Adware Reports malware removal guides and threat research Updated security instructions for Windows users
Home/Risk
Threat report

RiskTool.Win32.Phpw.ckd removal

Published Feb 27, 2024 Risk category 3 min read
Report context

What to verify before removal

This report keeps RiskTool.Win32.Phpw.ckd removal in the active library because the detection has enough technical context to support a careful second-opinion scan and cleanup decision.

Start by comparing the local file name with 36318CF613A28485DA1C.mlw, then review the behavior notes for persistence entries, dropped files, unusual processes, and browser or network changes. This helps separate a matching detection from a different file that only shares a similar alert name.

Observed file
36318CF613A28485DA1C.mlw
  • Compare the suspicious file name with 36318CF613A28485DA1C.mlw.
  • Confirm the detection name matches RiskTool.Win32.Phpw.ckd removal before removing related files.
  • Review the report for persistence entries, dropped files, unusual processes, and browser or network changes so the cleanup is based on observed behavior, not only the label.
  • Run a full scan, quarantine confirmed detections, and restart before signing back in to sensitive accounts.

The RiskTool.Win32.Phpw.ckd is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

What RiskTool.Win32.Phpw.ckd virus can do?

  • Sample contains Overlay data
  • Unconventionial binary language: Chinese (Simplified)
  • Unconventionial language used in binary resources: Chinese (Simplified)
  • The binary contains an unknown PE section name indicative of packing
  • The binary likely contains encrypted or compressed data.
  • Authenticode signature is invalid
  • Anomalous binary characteristics

How to determine RiskTool.Win32.Phpw.ckd?



File Info:

name: 36318CF613A28485DA1C.mlw
path: /opt/CAPEv2/storage/binaries/41878c2635c38ee590ee0a3157b350d95080b75c10424c852b2c8c6be42ccc99
crc32: CA605588
md5: 36318cf613a28485da1c87dbaa878d8b
sha1: 4f17fce5a3653cf75525d68b644b8048028c7450
sha256: 41878c2635c38ee590ee0a3157b350d95080b75c10424c852b2c8c6be42ccc99
sha512: 32eb7c13c789413ebfcc253438bf95585337af4573bae8cdbdabf4634a0e98566079cea8e46872b97b048f458de62b85e07ec6cea3d4544697b777c0b24f0cb5
ssdeep: 49152:UHr/nhghxXVMUhoWOvEdsjIOjDlrCQli+1ZA4FJk2uOI/joB9xtA:kThQlMSoVvEdC/lmQli+1ZA4FKj0r
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T142C5338E1628CD49D6002BB845B8CF31DA3DDD6D3C2BD65E4DF9B55F363B2A03A80465
sha3_384: 5ab81b4dc853fab6418bf3596513ddf6599fb2864dfd31d3216fd57e95d1d94cdde64ba942cff1b06f531d3e82b8159a
ep_bytes: e861000000e979feffff6860bb440064
timestamp: 2008-10-18 02:04:13


Version Info:

Comments: SunShine
CompanyName: SunShine AntiCheat
FileDescription: SunShine AntiCheat
FileVersion: 2016, 0, 0
InternalName: SunShine
LegalCopyright: Copyright (C) 2013-2016
LegalTrademarks: 
OriginalFilename: El-Shaf3y
PrivateBuild: El-Shaf3y
ProductName: El-Shaf3y
ProductVersion: 2016, 0, 0
SpecialBuild: 
Translation: 0x0804 0x04b0

RiskTool.Win32.Phpw.ckd also known as:

Lionic Riskware.Win32.Phpw.1!c
Elastic malicious (high confidence)
Skyhigh BehavesLike.Win32.Generic.vc
CrowdStrike win/malicious_confidence_70% (D)
Symantec ML.Attribute.HighConfidence
Kaspersky not-a-virus:RiskTool.Win32.Phpw.ckd
Alibaba RiskWare:Win32/Generic.3df18297
Avast Win32:Malware-gen
Tencent Win32.Risk.Phpw.Vmhl
F-Secure Heuristic.HEUR/AGEN.1346692
Trapmine malicious.high.ml.score
FireEye Generic.mg.36318cf613a28485
Sophos Generic ML PUA (PUA)
SentinelOne Static AI – Suspicious PE
Jiangmin RiskTool.Phpw.pc
Webroot W32.Phpw.ckd
Avira HEUR/AGEN.1346692
ZoneAlarm not-a-virus:RiskTool.Win32.Phpw.ckd
Cynet Malicious (score: 99)
McAfee Artemis!36318CF613A2
VBA32 Backdoor.Bladabindi
Malwarebytes Generic.Malware/Suspicious
Rising PUF.Pack-Enigma!1.BA33 (CLASSIC)
Yandex Trojan.GenAsa!V+hJW/TZp1s
MaxSecure Trojan.Malware.12135575.susgen
Fortinet Riskware/Phpw
BitDefenderTheta Gen:NN.ZexaF.36744.AE1@a4Hcyjeb
AVG Win32:Malware-gen
Cybereason malicious.5a3653
DeepInstinct MALICIOUS

How to remove RiskTool.Win32.Phpw.ckd?

Recommended second-opinion scan

Verify the infection before changing system settings

Use GridinSoft Anti-Malware to run a full scan, review detected persistence entries, and quarantine confirmed threats before restarting Windows.

Download GridinSoft Anti-Malware
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan“.
  • Move to quarantine” all items.
  • Open “Tools” tab – Press “Reset Browser Settings“.
  • Select proper browser and options – Click “Reset”.
  • Restart your computer.