File name:

MBRLock.exe

Full analysis: https://app.any.run/tasks/1512ad4f-79c6-45f2-be83-a0f9f57a5499
Verdict: Malicious activity
Analysis date: September 14, 2024, 13:42:23
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

7E179D064B2D20B4EA5E6D492ABF8F2B

SHA1:

443F89939B9CD36A169AA04E15FA0637EC228A93

SHA256:

DFC56A704B5E031F3B0D2D0EA1D06F9157758AD950483B44AC4B77D33293CB38

SSDEEP:

12288:axPVLTOnLRrLHO0zKX1AsE7eTZni5Kyt5dh2E:a5V/OLRnHFzKFAsTTZiUyt5dh2E

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • MBRLock.exe (PID: 7048)

    • Scans artifacts that could help determine the target

      • RUXIMICS.exe (PID: 4560)

  • SUSPICIOUS

    • The process executes via Task Scheduler

      • PLUGScheduler.exe (PID: 872)

  • INFO

    • Reads the computer name

      • MBRLock.exe (PID: 7048)
      • RUXIMICS.exe (PID: 4560)
      • PLUGScheduler.exe (PID: 872)

    • Creates files in the program directory

      • PLUGScheduler.exe (PID: 872)
      • RUXIMICS.exe (PID: 4952)

    • Checks supported languages

      • MBRLock.exe (PID: 7048)
      • RUXIMICS.exe (PID: 4560)
      • PLUGScheduler.exe (PID: 872)
      • RUXIMICS.exe (PID: 4952)

    • Reads Environment values

      • RUXIMICS.exe (PID: 4560)

    • Reads the software policy settings

      • RUXIMICS.exe (PID: 4560)

    • Reads the machine GUID from the registry

      • RUXIMICS.exe (PID: 4560)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (35.8)
.exe | Win64 Executable (generic) (31.7)
.scr | Windows screen saver (15)
.dll | Win32 Dynamic Link Library (generic) (7.5)
.exe | Win32 Executable (generic) (5.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:02:04 00:56:37+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 540672
InitializedDataSize: 319488
UninitializedDataSize: -
EntryPoint: 0x6594d
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 1.0.0.0
FileDescription: 易语言程序
ProductName: 易语言程序
ProductVersion: 1.0.0.0
LegalCopyright: 作者版权所有 请尊重并使用正版
Comments: Hax
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
232
Monitored processes
4
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
start mbrlock.exe plugscheduler.exe no specs ruximics.exe ruximics.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
872"C:\Program Files\RUXIM\PLUGscheduler.exe"C:\Program Files\RUXIM\PLUGScheduler.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Update LifeCycle Component Scheduler
Exit code:
0
Version:
10.0.19041.3623 (WinBuild.160101.0800)
Modules
Images
c:\program files\ruxim\plugscheduler.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
4560%ProgramFiles%\RUXIM\RUXIMICS.EXE /onlyloadcampaignsC:\Program Files\RUXIM\RUXIMICS.exe
PLUGScheduler.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Reusable UX Interaction Manager
Exit code:
0
Version:
10.0.19041.3623 (WinBuild.160101.0800)
Modules
Images
c:\program files\ruxim\ruximics.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
4952%ProgramFiles%\RUXIM\RUXIMICS.EXE /nonetworkC:\Program Files\RUXIM\RUXIMICS.exePLUGScheduler.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Reusable UX Interaction Manager
Exit code:
0
Version:
10.0.19041.3623 (WinBuild.160101.0800)
Modules
Images
c:\program files\ruxim\ruximics.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
7048"C:\Users\admin\Desktop\MBRLock.exe" C:\Users\admin\Desktop\MBRLock.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
易语言程序
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\mbrlock.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
4 260
Read events
4 243
Write events
17
Delete events
0

Modification events

(PID) Process:(7048) MBRLock.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\360Safe\safemon
Operation:writeName:ExecAccess
Value:
0
(PID) Process:(7048) MBRLock.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\360Safe\safemon
Operation:writeName:MonAccess
Value:
0
(PID) Process:(7048) MBRLock.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\360Safe\safemon
Operation:writeName:SiteAccess
Value:
0
(PID) Process:(7048) MBRLock.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\360Safe\safemon
Operation:writeName:UDiskAccess
Value:
0
(PID) Process:(7048) MBRLock.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:System
Value:
C:\Program Files\System.dll
(PID) Process:(872) PLUGScheduler.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\PLUG\Scheduler\Activity\State\OneSettings
Operation:writeName:ExecutionCount
Value:
5
(PID) Process:(872) PLUGScheduler.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\PLUG\Scheduler\Activity\State\OneSettings
Operation:writeName:LastExecutionResult
Value:
0
(PID) Process:(872) PLUGScheduler.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\PLUG\Scheduler\Activity\State\OneSettings
Operation:writeName:LastExecutionExitCode
Value:
0
(PID) Process:(872) PLUGScheduler.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\PLUG\Scheduler\Activity\State\OneSettings
Operation:writeName:LastExecutionTime
Value:
041AA70FAC06DB01
(PID) Process:(872) PLUGScheduler.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\PLUG\Scheduler\Activity\State\DTU
Operation:writeName:ExecutionCount
Value:
5
Executable files
0
Suspicious files
49
Text files
0
Unknown types
41

Dropped files

PID
Process
Filename
Type
872PLUGScheduler.exeC:\ProgramData\PLUG\Logs\RUXIMLog.033.etletl
MD5:673727AF7C6805E869C9F8BE1E468F4A
SHA256:6B16B7DE97F397BCEC36EB3F18C7B64CD3DB6D2974DDF319A251CE27B80D837B
872PLUGScheduler.exeC:\ProgramData\PLUG\Logs\RUXIMLog.029.etletl
MD5:44A0E917AD0C126931B1BCD959285A9A
SHA256:DDFBE47E7DFD6D8B7517F2F6FF9808ECF3C0A25F588A9F96D04F4E2B4A578573
872PLUGScheduler.exeC:\ProgramData\PLUG\Logs\RUXIMLog.027.etletl
MD5:C8834D365FAE073DEDE1F1620454CE71
SHA256:C6DD793EEE1D5551CA507A3C5BFFECA82DD3E29C63C2C6DD218A7D4BFB37046B
872PLUGScheduler.exeC:\ProgramData\PLUG\Logs\RUXIMLog.026.etletl
MD5:5EA68411BF8E9EAF4621BAF73F61449E
SHA256:9D4CA5A1D871F819C139A498BB910A63576C2FE6367853544F8D172D8B6EBFF7
872PLUGScheduler.exeC:\ProgramData\PLUG\Logs\RUXIMLog.031.etletl
MD5:2F36C598EBFF5B5CDD898C9691D6BCCB
SHA256:8900C5931ED8E0D1B68082B45CF2F4E8C1025D36825508E0804C916D781B9F50
872PLUGScheduler.exeC:\ProgramData\PLUG\Logs\RUXIMLog.021.etletl
MD5:B53B2070E686FFB1FBC8B06994E7C8D7
SHA256:A3ABD06F4E40CB700B1908AB6BCD2E27455E13EF076E0BF2345BB2FA369EF802
872PLUGScheduler.exeC:\ProgramData\PLUG\Logs\RUXIMLog.030.etletl
MD5:868E79A00A8204448B2FFC4F4D5C08EA
SHA256:148FE324431CB4C826BCF0436147D946AC389A877732612CF40629048B8517DC
872PLUGScheduler.exeC:\ProgramData\PLUG\Logs\RUXIMLog.022.etletl
MD5:89BD161BF7B46C9078937CF832786737
SHA256:2B83DF5532E9F54ED301C8F82E2CDD489799C8D5222A2D44C97DCB151A96FAA9
872PLUGScheduler.exeC:\ProgramData\PLUG\Logs\RUXIMLog.025.etletl
MD5:A23907B6FDD47DCABFDFD7CF2FCD7671
SHA256:0C9C33FE9E984A2E5A70EBA51F36B9929A86199E424AF2F8080E1267B87DC970
872PLUGScheduler.exeC:\ProgramData\PLUG\Logs\RUXIMLog.035.etletl
MD5:FA358BFEE9B4E1FFB7394D13CBBC4898
SHA256:6FF97BBF8A56286A4C71623829514CC14B7F8CBBCF09748D939F733968478A22
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
52
TCP/UDP connections
24
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
404
92.123.104.46:443
https://r.bing.com/rb/4N/jnc,nj/Btu7tBP0vQIHDIMxag4vCxAtQuY.js?bu=FrYs9ir8AYcriyuNK48rtCu9LIMs_BGfLKUswSz8AfwBpSjmK_oR8RH6K-sr&or=w
unknown
GET
200
92.123.104.37:443
https://www.bing.com/fd/ls/l?IG=16800713CD244755B15D5E88DF9D3BC0&Type=Event.ClientInst&DATA=[{%22T%22:%22CI.ClientInst%22,%22FID%22:%22CI%22,%22Name%22:%22max%20errors%20reached%22}]
unknown
GET
200
92.123.104.47:443
https://r.bing.com/rp/1p7Pm8MlCViA2LDR4P2jaN0n9x8.gz.js
unknown
binary
1.85 Kb
POST
204
92.123.104.40:443
https://www.bing.com/fd/ls/lsp.aspx?
unknown
POST
204
92.123.104.49:443
https://www.bing.com/fd/ls/lsp.aspx?
unknown
POST
204
92.123.104.41:443
https://www.bing.com/threshold/xls.aspx
unknown
GET
200
92.123.104.46:443
https://r.bing.com/rp/-UAIppANYxiGpRWJy2NDph4qOEw.gz.js
unknown
s
20.3 Kb
POST
204
92.123.104.41:443
https://www.bing.com/threshold/xls.aspx
unknown
POST
204
92.123.104.38:443
https://www.bing.com/fd/ls/lsp.aspx?
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
224.0.0.252:5355
whitelisted
224.0.0.251:5353
unknown
4
System
192.168.100.255:137
whitelisted
2908
OfficeClickToRun.exe
52.109.28.46:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
whitelisted
4560
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5052
SearchApp.exe
2.23.209.148:443
r.bing.com
Akamai International B.V.
GB
whitelisted
5052
SearchApp.exe
2.23.209.189:443
r.bing.com
Akamai International B.V.
GB
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.206
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
officeclient.microsoft.com
  • 52.109.28.46
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted
r.bing.com
  • 2.23.209.148
  • 2.23.209.185
  • 2.23.209.149
  • 2.23.209.193
  • 2.23.209.130
  • 2.23.209.133
  • 2.23.209.140
  • 2.23.209.187
  • 2.23.209.189
whitelisted
www.bing.com
  • 2.23.209.189
  • 2.23.209.130
  • 2.23.209.187
  • 2.23.209.150
  • 2.23.209.179
  • 2.23.209.176
  • 2.23.209.185
  • 2.23.209.133
  • 2.23.209.177
whitelisted
self.events.data.microsoft.com
  • 40.79.173.40
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
MBRLock.exe