File name:

rufus-4.5_x86.exe

Full analysis: https://app.any.run/tasks/d00eb3c0-9691-46e2-abe1-5a5638e85df8
Verdict: Malicious activity
Analysis date: July 29, 2024, 17:25:59
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
upx
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
MD5:

6F43A312C5DF38E013ACD13FE4AFFC85

SHA1:

A829876213DFD8F8CB2675AB2F04610C3C2F8BA8

SHA256:

3EE3420BFED6DEE70D7AC587C741DEA567E80D44ABA0F133AB770F11F44D1CEB

SSDEEP:

49152:yZwWFp1ktk0kpn3W4bTuDiebbDoin+9hYxwywAiwaENtjZos8avv83LLbEMcD9TT:MwWFp6tApn376HDU9hYC5sd0avvwLnYB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • rufus-4.5_x86.exe (PID: 7032)
    • Changes the Windows auto-update feature

      • rufus-4.5_x86.exe (PID: 7032)
  • SUSPICIOUS

    • Executes as Windows Service

      • vds.exe (PID: 5900)
  • INFO

    • Checks supported languages

      • rufus-4.5_x86.exe (PID: 7032)
    • Reads the computer name

      • rufus-4.5_x86.exe (PID: 7032)
    • Reads the machine GUID from the registry

      • rufus-4.5_x86.exe (PID: 7032)
    • Process checks whether UAC notifications are on

      • rufus-4.5_x86.exe (PID: 7032)
    • Creates files in a temporary directory

      • rufus-4.5_x86.exe (PID: 7032)
    • UPX packer has been detected

      • rufus-4.5_x86.exe (PID: 7032)
    • Reads the software policy settings

      • slui.exe (PID: 3808)
    • Checks proxy server information

      • slui.exe (PID: 3808)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (64.2)
.dll | Win32 Dynamic Link Library (generic) (15.6)
.exe | Win32 Executable (generic) (10.6)
.exe | Generic Win/DOS Executable (4.7)
.exe | DOS Executable Generic (4.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:05:22 11:06:09+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 2.42
CodeSize: 1478656
InitializedDataSize: 45056
UninitializedDataSize: 2912256
EntryPoint: 0x42f5b0
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.5.2180.0
ProductVersionNumber: 4.5.2180.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: https://rufus.ie
CompanyName: Akeo Consulting
FileDescription: Rufus
FileVersion: 4.5.2180
InternalName: Rufus
LegalCopyright: © 2011-2024 Pete Batard (GPL v3)
LegalTrademarks: https://www.gnu.org/licenses/gpl-3.0.html
OriginalFileName: rufus-4.5.exe
ProductName: Rufus
ProductVersion: 4.5.2180
No data.
All screenshots are available in the full report
Total processes
143
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

  • start
  • THREAT: rufus-4.5_x86.exe
  • vdsldr.exe (no specs)
  • vds.exe (no specs)
  • slui.exe
  • rufus-4.5_x86.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 3808
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5900
CMD: C:\WINDOWS\System32\vds.exe
Path: C:\Windows\System32\vds.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Virtual Disk Service
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vds.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 6232
CMD: C:\WINDOWS\System32\vdsldr.exe -Embedding
Path: C:\Windows\System32\vdsldr.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Virtual Disk Service Loader
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vdsldr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 6512
CMD: "C:\Users\admin\Desktop\rufus-4.5_x86.exe"
Path: C:\Users\admin\Desktop\rufus-4.5_x86.exe
Parent process: explorer.exe
User:
admin
Company:
Akeo Consulting
Integrity Level:
MEDIUM
Description:
Rufus
Exit code:
3221226540
Version:
4.5.2180
Modules
Images
c:\users\admin\desktop\rufus-4.5_x86.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 7032
CMD: "C:\Users\admin\Desktop\rufus-4.5_x86.exe"
Path: C:\Users\admin\Desktop\rufus-4.5_x86.exe
Parent process: explorer.exe
User:
admin
Company:
Akeo Consulting
Integrity Level:
HIGH
Description:
Rufus
Version:
4.5.2180
Modules
Images
c:\users\admin\desktop\rufus-4.5_x86.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
4 283
Read events
4 222
Write events
29
Delete events
32

Modification events

(PID) Process: (7032) rufus-4.5_x86.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{783CAC4C-3E50-4CF4-84FD-2C96C79EB011}Machine\Software\Policies\Microsoft\AppHVSI
Operation: write
Name: AllowAppHVSI_ProviderSet
Value: 0

(PID) Process: (7032) rufus-4.5_x86.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{783CAC4C-3E50-4CF4-84FD-2C96C79EB011}Machine\Software\Policies\Microsoft\EdgeUpdate
Operation: write
Name: UpdateDefault
Value: 0

(PID) Process: (7032) rufus-4.5_x86.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{783CAC4C-3E50-4CF4-84FD-2C96C79EB011}Machine\Software\Policies\Microsoft\Windows\Network Connections
Operation: write
Name: NC_DoNotShowLocalOnlyIcon
Value: 1

(PID) Process: (7032) rufus-4.5_x86.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{783CAC4C-3E50-4CF4-84FD-2C96C79EB011}Machine\Software\Policies\Microsoft\Windows\Windows Feeds
Operation: write
Name: EnableFeeds
Value: 0

(PID) Process: (7032) rufus-4.5_x86.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{783CAC4C-3E50-4CF4-84FD-2C96C79EB011}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate
Operation: write
Name: WUServer
Value: http://neverupdatewindows10.com

(PID) Process: (7032) rufus-4.5_x86.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{783CAC4C-3E50-4CF4-84FD-2C96C79EB011}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate
Operation: write
Name: WUStatusServer
Value: http://neverupdatewindows10.com

(PID) Process: (7032) rufus-4.5_x86.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{783CAC4C-3E50-4CF4-84FD-2C96C79EB011}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate
Operation: write
Name: UpdateServiceUrlAlternate
Value: http://neverupdatewindows10.com

(PID) Process: (7032) rufus-4.5_x86.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{783CAC4C-3E50-4CF4-84FD-2C96C79EB011}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate
Operation: write
Name: **del.FillEmptyContentUrls
Value:

(PID) Process: (7032) rufus-4.5_x86.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{783CAC4C-3E50-4CF4-84FD-2C96C79EB011}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
Operation: write
Name: UseWUServer
Value: 1

(PID) Process: (7032) rufus-4.5_x86.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{783CAC4C-3E50-4CF4-84FD-2C96C79EB011}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
Operation: write
Name: NoAutoUpdate
Value: 0
Executable files
0
Suspicious files
1
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 7032
Process: rufus-4.5_x86.exe
Filename: C:\Windows\SysWOW64\GroupPolicy\gpt.ini
Type: text
MD5: 39DFFC602ED934569F26BE44EC645814
SHA256: B57A88E5B1ACF3A784BE88B87FA3EE1F0991CB7C1C66DA423F3595FFC6E0C5C2

PID: 7032
Process: rufus-4.5_x86.exe
Filename: C:\Users\admin\AppData\Local\Temp\Ruf1862.tmp
Type: text
MD5: 711B1476D716A52EEB5EE7565F612D0E
SHA256: B5C7B62A8281A940A479D8E6496710A7B96F45B406D10FB2E09C910FCE50949D

PID: 7032
Process: rufus-4.5_x86.exe
Filename: C:\Windows\System32\GroupPolicy\gpt.ini
Type: text
MD5: 2392F1772EA5EC57F3B38729204010E4
SHA256: 182966E809A108282397D80C3F82D0116CB437D1C90630FCB1F93F7CC8F6219D

PID: 7032
Process: rufus-4.5_x86.exe
Filename: C:\Windows\System32\GroupPolicy\Machine\Registry.pol
Type: binary
MD5: 0C014C71A70DC7758BFDC822E974F1F3
SHA256: 8EBD915268E16B55A3ABDE6F612363576FAB5DF656F955D672CCE8889C5FF9CA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
22
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
200
13.89.179.9:443
https://self.events.data.microsoft.com/OneCollector/1.0/
unknown
binary
9 b
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
996
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3952
svchost.exe
239.255.255.250:1900
whitelisted
131.253.33.254:443
a-ring-fallback.msedge.net
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
104.126.37.137:443
www.bing.com
Akamai International B.V.
DE
unknown
4376
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6012
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6220
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
6564
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
a-ring-fallback.msedge.net
  • 131.253.33.254
unknown
www.bing.com
  • 104.126.37.137
  • 104.126.37.144
  • 104.126.37.160
  • 104.126.37.155
  • 104.126.37.139
  • 104.126.37.161
  • 104.126.37.162
  • 104.126.37.153
  • 104.126.37.130
whitelisted
google.com
  • 142.250.186.110
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
self.events.data.microsoft.com
  • 52.182.143.210
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
Process
Message
rufus-4.5_x86.exe
*** Rufus init ***
rufus-4.5_x86.exe
Cur dir: 'C:\Users\admin\Desktop\'
rufus-4.5_x86.exe
App dir: 'C:\Users\admin\Desktop\'
rufus-4.5_x86.exe
Sys dir: 'C:\WINDOWS\Sysnative'
rufus-4.5_x86.exe
Usr dir: 'C:\Users\admin'
rufus-4.5_x86.exe
Dat dir: 'C:\Users\admin\AppData\Local'
rufus-4.5_x86.exe
Tmp dir: 'C:\Users\admin\AppData\Local\Temp\'
rufus-4.5_x86.exe
Binary executable is signed by 'Akeo Consulting'
rufus-4.5_x86.exe
Will use settings from registry
rufus-4.5_x86.exe
loc file not found in current directory - embedded one will be used