Malware analysis rufus-4.11p.exe Malicious activity | ANY.RUN

Add for printing

File name:	rufus-4.11p.exe
Full analysis:	https://app.any.run/tasks/732c69b1-2900-41b0-893e-0e17120b7102
Verdict:	Malicious activity
Analysis date:	December 13, 2025, 16:27:39
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	github upx
Indicators:
MD5:	5B86D4F2CE7D2AB212914C634D20F714
SHA1:	FD96FD51231E449678D71C7A5F8A2308B1C88375
SHA256:	ABBF04D50A44A9612C027FC8072F6DA67F5BCDA2B826F1F852C9C24D7A1FCDFF
SSDEEP:	98304:/tLadtyVqWVX1+JhThc5lBH9IR3/kxjcLjhs4ArFt/a6M7dMI9IDi6pBYcyXnoA2:Fg4Cly

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes the Windows auto-update feature
  - rufus-4.11p.exe (PID: 7652)
SUSPICIOUS
- Executes as Windows Service
  - vds.exe (PID: 7728)
- Reads security settings of Internet Explorer
  - rufus-4.11p.exe (PID: 7652)
INFO
- Checks supported languages
  - rufus-4.11p.exe (PID: 7652)
- Reads the computer name
  - rufus-4.11p.exe (PID: 7652)
- Reads the machine GUID from the registry
  - rufus-4.11p.exe (PID: 7652)
- Process checks whether UAC notifications are on
  - rufus-4.11p.exe (PID: 7652)
- Checks proxy server information
  - rufus-4.11p.exe (PID: 7652)
- Create files in a temporary directory
  - rufus-4.11p.exe (PID: 7652)
- UPX packer has been detected
  - rufus-4.11p.exe (PID: 7652)
- Creates files or folders in the user directory
  - rufus-4.11p.exe (PID: 7652)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

149

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

5996

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

7500

"C:\Users\admin\AppData\Local\Temp\rufus-4.11p.exe"

C:\Users\admin\AppData\Local\Temp\rufus-4.11p.exe

—

explorer.exe

User:

admin

Company:

Akeo Consulting

Integrity Level:

MEDIUM

Description:

Rufus

Exit code:

3221226540

Version:

4.11.2285

Modules

Images
c:\users\admin\appdata\local\temp\rufus-4.11p.exe
c:\windows\system32\ntdll.dll

7652

"C:\Users\admin\AppData\Local\Temp\rufus-4.11p.exe"

C:\Users\admin\AppData\Local\Temp\rufus-4.11p.exe

explorer.exe

User:

admin

Company:

Akeo Consulting

Integrity Level:

HIGH

Description:

Rufus

Version:

4.11.2285

Modules

Images
c:\users\admin\appdata\local\temp\rufus-4.11p.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

7692

C:\WINDOWS\System32\vdsldr.exe -Embedding

C:\Windows\System32\vdsldr.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Virtual Disk Service Loader

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\vdsldr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

7728

C:\WINDOWS\System32\vds.exe

C:\Windows\System32\vds.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Virtual Disk Service

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\vds.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

Add for printing

Total events

1 456

Read events

1 392

Write events

Delete events

Modification events


(PID) Process:	(7652) rufus-4.11p.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3317BA7D-29BC-432E-8B98-0EEE93EC7FB2}Machine\Software\Policies\Microsoft\AppHVSI
Operation:	write	Name:	AllowAppHVSI_ProviderSet
Value: 0
(PID) Process:	(7652) rufus-4.11p.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3317BA7D-29BC-432E-8B98-0EEE93EC7FB2}Machine\Software\Policies\Microsoft\EdgeUpdate
Operation:	write	Name:	UpdateDefault
Value: 0
(PID) Process:	(7652) rufus-4.11p.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3317BA7D-29BC-432E-8B98-0EEE93EC7FB2}Machine\Software\Policies\Microsoft\Windows\Network Connections
Operation:	write	Name:	NC_DoNotShowLocalOnlyIcon
Value: 1
(PID) Process:	(7652) rufus-4.11p.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3317BA7D-29BC-432E-8B98-0EEE93EC7FB2}Machine\Software\Policies\Microsoft\Windows\System
Operation:	write	Name:	EnableSmartScreen
Value: 0
(PID) Process:	(7652) rufus-4.11p.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3317BA7D-29BC-432E-8B98-0EEE93EC7FB2}Machine\Software\Policies\Microsoft\Windows\System
Operation:	write	Name:	**del.ShellSmartScreenLevel
Value:
(PID) Process:	(7652) rufus-4.11p.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3317BA7D-29BC-432E-8B98-0EEE93EC7FB2}Machine\Software\Policies\Microsoft\Windows\Windows Feeds
Operation:	write	Name:	EnableFeeds
Value: 0
(PID) Process:	(7652) rufus-4.11p.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3317BA7D-29BC-432E-8B98-0EEE93EC7FB2}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate
Operation:	write	Name:	WUServer
Value: http://neverupdatewindows10.com
(PID) Process:	(7652) rufus-4.11p.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3317BA7D-29BC-432E-8B98-0EEE93EC7FB2}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate
Operation:	write	Name:	WUStatusServer
Value: http://neverupdatewindows10.com
(PID) Process:	(7652) rufus-4.11p.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3317BA7D-29BC-432E-8B98-0EEE93EC7FB2}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate
Operation:	write	Name:	UpdateServiceUrlAlternate
Value: http://neverupdatewindows10.com
(PID) Process:	(7652) rufus-4.11p.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3317BA7D-29BC-432E-8B98-0EEE93EC7FB2}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate
Operation:	write	Name:	**del.FillEmptyContentUrls
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7652	rufus-4.11p.exe	C:\Users\admin\AppData\Local\Temp\rufus.ini		text
		MD5:25F951ACCB182500A1A135F7556724C3	SHA256:DEE26225B0313E2A75B3A5B75C615E67C6C20617D50C5A0C17B2A425EAD98609
7652	rufus-4.11p.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\sbat_level[1].txt		text
		MD5:56DE005EB20181CDD68ED3032AF86F60	SHA256:87E6B80F7E1DFD4C76FE0D5A0B4671265FC59BB4D25BFAC08DEA489927B58A87
7652	rufus-4.11p.exe	C:\Users\admin\AppData\Local\Temp\rufus.ini~		text
		MD5:25F951ACCB182500A1A135F7556724C3	SHA256:DEE26225B0313E2A75B3A5B75C615E67C6C20617D50C5A0C17B2A425EAD98609
7652	rufus-4.11p.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E		binary
		MD5:C484584F52D005F386C3F9ECE5A147F2	SHA256:0A9910CB508464C856E1A699E157425BE12787A2EEC2DCB535CFF11245C3016D
7652	rufus-4.11p.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\Fido[1].ver		text
		MD5:4F0A92FE2AD62C25CE054BD105D28950	SHA256:6F88D439DDBB7CEB615B7D89BE676E7961283042CF840D114CC848A5415ADE5C
7652	rufus-4.11p.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\sb_active[1].txt		text
		MD5:F9DE156D8B9211931375866FFCCE7206	SHA256:AF66D72417F654CB1C75FB6874D6694A9868257B3E1E31E8A2C1C4C39C736146
7652	rufus-4.11p.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4A52B1279D1978AD051FB954C866B901		binary
		MD5:A85F73F83100B32C252B68964A716F70	SHA256:89212A0AA8269919271820D9D21E20B4559C5F3E738E73A38D1F1D700CD8B681
7652	rufus-4.11p.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4A52B1279D1978AD051FB954C866B901		binary
		MD5:FA58DF62EF5DC32EF84F9C010337DF4B	SHA256:E564CA23B271843ED80FB5413C286AE94848EFD214D7A37CF09E3A8629458E3E
7652	rufus-4.11p.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751		binary
		MD5:7F924EAEA21BB91214FF7B4525F3BD29	SHA256:E718475014C8F51A8F2746FBE90A7BFF516B65BEF36EE6340A5FC746BC5DFC32
7652	rufus-4.11p.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90		binary
		MD5:0675520727FFF85A9D4FB045D210DBA1	SHA256:E80FAD64A4859233C6EA1D3E2A3490B071A59F148F4F38D58E4469B41B1585F3

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7652	rufus-4.11p.exe	GET	302	140.82.121.4:443	https://github.com/pbatard/Fido/releases/download/v1.67/Fido.ps1.lzma	unknown	—	—	whitelisted
6768	MoUsoCoreWorker.exe	GET	304	20.73.194.208:443	https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop	unknown	—	—	whitelisted
7652	rufus-4.11p.exe	GET	200	104.18.20.213:80	http://r12.c.lencr.org/39.crl	unknown	—	—	whitelisted
7652	rufus-4.11p.exe	GET	200	185.199.108.153:443	https://rufus.ie/sbat_level.txt	unknown	text	290 b	whitelisted
7652	rufus-4.11p.exe	GET	200	185.199.108.153:443	https://rufus.ie/Fido.ver	unknown	text	75 b	whitelisted
6768	MoUsoCoreWorker.exe	GET	304	20.73.194.208:443	https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30	unknown	—	—	whitelisted
7652	rufus-4.11p.exe	GET	200	185.199.108.153:443	https://rufus.ie/sb_active.txt	unknown	text	163 b	whitelisted
7652	rufus-4.11p.exe	GET	200	185.199.108.153:443	https://rufus.ie/sb_revoked.txt	unknown	text	40 b	whitelisted
7652	rufus-4.11p.exe	GET	200	172.64.149.23:80	http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEFZnHQTqT5lMbxCBR1nSdZQ%3D	unknown	—	—	whitelisted
7652	rufus-4.11p.exe	GET	200	104.18.38.233:80	http://ocsp.usertrust.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSr83eyJy3njhjVpn5bEpfc6MXawQQUOuEJhtTPGcKWdnRJdtzgNcZjY5oCEQDzZE5rbgBQI34JRr174fUd	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4828	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
1348	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6768	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5568	SearchApp.exe	2.16.204.135:443	www.bing.com	AKAMAI-ASN1	NL	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
2292	svchost.exe	224.0.0.252:5355	—	—	—	whitelisted
2292	svchost.exe	224.0.0.251:5353	—	—	—	whitelisted
7652	rufus-4.11p.exe	185.199.108.153:443	rufus.ie	FASTLY	US	whitelisted
7652	rufus-4.11p.exe	104.18.20.213:80	r12.c.lencr.org	CLOUDFLARENET	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 4.231.128.59	whitelisted
www.bing.com	2.16.204.135 2.16.204.134 2.16.204.158 2.16.204.161 2.16.204.155 2.16.204.157 2.16.204.141 2.16.204.148 2.16.204.138	whitelisted
google.com	142.251.208.14	whitelisted
rufus.ie	185.199.108.153 185.199.109.153 185.199.110.153 185.199.111.153	whitelisted
r12.c.lencr.org	104.18.20.213 104.18.21.213	whitelisted
github.com	140.82.121.4	whitelisted
ocsp.comodoca.com	172.64.149.23 104.18.38.233	whitelisted
ocsp.usertrust.com	104.18.38.233 172.64.149.23	whitelisted
ocsp.sectigo.com	172.64.149.23 104.18.38.233	whitelisted
release-assets.githubusercontent.com	185.199.108.133 185.199.109.133 185.199.110.133 185.199.111.133	whitelisted

Threats

PID	Process	Class	Message
2292	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access release user assets on GitHub
—	—	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)

Add for printing

Process	Message
rufus-4.11p.exe	* Rufus init *
rufus-4.11p.exe	Tmp dir: 'C:\Users\admin\AppData\Local\Temp\'
rufus-4.11p.exe	Sys dir: 'C:\WINDOWS\system32'
rufus-4.11p.exe	Dat dir: 'C:\Users\admin\AppData\Local'
rufus-4.11p.exe	Usr dir: 'C:\Users\admin'
rufus-4.11p.exe	Cur dir: 'C:\Users\admin\AppData\Local\Temp\'
rufus-4.11p.exe	App dir: 'C:\Users\admin\AppData\Local\Temp\'
rufus-4.11p.exe	Will use settings from INI file
rufus-4.11p.exe	Binary executable is signed by 'Akeo Consulting'
rufus-4.11p.exe	localization: found locale 'en-US'

General Info

rufus-4.11p.exe

5B86D4F2CE7D2AB212914C634D20F714

FD96FD51231E449678D71C7A5F8A2308B1C88375

ABBF04D50A44A9612C027FC8072F6DA67F5BCDA2B826F1F852C9C24D7A1FCDFF

98304:/tLadtyVqWVX1+JhThc5lBH9IR3/kxjcLjhs4ArFt/a6M7dMI9IDi6pBYcyXnoA2:Fg4Cly

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the Windows auto-update feature

SUSPICIOUS

Executes as Windows Service

Reads security settings of Internet Explorer

INFO

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Process checks whether UAC notifications are on

Checks proxy server information

Create files in a temporary directory

UPX packer has been detected

Creates files or folders in the user directory

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings