
Trojan.Rugmi.FL

By CagedTech in Trojans

Threat Scorecard

Popularity Rank: 12,229
Threat Level: 80% (High)
Infected Computers: 9
First Seen: March 14, 2026
Last Seen: June 17, 2026
OS(es) Affected: Windows

Analysis Report

General information

Family Name: Trojan.Rugmi.FL
Signature status: Hash Mismatch

Known Samples

MD5: a9746c7ff0d6fac0f9e334de61e071df
SHA1: 6ca098e8bd3e6dfd3aadb2369885b6e25af25e81
SHA256: 8C899CB16432D233970EDCA25209387DFDF9E44ED859B54827B9FA500C3A7795
File Size: 4.25 MB, 4249271 bytes

MD5: 82084d9c46419e209aa3a7a174a595d8
SHA1: 6207d92a76e6dd6944c48864a99bab63729e206c
SHA256: 8F3039779840B3FC6164D29EC5BF78EADAAB78A37E963BDBACFECC7CEB2F6FF8
File Size: 266.10 KB, 266096 bytes

MD5: 238449bae6ce98ebfb9bc518459209ef
SHA1: 04c176b9043616a45724d7bb18e4a48b37a60a5c
SHA256: 99D4C8953C8EE41F2DFACE3B1AC43DBDFA40C83765558C38F380E390A03919DE
File Size: 192.62 KB, 192616 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has exports table
  • File has TLS information
  • File is 32-bit executable
  • File is 64-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Comments
  • Arabic Stemmer for Translation Services
  • This installation was built with Inno Setup.
Company Name
  • COLTEC M.E.
  • Microsoft Corporation
File Description
  • Arabic Stemmer for MS Office 2009, by COLTEC M.E.
  • Good Setup
  • Microsoft® C/C++ OpenMP Runtime
File Version
  • 14.44.35112.1
  • 14.0.0.3
  • 2.0.0.0
Internal Name
  • msb1star.dll
  • VCOMP140.DLL
Legal Copyright
  • Copyright © 2009 COLTEC M.E.
  • © Microsoft Corporation. All rights reserved.
Legal Trademarks
  • Microsoft® is a registered trademark of Microsoft Corporation.
Original Filename
  • msb1star.DLL
  • VCOMP140.DLL
Product Name
  • Coltec's Arabic Stemmer
  • Good
  • Microsoft® Visual Studio®
Product Version
  • 14.44.35112.1
  • 14.0.0.3
  • 9.1

Digital Signatures

Signer: Coltec Middle East Company for Computer Technologies
Root: Class 3 Public Primary Certification Authority
Status: Hash Mismatch

Signer: Microsoft Corporation
Root: Microsoft Code Signing PCA 2011
Status: Hash Mismatch

Signer: Microsoft Windows Software Compatibility Publisher
Root: Microsoft Windows Third Party Component CA 2013
Status: Hash Mismatch

File Traits

  • dll
  • ntdll
  • WriteProcessMemory
  • x64

Block Information

Total Blocks: 582
Potentially Malicious Blocks: 17
Whitelisted Blocks: 504
Unknown Blocks: 61

Visual Map

(Per-block classification map omitted: one symbol per block, in file order.)
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

  • Trojan.Downloader.Gen.PP

Files Modified

File Attributes
c:\programdata\drv\adplusmanager.exe.config Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\programdata\drv\dbgeng.dll Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\programdata\drv\dbghelp.dll Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\programdata\drv\driver.cfg Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\programdata\drv\late.exe Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\programdata\drv\linkeragent56.conf Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\local\temp\7b17489.tmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-8amdh.tmp\_isetup\_setup64.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-8amdh.tmp\adplusmanager.exe.config Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-8amdh.tmp\dbgeng.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-8amdh.tmp\dbghelp.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-8amdh.tmp\driver.cfg Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-8amdh.tmp\late.exe Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-8amdh.tmp\linkeragent56.conf Generic Write,Read Attributes
c:\users\user\appdata\local\temp\is-if8bl.tmp\6ca098e8bd3e6dfd3aadb2369885b6e25af25e81_0004249271.tmp Generic Write,Read Attributes
c:\users\user\appdata\roaming\drv\crisp.exe Read Attributes,Synchronize,Write Data

Registry Modifications

Key::Value | Data | API Name
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | [binary data, not printable] | RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | [binary data, not printable] | RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75 | [binary data, not printable] | RegNtPreCreateKey

Windows API Usage

Category API
Process Manipulation Evasion
  • NtUnmapViewOfSection
Process Shell Execute
  • CreateProcess
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAreMappedFilesTheSame
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCopyFileChunk
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateUserProcess
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtFsControlFile
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenMutant
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtQueryWnfStateNameInformation
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtResumeThread
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtTraceEvent
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtUpdateWnfStateData
  • ntdll.dll!NtWaitForMultipleObjects
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • UNKNOWN

Shell Command Execution

"C:\Users\Mpqmuiau\AppData\Local\Temp\is-IF8BL.tmp\6ca098e8bd3e6dfd3aadb2369885b6e25af25e81_0004249271.tmp" /SL5="$D0322,3861617,121344,c:\users\user\downloads\6ca098e8bd3e6dfd3aadb2369885b6e25af25e81_0004249271"
"C:\Users\Mpqmuiau\AppData\Local\Temp\is-8AMDH.tmp\LatE.exe"