File name: MBRLock.exe

Full analysis: https://app.any.run/tasks/1512ad4f-79c6-45f2-be83-a0f9f57a5499
Verdict: Malicious activity
Analysis date: September 14, 2024, 13:42:23
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 7E179D064B2D20B4EA5E6D492ABF8F2B
SHA1: 443F89939B9CD36A169AA04E15FA0637EC228A93
SHA256: DFC56A704B5E031F3B0D2D0EA1D06F9157758AD950483B44AC4B77D33293CB38
SSDEEP: 12288:axPVLTOnLRrLHO0zKX1AsE7eTZni5Kyt5dh2E:a5V/OLRnHFzKFAsTTZiUyt5dh2E

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • MBRLock.exe (PID: 7048)
    • Scans artifacts that could help determine the target

      • RUXIMICS.exe (PID: 4560)
  • SUSPICIOUS

    • The process executes via Task Scheduler

      • PLUGScheduler.exe (PID: 872)
  • INFO

    • Reads the computer name

      • MBRLock.exe (PID: 7048)
      • RUXIMICS.exe (PID: 4560)
      • PLUGScheduler.exe (PID: 872)
    • Creates files in the program directory

      • PLUGScheduler.exe (PID: 872)
      • RUXIMICS.exe (PID: 4952)
    • Checks supported languages

      • PLUGScheduler.exe (PID: 872)
      • MBRLock.exe (PID: 7048)
      • RUXIMICS.exe (PID: 4952)
      • RUXIMICS.exe (PID: 4560)
    • Reads Environment values

      • RUXIMICS.exe (PID: 4560)
    • Reads the machine GUID from the registry

      • RUXIMICS.exe (PID: 4560)
    • Reads the software policy settings

      • RUXIMICS.exe (PID: 4560)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (35.8)
.exe | Win64 Executable (generic) (31.7)
.scr | Windows screen saver (15)
.dll | Win32 Dynamic Link Library (generic) (7.5)
.exe | Win32 Executable (generic) (5.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:02:04 00:56:37+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 540672
InitializedDataSize: 319488
UninitializedDataSize: -
EntryPoint: 0x6594d
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 1.0.0.0
FileDescription: 易语言程序 (Easy Language program)
ProductName: 易语言程序 (Easy Language program)
ProductVersion: 1.0.0.0
LegalCopyright: 作者版权所有 请尊重并使用正版 (Copyright of the author. Please respect it and use the genuine version.)
Comments: Hax
No data.
All screenshots are available in the full report
Total processes: 232
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 2

Behavior graph

explorer.exe -> mbrlock.exe (PID 7048)
svchost.exe -> plugscheduler.exe (PID 872, no specs) -> ruximics.exe (PID 4560), ruximics.exe (PID 4952, no specs)

Process information

PID: 872
CMD: "C:\Program Files\RUXIM\PLUGscheduler.exe"
Path: C:\Program Files\RUXIM\PLUGScheduler.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Update LifeCycle Component Scheduler
Exit code:
0
Version:
10.0.19041.3623 (WinBuild.160101.0800)
Modules
Images
c:\program files\ruxim\plugscheduler.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
PID: 4560
CMD: %ProgramFiles%\RUXIM\RUXIMICS.EXE /onlyloadcampaigns
Path: C:\Program Files\RUXIM\RUXIMICS.exe
Parent process: PLUGScheduler.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Reusable UX Interaction Manager
Exit code:
0
Version:
10.0.19041.3623 (WinBuild.160101.0800)
Modules
Images
c:\program files\ruxim\ruximics.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
PID: 4952
CMD: %ProgramFiles%\RUXIM\RUXIMICS.EXE /nonetwork
Path: C:\Program Files\RUXIM\RUXIMICS.exe
Parent process: PLUGScheduler.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Reusable UX Interaction Manager
Exit code:
0
Version:
10.0.19041.3623 (WinBuild.160101.0800)
Modules
Images
c:\program files\ruxim\ruximics.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
PID: 7048
CMD: "C:\Users\admin\Desktop\MBRLock.exe"
Path: C:\Users\admin\Desktop\MBRLock.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
易语言程序 (Easy Language program)
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\mbrlock.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 4260
Read events: 4243
Write events: 17
Delete events: 0

Modification events

(PID) Process: (7048) MBRLock.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\360Safe\safemon
Operation: write
Name: ExecAccess
Value: 0

(PID) Process: (7048) MBRLock.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\360Safe\safemon
Operation: write
Name: MonAccess
Value: 0

(PID) Process: (7048) MBRLock.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\360Safe\safemon
Operation: write
Name: SiteAccess
Value: 0

(PID) Process: (7048) MBRLock.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\360Safe\safemon
Operation: write
Name: UDiskAccess
Value: 0

(PID) Process: (7048) MBRLock.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: System
Value: C:\Program Files\System.dll

(PID) Process: (872) PLUGScheduler.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\PLUG\Scheduler\Activity\State\OneSettings
Operation: write
Name: ExecutionCount
Value: 5

(PID) Process: (872) PLUGScheduler.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\PLUG\Scheduler\Activity\State\OneSettings
Operation: write
Name: LastExecutionResult
Value: 0

(PID) Process: (872) PLUGScheduler.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\PLUG\Scheduler\Activity\State\OneSettings
Operation: write
Name: LastExecutionExitCode
Value: 0

(PID) Process: (872) PLUGScheduler.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\PLUG\Scheduler\Activity\State\OneSettings
Operation: write
Name: LastExecutionTime
Value: 041AA70FAC06DB01

(PID) Process: (872) PLUGScheduler.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\PLUG\Scheduler\Activity\State\DTU
Operation: write
Name: ExecutionCount
Value: 5
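The five MBRLock.exe writes above are the substantive finding in this report. Four values under 360Safe\safemon are set to 0; the value names (ExecAccess, MonAccess, SiteAccess, UDiskAccess) match Qihoo 360 Safe's real-time protection switches, and zeroing them is a recurring AV-tampering step in Chinese-language malware. The fifth write is a Run entry named System pointing at an unquoted C:\Program Files\System.dll, a file the Dropped files list shown here does not include. Both keys sit in the WOW6432Node view because MBRLock.exe is a 32-bit process (wow64.dll and the syswow64 DLLs in its module list), so its writes to HKLM\SOFTWARE\... are redirected, and Windows processes Run entries from both views at logon. The script below is an added example, not ANY.RUN's code: the events are transcribed from this report as constructed input, and the two triage rules, the value-name list and the finding messages are the example's own assumptions about what an analyst would check in any sandbox's registry-write log.

```python
"""Triage rules for the registry writes listed under Modification events.

Added example, not part of the ANY.RUN report. REPORT_EVENTS is transcribed
from the report above; the rules and messages are the example's own.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegWrite:
    pid: int
    process: str
    key: str
    name: str
    value: str


# Run/RunOnce in both registry views. A 32-bit process (MBRLock.exe loads
# wow64.dll) writing to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# lands in the WOW6432Node view; Windows runs entries from both at logon.
AUTORUN_KEY = re.compile(
    r"^HKEY_(LOCAL_MACHINE|CURRENT_USER)\\SOFTWARE\\(WOW6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)$",
    re.IGNORECASE,
)

# Qihoo 360 Safe keeps its real-time protection switches under
# ...\360Safe\safemon; writing 0 to them is a known AV-tampering step.
# The switch list is an assumption based on the names seen in this report.
SAFEMON_KEY = re.compile(r"\\360Safe\\safemon$", re.IGNORECASE)
SAFEMON_SWITCHES = {"ExecAccess", "MonAccess", "SiteAccess", "UDiskAccess"}


def assess(event: RegWrite) -> list[str]:
    """Return the triage findings for one registry write (empty if benign)."""
    findings = []
    if AUTORUN_KEY.match(event.key):
        target = event.value.strip().strip('"')
        msg = f"autorun persistence: {event.name} -> {target}"
        # An unquoted path with a space is ambiguous for CreateProcess.
        if " " in target and not event.value.startswith('"'):
            msg += " [unquoted path containing a space]"
        # A Run entry normally names an .exe; anything else deserves a look.
        if not target.lower().endswith(".exe"):
            msg += " [target is not an .exe]"
        findings.append(msg)
    if (SAFEMON_KEY.search(event.key)
            and event.name in SAFEMON_SWITCHES
            and event.value.strip() == "0"):
        findings.append(f"360 Safe protection switch disabled: {event.name}=0")
    return findings


def triage(events) -> dict[int, list[str]]:
    """Group findings by PID; processes with no findings are omitted."""
    out: dict[int, list[str]] = {}
    for ev in events:
        hits = assess(ev)
        if hits:
            out.setdefault(ev.pid, []).extend(hits)
    return out


# Constructed input: transcribed from the report's Modification events.
SAFEMON = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\360Safe\safemon"
RUN32 = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
PLUG = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
        r"\WindowsUpdate\PLUG\Scheduler\Activity\State\OneSettings")

REPORT_EVENTS = [
    RegWrite(7048, "MBRLock.exe", SAFEMON, "ExecAccess", "0"),
    RegWrite(7048, "MBRLock.exe", SAFEMON, "MonAccess", "0"),
    RegWrite(7048, "MBRLock.exe", SAFEMON, "SiteAccess", "0"),
    RegWrite(7048, "MBRLock.exe", SAFEMON, "UDiskAccess", "0"),
    RegWrite(7048, "MBRLock.exe", RUN32, "System", r"C:\Program Files\System.dll"),
    RegWrite(872, "PLUGScheduler.exe", PLUG, "ExecutionCount", "5"),
    RegWrite(872, "PLUGScheduler.exe", PLUG, "LastExecutionResult", "0"),
]

if __name__ == "__main__":
    for pid, hits in triage(REPORT_EVENTS).items():
        for hit in hits:
            print(f"PID {pid}: {hit}")
```

Run against the transcribed events, only PID 7048 produces findings: four disabled 360 Safe switches and one autorun entry flagged for both the unquoted path and the non-.exe target. The PLUGScheduler.exe writes are Windows Update bookkeeping and match neither rule.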
Executable files: 0
Suspicious files: 49
Text files: 0
Unknown types: 41

Dropped files

PID | Process | Filename | Type
872 | PLUGScheduler.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.035.etl | etl
  MD5: FA358BFEE9B4E1FFB7394D13CBBC4898
  SHA256: 6FF97BBF8A56286A4C71623829514CC14B7F8CBBCF09748D939F733968478A22
872 | PLUGScheduler.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.014.etl | etl
  MD5: B787593A02A4E0A601164A65952D0CB9
  SHA256: 3594AD496D8E1771BCC3E8B6F68B4C2B4190A9A331FB43F068A7DF4E1894E2CF
872 | PLUGScheduler.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.018.etl | etl
  MD5: 09359EE89B0634478ADFF73CDA7BFB12
  SHA256: 4D800AC7C55960B107C9D3E40F63130407835E69DF4F5C558C500FC0BD20D8ED
872 | PLUGScheduler.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.032.etl | etl
  MD5: 079890A8EC8D5CB6523FCEC2209780AA
  SHA256: 0E12D2D76DD738CE196BED522E35F75E2CC91294F78CDDCBE8CE7787AAA70049
872 | PLUGScheduler.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.027.etl | etl
  MD5: C8834D365FAE073DEDE1F1620454CE71
  SHA256: C6DD793EEE1D5551CA507A3C5BFFECA82DD3E29C63C2C6DD218A7D4BFB37046B
872 | PLUGScheduler.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.015.etl | etl
  MD5: F9485F2BA891697F8B6CF8FB1E7F42C0
  SHA256: 69146D4AAEFB8609745B6CA780B48ABC66054AA3CDB8061248CF7B32F3B32617
872 | PLUGScheduler.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.023.etl | etl
  MD5: A7A21FBC9D00F33F186B34A50E170C13
  SHA256: 64CAC91E46D4FC832958232A658431CBF9D8D9F265653ACA2BEB32428D4688EC
872 | PLUGScheduler.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.022.etl | etl
  MD5: 89BD161BF7B46C9078937CF832786737
  SHA256: 2B83DF5532E9F54ED301C8F82E2CDD489799C8D5222A2D44C97DCB151A96FAA9
872 | PLUGScheduler.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.029.etl | etl
  MD5: 44A0E917AD0C126931B1BCD959285A9A
  SHA256: DDFBE47E7DFD6D8B7517F2F6FF9808ECF3C0A25F588A9F96D04F4E2B4A578573
872 | PLUGScheduler.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.013.etl | etl
  MD5: A477FE56C25FCDB850EA1AAB8D01B5C2
  SHA256: 5C85DC2B41C2D076D6B2653C0BA5F5681ADABFEBDA8883C704E625EB9338F505
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 52
TCP/UDP connections: 24
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | - | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 404 | 92.123.104.46:443 | https://r.bing.com/rb/4N/jnc,nj/Btu7tBP0vQIHDIMxag4vCxAtQuY.js?bu=FrYs9ir8AYcriyuNK48rtCu9LIMs_BGfLKUswSz8AfwBpSjmK_oR8RH6K-sr&or=w | unknown | - | - | -
- | - | GET | 200 | 92.123.104.37:443 | https://www.bing.com/fd/ls/l?IG=16800713CD244755B15D5E88DF9D3BC0&Type=Event.ClientInst&DATA=[{%22T%22:%22CI.ClientInst%22,%22FID%22:%22CI%22,%22Name%22:%22max%20errors%20reached%22}] | unknown | - | - | -
- | - | GET | 200 | 92.123.104.46:443 | https://r.bing.com/rp/-UAIppANYxiGpRWJy2NDph4qOEw.gz.js | unknown | s | 20.3 Kb | -
- | - | POST | 204 | 92.123.104.41:443 | https://www.bing.com/threshold/xls.aspx | unknown | - | - | -
- | - | POST | 204 | 92.123.104.41:443 | https://www.bing.com/threshold/xls.aspx | unknown | - | - | -
- | - | POST | 204 | 92.123.104.49:443 | https://www.bing.com/fd/ls/lsp.aspx? | unknown | - | - | -
- | - | POST | 204 | 92.123.104.38:443 | https://www.bing.com/fd/ls/lsp.aspx? | unknown | - | - | -
- | - | GET | 200 | 92.123.104.43:443 | https://www.bing.com/manifest/threshold.appcache | unknown | text | 3.36 Kb | -
- | - | GET | 200 | 92.123.104.47:443 | https://r.bing.com/rb/17/jnc,nj/4bnLx4S3ZRMpYV30k3R5vRy8JVg.js?bu=DygxeIQBiQGMAYEBe37EAccBMbcBMcoB&or=w | unknown | s | 21.4 Kb | -

Connections

None of the connections listed below is attributed to MBRLock.exe (PID 7048); the entries that carry a PID belong to Windows and Office background components (System, OfficeClickToRun.exe, RUXIMICS.exe, SearchApp.exe).

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 224.0.0.252:5355 | - | - | - | whitelisted
- | - | 224.0.0.251:5353 | - | - | - | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2908 | OfficeClickToRun.exe | 52.109.28.46:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted
4560 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5052 | SearchApp.exe | 2.23.209.148:443 | r.bing.com | Akamai International B.V. | GB | whitelisted
5052 | SearchApp.exe | 2.23.209.189:443 | r.bing.com | Akamai International B.V. | GB | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.206
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
officeclient.microsoft.com
  • 52.109.28.46
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted
r.bing.com
  • 2.23.209.148
  • 2.23.209.185
  • 2.23.209.149
  • 2.23.209.193
  • 2.23.209.130
  • 2.23.209.133
  • 2.23.209.140
  • 2.23.209.187
  • 2.23.209.189
whitelisted
www.bing.com
  • 2.23.209.189
  • 2.23.209.130
  • 2.23.209.187
  • 2.23.209.150
  • 2.23.209.179
  • 2.23.209.176
  • 2.23.209.185
  • 2.23.209.133
  • 2.23.209.177
whitelisted
self.events.data.microsoft.com
  • 40.79.173.40
whitelisted

Threats

No threats detected
No debug info