Troj/Ramnit-CV exhibits the following characteristics:
File Information
- Size: 249K
- SHA-1: f8004434ee7726c09f77fe042acdecf08fd24cc5
- MD5: 212656c65c95fc244bdf14e36c632cf3
- CRC-32: 9c27dded
- File type: Windows executable
- First seen: 2013-03-06
Runtime Analysis
Registry Keys Created
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
  - Debugger
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
  - 2500: 0x00000003
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\housecalllauncher.exe
  - Debugger
- HKEY_USERS\S-1-5-20_Classes\CLSID\{5475D4E8-D3D7-2A4F-8166-0545730B5BD7}\04200134\CW1
  - 668
- HKEY_USERS\S-1-5-20\Software\Classes\CLSID\{5475D4E8-D3D7-2A4F-8166-0545730B5BD7}\04200134\CW1
  - 668
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
  - 2500: 0x00000003
- HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
  - 2500: 0x00000003
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
  - 2500: 0x00000003
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe
  - Debugger
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ezztxopie.exe
  - DisableExceptionChainValidation
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe
  - Debugger
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
  - 2500: 0x00000003
- HKCU\Software\Win7zip
  - Uuid
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  - CreativeAudio
- HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
  - 2500: 0x00000003
- HKLM\SOFTWARE\Win7zip
  - Uuid
- HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run
  - CreativeAudio
- HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
  - 2500: 0x00000003
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  - CreativeAudio
- HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
  - 2500: 0x00000003
Registry Keys Modified
- HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  - Startup
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  - ShowSuperHidden: 0x00000000
Processes Created
- c:\program files\common files\creativeaudio.{2227a280-3aea-1069-a2de-08002b30309d}\ezztxopie.exe
- c:\windows\system32\wuauclt.exe
DNS Requests
- beta.uandmearevideos1.com
- windowsupdate.microsoft.com