Run Autoruns.exe and wait until it has finished populating the list of entries.

If you don’t see it in Autoruns, you may edit the registry and remove the item from your startup folder. It may be left over from malicious software that was removed or from an application that was not installed properly. The entry may have a curious-looking name, since it was probably generated at random when the malware was installed. If you search your system for the referenced file, you may not find it.

Interesting Mechanisms of PlugX

This is a very well-designed, well-written software project: it has modular plugins which, rather than having their own routines for tasks such as external communication, use functionality provided by PlugX’s internal APIs. This design choice allows plugins or APIs to be updated independently and in a backward-compatible way, without interrupting the execution of the malware or requiring it to be reinstalled. It can also run in both thread-safe and non-thread-safe environments.

  • This is sometimes known as a DLL load-order hijack, where a local DLL supplants a system-supplied library.
  • It is set to start when the PC boots and whenever any user logs into Windows.
  • Note that the insertion time of hkcmd.exe is the same, while those of the others differ.

A path through the execution graph that shows much of the hccutils_dll behavior (e.g. with respect to called API functions). Execution graphs are highly condensed control-flow graphs which give the user a synthetic view of the code detected during Hybrid Code Analysis. They include additional runtime information, such as the execution status, which is highlighted with different colors and shapes.


I hope you find what you need to complete the setup of your e-mail applications. Code for which it is unknown whether it was executed at runtime. A code location where a decision was made to avoid executing potentially malicious behavior. Igfxpph.dll is loaded as a dynamic link library that runs in the context of a process.

Finally, as this information comes from the forum and other non-official sites, I want to add that it is a copy/paste/edit-for-easy-reading document I created in my spare time. I did as much research as I could regarding the implementation of the HP ePrint App e-mail accounts. If you do not see your e-mail information listed here, feel free to post below or contact your internet service provider, by phone or e-mail, or anyone else who might know. I am sure there are many others that could be added, but this is a pretty comprehensive list.

T1027: Obfuscated Files or Information

Also, it is obvious that after unpacking the malware, it is very easy to change this option. One can infer that the people for whom this malware was demonstrated probably weren’t malware developers, as this appears to be a very simple protection. You can always google the name of the plugin and you’re sure to get an explanation somewhere in the top 10 hits. If you are sure you don’t need a plugin, you can always uninstall it. If you come across a site that uses it, it will ask you to install it again.