File name: VBoxRT.dll

Full analysis: https://app.any.run/tasks/1fae822a-de43-4d24-8870-86d7299b1e5c
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 17, 2025, 12:25:05
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
lumma
stealer
loader
miner
winring0x64-sys
vuln-driver
upx
xmrig
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (DLL) (GUI) x86-64, for MS Windows, 6 sections
MD5: FDEA446B7C4D6C4BAA4825BBC117808E
SHA1: F37A14CF36BE8C997F7212959EF77E5DC7245112
SHA256: 6DC5ABB6139D7B4EB85060B5FDDA557D4D5CC9643C469382AF7603F34C0C7172
SSDEEP: 24576:GNDP8D0S9CuSg2JBV/sWBzJN4k9ZU50w:GNDP8D0S9CuSg2JBV/sWBzJN4k9ZU50

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2196)
      • MSBuild.exe (PID: 2236)
    • Connects to the CnC server

      • svchost.exe (PID: 2196)
      • dialer.exe (PID: 6752)
    • LUMMA mutex has been found

      • MSBuild.exe (PID: 2236)
    • Actions look like stealing of personal data

      • MSBuild.exe (PID: 2236)
    • Adds extension to the Windows Defender exclusion list

      • UeIHkHBjFt.exe (PID: 1568)
      • WindowsAutHost (PID: 7728)
    • Changes Windows Defender settings

      • UeIHkHBjFt.exe (PID: 1568)
      • WindowsAutHost (PID: 7728)
    • LUMMA has been detected (YARA)

      • MSBuild.exe (PID: 2236)
    • Steals credentials from Web Browsers

      • MSBuild.exe (PID: 2236)
    • Uninstalls Malicious Software Removal Tool (MRT)

      • cmd.exe (PID: 668)
      • cmd.exe (PID: 7944)
    • Application was injected by another process

      • svchost.exe (PID: 1232)
      • svchost.exe (PID: 468)
      • svchost.exe (PID: 1044)
      • svchost.exe (PID: 1352)
      • svchost.exe (PID: 1416)
      • svchost.exe (PID: 1524)
      • svchost.exe (PID: 1444)
      • svchost.exe (PID: 1260)
      • svchost.exe (PID: 2292)
      • svchost.exe (PID: 1652)
      • svchost.exe (PID: 1552)
      • svchost.exe (PID: 1772)
      • svchost.exe (PID: 1792)
      • svchost.exe (PID: 1892)
      • svchost.exe (PID: 1784)
      • svchost.exe (PID: 1904)
      • svchost.exe (PID: 2196)
      • lsass.exe (PID: 756)
      • svchost.exe (PID: 1252)
      • svchost.exe (PID: 1288)
      • svchost.exe (PID: 2068)
      • svchost.exe (PID: 1988)
      • svchost.exe (PID: 2536)
      • svchost.exe (PID: 2448)
      • svchost.exe (PID: 2584)
      • svchost.exe (PID: 2776)
      • svchost.exe (PID: 2544)
      • svchost.exe (PID: 2624)
      • svchost.exe (PID: 2932)
      • svchost.exe (PID: 1980)
      • svchost.exe (PID: 2396)
      • svchost.exe (PID: 2172)
      • spoolsv.exe (PID: 2732)
      • svchost.exe (PID: 3284)
      • svchost.exe (PID: 3216)
      • dasHost.exe (PID: 3012)
      • svchost.exe (PID: 3196)
      • OfficeClickToRun.exe (PID: 3112)
      • svchost.exe (PID: 2920)
      • svchost.exe (PID: 3812)
      • svchost.exe (PID: 2880)
      • svchost.exe (PID: 3104)
      • svchost.exe (PID: 3184)
      • svchost.exe (PID: 3084)
      • svchost.exe (PID: 860)
      • svchost.exe (PID: 4508)
      • svchost.exe (PID: 3564)
      • svchost.exe (PID: 3232)
      • svchost.exe (PID: 3860)
      • svchost.exe (PID: 4312)
      • dllhost.exe (PID: 5880)
      • svchost.exe (PID: 2996)
      • svchost.exe (PID: 1684)
      • dllhost.exe (PID: 6896)
      • svchost.exe (PID: 6024)
      • dwm.exe (PID: 6568)
      • uhssvc.exe (PID: 648)
      • sihost.exe (PID: 4984)
      • winlogon.exe (PID: 6648)
      • svchost.exe (PID: 4544)
      • explorer.exe (PID: 5492)
      • svchost.exe (PID: 4952)
      • svchost.exe (PID: 6608)
      • RuntimeBroker.exe (PID: 1036)
      • RuntimeBroker.exe (PID: 6160)
      • ApplicationFrameHost.exe (PID: 6952)
      • MoUsoCoreWorker.exe (PID: 5496)
      • svchost.exe (PID: 4292)
      • svchost.exe (PID: 2112)
      • svchost.exe (PID: 1572)
      • dllhost.exe (PID: 6176)
      • svchost.exe (PID: 6544)
      • svchost.exe (PID: 2616)
      • svchost.exe (PID: 4348)
      • UserOOBEBroker.exe (PID: 1248)
      • svchost.exe (PID: 4684)
      • svchost.exe (PID: 6180)
      • svchost.exe (PID: 4916)
      • RuntimeBroker.exe (PID: 3032)
      • audiodg.exe (PID: 6168)
      • svchost.exe (PID: 3956)
      • svchost.exe (PID: 5592)
      • svchost.exe (PID: 4336)
      • slui.exe (PID: 3240)
      • svchost.exe (PID: 6036)
      • SppExtComObj.Exe (PID: 5404)
      • RuntimeBroker.exe (PID: 5368)
      • ctfmon.exe (PID: 956)
      • WmiPrvSE.exe (PID: 6656)
      • WmiPrvSE.exe (PID: 2644)
      • svchost.exe (PID: 4408)
    • Runs injected code in another process

      • dialer.exe (PID: 1616)
      • dialer.exe (PID: 3620)
    • MINER has been detected (SURICATA)

      • dialer.exe (PID: 6752)
      • svchost.exe (PID: 2196)
    • XMRIG has been detected (YARA)

      • dialer.exe (PID: 6752)
    • Vulnerable driver has been detected

      • WindowsAutHost (PID: 7728)
  • SUSPICIOUS

    • Uses RUNDLL32.EXE to load library

      • explorer.exe (PID: 5492)
    • Application launched itself

      • rundll32.exe (PID: 1660)
      • UjyjtqNYJp.exe (PID: 3676)
    • Executes application which crashes

      • rundll32.exe (PID: 1660)
    • The process creates files with name similar to system file names

      • WerFault.exe (PID: 6656)
    • Executable content was dropped or overwritten

      • rundll32.exe (PID: 1188)
      • UeIHkHBjFt.exe (PID: 1568)
      • WindowsAutHost (PID: 7728)
    • Checks for external IP

      • rundll32.exe (PID: 1188)
      • svchost.exe (PID: 2196)
    • Potential Corporate Privacy Violation

      • rundll32.exe (PID: 1188)
      • dialer.exe (PID: 6752)
    • Connects to unusual port

      • rundll32.exe (PID: 1188)
    • Process requests binary or script from the Internet

      • rundll32.exe (PID: 1188)
    • Contacting a server suspected of hosting a CnC

      • svchost.exe (PID: 2196)
      • MSBuild.exe (PID: 2236)
    • Reads security settings of Internet Explorer

      • UjyjtqNYJp.exe (PID: 3676)
    • Reads the date of Windows installation

      • UjyjtqNYJp.exe (PID: 3676)
      • UjyjtqNYJp.exe (PID: 6744)
    • Starts process via Powershell

      • powershell.exe (PID: 4212)
    • Starts POWERSHELL.EXE for commands execution

      • UeIHkHBjFt.exe (PID: 1568)
      • UeIHkHBjFt.exe (PID: 6476)
      • WindowsAutHost (PID: 7728)
    • Searches for installed software

      • MSBuild.exe (PID: 2236)
    • Script adds exclusion path to Windows Defender

      • UeIHkHBjFt.exe (PID: 1568)
      • WindowsAutHost (PID: 7728)
    • Manipulates environment variables

      • powershell.exe (PID: 4180)
      • powershell.exe (PID: 7760)
    • Script adds exclusion extension to Windows Defender

      • UeIHkHBjFt.exe (PID: 1568)
      • WindowsAutHost (PID: 7728)
    • There is functionality for taking screenshot (YARA)

      • MSBuild.exe (PID: 2236)
    • Starts CMD.EXE for commands execution

      • UeIHkHBjFt.exe (PID: 1568)
      • WindowsAutHost (PID: 7728)
    • Process uninstalls Windows update

      • wusa.exe (PID: 1012)
      • wusa.exe (PID: 8084)
    • Stops a currently running service

      • sc.exe (PID: 3332)
      • sc.exe (PID: 6988)
      • sc.exe (PID: 5352)
      • sc.exe (PID: 6252)
      • sc.exe (PID: 2772)
      • sc.exe (PID: 7616)
      • sc.exe (PID: 8144)
      • sc.exe (PID: 5744)
      • sc.exe (PID: 2240)
      • sc.exe (PID: 7952)
      • sc.exe (PID: 8048)
    • Modifies hosts file to alter network resolution

      • UeIHkHBjFt.exe (PID: 1568)
      • WindowsAutHost (PID: 7728)
    • Starts SC.EXE for service management

      • UeIHkHBjFt.exe (PID: 1568)
      • WindowsAutHost (PID: 7728)
    • Uses powercfg.exe to modify the power settings

      • UeIHkHBjFt.exe (PID: 1568)
      • WindowsAutHost (PID: 7728)
    • Windows service management via SC.EXE

      • sc.exe (PID: 1040)
      • sc.exe (PID: 7624)
    • Creates a new Windows service

      • sc.exe (PID: 2984)
    • Executes as Windows Service

      • WindowsAutHost (PID: 7728)
    • Crypto Currency Mining Activity Detected

      • svchost.exe (PID: 2196)
    • The process checks if it is being run in the virtual environment

      • UjyjtqNYJp.exe (PID: 6744)
    • Drops a system driver (possible attempt to evade defenses)

      • WindowsAutHost (PID: 7728)
  • INFO

    • Creates files in the program directory

      • svchost.exe (PID: 4408)
      • UeIHkHBjFt.exe (PID: 1568)
      • MoUsoCoreWorker.exe (PID: 5496)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 5492)
    • Reads the software policy settings

      • lsass.exe (PID: 756)
      • rundll32.exe (PID: 1188)
      • MSBuild.exe (PID: 2236)
      • slui.exe (PID: 3240)
      • slui.exe (PID: 8024)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 6656)
    • Creates files in a temporary directory

      • rundll32.exe (PID: 1188)
    • Checks supported languages

      • jPTV9jsIUp.exe (PID: 4180)
      • MSBuild.exe (PID: 2236)
      • UjyjtqNYJp.exe (PID: 3676)
      • UjyjtqNYJp.exe (PID: 6744)
      • UeIHkHBjFt.exe (PID: 1568)
      • UeIHkHBjFt.exe (PID: 6476)
      • uhssvc.exe (PID: 648)
      • WindowsAutHost (PID: 7728)
    • Reads the computer name

      • MSBuild.exe (PID: 2236)
      • UjyjtqNYJp.exe (PID: 3676)
      • UjyjtqNYJp.exe (PID: 6744)
    • Process checks computer location settings

      • UjyjtqNYJp.exe (PID: 3676)
    • Reads the machine GUID from the registry

      • MSBuild.exe (PID: 2236)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 4180)
      • powershell.exe (PID: 7760)
    • The executable file from the user directory is run by the Powershell process

      • UeIHkHBjFt.exe (PID: 1568)
    • Reads Windows Product ID

      • WmiPrvSE.exe (PID: 6656)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4180)
      • powershell.exe (PID: 7760)
    • UPX packer has been detected

      • dialer.exe (PID: 6752)
    • The sample was compiled with Japanese language support

      • WindowsAutHost (PID: 7728)
    • Reads Microsoft Office registry keys

      • OfficeClickToRun.exe (PID: 3112)
    • Checks proxy server information

      • slui.exe (PID: 8024)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Lumma

Process: MSBuild.exe (PID 2236)
C2 (9):
  • onehunqpom.life/zpxd
  • narrathfpt.top/tekq
  • featurlyin.top/pdal
  • overcovtcg.top/juhd
  • laminaflbx.shop/twoq
  • cornerdurv.top/adwq
  • posseswsnc.top/akds
  • jackthyfuc.run/xpas
  • blackswmxc.top/bgry
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:17 10:10:42+00:00
ImageFileCharacteristics: Executable, Large address aware, DLL
PEType: PE32+
LinkerVersion: 14.43
CodeSize: 298496
InitializedDataSize: 415744
UninitializedDataSize: -
EntryPoint: 0x2a88
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 198
Monitored processes: 163
Malicious processes: 100
Suspicious processes: 2

Behavior graph

[Interactive process graph, not reproduced here. Nodes flagged in the graph: msbuild.exe (#LUMMA), svchost.exe (#LUMMA), windowsauthost (THREAT), dialer.exe (#MINER).]

Process information

PID: 468
CMD: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p -s LSM
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\lsm.dll
c:\windows\system32\msvcrt.dll
PID: 648
CMD: "C:\Program Files\Microsoft Update Health Tools\uhssvc.exe"
Path: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Update Health Service
Version: 10.0.19041.3626 (WinBuild.160101.0800)
Modules (images):
c:\program files\microsoft update health tools\uhssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
PID: 668
CMD: C:\WINDOWS\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Path: C:\Windows\System32\cmd.exe
Parent process: UeIHkHBjFt.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 87
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 736
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 756
CMD: C:\WINDOWS\system32\lsass.exe
Path: C:\Windows\System32\lsass.exe
Parent process: wininit.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Local Security Authority Process
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\lsass.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lsasrv.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sechost.dll
PID: 780
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 812
CMD: C:\WINDOWS\system32\powercfg.exe /x -standby-timeout-ac 0
Path: C:\Windows\System32\powercfg.exe
Parent process: UeIHkHBjFt.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Power Settings Command-Line Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\powrprof.dll
PID: 860
CMD: C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: LOCAL SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 900
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powercfg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 956
CMD: "ctfmon.exe"
Path: C:\Windows\System32\ctfmon.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: CTF Loader
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\ctfmon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msctfmonitor.dll
c:\windows\system32\msctf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
Total events: 40 373
Read events: 40 213
Write events: 117
Delete events: 43

Modification events

Process: explorer.exe (PID 5492)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation: write
Name: CheckSetting
Value:
23004100430042006C006F00620000000000000000000000010000004400000044000000
Process: explorer.exe (PID 5492)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation: write
Name: IconLayouts
Value:
0000000000000000000000000000000003000100010001000F000000000000002C000000000000003A003A007B00360034003500460046003000340030002D0035003000380031002D0031003000310042002D0039004600300038002D003000300041004100300030003200460039003500340045007D003E002000200000001000000000000000430043006C00650061006E00650072002E006C006E006B003E0020007C0000001500000000000000410064006F006200650020004100630072006F006200610074002E006C006E006B003E0020007C0000000F00000000000000460069007200650066006F0078002E006C006E006B003E0020007C000000150000000000000047006F006F0067006C00650020004300680072006F006D0065002E006C006E006B003E0020007C000000180000000000000056004C00430020006D006500640069006100200070006C0061007900650072002E006C006E006B003E0020007C00000016000000000000004D006900630072006F0073006F0066007400200045006400670065002E006C006E006B003E0020007C0000000D0000000000000053006B007900700065002E006C006E006B003E0020007C000000110000000000000064006500620074006700720061006E0064002E0070006E0067003E00200020000000180000000000000069006E0069007400690061006C00640065007400650072006D0069006E0065002E007200740066003E0020002000000014000000000000006C006F006E0064006F006E0075006E0069007400650064002E0070006E0067003E0020002000000015000000000000007000610079006D0065006E007400720065006E00740061006C002E007200740066003E002000200000001300000000000000700072006100630074006900630065006200750074002E007200740066003E0020002000000012000000000000007400680065006F00720079007400650072006D002E0070006E0067003E002000200000000E00000000000000560042006F007800520054002E0064006C006C003E00200020000000010000000000000002000100000000000000000001000000000000000200010000000000000000001100000006000000010000000F00000000000000000000000000000000000000803F0000004008000000803F0000404009000000803F000080400A000000803F0000A0400B0000000040000000000C00000000400000803F0D00000000000000803F0100000000000000004002000000000000004040030000000000000080400400000000000000A04005000000803F0000000006000000803F0000803F070000000040000000400E00
Process: explorer.exe (PID 5492)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation: write
Name: IconNameVersion
Value:
1
Process: explorer.exe (PID 5492)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation: write
Name: LastUpdate
Value:
2B80286800000000
Process: svchost.exe (PID 3284)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FTH
Operation: write
Name: CheckPointTime
Value:
223199305
Process: ctfmon.exe (PID 956)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Input\TypingInsights
Operation: write
Name: Insights
Value:
02000000071DE8C131CC8360A3D6D9C1330A686B165ABA2E235F5A5C
Process: svchost.exe (PID 1260)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsUpdate\RUXIM
Operation: write
Name: SD
Value:
0100049C5C000000680000000000000014000000020048000300000000001400FF011F0001010000000000051200000000001400A900120001010000000000051300000000001800A900120001020000000000052000000020020000010100000000000512000000010100000000000512000000
Process: svchost.exe (PID 1260)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsUpdate\RUXIM\PLUGScheduler
Operation: write
Name: Index
Value:
2
Process: svchost.exe (PID 1260)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6C5B5846-5719-4E9F-A370-765D876DB0EF}
Operation: write
Name: Hash
Value:
616EF862EC8F7E8ED858D89898FB22EF900ABC366B1E9928E10AF3530ADF5430
Process: svchost.exe (PID 1260)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6C5B5846-5719-4E9F-A370-765D876DB0EF}
Operation: write
Name: Schema
Value:
65540
Executable files: 5
Suspicious files: 41
Text files: 12
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6656 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_VBo_548e252fecf521961740fa78c6abc8ae9ddf49dc_0729c91a_9caedc33-71f0-4121-9fc9-c79c4ff31f9c\Report.wer | -
MD5: -
SHA256: -
4408 | svchost.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERC6FB.tmp.csv | binary
MD5: 56156567F0A789C510B1BB57DB2F21CF
SHA256: C0BCFB7CF8868753D5C6A3C9452AD7534F8B56815A85F2B00367BC7E00441933
6656 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERC6EE.tmp.xml | xml
MD5: 33A6D1263442B57BEEE9669E5FC60CA1
SHA256: FD83E5BE38983AB055D9AEA8CA5D1FD13C018D1BD6A4295E444F63A5E835FBE3
4408 | svchost.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERC72B.tmp.txt | binary
MD5: 591D2B9E931A652664696A57138B26CB
SHA256: 8F18266D0C03559C7575F6BAF790C76ECAC61351550B58D52646336E9B524132
6656 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\rundll32.exe.1660.dmp | binary
MD5: 099AC8478B294AC4DF1E7F441011AC21
SHA256: 9918171C6BADB9EFE51EDD65154C924E9F573DAE5B4C1EE9CBF432AABB2B15AE
6656 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERC69E.tmp.WERInternalMetadata.xml | binary
MD5: 235D1B778E9F6E636DBF971E2473E0CF
SHA256: 9E51CD4B22095F531047ECE51E1E1684ABBE31F02A2B7E2A857DD231570D14B1
6656 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERC611.tmp.dmp | binary
MD5: 8DEAA7CB072F678623EA8BABABDF0E48
SHA256: C1BA08BECAB94F3E290703A64A3C8B590726B481321129CDEF3D977EA0172C04
1772 | svchost.exe | C:\Windows\Prefetch\WERFAULT.EXE-E69F695A.pf | binary
MD5: C9B7F006580BF4BA9B195A74C4958FF0
SHA256: B540B8F2D2F50B0DA83C85A551EBA88006431A5DCF8DF4F13B923333A6334F0B
5492 | explorer.exe | C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat | binary
MD5: E49C56350AEDF784BFE00E444B879672
SHA256: A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E
1772 | svchost.exe | C:\Windows\Prefetch\SLUI.EXE-724E99D9.pf | binary
MD5: 745C7F3EB9BBD85D9CE18F350AA16B17
SHA256: C53E37122200E976D513C57A2EDF823332987FD3FBB32F769E24B34F61737DC1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 36
DNS requests: 17
Threats: 31

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4212 | RUXIMICS.exe | GET | 200 | 23.48.23.167:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1188 | rundll32.exe | POST | 200 | 185.100.157.137:7999 | http://185.100.157.137:7999/collect1 | unknown | - | - | unknown
4212 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1188 | rundll32.exe | GET | 200 | 45.150.34.140:80 | http://xabanak.online/ptcgvr/1.exe | unknown | - | - | malicious
1188 | rundll32.exe | GET | 200 | 45.150.34.140:80 | http://xabanak.online/ptcgvr/11.exe | unknown | - | - | malicious
1188 | rundll32.exe | GET | 404 | 45.150.34.140:80 | http://xabanak.online/ptcgvr/1111.exe | unknown | - | - | malicious
1188 | rundll32.exe | GET | 200 | 45.150.34.140:80 | http://xabanak.online/ptcgvr/111.exe | unknown | - | - | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4212 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1188 | rundll32.exe | 104.26.12.205:443 | api.ipify.org | CLOUDFLARENET | US | shared
4212 | RUXIMICS.exe | 23.48.23.167:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1188 | rundll32.exe | 185.100.157.137:7999 | - | LLC Digital Network | TR | unknown
4212 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1188 | rundll32.exe | 45.150.34.140:80 | xabanak.online | CLOUD-SOUTH | GB | malicious

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 216.58.206.78
whitelisted
api.ipify.org
  • 104.26.12.205
  • 104.26.13.205
  • 172.67.74.152
shared
crl.microsoft.com
  • 23.48.23.167
  • 23.48.23.194
  • 23.48.23.141
  • 23.48.23.164
  • 23.48.23.145
  • 23.48.23.173
  • 23.48.23.156
  • 23.48.23.166
  • 23.48.23.147
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
xabanak.online
  • 45.150.34.140
malicious
cornerdurv.top
  • 104.21.48.1
  • 104.21.32.1
  • 104.21.64.1
  • 104.21.112.1
  • 104.21.16.1
  • 104.21.96.1
  • 104.21.80.1
unknown
narrathfpt.top
  • 104.21.83.105
  • 172.67.222.194
unknown
jackthyfuc.run
  • 104.21.77.252
  • 172.67.214.17
unknown
onehunqpom.life
  • 172.67.215.238
  • 104.21.16.209
unknown

Threats

PID | Process | Class | Message
2196 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
1188 | rundll32.exe | Misc activity | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
1188 | rundll32.exe | Potential Corporate Privacy Violation | ET INFO Possible IP Check api.ipify.org
- | - | Potential Corporate Privacy Violation | ET INFO External IP Lookup (ipify .org)
1188 | rundll32.exe | A Network Trojan was detected | ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
1188 | rundll32.exe | A Network Trojan was detected | ET MALWARE Single char EXE direct download likely trojan (multiple families)
1188 | rundll32.exe | Potentially Bad Traffic | ET HUNTING Request for EXE via WinHTTP M2
1188 | rundll32.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
1188 | rundll32.exe | Misc activity | ET INFO Packed Executable Download
1188 | rundll32.exe | Potentially Bad Traffic | ET HUNTING Request for EXE via WinHTTP M2