
Trojan.Rugmi.O

By CagedTech in Trojans

Threat Scorecard

Popularity Rank: 1,944
Threat Level: 80 % (High)
Infected Computers: 5,201
First Seen: February 17, 2024
Last Seen: April 22, 2026
OS(es) Affected: Windows

Analysis Report

General information

Family Name: Trojan.Rugmi.O
Signature status: Hash Mismatch

Known Samples

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have resources
  • File doesn't have security information
  • File has exports table
  • File has TLS information
  • File is 32-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Bin Type: 32
Build Date: 2010/09/27-13:37:26
Build ID: 10630
Build Type: Release
Build Version: 63.442452
Built With: B I B 1.2.02
Company Name
  • Adobe Systems Incorporated
  • Borland Corporation
  • DivX, LLC
  • Elaborate Bytes AG
  • Embarcadero Technologies, Inc.
  • Flexera
  • iTop Inc.
  • Macrospore
  • Microsoft Corporation
  • Neil Hodgson neilh@scintilla.org
  • Picotee
  • VMware, Inc.
  • wyDay
File Description
  • Activation Licensing Service Installer
  • AXE Shared EXPAT (UTF-8 native)
  • Borland C++ Multi-thread RTL (WIN/VCL MT)
  • CodeGear Component Package
  • Czarevitch
  • DivX Download Manager
  • IDCRL Dynamic Link Library
  • Microsoft Visual Studio Solution File Extension Handler
  • Product Statistics
  • Scintilla.DLL - a Source Editing Component
  • SDL
  • TurboActivate
  • Twoup
  • VirtualCloneDrive
  • VMware base library
File Version
  • 17.0.32708.82 built by: D17.3
  • 16.1.0 build-17198959
  • 12.0.3210.17555
  • 11.16.6.0 build 260203
  • 5, 5, 2, 0
  • 4.100.313.1
  • 4.4.4.0
  • 3.8.11.25
  • 3.6.102.10630
  • 3.1.4.0
  • 3.0.8.0
  • 3.0.0.6394
  • 2.22
  • 2, 28, 5, 0
  • 1.2.0.195
  • 0.0.0.0 (informal build)
Internal Name
  • AXE8SharedExpat
  • burn
  • DivX Download Manager
  • FlexNet Publisher (32 bit)
  • IDCRL
  • RTL120
  • Run Time Library
  • Scintilla
  • SDL
  • sqlite3.dll
  • TurboActivate
  • VirtualCloneDrive
  • vmwarebase
  • VSFileHandler
Legal Copyright
  • Copyright (c) 2006-2019, Flexera. All Rights Reserved.
  • Copyright (C) 2018
  • Copyright (C) 2023 Sam Lantinga
  • Copyright (c) Macrospore. All rights reserved.
  • Copyright (c) Picotee. All rights reserved.
  • Copyright 1998-2010 by Neil Hodgson
  • Copyright Borland Corporation 1994,2002
  • Copyright © 1995-2006 Microsoft Corporation.
  • Copyright © 1997-2008 Embarcadero Technologies, Inc.
  • Copyright © 1998-2020 VMware, Inc.
  • Copyright © 2002 - 2015 Elaborate Bytes AG
  • Copyright © 2005-2021 wyDay
  • © 2000-2011 DivX, LLC.
  • © 2003-2010 Adobe Systems Incorporated
  • © iTop Inc. All rights reserved.
  • © Microsoft Corporation. All rights reserved.
Legal Trademarks
  • CloneDrive is a trademark of Elaborate Bytes AG
  • iTop Inc.
  • Microsoft® is a registered trademark of Microsoft Corporation.
Original Filename
  • AXE8SharedExpat.dll
  • DivXDownloadManager.dll
  • ElbyVCD.dll
  • FlexNet Publisher (32 bit)
  • magneton.exe
  • msidcrl.dll
  • oblique.exe
  • ProductStatistics3.dll
  • RTL120.BPL
  • Scintilla.DLL
  • SDL2.dll
  • sqlite3.dll
  • TurboActivate.dll
  • vmwarebase.dll
  • VSFileHandler.DLL
Private Build No
Product Name
  • AXE8SharedExpat 2010/09/27-13:37:26
  • Borland C++ Builder 6.0
  • Borland Package Library
  • Czarevitch
  • DivX Download Manager
  • Elaborate Bytes VirtualCloneDrive
  • FlexNet Publisher (32 bit)
  • Microsoft® Identity CRL
  • Microsoft® Visual Studio®
  • Product Statistics
  • Scintilla
  • Simple DirectMedia Layer
  • TurboActivate
  • Twoup
  • VMware Workstation
Product Version
  • 63.442452
  • 17.0.32708.82
  • 16.1.0 build-17198959
  • 12.0
  • 11.16.6.0 build 260203
  • 6.0
  • 5, 5, 2, 0
  • 4.100.313.1
  • 4.4.4.0
  • 3.8.1.1
  • 3.1.4.0
  • 3.0.8.0
  • 3.0
  • 2.22
  • 2, 28, 5, 0
  • 1.2.0.195
Special Build No

Digital Signatures

Signer: wyDay, LLC | Root: COMODO RSA Extended Validation Code Signing CA | Status: Hash Mismatch
Signer: Open Source Developer, Martijn Laan | Root: Certum Code Signing CA SHA2 | Status: Hash Mismatch
Signer: VMware, Inc. | Root: DigiCert Assured ID Root CA | Status: Hash Mismatch
Signer: ORANGE VIEW LIMITED | Root: DigiCert High Assurance EV Root CA | Status: Hash Mismatch
Signer: ASUSTeK Computer Inc. | Root: DigiCert SHA2 High Assurance Code Signing CA | Status: Hash Mismatch
Signer: Chengdu XiaoShanHu Information Technology Co.,Ltd. | Root: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | Status: Hash Mismatch
Signer: Elaborate Bytes AG | Root: GlobalSign Root CA | Status: Hash Mismatch
Signer: Microsoft Corporation | Root: Microsoft Root Authority | Status: Hash Mismatch
Signer: Flexera Software LLC | Root: Symantec Class 3 SHA256 Code Signing CA | Status: Hash Mismatch
Signer: VMware, Inc. | Root: VeriSign Class 3 Public Primary Certification Authority - G5 | Status: Hash Mismatch

File Traits

  • 2+ executable sections
  • big overlay
  • CryptUnprotectData
  • dll
  • HighEntropy
  • imgui
  • Installer Manifest
  • Installer Version
  • ntdll
  • VirtualQueryEx
  • x86

Block Information

Total Blocks: 3,962
Potentially Malicious Blocks: 52
Whitelisted Blocks: 3,910
Unknown Blocks: 0

Visual Map


Similar Families

  • 1stBrowser.A
  • Agent.EQA
  • Agent.KKC
  • Bobik.F
  • Farfli.LD
  • MoFinder.A
  • OpenSUpdater.HB
  • Rugmi.DA
  • Rugmi.FA
  • Rugmi.FD
  • Rugmi.FI
  • Rugmi.GI
  • Rugmi.JD
  • Rugmi.JG
  • Rugmi.O
  • Rugmi.OA
  • Rugmi.OI
  • Rugmi.ON
  • Rugmi.RC
  • Rugmi.TB
  • Rugmi.Y
  • Rugmi.YA
  • Shopper.A
  • Stealer.IC
  • Stealer.KF
  • Trojan.Downloader.Gen.GR
  • Vidar.F
  • Vidar.FA

Files Modified

File: c:\users\user\appdata\locallow\boost_interprocess\ddm0servicecmdlock | Attributes: Generic Read, Write Data, Write Attributes, Write extended, Append data
File: c:\users\user\appdata\locallow\boost_interprocess\ddm0servicecmdlock | Attributes: Generic Write, Read Attributes
File: c:\users\user\appdata\locallow\boost_interprocess\ddm0servicecmdserializelock | Attributes: Generic Read, Write Data, Write Attributes, Write extended, Append data
File: c:\users\user\appdata\locallow\boost_interprocess\ddm0servicecmdserializelock | Attributes: Generic Write, Read Attributes
File: c:\users\user\appdata\locallow\boost_interprocess\ddm0servicecmdshared | Attributes: Generic Read, Write Data, Write Attributes, Write extended, Append data
File: c:\users\user\appdata\locallow\boost_interprocess\ddm0servicelock | Attributes: Generic Read, Write Data, Write Attributes, Write extended, Append data
File: c:\users\user\appdata\locallow\boost_interprocess\ddm0servicelock | Attributes: Generic Write, Read Attributes

Windows API Usage

Category API
Syscall Use
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtClose
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • win32u.dll!NtUserGetKeyboardLayout
  • win32u.dll!NtUserGetThreadState
Process Shell Execute
  • CreateProcess
Anti Debug
  • NtQuerySystemInformation
Process Manipulation Evasion
  • NtUnmapViewOfSection

Shell Command Execution

C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\567f86a86549b5e175b68caf357e063699e423fe_0000230912.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\5268ddba619bb189421c5a612265ed8b94fb80bc_0000290592.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\bf60a592538ee416676c68d1e86664d1d3a48018_0001095168.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\ec497bbb238c58889b9bd895e36356ce860f3dd9_0001500160.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\ff25d373e0c01109b7facdb307fe98f0566d721f_0002278912.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\0ad639c23251f215abded53ca987cab3ea299b9a_0006494936.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\7fac9e90ebbe2034d01c01df9f3155b652caa1bd_0002232744.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\43bd6e40425250d232f6ee10779d6a5140e193aa_0000168960.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\0e15df7e6b4d3a67949f70d7a7e6b06e1de04412_0002278912.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\0efba9e0df192e09829a3057a0ee94aaf511a9b4_0001123424.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\cff38b78cd35f04bd67e3c173fc3311e73fb4486_0000810320.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\6d7c2178736d021a1050496c3b4bda62b15dc9a1_0003371856.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\ff953d4047b589f817127e56f7f67e0157cbce43_0003610490.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\5894cedc872a2495db48fddcb9c23e163b326103_0000335872.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\725ced09a83c71b9f423791bab1241aa0b924725_0000903680.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\823af3de967fe7a5e98829ca3fcf1ea478741d7c_0000134040.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\b04d1ee5030b575aa3338f988441b1b3ef232c70_0001113288.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\958899133d0c097d0c8c58212ec793a6beb1c4d0_0000135182.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\e983f84095db26035c675c12d063e7009bbfcc66_0003371856.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\0b1135605c313f07d15e9bd922b3f579f2320c87_0001319560.,LiQMAxHB
