GridinSoft Threat Intelligence

EFfI.dll threat report

Detected as Trojan.Heur! File reputation report

» File
File Details
Overview
Analysis

Status Trojan.Heur!

Identity 6be003956d0ac8b51cd491fbbb275671

Source GridinSoft ThreatInfo

MD5 6be003956d0ac8b51cd491fbbb275671

Latest seen 2025-09-11 23:02:44 (8 months ago)

First seen 2020-07-21 03:16:19 (5 years ago)

Size 19 MB

Publisher ©kms

Product EFfI

Analyst brief

What this report says

GridinSoft Anti-Malware detects EFfI.dll as Trojan.Heur!. The sample was last observed on 2025-09-11 23:02:44 (8 months ago) and reports publisher metadata associated with ©kms / EFfI.

This page combines the detection verdict with file identity, publisher metadata, alternate names, observed paths, geography, OS signals, and PE details so the report reads as a triage record rather than a standalone download page.

GridinSoft Anti-Malware detection

Detected by GridinSoft before you download

The current ThreatInfo record shows this exact file hash detected as Trojan.Heur!. Download GridinSoft Anti-Malware to scan the device, confirm whether this file is present, and remove the detected object if it is found.

Detection name: Trojan.Heur!
Recommended action: Scan and remove
Last analysis: 2025-09-11 23:02:44 (8 months ago)
File hash: 6be003956d0ac8b51cd491fbbb275671

Download Anti-Malware

Why it matters

Why GridinSoft flags this file

Detection

GridinSoft identifies the sample as Trojan.Heur!.

Timeline

First seen 2020-07-21 03:16:19 (5 years ago); latest analysis 2025-09-11 23:02:44 (8 months ago).

Publisher context

Company metadata: ©kms. Product metadata: EFfI.

Observed locations

ThreatInfo has seen this file in user or system paths listed below. Unexpected locations increase the need for local verification.

Recommended action

What to do next

Compare the MD5 above with the file found on the device.
Check whether the file appears in the observed locations or under one of the alternate names.
Run GridinSoft Anti-Malware to confirm the detection and remove the file if it is present.

File context

EFfI.dll is a Windows file recorded in the ThreatInfo database. It is associated with EFfI. The reported company name is ©kms. The current detection status is Trojan.Heur!, based on the latest analysis from 2025-09-11 23:02:44 (8 months ago).

If EFfI.dll appears on your computer unexpectedly, treat it as suspicious. Check its location, digital signature, and recent system changes before allowing it to run. A full anti-malware scan is recommended when this file is detected as Trojan.Heur!.

File Details

Main Info:

Product Name:	EFfI
Company Name:	©kms
MD5:	6be003956d0ac8b51cd491fbbb275671
Size:	19 MB
First Published:	2020-07-21 03:16:19 (5 years ago)
Latest Published:	2025-09-11 23:02:44 (8 months ago)

Analysis:

Status:	Trojan.Heur! (on last analysis)
Analysis Date:	2025-09-11 23:02:44 (8 months ago)

Detection screenshot

The screenshot is a visual record of a GridinSoft Anti-Malware detection for this sample. Use the hash and metadata above as the primary identifiers when comparing the file on your system.

Common Places:

%sysdrive%

%desktop%\fait inno off\allimmo\all_immo_programs

%profile%\videos\desktop\ملفات المحل\مجلد جديد\effi

%desktop%\im

%sysdrive%\gift all off\immo off pin software + archivos\effi zedbull v2.7.2\effi zedbull v2.7.2.rar

%sysdrive%\worck\my devices\effl

%sysdrive%\local disk\data\program ecu\effi - 173 modulos

%sysdrive%\worck\my devices\effl.rar

%sysdrive%\worck\my devices\gift all off\[pack] 30 immo off pin software + files\effi zedbull v2.7.2\effi zedbull v2.7.2

%desktop%

ThreatInfo has observed EFfI.dll in the locations listed above. Files found in temporary folders, user profile folders, startup locations, or unusual application directories should be reviewed more carefully than files installed under a known program directory.

Geographic signal

Observed country distribution

ThreatInfo has seen EFfI.dll across 7 countries. Use this signal to compare local evidence with where the sample is most often reported.

Top country Egypt

Share 40.0%

Low High activity

Top observed countries

40.0%

10.0%

The strongest geographic signal for this file is Egypt with 40.0% of observed hits. Geographic distribution can help identify targeted campaigns, regional software bundles, or where a file is most commonly reported.

OS Version:

Windows 10 70.0%

Windows 7 20.0%

Windows 8.1 10.0%

The most common operating system signal for EFfI.dll is Windows 10 with 70.0% of observed hits. If your system differs from the common profile, check whether the file was introduced by a specific installer, archive, or removable device.

Analysis

PE Info:

EFfI.dll is identified as pe for 32-bit systems. The subsystem is Windows GUI. PE header values are useful for triage, especially when they do not match the expected publisher, product, or release timeline.

Format pe

Architecture 32-bit

Subsystem Windows GUI

Entry point 0x020f1cba

Image base 0x00400000

PE Sections:

Sections 15

Raw data 20602786

Section layout highlights raw-size concentration, repeated names, packer markers, and hashes that can be compared across related samples.

.text 4055796 bytes · 19.7% of section data

MD5 f88b654eb1ac97e80f09a10723c3d749

.itext 11672 bytes · 0.1% of section data

Uncommon name

MD5 e16ef4e0959ba2d9339f34deb24116be

.data 240916 bytes · 1.2% of section data

MD5 bff3be380abc485ad8eb9b6c9227e34f

.bss 348592 bytes · 1.7% of section data

MD5 97b61a43dd1b759bdae2dfa6c6e60efb

.idata 17200 bytes · 0.1% of section data

MD5 9d716feee0679b3ae767e78f69b582db

.didata 1104 bytes · 0.0% of section data

Uncommon name

MD5 19e59b44356b8283d32d9f951f7b072a

.tls 72 bytes · 0.0% of section data

MD5 ac3b5a19643ee5816a1df17f2fadaae3

.rdata 24 bytes · 0.0% of section data

MD5 96849b22496360746f71a42de3a278b4

.UPX0 7350599 bytes · 35.7% of section data

Packer marker Large raw data Uncommon name

MD5 4bd0c3ee94147b4146d1fc6015fcca13

.UPX1 8409701 bytes · 40.8% of section data

Packer marker Large raw data Uncommon name

MD5 4ef827a2d70419204cdf36fb3b21954c

.rsrc 11566 bytes · 0.1% of section data

MD5 2dc49efb7f85c8379fd5be1fc59c0e22

IAT_SEC_ 85400 bytes · 0.4% of section data

Uncommon name

MD5 c2dd0e44d0c20da71a43de5bc3c112c7

LOCAL_AD 512 bytes · 0.0% of section data

Uncommon name

MD5 25291f6c8ac013f64712a163826a427c

HEAP_AD_ 28672 bytes · 0.1% of section data

Uncommon name

MD5 0cdd2eeaef54e80fa8708db673ec9e52

RES_AD_R 40960 bytes · 0.2% of section data

Uncommon name

MD5 d6a2c8272372c989db4c123e5a1196ed

PE section names and hashes can reveal packing, injected resources, or unusual build artifacts. Sections with uncommon names, very large raw data, or hashes that differ from a trusted copy deserve additional review.

Report conclusion

GridinSoft detects this file as Trojan.Heur!

This report identifies EFfI.dll by MD5 6be003956d0ac8b51cd491fbbb275671. If the same file is present on your device, scan the system and remove the detected object after confirming the hash and location.

Download GridinSoft Anti-Malware Scan the device and confirm whether this exact hash is present. Check this hash on VirusTotal

Recommended next steps

Compare the local file MD5 with 6be003956d0ac8b51cd491fbbb275671.
Check the file path, publisher, and signature against the details in this report.
Run a GridinSoft scan and remove the object if the same hash is found.