File name:

rufus-4.4(1).exe

Full analysis: https://app.any.run/tasks/29be4d5a-e820-4bd3-9e58-310f06f07916
Verdict: Malicious activity
Analysis date: July 09, 2024, 09:48:40
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
upx
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5:

386F1EB5BC98C168431E036C29215C2A

SHA1:

BD97608896320B46684656915778A32EC92ED2C2

SHA256:

FB7D511E9A3D737BC9AFAAF645D666FCE72496D20A184F82F7632ECA01490F7C

SSDEEP:

49152:3VDHlx7SwaaRhXjrt2n11roEyeJvQ2PNZLOylTYazB0fRki1S4La2FMhwCYUuFQx:3VXTRZjrtG11rHy8vTlZL7TYazWR5FLG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • rufus-4.4(1).exe (PID: 6376)

    • Changes the Windows auto-update feature

      • rufus-4.4(1).exe (PID: 6376)

  • SUSPICIOUS

    • Executes as Windows Service

      • vds.exe (PID: 6480)

  • INFO

    • Checks supported languages

      • rufus-4.4(1).exe (PID: 6376)

    • Reads the computer name

      • rufus-4.4(1).exe (PID: 6376)

    • Reads the machine GUID from the registry

      • rufus-4.4(1).exe (PID: 6376)

    • Process checks whether UAC notifications are on

      • rufus-4.4(1).exe (PID: 6376)

    • UPX packer has been detected

      • rufus-4.4(1).exe (PID: 6376)

    • Create files in a temporary directory

      • rufus-4.4(1).exe (PID: 6376)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (87.1)
.exe | Generic Win/DOS Executable (6.4)
.exe | DOS Executable Generic (6.4)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:01:17 14:16:26+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.41
CodeSize: 1380352
InitializedDataSize: 45056
UninitializedDataSize: 2629632
EntryPoint: 0x3d3270
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 4.4.2103.0
ProductVersionNumber: 4.4.2103.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: https://rufus.ie
CompanyName: Akeo Consulting
FileDescription: Rufus
FileVersion: 4.4.2103
InternalName: Rufus
LegalCopyright: © 2011-2024 Pete Batard (GPL v3)
LegalTrademarks: https://www.gnu.org/licenses/gpl-3.0.html
OriginalFileName: rufus-4.4.exe
ProductName: Rufus
ProductVersion: 4.4.2103
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
138
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start THREAT rufus-4.4(1).exe vdsldr.exe no specs vds.exe no specs rufus-4.4(1).exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
6328"C:\Users\admin\AppData\Local\Temp\rufus-4.4(1).exe" C:\Users\admin\AppData\Local\Temp\rufus-4.4(1).exeexplorer.exe
User:
admin
Company:
Akeo Consulting
Integrity Level:
MEDIUM
Description:
Rufus
Exit code:
3221226540
Version:
4.4.2103
6376"C:\Users\admin\AppData\Local\Temp\rufus-4.4(1).exe" C:\Users\admin\AppData\Local\Temp\rufus-4.4(1).exe
explorer.exe
User:
admin
Company:
Akeo Consulting
Integrity Level:
HIGH
Description:
Rufus
Version:
4.4.2103
6444C:\WINDOWS\System32\vdsldr.exe -EmbeddingC:\Windows\System32\vdsldr.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Virtual Disk Service Loader
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vdsldr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
6480C:\WINDOWS\System32\vds.exeC:\Windows\System32\vds.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Virtual Disk Service
Exit code:
258
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vds.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
Total events
474
Read events
413
Write events
29
Delete events
32

Modification events

(PID) Process:(6376) rufus-4.4(1).exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6AA7488E-2AB7-4A57-A953-F3AC07CB1222}Machine\Software\Policies\Microsoft\AppHVSI
Operation:writeName:AllowAppHVSI_ProviderSet
Value:
0
(PID) Process:(6376) rufus-4.4(1).exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6AA7488E-2AB7-4A57-A953-F3AC07CB1222}Machine\Software\Policies\Microsoft\EdgeUpdate
Operation:writeName:UpdateDefault
Value:
0
(PID) Process:(6376) rufus-4.4(1).exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6AA7488E-2AB7-4A57-A953-F3AC07CB1222}Machine\Software\Policies\Microsoft\Windows\Network Connections
Operation:writeName:NC_DoNotShowLocalOnlyIcon
Value:
1
(PID) Process:(6376) rufus-4.4(1).exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6AA7488E-2AB7-4A57-A953-F3AC07CB1222}Machine\Software\Policies\Microsoft\Windows\Windows Feeds
Operation:writeName:EnableFeeds
Value:
0
(PID) Process:(6376) rufus-4.4(1).exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6AA7488E-2AB7-4A57-A953-F3AC07CB1222}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate
Operation:writeName:WUServer
Value:
http://neverupdatewindows10.com
(PID) Process:(6376) rufus-4.4(1).exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6AA7488E-2AB7-4A57-A953-F3AC07CB1222}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate
Operation:writeName:WUStatusServer
Value:
http://neverupdatewindows10.com
(PID) Process:(6376) rufus-4.4(1).exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6AA7488E-2AB7-4A57-A953-F3AC07CB1222}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate
Operation:writeName:UpdateServiceUrlAlternate
Value:
http://neverupdatewindows10.com
(PID) Process:(6376) rufus-4.4(1).exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6AA7488E-2AB7-4A57-A953-F3AC07CB1222}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate
Operation:writeName:**del.FillEmptyContentUrls
Value:
(PID) Process:(6376) rufus-4.4(1).exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6AA7488E-2AB7-4A57-A953-F3AC07CB1222}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
Operation:writeName:UseWUServer
Value:
1
(PID) Process:(6376) rufus-4.4(1).exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{6AA7488E-2AB7-4A57-A953-F3AC07CB1222}Machine\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
Operation:writeName:NoAutoUpdate
Value:
0
Executable files
0
Suspicious files
1
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
6376rufus-4.4(1).exeC:\WINDOWS\System32\GroupPolicy\gpt.initext
MD5:3D89F23265C9E30A0CF055C3EB4D637C
SHA256:806582F6221C79BD4C7EACDC4B63E937CE247EEE2BA159F55C545CDFB2B1C25B
6376rufus-4.4(1).exeC:\WINDOWS\System32\GroupPolicy\Machine\Registry.polbinary
MD5:0C014C71A70DC7758BFDC822E974F1F3
SHA256:8EBD915268E16B55A3ABDE6F612363576FAB5DF656F955D672CCE8889C5FF9CA
6376rufus-4.4(1).exeC:\Users\admin\AppData\Local\Temp\RufEC4C.tmptext
MD5:F7204FBC5D78282AA1BF46EF1A806D46
SHA256:8DDC928624AB5B4AFC2D26E27BD224959FF1318F9494372DF7780C4A95D3DB16
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
30
DNS requests
11
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6808
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
unknown
3508
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
unknown
6940
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
unknown
6808
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4032
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
3508
svchost.exe
40.126.31.67:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3508
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
1060
svchost.exe
23.213.166.81:443
go.microsoft.com
AKAMAI-AS
DE
unknown
3040
OfficeClickToRun.exe
52.111.243.29:443
nexusrules.officeapps.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
2168
svchost.exe
224.0.0.252:5355
whitelisted
2168
svchost.exe
224.0.0.251:5353
unknown
4656
SearchApp.exe
2.16.110.171:443
www.bing.com
Akamai International B.V.
DE
unknown

DNS requests

Domain
IP
Reputation
login.live.com
  • 40.126.31.67
  • 20.190.159.23
  • 20.190.159.71
  • 20.190.159.73
  • 40.126.31.71
  • 40.126.31.69
  • 20.190.159.2
  • 40.126.31.73
whitelisted
go.microsoft.com
  • 23.213.166.81
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.29
whitelisted
www.bing.com
  • 2.16.110.171
  • 2.16.110.168
  • 2.16.110.186
  • 2.16.110.177
  • 2.16.110.179
  • 2.16.110.169
  • 2.16.110.161
  • 2.16.110.153
  • 2.16.110.176
whitelisted
arc.msn.com
  • 20.199.58.43
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
slscr.update.microsoft.com
  • 13.85.23.86
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted

Threats

No threats detected
Process
Message
rufus-4.4(1).exe
*** Rufus init ***
rufus-4.4(1).exe
Cur dir: 'C:\Users\admin\AppData\Local\Temp\'
rufus-4.4(1).exe
App dir: 'C:\Users\admin\AppData\Local\Temp\'
rufus-4.4(1).exe
Sys dir: 'C:\WINDOWS\system32'
rufus-4.4(1).exe
Usr dir: 'C:\Users\admin'
rufus-4.4(1).exe
Dat dir: 'C:\Users\admin\AppData\Local'
rufus-4.4(1).exe
Tmp dir: 'C:\Users\admin\AppData\Local\Temp\'
rufus-4.4(1).exe
Binary executable is signed by 'Microsoft Windows'
rufus-4.4(1).exe
Will use settings from registry
rufus-4.4(1).exe
loc file not found in current directory - embedded one will be used
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
rufus-4.4(1).exe