
Worm.Ramnit

By CagedTech in Worms

Threat Scorecard

Threat Level: 50 % (Medium)
Infected Computers: 65
First Seen: November 12, 2010
Last Seen: April 28, 2022
OS(es) Affected: Windows

File System Details

Worm.Ramnit may create the following file(s):
# File Name MD5 Detections
1. $R1PTAK7.exe ce99b549382dbfc4f41efe99b5dbcd54 29
2. rundll32srv.exe e79f2388f25b81d3544c861fb99acd23 2
3. desktoplayer.exe fbf3d2e793ee27f19e15b791ee867c62 1

Analysis Report

General information

Family Name: Virus.Ramnit
Signature status: No Signature

Known Samples

MD5: f305e5a2ff175bf983884368839116fa
SHA1: e36ec4af9138c68e6476550bbbec5d48ab1aed62
File Size: 3.35 MB, 3348992 bytes
MD5: 742e7d98a7f49e08628df00aef522641
SHA1: d8231479b45354fd1fb2493a3191c9cde37eeb1e
File Size: 94.72 KB, 94720 bytes
MD5: bb5f75fdde57f5829a402e184bfaf5c9
SHA1: cbb3468b047cdd428e973f39d04907c6e6cd22d6
SHA256: CC7CBFE42D5D1D8AB5F677BAEEB2E70B672B06A01D78FB0D76F2147B879202B4
File Size: 908.80 KB, 908800 bytes
MD5: c5bf3a8e7d5d659dd863af243f8e0028
SHA1: 563ec51c5d0eb06f04296b4ffd97de6968c8a286
SHA256: DB2FF4A37B3B5BC0B0B916B53D4CC74489A24D8F356D738307D4669005472003
File Size: 128.51 KB, 128512 bytes
MD5: bbd7303565715bd5a70aca166e5d1008
SHA1: 85274b3a3f2b4c1dd9bd08d3e525c264554f9df0
SHA256: 29B80D0D1B16D71BDE0BCBF992CB9E8841B7C14B6AA523B4E39521F74D2C470D
File Size: 8.91 MB, 8906131 bytes
MD5: 23f4ea05999cef1b072cd29d3f7b2985
SHA1: c2c1196513d90e862de8c658349e197ed55ba71f
SHA256: 0F0064777BF29B845B22816D96A73D34E5E565E463E2676AA279D33F305787C7
File Size: 419.84 KB, 419840 bytes
MD5: 15fad0087fa950670d11ad23ea286c5f
SHA1: caba7f5c2d46d5b1a6f3cbb3e1c10e9bae7ef8b1
SHA256: 7B6386448B0DE1196DBDBB9C1444458302D4B5654AE96D99303D1FABBF2457A2
File Size: 3.55 MB, 3547136 bytes
MD5: 47774d335319a79a5062f8f8105c13ab
SHA1: e2d5b432e6634e84c289534ff0e529dbac5e06a4
SHA256: 4F239DC9D2F5AA842B3D24DE939A17D64F09B71084A68E3D3E3B7A630DF152B6
File Size: 167.94 KB, 167936 bytes
MD5: 1a6da5e5f2c5a31c016f965f5d4a3646
SHA1: 50623038165328fa063e5792efc036cd043c8061
SHA256: 61BC845F599F5BB0A6636AB8FA8C41FE68BA4104AA79325715834DD9DB2F881D
File Size: 2.40 MB, 2400104 bytes
MD5: ed7083abd0308bc8fe598094d34692c1
SHA1: 00c8ff728d2290e9378a6d61bdabb4f134abb087
SHA256: C377AF25CD6FF1EDD2191F3E54EE3A15F87B8BB3F9FC7E20DDD1C4F5D7B43443
File Size: 2.38 MB, 2380631 bytes
MD5: a54cc533634f5c11a5482dcd111afd49
SHA1: 94d05772a2f011cc9376ed5886b0d4ff04bd57c0
SHA256: 8D6CF93E7082F1B3B1739FC584131B96058B537BB66D03C58BCBF1C5C6A52610
File Size: 6.58 MB, 6578176 bytes
MD5: 833ecba7a10684d834f651affc86ae67
SHA1: 4981f7ff076e61f1f04c4bb2e5754333721dc154
SHA256: 4492762BD38EA5399E5FA4C7EB232996A41EC6D0BD51A5A189515E5B45F140A8
File Size: 2.21 MB, 2211328 bytes
MD5: cf99fdafe133a55641aca8ccd84b3b8b
SHA1: 82927e5a6116fd826eb80d14a29cd0b81a24f8f5
SHA256: 5133802B8898F9F05F28DE8D3A687CF9D2440F6FF0B45B5413DB7ACD2C8427D7
File Size: 507.90 KB, 507904 bytes
MD5: 65cdbdce1c3d5127bef9a1b76db1c9ce
SHA1: 6f0b8eb4a3b208e18fe80cfea801406ba09d6f86
SHA256: 655B1B7104BE2A6474F8B035B8C2804796051B8255094ADD1D21C731C5D2DD0A
File Size: 6.65 MB, 6646146 bytes
MD5: eb3f0c1fd02bad98f8c1e6fac3c2cf06
SHA1: b4f9b5f5d10744c2cc4418daea0885614e5246a5
SHA256: 3F604CEEC7912FF7D4177350521F6CD7ABB72999700A563E53E36058A14C21AA
File Size: 204.29 KB, 204288 bytes
MD5: fed5d78d09ccc6dfef0965e352c8fb87
SHA1: 73cbac9348e66b9881912a82b48178131a06cb28
SHA256: 7D8CB5D83618BF90E696025FEDE551865132ABA29C5666D98B8D8D281881BF33
File Size: 116.69 KB, 116689 bytes
MD5: c11735a786f558287256e4488fc7ddb7
SHA1: 11b0c2802991ebb46efbc0fa38f002f010b8abe4
SHA256: 3E68B574C950C29D66F7080AD67007C837EF5EA973630952F037451097BD4288
File Size: 172.03 KB, 172032 bytes
MD5: 853a028b6dbde866cf1e4bf73b6e5888
SHA1: 670295249f654afb56088f156c2ff018c4adb477
SHA256: D2C0BC26A6424794A9226BEC1D5C92221F5969920214B3281A85D5F08D01AC61
File Size: 222.62 KB, 222622 bytes
MD5: 108e6cd477cfa8ab662c489f608446a8
SHA1: 6f0665a8446c6578b3c613e63609e26bb8797707
SHA256: D47C8E39AA6DC3E835CB15DD609EB714B9A9A7E9A99672CA7056626142D76CC0
File Size: 8.53 MB, 8533342 bytes
MD5: 9bb2a2fa7924ba685ef3c7228e3c80ad
SHA1: ee3cea661b3b62bab75d4ee3c319cb18b0fb8c42
SHA256: C4CB1C0093244F9D2DE23CC7584D339C5BB7858B9294E68EBA44D35F42D19C74
File Size: 5.32 MB, 5323092 bytes
MD5: 04b83d7141e9be12ab6f4780579e116b
SHA1: 0d86051102614d665d092c3d5f6981358c541040
SHA256: 4CB817DA72CAD9E8CB36D82EA9371EC3321F48D31C7E88B89C2157B8F8FE0FBF
File Size: 303.10 KB, 303104 bytes

Windows Portable Executable Attributes

The attributes below are aggregated over all of the listed samples, which is why mutually exclusive pairs (packed / not packed, has exports table / doesn't have exports table, console / GUI subsystem) both appear; read each line as "at least one sample has this property".
  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have resources
  • File doesn't have security information
  • File has been packed
  • File has exports table
  • File has TLS information
  • File is 32-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
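The attributes above are all readable from the PE headers without executing anything. The following Python is an added example (not part of this database entry and not derived from any Ramnit sample): it derives the same flags from the IMAGE_FILE_HEADER characteristics (IMAGE_FILE_DLL, IMAGE_FILE_EXECUTABLE_IMAGE), the optional-header magic and subsystem, the data directories (export, resource, security/Authenticode, base relocation, debug, TLS) and the COM descriptor directory that marks a .NET image, and it looks for the linker's "Rich" marker between the DOS header and the NT headers. It also handles PE32+ images, which this entry does not list. The `build_pe_header` function only manufactures constructed header blobs as test input; the RVA/size values it writes are dummies.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
# IMAGE_OPTIONAL_HEADER.Magic
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
# IMAGE_OPTIONAL_HEADER.Subsystem
IMAGE_SUBSYSTEM_WINDOWS_GUI, IMAGE_SUBSYSTEM_WINDOWS_CUI = 2, 3
# Data directory indices (IMAGE_DIRECTORY_ENTRY_*)
DIR_EXPORT, DIR_RESOURCE, DIR_SECURITY, DIR_BASERELOC, DIR_DEBUG, DIR_TLS, DIR_COM = 0, 2, 4, 5, 6, 9, 14


def pe_attributes(data: bytes) -> dict:
    """Derive the attribute flags listed in the report from the PE headers alone."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, file_hdr)
    opt = file_hdr + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    pe32plus = magic == PE32PLUS_MAGIC
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]   # same offset in PE32 and PE32+
    ndirs_off = opt + (108 if pe32plus else 92)                 # NumberOfRvaAndSizes
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    dir_base = ndirs_off + 4

    def has_dir(index: int) -> bool:
        # A table is present when its directory entry exists and both RVA and size are non-zero.
        if index >= ndirs:
            return False
        rva, size = struct.unpack_from("<II", data, dir_base + index * 8)
        return rva != 0 and size != 0

    return {
        "is_32bit": not pe32plus,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "is_executable_image": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
        "subsystem": {IMAGE_SUBSYSTEM_WINDOWS_GUI: "GUI", IMAGE_SUBSYSTEM_WINDOWS_CUI: "CUI"}.get(subsystem, str(subsystem)),
        "is_dotnet": has_dir(DIR_COM),                        # COM descriptor directory => managed image
        "has_rich_header": b"Rich" in data[0x40:e_lfanew],    # Rich block sits between DOS header and NT headers
        "has_exports": has_dir(DIR_EXPORT),
        "has_resources": has_dir(DIR_RESOURCE),
        "has_security": has_dir(DIR_SECURITY),                # Authenticode signature blob
        "has_relocations": has_dir(DIR_BASERELOC),
        "has_debug": has_dir(DIR_DEBUG),
        "has_tls": has_dir(DIR_TLS),
    }


def build_pe_header(is_dll=False, subsystem=IMAGE_SUBSYSTEM_WINDOWS_GUI, dirs=(), rich=False, pe32plus=False) -> bytes:
    """Constructed test input: a minimal DOS header plus NT headers with no sections (not a real binary)."""
    e_lfanew = 0x100
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    if rich:
        dos[0x80:0x84] = b"Rich"
    characteristics = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    fixed = 112 if pe32plus else 96                 # optional header bytes before the data directories
    opt = bytearray(fixed + 16 * 8)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, fixed - 4, 16)      # NumberOfRvaAndSizes
    for index in dirs:                              # dummy RVA/size so the directory counts as present
        struct.pack_into("<II", opt, fixed + index * 8, 0x1000 + index * 0x100, 0x40)
    machine = 0x8664 if pe32plus else 0x14C
    file_hdr = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), characteristics)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    sample = build_pe_header(dirs=(DIR_EXPORT, DIR_TLS), rich=True)
    for name, value in pe_attributes(sample).items():
        print(f"{name}: {value}")
```

Run it against a real file with `pe_attributes(open(path, "rb").read())`; note that "packed" is not a header flag and is not derived here, since packer detection needs section names and entropy rather than header fields.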

Windows PE Version Information

Most of these version resources belong to legitimate programs (Morrowind Launcher, Canon and HP utilities, OpenSSL, Qt, AutoPlay Media Studio runtimes). That is consistent with Ramnit being a file infector: the detected samples are host executables carrying the injected Ramnit code, and the host's original version information survives, so none of these strings identifies the malware by itself.

Name Value
Comments
  • Created with AutoPlay Media Studio
  • Elder Scrolls 3
  • GUI Version
Company Name
  • Bethesda Softworks
  • CANON INC.
  • FTDI Ltd.
  • Hewlett-Packard Company
  • Inprise Corporation
  • Microsoft Corporation
  • Nokia Corporation and/or its subsidiary(-ies)
  • SOFTWIN S
  • The OpenSSL Project, https://www.openssl.org/
File Description
  • AutoPlay Application
  • BitDefen
  • C++ application development framework.
  • Canon IJ Printer Assistant Tool
  • Dynamic Link Run Time Library (VCL MT)
  • Español by rade
  • FTBUSUI Property Page Provider
  • Morrowind Launcher
  • OpenSSL library
  • SwiftShader libGLESv2 32-bit Dynamic Link Library
  • vaporware bak lanz lanz ertl ertl whoppers lanz ertl Nelsons Heartily adulthood Agriculturists vaporware bak lanz lanz ertl ertl whoppers lanz ertl Nelsons Heartily adulthood Agriculturists vaporware bak lanz lanz ertl ertl whoppers lanz ertl Nelsons Heartily adulthood Agriculturists vaporware bak lanz lanz ertl ertl whoppers lanz ertl Nelsons Heartily adulthood Agriculturists
  • Windows Easy Transfer
  • 添加ARP Microsoft Foundation Class application
File Version
  • 106.42.73
  • 8.5.0.0
  • 6.2.9200.16384 (win8_rtm.120725-1247)
  • 5.9.1.192
  • 4.50.0000
  • 4.7.1.0
  • 3.3.0.1
  • 2, 0, 6, 0
  • 1.1.1d
  • 1.05.2.10
  • 1.0.0.5
  • 1, 0, 0, 1
Internal Name
  • ams_runtime
  • CNMPAUI.DLL
  • FTBUSUI.dll
  • HPUSBFW
  • libcrypto
  • libGLESv2
  • Morrowind Launcher
  • Run Time Library
  • wet.dll
  • фжзрюкшэщ
  • 添加ARP
Legal Copyright
  • 2528-6
  • Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies).
  • Copyright (C) 2016 Google Inc.
  • Copyright 1998-2019 The OpenSSL Authors. All rights reserved.
  • Copyright CANON INC. 2017
  • Copyright Inprise Corporation 1994,1999
  • Copyright © 2001
  • Copyright © 2003-2004 Hewlett-Packard Development Company, L.P. All rights reserved.
  • Copyright © 2006 FTDI Ltd.
  • Runtime Engine Copyright © 2015 Indigo Rose Corporation (www.indigorose.com)
  • Surpluses
  • © Microsoft Corporation. All rights reserved.
  • Copyright (C) 2012
Legal Trademarks
  • AutoPlay Media Studio is a Trademark of Indigo Rose Corporation
Original Filename
  • ams_runtime.exe
  • CNMPAUI.DLL
  • FTBUSUI.dll
  • HPUSBFW.exe
  • libcrypto
  • libGLESv2.dll
  • Morrowind Launcher
  • nedwp
  • QtGui4.dll
  • Surpluses
  • wet.dll
  • 添加ARP.EXE
Private Build
  • 3.3.0.1
  • Jan 21, 2004 Build 006
Product Name
  • AutoPlay Media Studio Runtime
  • Bethesda Softworks Morrowind Launcher
  • Borland C++ Builder 4.0
  • Canon IJ Printer Assistant Tool
  • FTDIChip CDM Drivers
  • HP USB Disk Storage Format Tool
  • Microsoft® Windows® Operating System
  • Qt4
  • Surpluses
  • SwiftShader libGLESv2 Dynamic Link Library
  • The OpenSSL Toolkit
  • люзанх
  • 添加ARP application
Product Version
  • 106.4
  • 8.5.0.0
  • 6.2.9200.16384
  • 5.9.1.192
  • 4.5
  • 3.3.0.1
  • 2.00.00.1
  • 2, 0, 6, 0
  • 1.1.1d
  • 1.05.2.10
  • 1, 0, 0, 1

File Traits

  • .adata
  • 2+ executable sections
  • AMS
  • dll
  • HighEntropy
  • imgui
  • No Version Info
  • ntdll
  • packed
  • PEC2
  • upx
  • UPX!
  • x86

Block Information

Total Blocks: 1,122
Potentially Malicious Blocks: 0
Whitelisted Blocks: 1,112
Unknown Blocks: 10

Visual Map

[Block grid omitted: 1,122 blocks rendered one symbol each; the counts are given under Block Information above.]
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Agent.IFSB
  • Kryptik.DGE
  • Ramnit.V
  • Rugmi.RC
  • Trojan.Agent.Gen.UZ
  • Trojan.Downloader.Gen.GN
  • Ulise.A
  • ZBot.NA
  • ZBot.NB
  • Zbot.N
  • Zzinfor.C

Files Modified

File Attributes
\device\harddisk0\dr0 Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe Generic Read,Write Attributes
\device\namedpipe Generic Write,Read Attributes
\device\namedpipe\gmdasllogger Generic Write,Read Attributes
c: Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\hmxtkl.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\hmxtkl.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\hmxtkl.exe Synchronize,Write Attributes
c:\users\user\appdata\local\temp\nslcbb0.tmp\nsexec.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\~tma36e.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\downloads\cmgr.exe Generic Write,Read Attributes
c:\users\user\downloads\csrv.exe Generic Write,Read Attributes
c:\users\user\downloads\csrvsrv.exe Generic Write,Read Attributes
c:\users\user\downloads\e36ec4af9138c68e6476550bbbec5d48ab1aed62_0003348992srv.exe Generic Write,Read Attributes
c:\users\user\downloads\temp\shsandbox-win32.dll-5.21.4.9999-x86.dmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\downloads\temp\shsandbox-win32.dll-5.22.1.9999-x86.dmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\windows\2ca2e1 Generic Write,Read Attributes
c:\windows\system.ini Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\windows\syswow64\rundll32mgr.exe Generic Write,Read Attributes
c:\windows\syswow64\rundll32srv.exe Generic Write,Read Attributes
c:\windows\syswow64\temp\shsandbox-win32.dll-5.22.1.9999-x86.dmp Generic Read,Write Data,Write Attributes,Write extended,Append data

Registry Modifications

Data shown as CJK or other non-Latin characters is non-text binary data that the sandbox rendered as UTF-16; for those entries the key and value names are the useful indicator. RegNtPreCreateKey in the last column is the registry-callback notification class under which the write was recorded, not an API the sample called.

Key::Value Data API Name
HKCU\software\microsoft\windows\currentversion\explorer\advanced::hidden  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::antivirusoverride  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::antivirusdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::firewalldisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::firewalloverride  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::updatesdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::uacdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::antivirusoverride  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::antivirusdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::firewalldisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::firewalloverride  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::updatesdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::uacdisablenotify  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\direct3d\mostrecentapplication::name caba7f5c2d46d5b1a6f3cbb3e1c10e9bae7ef8b1_0003547136 RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings::globaluseroffline RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\policies\system::enablelua RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::enablefirewall RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::donotallowexceptions RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::disablenotifications  RegNtPreCreateKey
HKCU\software\jguh::u1_0 啕啕 RegNtPreCreateKey
HKCU\software\jguh::u2_0 RegNtPreCreateKey
HKCU\software\jguh::u3_0 権ă RegNtPreCreateKey
HKCU\software\jguh::u4_0 RegNtPreCreateKey
HKCU\software\jguh::u1_1 䴜㱃 RegNtPreCreateKey
HKCU\software\jguh::u2_1 書牥 RegNtPreCreateKey
HKCU\software\jguh::u3_1 ᥜ獦 RegNtPreCreateKey
HKCU\software\jguh::u4_1 獵牥 RegNtPreCreateKey
HKCU\software\jguh::u1_2 ꋏꁼ RegNtPreCreateKey
HKCU\software\jguh::u2_2  RegNtPreCreateKey
HKCU\software\jguh::u3_2 賃 RegNtPreCreateKey
HKCU\software\jguh::u4_2  RegNtPreCreateKey
HKCU\software\jguh::u1_3 婯䁹 RegNtPreCreateKey
HKCU\software\jguh::u2_3 俒地 RegNtPreCreateKey
HKCU\software\jguh::u3_3 ぶ嘳 RegNtPreCreateKey
HKCU\software\jguh::u4_3 婟地 RegNtPreCreateKey
HKCU\software\jguh::u1_4 鼭ⷤ RegNtPreCreateKey
HKCU\software\jguh::u2_4 RegNtPreCreateKey
HKCU\software\jguh::u3_4 ꟽ좖 RegNtPreCreateKey
HKCU\software\jguh::u4_4 췔즕 RegNtPreCreateKey
HKCU\software\jguh::u1_5 綁ׂ RegNtPreCreateKey
HKCU\software\jguh::u2_5 哄㯻 RegNtPreCreateKey
HKCU\software\jguh::u3_5 ⭠㫸 RegNtPreCreateKey
HKCU\software\jguh::u4_5 䅉㯻 RegNtPreCreateKey
HKCU\software\jguh::u1_6 ⷨ𢡄 RegNtPreCreateKey
HKCU\software\jguh::u2_6 ꄳ깠 RegNtPreCreateKey
HKCU\software\jguh::u3_6 RegNtPreCreateKey
HKCU\software\jguh::u4_6 뒾깠 RegNtPreCreateKey
HKCU\software\jguh::u1_7 穠峕 RegNtPreCreateKey
HKCU\software\jguh::u2_7 㶾⃆ RegNtPreCreateKey
HKCU\software\jguh::u3_7 䈚⇅ RegNtPreCreateKey
HKCU\software\jguh::u4_7 ⠳⃆ RegNtPreCreateKey
HKCU\software\jguh::u1_8 騍橎 RegNtPreCreateKey
HKCU\software\jguh::u2_8 踥錫 RegNtPreCreateKey
HKCU\software\jguh::u3_8 鈨 RegNtPreCreateKey
HKCU\software\jguh::u4_8 鮨錫 RegNtPreCreateKey
HKCU\software\jguh::u1_9 驄깽 RegNtPreCreateKey
HKCU\software\jguh::u2_9 ᪐֑ RegNtPreCreateKey
HKCU\software\jguh::u3_9 攴Ғ RegNtPreCreateKey
HKCU\software\jguh::u4_9 ༝֑ RegNtPreCreateKey
HKCU\software\jguh::u1_10 옯쟌 RegNtPreCreateKey
HKCU\software\jguh::u2_10 鷺矶 RegNtPreCreateKey
HKCU\software\jguh::u3_10 盵 RegNtPreCreateKey
HKCU\software\jguh::u4_10 芒矶 RegNtPreCreateKey
HKCU\software\jguh::u1_11 䡖騅 RegNtPreCreateKey
HKCU\software\jguh::u2_11  RegNtPreCreateKey
HKCU\software\jguh::u3_11 鰮 RegNtPreCreateKey
HKCU\software\jguh::u4_11  RegNtPreCreateKey
HKCU\software\jguh::u1_12 ጱ RegNtPreCreateKey
HKCU\software\jguh::u2_12 稠峁 RegNtPreCreateKey
HKCU\software\jguh::u3_12 ͕巂 RegNtPreCreateKey
HKCU\software\jguh::u4_12 楼峁 RegNtPreCreateKey
HKCU\software\jguh::u1_13 摂 RegNtPreCreateKey
HKCU\software\jguh::u2_13 왕켦 RegNtPreCreateKey
HKCU\software\jguh::u3_13 뛘츥 RegNtPreCreateKey
HKCU\software\jguh::u4_13 RegNtPreCreateKey
HKCU\software\jguh::u1_14 ᚿ쳲 RegNtPreCreateKey
HKCU\software\jguh::u2_14 䖘䆌 RegNtPreCreateKey
HKCU\software\jguh::u3_14 㩏䂏 RegNtPreCreateKey
HKCU\software\jguh::u4_14 偦䆌 RegNtPreCreateKey
HKCU\software\jguh\1214104697::1919251317  RegNtPreCreateKey
HKCU\software\jguh\1214104697::-456464662 RegNtPreCreateKey
HKCU\software\jguh\1214104697::1462786655 RegNtPreCreateKey
HKCU\software\jguh\1214104697::-912929324  RegNtPreCreateKey
HKCU\software\jguh\1214104697::1006321993 K RegNtPreCreateKey
HKCU\software\jguh\1214104697::-1369393986 http://padrup.com/sobaka1.gifhttp://190.120.227.91:8080/sobak RegNtPreCreateKey
HKCU\software\jguh\1214104697::549857331 RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe ➅핯飡ǜ RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list::c:\users\user\downloads\b4f9b5f5d10744c2cc4418daea0885614e5246a5_0000204288 c:\users\user\downloads\b4f9b5f5d10744c2cc4418daea0885614e5246a5_0000204288:*:enabled:@shell32.dll,-1 RegNtPreCreateKey
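The Security Center, firewall-policy, EnableLUA, Explorer "Hidden" and HKCU\software\jguh entries above are the security-relevant part of this list. The following Python is an added example (not part of this database entry): it turns those keys into a watchlist and triages a stream of registry-set events against it, folding Wow6432Node and ControlSetNNN away so one rule covers both registry views. The events at the bottom are constructed from the key and value names in this report; the data values (1, 0, the firewall-list string) are assumed, since the report does not show them. The "u1_N..u4_N under a four-letter HKCU\Software key" rule is a heuristic taken from this one report, and the assumption that the key name varies between infections is mine.

```python
import re

# Watchlist built from the registry keys in this report. Keys are compared after normalization
# (lower case, Wow6432Node removed, ControlSetNNN folded to CurrentControlSet).
SECURITY_CENTER = r"hklm\software\microsoft\security center"
POLICIES_SYSTEM = r"hklm\software\microsoft\windows\currentversion\policies\system"
FIREWALL_STD = r"hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile"
EXPLORER_ADV = r"hkcu\software\microsoft\windows\currentversion\explorer\advanced"

# (key prefix, value name, predicate that marks the data as hostile, description)
TAMPER_RULES = [
    (SECURITY_CENTER, "antivirusoverride", lambda d: d != 0, "Security Center AV state overridden"),
    (SECURITY_CENTER, "antivirusdisablenotify", lambda d: d != 0, "AV warnings suppressed"),
    (SECURITY_CENTER, "firewalloverride", lambda d: d != 0, "Security Center firewall state overridden"),
    (SECURITY_CENTER, "firewalldisablenotify", lambda d: d != 0, "firewall warnings suppressed"),
    (SECURITY_CENTER, "updatesdisablenotify", lambda d: d != 0, "update warnings suppressed"),
    (SECURITY_CENTER, "uacdisablenotify", lambda d: d != 0, "UAC warnings suppressed"),
    (POLICIES_SYSTEM, "enablelua", lambda d: d == 0, "UAC disabled"),
    (FIREWALL_STD, "enablefirewall", lambda d: d == 0, "Windows Firewall disabled"),
    (FIREWALL_STD, "donotallowexceptions", lambda d: d == 0, "firewall exceptions allowed"),
    (FIREWALL_STD, "disablenotifications", lambda d: d != 0, "firewall notifications disabled"),
    (EXPLORER_ADV, "hidden", lambda d: d == 2, "Explorer set to hide hidden files"),
]
# Heuristic from this report: HKCU\software\jguh holding u1_N..u4_N values. Key name assumed to vary.
CONFIG_KEY = re.compile(r"hkcu\\software\\[a-z]{4}")
CONFIG_VALUE = re.compile(r"u[1-4]_\d+")


def normalize_key(key: str) -> str:
    k = key.strip().lower()
    k = re.sub(r"^hkey_local_machine", "hklm", k)
    k = re.sub(r"^hkey_current_user", "hkcu", k)
    k = k.replace(r"\wow6432node", "")
    return re.sub(r"\\controlset\d{3}\\", r"\\currentcontrolset\\", k)


def _as_int(data):
    """DWORD data may arrive as int, '1' or '0x1'; None means the sandbox did not capture it."""
    if isinstance(data, int):
        return data
    try:
        return int(str(data).strip(), 0)
    except (TypeError, ValueError):
        return None


def triage_registry_events(events):
    findings, config_keys = [], set()
    for ev in events:
        key, name, data = normalize_key(ev["key"]), (ev.get("value") or "").lower(), ev.get("data")
        for prefix, rule_name, hostile, desc in TAMPER_RULES:
            if name != rule_name or not (key == prefix or key.startswith(prefix + "\\")):
                continue
            n = _as_int(data)
            if n is None:
                findings.append(f"{desc}? {ev['key']}\\{ev['value']} written, data not captured")
            elif hostile(n):
                findings.append(f"{desc}: {ev['key']}\\{ev['value']} = {n}")
        # Firewall exception registered for an arbitrary program (the value name is the program path).
        if key == FIREWALL_STD + r"\authorizedapplications\list" and ":*:enabled:" in str(data).lower():
            findings.append(f"firewall exception added for {name}")
        if CONFIG_KEY.fullmatch(key) and CONFIG_VALUE.fullmatch(name) and key not in config_keys:
            config_keys.add(key)
            findings.append(f"Ramnit-style value store under {ev['key']} (heuristic)")
    return findings


# Constructed events: key/value names from this report, data values assumed. The last one is benign.
SAMPLE_EVENTS = [
    {"key": r"HKLM\software\wow6432node\microsoft\security center", "value": "antivirusoverride", "data": 1},
    {"key": r"HKLM\software\wow6432node\microsoft\security center\svc", "value": "firewalldisablenotify", "data": 1},
    {"key": r"HKLM\software\microsoft\windows\currentversion\policies\system", "value": "enablelua", "data": 0},
    {"key": FIREWALL_STD.replace("currentcontrolset", "controlset001").replace("hklm", "HKLM"), "value": "enablefirewall", "data": 0},
    {"key": FIREWALL_STD.replace("currentcontrolset", "controlset001").replace("hklm", "HKLM"), "value": "donotallowexceptions", "data": None},
    {"key": r"HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list",
     "value": r"c:\users\user\downloads\b4f9b5f5d10744c2cc4418daea0885614e5246a5_0000204288",
     "data": r"c:\users\user\downloads\b4f9b5f5d10744c2cc4418daea0885614e5246a5_0000204288:*:enabled:@shell32.dll,-1"},
    {"key": r"HKCU\software\jguh", "value": "u1_0", "data": "\u5555\u5555"},
    {"key": r"HKCU\software\jguh", "value": "u2_0", "data": None},
    {"key": r"HKCU\software\microsoft\windows\currentversion\run", "value": "OneDrive",
     "data": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for line in triage_registry_events(SAMPLE_EVENTS):
        print(line)
```

Feeding it Sysmon Event ID 13 (RegistryEvent, value set) records mapped to the same key/value/data dictionaries is the obvious live use; the "written, data not captured" branch matters because several rows in this report record the write without the data.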

Windows API Usage

Category API
Process Shell Execute
  • CreateProcess
Encryption Used
  • CryptAcquireContext
Syscall Use
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtClose
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • win32u.dll!NtUserGetKeyboardLayout
  • win32u.dll!NtUserGetThreadState
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
  • OutputDebugString
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ZwMapViewOfSection
User Data Access
  • GetUserObjectInformation

Shell Command Execution

Each rundll32 line loads a downloaded sample as the module and calls its export LiQMAxHB; the module path has no .dll extension and ends in a dot. The PowerShell line adds a Windows Defender exclusion for a per-user AppData\Local directory. The remaining lines launch copies whose names are the dropper's name with "Srv" or "mgr" appended (cSrv.exe, cSrvSrv.exe, cmgr.exe, ...Srv.exe).

c:\users\user\downloads\e36ec4af9138c68e6476550bbbec5d48ab1aed62_0003348992Srv.exe
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\cbb3468b047cdd428e973f39d04907c6e6cd22d6_0000908800.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\85274b3a3f2b4c1dd9bd08d3e525c264554f9df0_0008906131.,LiQMAxHB
cSrv.exe
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\e2d5b432e6634e84c289534ff0e529dbac5e06a4_0000167936.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\50623038165328fa063e5792efc036cd043c8061_0002400104.,LiQMAxHB
cmgr.exe
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\4981f7ff076e61f1f04c4bb2e5754333721dc154_0002211328.,LiQMAxHB
powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Vifibodj\AppData\Local\""
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\73cbac9348e66b9881912a82b48178131a06cb28_0000116689.,LiQMAxHB
c:\users\user\downloads\cSrvSrv.exe
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\6f0665a8446c6578b3c613e63609e26bb8797707_0008533342.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\ee3cea661b3b62bab75d4ee3c319cb18b0fb8c42_0005323092.,LiQMAxHB
