File name:

rufus-4.5p.exe

Full analysis: https://app.any.run/tasks/33e9f3f2-1064-405f-81a4-ada211b08f25
Verdict: Malicious activity
Analysis date: August 02, 2024, 15:33:09
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
upx
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5:

129E5BBF63D8299D027186EAFE92754A

SHA1:

C50BD94AF6AF186EDC536EC6FF83BDD233586618

SHA256:

C6E6CDBA209F899E5087F1A1A4BABC759414B4A687B60BA4BCE62B6B37E8E82B

SSDEEP:

49152:fylf3tq20TVtna0ErcAD9tFM8rQB+ddDu31xwW+P03D4Ih8vvXXM9wpA7tiwLShJ:e3QZrErcADTqEd0nwxOJ46wiTShAVfGp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • rufus-4.5p.exe (PID: 6560)

    • Changes the Windows auto-update feature

      • rufus-4.5p.exe (PID: 6560)

  • SUSPICIOUS

    • Executes as Windows Service

      • vds.exe (PID: 6648)

    • Reads security settings of Internet Explorer

      • rufus-4.5p.exe (PID: 6560)

    • Checks Windows Trust Settings

      • rufus-4.5p.exe (PID: 6560)

  • INFO

    • Reads the computer name

      • rufus-4.5p.exe (PID: 6560)

    • Create files in a temporary directory

      • rufus-4.5p.exe (PID: 6560)

    • Checks supported languages

      • rufus-4.5p.exe (PID: 6560)

    • Process checks whether UAC notifications are on

      • rufus-4.5p.exe (PID: 6560)

    • Reads the machine GUID from the registry

      • rufus-4.5p.exe (PID: 6560)

    • UPX packer has been detected

      • rufus-4.5p.exe (PID: 6560)

    • Checks proxy server information

      • rufus-4.5p.exe (PID: 6560)

    • Reads the software policy settings

      • rufus-4.5p.exe (PID: 6560)

    • Creates files or folders in the user directory

      • rufus-4.5p.exe (PID: 6560)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (87.1)
.exe | Generic Win/DOS Executable (6.4)
.exe | DOS Executable Generic (6.4)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:05:22 11:06:27+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.42
CodeSize: 1462272
InitializedDataSize: 45056
UninitializedDataSize: 2809856
EntryPoint: 0x412bc0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 4.5.2180.0
ProductVersionNumber: 4.5.2180.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: https://rufus.ie
CompanyName: Akeo Consulting
FileDescription: Rufus
FileVersion: 4.5.2180
InternalName: Rufus
LegalCopyright: � 2011-2024 Pete Batard (GPL v3)
LegalTrademarks: https://www.gnu.org/licenses/gpl-3.0.html
OriginalFileName: rufus-4.5.exe
ProductName: Rufus
ProductVersion: 4.5.2180
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
145
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start THREAT rufus-4.5p.exe vdsldr.exe no specs vds.exe no specs rufus-4.5p.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
6512"C:\Users\admin\AppData\Local\Temp\rufus-4.5p.exe" C:\Users\admin\AppData\Local\Temp\rufus-4.5p.exeexplorer.exe
User:
admin
Company:
Akeo Consulting
Integrity Level:
MEDIUM
Description:
Rufus
Exit code:
3221226540
Version:
4.5.2180
Modules
Images
c:\users\admin\appdata\local\temp\rufus-4.5p.exe
c:\windows\system32\ntdll.dll
6560"C:\Users\admin\AppData\Local\Temp\rufus-4.5p.exe" C:\Users\admin\AppData\Local\Temp\rufus-4.5p.exe
explorer.exe
User:
admin
Company:
Akeo Consulting
Integrity Level:
HIGH
Description:
Rufus
Exit code:
0
Version:
4.5.2180
Modules
Images
c:\users\admin\appdata\local\temp\rufus-4.5p.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
6612C:\WINDOWS\System32\vdsldr.exe -EmbeddingC:\Windows\System32\vdsldr.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Virtual Disk Service Loader
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vdsldr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
6648C:\WINDOWS\System32\vds.exeC:\Windows\System32\vds.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Virtual Disk Service
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vds.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
Total events
7 752
Read events
7 586
Write events
99
Delete events
67

Modification events

(PID) Process:(6560) rufus-4.5p.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{892DC977-EFBA-4C40-87A0-AA93546F0E9F}Machine\Software\Policies\Microsoft\AppHVSI
Operation:writeName:AllowAppHVSI_ProviderSet
Value:
0
(PID) Process:(6560) rufus-4.5p.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{892DC977-EFBA-4C40-87A0-AA93546F0E9F}Machine\Software\Policies\Microsoft\EdgeUpdate
Operation:writeName:UpdateDefault
Value:
0
(PID) Process:(6560) rufus-4.5p.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{892DC977-EFBA-4C40-87A0-AA93546F0E9F}Machine\Software\Policies\Microsoft\Windows\Network Connections
Operation:writeName:NC_DoNotShowLocalOnlyIcon
Value:
1
(PID) Process:(6560) rufus-4.5p.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{892DC977-EFBA-4C40-87A0-AA93546F0E9F}Machine\Software\Policies\Microsoft\Windows\Windows Feeds
Operation:writeName:EnableFeeds
Value:
0
(PID) Process:(6560) rufus-4.5p.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{892DC977-EFBA-4C40-87A0-AA93546F0E9F}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate
Operation:writeName:WUServer
Value:
http://neverupdatewindows10.com
(PID) Process:(6560) rufus-4.5p.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{892DC977-EFBA-4C40-87A0-AA93546F0E9F}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate
Operation:writeName:WUStatusServer
Value:
http://neverupdatewindows10.com
(PID) Process:(6560) rufus-4.5p.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{892DC977-EFBA-4C40-87A0-AA93546F0E9F}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate
Operation:writeName:UpdateServiceUrlAlternate
Value:
http://neverupdatewindows10.com
(PID) Process:(6560) rufus-4.5p.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{892DC977-EFBA-4C40-87A0-AA93546F0E9F}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate
Operation:writeName:**del.FillEmptyContentUrls
Value:
(PID) Process:(6560) rufus-4.5p.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{892DC977-EFBA-4C40-87A0-AA93546F0E9F}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
Operation:writeName:UseWUServer
Value:
1
(PID) Process:(6560) rufus-4.5p.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{892DC977-EFBA-4C40-87A0-AA93546F0E9F}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
Operation:writeName:NoAutoUpdate
Value:
0
Executable files
0
Suspicious files
3
Text files
9
Unknown types
0

Dropped files

PID
Process
Filename
Type
6560rufus-4.5p.exeC:\Users\admin\AppData\Local\Temp\rufus.ini~text
MD5:25F951ACCB182500A1A135F7556724C3
SHA256:DEE26225B0313E2A75B3A5B75C615E67C6C20617D50C5A0C17B2A425EAD98609
6560rufus-4.5p.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\Rufus_win[1].vertext
MD5:B071392D8264070FF6E4CA0FA0FD06A6
SHA256:7C1D2CFAF6CF893C186ABF59B21B63FD38C818267F179F36E90171F80C91641E
6560rufus-4.5p.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751binary
MD5:3DFCA46E00FFA4795C72A41375F159D3
SHA256:DCBA1A505396539BAC40A7253C9F5DCCF06CBB79957E21D56305E1FC3AF5F40E
6560rufus-4.5p.exeC:\Users\admin\AppData\Local\Temp\rufus.initext
MD5:25F951ACCB182500A1A135F7556724C3
SHA256:DEE26225B0313E2A75B3A5B75C615E67C6C20617D50C5A0C17B2A425EAD98609
6560rufus-4.5p.exeC:\Windows\System32\GroupPolicy\gpt.initext
MD5:3D89F23265C9E30A0CF055C3EB4D637C
SHA256:806582F6221C79BD4C7EACDC4B63E937CE247EEE2BA159F55C545CDFB2B1C25B
6560rufus-4.5p.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\Rufus_win.ver[1].sigbinary
MD5:2C85BF12103135E5B608A713AA2C588D
SHA256:12C0A821F3341D537672D5B8B3C144D5ADDC49597F5655A1447C9955FDF46F77
6560rufus-4.5p.exeC:\Users\admin\AppData\Local\Temp\Rufus\rufus.logtext
MD5:C13D771BBB9DC355E5BBAB7991F25948
SHA256:4B7CF3E05782DA979CAF26DEE55695D60D17C7C4BA17AAFAC67135331EFE7F62
6560rufus-4.5p.exeC:\Users\admin\AppData\Local\Temp\Ruf56E6.tmptext
MD5:711B1476D716A52EEB5EE7565F612D0E
SHA256:B5C7B62A8281A940A479D8E6496710A7B96F45B406D10FB2E09C910FCE50949D
6560rufus-4.5p.exeC:\Windows\System32\GroupPolicy\Machine\Registry.polbinary
MD5:0C014C71A70DC7758BFDC822E974F1F3
SHA256:8EBD915268E16B55A3ABDE6F612363576FAB5DF656F955D672CCE8889C5FF9CA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
44
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
3160
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
188
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
2324
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4060
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
4708
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2256
svchost.exe
224.0.0.251:5353
unknown
2256
svchost.exe
224.0.0.252:5355
whitelisted
4
System
192.168.100.255:137
whitelisted
4060
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5336
SearchApp.exe
92.123.104.43:443
www.bing.com
Akamai International B.V.
DE
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.238
whitelisted
www.bing.com
  • 92.123.104.43
  • 92.123.104.34
  • 92.123.104.60
  • 92.123.104.40
  • 92.123.104.32
  • 92.123.104.67
  • 92.123.104.7
  • 92.123.104.59
  • 92.123.104.33
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.133
  • 40.126.32.138
  • 20.190.160.14
  • 20.190.160.17
  • 40.126.32.72
  • 40.126.32.68
  • 40.126.32.136
  • 20.190.160.22
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted
th.bing.com
  • 92.123.104.59
  • 92.123.104.49
  • 92.123.104.33
  • 92.123.104.43
  • 92.123.104.40
  • 92.123.104.32
  • 92.123.104.52
  • 92.123.104.34
  • 92.123.104.7
whitelisted
fd.api.iris.microsoft.com
  • 20.74.47.205
whitelisted
arc.msn.com
  • 20.74.47.205
whitelisted
slscr.update.microsoft.com
  • 52.165.165.26
whitelisted

Threats

No threats detected
Process
Message
rufus-4.5p.exe
*** Rufus init ***
rufus-4.5p.exe
Cur dir: 'C:\Users\admin\AppData\Local\Temp\'
rufus-4.5p.exe
App dir: 'C:\Users\admin\AppData\Local\Temp\'
rufus-4.5p.exe
Sys dir: 'C:\WINDOWS\system32'
rufus-4.5p.exe
Usr dir: 'C:\Users\admin'
rufus-4.5p.exe
Dat dir: 'C:\Users\admin\AppData\Local'
rufus-4.5p.exe
Tmp dir: 'C:\Users\admin\AppData\Local\Temp\'
rufus-4.5p.exe
Binary executable is signed by 'Akeo Consulting'
rufus-4.5p.exe
Will use settings from INI file
rufus-4.5p.exe
loc file not found in current directory - embedded one will be used
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
rufus-4.5p.exe