Gridinsoft Security Lab

What is Trojan:Win32/Malgent!MSR? Malware Analysis

Trojan:Win32/Malgent!MSR

Stephanie Adlam | Jul 10, 2024 | 5 min read

Trojan:Win32/Malgent!MSR detection has recently become widespread in Windows systems. It usually flags a real threat, particularly a dropper or a…

Stealer Malware You Should Know and Be Aware Of

Infostealer Malware

Stephanie Adlam | Jun 19, 2024 | 7 min read

The cybercrime world changes rapidly: it expands, collapses, and evolves both extensively and intensively. One of the most massive malware types in the modern threat landscape, Infostealer Malware, appears to be entering a new stage of development. Though its major names remain the same, some new malware families with promising features have popped up. Let’s have a peek at all of them and see what to expect.

Infostealer Malware Market in 2024

Infostealer malware gained more and more popularity during the…

SearchHost.exe - Troubleshooting in Windows 10/11

SearchHost.exe – Is SearchHost a virus?

Stephanie Adlam | Jun 19, 2024 | 6 min read

SearchHost is a process responsible for indexing the Start menu and Explorer search files in Windows 10/11. It allows you to conveniently search for files on your computer by indexing their contents. However, this process can be spoofed by a coin miner or malware that uses its name to masquerade on your system. How do you know if this process is a virus? And what should you do in the case of high memory and GPU usage by searchhost.exe? Here is our…

WinRing0x64 Process Overview - Is That a Virus?

WinRing0x64.sys

Stephanie Adlam | Jun 19, 2024 | 3 min read

WinRing0x64.sys is a low-level driver that is used by specific applications. The file itself is not malicious, but malware can abuse this driver. Next, we will find out who uses WinRing0x64.sys and why, and answer the question of whether it can be removed.

WinRing0x64 Overview

WinRing0x64.sys is a crucial software component that allows applications to gain low-level access to hardware components for system monitoring or overclocking purposes. It bypasses high-level interfaces provided by the operating system to interact directly with…

Script-Based Malware

How can an attacker execute malware through a script?

Stephanie Adlam | Jun 19, 2024 | 8 min read

Over the last four years, the share of script-based attacks among malware offenses worldwide has grown so drastically that it raised alerts among security specialists and ordinary users. In this post, we shall examine script-based malware, assess its strengths and weaknesses, explain how the attacks happen, and suggest measures to maintain security in your workgroup.

What is Script Malicious Code?

To understand how someone can run a script-based attack on a computer, we must know what scripts are. They are…

Trojan:Win32/Vigorf.A Malware Description

Trojan:Win32/Vigorf.A

Stephanie Adlam | Jun 18, 2024 | 6 min read

Trojan:Win32/Vigorf.A is a generic detection of Microsoft Defender. This detection commonly identifies a running loader malware that may cause significant harm to the system. In this article, let’s find out how dangerous Vigorf.A is and how to get rid of it.

What is Trojan:Win32/Vigorf.A?

Trojan:Win32/Vigorf.A is the detection name that Microsoft Defender attributes to dropper/loader malware. This generic detection name refers to a whole range of malicious programs, rather than one specific family. The goal of Vigorf.A is unauthorizing system…

What is Win32/Wacapew.C!ml? Description & Analysis

Program:Win32/Wacapew.C!ml

Stephanie Adlam | Jun 18, 2024 | 4 min read

Program:Win32/Wacapew.C!ml detection refers to programs that have suspicious properties. This can be either a false positive or a detection of a program whose properties and functions border on those of a PUA. Let’s look into this and find out what this detection is.

What is Win32/Wacapew.C!ml?

Program:Win32/Wacapew.C!ml is a heuristic detection designed to detect a suspicious program. However, it is not a specific virus or malware. Microsoft Defender uses this type of detection to identify a wide range…

PUABundler:Win32/CandyOpen Malware Removal Guide

PUABundler:Win32/CandyOpen (PUA OpenCandy)

Stephanie Adlam | Jun 15, 2024 | 4 min read

PUABundler:Win32/CandyOpen (or OpenCandy) is an unwanted program that acts as a browser hijacker and can download junk apps to your system. Specifically, it points at a thing known as OpenCandy adware, which is known for its indecent behavior. Let’s break it down and see what PUABundler/Candyopen is in a real-world example.

What is PUABundler:Win32/CandyOpen?

PUA OpenCandy Detection

As I’ve said in the introduction, CandyOpen is a detection name for a specific program that spreads bundles with…

Trojan:Win32/Cerber Malware Analysis

Trojan:Win32/Cerber

Stephanie Adlam | Jun 15, 2024 | 6 min read

Trojan:Win32/Cerber is a detection name that Microsoft Defender uses to flag ransomware. Its name was once associated with a specific malware family, but as that family ceased its activity, the name has been used for a wide range of ransomware samples. It is common to see this malware type in attacks on corporations, though all of them are able to harm individuals to the same degree.

Trojan:Win32/Cerber Overview

Trojan:Win32/Cerber is an older type of malware classified as ransomware. It first appeared…

What is RegAsm.exe? Is RegAsm Virus?

RegAsm.exe

Stephanie Adlam | Jun 13, 2024 | 5 min read

The RegAsm.exe process is an important component of the Windows operating system associated with the .NET Framework. This utility is designed to register .NET assemblies in the Windows registry, allowing COM clients to call managed applications. Let’s analyze its functionality and see whether malware can abuse it.

What is RegAsm.exe?

RegAsm.exe (Assembly Registration Tool) is a command line utility that provides users and developers with the ability to register CLR (Common Language Runtime) assemblies in the Windows Registry. The main…

Textinputhost.exe - Is it Safe? Troubleshooting Guide

TextInputHost.exe

Stephanie Adlam | Jun 13, 2024 | 7 min read

TextInputHost.exe is a legitimate process by Microsoft required for text input functionality in Windows. It gathers input from sources like your keyboard, touchscreen, or pen, interprets it, and delivers it to your specific application. Seeing that process may be confusing for some users, and it is also a source of several issues that I will help you to address.

TextInputHost.exe – What is It?

TextInputHost.exe is a legitimate process in the Windows Feature Experience Pack. It is responsible for inputting…

What is Werfault.exe?

Werfault.exe Error

Stephanie Adlam | Jun 13, 2024 | 4 min read

Werfault.exe is a system process used to collect information about program errors, which helps diagnose and resolve issues to improve the user experience. In certain cases, it can repeatedly crash, displaying an error message, and it can also be used by malware.

What is Werfault.exe?

Werfault.exe is a Windows Error Reporting (WER) process. It is responsible for handling error reporting in Windows operating systems. WerFault.exe was first released on 11/08/2006 for Windows Vista and is still present in Windows 10 and 11.…

What is AggregatorHost.exe? Is it Safe?

AggregatorHost.exe

Stephanie Adlam | Jun 13, 2024 | 4 min read

Aggregatorhost.exe is a process in the Task Manager that often looks suspicious to users. Due to its uncertain nature, it can appear to users as a malicious process, but it is not (at least, not usually). Below, I will tell you what this process is, what it refers to, and whether you may have a reason to distrust it.

What is AggregatorHost.exe?

Aggregatorhost.exe is a system process that you can occasionally see in the Task Manager. I…