
Trojan.Rugmi.AB

By CagedTech in Trojans

Analysis Report

General information

Family Name: Trojan.Rugmi.AB
Signature status: Hash Mismatch

Known Samples

MD5: 6621a481238d3ade0b47411dd1dbd3bc
SHA1: 31a2dabb1b2d5dbb2e5bb79f8932738084b119e4
SHA256: 75D42C0263FD56755F8AB8E9F26605F14BCD1D09AF891F2ED77B31862F4446D0
File Size: 1.07 MB, 1066192 bytes
MD5: e016a22ed0d878cafaa003b73f02ce0b
SHA1: 184a12bc93d2ccfd90eac43168e80ea71c3c4175
SHA256: D635C5EA2B84640EF97D591C10A7C8082BD0187A0298CD1C85BCDBE0828781D7
File Size: 1.15 MB, 1146880 bytes
MD5: 624815d9534e372b6b8022b397682527
SHA1: f44718dc3c98c7a54e3bc8954e4340f5653dccfb
SHA256: 7D96F749C848C3A3C081869804EE57227A84DB1AF59C26F43EB03A9F07601539
File Size: 1.14 MB, 1142856 bytes
MD5: dbf7b69d39ec8b84022a4b5bf2a361cb
SHA1: 2514c624179b48c7eb77079fcb304a449ba6c968
SHA256: 8BD21060D4AE739E182D4C26B46050B60282741994CF41B0E7E75987F08E5C95
File Size: 1.13 MB, 1131520 bytes
MD5: a822527032d17ccc3c2722bd40ead020
SHA1: e4956d3a5eeb6348b90324a90fe57a1cabd7bd91
SHA256: C05489DBC6E00BDCEC1126B77C9D2FE01C150AE3D5B0EF41FDCE3712C7EC1D72
File Size: 1.00 MB, 1000961 bytes
MD5: 43f1befb60debf9bc1e873c1a48c6d3a
SHA1: 14e7662ee2b6eae5d8dbe37b7cd7dfa98f9ddd6a
SHA256: AE0B18790D82CBA0D82BC23E95AAEDB4F213B48C5ECB0B48F0592F1E5F44588A
File Size: 939.08 KB, 939080 bytes
MD5: 684f4c6570432bfee782e562a16fe837
SHA1: 1a7420bd2059f10e30342e59b2f677ca4a707d0f
SHA256: 5BBCB29F0C0E8B56C3FDACB3E4DC09708E9B4C7721D922BECDC8D7A8C11BA393
File Size: 826.44 KB, 826440 bytes
MD5: 10dac28fed9d0688eded37a5c234131b
SHA1: d164f1b945dd7978ef5edb2a72ce15bc6cda6b4f
SHA256: 5B1344921677E2F8963003CBCDF08F6DEF8B2CFD2E6760E952A3085B98BA7F61
File Size: 1.25 MB, 1254624 bytes
MD5: 712c2443999f580e79157ce31cec1b75
SHA1: 528d8d10b4b12e2dcf33755647187475448d728d
SHA256: 32970C5174C4535F3EFA2A3F0588AEB3D0D24943C9DDC41772548014267F9660
File Size: 1.08 MB, 1079296 bytes
MD5: cc462a2346b607d76fc181837f4cfd0c
SHA1: 8877b190814b73710454ee14c4b24241c0beab7e
SHA256: B5AFB3910EEE2CB1DA817BCDA5EA8C73A8F5C5F0AAE61EABD02524A49DBB4E36
File Size: 1.39 MB, 1389344 bytes
MD5: 043eb60b88ec71d43c7539a0497fb351
SHA1: bf02e925aac9e164d94c0e25aa12f67b627d51b5
SHA256: EEA52CC1E972786E94A011FBD287E99622F189AEDCF94CEA292BCECB890C8844
File Size: 982.49 KB, 982486 bytes
MD5: 04f2ac72fbdea917bd95901cdc364ee8
SHA1: 2bc1695a60ae6690a1a5e83d2e3f649860d721ed
SHA256: 1D3AF25D615696CA08EDF63880692F7477D0D236077367F3C49B7C0D4442AEE9
File Size: 817.78 KB, 817778 bytes
MD5: 6974db43009ff0d659147636491fe435
SHA1: 072eba3f4da7b4120efbe3ca506f8fc96c5af181
SHA256: D031CAF10FFB1A28FBD0F38E6E4025FA6BEC317CEBBBC564D5DF05A0FC532D87
File Size: 1.18 MB, 1184076 bytes
MD5: 3e338b37703df2053690aa37e3bd34d5
SHA1: 0820ae46dba8bcb7efea65f13d4a3a6037ef180c
SHA256: 7D55729B69D39413AF178BC3DCC252104870A839962559400F6AEB905D688BF4
File Size: 493.06 KB, 493056 bytes
MD5: 3f36f0cddb177540c06a66649f73d081
SHA1: 5e33bd7d323750ed4687ee944883c48d58dd47ae
SHA256: 8AC5F9D96EEC0F6208DADEB1B701627A263CD6DD9C4F81B5FFE854E2C1BE1F76
File Size: 1.01 MB, 1009227 bytes
MD5: 84f143f08e2078cd3588b88dd4a126a0
SHA1: e7eedb70dc9facec95f9340827752f4b76dc04f5
SHA256: E649C785AD825F99CFB75DAD644DC75691E541ED328F57FCA5D9FF5FBA6604DB
File Size: 1.18 MB, 1183232 bytes
MD5: 917ba444ace6879b36060aba22a0052b
SHA1: 4fed427868d1bda5af6eaadb33b768778ff4dcdb
SHA256: DDB41EA89DA7FE7021CADA8773D1D4415FFE231FF8E48356ED355FDB482B1CDA
File Size: 799.82 KB, 799816 bytes
MD5: c0dc6d06a4e8cb156fe91a0e46a3bafa
SHA1: d0b34ea99b3749483fb2d42e64eb1d13b2086a95
SHA256: A82DC6C7419A58AA9762E8871E46D7C3C275A9B3183C8C8E676F88AC89E37CAF
File Size: 942.15 KB, 942152 bytes
MD5: c57dc5062e7708f82f6bf69b8ec84086
SHA1: 6e207097f21d17ef8ed426aa0e17c6b8aef08f6b
SHA256: 95D6B12EDFD918F62DC975D2904D6F4FD7837883CD245237DB0FB7B034D87FC6
File Size: 803.91 KB, 803912 bytes
MD5: c8a35a3fc52e0a5af900aa2fc127adb5
SHA1: b883f966944813a3684dfdeaecd1dab252b01675
SHA256: 1463E2C548713B126288A079D73D62E16DDCB5B408DE3A41EE6B3569C0D9125D
File Size: 1.21 MB, 1214054 bytes
MD5: 527a2753386c1c21686567fe729219a4
SHA1: 28e86cdaab924fcacf853b7b907a400c413bea75
SHA256: DDF4CAA5C76F79857783B426F9DD6298CE6E55F781113819FD7044DFF251F052
File Size: 1.37 MB, 1374720 bytes
MD5: 2ed769a5d98b1ed7817da1fb87758e90
SHA1: f0c337c2e0b844ae12f72cd8c96394bc39336ea5
SHA256: 46E82D5DD32B0F91256DFFDFD117C0DA95C7CC5B50724CFFED0DD7BD919E93DF
File Size: 811.15 KB, 811152 bytes
MD5: 6b0ee7bac2f6bd64bbacb64b0d93b181
SHA1: d87d10b1a4e3bf98a90d0127f36ac7ad61b97321
SHA256: 54D0CE7FD30274E4BB3D251A679109E3BCB2CB48B5AAA912A550E023B0CACF2C
File Size: 1.24 MB, 1237087 bytes
MD5: e09ba22d24755d0e96dbaab456e750d5
SHA1: 7b6be3042e6815808de7f9f816410a47bcb46076
SHA256: 389DF3D4BB7A4DBC525E141FD121D66CDD077E6789D8424E54A9369EAB080182
File Size: 1.38 MB, 1376768 bytes
MD5: f6bb87ebc9a09937250cdc0c237b30b1
SHA1: b41f8e1b7bbf6456471b321a0bbb81c76cf5938b
SHA256: DBAC415A1EE81E04D5108609DB4D677D658D359F6F6E4A7B59182D960CC57F27
File Size: 971.54 KB, 971544 bytes
MD5: 1a3c469428f13e5fb599adf1676172b6
SHA1: e02e87d61f34abf2505c23716751ea77a45ea5cd
SHA256: F441306EBD6B6BF05120CDDCE3DB2D3324E677439DE705F5DC9D60D73A6D5F62
File Size: 1.10 MB, 1102503 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have resources
  • File doesn't have security information
  • File has exports table
  • File has TLS information
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)


Windows PE Version Information

Name Value
Comments WinSparkle updates checking library (https://winsparkle.org).
Company Name
  • Microsoft
  • winsparkle.org
File Description
  • drfone_setup_full3367.exe
  • drfone_setup_full3452.exe
  • edrawmax_setup_full5371.exe
  • filmora-video-editor-(spanish-es)_setup_full2173.exe
  • iskysoft-data-recovery_setup_full3245.exe
  • keepvid-music_setup_full2323.exe
  • pdfelement-pro_setup_full5264.exe
  • pdfelement-pro_setup_full5476.exe
  • WinSparkle updater
  • wondershare-dr.fone-per-ios(italiano)_setup_full1580.exe
  • wondershare-filmora-(portuguese)_setup_full1083.exe
  • wondershare-recoverit-free_setup_full4286.exe
  • wondershare-recoverit-pro-(deutsch)-(cpc)_setup_full4194.exe
  • wondershare-repairit_setup_full5913.exe
  • Wondershare App Express
File Version
  • 2.1.7.4
  • 2.0.18.2
  • 2.0.15.2
  • 2.0.10.2
  • 2.0.9.2
  • 2.0.4.2
  • 1.2.2.2
  • 1.2.1.1
  • 1.00
  • 1,5,2,0
  • 0.5.1
Internal Name
  • TJprojMain
  • Win
  • WinSparkle
Legal Copyright
  • Copyright (C) 2009-2016 Vaclav Slavik
  • Copyright 2015 Wondershare Corporation
  • Copyright 2016 Wondershare Corporation
  • Copyright©2017 IskySoft. All rights reserved.
  • Copyright©2017 Wondershare. All rights reserved.
  • Copyright©2017 Wondershare. All rights reserved.
Original Filename
  • TJprojMain.exe
  • Win.exe
  • WinSparkle.dll
Product Name
  • drfone
  • EdrawMax
  • Filmora Video Editor (Spanish ES)
  • iSkysoft Data Recovery
  • KeepVid Music
  • PDFelement Pro
  • Project1
  • Win
  • WinSparkle
  • Wondershare App Express
  • Wondershare Dr.Fone per iOS(Italiano)
  • Wondershare Filmora (Portuguese)
  • Wondershare Recoverit Free
  • Wondershare Recoverit Pro (Deutsch) (CPC)
  • Wondershare Repairit
Product Version
  • 10.5.0
  • 9.6.4
  • 9.4.0
  • 8.5.5
  • 8.5.3
  • 8.3.2
  • 8.2.1
  • 8.0.4
  • 8.0.1
  • 7.0.3
  • 7.0.0
  • 5.0.0
  • 2.0.3
  • 1.2.2.2
  • 1.2.1.1
  • 1.00
  • 0.5.1

Digital Signatures

Signer | Root | Status
Wondershare software CO., LIMITED | Class 3 Public Primary Certification Authority | Hash Mismatch
Shenzhen Yi Xing Investment Co., Ltd. | DigiCert Assured ID Code Signing CA-1 | Hash Mismatch
Wondershare Technology Co.,Ltd | DigiCert Assured ID Code Signing CA-1 | Hash Mismatch
Shenzhen Yi Xing Investment Co., Ltd. | DigiCert SHA2 Assured ID Code Signing CA | Hash Mismatch
Wondershare Technology Co.,Ltd | DigiCert SHA2 Assured ID Code Signing CA | Hash Mismatch
Wondershare Technology Co.,Ltd | Symantec Class 3 SHA256 Code Signing CA | Hash Mismatch
Shenzhen Wondershare Information Technology Co., Ltd. | VeriSign Class 3 Code Signing 2010 CA | Self Signed
Wondershare Technology Co.,Ltd | VeriSign Class 3 Code Signing 2010 CA | Hash Mismatch
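Both the Windows Portable Executable Attributes list and the signature verdicts above come from header fields of the image (the attribute list aggregates several samples, which is why it contains both "File has exports table" and "File doesn't have exports table"). The following is an added example, not the report's or any vendor's code: it reads those fields with the Python standard library only, and computes the Authenticode image digest, i.e. the hash of the file with the CheckSum field, the Security data-directory entry and the certificate table left out. "Hash Mismatch" in the table means the digest carried inside the embedded signature does not equal this value for the file as it now is. The example does not parse the PKCS#7 blob or validate the chain; for that use `signtool verify` or `osslsigncode verify`. `build_minimal_pe` is a constructed image for the demonstration, not a sample from the report.

```python
import hashlib
import math
import struct
from collections import Counter

IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_DLL = 0x0002, 0x2000
SUBSYSTEM = {2: "IMAGE_SUBSYSTEM_WINDOWS_GUI", 3: "IMAGE_SUBSYSTEM_WINDOWS_CUI"}
DIRS = {"exports": 0, "resources": 2, "security": 4, "relocations": 5,
        "debug": 6, "tls": 9, "clr": 14}          # IMAGE_DIRECTORY_ENTRY_* indices

def _headers(data: bytes) -> dict:
    """Offsets of the COFF header, optional header, data directories and section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    return {"e_lfanew": e_lfanew, "opt": opt, "nsec": nsec, "chars": chars,
            "pe32plus": pe32plus, "dirs": opt + (112 if pe32plus else 96),
            "sections": opt + opt_size}

def data_directory(data: bytes, h: dict, index: int):
    """(rva, size) of one data-directory entry; (0, 0) when absent."""
    return struct.unpack_from("<II", data, h["dirs"] + 8 * index)

def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_attributes(data: bytes) -> dict:
    """The attribute set the report prints, read straight from the headers."""
    h = _headers(data)
    subsystem = struct.unpack_from("<H", data, h["opt"] + 68)[0]
    attrs = {"is_32bit": not h["pe32plus"],
             "is_dll": bool(h["chars"] & IMAGE_FILE_DLL),
             "is_executable_image": bool(h["chars"] & IMAGE_FILE_EXECUTABLE_IMAGE),
             "subsystem": SUBSYSTEM.get(subsystem, str(subsystem)),
             "has_rich_header": b"Rich" in data[0x40:h["e_lfanew"]],
             "entropy": round(shannon_entropy(data), 3)}
    for name, idx in DIRS.items():
        rva, size = data_directory(data, h, idx)
        attrs["has_" + name] = bool(rva and size)
    attrs["is_dotnet"] = attrs.pop("has_clr")     # CLR header present => .NET, else native
    return attrs

def authenticode_digest(data: bytes, algo: str = "sha256") -> str:
    """Image digest as Authenticode computes it: CheckSum, the Security directory
    entry and the certificate table are skipped, so signing leaves it unchanged."""
    h = _headers(data)
    checksum, secdir = h["opt"] + 64, h["dirs"] + 8 * DIRS["security"]
    size_of_headers = struct.unpack_from("<I", data, h["opt"] + 60)[0]
    cert_size = data_directory(data, h, DIRS["security"])[1]
    md = hashlib.new(algo)
    md.update(data[:checksum])
    md.update(data[checksum + 4:secdir])
    md.update(data[secdir + 8:size_of_headers])
    hashed = size_of_headers
    secs = []
    for i in range(h["nsec"]):
        raw_size, raw_ptr = struct.unpack_from("<II", data, h["sections"] + 40 * i + 16)
        if raw_size:
            secs.append((raw_ptr, raw_size))
    for ptr, size in sorted(secs):                # sections in file order
        md.update(data[ptr:ptr + size])
        hashed += size
    extra = len(data) - hashed - cert_size        # trailing bytes, minus the cert table
    if extra > 0:
        md.update(data[hashed:hashed + extra])
    return md.hexdigest()

def build_minimal_pe(body: bytes = b"", checksum: int = 0, dll: bool = False,
                     tls: bool = False, cert: bytes = b"") -> bytes:
    """Constructed one-section PE32 for the demonstration: parseable, not loadable."""
    e_lfanew, size_of_headers = 0x80, 0x200
    raw_size = (len(body) + 511) // 512 * 512
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | 0x0100 | (IMAGE_FILE_DLL if dll else 0)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, chars)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<IIH", opt, 60, size_of_headers, checksum, 2)    # SizeOfHeaders, CheckSum, GUI
    struct.pack_into("<I", opt, 92, 16)                                # NumberOfRvaAndSizes
    if tls:
        struct.pack_into("<II", opt, 96 + 8 * DIRS["tls"], 0x1000, 24)
    if cert:
        struct.pack_into("<II", opt, 96 + 8 * DIRS["security"], size_of_headers + raw_size, len(cert))
    section = (b".text\0\0\0" + struct.pack("<IIII", len(body), 0x1000, raw_size, size_of_headers)
               + b"\0" * 12 + struct.pack("<I", 0x60000020))
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + section).ljust(size_of_headers, b"\0")
    return headers + body.ljust(raw_size, b"\0") + cert

if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe(b"\x90" * 64, tls=True)
    print({**pe_attributes(image), "authenticode_sha256": authenticode_digest(image)})
```

Run with a path to dump the attributes of a real image; with no argument it parses the constructed one. A memory dump of a PE, or a file patched after signing, keeps the certificate table but no longer hashes to the digest the signer sealed, which is exactly the state the table above reports.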

File Traits

  • dll
  • HighEntropy
  • Installer Version
  • x86

Block Information

Total Blocks: 2,262
Potentially Malicious Blocks: 15
Whitelisted Blocks: 1,928
Unknown Blocks: 319

Visual Map

? 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 ? 1 ? ? ? ? ? ? ? ? ? 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 ? ? ? ? ? ? ? ? 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? ? ? ? 0 ? ? ? ? 0 ? 2 ? ? ? 1 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 0 0 ? 0 ? ? 0 ? ? 0 ? ? 0 0 0 0 ? 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 ? 0 0 1 ? 0 0 0 0 0 0 0 ? 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 0 0 0 ? 1 ? ? ? ? ? 0 0 0 ? ? 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 ? ? 0 0 0 ? 0 ? ? 0 0 0 0 ? ? 0 0 ? 0 ? ? ? ? x 0 0 0 0 0 0 0 0 0 ? ? 0 ? 0 ? ? ? ? 0 ? ? ? ? ? 0 0 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 0 0 1 0 0 0 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 ? 1 ? ? ? ? ? ? 0 ? ? ? ? ? ? ? 0 ? ? 0 ? ? x 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 1 0 0 0 x 0 1 ? ? ? ? ? ? ? 0 ? ? ? ? ? ? ? ? ? ? ? ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? ? ? ? ? ? ? 0 ? ? ? x ? ? ? ? ? 0 0 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 0 0 0 0 0 0 0 0 ? ? 0 ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? 0 0 0 0 0 0 0 0 0 0 0 x ? 1 ? 0 0 0 ? ? ? ? ? ? ? ? ? ? ? 0 ? 0 ? x ? ? ? ? ? ? ? ? ? 0 0 0 ? ? ? ? ? ? ? ? ? ? 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 x 0 0 0 ? ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x 0 0 0 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? ? 
0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 2 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 2 1 1 1 1 0 0 0 0 0 0 1 0 1 1 0 0 0 0 2 2 0 0 1 0 0 0 0 0 0 1 0 0 1 0 0 0 1 1 0 0 1 0 0 0 2 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 1 0 0 2 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 1 0 0 1 0 0 1 0 0 0 0 0 0 1 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 1 0 0 1 0 0 0 0 0 0 0 1 0 0 0 1 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 1 0 0 0 0 0 0 0 0 0 1 1 1 3 1 0 0 0 1 1 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 2 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 2 3 0 0 0 0 0 
0 0 0 0 0 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 1 0 0 2 2 0 0 0 0 0 0 0 0 0
... Data truncated
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Rugmi.AB
  • Rugmi.GI

Files Modified

File Attributes
\device\harddisk0\dr0 Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\gmdasllogger Generic Write,Read Attributes
c:\users\public\documents\keepvid\nfwchk.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\public\documents\wondershare\nfwchk.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\wswae.log Generic Write,Read Attributes
c:\users\user\appdata\local\temp\wswae.log.2025-08-15 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2025-08-16 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2025-08-17 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2025-08-17.1 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2025-08-17.2 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2025-08-18 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2025-08-18.1 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2025-08-18.2 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2025-08-18.3 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2025-08-18.4 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2025-08-26 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2025-08-28 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2025-09-01 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2025-09-02 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2025-09-02.1 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2025-09-24 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2025-09-24.1 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2025-09-24.2 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2025-09-25 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2025-09-25.1 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2025-09-25.2 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2025-09-25.3 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2025-09-25.4 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2025-09-25.5 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2025-09-26 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2025-10-06 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2025-10-07 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2025-10-15 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2025-10-25 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2026-04-11 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2026-04-12 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2026-04-15 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2026-04-15.1 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2026-04-15.2 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2026-04-15.3 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2026-04-16 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2026-04-16.1 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2026-04-16.2 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2026-04-16.3 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2026-04-27 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2026-04-27.1 Synchronize,Write Data
c:\users\user\appdata\local\temp\wswae.log.2026-04-29 Synchronize,Write Data
c:\users\user\downloads\28e86cdaab924fcacf853b7b907a400c413bea75_0001374720.dmp Generic Read,Generic Execute,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 786496
c:\users\user\downloads\5e33bd7d323750ed4687ee944883c48d58dd47ae_0001009227.dmp Generic Read,Generic Execute,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 786496
c:\users\user\downloads\bf02e925aac9e164d94c0e25aa12f67b627d51b5_0000982486.dmp Generic Read,Generic Execute,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 786496
c:\users\user\downloads\e02e87d61f34abf2505c23716751ea77a45ea5cd_0001102503.dmp Generic Read,Generic Execute,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 786496
c:\users\user\downloads\e7eedb70dc9facec95f9340827752f4b76dc04f5_0001183232.dmp Generic Read,Generic Execute,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 786496

Registry Modifications

Key::Value Data API Name
HKLM\software\wow6432node\wafcx:: (NULL) RegNtPreCreateKey
HKLM\software\wow6432node\wafcx::5371 (NULL) RegNtPreCreateKey
HKLM\software\wow6432node\edrawsoft\edrawsoft helper compact::clientsign {BE6CF229-0000-0000-0000-0F030F040A0C} RegNtPreCreateKey
HKLM\software\wow6432node\edrawsoft\waf::clientsign {BE6CF229-0000-0000-0000-0F030F040A0C} RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\content::cacheprefix RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\cookies::cacheprefix Cookie: RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\history::cacheprefix Visited: RegNtPreCreateKey
HKLM\software\wow6432node\edrawsoft\edrawsoft helper compact::clientsign {BE6CF229-0000-0000-0000-0F030F040A0C} RegNtPreCreateKey
HKLM\software\wow6432node\edrawsoft\waf::clientsign {BE6CF229-0000-0000-0000-0F030F040A0C} RegNtPreCreateKey
HKCU\software\microsoft\internet explorer\gpu::adapterinfo vendorId="0x1414",deviceID="0x8c",subSysID="0x0",revision="0x0",version="10.0.19041.3570"hypervisor="Hypervisor detected (Micros RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\wondershare helper compact::clientsign {BE6CF229-0000-0000-0000-02040A060B0C} RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\waf::clientsign {BE6CF229-0000-0000-0000-02040A060B0C} RegNtPreCreateKey
HKLM\software\wow6432node\wafcx:: sku-weit RegNtPreCreateKey
HKLM\software\wow6432node\wafcx::1580 sku-weit RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\wondershare helper compact::clientsign {F32D16D1-772A-4042-B95D-D3A8159E9590} RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\waf::clientsign {F32D16D1-772A-4042-B95D-D3A8159E9590} RegNtPreCreateKey
HKLM\software\wow6432node\wafcx:: sku-ppc RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\.netframework::noguifromshim  RegNtPreCreateKey
HKLM\software\wow6432node\wafcx:: sku-wees RegNtPreCreateKey
HKLM\software\wow6432node\wafcx::3245 sku-wees RegNtPreCreateKey
HKLM\software\wow6432node\iskysoft\iskysoft helper compact::clientsign {BE6CF229-0000-0000-0000-050C06080206} RegNtPreCreateKey
HKLM\software\wow6432node\iskysoft\waf::clientsign {BE6CF229-0000-0000-0000-050C06080206} RegNtPreCreateKey
HKLM\software\wow6432node\wafcx:: sku-ween RegNtPreCreateKey
HKLM\software\wow6432node\wafcx::3367 sku-ween RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\wondershare helper compact::clientsign {BE6CF229-0000-0000-0000-070A0D0D0301} RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\waf::clientsign {BE6CF229-0000-0000-0000-070A0D0D0301} RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\wondershare helper compact::clientsign {57DEB8BA-7B4C-4fc1-9D83-7232016C69F5} RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\waf::clientsign {57DEB8BA-7B4C-4fc1-9D83-7232016C69F5} RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe (binary data, not printable) RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\wondershare helper compact::clientsign {CD91B08C-47BA-4dc0-91E7-F25CE80E6CC7} RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\waf::clientsign {CD91B08C-47BA-4dc0-91E7-F25CE80E6CC7} RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\wondershare helper compact::clientsign {AF96C1AB-0EE6-47fc-AC39-AB1D39DFCC40} RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\waf::clientsign {AF96C1AB-0EE6-47fc-AC39-AB1D39DFCC40} RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe (binary data, not printable) RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\wondershare helper compact::clientsign {6FCF5292-C429-4757-8B90-42E5CB7EB9AA} RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\waf::clientsign {6FCF5292-C429-4757-8B90-42E5CB7EB9AA} RegNtPreCreateKey
HKLM\software\wow6432node\wafcx::1083 (NULL) RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\wondershare helper compact::clientsign {BE6CF229-0000-0000-0000-03070F000103} RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\waf::clientsign {BE6CF229-0000-0000-0000-03070F000103} RegNtPreCreateKey
HKLM\software\wow6432node\keepvid\keepvid helper compact::clientsign {BE6CF229-0000-0000-0000-0F090F0D0E0F} RegNtPreCreateKey
HKLM\software\wow6432node\keepvid\waf::clientsign {BE6CF229-0000-0000-0000-0F090F0D0E0F} RegNtPreCreateKey
HKLM\software\wow6432node\wafcx:: sku-ppcde RegNtPreCreateKey
HKLM\software\wow6432node\wafcx::4194 sku-ppcde RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\wondershare helper compact::clientsign {BE6CF229-0000-0000-0000-0B0F060B010E} RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\waf::clientsign {BE6CF229-0000-0000-0000-0B0F060B010E} RegNtPreCreateKey
HKLM\software\wow6432node\wafcx::5476 sku-ppc RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\wondershare helper compact::clientsign {BE6CF229-0000-0000-0000-0F040A0C0809} RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\waf::clientsign {BE6CF229-0000-0000-0000-0F040A0C0809} RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\wondershare helper compact::clientsign {33121D9E-DD8A-491b-9C51-51F300FE83B2} RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\waf::clientsign {33121D9E-DD8A-491b-9C51-51F300FE83B2} RegNtPreCreateKey
HKLM\software\wow6432node\wafcx::3452 sku-weit RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\wondershare helper compact::clientsign {BE6CF229-0000-0000-0000-090C0E0B090E} RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\waf::clientsign {BE6CF229-0000-0000-0000-090C0E0B090E} RegNtPreCreateKey
HKLM\software\wow6432node\wafcx::2173 (NULL) RegNtPreCreateKey
HKLM\software\wow6432node\iskysoft\iskysoft helper compact::clientsign {BE6CF229-0000-0000-0000-050102040C0F} RegNtPreCreateKey
HKLM\software\wow6432node\iskysoft\waf::clientsign {BE6CF229-0000-0000-0000-050102040C0F} RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\wondershare helper compact::clientsign {C7210BF0-D80B-4f37-99AE-48351666ACFC} RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\waf::clientsign {C7210BF0-D80B-4f37-99AE-48351666ACFC} RegNtPreCreateKey
HKLM\software\wow6432node\wafcx:: sku-ppc-s RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\wondershare helper compact::clientsign {E3A89961-0666-4598-8CAD-69F8DB2A045D} RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\waf::clientsign {E3A89961-0666-4598-8CAD-69F8DB2A045D} RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\wondershare helper compact::clientsign {641EC7A6-105C-4a0d-B4AA-07EBE4D12DE1} RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\waf::clientsign {641EC7A6-105C-4a0d-B4AA-07EBE4D12DE1} RegNtPreCreateKey
HKLM\software\wow6432node\wafcx:: sku-wejp RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\wondershare helper compact::clientsign {BE6CF229-0000-0000-0000-0E0008070B0A} RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\waf::clientsign {BE6CF229-0000-0000-0000-0E0008070B0A} RegNtPreCreateKey
HKLM\software\wow6432node\wafcx:: sku-wefr RegNtPreCreateKey
HKLM\software\wow6432node\wafcx::4286 sku-wefr RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\wondershare helper compact::clientsign {BE6CF229-0000-0000-0000-08070C060D08} RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\waf::clientsign {BE6CF229-0000-0000-0000-08070C060D08} RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\wondershare helper compact::clientsign {A5573D17-C2BE-4159-9A33-A70CCD13B9D3} RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\waf::clientsign {A5573D17-C2BE-4159-9A33-A70CCD13B9D3} RegNtPreCreateKey
HKLM\software\wow6432node\wafcx::5264 (NULL) RegNtPreCreateKey
HKLM\software\wow6432node\iskysoft\iskysoft helper compact::clientsign {BE6CF229-0000-0000-0000-0F0D030C0306} RegNtPreCreateKey
HKLM\software\wow6432node\iskysoft\waf::clientsign {BE6CF229-0000-0000-0000-0F0D030C0306} RegNtPreCreateKey
HKLM\software\wow6432node\wafcx:: sku-ween-ween RegNtPreCreateKey
HKLM\software\wow6432node\wafcx::5913 sku-ween-ween RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\wondershare helper compact::clientsign {BE6CF229-0000-0000-0000-030608010E0C} RegNtPreCreateKey
HKLM\software\wow6432node\wondershare\waf::clientsign {BE6CF229-0000-0000-0000-030608010E0C} RegNtPreCreateKey

Windows API Usage

Category API
Network Info Queried
  • GetAdaptersAddresses
Network Winsock2
  • WSAStartup
Network Winsock
  • connect
  • gethostbyname
  • send
  • socket
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ReadProcessMemory
Process Shell Execute
  • CreateProcess
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
User Data Access
  • GetUserObjectInformation
Syscall Use
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFlushProcessWriteBuffers
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtGetCurrentProcessorNumber
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryFullAttributesFile
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtYieldExecution
  • UNKNOWN
Encryption Used
  • CryptAcquireContext
Process Terminate
  • TerminateProcess
Other Suspicious
  • AdjustTokenPrivileges
  • SetWindowsHookEx

Shell Command Execution

C:\Users\Public\Documents\Wondershare\NFWCHK.exe
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\0820ae46dba8bcb7efea65f13d4a3a6037ef180c_0000493056.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\7b6be3042e6815808de7f9f816410a47bcb46076_0001376768.,LiQMAxHB
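The two rundll32 lines above call an export (LiQMAxHB) from a file in the user's Downloads folder that has no library extension, and the Files Modified section records an executable dropped under C:\Users\Public\Documents and write access to \device\harddisk0\dr0. The module names in those command lines are the sandbox's hash_size naming of the submitted samples (0820ae46... and 7b6be304... are SHA-1 values from the Known Samples table), so a rule should key on path and extension rather than on the name. The following is an added example, not the report's or any vendor's code: a triage routine run over constructed Sysmon-style events that flags exactly those traits.

```python
import ntpath
import re

# Constructed events in a Sysmon-like shape; not taken from the report's sandbox.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "Image": r"C:\WINDOWS\SysWOW64\rundll32.exe",
     "CommandLine": r"C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\0820ae46dba8bcb7efea65f13d4a3a6037ef180c_0000493056.,LiQMAxHB"},
    {"event": "ProcessCreate", "Image": r"C:\WINDOWS\system32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"event": "FileCreate", "TargetFilename": r"c:\users\public\documents\wondershare\nfwchk.exe"},
    {"event": "FileCreate", "TargetFilename": r"c:\users\user\appdata\local\temp\wswae.log"},
    {"event": "FileCreate", "TargetFilename": r"\device\harddisk0\dr0"},
]

USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
DLL_EXTENSIONS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}
# rundll32 syntax: <rundll32[.exe]> <module>,<entrypoint> [args]; module may be quoted
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<module>[^",]+?)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE)

def assess_rundll32(cmdline: str):
    """None if this is not a rundll32 launch; otherwise module, export and reasons to look closer."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    module, export = m.group("module"), m.group("export")
    low = module.lower()
    reasons = []
    if any(seg in low for seg in USER_WRITABLE):
        reasons.append("module loaded from a user-writable path")
    ext = ntpath.splitext(low)[1]          # a trailing '.' yields ext '.', which is not a library
    if ext not in DLL_EXTENSIONS:
        reasons.append(f"module extension {ext!r} is not a library extension")
    return {"module": module, "export": export, "reasons": reasons}

def assess_file_create(path: str):
    """Reasons a file-create/open target is worth a look; [] when unremarkable."""
    low = path.lower()
    reasons = []
    if low.startswith("\\device\\harddisk") or low.startswith("\\\\.\\physicaldrive"):
        reasons.append("raw physical-disk device opened")
    if "\\users\\public\\" in low and low.endswith((".exe", ".dll", ".scr")):
        reasons.append("executable written under Users\\Public")
    return reasons

def triage(events):
    """Run both checks over an event stream; return only (event, reasons) hits."""
    hits = []
    for ev in events:
        if ev["event"] == "ProcessCreate":
            r = assess_rundll32(ev.get("CommandLine", ""))
            reasons = r["reasons"] if r else []
        elif ev["event"] == "FileCreate":
            reasons = assess_file_create(ev["TargetFilename"])
        else:
            reasons = []
        if reasons:
            hits.append((ev, reasons))
    return hits

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(ev.get("CommandLine") or ev.get("TargetFilename"), "->", "; ".join(reasons))
```

The export name is carried through for the analyst rather than scored: a random-looking entry point is a useful hint on inspection, but a heuristic on the name alone would both miss renamed exports and flag legitimate obfuscated vendors.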
