| File name: | 4aace0007f268d3fff992ab8f784993938578baccc87fcacc019ab11e47c2fa2.dll |
| Full analysis: | https://app.any.run/tasks/7082b3a9-e52a-496e-99b3-b93c902e3222 |
| Verdict: | Malicious activity |
| Analysis date: | August 08, 2025, 22:16:08 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (DLL) (GUI) x86-64, for MS Windows, 9 sections |
| MD5: | 407FD1AD49581B927854D86093B0A9C0 |
| SHA1: | 1583FFF48CC32E1956EEA68DD4B1F52D7434B2A5 |
| SHA256: | 4AACE0007F268D3FFF992AB8F784993938578BACCC87FCACC019AB11E47C2FA2 |
| SSDEEP: | 49152:21RBRj2tAJVNblApphdOYz5nXrsYZ4vl1wmUfG7mcAiBMaEmcg5hhDkhph/hhCw9:kRBR2tYhDou7mkbN |
| .exe | Win64 Executable (generic) (87.3) |
| .exe | Generic Win/DOS Executable (6.3) |
| .exe | DOS Executable Generic (6.3) |
| MachineType: | AMD AMD64 |
| TimeStamp: | 2025:08:06 09:46:13+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware, DLL |
| PEType: | PE32+ |
| LinkerVersion: | 14.34 |
| CodeSize: | 961536 |
| InitializedDataSize: | 557568 |
| UninitializedDataSize: | 239616 |
| EntryPoint: | 0x6b530 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.3.384.49 |
| ProductVersionNumber: | 1.3.384.49 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Dynamic link library |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| CompanyName: | Sumpitan Insulize Corp. |
| ProductName: | Flattest Patens |
| FileDescription: | Carcoon tricycle thyreocolloid scenarioize jongleurs bepinch antifermentative modernities overclaim. |
| FileVersion: | 1.3.384.49 |
| ProductVersion: | 1.3.384.49 |
| OriginalFileName: | TripetaloidHispanophobe.exe |
| InternalName: | Metaformaldehyde Formularise |
| LegalCopyright: | © 2025 Sumpitan Insulize Corp. |
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 236 | %ProgramFiles%\RUXIM\RUXIMICS.EXE /nonetwork | C:\Program Files\RUXIM\RUXIMICS.exe | — | PLUGScheduler.exe | SYSTEM | Microsoft Corporation | SYSTEM | Reusable UX Interaction Manager | 0 | 10.0.19041.3623 (WinBuild.160101.0800) |
| 768 | "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=NetworkAvailable | C:\Windows\System32\slui.exe | — | SppExtComObj.Exe | NETWORK SERVICE | Microsoft Corporation | SYSTEM | Windows Activation Client | 1 | 10.0.19041.1 (WinBuild.160101.0800) |
| 1036 | C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -Embedding | C:\Windows\System32\wbem\WmiPrvSE.exe | — | svchost.exe | NETWORK SERVICE | Microsoft Corporation | SYSTEM | WMI Provider Host | 0 | 10.0.19041.3636 (WinBuild.160101.0800) |
| 1156 | C:\WINDOWS\System32\sihclient.exe /cv u4rrgu/q3EucN6gXQ5WlQA.0.2 | C:\Windows\System32\SIHClient.exe | | upfc.exe | SYSTEM | Microsoft Corporation | SYSTEM | SIH Client | 2149863430 | 10.0.19041.1 (WinBuild.160101.0800) |
| 1212 | "C:\Program Files\RUXIM\PLUGscheduler.exe" | C:\Program Files\RUXIM\PLUGScheduler.exe | — | svchost.exe | SYSTEM | Microsoft Corporation | SYSTEM | Windows Update LifeCycle Component Scheduler | 0 | 10.0.19041.3623 (WinBuild.160101.0800) |
| 1268 | C:\WINDOWS\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc | C:\Windows\System32\svchost.exe | | services.exe | SYSTEM | Microsoft Corporation | SYSTEM | Host Process for Windows Services | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| 1288 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | WaaSMedicAgent.exe | SYSTEM | Microsoft Corporation | SYSTEM | Console Window Host | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| 1380 | "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent | C:\Windows\System32\slui.exe | | SppExtComObj.Exe | NETWORK SERVICE | Microsoft Corporation | SYSTEM | Windows Activation Client | 1 | 10.0.19041.1 (WinBuild.160101.0800) |
| 2368 | C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wlidsvc | C:\Windows\System32\svchost.exe | | services.exe | SYSTEM | Microsoft Corporation | SYSTEM | Host Process for Windows Services | — | 10.0.19041.1 (WinBuild.160101.0800) |
| 2940 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s CryptSvc | C:\Windows\System32\svchost.exe | | services.exe | NETWORK SERVICE | Microsoft Corporation | SYSTEM | Host Process for Windows Services | — | 10.0.19041.1 (WinBuild.160101.0800) |
| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 1268 | svchost.exe | HKEY_LOCAL_MACHINE\SYSTEM\WaaS\WaaSMedic\Configuration | write | ETag | "66A2A386BBA04BD5A6331A0AD7AF8FD8389BA07DAF02CB8E5F846CAC" |
| 1268 | svchost.exe | HKEY_LOCAL_MACHINE\SYSTEM\WaaS\WaaSMedic\Configuration | write | refreshInterval | 534 |
| 1268 | svchost.exe | HKEY_LOCAL_MACHINE\SYSTEM\WaaS\WaaSMedic\Configuration | write | refreshAfter | 1EC6BD3A7B09DC01 |
| 1268 | svchost.exe | HKEY_LOCAL_MACHINE\SYSTEM\WaaS\WaaSMedic\Configuration\SERVICEHEALTHPLUGIN | write | ORDER | 1 |
| 1268 | svchost.exe | HKEY_LOCAL_MACHINE\SYSTEM\WaaS\WaaSMedic\Configuration\SCHEDULEDTASKSPLUGIN | write | MAXUPTIMETHRESHOLD | 20 |
| 1268 | svchost.exe | HKEY_LOCAL_MACHINE\SYSTEM\WaaS\WaaSMedic\Configuration\SERVICEHEALTHPLUGIN | write | MINUPTIMETHRESHOLD | 0 |
| 1268 | svchost.exe | HKEY_LOCAL_MACHINE\SYSTEM\WaaS\WaaSMedic\Configuration\SERVICINGCLEANUPPLUGIN | write | RUNONMANAGED | |
| 1268 | svchost.exe | HKEY_LOCAL_MACHINE\SYSTEM\WaaS\WaaSMedic\Configuration\SCHEDULEDTASKSPLUGIN | write | INTERVALINHOURS | 24 |
| 1268 | svchost.exe | HKEY_LOCAL_MACHINE\SYSTEM\WaaS\WaaSMedic\Configuration\DISKCLEANUPPLUGIN | write | THREADEXECUTIONTIMEOUTINSECONDS | 7200 |
| 1268 | svchost.exe | HKEY_LOCAL_MACHINE\SYSTEM\WaaS\WaaSMedic\Configuration\SERVICINGCLEANUPPLUGIN | write | ORDER | 6 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3760 | rundll32.exe | C:\Users\admin\TypeUniongetConsistencyGuaranteeInterlockedCompareExchange\6bea57fb-8dfb-4177-9ae8-42e8b3529933_RuntimeDeviceInstall.dll | executable | 8FC840B45813CC5C2A07E3630B62DB34 | C407A7D3920DFAC893F61A6205B910DBBF1AA2A013FDDE8137E5614CFB14803C |
| 3760 | rundll32.exe | C:\Users\admin\TypeUniongetConsistencyGuaranteeInterlockedCompareExchange\@AppHelpToast.png | image | D6F8DD9F561B8A67FFAC2BAD7E989770 | 89EC548C14582B2BDC7739BC0FA007EA5FD648E1690564638FDC6264103098A7 |
| 3760 | rundll32.exe | C:\Users\admin\TypeUniongetConsistencyGuaranteeInterlockedCompareExchange\@WindowsHelloFaceToastIcon.png | image | 13EF2C8D799F7B6E9D8E3D6BACB9C779 | 769B5F5FE87DA6A5F8535079E7A6A0EA65520D83800087513ADC0DBF86AEF62D |
| 3760 | rundll32.exe | C:\Users\admin\TypeUniongetConsistencyGuaranteeInterlockedCompareExchange\@windows-hello-V4.1.gif | image | 79166EAF65485F1432DD72B72870026B | 5101B61462E241A346A2726696430318A1188479216E0766EE2B43E4D139F0EC |
| 3760 | rundll32.exe | C:\Users\admin\TypeUniongetConsistencyGuaranteeInterlockedCompareExchange\@optionalfeatures.png | image | A119D69B4C29845D3F8CE2E5638C8E65 | 377620233BA4FD20ED1694619307BAB09214D514E521F96D89C077B98B1FAB76 |
| 3760 | rundll32.exe | C:\Users\admin\TypeUniongetConsistencyGuaranteeInterlockedCompareExchange\69fe178f-26e7-43a9-aa7d-2b616b672dde_eventlogservice.dll | executable | AA22ACA4AF887A2C3859F19B037D044C | F1A674EF9154775BF524C41D3364C867FEBA50162791DCA851597147D92D172D |
| 3760 | rundll32.exe | C:\Users\admin\TypeUniongetConsistencyGuaranteeInterlockedCompareExchange\@AudioToastIcon.png | image | 82C37C3E27020AF6C2E018E944284676 | 0B99B2576F1FA0689FF6E03462076F4CA2C36D3B198511F7497FB9C89615C445 |
| 3760 | rundll32.exe | C:\Users\admin\TypeUniongetConsistencyGuaranteeInterlockedCompareExchange\@StorageSenseToastIcon.png | image | A3437673F5766635A8378F67645B81C0 | 6B05FB9F09FDB608DCCE58226B9B7E246A30873906AF8A5FEAC124C371BDA37E |
| 3760 | rundll32.exe | C:\Users\admin\TypeUniongetConsistencyGuaranteeInterlockedCompareExchange\@WirelessDisplayToast.png | image | DB71001FC261F6685BE410527DAE3942 | 4F10CDC52BB903B8E84257F62923B8E3635FE554FDE344C27647CB6E7E369EE4 |
| 3760 | rundll32.exe | C:\Users\admin\TypeUniongetConsistencyGuaranteeInterlockedCompareExchange\@AdvancedKeySettingsNotification.png | image | C652A5EA6545C98CE71684018E0640E7 | AA24A85644ECCCAD7098327899A3C827A6BE2AE1474C7958C1500DCD55EE66D8 |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.26:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
| 1268 | svchost.exe | GET | 200 | 23.216.77.26:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
| 1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
| 5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
| 4912 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
| — | — | POST | 200 | 20.190.160.67:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted |
| — | — | POST | 400 | 20.190.160.67:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
| — | — | POST | 400 | 40.126.32.140:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
| — | — | POST | 400 | 20.190.160.128:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
| — | — | POST | 400 | 20.190.160.22:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4912 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 1268 | svchost.exe | 23.216.77.26:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
| 5944 | MoUsoCoreWorker.exe | 23.216.77.26:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
| 1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
| 4912 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
| 5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| settings-win.data.microsoft.com | | whitelisted |
| google.com | | whitelisted |
| crl.microsoft.com | | whitelisted |
| www.microsoft.com | | whitelisted |
| login.live.com | | whitelisted |
| slscr.update.microsoft.com | | whitelisted |
| fe3cr.delivery.mp.microsoft.com | | whitelisted |
| self.events.data.microsoft.com | | whitelisted |
| activation-v2.sls.microsoft.com | | whitelisted |
| x1.c.lencr.org | | whitelisted |