95A1BFC
File Size: 131.07 KB, 131072 bytes
MD5: 42e00a0850882be08dc04bac6a662f8d
SHA1: 173673702f373563ca83330e3765a62745ecc6e4
SHA256: F4218AE59DE95DED89DC58FD51912EEA59A286507B414B4C07F96F50D2DEE08A
File Size: 2.19 MB, 2194098 bytes
MD5: 827874add4da7d24556a0caf232dfe30
SHA1: 09f6749df33473aefe31b206c652f568a5da4393
SHA256: 6D6E134E2C79DBCBEE3AE6F6457E15236396FFA0741FDE4AB11779ADDB82688D
File Size: 1.55 MB, 1548193 bytes
MD5: fb8df08b9b95a9a85b80ea15fe37518d
SHA1: 00b86e32ea48a89e2265a9d862f9bc07bdd6513f
SHA256: D59A23CF44025DD7FE386069738BB4973371A95AFB8BD5217D71F81EB52EE00A
File Size: 510.46 KB, 510464 bytes
MD5: 94f3831117a864672b05210c2f9200c7
SHA1: 30906e7e56861cc34403beae2508e87985a063fb
SHA256: E8BF99688278BE1B361B1798E5E7005BF3F4C0AC47BD0594313C409B02C8C650
File Size: 123.39 KB, 123392 bytes
MD5: f01a6f6bd01c6e8dfabfc2e5774a524f
SHA1: 52819e19ae47043d9b14c8eb9261917930d0d485
SHA256: 24D22A6AC712B10040FF5D9BB0FE9C917662AEA6313D94D7577F78E8B1C46DC5
File Size: 900.10 KB, 900096 bytes
MD5: d2818a46091902376584f626fe17c91d
SHA1: d3f8eb470570439ca1e28a45dd77f040a83cc104
SHA256: 0569BEC002EDC9AD7627EF76710465B4549858697B3F12586433131ED4A870A8
File Size: 782.34 KB, 782336 bytes
MD5: 91d3751f2312e035a8f9077b7cfe07fb
SHA1: 3020746247e0210d68f8732189a5d198bf5e6a6c
SHA256: C4C83391AD7BAE5152886DDD767448CD80C68AA518E06FF5BD870ECC48FD4799
File Size: 641.48 KB, 641479 bytes
MD5: af8bb374dbd5387f70b8d021055fab6a
SHA1: ced655855e219ed1dab44f2b036b66dc20092663
SHA256: C668305CDC906120CAC3054F5F9B13ABF7182C92EE5BCD52FA1F499C083A6141
File Size: 699.78 KB, 699782 bytes
MD5: a21a3fbd123a5b87318feb3bbc38dfeb
SHA1: 5e2a71974604a49c2a57812c563100e4bc47c77c
SHA256: 572392BD92AEECA210D967341271A78D2B2C964855C978BD2BDF10BD5B2A3CE8
File Size: 47.10 KB, 47104 bytes
MD5: 70df16e738db19ae23462278be5878fa
SHA1: 17c5540e0d83223ed0e76a962161fb0a5df512c3
SHA256: 3DFD9B71873235E12CEF810CC07A7CE76D80AF95A4F03985DE4606D5E53A0D28
File Size: 135.17 KB, 135168 bytes
MD5: b61bdb6528fd0145d37c4b4491c743c2
SHA1: bedf64f336016d7a477ce7f87ee29856088b718d
SHA256: C7A4E4ABB6922AC1FFDA3F859D5888F77C749C65CA9463F9048E75D9A21E8ECC
File Size: 7.55 MB, 7546528 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has been packed
  • File has exports table
  • File has TLS information
  • File is .NET application
  • File is 32-bit executable
  • File is 64-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name Value
Assembly Version 1.0.0.0
Comments www.facebook.com/llaneroinformatico
Company Name
  • .
  • Acresso Software Inc.
  • Perú
  • Smart Systems Ltd
Compiled Script
  • AutoIt v3 Script : 3, 2, 4, 9
  • AutoIt v3 Script: 3, 3, 8, 1
File Description
  • Carpeta de archivos
  • Explorador de Windows
  • InstallShield
  • Open V6 Quotes
File Version
  • 16.0.328
  • 3, 3, 8, 1
  • 3, 2, 4, 9
  • 2.6.28.0
  • 1.00
  • 1.0.0.0
  • 1
  • 0.00
  • 0.0.0.0
Internal Build Number 90563
Internal Name
  • honey
  • llanero solitario
  • Prueba0001
  • SmartShreder
  • V6OpenQuote_v2.exe
  • _IsIcoRes.exe
Legal Copyright
  • Copyright (C) 2009 Acresso Software Inc. and/or InstallShield Co. Inc. All Rights Reserved.
  • Copyright © Smart Systems Ltd 2012
  • llanero solitario
  • Willamonehase
Legal Trademarks llanero solitario
Original Filename
  • .exe
  • honey.exe
  • llanero solitario
  • Prueba0001.exe
  • SmartShreder.exe
  • V6OpenQuote_v2.exe
  • _IsIcoRes.exe
Product Name explorer
Product Name
  • honey
  • InstallShield
  • llanero solitario
  • Open V6 Quotes
  • Project1
  • SmartShreder
  •  
Product Version
  • 16.0
  • 2.6.28.0
  • 1.00
  • 1.0.0.0
  • 0.00

File Traits

  • .adata
  • .NET
  • .UPX
  • 2+ executable sections
  • Autoit
  • big overlay
  • BINinO
  • dll
  • HighEntropy
  • Installer Manifest
  • Installer Version
  • MZ (In Overlay)
  • NewLateBinding
  • nosig nsis
  • No Version Info
  • Nullsoft Installer
  • packed
  • PEC2
  • PECompact v2.20
  • Py-installer
  • SusSec
  • upx
  • UPX!
  • vb6
  • VirtualQueryEx
  • WriteProcessMemory
  • x64
  • x86
  • zlib (In Overlay)
  • zlib overlay

Block Information

Total Blocks: 820
Potentially Malicious Blocks: 0
Whitelisted Blocks: 820
Unknown Blocks: 0

Visual Map

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 2 0 0 0 0 0 0 0 0 0 0 0 1 0 1 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Autoit
  • DialupPass.A
  • InstallMonstr.B
  • Ramnit.V
  • Sohanad.B

Files Modified

File Attributes
Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
Generic Write,Read Attributes,Delete,LEFT 262144
Generic Write,Read Data,Read Attributes,Delete,LEFT 262144
Synchronize,Write Attributes
\device\namedpipe\srvsvc Generic Read,Write Data,Write Attributes,Write extended,Append data
c: Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\2caa72 Generic Write,Read Attributes
c:\bawkwe.gif Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\bawkwe.gif Synchronize,Write Attributes
c:\inetpub\inetpub.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\inetpub\inetpub.exe Synchronize,Write Attributes
c:\lmtryg.txt Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\lmtryg.txt Synchronize,Write Attributes
c:\mfiles Synchronize,Write Attributes
c:\mfiles\winlogon.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\mfiles\winlogon.exe Synchronize,Write Attributes
c:\nxrglc.jpg Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\nxrglc.jpg Synchronize,Write Attributes
c:\percjy.bmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\percjy.bmp Synchronize,Write Attributes
c:\perflogs\perflogs.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\perflogs\perflogs.exe Synchronize,Write Attributes
c:\program files (x86)\common files Synchronize,Write Attributes
c:\program files (x86)\common files\microsoft shared\explorer.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\common files\microsoft shared\explorer.exe Synchronize,Write Attributes
c:\program files (x86)\common files\uiui8.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\program files (x86)\common files\uiui8.dll Synchronize,Write Attributes
c:\program files (x86)\program files (x86).exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files (x86)\program files (x86).exe Synchronize,Write Attributes
c:\program files\common files\system\symsrv.dll Generic Write,Read Attributes
c:\program files\common files\system\symsrv.dll.000 Generic Write,Read Attributes
c:\program files\program files.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\program files\program files.exe Synchronize,Write Attributes
c:\programdata\microsoft\windows\start menu\programs\startup Synchronize,Write Attributes
c:\programdata\microsoft\windows\start menu\programs\startup\1681.lnk Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\programdata\microsoft\windows\start menu\programs\startup\1681.lnk Synchronize,Write Attributes
c:\sandbox_local\sandbox_local.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\sandbox_local\sandbox_local.exe Synchronize,Write Attributes
c:\sandbox_stage\sandbox_stage.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\sandbox_stage\sandbox_stage.exe Synchronize,Write Attributes
c:\startup_test\startup_test.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\startup_test\startup_test.exe Synchronize,Write Attributes
c:\system volume information Synchronize,Write Attributes
c:\users\public\desktop\intennet exploner.lnk Synchronize,Write Data
c:\users\public\desktop\改变你的一生.url Synchronize,Write Data
c:\users\public\desktop\免费电影c.url Synchronize,Write Data
c:\users\public\desktop\淘宝购物a.url Synchronize,Write Data
c:\users\user\appdata\local\microsoft\windows\explorer\iconcache_16.db Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\explorer\iconcache_idx.db Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.0.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.1.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.2.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\s-1-5-31-1286970278978-5713669491-166975984-320 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\s-1-5-31-1286970278978-5713669491-166975984-320 Synchronize,Write Attributes
c:\users\user\appdata\local\s-1-5-31-1286970278978-5713669491-166975984-320\dmc Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\s-1-5-31-1286970278978-5713669491-166975984-320\dmc Synchronize,Write Attributes
c:\users\user\appdata\local\s-1-5-31-1286970278978-5713669491-166975984-320\rotinom Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\s-1-5-31-1286970278978-5713669491-166975984-320\rotinom Synchronize,Write Attributes
c:\users\user\appdata\local\s-1-5-31-1286970278978-5713669491-166975984-320\tlsr Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\s-1-5-31-1286970278978-5713669491-166975984-320\tlsr Synchronize,Write Attributes
c:\users\user\appdata\local\start Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\start Synchronize,Write Attributes
c:\users\user\appdata\local\start\update.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\start\update.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\local\temp\002ca2a2_rar\52819e19ae47043d9b14c8eb9261917930d0d485_0000900096 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\002ca2a2_rar\52819e19ae47043d9b14c8eb9261917930d0d485_0000900096 Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\local\temp\_mei10042\_bz2.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei10042\_ctypes.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei10042\_decimal.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei10042\_elementtree.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei10042\_hashlib.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei10042\_lzma.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei10042\_socket.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei10042\_ssl.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei10042\base_library.zip Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei10042\libcrypto-1_1.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei10042\libffi-8.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei10042\libssl-1_1.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei10042\psutil\_psutil_windows.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei10042\pyexpat.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei10042\python3.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei10042\python311.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei10042\select.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei10042\unicodedata.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei10042\vcruntime140.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei11682\_bz2.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei11682\_ctypes.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei11682\_decimal.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei11682\_elementtree.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei11682\_hashlib.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei11682\_lzma.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei11682\_socket.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei11682\_ssl.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei11682\base_library.zip Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei11682\libcrypto-1_1.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei11682\libffi-8.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei11682\libssl-1_1.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei11682\psutil\_psutil_windows.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei11682\pyexpat.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei11682\python3.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei11682\python311.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei11682\select.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei11682\unicodedata.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei11682\vcruntime140.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei16762\_bz2.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei16762\_ctypes.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei16762\_decimal.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei16762\_elementtree.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei16762\_hashlib.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei16762\_lzma.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei16762\_socket.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei16762\_ssl.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei16762\base_library.zip Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei16762\libcrypto-1_1.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei16762\libffi-8.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei16762\libssl-1_1.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei16762\psutil\_psutil_windows.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei16762\pyexpat.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei16762\python3.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei16762\python311.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei16762\select.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei16762\unicodedata.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei16762\vcruntime140.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei23442\_bz2.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei23442\_ctypes.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei23442\_decimal.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei23442\_elementtree.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei23442\_hashlib.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei23442\_lzma.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei23442\_socket.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei23442\_ssl.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei23442\base_library.zip Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei23442\libcrypto-1_1.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei23442\libffi-8.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei23442\libssl-1_1.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei23442\psutil\_psutil_windows.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei23442\pyexpat.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei23442\python3.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei23442\python311.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei23442\select.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei23442\unicodedata.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei23442\vcruntime140.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei29162\_bz2.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei29162\_ctypes.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei29162\_decimal.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei29162\_elementtree.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei29162\_hashlib.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei29162\_lzma.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei29162\_socket.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei29162\_ssl.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei29162\base_library.zip Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei29162\libcrypto-1_1.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei29162\libffi-8.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei29162\libssl-1_1.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei29162\psutil\_psutil_windows.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei29162\pyexpat.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei29162\python3.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei29162\python311.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei29162\select.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei29162\unicodedata.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei29162\vcruntime140.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei43402\_bz2.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei43402\_ctypes.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei43402\_decimal.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei43402\_elementtree.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei43402\_hashlib.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei43402\_lzma.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei43402\_socket.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei43402\_ssl.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei43402\base_library.zip Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei43402\libcrypto-1_1.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei43402\libffi-8.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei43402\libssl-1_1.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei43402\psutil\_psutil_windows.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei43402\pyexpat.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei43402\python3.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei43402\python311.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei43402\select.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei43402\unicodedata.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei43402\vcruntime140.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei47562\_bz2.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei47562\_ctypes.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei47562\_decimal.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei47562\_elementtree.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei47562\_hashlib.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei47562\_lzma.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei47562\_socket.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei47562\_ssl.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei47562\base_library.zip Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei47562\libcrypto-1_1.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei47562\libffi-8.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei47562\libssl-1_1.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei47562\psutil\_psutil_windows.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei47562\pyexpat.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei47562\python3.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei47562\python311.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei47562\select.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei47562\unicodedata.pyd Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei47562\vcruntime140.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\_mei50202\_bz2.pyd Generic Write,Read Attributes

158 additional files are not displayed above.

Registry Modifications

Key::Value Data API Name
HKLM\software\classes\exefile::nevershowext 1 RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\policies\associations::modriskfiletypes .exe RegNtPreCreateKey
HKLM\system\controlset001\control\storagedevicepolicies::writeprotect RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\WINDOWS\SysWOW64\drivers\etc\hosts RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\WINDOWS\SysWOW64\drivers\etc\hosts\??\c:\RECYCLER\winlogon.exe RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\advanced::showsuperhidden RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\hidedesktopicons\newstartpanel::{871c5380-42a0-1069-a2ea-08002b30309d}  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\hidedesktopicons\classicstartmenu::{871c5380-42a0-1069-a2ea-08002b30309d}  RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\safeboxtray.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\360safe.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\360safebox.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\360tray.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\ravcopy.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\avastu3.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\scanu3.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\avu3launcher.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\runiep.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\rfwmain.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\rfwsrv.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kavpf.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kpfw32.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\nod32kui.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\nod32.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\navapsvc.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\selfupdate.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\navapw32.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\avconsol.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\webscanx.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\npfmntor.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\vsstat.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\zjb.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kpfwsvc.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\qqdoctormain.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\ravtask.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\mmsk.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\wopticlean.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\qqkav.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\eghost.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\qqdoctor.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\regclean.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\fyfirewall.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\iparmo.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\adam.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\icesword.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\360rpt.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\agentsvr.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\appsvc32.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\autoruns.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\avgrssvc.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\dsmain.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\360sd.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\360rp.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\avmonitor.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\ccenter.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\ccsvchst.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\filedsty.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\ftcleanershell.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\hijackthis.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\iparmor.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\ispwdsvc.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kabaload.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kascrscn.scr::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kasmain.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kastask.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\antiu.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kav32.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kavdx.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kavpfw.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kavsetup.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\arswp2.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kislnchr.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kmailmon.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kmfilter.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kpfw32x.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kregex.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\ksloader.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kvcenter.kxp::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\arswp3.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kvdetect.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kvfwmcl.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kvmonxp.kxp::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kvmonxp_1.kxp::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kvol.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kvolself.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kvscan.kxp::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kvsrvxp.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kvstub.kxp::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kvupload.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kvwsc.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kvxp.kxp::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kvxp_1.kxp::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kwatch.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kwatch9x.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kwatchx.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\loaddll.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\magicset.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\pfw.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\mcconsol.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\nod32krn.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\pfwliveupdate.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\qhset.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\ravstub.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\ras.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\rfwcfg.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\rsagent.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\rsaupd.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\safelive.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\irsetup.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\scan32.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\shcfg32.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\smartup.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\sreng.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\symlcsvc.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\syssafe.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\trojandetector.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\trojanwall.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\uihost.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\umxagent.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\umxattachment.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\umxcfg.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\umxfwhlp.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\umxpol.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\uplive.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\upiea.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\ast.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\arswp.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\usbcleaner.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\rstrui.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kvreport.kxp::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\qqsc.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\ghost.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\krepair.com::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\srengps.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\xdelbox.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kavstart.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kissvc.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\appdllman.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\~.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\sos.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\ufo.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\tnt.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\niu.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\xp.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\wsyscheck.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\txomou.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\aoyun.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\auto.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\autorun.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\av.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\zxsweep.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\cross.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\discovery.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\guangd.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\kernelwind32.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\logogo.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\qqdoctorrtp.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\navsetup.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\pagefile.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\pagefile.pif::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\rfwproxy.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\sdgames.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\servet.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\mmqczj.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\trojdie.kxp::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\ravmond.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\rav.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\ravmon.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\rstray.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\scanfrm.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\rsnetsvr.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\zhudongfangyu.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\avp.com::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\avp.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\tmp.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\jisu.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\filmst.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\qheart.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\qsetup.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\sxgame.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\wbapp.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\pfserver.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\799d.exe::debugger ntsd -d RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\image file execution options\stormii.exe::debugger ntsd -d RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\advanced::hidden  RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe 隃㴹富ǜ RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\advanced::hidefileext  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\advanced::webviewbarricade RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\shell folders::startup C:\Users\Prvutyhs\AppData\Local\Start RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\user shell folders::startup C:\Users\Prvutyhs\AppData\Local\Start RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::nodeslots ȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂȂ RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru::mrulistex ￿￿ RegNtPreCreateKey
HKCU\local settings\software\microsoft\windows\shell\bagmru\2::mrulistex ￿￿ RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows nt\currentversion\winlogon::sfcdisable  RegNtPreCreateKey
HKLM\software\policies\microsoft\windows nt\windows file protection::sfcdisable  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer::slowcontextmenuentries RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::local service C:\WINDOWS\Cursors\services.exe RegNtPreCreateKey

50 additional registry modifications are not displayed above.
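The entries above repeat one technique for every antivirus, firewall and analysis tool the author could name: a Debugger value under Image File Execution Options makes CreateProcess launch that "debugger" with the named program as its argument. ntsd.exe has not shipped with Windows since XP, so the target simply fails to start, which disables the tool without touching its files. The script below is an added triage example, not part of this report or of the sample; it enumerates Debugger values on a live host and flags those pointing at ntsd -d or at a binary that does not exist, then checks the Run-key masquerade, SfcDisable and redirected Startup folder listed above. Key paths are taken from the report; the finding labels and the list of system process names are my own.

```powershell
# Added triage script, not part of the original report or the sample.
# Run from an elevated PowerShell on the host under review.
# Assumed: 64-bit Windows; key and value names as listed in the report above.

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param([string]$Kind, [string]$Where, [string]$Detail)
    $findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
}

# 1. IFEO Debugger values. CreateProcess starts the named debugger instead of the
#    image; "ntsd -d" (or any path that does not exist) makes the target fail to
#    launch, which is how the sample neutralises AV and analysis tools.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
foreach ($root in $ifeoRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if (-not $dbg) { continue }
        # first token of the command line, honouring a quoted path with spaces
        $exe = if ($dbg -match '^\s*"([^"]+)"') { $matches[1] } else { ($dbg.Trim() -split '\s+')[0] }
        $exists = (Test-Path -Path $exe) -or [bool](Get-Command -Name $exe -ErrorAction SilentlyContinue)
        $kind = if ($dbg -match '(?i)^\s*"?ntsd(\.exe)?"?\s+-d') { 'IFEO-ntsd-d' }
                elseif (-not $exists) { 'IFEO-debugger-missing' }
                else { 'IFEO-debugger-review' }   # e.g. Process Explorer replacing taskmgr.exe
        Add-Finding -Kind $kind -Where $key.PSChildName -Detail $dbg
    }
}

# 2. Run-key entries whose file name is a core system process but whose path is
#    not the real one (the sample registered C:\WINDOWS\Cursors\services.exe).
$sysNames = 'services.exe','lsass.exe','svchost.exe','csrss.exe','winlogon.exe','explorer.exe','smss.exe'
foreach ($hive in 'HKCU:','HKLM:') {
    $runKey = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path -Path $runKey)) { continue }
    foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # provider metadata, not a value
        $cmd = [string]$p.Value
        if ($cmd -match '(?i)([a-z0-9_\-]+\.exe)') {
            $leaf = $matches[1].ToLower()
            if ($sysNames -contains $leaf -and $cmd -notmatch '(?i)\\windows\\(system32\\|syswow64\\)?[a-z0-9_\-]+\.exe') {
                Add-Finding -Kind 'Run-key-masquerade' -Where "$runKey\$($p.Name)" -Detail $cmd
            }
        }
    }
}

# 3. SfcDisable values the sample writes (absent on a clean modern host) and a
#    Startup folder redirected away from the Start Menu (the report shows
#    C:\Users\<user>\AppData\Local\Start).
foreach ($sfc in 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon',
                 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection') {
    $v = (Get-ItemProperty -Path $sfc -Name SfcDisable -ErrorAction SilentlyContinue).SfcDisable
    if ($null -ne $v) { Add-Finding -Kind 'SfcDisable-present' -Where $sfc -Detail "$v" }
}
$usf = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$startup = (Get-ItemProperty -Path $usf -Name Startup -ErrorAction SilentlyContinue).Startup
if ($startup -and $startup -notmatch '(?i)\\Start Menu\\Programs\\Startup$') {
    Add-Finding -Kind 'Startup-folder-redirected' -Where "$usf\Startup" -Detail $startup
}

$findings | Sort-Object Kind | Format-Table -AutoSize -Wrap
```

Treat IFEO-debugger-review hits as something to confirm rather than delete: legitimate software does set Debugger values (Process Explorer's "Replace Task Manager" is the common one). IFEO-ntsd-d and IFEO-debugger-missing have no benign reason to exist and can be removed with Remove-ItemProperty once the host is otherwise clean; the report's list above is the set of image names to expect.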

Windows API Usage

Category API
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
User Data Access
  • GetComputerName
  • GetComputerNameEx
  • GetUserDefaultLocaleName
  • GetUserName
  • GetUserObjectInformation
Process Shell Execute
  • CreateProcess
  • ShellExecute
  • WinExec
  • WriteConsole
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ReadProcessMemory
Other Suspicious
  • AdjustTokenPrivileges
  • SetWindowsHookEx
Encryption Used
  • BCryptOpenAlgorithmProvider
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAccessCheckByType
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcAcceptConnectPort
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreatePort
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcDeleteSecurityContext
  • ntdll.dll!NtAlpcDisconnectPort
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtAlpcSetInformation
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtCancelWaitCompletionPacket
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateTimer
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtImpersonateAnonymousToken
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadVirtualMemory
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationObject
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSetTimerEx
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtTraceEvent
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForMultipleObjects
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory

1 additional item is not displayed above.

Network Winsock2
  • WSAStartup
Network Winsock
  • bind
  • socket
Process Terminate
  • TerminateProcess
Network Wininet
  • HttpOpenRequest
  • HttpQueryInfo
  • HttpSendRequest
  • InternetConnect
  • InternetOpen
  • InternetSetOption
Network Winhttp
  • WinHttpOpen

Shell Command Execution

explorer.exe C:\Users\user\downloads\298b6097e1ab98e3b8d8d7ac624230875c570316_000055
c:\Win\lsass.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\explorer.exe
open C:\Users\Grxbpkds\Documen\nod42.exe
open c:\users\user\downloads\2d6f50c9905caa77482c5a98522bc57f9be2b2ea_0003702272
C:\WINDOWS\sysmgr.exe (NULL)
open c:\users\user\downloads\5a18ca7fad31147d1111765c8d49dfaa7cb1110e_000014\
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MS_Office.exe
C:\WINDOWS\explorer.exe c:\users\user\downloads\..
C:\WINDOWS\system32\cmd.exe /C AT /delete /yes
C:\WINDOWS\system32\at.exe AT /delete /yes
WriteConsole: The AT command h
C:\WINDOWS\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Users\user\Desktop\system3_.exe
C:\WINDOWS\system32\at.exe AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Users\user\Desktop\system3_.exe
WriteConsole: Warning: Due to
WriteConsole: Added a new job
C:\WINDOWS\system32\cmd.exe /C cacls "C:\system volume information" /e /g "Ygplqvwf":f
C:\WINDOWS\system32\cacls.exe cacls "C:\system volume information" /e /g "Ygplqvwf":f
explorer.exe C:\Users\user\downloads\3020746247e0210d68f8732189a5d198bf5e6a6c_000064
cmgr.exe
c:\users\user\downloads\bedf64f336016d7a477ce7f87ee29856088b718d_0007546528 "c:\users\user\downloads\bedf64f336016d7a477ce7f87ee29856088b718d_0007546528"
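Three things in the command trace above are worth checking on a host: a legacy at.exe job (AT /delete /yes, then AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su ... system3_.exe), a cacls grant of full control on C:\System Volume Information to a local account, and copies of lsass.exe, explorer.exe and an MS_Office.exe started from non-system paths. The truncated console line "The AT command h" is consistent with the deprecation message at.exe prints on Windows 8 and later, while "Added a new job" shows the job was accepted on another run, so the scheduled-task persistence only lands on older hosts. The script below is an added triage example, not part of this report or of the sample; it assumes Windows 8 / Server 2012 or later for Get-ScheduledTask, and the finding labels and legitimate-path table are my own.

```powershell
# Added triage script, not part of the original report or the sample.
# Run from an elevated PowerShell. Assumed: Windows 8 / Server 2012 or later
# (ScheduledTasks module); paths and names are those in the command list above.

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param([string]$Kind, [string]$Where, [string]$Detail)
    $findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
}

# 1. Jobs created with at.exe appear as At1, At2, ... in the root task folder and
#    run as SYSTEM. Also flag any task whose action lives in a user profile
#    (the sample scheduled C:\Users\<user>\Desktop\system3_.exe daily at 09:00).
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $exec = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    if ($task.TaskPath -eq '\' -and $task.TaskName -match '^At\d+$') {
        Add-Finding -Kind 'Legacy-AT-job' -Where $task.TaskName -Detail $exec
    } elseif ($exec -match '(?i)[a-z]:\\users\\[^\\]+\\(desktop|downloads|appdata\\local\\temp)\\') {
        Add-Finding -Kind 'Task-runs-from-user-profile' -Where "$($task.TaskPath)$($task.TaskName)" -Detail $exec
    }
}

# 2. ACL of System Volume Information. By default only NT AUTHORITY\SYSTEM holds
#    an ACE here; cacls ... /e /g <user>:f (as run above) adds a full-control ACE.
$svi = Join-Path -Path $env:SystemDrive -ChildPath 'System Volume Information'
try {
    foreach ($ace in (Get-Acl -Path $svi -ErrorAction Stop).Access) {
        if ($ace.IdentityReference.Value -ne 'NT AUTHORITY\SYSTEM') {
            Add-Finding -Kind 'SVI-ACL-extra-principal' -Where $svi -Detail "$($ace.IdentityReference) $($ace.FileSystemRights)"
        }
    }
} catch {
    Add-Finding -Kind 'SVI-ACL-unreadable' -Where $svi -Detail $_.Exception.Message
}

# 3. Running processes named like core system binaries but loaded from the wrong
#    place (c:\Win\lsass.exe and ...\Microsoft Shared\explorer.exe in the report).
$legit = @{
    'lsass.exe'    = @("$env:SystemRoot\System32\lsass.exe")
    'services.exe' = @("$env:SystemRoot\System32\services.exe")
    'svchost.exe'  = @("$env:SystemRoot\System32\svchost.exe", "$env:SystemRoot\SysWOW64\svchost.exe")
    'explorer.exe' = @("$env:SystemRoot\explorer.exe", "$env:SystemRoot\SysWOW64\explorer.exe")
}
foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    if (-not $proc.Path) { continue }     # protected processes expose Path only when elevated
    $leaf = (Split-Path -Path $proc.Path -Leaf).ToLower()
    if ($legit.ContainsKey($leaf) -and ($legit[$leaf] -notcontains $proc.Path)) {
        Add-Finding -Kind 'Masquerading-process' -Where "PID $($proc.Id)" -Detail $proc.Path
    }
}

# 4. Everything in the current user's Startup folder (the sample dropped
#    MS_Office.exe there). GetFolderPath honours a redirected User Shell Folders
#    value, so this lists the folder Explorer will actually process at logon.
$startupDir = [Environment]::GetFolderPath('Startup')
foreach ($f in Get-ChildItem -Path $startupDir -File -ErrorAction SilentlyContinue) {
    Add-Finding -Kind 'Startup-folder-item' -Where $f.FullName -Detail "$($f.Length) bytes"
}

$findings | Sort-Object Kind | Format-Table -AutoSize -Wrap
```

Get-Acl on System Volume Information needs an elevated prompt; without it the script records SVI-ACL-unreadable rather than silently reporting a clean ACL. A Masquerading-process hit for lsass.exe or services.exe outside System32 is never benign and is the quickest confirmation that this family is present.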
