Malware analysis rufus-3.22p.exe Malicious activity | ANY.RUN

Add for printing

File name:	rufus-3.22p.exe
Full analysis:	https://app.any.run/tasks/d5853a1f-0cbc-4e4d-905b-c4723b72eb26
Verdict:	Malicious activity
Analysis date:	May 05, 2023, 20:56:21
OS:	Windows 11 Professional (build: 22000, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
MD5:	F3A93569CE2AA9409E2FFBA3D7EDB4DB
SHA1:	F68E9D61523742E40FF2760972FEB40286BDEF55
SHA256:	AC2A1743BBFC19268C36280B50A003366D41854863D4808099CD87F77FA5F433
SSDEEP:	24576:hqGBPKaIPx+wa6cu0gQYBGHsk/ujEsLKhN33sYhXvDW2VIPIwzxcbMycXJnGjTXB:kGBPKaX5TkWnU5KhyaDHYIoHXcB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.1.22000.0
Adobe Acrobat (64-bit) (22.003.20314)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (5.74)
FileZilla Client 3.51.0 (3.51.0)
Google Chrome (69.123.49202)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java 8 Update 351 (64-bit) (8.0.3510.10)
Java Auto Updater (2.8.351.10)
Microsoft Edge (111.0.1661.62)
Microsoft Edge Update (1.3.173.51)
Microsoft Edge WebView2 Runtime (103.0.1264.77)
Microsoft Office Ev ve İş 2021 - tr-tr (16.0.15601.20142)
Microsoft Office Famille et Petite Entreprise 2021 - fr-fr (16.0.15601.20142)
Microsoft Office Hogar y Empresas 2021 - es-es (16.0.15601.20142)
Microsoft Office Home and Business 2021 - de-de (16.0.15601.20142)
Microsoft Office Home and Business 2021 - en-us (16.0.15601.20142)
Microsoft Office Home and Business 2021 - it-it (16.0.15601.20142)
Microsoft Office Home and Business 2021 - ja-jp (16.0.15601.20142)
Microsoft Office Home and Business 2021 - pt-br (16.0.15601.20142)
Microsoft Office Home 및 Business 2021 - ko-kr (16.0.15601.20142)
Microsoft Office для дома и бизнеса 2021 - ru-ru (16.0.15601.20142)
Microsoft OneDrive (22.077.0410.0007)
Microsoft Update Health Tools (4.67.0.0)
Mozilla Firefox (x64 en-US) (111.0.1)
Mozilla Maintenance Service (111.0.1)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15601.20064)
Office 16 Click-to-Run Licensing Component (16.0.15601.20142)
Office 16 Click-to-Run Localization Component (16.0.15601.20064)
Office 16 Click-to-Run Localization Component (16.0.15601.20064)
Office 16 Click-to-Run Localization Component (16.0.15601.20064)
Office 16 Click-to-Run Localization Component (16.0.15601.20064)
Office 16 Click-to-Run Localization Component (16.0.15601.20064)
Office 16 Click-to-Run Localization Component (16.0.15601.20064)
Office 16 Click-to-Run Localization Component (16.0.15601.20064)
Office 16 Click-to-Run Localization Component (16.0.15601.20064)
Opera 12.15 (12.15.1748)
VLC media player (3.0.11)
VLC media player 3.0.17 (64-bit) (3.0.17.0)
WinRAR 5.91 (64-bit) (5.91.0)

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Executable content was dropped or overwritten
  - rufus-3.22p.exe (PID: 3280)
- Executes as Windows Service
  - vds.exe (PID: 6236)
  - vds.exe (PID: 4088)
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	UPX compressed Win32 Executable (64.2)
.dll	\|	Win32 Dynamic Link Library (generic) (15.6)
.exe	\|	Win32 Executable (generic) (10.6)
.exe	\|	Generic Win/DOS Executable (4.7)
.exe	\|	DOS Executable Generic (4.7)

EXIF

EXE

ProductVersion:	3.22.2009
ProductName:	Rufus
OriginalFileName:	rufus-3.22.exe
LegalTrademarks:	https://www.gnu.org/licenses/gpl-3.0.html
LegalCopyright:	Â© 2011-2023 Pete Batard (GPL v3)
InternalName:	Rufus
FileVersion:	3.22.2009
FileDescription:	Rufus
CompanyName:	Akeo Consulting
Comments:	https://rufus.ie
CharacterSet:	Unicode
LanguageCode:	Neutral
FileSubtype:	-
ObjectFileType:	Executable application
FileOS:	Windows NT 32-bit
FileFlags:	(none)
FileFlagsMask:	0x003f
ProductVersionNumber:	3.22.2009.0
FileVersionNumber:	3.22.2009.0
Subsystem:	Windows GUI
SubsystemVersion:	4
ImageVersion:	1
OSVersion:	4
EntryPoint:	0x3e8ef0
UninitializedDataSize:	2732032
InitializedDataSize:	45056
CodeSize:	1368064
LinkerVersion:	2.4
PEType:	PE32
ImageFileCharacteristics:	Executable, No line numbers, No symbols, 32-bit, No debug
TimeStamp:	2023:03:25 13:50:29+00:00
MachineType:	Intel 386 or later, and compatibles

Summary

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	25-Mar-2023 13:50:29
TLS Callbacks:	1 callback(s) detected.
Comments:	https://rufus.ie
CompanyName:	Akeo Consulting
FileDescription:	Rufus
FileVersion:	3.22.2009
InternalName:	Rufus
LegalCopyright:	Â© 2011-2023 Pete Batard (GPL v3)
LegalTrademarks:	https://www.gnu.org/licenses/gpl-3.0.html
OriginalFilename:	rufus-3.22.exe
ProductName:	Rufus
ProductVersion:	3.22.2009

DOS Header

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x00000080

PE Headers

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	3
Time date stamp:	25-Mar-2023 13:50:29
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_DEBUG_STRIPPED IMAGE_FILE_EXECUTABLE_IMAGE IMAGE_FILE_LINE_NUMS_STRIPPED IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
UPX0	0x00001000	0x0029B000	0x00000000	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	0
UPX1	0x0029C000	0x0014E000	0x0014DC00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	7.99981
.rsrc	0x003EA000	0x0000B000	0x0000A600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	3.94705

Resources

Title	Entropy	Size	Codepage	Language	Type
1	5.21284	2238	UNKNOWN	UNKNOWN	RT_MANIFEST
2	3.68423	9640	UNKNOWN	UNKNOWN	RT_ICON
3	3.77127	4264	UNKNOWN	UNKNOWN	RT_ICON
4	3.98144	2440	UNKNOWN	UNKNOWN	RT_ICON
5	4.04318	1128	UNKNOWN	UNKNOWN	RT_ICON
101	7.92154	2398	UNKNOWN	UNKNOWN	RT_DIALOG
102	7.32466	316	UNKNOWN	UNKNOWN	RT_DIALOG
103	7.59008	470	UNKNOWN	UNKNOWN	RT_DIALOG
104	7.83572	1300	UNKNOWN	UNKNOWN	RT_DIALOG
105	6.84179	172	UNKNOWN	UNKNOWN	RT_DIALOG

Imports


ADVAPI32.dll
COMCTL32.dll
COMDLG32.DLL
CRYPT32.dll
GDI32.dll
KERNEL32.DLL
SETUPAPI.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

141

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

3280

"C:\Users\admin\Desktop\rufus-3.22p.exe"

C:\Users\admin\Desktop\rufus-3.22p.exe

explorer.exe

User:

admin

Company:

Akeo Consulting

Integrity Level:

HIGH

Description:

Rufus

Exit code:

Version:

3.22.2009

Modules

Images
c:\users\admin\desktop\rufus-3.22p.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\system32\wow64base.dll

3612

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vdsldr.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Virtual Disk Service Loader

Exit code:

Version:

10.0.22000.653 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\vdsldr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll

4088

C:\Windows\System32\vds.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Virtual Disk Service

Exit code:

258

Version:

10.0.22000.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\vds.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

6236

C:\Windows\System32\vds.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Virtual Disk Service

Exit code:

Version:

10.0.22000.1 (WinBuild.160101.0800)

6788

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vdsldr.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Virtual Disk Service Loader

Exit code:

Version:

10.0.22000.653 (WinBuild.160101.0800)

6928

Rufus -w 150

C:\Users\admin\Downloads\rufus-4.0.exe

—

rufus-3.22p.exe

User:

admin

Company:

Akeo Consulting

Integrity Level:

HIGH

Description:

Rufus

Exit code:

Version:

4.0.2035

7008

"C:\Users\admin\Desktop\rufus-3.22p.exe"

C:\Users\admin\Desktop\rufus-3.22p.exe

—

explorer.exe

User:

admin

Company:

Akeo Consulting

Integrity Level:

MEDIUM

Description:

Rufus

Exit code:

3221226540

Version:

3.22.2009

Modules

Images
c:\users\admin\desktop\rufus-3.22p.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

Add for printing

Total events

404

Read events

340

Write events

Delete events

Modification events


(PID) Process:	(3280) rufus-3.22p.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{396DE638-D98A-4680-8EDA-662627DB2776}User
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3280) rufus-3.22p.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3280) rufus-3.22p.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{396DE638-D98A-4680-8EDA-662627DB2776}Machine
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3280) rufus-3.22p.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{396DE638-D98A-4680-8EDA-662627DB2776}Machine\Software
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3280) rufus-3.22p.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{396DE638-D98A-4680-8EDA-662627DB2776}Machine\Software\Microsoft
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3280) rufus-3.22p.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{396DE638-D98A-4680-8EDA-662627DB2776}Machine\Software\Microsoft\Windows
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3280) rufus-3.22p.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{396DE638-D98A-4680-8EDA-662627DB2776}Machine\Software\Microsoft\Windows\CurrentVersion
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3280) rufus-3.22p.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{396DE638-D98A-4680-8EDA-662627DB2776}Machine\Software\Microsoft\Windows\CurrentVersion\Policies
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3280) rufus-3.22p.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{396DE638-D98A-4680-8EDA-662627DB2776}Machine\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(3280) rufus-3.22p.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{396DE638-D98A-4680-8EDA-662627DB2776}Machine\Software\Policies
Operation:	delete key	Name:	(default)
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3280	rufus-3.22p.exe	C:\Windows\SysWOW64\GroupPolicy\gpt.ini		text
		MD5:39DFFC602ED934569F26BE44EC645814	SHA256:B57A88E5B1ACF3A784BE88B87FA3EE1F0991CB7C1C66DA423F3595FFC6E0C5C2
3280	rufus-3.22p.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565		binary
		MD5:10318B083FB7E82F46EFC311E3DD4552	SHA256:DF7BE8EBCE39619512513436928E82252C059F9565B2D8DAF2308AAC61257D54
3280	rufus-3.22p.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565		binary
		MD5:D3D0C1AF482DF9853B872ED9A6A6C3C2	SHA256:BCD7241D7B4BB090DC61F5BB2E6E2274901B6A98D18DF8E93FAF2E59E95C1D0D
3280	rufus-3.22p.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751		binary
		MD5:60FE01DF86BE2E5331B0CDBE86165686	SHA256:C08CCBC876CD5A7CDFA9670F9637DA57F6A1282198A9BC71FC7D7247A6E5B7A8
3280	rufus-3.22p.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\5C651ZXJ\Fido[1].ver		text
		MD5:AB7AA76BA9A31487BB3EA74211912120	SHA256:BCCB3E965DDDB57FF7241B18790192B545300DE8EB0462DD52B5B93E8F1ECD86
3280	rufus-3.22p.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04		binary
		MD5:2B98084E593C634913B8B76D8AA852ED	SHA256:03EFE16165BF50D13499486BA522E4AA078D7EC913CF75AA5E7E3D1ACE233052
3280	rufus-3.22p.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\5C651ZXJ\Rufus_win[1].ver		text
		MD5:9B0BB58D410A957B49995DB0FC2417FB	SHA256:22B2E6AAB7E2DEAE7C55A2143090D7EFE811CDEAEEC2F89AB30F621873BEA03A
3280	rufus-3.22p.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\50CD3D75D026C82E2E718570BD6F44D0_D222662A57BAA60D2F5EA0D2CC7B2F1C		binary
		MD5:10E0B4A9845D361EF88AE08EC87605DA	SHA256:F27337E0DBAC0E083486379AAE40A5AD9DFBD7E371F7B6B028B8DFE4620FF908
3280	rufus-3.22p.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04		der
		MD5:5E6C2D7CD3C07FA6C9A18DE4322212D4	SHA256:245BADC5C7B935B91CDA6E0FBED06140705B58161C8486E55A0DD9F0F50F1ACC
3280	rufus-3.22p.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\5C651ZXJ\Rufus_win.ver[1].sig		binary
		MD5:5E0841A336C7D7DAD4A3E70131431163	SHA256:F0711B1C2A23A74C07A18685532F5A5769E432CE5CC2EBFDC004B7190E152FE0

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	304	8.248.131.254:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9c054bc903043d8b	US	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	US	binary	471 b	whitelisted
—	—	GET	200	104.18.32.68:80	http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRd0JozUYXMqqW4y4zJTrLcMCRSkAQUgTKSQSsozUbIxKLGKjkS7EipPxQCEQC%2FsVABu%2FWS1JYqd5fqc2%2Bj	US	der	638 b	whitelisted
—	—	GET	200	13.107.4.52:80	http://www.msftconnecttest.com/connecttest.txt	US	text	22 b	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D	US	binary	471 b	whitelisted
—	—	GET	200	104.18.32.68:80	http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSdE3gf41WAic8Uh9lF92%2BIJqh5qwQUMuuSmv81lkgvKEBCcCA2kVwXheYCEDPXCKiRQFMZ4qW70zm5rW4%3D	US	der	765 b	whitelisted
—	—	GET	200	192.229.221.95:80	http://s.symcb.com/universal-root.crl	US	der	1.23 Kb	whitelisted
—	—	GET	200	152.199.19.74:80	http://s.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ%2FYHKj6JjF6UBieQioTYpFsuEriQQUtnf6aUhHn1MS1cLqBzJ2B9GXBxkCEHsFsdRJaFFE98mJ0pwZnRI%3D	US	binary	5 b	shared
—	—	GET	200	152.199.19.74:80	http://s.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ%2FYHKj6JjF6UBieQioTYpFsuEriQQUtnf6aUhHn1MS1cLqBzJ2B9GXBxkCEHsFsdRJaFFE98mJ0pwZnRI%3D	US	binary	5 b	shared
—	—	GET	200	152.199.19.74:80	http://ts-ocsp.ws.symantec.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQd11mpyHEqFCSocj4SCu93CBydHAQUr2PWyqNOhXLgp7xB8ymiOH%2BAdWICEHvU5a%2B6zAc%2FoQEjBCJBTRI%3D	US	binary	1.46 Kb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	40.126.32.72:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	suspicious
—	—	8.248.131.254:80	ctldl.windowsupdate.com	LEVEL3	US	suspicious
—	—	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
—	—	40.126.32.68:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	suspicious
—	—	185.199.108.153:443	rufus.ie	FASTLY	US	shared
—	—	23.56.202.135:80	x1.c.lencr.org	AKAMAI-AS	GB	suspicious
—	—	185.199.108.133:443	objects.githubusercontent.com	FASTLY	US	malicious
—	—	140.82.121.4:443	github.com	GITHUB	US	malicious
—	—	104.18.32.68:80	crl.comodoca.com	CLOUDFLARENET	—	suspicious
—	—	185.199.111.153:443	rufus.ie	FASTLY	US	shared

DNS requests

Domain	IP	Reputation
login.live.com	40.126.32.72 40.126.32.76 40.126.32.136 20.190.160.22 20.190.160.20 40.126.32.134 20.190.160.17 40.126.32.68	whitelisted
ctldl.windowsupdate.com	8.248.131.254 8.248.139.254 67.27.158.254 8.238.30.254 8.241.11.254	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
rufus.ie	185.199.108.153 185.199.110.153 185.199.109.153 185.199.111.153	suspicious
x1.c.lencr.org	23.56.202.135	whitelisted
github.com	140.82.121.4	malicious
objects.githubusercontent.com	185.199.108.133 185.199.109.133 185.199.110.133 185.199.111.133	shared
www.msftconnecttest.com	13.107.4.52	whitelisted
nexusrules.officeapps.live.com	52.109.8.86	whitelisted
crl.comodoca.com	104.18.32.68 172.64.155.188	whitelisted

Threats

PID	Process	Class	Message
—	—	Misc activity	ET INFO Microsoft Connection Test

Add for printing

No debug info

General Info

rufus-3.22p.exe

F3A93569CE2AA9409E2FFBA3D7EDB4DB

F68E9D61523742E40FF2760972FEB40286BDEF55

AC2A1743BBFC19268C36280B50A003366D41854863D4808099CD87F77FA5F433

24576:hqGBPKaIPx+wa6cu0gQYBGHsk/ujEsLKhN33sYhXvDW2VIPIwzxcbMycXJnGjTXB:kGBPKaX5TkWnU5KhyaDHYIoHXcB

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

SUSPICIOUS

Executable content was dropped or overwritten

Executes as Windows Service

INFO

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Information

Information

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings