File name:

VBoxRT.dll

Full analysis: https://app.any.run/tasks/1fae822a-de43-4d24-8870-86d7299b1e5c
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 17, 2025, 12:25:05
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
lumma
stealer
loader
miner
winring0x64-sys
vuln-driver
upx
xmrig
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (DLL) (GUI) x86-64, for MS Windows, 6 sections
MD5:

FDEA446B7C4D6C4BAA4825BBC117808E

SHA1:

F37A14CF36BE8C997F7212959EF77E5DC7245112

SHA256:

6DC5ABB6139D7B4EB85060B5FDDA557D4D5CC9643C469382AF7603F34C0C7172

SSDEEP:

24576:GNDP8D0S9CuSg2JBV/sWBzJN4k9ZU50w:GNDP8D0S9CuSg2JBV/sWBzJN4k9ZU50

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Connects to the CnC server

      • svchost.exe (PID: 2196)
      • dialer.exe (PID: 6752)
    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2196)
      • MSBuild.exe (PID: 2236)
    • LUMMA mutex has been found

      • MSBuild.exe (PID: 2236)
    • LUMMA has been detected (YARA)

      • MSBuild.exe (PID: 2236)
    • Steals credentials from Web Browsers

      • MSBuild.exe (PID: 2236)
    • Actions look like stealing of personal data

      • MSBuild.exe (PID: 2236)
    • Changes Windows Defender settings

      • UeIHkHBjFt.exe (PID: 1568)
      • WindowsAutHost (PID: 7728)
    • Adds extension to the Windows Defender exclusion list

      • UeIHkHBjFt.exe (PID: 1568)
      • WindowsAutHost (PID: 7728)
    • Uninstalls Malicious Software Removal Tool (MRT)

      • cmd.exe (PID: 668)
      • cmd.exe (PID: 7944)
    • Application was injected by another process

      • svchost.exe (PID: 468)
      • svchost.exe (PID: 1044)
      • svchost.exe (PID: 1416)
      • svchost.exe (PID: 1232)
      • svchost.exe (PID: 1252)
      • lsass.exe (PID: 756)
      • svchost.exe (PID: 1288)
      • svchost.exe (PID: 1352)
      • svchost.exe (PID: 1524)
      • svchost.exe (PID: 1904)
      • svchost.exe (PID: 1260)
      • svchost.exe (PID: 1652)
      • svchost.exe (PID: 1552)
      • svchost.exe (PID: 1772)
      • svchost.exe (PID: 1792)
      • svchost.exe (PID: 1980)
      • svchost.exe (PID: 1784)
      • svchost.exe (PID: 1892)
      • svchost.exe (PID: 2292)
      • svchost.exe (PID: 2196)
      • svchost.exe (PID: 2396)
      • svchost.exe (PID: 2172)
      • svchost.exe (PID: 2068)
      • svchost.exe (PID: 2448)
      • svchost.exe (PID: 1988)
      • svchost.exe (PID: 2536)
      • svchost.exe (PID: 1444)
      • spoolsv.exe (PID: 2732)
      • svchost.exe (PID: 2544)
      • svchost.exe (PID: 2624)
      • svchost.exe (PID: 2932)
      • svchost.exe (PID: 2584)
      • svchost.exe (PID: 2776)
      • svchost.exe (PID: 3104)
      • svchost.exe (PID: 3184)
      • svchost.exe (PID: 3084)
      • svchost.exe (PID: 2920)
      • OfficeClickToRun.exe (PID: 3112)
      • svchost.exe (PID: 2880)
      • svchost.exe (PID: 3812)
      • svchost.exe (PID: 3284)
      • svchost.exe (PID: 3564)
      • svchost.exe (PID: 3216)
      • svchost.exe (PID: 3232)
      • svchost.exe (PID: 3196)
      • svchost.exe (PID: 3860)
      • dasHost.exe (PID: 3012)
      • svchost.exe (PID: 4312)
      • dllhost.exe (PID: 5880)
      • svchost.exe (PID: 4508)
      • svchost.exe (PID: 860)
      • MoUsoCoreWorker.exe (PID: 5496)
      • svchost.exe (PID: 4292)
      • svchost.exe (PID: 2112)
      • svchost.exe (PID: 6024)
      • svchost.exe (PID: 4952)
      • dllhost.exe (PID: 6896)
      • svchost.exe (PID: 1572)
      • uhssvc.exe (PID: 648)
      • sihost.exe (PID: 4984)
      • winlogon.exe (PID: 6648)
      • dwm.exe (PID: 6568)
      • svchost.exe (PID: 4544)
      • RuntimeBroker.exe (PID: 6160)
      • svchost.exe (PID: 6608)
      • explorer.exe (PID: 5492)
      • ApplicationFrameHost.exe (PID: 6952)
      • svchost.exe (PID: 2996)
      • svchost.exe (PID: 1684)
      • svchost.exe (PID: 4916)
      • UserOOBEBroker.exe (PID: 1248)
      • svchost.exe (PID: 4684)
      • svchost.exe (PID: 2616)
      • svchost.exe (PID: 6180)
      • audiodg.exe (PID: 6168)
      • svchost.exe (PID: 3956)
      • RuntimeBroker.exe (PID: 1036)
      • RuntimeBroker.exe (PID: 5368)
      • ctfmon.exe (PID: 956)
      • svchost.exe (PID: 6544)
      • dllhost.exe (PID: 6176)
      • svchost.exe (PID: 4348)
      • RuntimeBroker.exe (PID: 3032)
      • svchost.exe (PID: 4408)
      • SppExtComObj.Exe (PID: 5404)
      • WmiPrvSE.exe (PID: 2644)
      • WmiPrvSE.exe (PID: 6656)
      • svchost.exe (PID: 5592)
      • slui.exe (PID: 3240)
      • svchost.exe (PID: 6036)
      • svchost.exe (PID: 4336)
    • Runs injected code in another process

      • dialer.exe (PID: 1616)
      • dialer.exe (PID: 3620)
    • Vulnerable driver has been detected

      • WindowsAutHost (PID: 7728)
    • MINER has been detected (SURICATA)

      • svchost.exe (PID: 2196)
      • dialer.exe (PID: 6752)
    • XMRIG has been detected (YARA)

      • dialer.exe (PID: 6752)
  • SUSPICIOUS

    • Uses RUNDLL32.EXE to load library

      • explorer.exe (PID: 5492)
    • Application launched itself

      • rundll32.exe (PID: 1660)
      • UjyjtqNYJp.exe (PID: 3676)
    • Executes application which crashes

      • rundll32.exe (PID: 1660)
    • The process creates files with name similar to system file names

      • WerFault.exe (PID: 6656)
    • Checks for external IP

      • rundll32.exe (PID: 1188)
      • svchost.exe (PID: 2196)
    • Connects to unusual port

      • rundll32.exe (PID: 1188)
    • Potential Corporate Privacy Violation

      • rundll32.exe (PID: 1188)
      • dialer.exe (PID: 6752)
    • Process requests binary or script from the Internet

      • rundll32.exe (PID: 1188)
    • Executable content was dropped or overwritten

      • rundll32.exe (PID: 1188)
      • UeIHkHBjFt.exe (PID: 1568)
      • WindowsAutHost (PID: 7728)
    • Contacting a server suspected of hosting a CnC

      • svchost.exe (PID: 2196)
      • MSBuild.exe (PID: 2236)
    • Reads security settings of Internet Explorer

      • UjyjtqNYJp.exe (PID: 3676)
    • Reads the date of Windows installation

      • UjyjtqNYJp.exe (PID: 3676)
      • UjyjtqNYJp.exe (PID: 6744)
    • There is functionality for taking screenshot (YARA)

      • MSBuild.exe (PID: 2236)
    • Starts POWERSHELL.EXE for commands execution

      • UeIHkHBjFt.exe (PID: 6476)
      • UeIHkHBjFt.exe (PID: 1568)
      • WindowsAutHost (PID: 7728)
    • Starts process via Powershell

      • powershell.exe (PID: 4212)
    • Manipulates environment variables

      • powershell.exe (PID: 4180)
      • powershell.exe (PID: 7760)
    • Script adds exclusion path to Windows Defender

      • UeIHkHBjFt.exe (PID: 1568)
      • WindowsAutHost (PID: 7728)
    • Stops a currently running service

      • sc.exe (PID: 6988)
      • sc.exe (PID: 3332)
      • sc.exe (PID: 2772)
      • sc.exe (PID: 5352)
      • sc.exe (PID: 6252)
      • sc.exe (PID: 7952)
      • sc.exe (PID: 7616)
      • sc.exe (PID: 2240)
      • sc.exe (PID: 8048)
      • sc.exe (PID: 8144)
      • sc.exe (PID: 5744)
    • Script adds exclusion extension to Windows Defender

      • UeIHkHBjFt.exe (PID: 1568)
      • WindowsAutHost (PID: 7728)
    • Starts CMD.EXE for commands execution

      • UeIHkHBjFt.exe (PID: 1568)
      • WindowsAutHost (PID: 7728)
    • Process uninstalls Windows update

      • wusa.exe (PID: 1012)
      • wusa.exe (PID: 8084)
    • Starts SC.EXE for service management

      • UeIHkHBjFt.exe (PID: 1568)
      • WindowsAutHost (PID: 7728)
    • Searches for installed software

      • MSBuild.exe (PID: 2236)
    • Modifies hosts file to alter network resolution

      • UeIHkHBjFt.exe (PID: 1568)
      • WindowsAutHost (PID: 7728)
    • Creates a new Windows service

      • sc.exe (PID: 2984)
    • Uses powercfg.exe to modify the power settings

      • UeIHkHBjFt.exe (PID: 1568)
      • WindowsAutHost (PID: 7728)
    • Windows service management via SC.EXE

      • sc.exe (PID: 1040)
      • sc.exe (PID: 7624)
    • Executes as Windows Service

      • WindowsAutHost (PID: 7728)
    • Drops a system driver (possible attempt to evade defenses)

      • WindowsAutHost (PID: 7728)
    • Crypto Currency Mining Activity Detected

      • svchost.exe (PID: 2196)
    • The process checks if it is being run in the virtual environment

      • UjyjtqNYJp.exe (PID: 6744)
  • INFO

    • Creates files in the program directory

      • svchost.exe (PID: 4408)
      • UeIHkHBjFt.exe (PID: 1568)
      • MoUsoCoreWorker.exe (PID: 5496)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 5492)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 6656)
    • Reads the software policy settings

      • lsass.exe (PID: 756)
      • rundll32.exe (PID: 1188)
      • MSBuild.exe (PID: 2236)
      • slui.exe (PID: 3240)
      • slui.exe (PID: 8024)
    • Checks supported languages

      • jPTV9jsIUp.exe (PID: 4180)
      • MSBuild.exe (PID: 2236)
      • UjyjtqNYJp.exe (PID: 3676)
      • UjyjtqNYJp.exe (PID: 6744)
      • UeIHkHBjFt.exe (PID: 6476)
      • UeIHkHBjFt.exe (PID: 1568)
      • WindowsAutHost (PID: 7728)
      • uhssvc.exe (PID: 648)
    • Creates files in a temporary directory

      • rundll32.exe (PID: 1188)
    • Reads the computer name

      • MSBuild.exe (PID: 2236)
      • UjyjtqNYJp.exe (PID: 3676)
      • UjyjtqNYJp.exe (PID: 6744)
    • Reads the machine GUID from the registry

      • MSBuild.exe (PID: 2236)
    • Process checks computer location settings

      • UjyjtqNYJp.exe (PID: 3676)
    • Reads Windows Product ID

      • WmiPrvSE.exe (PID: 6656)
    • The executable file from the user directory is run by the Powershell process

      • UeIHkHBjFt.exe (PID: 1568)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4180)
      • powershell.exe (PID: 7760)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 4180)
      • powershell.exe (PID: 7760)
    • The sample was compiled with Japanese language support

      • WindowsAutHost (PID: 7728)
    • UPX packer has been detected

      • dialer.exe (PID: 6752)
    • Checks proxy server information

      • slui.exe (PID: 8024)
    • Reads Microsoft Office registry keys

      • OfficeClickToRun.exe (PID: 3112)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Lumma

Process: MSBuild.exe (PID: 2236)
C2 (9):
onehunqpom.life/zpxd
narrathfpt.top/tekq
featurlyin.top/pdal
overcovtcg.top/juhd
laminaflbx.shop/twoq
cornerdurv.top/adwq
posseswsnc.top/akds
jackthyfuc.run/xpas
blackswmxc.top/bgry
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:17 10:10:42+00:00
ImageFileCharacteristics: Executable, Large address aware, DLL
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 298496
InitializedDataSize: 415744
UninitializedDataSize: -
EntryPoint: 0x2a88
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
198
Monitored processes
163
Malicious processes
100
Suspicious processes
2

Behavior graph


Process information

PID
CMD
Path
Indicators
Parent process
PID: 468
CMD: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p -s LSM
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\lsm.dll
c:\windows\system32\msvcrt.dll
PID: 648
CMD: "C:\Program Files\Microsoft Update Health Tools\uhssvc.exe"
Path: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Update Health Service
Version: 10.0.19041.3626 (WinBuild.160101.0800)
Modules
Images
c:\program files\microsoft update health tools\uhssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
PID: 668
CMD: C:\WINDOWS\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Path: C:\Windows\System32\cmd.exe
Parent process: UeIHkHBjFt.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 87
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 736
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 756
CMD: C:\WINDOWS\system32\lsass.exe
Path: C:\Windows\System32\lsass.exe
Parent process: wininit.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Local Security Authority Process
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\lsass.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lsasrv.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sechost.dll
PID: 780
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 812
CMD: C:\WINDOWS\system32\powercfg.exe /x -standby-timeout-ac 0
Path: C:\Windows\System32\powercfg.exe
Parent process: UeIHkHBjFt.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Power Settings Command-Line Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\powrprof.dll
PID: 860
CMD: C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: LOCAL SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 900
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powercfg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 956
CMD: "ctfmon.exe"
Path: C:\Windows\System32\ctfmon.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: CTF Loader
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ctfmon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctfmonitor.dll
c:\windows\system32\msctf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
Total events
40 373
Read events
40 213
Write events
117
Delete events
43

Modification events

(PID) Process: (5492) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation: write
Name: CheckSetting
Value: 23004100430042006C006F00620000000000000000000000010000004400000044000000
(PID) Process: (5492) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation: write
Name: IconLayouts
Value:
(PID) Process: (5492) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation: write
Name: IconNameVersion
Value: 1
(PID) Process: (5492) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation: write
Name: LastUpdate
Value: 2B80286800000000
(PID) Process: (3284) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FTH
Operation: write
Name: CheckPointTime
Value: 223199305
(PID) Process: (956) ctfmon.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Input\TypingInsights
Operation: write
Name: Insights
Value: 02000000071DE8C131CC8360A3D6D9C1330A686B165ABA2E235F5A5C
(PID) Process: (1260) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsUpdate\RUXIM
Operation: write
Name: SD
Value: 0100049C5C000000680000000000000014000000020048000300000000001400FF011F0001010000000000051200000000001400A900120001010000000000051300000000001800A900120001020000000000052000000020020000010100000000000512000000010100000000000512000000
(PID) Process: (1260) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsUpdate\RUXIM\PLUGScheduler
Operation: write
Name: Index
Value: 2
(PID) Process: (1260) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6C5B5846-5719-4E9F-A370-765D876DB0EF}
Operation: write
Name: Hash
Value: 616EF862EC8F7E8ED858D89898FB22EF900ABC366B1E9928E10AF3530ADF5430
(PID) Process: (1260) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6C5B5846-5719-4E9F-A370-765D876DB0EF}
Operation: write
Name: Schema
Value: 65540
Executable files
5
Suspicious files
41
Text files
12
Unknown types
0

Dropped files

PID | Process | Filename | Type
6656 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_VBo_548e252fecf521961740fa78c6abc8ae9ddf49dc_0729c91a_9caedc33-71f0-4121-9fc9-c79c4ff31f9c\Report.wer |
MD5:
SHA256:
6656 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERC611.tmp.dmp | binary
MD5: 8DEAA7CB072F678623EA8BABABDF0E48
SHA256: C1BA08BECAB94F3E290703A64A3C8B590726B481321129CDEF3D977EA0172C04
4408 | svchost.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERC6FB.tmp.csv | binary
MD5: 56156567F0A789C510B1BB57DB2F21CF
SHA256: C0BCFB7CF8868753D5C6A3C9452AD7534F8B56815A85F2B00367BC7E00441933
6656 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\rundll32.exe.1660.dmp | binary
MD5: 099AC8478B294AC4DF1E7F441011AC21
SHA256: 9918171C6BADB9EFE51EDD65154C924E9F573DAE5B4C1EE9CBF432AABB2B15AE
1772 | svchost.exe | C:\Windows\Prefetch\HOST.EXE-F5D74C61.pf | binary
MD5: 57D276F0241E2EC13599051CB5CC66F1
SHA256: 44DAD04FD73BDD33075FE4830B34D7650630E29E9A2C1ABBCDB71634062BC3A9
6656 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERC6EE.tmp.xml | xml
MD5: 33A6D1263442B57BEEE9669E5FC60CA1
SHA256: FD83E5BE38983AB055D9AEA8CA5D1FD13C018D1BD6A4295E444F63A5E835FBE3
1772 | svchost.exe | C:\Windows\Prefetch\UPFC.EXE-BDDF79D6.pf | binary
MD5: 4E786FBA71088CEC087206A9E192F47C
SHA256: 9885C70B4064FE0D87FF9B4F7329C060D83D44C9774BB8FECF54943DDC562024
4408 | svchost.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERC72B.tmp.txt | binary
MD5: 591D2B9E931A652664696A57138B26CB
SHA256: 8F18266D0C03559C7575F6BAF790C76ECAC61351550B58D52646336E9B524132
1188 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\jPTV9jsIUp.exe | executable
MD5: 4EC27B28DE0DAABEDC8C0D4BF6AD026E
SHA256: 1775B560823AE6C6D01C712B25B87FE7B3375A2A81F36B1CEC6EA0B84D27597C
1772 | svchost.exe | C:\Windows\Prefetch\RUNDLL32.EXE-54B82F22.pf | binary
MD5: 2F50E6CBDCAA848F74B86E5F369BC39D
SHA256: 581382EA3122D846FFF79B2DCB99EDEB962775773F80B3355F2AE84E6993C636
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
36
DNS requests
17
Threats
31

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4212 | RUXIMICS.exe | GET | 200 | 23.48.23.167:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
1188 | rundll32.exe | POST | 200 | 185.100.157.137:7999 | http://185.100.157.137:7999/collect1 | unknown | | | unknown
1188 | rundll32.exe | GET | 200 | 45.150.34.140:80 | http://xabanak.online/ptcgvr/1.exe | unknown | | | malicious
4212 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
1188 | rundll32.exe | GET | 200 | 45.150.34.140:80 | http://xabanak.online/ptcgvr/11.exe | unknown | | | malicious
1188 | rundll32.exe | GET | 200 | 45.150.34.140:80 | http://xabanak.online/ptcgvr/111.exe | unknown | | | malicious
1188 | rundll32.exe | GET | 404 | 45.150.34.140:80 | http://xabanak.online/ptcgvr/1111.exe | unknown | | | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
4212 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
| | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
| | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1188 | rundll32.exe | 104.26.12.205:443 | api.ipify.org | CLOUDFLARENET | US | shared
4212 | RUXIMICS.exe | 23.48.23.167:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1188 | rundll32.exe | 185.100.157.137:7999 | | LLC Digital Network | TR | unknown
4212 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1188 | rundll32.exe | 45.150.34.140:80 | xabanak.online | CLOUD-SOUTH | GB | malicious

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 216.58.206.78
whitelisted
api.ipify.org
  • 104.26.12.205
  • 104.26.13.205
  • 172.67.74.152
shared
crl.microsoft.com
  • 23.48.23.167
  • 23.48.23.194
  • 23.48.23.141
  • 23.48.23.164
  • 23.48.23.145
  • 23.48.23.173
  • 23.48.23.156
  • 23.48.23.166
  • 23.48.23.147
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
xabanak.online
  • 45.150.34.140
malicious
cornerdurv.top
  • 104.21.48.1
  • 104.21.32.1
  • 104.21.64.1
  • 104.21.112.1
  • 104.21.16.1
  • 104.21.96.1
  • 104.21.80.1
unknown
narrathfpt.top
  • 104.21.83.105
  • 172.67.222.194
unknown
jackthyfuc.run
  • 104.21.77.252
  • 172.67.214.17
unknown
onehunqpom.life
  • 172.67.215.238
  • 104.21.16.209
unknown

Threats

PID | Process | Class | Message
2196 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
1188 | rundll32.exe | Misc activity | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
1188 | rundll32.exe | Potential Corporate Privacy Violation | ET INFO Possible IP Check api.ipify.org
| | Potential Corporate Privacy Violation | ET INFO External IP Lookup (ipify .org)
1188 | rundll32.exe | A Network Trojan was detected | ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
1188 | rundll32.exe | A Network Trojan was detected | ET MALWARE Single char EXE direct download likely trojan (multiple families)
1188 | rundll32.exe | Potentially Bad Traffic | ET HUNTING Request for EXE via WinHTTP M2
1188 | rundll32.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
1188 | rundll32.exe | Misc activity | ET INFO Packed Executable Download
1188 | rundll32.exe | Potentially Bad Traffic | ET HUNTING Request for EXE via WinHTTP M2
No debug info