Malware.Rujack

By CagedTech in Browser Hijackers
Threat Scorecard

Popularity Rank: 314
Threat Level: 50 % (Medium)
Infected Computers: 455,173
First Seen: April 6, 2017
Last Seen: January 24, 2026
OS(es) Affected: Windows

Rujack and Malware.Rujack are detection names used by cybersecurity vendors for riskware and browser-hijacking software that forces users to load pages on the h[tt]ps://mail[.]ru domain. Mail.ru is a legitimate site aimed at Russian-speaking Web users. It is similar to Bing and Google in many ways, with a built-in weather forecast, IM client support, an email service, news feeds and Yandex search integration. Unfortunately, the reputation of Mail.ru has been plagued by adware activity and browser hijacking caused by third parties looking to claim advertising revenue by redirecting users to Mail.ru.

The software flagged as Rujack and Malware.Rujack may include extensions for Google Chrome, add-ons for Mozilla Firefox and Browser Helper Objects (BHOs) for Internet Explorer. The Rujack applications are usually distributed to PC users bundled with misleading and fake updates for Adobe Flash and Java. Rujack-branded programs may be presented to users as free media players and extensions that help with streaming video content from the Internet. We have seen applications like “Rutube Chrome Extension,” “WebExpEnhanced,” and “UpdHost2” flagged as Malware.Rujack and PUP.Optional.MailRu. Extensions with the following IDs have been known to cause problems for users:

lhemechcanjmilllmccjbjldonmnnjjj
hcadgijmedbfgciegjomfpjcdchlhnif
bhjhnafpiilpffhglajcaepjbnbjemci
indjgiebmakhmnaplnlnanodkfiejfjd

The Rujack software is observed to modify popular Web browsers and force them to load resources from Mail.ru, as well as advertisements from untrusted domains. Most of the cases involving the Rujack software correspond to Europe and Central America. Malware.Rujack may use VBS scripts and Registry keys to redirect users to insecure pages on the Internet, as well as invite users to run questionable software from unverified publishers. It is best to remove the files and applications associated with Malware.Rujack using a credible anti-malware suite. AV scanners may list related files under the following names:

  • Suspicious_GEN.F47V0628
  • Trojan.Agent.CIPO
  • Trojan.VBS.HotNews.a
  • Win32/Trojan.7e4
  • malware (ai score=81)
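A read-only triage check, added here as an example and not part of the original report, that flags the four extension IDs listed above in Chrome profiles and lists Run-key values and scheduled tasks whose command launches a script host or a .vbs/.bat file, the persistence style the text attributes to Rujack. The Chrome profile layout, the Run-key locations and the Get-ScheduledTask cmdlet are standard Windows/Chrome locations assumed here, not taken from the report.

```powershell
# Added triage script, not part of the original report: read-only, it lists
# findings and removes nothing.

# Extension IDs quoted in the report above.
$SuspectExtensionIds = @(
    'lhemechcanjmilllmccjbjldonmnnjjj',
    'hcadgijmedbfgciegjomfpjcdchlhnif',
    'bhjhnafpiilpffhglajcaepjbnbjemci',
    'indjgiebmakhmnaplnlnanodkfiejfjd'
)

# Standard Chrome layout (assumed, not from the report):
# <User Data>\<profile>\Extensions\<32-char id>\<version>\
$ChromeUserData = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'

function Find-SuspectExtensions {
    if (-not (Test-Path -LiteralPath $ChromeUserData)) { return }
    foreach ($chromeProfile in Get-ChildItem -LiteralPath $ChromeUserData -Directory) {
        $extRoot = Join-Path $chromeProfile.FullName 'Extensions'
        if (-not (Test-Path -LiteralPath $extRoot)) { continue }
        foreach ($ext in Get-ChildItem -LiteralPath $extRoot -Directory) {
            if ($SuspectExtensionIds -contains $ext.Name) {
                [PSCustomObject]@{
                    Profile     = $chromeProfile.Name
                    ExtensionId = $ext.Name
                    Path        = $ext.FullName
                }
            }
        }
    }
}

# Autostart locations (standard Windows Run keys, assumed) and a pattern for
# commands that run a script host or a .vbs/.bat file, the persistence style
# the report describes (cscript ... hd.vbs, ijhg.vbs).
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$ScriptPattern = 'cscript|wscript|\.vbs\b|\.bat\b'
# Provider metadata that Get-ItemProperty attaches to every result.
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Find-ScriptAutostarts {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $values = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($ProviderProps -contains $prop.Name) { continue }
            if ("$($prop.Value)" -match $ScriptPattern) {
                [PSCustomObject]@{ Key = $key; Name = $prop.Name; Command = $prop.Value }
            }
        }
    }
}

# Scheduled tasks whose action launches a script host or a script file.
# Requires the ScheduledTasks module (Windows 8 / Server 2012 or newer).
function Find-ScriptTasks {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $cmd = ("$($action.Execute) $($action.Arguments)").Trim()
            if ($cmd -match $ScriptPattern) {
                [PSCustomObject]@{ TaskPath = $task.TaskPath; TaskName = $task.TaskName; Command = $cmd }
            }
        }
    }
}

'== Suspect Chrome extensions =='
Find-SuspectExtensions | Format-Table -AutoSize
'== Run/RunOnce values that launch scripts =='
Find-ScriptAutostarts | Format-Table -AutoSize
'== Scheduled tasks that launch scripts =='
Find-ScriptTasks | Format-Table -AutoSize
```

A script-launching Run value or task is not malicious by itself; review each reported command and the script it points to before removing anything.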


File System Details

Malware.Rujack may create the following file(s):
File Name | MD5 | Detections
ijhg.vbs | 990b494c525a8368f4b7ed9bac762ae1 | 58

Registry Details

Malware.Rujack may create the following registry entry or registry entries:

Directories

Malware.Rujack may create the following directory or directories:


URLs

Malware.Rujack may call the following URLs:


Analysis Report

General information

Family Name: Malware.Rujack
Signature status: Hash Mismatch


Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has been packed
  • File has exports table
  • File has TLS information
  • File is .NET application
  • File is 32-bit executable
  • File is 64-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)


Windows PE Version Information

Name Value
Assembly Version 1.9.1.0
Comments
  • MediaGet installer
  • This installation was built with Inno Setup.
Company Name
  • Destiny Media
  • Elements Browser
  • MediaGet LLC
  • neunative
  • Offerbox
  • VideoFrom
File Description
  • AdGuardWebInstaller Setup (r2205031000)
  • Elements Browser Setup
  • Fenacibuki Setup
  • HDD_Low_Level_Format_Tool_Setup Setup
  • MediaGet installer
  • neunative-m Setup
  • Pirecegino Setup
  • VideoFrom
  • Zona installer
File Version
  • 1.9.1
  • 1.1.8.0
  • 1.00
  • 1.0.0.0
  • 1.0
Internal Name
  • Elements Browser Setup
  • mediaget-installer
  • TJprojMain
  • VideoFrom.exe
  • ZonaInst.exe
Legal Copyright
  • Copyright (c) 2011 MediaGet LLC
  • Copyright (C) 2013
  • Copyright (C) 2018
  • Copyright © 2018-2020
Original Filename
  • elementsbrowsersetup.exe
  • mediaget-installer.exe
  • TJprojMain.exe
  • VideoFrom.exe
Product Name
  • AdGuardWebInstaller
  • Elements Browser Setup
  • Fenacibuki
  • HDD_Low_Level_Format_Tool_Setup
  • mediaget-installer Module
  • neunative-m
  • Pirecegino
  • Project1
  • VideoFrom
Product Version
  • 4.4.4
  • 3.4
  • 3.0
  • 1.9.1
  • 1.1.8.0
  • 1.00
  • 1.0.2.6
  • 1.0
  • 0.0.0.1

Digital Signatures

Signer | Root | Status
AVRORA, OOO | AAA Certificate Services | Root Not Trusted
OOO Kod 7 | COMODO RSA Code Signing CA | Self Signed
PROTOTAIPS, OOO | COMODO RSA Code Signing CA | Self Signed
Global Microtrading PTE. LTD | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | Self Signed
ROSTPAY LTD | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | Hash Mismatch
Global Microtrading PTE. LTD | DigiCert Trusted Root G4 | Root Not Trusted
Destiny Media | VeriSign Class 3 Public Primary Certification Authority - G5 | Root Not Trusted
GLOBAL MICROTRADING PTE. LTD. | thawte SHA256 Code Signing CA | Hash Mismatch
Global Microtrading PTE. LTD | thawte SHA256 Code Signing CA | Hash Mismatch
ROSTPAY LTD | thawte SHA256 Code Signing CA | Self Signed

File Traits

  • .aspack
  • ASPack v2.11d
  • HighEntropy
  • No Version Info
  • packed
  • x86

Block Information

Total Blocks: 1,611
Potentially Malicious Blocks: 218
Whitelisted Blocks: 1,248
Unknown Blocks: 145


Similar Families

  • AdGazelle.A
  • Agent.AN
  • Agent.IUH
  • Downloader.Agent.TJ
  • Farfli.XB
  • MediaGet.B
  • Mobogenie
  • Murphy.B
  • NukeSped.XB
  • Rozena.EA
  • SearchSuite.C
  • Trojan.Agent.Gen.PW
  • Trojan.Downloader.Gen.BP
  • Trojan.ShellcodeRunner.Gen.CL
  • Vybab.A
  • Zusy.CA



Windows API Usage

Category API
Process Shell Execute
  • CreateProcess
  • ShellExecute
User Data Access
  • GetComputerName
  • GetComputerNameEx
  • GetUserDefaultLocaleName
  • GetUserName
  • GetUserObjectInformation
Keyboard Access
  • GetKeyState
Network Winhttp
  • WinHttpOpen
Network Wininet
  • HttpOpenRequest
  • HttpQueryInfo
  • HttpSendRequest
  • InternetConnect
  • InternetOpen
  • InternetQueryOption
  • InternetSetOption
Encryption Used
  • BCryptOpenAlgorithmProvider
  • CryptAcquireContext
Process Manipulation Evasion
  • NtUnmapViewOfSection
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
Process Terminate
  • TerminateProcess
Other Suspicious
  • SetWindowsHookEx

Shell Command Execution

"C:\Users\Uneihyoq\AppData\Local\Temp\is-OMT0C.tmp\303ea8f12651c382bc0f7e26ed551b88c41649e0_0002545936.tmp" /SL5="$2026C,2096998,488960,c:\users\user\downloads\303ea8f12651c382bc0f7e26ed551b88c41649e0_0002545936"
"C:\Users\Vewhxgpu\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=c:\users\user\downloads\
"C:\Users\Waewglia\AppData\Local\Temp\is-BV69C.tmp\53cae181389bc9c57c97f4c4165bdad91853c07c_0001230784.tmp" /SL5="$300AE,971904,56832,c:\users\user\downloads\53cae181389bc9c57c97f4c4165bdad91853c07c_0001230784"
"C:\Users\Ysuizzzl\AppData\Local\Temp\is-FPQR9.tmp\743013cd4d745a9efbe1b516c97fa290df6ea5d7_0002452248.tmp" /SL5="$400FE,1592315,832512,c:\users\user\downloads\743013cd4d745a9efbe1b516c97fa290df6ea5d7_0002452248"
"C:\Users\Gvatgfhp\AppData\Local\Temp\is-RM8VL.tmp\e3a148220a4f901ca1329c8bbbbb1804c6a5b1f9_0003937016.tmp" /SL5="$90042,3145790,166400,c:\users\user\downloads\e3a148220a4f901ca1329c8bbbbb1804c6a5b1f9_0003937016"
(NULL) C:\Users\Rcwumpyt\AppData\Local\Temp\mediaget-uninstaller.exe --uninstall
cscript //NoLogo C:\Users\Dtcymojh\AppData\Local\Temp\hd.vbs
