
Analysis Report rufus-3.8.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 184269
Start date: 21.10.2019
Start time: 18:34:21
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 48s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: rufus-3.8.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: SUS
Classification: sus39.spre.evad.winEXE@3/9@3/3
EGA Information:
  • Successful, ratio: 66.7%
HDC Information:
  • Successful, ratio: 16.2% (good quality ratio 2.5%)
  • Quality average: 6.6%
  • Quality standard deviation: 13.9%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, conhost.exe, CompatTelRunner.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 8.248.141.254, 8.248.131.254, 8.248.115.254, 67.27.157.126, 8.248.113.254, 23.0.174.185, 23.0.174.200, 8.248.117.254, 8.253.95.249, 67.26.83.254, 8.253.95.121, 13.107.4.50, 52.109.88.39, 52.109.76.34
  • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, au.au-msedge.net, prod-w.nexus.live.com.akadns.net, audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, nexus.officeapps.live.com, a767.dscg3.akamai.net, au.c-0001.c-msedge.net, auto.au.download.windowsupdate.com.c.footprint.net
  • Execution Graph export aborted for target rufus-3.8.exe, PID 5360 because there are no executed function
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy  | Score | Range   | Reporting Whitelisted | Detection
Threshold | 39    | 0 - 100 | false                 | suspicious

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 0     | 0 - 5 | true                       |


Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Replication Through Removable Media 11 | Execution through API 1 | Winlogon Helper DLL | Process Injection 1 | Masquerading 11 | Credential Dumping | System Time Discovery 1 | Remote File Copy 1 | Data from Local System | Data Encrypted 12 | Standard Cryptographic Protocol 22
Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Disabling Security Tools 1 | Network Sniffing | Query Registry 1 | Replication Through Removable Media 11 | Data from Removable Media | Exfiltration Over Other Network Medium | Remote File Copy 1
Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Path Interception | Software Packing 11 | Input Capture | Process Discovery 1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Non-Application Layer Protocol 2
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Process Injection 1 | Credentials in Files | Peripheral Device Discovery 1 | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol 2
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Deobfuscate/Decode Files or Information 1 | Account Manipulation | Security Software Discovery 11 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol
Spearphishing Attachment | Graphical User Interface | Modify Existing Service | New Service | Obfuscated Files or Information 21 | Brute Force | Remote System Discovery 1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port
Spearphishing via Service | Scripting | Path Interception | Scheduled Task | DLL Side-Loading 1 | Two-Factor Authentication Interception | File and Directory Discovery 2 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port
Supply Chain Compromise | Third-party Software | Logon Scripts | Process Injection | Indicator Blocking | Bash History | System Information Discovery 12 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol

Signature Overview



Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\rufus-3.8.exe, Code function: 0_2_0042580D CryptAcquireContextW,CryptImportKey,CryptCreateHash,CryptHashData,CryptVerifySignatureW,CryptDestroyHash,CryptReleaseContext,0_2_0042580D
Source: C:\Users\user\Desktop\rufus-3.8.exe, Code function: 0_2_004249E3 calloc,GetModuleHandleW,GetModuleFileNameW,GetLastError,CryptQueryObject,Sleep,CryptMsgGetParam,CryptMsgGetParam,CertFindCertificateInStore,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,calloc,CryptMsgGetParam,CertGetNameStringA,_strcmpi,CertGetNameStringA,0_2_004249E3
Source: C:\Users\user\Desktop\rufus-3.8.exe, Code function: 8_2_004249E3 calloc,GetModuleHandleW,GetModuleFileNameW,GetLastError,CryptQueryObject,Sleep,CryptMsgGetParam,CryptMsgGetParam,CertFindCertificateInStore,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,calloc,CryptMsgGetParam,CertGetNameStringA,_strcmpi,CertGetNameStringA,8_2_004249E3
Source: C:\Users\user\Desktop\rufus-3.8.exe, Code function: 8_2_00436A0E CryptMsgGetParam,GetLastError,_snprintf,calloc,FormatMessageW,GetLastError,WideCharToMultiByte,??3@YAXPAX@Z,SetLastError,SetLastError,GetLastError,_snprintf,SetLastError,_snprintf,8_2_00436A0E

Spreading:

Changes autostart functionality of drives
Source: C:\Users\user\Desktop\rufus-3.8.exe, Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\group policy objects\{486F8C57-C7DE-4AFD-BFC1-38FC191A4BEE}Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer NoDriveTypeAutorun
May infect USB drives
Source: rufus-3.8.exeBinary or memory string: hod that will be used to make the drive bootable" t MSG_165 "Click to select or download an image..." t MSG_166 "Check this box to allow the display of international labels " "and set a device icon (creates an autorun.inf)" t MSG_167 "Install an MBR that
Source: rufus-3.8.exeBinary or memory string: autorun.inf
Source: rufus-3.8.exeBinary or memory string: . (autorun.inf .)" t MSG_167 " MBR BIO
Source: rufus-3.8.exeBinary or memory string: ge..." t MSG_166 "Centang kotak ini untuk menampilkan label internasional dan menyetel ikon perangkat (membuat autorun.inf)" t MSG_167 "Menginstal MBR memungkinkan untuk boot dan dapat memanipulasi ID perangkat USB di BIOS" t MSG_168 "Mencoba menyamarkan pe
Source: rufus-3.8.exeBinary or memory string: tellen (maakt een autorun.inf aan)" t MSG_167 "Installeert een MBR die een opstartselectie toestaat en de BIOS USB-drive ID kan verbergen" t MSG_168 "Probeert de eerste opstartbare USB drive (gewoonlijk 0x80) voor te laten doen als een andere schijf.\nDit is
Source: rufus-3.8.exeBinary or memory string: Check this box to allow the display of international labels and set a device icon (creates an autorun.inf)
Source: rufus-3.8.exeBinary or memory string: autorun.inf
Source: rufus-3.8.exeBinary or memory string: Using autorun.inf label for drive %c: '%s'
Source: rufus-3.8.exeBinary or memory string: #:\autorun.inf
Source: rufus-3.8.exeBinary or memory string: Ignoring autorun.inf label for drive %c: %s
Source: rufus-3.8.exeBinary or memory string: %sautorun.inf
Source: rufus-3.8.exeBinary or memory string: [autorun] icon = autorun.ico label = %s
Source: rufus-3.8.exeBinary or memory string: autorun.inf
Source: rufus-3.8.exeBinary or memory string: [autorun]icon = autorun.icolabel = %s
Source: rufus-3.8.exe, 00000000.00000002.5036651902.0000000000401000.00000040.00020000.sdmpBinary or memory string: NtQueryVolumeInformationFileGetLogicalDriveStrings failed: %sGetLogicalDriveStrings: Buffer too small (required %d vs. %d)\\.\%c:\\.\#:NO_LABELNo medialabelIgnoring autorun.inf label for drive %c: %sUsing autorun.inf label for drive %c: '%s'#:\autorun.infMaster Boot Record%s does not have an x86 %s%s has a %s %s%s has an unknown %sPartition Boot RecordVolume does not have an x86 %sDrive has a %s %sVolume has an unknown FAT16 or FAT32 %sVolume has an unknown %sCould not unmount drive: %s%s is already mounted as %C: instead of %C: - Will now use this target instead...%s is already mounted, but volume GUID could not be checked: %s%s is mounted, but volume GUID doesn't match:
Source: rufus-3.8.exe, 00000000.00000002.5036651902.0000000000401000.00000040.00020000.sdmpBinary or memory string: @iconUnable to create icon '%s': %s.Could not write icon header: %s.Could not write ICONDIRENTRY[%d]: %s.Could not write ICONDIRENTRY[%d] offset: %s.Could not write icon data #%d: %s.Created: %s%sautorun.infr%s already exists - keeping itw, ccs=UTF-16LEUnable to create %sNOTE: This may be caused by a poorly designed security solution. See https://goo.gl/QTobxX.; Created by %s
Source: rufus-3.8.exe, 00000000.00000002.5036651902.0000000000401000.00000040.00020000.sdmpBinary or memory string: [autorun]
Source: rufus-3.8.exe, 00000000.00000002.5036651902.0000000000401000.00000040.00020000.sdmpBinary or memory string: %s%s/Could not access directory %s...rufus_files%s/syslinux-%s/%s Replaced with local version %s Could not replace file: %s File name sanitized to '%s' Ignoring Rock Ridge symbolic link to '%s' Unable to create file: %sautorun.inf NOTE: This is usually caused by a poorly designed security solution. See https://goo.gl/QTobxX.
Source: rufus-3.8.exe, 00000000.00000002.5036651902.0000000000401000.00000040.00020000.sdmpBinary or memory string: International characters are accepted.Toggle advanced optionse select)Toggle advanced optionsationCheck the device for bad blocks using a test patternUncheck this box to use the "slow" format methodMethod that will be used to make the drive bootableClick to select or download an image...Check this box to allow the display of international labels and set a device icon (creates an autorun.inf)Install an MBR that allows boot selection and can masquerade the BIOS USB drive IDTry to masquerade first bootable USB drive (usually 0x80) as a different disk.
Source: rufus-3.8.exe, 00000000.00000002.5036912352.000000000050F000.00000040.00020000.sdmpBinary or memory string: "and set a device icon (creates an autorun.inf)"
Source: rufus-3.8.exe, 00000000.00000002.5036912352.000000000050F000.00000040.00020000.sdmpBinary or memory string: autorun.inf)"
Source: rufus-3.8.exe, 00000000.00000002.5036912352.000000000050F000.00000040.00020000.sdmpBinary or memory string: t MSG_166 "Potvrdite ovo da dozvolite prikaz internacijonalnih oznaka i napravite ikonu (stvara autorun.inf)"
Source: rufus-3.8.exe, 00000000.00000002.5036912352.000000000050F000.00000040.00020000.sdmpBinary or memory string: m souboru autorun.inf)"
Source: rufus-3.8.exe, 00000000.00000002.5036912352.000000000050F000.00000040.00020000.sdmpBinary or memory string: lg denne mulighed for at tillade visning af internationale etiketter og skabe et enheds-ikon (opretter en autorun.inf)"
Source: rufus-3.8.exe, 00000000.00000002.5036912352.000000000050F000.00000040.00020000.sdmpBinary or memory string: t MSG_166 "Aanvinken om weergave van internationale labels toe te laten en een apparaat-pictogram in te stellen (maakt een autorun.inf aan)"
Source: rufus-3.8.exe, 00000000.00000002.5036912352.000000000050F000.00000040.00020000.sdmpBinary or memory string: misen ja asettaaksesi laitekuvakkeen (luo autorun.inf-tiedoston)"
Source: rufus-3.8.exe, 00000000.00000002.5036912352.000000000050F000.00000040.00020000.sdmpBinary or memory string: e un fichier autorun.inf)"
Source: rufus-3.8.exe, 00000000.00000002.5036912352.000000000050F000.00000040.00020000.sdmpBinary or memory string: tesymbol zu erzeugen (Datei autorun.inf)"
Source: rufus-3.8.exe, 00000000.00000002.5036912352.000000000050F000.00000040.00020000.sdmpBinary or memory string: hoz (egy autorun.inf f
Source: rufus-3.8.exe, 00000000.00000002.5036912352.000000000050F000.00000040.00020000.sdmpBinary or memory string: t MSG_166 "Centang kotak ini untuk menampilkan label internasional dan menyetel ikon perangkat (membuat autorun.inf)"
Source: rufus-3.8.exe, 00000000.00000002.5036912352.000000000050F000.00000040.00020000.sdmpBinary or memory string: un file autorun.inf)"
Source: rufus-3.8.exe, 00000000.00000002.5036912352.000000000050F000.00000040.00020000.sdmpBinary or memory string: . (autorun.inf
Source: rufus-3.8.exe, 00000000.00000002.5036912352.000000000050F000.00000040.00020000.sdmpBinary or memory string: ces ikonas izveidei (tiek izveidots fails autorun.inf)"
Source: rufus-3.8.exe, 00000000.00000002.5036912352.000000000050F000.00000040.00020000.sdmpBinary or memory string: (sukuria autorun.inf)"
Source: rufus-3.8.exe, 00000000.00000002.5036912352.000000000050F000.00000040.00020000.sdmpBinary or memory string: t MSG_166 "Klik kotak ini untuk membenarkan paparan label antarabangsa dan menetapkan ikon cakera (akan membuat fail autorun.inf)"
Source: rufus-3.8.exe, 00000000.00000002.5036912352.000000000050F000.00000040.00020000.sdmpBinary or memory string: tillate visning av internasjonal merkelapp og lage et stasjonsikon (lager en autorun.inf)"
Source: rufus-3.8.exe, 00000000.00000002.5036912352.000000000050F000.00000040.00020000.sdmpBinary or memory string: autorun.inf"
Source: rufus-3.8.exe, 00000000.00000002.5036912352.000000000050F000.00000040.00020000.sdmpBinary or memory string: dzenia (tworzy plik autorun.inf)"
Source: rufus-3.8.exe, 00000000.00000002.5036912352.000000000050F000.00000040.00020000.sdmpBinary or memory string: cone para a unidade (cria um arquivo autorun.inf)"
Source: rufus-3.8.exe, 00000000.00000002.5036912352.000000000050F000.00000040.00020000.sdmpBinary or memory string: cone para a unidade (cria um ficheiro autorun.inf)"
Source: rufus-3.8.exe, 00000000.00000002.5036912352.000000000050F000.00000040.00020000.sdmpBinary or memory string: ier autorun.inf)"
Source: rufus-3.8.exe, 00000000.00000002.5036912352.000000000050F000.00000040.00020000.sdmpBinary or memory string: uje autorun.inf)"
Source: rufus-3.8.exe, 00000000.00000002.5036912352.000000000050F000.00000040.00020000.sdmpBinary or memory string: boru autorun.inf)"
Source: rufus-3.8.exe, 00000000.00000002.5036912352.000000000050F000.00000040.00020000.sdmpBinary or memory string: iti prikaz \"mednarodnih\" oznak nosilca in nastaviti ikono za napravo (to ustvari datoteko autorun.inf)."
Source: rufus-3.8.exe, 00000000.00000002.5036912352.000000000050F000.00000040.00020000.sdmpBinary or memory string: n para permitir que se muestren caracteres internacionales y establecer un icono para la unidad (crea un archivo autorun.inf)"
Source: rufus-3.8.exe, 00000000.00000002.5036912352.000000000050F000.00000040.00020000.sdmpBinary or memory string: tta en enhetsikon (en autorun.inf skapas)"
Source: rufus-3.8.exe, 00000000.00000002.5036912352.000000000050F000.00000040.00020000.sdmpBinary or memory string: autorun.inf
Source: rufus-3.8.exe, 00000000.00000002.5036912352.000000000050F000.00000040.00020000.sdmpBinary or memory string: t simgesini belirleyin (autorun.inf olu
Source: rufus-3.8.exe, 00000000.00000002.5036912352.000000000050F000.00000040.00020000.sdmpBinary or memory string: t autorun.inf)"
Source: rufus-3.8.exe, 00000008.00000002.4688649899.0000000000401000.00000040.00020000.sdmpBinary or memory string: NtQueryVolumeInformationFileGetLogicalDriveStrings failed: %sGetLogicalDriveStrings: Buffer too small (required %d vs. %d)\\.\%c:\\.\#:NO_LABELNo medialabelIgnoring autorun.inf label for drive %c: %sUsing autorun.inf label for drive %c: '%s'#:\autorun.infMaster Boot Record%s does not have an x86 %s%s has a %s %s%s has an unknown %sPartition Boot RecordVolume does not have an x86 %sDrive has a %s %sVolume has an unknown FAT16 or FAT32 %sVolume has an unknown %sCould not unmount drive: %s%s is already mounted as %C: instead of %C: - Will now use this target instead...%s is already mounted, but volume GUID could not be checked: %s%s is mounted, but volume GUID doesn't match:
Source: rufus-3.8.exe, 00000008.00000002.4688649899.0000000000401000.00000040.00020000.sdmpBinary or memory string: @iconUnable to create icon '%s': %s.Could not write icon header: %s.Could not write ICONDIRENTRY[%d]: %s.Could not write ICONDIRENTRY[%d] offset: %s.Could not write icon data #%d: %s.Created: %s%sautorun.infr%s already exists - keeping itw, ccs=UTF-16LEUnable to create %sNOTE: This may be caused by a poorly designed security solution. See https://goo.gl/QTobxX.; Created by %s
Source: rufus-3.8.exe, 00000008.00000002.4688649899.0000000000401000.00000040.00020000.sdmpBinary or memory string: [autorun]
Source: rufus-3.8.exe, 00000008.00000002.4688649899.0000000000401000.00000040.00020000.sdmpBinary or memory string: %s%s/Could not access directory %s...rufus_files%s/syslinux-%s/%s Replaced with local version %s Could not replace file: %s File name sanitized to '%s' Ignoring Rock Ridge symbolic link to '%s' Unable to create file: %sautorun.inf NOTE: This is usually caused by a poorly designed security solution. See https://goo.gl/QTobxX.
Source: rufus-3.8.exe, 00000008.00000002.4690161794.0000000000FA0000.00000004.00000001.sdmpBinary or memory string: Check this box to allow the display of international labels and set a device icon (creates an autorun.inf)
Source: rufus-3.8.exe, 00000008.00000002.4689113138.000000000050F000.00000040.00020000.sdmpBinary or memory string: "and set a device icon (creates an autorun.inf)"
Source: rufus-3.8.exe, 00000008.00000002.4689113138.000000000050F000.00000040.00020000.sdmpBinary or memory string: autorun.inf)"
Source: rufus-3.8.exe, 00000008.00000002.4689113138.000000000050F000.00000040.00020000.sdmpBinary or memory string: t MSG_166 "Potvrdite ovo da dozvolite prikaz internacijonalnih oznaka i napravite ikonu (stvara autorun.inf)"
Source: rufus-3.8.exe, 00000008.00000002.4689113138.000000000050F000.00000040.00020000.sdmpBinary or memory string: m souboru autorun.inf)"
Source: rufus-3.8.exe, 00000008.00000002.4689113138.000000000050F000.00000040.00020000.sdmpBinary or memory string: lg denne mulighed for at tillade visning af internationale etiketter og skabe et enheds-ikon (opretter en autorun.inf)"
Source: rufus-3.8.exe, 00000008.00000002.4689113138.000000000050F000.00000040.00020000.sdmpBinary or memory string: t MSG_166 "Aanvinken om weergave van internationale labels toe te laten en een apparaat-pictogram in te stellen (maakt een autorun.inf aan)"
Source: rufus-3.8.exe, 00000008.00000002.4689113138.000000000050F000.00000040.00020000.sdmpBinary or memory string: misen ja asettaaksesi laitekuvakkeen (luo autorun.inf-tiedoston)"
Source: rufus-3.8.exe, 00000008.00000002.4689113138.000000000050F000.00000040.00020000.sdmpBinary or memory string: e un fichier autorun.inf)"
Source: rufus-3.8.exe, 00000008.00000002.4689113138.000000000050F000.00000040.00020000.sdmpBinary or memory string: tesymbol zu erzeugen (Datei autorun.inf)"
Source: rufus-3.8.exe, 00000008.00000002.4689113138.000000000050F000.00000040.00020000.sdmpBinary or memory string: hoz (egy autorun.inf f
Source: rufus-3.8.exe, 00000008.00000002.4689113138.000000000050F000.00000040.00020000.sdmpBinary or memory string: t MSG_166 "Centang kotak ini untuk menampilkan label internasional dan menyetel ikon perangkat (membuat autorun.inf)"
Source: rufus-3.8.exe, 00000008.00000002.4689113138.000000000050F000.00000040.00020000.sdmpBinary or memory string: un file autorun.inf)"
Source: rufus-3.8.exe, 00000008.00000002.4689113138.000000000050F000.00000040.00020000.sdmpBinary or memory string: . (autorun.inf
Source: rufus-3.8.exe, 00000008.00000002.4689113138.000000000050F000.00000040.00020000.sdmpBinary or memory string: ces ikonas izveidei (tiek izveidots fails autorun.inf)"
Source: rufus-3.8.exe, 00000008.00000002.4689113138.000000000050F000.00000040.00020000.sdmpBinary or memory string: (sukuria autorun.inf)"
Source: rufus-3.8.exe, 00000008.00000002.4689113138.000000000050F000.00000040.00020000.sdmpBinary or memory string: t MSG_166 "Klik kotak ini untuk membenarkan paparan label antarabangsa dan menetapkan ikon cakera (akan membuat fail autorun.inf)"
Source: rufus-3.8.exe, 00000008.00000002.4689113138.000000000050F000.00000040.00020000.sdmpBinary or memory string: tillate visning av internasjonal merkelapp og lage et stasjonsikon (lager en autorun.inf)"
Source: rufus-3.8.exe, 00000008.00000002.4689113138.000000000050F000.00000040.00020000.sdmpBinary or memory string: autorun.inf"
Source: rufus-3.8.exe, 00000008.00000002.4689113138.000000000050F000.00000040.00020000.sdmpBinary or memory string: dzenia (tworzy plik autorun.inf)"
Source: rufus-3.8.exe, 00000008.00000002.4689113138.000000000050F000.00000040.00020000.sdmpBinary or memory string: cone para a unidade (cria um arquivo autorun.inf)"
Source: rufus-3.8.exe, 00000008.00000002.4689113138.000000000050F000.00000040.00020000.sdmpBinary or memory string: cone para a unidade (cria um ficheiro autorun.inf)"
Source: rufus-3.8.exe, 00000008.00000002.4689113138.000000000050F000.00000040.00020000.sdmpBinary or memory string: ier autorun.inf)"
Source: rufus-3.8.exe, 00000008.00000002.4689113138.000000000050F000.00000040.00020000.sdmpBinary or memory string: uje autorun.inf)"
Source: rufus-3.8.exe, 00000008.00000002.4689113138.000000000050F000.00000040.00020000.sdmpBinary or memory string: boru autorun.inf)"
Source: rufus-3.8.exe, 00000008.00000002.4689113138.000000000050F000.00000040.00020000.sdmpBinary or memory string: iti prikaz \"mednarodnih\" oznak nosilca in nastaviti ikono za napravo (to ustvari datoteko autorun.inf)."
Source: rufus-3.8.exe, 00000008.00000002.4689113138.000000000050F000.00000040.00020000.sdmpBinary or memory string: n para permitir que se muestren caracteres internacionales y establecer un icono para la unidad (crea un archivo autorun.inf)"
Source: rufus-3.8.exe, 00000008.00000002.4689113138.000000000050F000.00000040.00020000.sdmpBinary or memory string: tta en enhetsikon (en autorun.inf skapas)"
Source: rufus-3.8.exe, 00000008.00000002.4689113138.000000000050F000.00000040.00020000.sdmpBinary or memory string: autorun.inf
Source: rufus-3.8.exe, 00000008.00000002.4689113138.000000000050F000.00000040.00020000.sdmpBinary or memory string: t simgesini belirleyin (autorun.inf olu
Source: rufus-3.8.exe, 00000008.00000002.4689113138.000000000050F000.00000040.00020000.sdmpBinary or memory string: t autorun.inf)"
Source: Ruf1C85.tmp.8.drBinary or memory string: "and set a device icon (creates an autorun.inf)"
Source: Ruf1C85.tmp.8.drBinary or memory string: autorun.inf)"
Source: Ruf1C85.tmp.8.drBinary or memory string: t MSG_166 "Potvrdite ovo da dozvolite prikaz internacijonalnih oznaka i napravite ikonu (stvara autorun.inf)"
Source: Ruf1C85.tmp.8.drBinary or memory string: m souboru autorun.inf)"
Source: Ruf1C85.tmp.8.drBinary or memory string: lg denne mulighed for at tillade visning af internationale etiketter og skabe et enheds-ikon (opretter en autorun.inf)"
Source: Ruf1C85.tmp.8.drBinary or memory string: t MSG_166 "Aanvinken om weergave van internationale labels toe te laten en een apparaat-pictogram in te stellen (maakt een autorun.inf aan)"
Source: Ruf1C85.tmp.8.drBinary or memory string: misen ja asettaaksesi laitekuvakkeen (luo autorun.inf-tiedoston)"
Source: Ruf1C85.tmp.8.drBinary or memory string: e un fichier autorun.inf)"
Source: Ruf1C85.tmp.8.drBinary or memory string: tesymbol zu erzeugen (Datei autorun.inf)"
Source: Ruf1C85.tmp.8.drBinary or memory string: hoz (egy autorun.inf f
Source: Ruf1C85.tmp.8.drBinary or memory string: t MSG_166 "Centang kotak ini untuk menampilkan label internasional dan menyetel ikon perangkat (membuat autorun.inf)"
Source: Ruf1C85.tmp.8.drBinary or memory string: un file autorun.inf)"
Source: Ruf1C85.tmp.8.drBinary or memory string: autorun.inf
Source: Ruf1C85.tmp.8.drBinary or memory string: . (autorun.inf
Source: Ruf1C85.tmp.8.drBinary or memory string: ces ikonas izveidei (tiek izveidots fails autorun.inf)"
Source: Ruf1C85.tmp.8.drBinary or memory string: (sukuria autorun.inf)"
Source: Ruf1C85.tmp.8.drBinary or memory string: t MSG_166 "Klik kotak ini untuk membenarkan paparan label antarabangsa dan menetapkan ikon cakera (akan membuat fail autorun.inf)"
Source: Ruf1C85.tmp.8.drBinary or memory string: tillate visning av internasjonal merkelapp og lage et stasjonsikon (lager en autorun.inf)"
Source: Ruf1C85.tmp.8.drBinary or memory string: autorun.inf"
Source: Ruf1C85.tmp.8.drBinary or memory string: dzenia (tworzy plik autorun.inf)"
Source: Ruf1C85.tmp.8.drBinary or memory string: cone para a unidade (cria um arquivo autorun.inf)"
Source: Ruf1C85.tmp.8.drBinary or memory string: cone para a unidade (cria um ficheiro autorun.inf)"
Source: Ruf1C85.tmp.8.drBinary or memory string: ier autorun.inf)"
Source: Ruf1C85.tmp.8.drBinary or memory string: uje autorun.inf)"
Source: Ruf1C85.tmp.8.drBinary or memory string: boru autorun.inf)"
Source: Ruf1C85.tmp.8.drBinary or memory string: iti prikaz \"mednarodnih\" oznak nosilca in nastaviti ikono za napravo (to ustvari datoteko autorun.inf)."
Source: Ruf1C85.tmp.8.drBinary or memory string: n para permitir que se muestren caracteres internacionales y establecer un icono para la unidad (crea un archivo autorun.inf)"
Source: Ruf1C85.tmp.8.drBinary or memory string: tta en enhetsikon (en autorun.inf skapas)"
Source: Ruf1C85.tmp.8.drBinary or memory string: autorun.inf
Source: Ruf1C85.tmp.8.drBinary or memory string: t simgesini belirleyin (autorun.inf olu
Source: Ruf1C85.tmp.8.drBinary or memory string: t autorun.inf)"
Contains functionality to query local drives
Source: C:\Users\user\Desktop\rufus-3.8.exe, Code function: 0_2_0040CAEB GetLogicalDriveStringsA,isalpha,toupper,0_2_0040CAEB

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View, IP Address: 140.82.118.3 140.82.118.3
Source: Joe Sandbox View, IP Address: 185.199.109.153 185.199.109.153
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Contains functionality to download additional files from the internet
Source: C:\Users\user\Desktop\rufus-3.8.exe, Code function: 0_2_0041E833 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetCrackUrlA,InternetCrackUrlA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,HttpQueryInfoA,SetLastError,HttpQueryInfoA,_atoi64,_snprintf,calloc,InternetReadFile,WriteFile,GetLastError,FlushFileBuffers,CloseHandle,??3@YAXPAX@Z,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,SetLastError,0_2_0041E833
Found strings which match known social media URLs
Source: rufus-3.8.exe, 00000000.00000002.5038070992.0000000000B6E000.00000004.00000020.sdmp, String found in binary or memory: .hotmail.com1&0 equals www.hotmail.com (Hotmail)
Source: rufus-3.8.exe, 00000000.00000002.5038070992.0000000000B6E000.00000004.00000020.sdmp, String found in binary or memory: hotmail.co.uk1 equals www.hotmail.com (Hotmail)
Source: rufus-3.8.exe, 00000000.00000002.5038070992.0000000000B6E000.00000004.00000020.sdmp, String found in binary or memory: hotmail.com1 equals www.hotmail.com (Hotmail)
Performs DNS lookups
Source: unknown, DNS traffic detected: queries for: rufus.ie
URLs found in memory or binary data
Uses HTTPS
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown; Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49767

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\Users\user\Desktop\rufus-3.8.exe; Code function: 0_2_0042580D: CryptAcquireContextW, CryptImportKey, CryptCreateHash, CryptHashData, CryptVerifySignatureW, CryptDestroyHash, CryptReleaseContext

System Summary:

Contains functionality to call native functions
Source: C:\Users\user\Desktop\rufus-3.8.exe; Code function: 0_2_0042704D: GetProcAddress, GetProcAddress, GetProcAddress, NtOpenProcessToken, NtAdjustPrivilegesToken, NtClose, _snprintf
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\rufus-3.8.exe; Code function: 0_2_0040B19D: CreateFileA, DeviceIoControl, FindCloseChangeNotification
Creates files inside the system directory
Source: C:\Users\user\Desktop\rufus-3.8.exe; File created: C:\Windows\SysWOW64\GroupPolicy\gpt.ini
Creates mutexes
Source: C:\Users\user\Desktop\rufus-3.8.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global/Rufus
Source: C:\Users\user\Desktop\rufus-3.8.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global/Rufus_CmdLine
Detected potential crypto function
Dropped file seen in connection with other malware
Source: Joe Sandbox View; Dropped File: C:\Users\user\Desktop\rufus.com 5F819F6EAE4B5845C082EDF14CB389AB9805BC3C17440F3B5398D4FDD0079FFE
Enables driver privileges
Source: C:\Users\user\Desktop\rufus-3.8.exe; Process token adjusted: Load Driver
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\rufus-3.8.exe; Code function: String function: 00436597 appears 1521 times
PE file contains executable resources (Code or Archives)
Source: rufus-3.8.exe; Static PE information: Resource name: RT_RCDATA type: COM executable for DOS
PE file contains strange resources
Source: rufus-3.8.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Reads the hosts file
Source: C:\Users\user\Desktop\rufus-3.8.exe; File read: C:\Windows\System32\drivers\etc\hosts
Sample file is different than original file name gathered from version info
Source: rufus-3.8.exe, 00000000.00000002.5036546251.00000000001E0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs rufus-3.8.exe
Source: rufus-3.8.exe, 00000000.00000002.5039779705.0000000003130000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameimageres.DLLj% vs rufus-3.8.exe
Source: rufus-3.8.exe, 00000000.00000002.5047670388.0000000004C80000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamemswsock.dll.muij% vs rufus-3.8.exe
Source: rufus-3.8.exe, 00000000.00000002.5054693421.0000000006BE0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamecomdlg32.dll.muij% vs rufus-3.8.exe
Source: rufus-3.8.exe, 00000008.00000002.4688543608.00000000001E0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs rufus-3.8.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\rufus-3.8.exe; Section loaded: wow64log.dll
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
Source: rufus-3.8.exe; Static PE information: Section: UPX1 ZLIB complexity 0.999147860837
Classification label
Source: classification engine; Classification label: sus39.spre.evad.winEXE@3/9@3/3
Contains functionality for error logging
Source: C:\Users\user\Desktop\rufus-3.8.exe; Code function: 0_2_00436A0E: GetLastError, _snprintf, calloc, FormatMessageW, GetLastError, WideCharToMultiByte, ??3@YAXPAX@Z, SetLastError, SetLastError, GetLastError, _snprintf, SetLastError, _snprintf
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\rufus-3.8.exe; Code function: 0_2_00435812: FindResourceA, LoadResource, SizeofResource, malloc, LockResource, LockResource
Creates files inside the user directory
Source: C:\Users\user\Desktop\rufus-3.8.exe; File created: C:\Users\user\Desktop\rufus.com
Creates temporary files
Source: C:\Users\user\Desktop\rufus-3.8.exe; File created: C:\Users\user~1\AppData\Local\Temp\RufE3E1.tmp
Reads ini files
Source: C:\Users\user\Desktop\rufus-3.8.exe; File read: C:\Windows\SysWOW64\GroupPolicy\gpt.ini
Reads software policies
Source: C:\Users\user\Desktop\rufus-3.8.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample might require command line arguments
Source: rufus-3.8.exe; String found in binary or memory: gen worden als het bestand al bestaat. Als er geen bestand online wordt gevonden, dan zal de standaard versie worden gebruikt." t MSG_117 "Standaard Windows-installatie" t MSG_119 "Geavanceerde eigenschappen van drive" t MSG_120 "Geavanceerde opties voor fo
Source: rufus-3.8.exe; String found in binary or memory: :size Sets maximum size of line edit buffer (default:128) /MACROS Displays all DOSKey macros /OVERSTRIKE Overwrites new characters onto line when typing (default) /REINSTALL Installs a new copy of DOSKey macroname Specifie
Source: rufus-3.8.exe; String found in binary or memory: -h, --help
Source: rufus-3.8.exe; String found in binary or memory: -h, --help
Source: rufus-3.8.exe; String found in binary or memory: /boot/i386/loader/isolinux.cfg
Source: rufus-3.8.exe; String found in binary or memory: /boot/x86_64/loader/isolinux.cfg
Source: rufus-3.8.exe; String found in binary or memory: the command to carry out for each file. command-parameters Specifies parameters or switches for the specified command. To use the FOR command in a batch program, specify %%variable instead of %variable. For example: FOR %f IN (---start--- a*
Spawns processes
Source: unknown; Process created: C:\Users\user\Desktop\rufus-3.8.exe 'C:\Users\user\Desktop\rufus-3.8.exe'
Source: unknown; Process created: C:\Users\user\Desktop\rufus-3.8.exe unknown
Source: unknown; Process created: C:\Users\user\Desktop\rufus-3.8.exe 'C:\Users\user\Desktop\rufus-3.8.exe'
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\rufus-3.8.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA502722-A23D-11D1-A7D3-0000F87571E3}\InProcServer32
Writes ini files
Source: C:\Users\user\Desktop\rufus-3.8.exe; File written: C:\Windows\SysWOW64\GroupPolicy\gpt.ini
Found graphical window changes (likely an installer)
Source: Window Recorder; Window detected: More than 3 window changes detected
Found window with many clickable UI elements (buttons, textforms, scrollbars etc)
Source: C:\Users\user\Desktop\rufus-3.8.exe; Window detected: Number of UI elements: 28
Source: C:\Users\user\Desktop\rufus-3.8.exe; Window detected: Number of UI elements: 33
PE file has a valid certificate
Source: rufus-3.8.exe; Static PE information: certificate valid
Submission file is bigger than most known malware samples
Source: rufus-3.8.exe; Static file information: File size 1138744 > 1048576
PE file has a big raw section
Source: rufus-3.8.exe; Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x109e00
Binary contains paths to debug symbols
Source: Binary string: D:\efifs\x64\Release\ntfs_x64.pdb; source: rufus-3.8.exe, 00000000.00000002.5037373678.000000000069C000.00000040.00020000.sdmp, rufus-3.8.exe, 00000008.00000002.4689645271.000000000069C000.00000040.00020000.sdmp
Source: Binary string: D:\efifs\aa64\Release\ntfs_aa64.pdb; source: rufus-3.8.exe, 00000000.00000002.5037373678.000000000069C000.00000040.00020000.sdmp, rufus-3.8.exe, 00000008.00000002.4689645271.000000000069C000.00000040.00020000.sdmp
Source: Binary string: C:\uefi-ntfs\aa64\Release\bootaa64.pdb; source: rufus-3.8.exe, 00000000.00000002.5037373678.000000000069C000.00000040.00020000.sdmp, rufus-3.8.exe, 00000008.00000002.4689645271.000000000069C000.00000040.00020000.sdmp
Source: Binary string: D:\efifs\aa64\Release\ntfs_aa64.pdb source: rufus-3.8.exe, 00000000.00000002.5037373678.000000000069C000.00000040.00020000.sdmp, rufus-3.8.exe, 00000008.00000002.4689645271.000000000069C000.00000040.00020000.sdmp
Source: Binary string: D:\efifs\arm\Release\ntfs_arm.pdb$ source: rufus-3.8.exe, 00000000.00000002.5037373678.000000000069C000.00000040.00020000.sdmp, rufus-3.8.exe, 00000008.00000002.4689645271.000000000069C000.00000040.00020000.sdmp
Source: Binary string: D:\efifs\ia32\Release\ntfs_ia32.pdb source: rufus-3.8.exe, 00000000.00000002.5037373678.000000000069C000.00000040.00020000.sdmp, rufus-3.8.exe, 00000008.00000002.4689645271.000000000069C000.00000040.00020000.sdmp
Source: Binary string: C:\uefi-ntfs\arm\Release\bootarm.pdb source: rufus-3.8.exe, 00000000.00000002.5037373678.000000000069C000.00000040.00020000.sdmp, rufus-3.8.exe, 00000008.00000002.4689645271.000000000069C000.00000040.00020000.sdmp
Source: Binary string: D:\efifs\arm\Release\ntfs_arm.pdb source: rufus-3.8.exe, 00000000.00000002.5037373678.000000000069C000.00000040.00020000.sdmp, rufus-3.8.exe, 00000008.00000002.4689645271.000000000069C000.00000040.00020000.sdmp
Source: Binary string: C:\uefi-ntfs\ia32\Release\bootia32.pdb source: rufus-3.8.exe, 00000000.00000002.5037373678.000000000069C000.00000040.00020000.sdmp, rufus-3.8.exe, 00000008.00000002.4689645271.000000000069C000.00000040.00020000.sdmp
Source: Binary string: D:\efifs\ia32\Release\ntfs_ia32.pdb source: rufus-3.8.exe, 00000000.00000002.5037373678.000000000069C000.00000040.00020000.sdmp, rufus-3.8.exe, 00000008.00000002.4689645271.000000000069C000.00000040.00020000.sdmp
Source: Binary string: D:\efifs\x64\Release\ntfs_x64.pdb source: rufus-3.8.exe, 00000000.00000002.5037373678.000000000069C000.00000040.00020000.sdmp, rufus-3.8.exe, 00000008.00000002.4689645271.000000000069C000.00000040.00020000.sdmp
Source: Binary string: C:\uefi-ntfs\x64\Release\bootx64.pdb source: rufus-3.8.exe, 00000000.00000002.5037373678.000000000069C000.00000040.00020000.sdmp, rufus-3.8.exe, 00000008.00000002.4689645271.000000000069C000.00000040.00020000.sdmp

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\rufus-3.8.exe | Code function: 0_2_00401500 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress (0_2_00401500)
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\rufus-3.8.exe | Code function: 0_2_0041E833 push edi; mov dword ptr [esp], ebx (0_2_0041F2FA)
Source: C:\Users\user\Desktop\rufus-3.8.exe | Code function: 0_2_0043EB59 push eax; mov dword ptr [esp], 00000C4Dh (0_2_0043ECD0)
Source: C:\Users\user\Desktop\rufus-3.8.exe | Code function: 0_2_00435DEE push ecx; mov dword ptr [esp], esi (0_2_00436006)
Source: C:\Users\user\Desktop\rufus-3.8.exe | Code function: 0_2_00435950 push ecx; mov dword ptr [esp], eax (0_2_00435CA0)
Source: C:\Users\user\Desktop\rufus-3.8.exe | Code function: 0_2_00405166 push edx; mov dword ptr [esp], eax (0_2_00405356)
Source: C:\Users\user\Desktop\rufus-3.8.exe | Code function: 0_2_00405166 push edx; mov dword ptr [esp], eax (0_2_00405384)
Source: C:\Users\user\Desktop\rufus-3.8.exe | Code function: 0_2_00419A09 push eax; mov dword ptr [esp], ebx (0_2_00419EC7)
Source: C:\Users\user\Desktop\rufus-3.8.exe | Code function: 0_2_00417AE0 push edx; mov dword ptr [esp], eax (0_2_00417E03)
Source: C:\Users\user\Desktop\rufus-3.8.exe | Code function: 0_2_0041AC6F push eax; mov dword ptr [esp], esi (0_2_0041B379)
Source: C:\Users\user\Desktop\rufus-3.8.exe | Code function: 0_2_004134A4 push eax; iretd (0_2_004134B1)
Source: C:\Users\user\Desktop\rufus-3.8.exe | Code function: 0_2_00426D72 push edx; mov dword ptr [esp], 00491F58h (0_2_00426EED)
Source: C:\Users\user\Desktop\rufus-3.8.exe | Code function: 0_2_0041064A push eax; mov dword ptr [esp], ebx (0_2_00411398)
Source: C:\Users\user\Desktop\rufus-3.8.exe | Code function: 0_2_00439FD2 push eax; mov dword ptr [esp], ebx (0_2_0043A036)
Source: C:\Users\user\Desktop\rufus-3.8.exe | Code function: 8_2_00435950 push ecx; mov dword ptr [esp], eax (8_2_00435CA0)
Source: C:\Users\user\Desktop\rufus-3.8.exe | Code function: 8_2_00405166 push edx; mov dword ptr [esp], eax (8_2_00405356)
Source: C:\Users\user\Desktop\rufus-3.8.exe | Code function: 8_2_00405166 push edx; mov dword ptr [esp], eax (8_2_00405384)
Source: C:\Users\user\Desktop\rufus-3.8.exe | Code function: 8_2_00419A09 push eax; mov dword ptr [esp], ebx (8_2_00419EC7)
Source: C:\Users\user\Desktop\rufus-3.8.exe | Code function: 8_2_00417AE0 push edx; mov dword ptr [esp], eax (8_2_00417E03)
Source: C:\Users\user\Desktop\rufus-3.8.exe | Code function: 8_2_0043EB59 push eax; mov dword ptr [esp], 00000C4Dh (8_2_0043ECD0)
Source: C:\Users\user\Desktop\rufus-3.8.exe | Code function: 8_2_0041AC6F push eax; mov dword ptr [esp], esi (8_2_0041B379)
Source: C:\Users\user\Desktop\rufus-3.8.exe | Code function: 8_2_004134A4 push eax; iretd (8_2_004134B1)
Source: C:\Users\user\Desktop\rufus-3.8.exe | Code function: 8_2_00426D72 push edx; mov dword ptr [esp], 00491F58h (8_2_00426EED)
Source: C:\Users\user\Desktop\rufus-3.8.exe | Code function: 8_2_00435DEE push ecx; mov dword ptr [esp], esi (8_2_00436006)
Source: C:\Users\user\Desktop\rufus-3.8.exe | Code function: 8_2_0041064A push eax; mov dword ptr [esp], ebx (8_2_00411398)
Source: C:\Users\user\Desktop\rufus-3.8.exe | Code function: 8_2_00439FD2 push eax; mov dword ptr [esp], ebx (8_2_0043A036)
Sample is packed with UPX
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
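
The static signatures above ("PE file has a valid certificate", "PE file has a big raw section", "Binary contains paths to debug symbols", "Sample is packed with UPX") can be re-checked without the sandbox. What follows is an added example and not Joe Sandbox or Rufus code: a dependency-free Python reader of the PE section table and the security data directory, plus a scan for CodeView RSDS records, which is where PDB paths are stored. It runs on a constructed, header-only PE32 fixture whose numbers mirror this report (UPX0/UPX1 sections, UPX1 raw size 0x109e00, a non-empty security directory, one of the ntfs_x64.pdb paths); run it with a real file as its argument to reproduce on the sample. Two caveats for the reviewer: a non-empty security directory only says a signature blob is attached, not that the chain verifies (use `signtool verify /pa` or `osslsigncode verify` for that); and in a UPX-packed file the payload's RSDS records are compressed, which is why the report cites them from memory dumps (.sdmp) rather than from the file on disk. Judging from the file names (ntfs_*.pdb, boot*.pdb), the paths belong to EFI driver and loader images carried inside rufus-3.8.exe rather than to the main executable's own symbols.

```python
import re
import struct

BIG_RAW_SECTION = 0x100000          # threshold the report applies to "big raw section"
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Authenticode signature directory index
# CodeView "RSDS" record: signature, 16-byte GUID, 4-byte age, NUL-terminated PDB path
RSDS = re.compile(rb"RSDS.{20}([\x20-\x7e]{1,260}?)\x00", re.DOTALL)


def parse_pe(data):
    """Return (sections, security_dir) from the PE headers; raises on non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = {0x10B: 96, 0x20B: 112}[magic]      # data directory offset: PE32 vs PE32+
    ndirs = struct.unpack_from("<I", data, opt + dirs - 4)[0]
    security = (0, 0)
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        security = struct.unpack_from("<II", data, opt + dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    for i in range(nsections):
        name, vsize, rva, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.split(b"\0", 1)[0].decode("ascii", "replace"),
                         "virtual_size": vsize, "rva": rva, "raw_size": rsize, "raw_ptr": rptr})
    return sections, security


def find_pdb_paths(data):
    """PDB paths from CodeView RSDS records anywhere in the buffer (file or memory dump)."""
    return [m.group(1).decode("ascii") for m in RSDS.finditer(data)]


def triage(data):
    """The static facts the report states, recomputed from the bytes."""
    sections, security = parse_pe(data)
    return {
        "upx_sections": [s["name"] for s in sections if s["name"].startswith("UPX")],
        "big_raw_sections": {s["name"]: s["raw_size"] for s in sections
                             if s["raw_size"] > BIG_RAW_SECTION},
        "has_security_directory": security[1] > 0,   # blob present; NOT a signature check
        "pdb_paths": find_pdb_paths(data),
    }


def build_fixture():
    """Constructed header-only PE32 fixture mirroring the report's numbers; not rufus-3.8.exe."""
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        (b"UPX0", 0x60000, 0x1000, 0, 0x400),
        (b"UPX1", 0x10A000, 0x61000, 0x109E00, 0x400),
        (b".rsrc", 0x4000, 0x16B000, 0x3600, 0x10A200),
    ]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x10F)
    opt = bytearray(0xE0)                                        # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x10D800, 0x1F38)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0xE0000040)
                    for n, vs, va, rs, rp in sections)
    codeview = (b"RSDS" + bytes(range(16)) + struct.pack("<I", 1)
                + b"D:\\efifs\\x64\\Release\\ntfs_x64.pdb\0")
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs + b"\0" * 64 + codeview


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fixture()
    for key, value in triage(blob).items():
        print(f"{key}: {value}")
```

Running it on the unpacked memory dump rather than the file on disk is what reproduces the PDB list; running it on the file reproduces the section and security-directory findings.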

Persistence and Installation Behavior:

Drops PE files with a suspicious file extension
Source: C:\Users\user\Desktop\rufus-3.8.exe | File created: C:\Users\user\Desktop\rufus.com
Drops PE files
Source: C:\Users\user\Desktop\rufus-3.8.exe | File created: C:\Users\user\Desktop\rufus.com

Malware Analysis System Evasion:

Contains functionality to read device registry values (via SetupAPI)
Source: C:\Users\user\Desktop\rufus-3.8.exe | Code function: 0_2_004072EB SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyA,_strcmpi (0_2_004072EB)
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\rufus-3.8.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\rufus.com
Found evasive API chain (may stop execution after accessing registry keys)
Source: C:\Users\user\Desktop\rufus-3.8.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep (graph_0-31652)
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\rufus-3.8.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\rufus-3.8.exe | API coverage: 5.1 %
Source: C:\Users\user\Desktop\rufus-3.8.exe | API coverage: 1.6 %
Contains functionality to query local drives
Source: C:\Users\user\Desktop\rufus-3.8.exe | Code function: 0_2_0040CAEB GetLogicalDriveStringsA,isalpha,toupper (0_2_0040CAEB)
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Note: the strings matched below are Rufus's own localized UI message table (the MSG_265 "VMWare disk detection" label, repeated once per language) and storage vendor identifier strings such as "VMware__VMware_Virtual_S"; this signature fires on string content, not on an observed hypervisor check.
Source: rufus-3.8.exe | Binary or memory string: VMware__VMware_Virtual_S
Source: Ruf1C85.tmp.8.dr | Binary or memory string: t MSG_265 "A detetar disco VMWare"
Source: Ruf1C85.tmp.8.dr | Binary or memory string: t MSG_265 "VMWare-Laufwerks-Erkennung"
Source: rufus-3.8.exe | Binary or memory string: dimensione CORRETTA" t MSG_264 "Eliminazione cartella '%s'" t MSG_265 "Rilevamento disco VMWare" t MSG_266 "Modo duale UEFI/BIOS" t MSG_267 "Applicazione immagine Windows: %s" t MSG_268 "Applicazione immagine Windows..." t MSG_269 "Preserva data/ora" t
Source: Ruf1C85.tmp.8.dr | Binary or memory string: w VMWare"
Source: rufus-3.8.exe, 00000000.00000002.5037979797.0000000000B1B000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
Source: rufus-3.8.exe | Binary or memory string: w VMWare" t MSG_266 "Tryb dual UEFI/BIOS" t MSG_267 "Zastosowywanie obrazu Windows: %s" t MSG_268 "Zastosowywanie obrazu Windows..." t MSG_269 "Zachowaj znacziki czasu" t MSG_270 "Debugowanie USB" t MSG_271 "Obliczanie sum kontrolnych obrazu: %s" t MSG_
Source: Ruf1C85.tmp.8.dr | Binary or memory string: t MSG_265 "VMWare-levyn havaitseminen"
Source: Ruf1C85.tmp.8.dr | Binary or memory string: t MSG_265 "VMWare-schijfdetectie"
Source: Ruf1C85.tmp.8.dr | Binary or memory string: t MSG_265 "Deteksi VMWare disk"
Source: Ruf1C85.tmp.8.dr | Binary or memory string: t MSG_265 "Detectare disc VMWare"
Source: Ruf1C85.tmp.8.dr | Binary or memory string: t MSG_265 "VMWare disk detection"
Source: Ruf1C85.tmp.8.dr | Binary or memory string: t MSG_265 "VMware lemez
Source: Ruf1C85.tmp.8.dr | Binary or memory string: tection de disque VMWare"
Source: Ruf1C85.tmp.8.dr | Binary or memory string: o de disco VMWare"
Source: Ruf1C85.tmp.8.dr | Binary or memory string: t MSG_265 "VMWare detekce disk"
Source: rufus-3.8.exe, 00000008.00000002.4690224347.0000000001107000.00000004.00000040.sdmp | Binary or memory string: VMWare disk detection+y
Source: Ruf1C85.tmp.8.dr | Binary or memory string: vanie VMWare disku"
Source: Ruf1C85.tmp.8.dr | Binary or memory string: t MSG_265 "Zaznavanje diskov VMware"
Source: rufus-3.8.exe, 00000008.00000002.4690224347.0000000001107000.00000004.00000040.sdmp | Binary or memory string: VMWare disk detection
Source: rufus-3.8.exe | Binary or memory string: sche Ordner '%s'" t MSG_265 "VMWare-Laufwerks-Erkennung" t MSG_266 "Dualer UEFI/BIOS-Modus" t MSG_267 "Spiele Windows-Abbild auf: %s" t MSG_268 "Windows-Abbild aufspielen..." t MSG_269 "Zeitstempel bewahren" t MSG_270 "USB Testmodus" t MSG_271 "Berechne
Source: Ruf1C85.tmp.8.dr | Binary or memory string: t MSG_265 "Pengesanan cakera VMWare"
Source: Ruf1C85.tmp.8.dr | Binary or memory string: a VMWare"
Source: Ruf1C85.tmp.8.dr | Binary or memory string: t MSG_265 "VMWare
Source: rufus-3.8.exe | Binary or memory string: on" t MSG_261 "Writing image: %s" t MSG_262 "ISO Support" t MSG_263 "Use PROPER size units" t MSG_264 "Deleting directory '%s'" t MSG_265 "VMWare disk detection" t MSG_266 "Dual UEFI/BIOS mode" t MSG_267 "Applying Windows image: %s" t MSG_268 "Applying
Source: Ruf1C85.tmp.8.dr | Binary or memory string: t MSG_265 "VMWare disk detektering"
Source: rufus-3.8.exe | Binary or memory string: rrelsesenhet" t MSG_264 "Sletter mappe '%s'" t MSG_265 "VMWare-disk oppdagelse" t MSG_266 "Dobbel UEFI/BIOS-innstilling" t MSG_267 "Legger til Windows-bilde: %s" t MSG_268 "Legger til Windows-bilde..." t MSG_269 "Bevarer tidskode" t MSG_270 "USB-avkodin
Source: Ruf1C85.tmp.8.dr | Binary or memory string: t MSG_265 "Rilevamento disco VMWare"
Source: rufus-3.8.exe | Binary or memory string: o NTFS" t MSG_261 "A criar imagem: %s" t MSG_262 "Suporte ISO" t MSG_263 "Usar unidade de tamanho APROPRIADO" t MSG_264 "A eliminar pasta '%s'" t MSG_265 "A detetar disco VMWare" t MSG_266 "Modo duplo UEFI/BIOS" t MSG_267 "Aplicar imagem Windows: %s" t
Source: Ruf1C85.tmp.8.dr | Binary or memory string: t MSG_265 "VMWare diskdetekteringen
Source: rufus-3.8.exe | Binary or memory string: VMware VMKCORE
Source: rufus-3.8.exe | Binary or memory string: t MSG_263 "Guna saiz seunit yang BETUL" t MSG_264 "Memadam direktori '%s'" t MSG_265 "Pengesanan cakera VMWare" t MSG_266 "Mod dwi UEFI/BIOS" t MSG_267 "Menggunakan imej Windows: %s" t MSG_268 "Menggunakan imej Windows..." t MSG_269 "Mengekalkan cap masa
Source: Ruf1C85.tmp.8.dr | Binary or memory string: n de discos VMWare"
Source: rufus-3.8.exe | Binary or memory string: VMware VMFS
Source: Ruf1C85.tmp.8.dr | Binary or memory string: t MSG_265 "VMWare disk alg
Source: rufus-3.8.exe | Binary or memory string: "NTFS-compressie" t MSG_261 "Image schrijven: %s" t MSG_262 "ISO-ondersteuning" t MSG_263 "JUISTE grootte-eenheden gebruiken" t MSG_264 "Map '%s' verwijderen" t MSG_265 "VMWare-schijfdetectie" t MSG_266 "Dubbele UEFI/BIOS-modus" t MSG_267 "Windows-image
Source: rufus-3.8.exe, 00000008.00000002.4688649899.0000000000401000.00000040.00020000.sdmp | Binary or memory string: USBSTORRTSUERCMIUCREUCRUASPSTORVUSBSTORETRONSTORASUSSTPTSCSISDPCISTORRTSORJMCRJMCFRIMMPTSKRIMSPTSKRISDRIXDPTSKTI21SONYESD7SKESM7SKO2MDO2SDVIACR_SD__SDHC__MMC__MS__MSPro__xDPicture__O2Media_USBUSB 1.0USB 1.1USB 2.0USB 3.0USB 3.1Arsenal_________Virtual_KernSafeVirtual_________Msft____Virtual_Disk____VMware__VMware_Virtual_SYou must wait at least 10 seconds before trying to reset a deviceThe device you are trying to reset does not appear to be a USB device...Could not open %s: %sCycling port %d (reset) on %s Failed to cycle port: %sPlease wait for the device to re-appear...<NULL>Could not get classes for device cycling: %sCould not cycle device (D1): %sCould not cycle device (D2): %sCould not cycle device (E1): %sCould not cycle device (E2): %sCould not find a device to cycle!SetupDiGetClassDevs (Interface) failed: %sSetupDiGetDeviceRegistryProperty (Friendly Name) failed: %sGeneric Optical DriveFound '%s' optical deviceSetupDiEnumDeviceInterfaces failed: %sUnable to allocate data for SP_DEVICE_INTERFACE_DETAIL_
Source: Ruf1C85.tmp.8.dr | Binary or memory string: t MSG_265 "VMWare-disk oppdagelse"
Source: rufus-3.8.exe | Binary or memory string: G_265 "VMWare " t MSG_266 " UEFI/BIOS " t MSG_267 "Windows : %s" t MSG_268 "Windows
Source: rufus-3.8.exe, 00000008.00000002.4688649899.0000000000401000.00000040.00020000.sdmp | Binary or memory string: \\?\GLOBALROOTSuper Floppy DiskEmptyFAT12XENIX rootXENIX usrSmall FAT16ExtendedFAT16NTFS/exFAT/UDFAIXAIX BootableOS/2 Boot ManagerFAT32FAT32 LBAFAT16 LBAExtended LBAOPUSHidden FAT12Compaq DiagnosticsHidden Small FAT16Hidden FAT16Hidden NTFSAST SmartSleepHidden FAT32Hidden FAT32 LBAHidden FAT16 LBAWindows Mobile XIPSpeedStorNEC DOSWindows Mobile IMGFSHidden NTFS WinREPlan 9PMagic RecoveryVenix 80286PPC PReP BootSFSQNX4.xOnTrack DMCP/MEZ DriveGolden BowPriam EDiskGNU HURD/SysVNetwareDiskSecure MultiBootPC/IXNovellXOSLF.I.X.AODPSMinixGNU/Linux SwapGNU/LinuxWindows HibernationGNU/Linux ExtendedNTFS Volume SetGNU/Linux PlaintextFreeDOS Hidden FAT12GNU/Linux LVMFreeDOS Hidden FAT16FreeDOS Hidden ExtendedGNU/Linux HiddenCHRP ISO-9660FreeDOS Hidden FAT32BSD/OSHibernationFreeBSDOpenBSDNeXTSTEPDarwin UFSNetBSDDarwin BootHFS/HFS+BootStar DummyQNXBSDIBSDI SwapBootWizard HiddenAcronis SZSolaris BootSolarisSecured FATDR DOS FAT12GNU/Linux Hidden SwapDR DOS FAT16DR DOS ExtendedSyrinxNon-FS DataDell UtilityBootItST AVFSLUKSRu
Source: Ruf1C85.tmp.8.dr | Binary or memory string: VMWare"
Source: Ruf1C85.tmp.8.dr | Binary or memory string: VMWare
Source: rufus-3.8.exe | Binary or memory string: PROPER" t MSG_264 "Menghapus direktori '%s'" t MSG_265 "Deteksi VMWare disk" t MSG_266 "Modus Dual UEFI/BIOS" t MSG_267 "Menerapkan image Windows: %s" t MSG_268 "Menerapkan image Windows..." t MSG_269 "Pertahankan timestamps" t MSG_271 "Menghitung ceksu
Source: Ruf1C85.tmp.8.dr | Binary or memory string: t MSG_265 "Otkrivanje VMware diska"
Source: Ruf1C85.tmp.8.dr | Binary or memory string: enje VMWare diska"
Source: Ruf1C85.tmp.8.dr | Binary or memory string: t MSG_265 "VMWare disko aptikimas"
Source: Ruf1C85.tmp.8.dr | Binary or memory string: t MSG_265 "Noteikts VMWare disks"
Source: rufus-3.8.exe | Binary or memory string: ttelse" t MSG_263 "MiB notation" t MSG_264 "Sletter mappen '%s'" t MSG_265 "VMWare disk detektering" t MSG_267 "Anvender Windows-image: %s" t MSG_268 "Anvender Windows-image..." t MSG_269 "Bevar tidsstempler" t MSG_271 "Beregner imagechecksumme: %s" t

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\rufus-3.8.exe | System information queried: KernelDebuggerInformation
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\rufus-3.8.exe | Code function: 0_2_00401500 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress (0_2_00401500)
Enables debug privileges
Source: C:\Users\user\Desktop\rufus-3.8.exe | Process token adjusted: Debug
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\rufus-3.8.exe | Code function: 0_2_004011A3 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,_amsg_exit,_initterm,_cexit,exit (0_2_004011A3)
Source: C:\Users\user\Desktop\rufus-3.8.exe | Code function: 8_2_004011A3 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,_amsg_exit,_initterm,_cexit,exit (8_2_004011A3)

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to create a new security descriptor
Source: C:\Users\user\Desktop\rufus-3.8.exe | Code function: 0_2_0043628C GetCurrentProcess,OpenProcessToken,GetTokenInformation,AllocateAndInitializeSid,CheckTokenMembership,FreeSid,FindCloseChangeNotification (0_2_0043628C)
May try to detect the Windows Explorer process (often used for injection)
Source: rufus-3.8.exe, 00000000.00000002.5038217251.0000000001560000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: rufus-3.8.exe, 00000000.00000002.5038217251.0000000001560000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: rufus-3.8.exe, 00000000.00000002.5039495850.0000000002F77000.00000004.00000001.sdmp | Binary or memory string: Program Managerr]
Source: rufus-3.8.exe, 00000000.00000002.5038217251.0000000001560000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: rufus-3.8.exe, 00000000.00000002.5038217251.0000000001560000.00000002.00000001.sdmp | Binary or memory string: 9Program Manager

Language, Device and Operating System Detection:

Queries device information via Setup API
Source: C:\Users\user\Desktop\rufus-3.8.exe | Code function: 0_2_004072EB SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyA,_strcmpi (0_2_004072EB)
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\rufus-3.8.exe | Code function: 0_2_0041F3B8 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,Sleep,GetVersionExA,InternetCrackUrlA,_snprintf,InternetConnectA,_snprintf,HttpOpenRequestA,HttpSendRequestA,HttpQueryInfoA,InternetCloseHandle,HttpQueryInfoA,SystemTimeToFileTime,_snprintf,HttpQueryInfoA,??3@YAXPAX@Z,calloc,InternetReadFile,_snprintf,??3@YAXPAX@Z,??3@YAXPAX@Z,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,Sleep,PostMessageW,RtlExitUserThread,_strtoi64,??3@YAXPAX@Z,_snprintf,GetSystemTime,SystemTimeToFileTime (0_2_0041F3B8)
Contains functionality to query windows version
Source: C:\Users\user\Desktop\rufus-3.8.exe | Code function: 0_2_0041F3B8 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,Sleep,GetVersionExA,InternetCrackUrlA,_snprintf,InternetConnectA,_snprintf,HttpOpenRequestA,HttpSendRequestA,HttpQueryInfoA,InternetCloseHandle,HttpQueryInfoA,SystemTimeToFileTime,_snprintf,HttpQueryInfoA,??3@YAXPAX@Z,calloc,InternetReadFile,_snprintf,??3@YAXPAX@Z,??3@YAXPAX@Z,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,Sleep,PostMessageW,RtlExitUserThread,_strtoi64,??3@YAXPAX@Z,_snprintf,GetSystemTime,SystemTimeToFileTime (0_2_0041F3B8)
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\rufus-3.8.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
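
Most of the behavioural signatures in this report ("create a new security descriptor", "evasive API chain checking for process token information", "query local drives", "query windows version", "dynamically determine API calls") rest on the same kind of evidence line: a function id followed by the imports it calls. What follows is an added example, not Joe Sandbox code: it parses those lines back into API chains and applies a small watchlist, so the same evidence can be re-scored with labels of one's own. The labels are mine, not Joe Sandbox's, and the parser assumes the line layout shown in this report; the sample lines are copied from it. Worth noting for the 0_2_0043628C chain: OpenProcessToken, GetTokenInformation, AllocateAndInitializeSid and CheckTokenMembership in sequence is the documented Windows idiom for testing whether the caller's token belongs to a group (typically BUILTIN\Administrators), which is why the watchlist calls it an admin-group check rather than security-descriptor creation.

```python
import re

# "Code function: <pid_round_addr> <api,api,...> <pid_round_addr>" as printed in this
# report, with the trailing reference either bare or wrapped in parentheses.
CODE_FUNCTION = re.compile(
    r"Code function:\s*(\d+_\d+_[0-9A-Fa-f]+)\s+(.+?)[,\s(]*(\d+_\d+_[0-9A-Fa-f]+)\)?\s*$")

# Evidence lines copied from this report; the prefix before "Code function:" is ignored.
REPORT_LINES = [
    "Source: C:\\Users\\user\\Desktop\\rufus-3.8.exe | Code function: 0_2_00401500 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress (0_2_00401500)",
    "Source: C:\\Users\\user\\Desktop\\rufus-3.8.exe | Code function: 0_2_004072EB SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyA,_strcmpi (0_2_004072EB)",
    "Source: C:\\Users\\user\\Desktop\\rufus-3.8.exe | Code function: 0_2_0040CAEB GetLogicalDriveStringsA,isalpha,toupper (0_2_0040CAEB)",
    "Source: C:\\Users\\user\\Desktop\\rufus-3.8.exe | Code function: 0_2_0043628C GetCurrentProcess,OpenProcessToken,GetTokenInformation,AllocateAndInitializeSid,CheckTokenMembership,FreeSid,FindCloseChangeNotification (0_2_0043628C)",
    "Source: C:\\Users\\user\\Desktop\\rufus-3.8.exe | Code function: 8_2_004011A3 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,_amsg_exit,_initterm,_cexit,exit (8_2_004011A3)",
    "Source: C:\\Users\\user\\Desktop\\rufus-3.8.exe | Code function: 0_2_0041F3B8 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,Sleep,GetVersionExA,InternetCrackUrlA,_snprintf,InternetConnectA,_snprintf,HttpOpenRequestA,HttpSendRequestA,HttpQueryInfoA,InternetCloseHandle,HttpQueryInfoA,SystemTimeToFileTime,_snprintf,HttpQueryInfoA,??3@YAXPAX@Z,calloc,InternetReadFile,_snprintf,??3@YAXPAX@Z,??3@YAXPAX@Z,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,Sleep,PostMessageW,RtlExitUserThread,_strtoi64,??3@YAXPAX@Z,_snprintf,GetSystemTime,SystemTimeToFileTime (0_2_0041F3B8)",
    "Source: C:\\Users\\user\\Desktop\\rufus-3.8.exe | Code function: 0_2_0041E833 push edi; mov dword ptr [esp], ebx (0_2_0041F2FA)",
]

# Author's own labels (not Joe Sandbox's). Every API in a set must occur in the same
# function for the label to fire, which keeps lone GetProcAddress calls from matching.
WATCHLIST = {
    "admin group check": {"OpenProcessToken", "GetTokenInformation",
                          "AllocateAndInitializeSid", "CheckTokenMembership"},
    "runtime import resolution": {"GetModuleHandleA", "LoadLibraryA", "GetProcAddress"},
    "SetupAPI device enumeration": {"SetupDiEnumDeviceInfo", "SetupDiGetDeviceRegistryPropertyA"},
    "logical drive enumeration": {"GetLogicalDriveStringsA"},
    "WinINet HTTP fetch": {"InternetConnectA", "HttpOpenRequestA",
                           "HttpSendRequestA", "InternetReadFile"},
    "OS version query": {"GetVersionExA"},
    "top-level exception filter": {"SetUnhandledExceptionFilter"},
}


def parse_code_function(line):
    """Return (function id, [api, ...]) or None when the line is not an API-chain line."""
    m = CODE_FUNCTION.search(line)
    if not m:
        return None
    ident, body, _ref = m.groups()
    if ";" in body or " " in body:   # disassembly snippet (push/mov evidence), not an API list
        return None
    return ident, [api for api in body.split(",") if api]


def classify(lines, watchlist=WATCHLIST):
    """Map each function id to the watchlist labels whose whole API set it contains."""
    hits = {}
    for line in lines:
        parsed = parse_code_function(line)
        if parsed is None:
            continue
        ident, apis = parsed
        present = set(apis)
        labels = [label for label, needed in watchlist.items() if needed <= present]
        if labels:
            hits[ident] = labels
    return hits


if __name__ == "__main__":
    for ident, labels in classify(REPORT_LINES).items():
        print(ident, "->", ", ".join(labels))
```

Feeding it the whole text export gives one label list per function; functions that only appear in the push/mov obfuscation evidence are skipped, since those lines carry instructions rather than imports.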

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies Group Policy settings
Source: C:\Users\user\Desktop\rufus-3.8.exe | File written: C:\Windows\System32\GroupPolicy\gpt.ini

Behavior Graph

(The behavior graph is rendered as an image in the original report and is not reproduced here.)

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
rufus-3.8.exe | 1% | Virustotal | -
rufus-3.8.exe | 3% | Metadefender | -

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\Desktop\rufus.com | 1% | Virustotal | -
C:\Users\user\Desktop\rufus.com | 3% | Metadefender | -

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
rufus.ie | 0% | Virustotal | -

URLs

Source | Detection | Scanner | Label
http://cps.letsencrypt | 0% | Avira URL Cloud | safe
https://rufus.ie//Rufus_win.ver.sige | 0% | Avira URL Cloud | safe
https://kolibrios.org/ | 0% | Virustotal | -
https://kolibrios.org/ | 0% | Avira URL Cloud | safe
https://rufus.ie). | 0% | Avira URL Cloud | safe
https://rufus.ie/Fido.verz1https://github.com/pbatard/FidoWARNING: | 0% | Avira URL Cloud | safe
https://rufus.ie/Fido.ver89v | 0% | Avira URL Cloud | safe
https://rufus.ie/Fido.ver | 0% | Virustotal | -
https://rufus.ie/Fido.ver | 0% | Avira URL Cloud | safe
https://rufus.ie/Rufus_win.ver | 0% | Avira URL Cloud | safe
https://rufus.ie/Rufus_win.verZ | 0% | Avira URL Cloud | safe
http://www.ridgecrop.demon.co.uk/index.htm?fat32format.htm | 0% | Virustotal | -
http://www.ridgecrop.demon.co.uk/index.htm?fat32format.htm | 0% | Avira URL Cloud | safe
https://rufus.ie/Rufus_win_x64.ver | 0% | Avira URL Cloud | safe
http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe
https://rufus.ie//Rufus_win.ver.sig5 | 0% | Avira URL Cloud | safe
https://rufus.ie/CheckForBetashttps://rufus.ieUsing | 0% | Avira URL Cloud | safe
https://rufus.ie/ | 0% | Virustotal | -
https://rufus.ie/ | 0% | Avira URL Cloud | safe
https://rufus.ie | 0% | Virustotal | -
https://rufus.ie | 0% | Avira URL Cloud | safe
http://halamix2.pl | 0% | Virustotal | -
http://halamix2.pl | 0% | Avira URL Cloud | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
https://rufus.ie/files | 0% | Virustotal | -
https://rufus.ie/files | 0% | Avira URL Cloud | safe
https://rufus.ie/Rufus_win_x64_10.0.vertop | 0% | Avira URL Cloud | safe
https://rufus.ie/ver | 0% | Avira URL Cloud | safe
http://ocsp.int-x3.letsencrypt.org0/ | 0% | URL Reputation | safe
https://axialis.com/ | 0% | Avira URL Cloud | safe
https://rufus.ie//Rufus_win.ver.sig | 0% | Avira URL Cloud | safe
https://syslinux.org/ | 0% | Avira URL Cloud | safe
https://rufus.ie/files%s/%s-%s/%sGrub2%s | 0% | Avira URL Cloud | safe
https://rufus.ie/Rufus_win_x64.verC | 0% | Avira URL Cloud | safe
https://rufus.ie/Rufus_win.vergm | 0% | Avira URL Cloud | safe
https://rufus.ie/Rufus_win_x64_10.ver | 0% | Avira URL Cloud | safe
https://rufus.ie/Rufus_win_x64_10.0.ver | 0% | Avira URL Cloud | safe
https://rufus.ie321Failed | 0% | Avira URL Cloud | safe
https://rufus.ie/Rufus_win_x64.verW | 0% | Avira URL Cloud | safe
http://cps.letsencryptF | 0% | Avira URL Cloud | safe
https://www.7-zip.orgopen2.04rufus_filescore.imggrub%s-%s/%srbWill | 0% | Avira URL Cloud | safe
http://crl.comodoca.co | 0% | Virustotal | -
http://crl.comodoca.co | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
140.82.118.3test.pdfGet hashmaliciousBrowse
    https://github.com/ytisf/theZoo/raw/master/malwares/Binaries/Android.Skygofree/Android.Skygofree.zipGet hashmaliciousBrowse
      60RFQ19092019.exeGet hashmaliciousBrowse
        3Mt94tjHEK.exeGet hashmaliciousBrowse
          akdlsj.shGet hashmaliciousBrowse
            18868900.exeGet hashmaliciousBrowse
              https://crx.dam.io/ext/nonjdcjchghhkdoolnlbekcfllmednbl.htmlGet hashmaliciousBrowse
                rufus-3.5.exeGet hashmaliciousBrowse
                  executable.3512.exeGet hashmaliciousBrowse
                    http://github.com/premierviajes/tcheck/raw/gh-pages/DOUBLON.zipGet hashmaliciousBrowse
                      https://github.com/mj2445507/tempData/blob/gh-pages/DOUBLON.zip?raw=trueGet hashmaliciousBrowse
                        1067890.exeGet hashmaliciousBrowse
                          Document1.docGet hashmaliciousBrowse
                            9000098766.pdf.exeGet hashmaliciousBrowse
                              swift7737.docGet hashmaliciousBrowse
                                73Locowise_Protected.exeGet hashmaliciousBrowse
                                  15CONTRAC.exeGet hashmaliciousBrowse
                                    9PO#805543.exeGet hashmaliciousBrowse
                                      3Y3EG35IOY57MK.EXEGet hashmaliciousBrowse
                                        185.199.109.153https://craftware.xyz/securitybricks/2017/07/09/keepass-password-manager-with-2fa.htmlGet hashmaliciousBrowse
                                        • craftware.xyz/tips/
                                        http://3389.space/nw/vm.exeGet hashmaliciousBrowse
                                        • 3389.space/nw/vm.exe
                                        http://3389.space/nw/vm.exeGet hashmaliciousBrowse
                                        • 3389.space/nw/ver2.txt

                                        Domains

                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                        github.comtest.pdfGet hashmaliciousBrowse
                                        • 140.82.118.3
                                        Office 365.pdfGet hashmaliciousBrowse
                                        • 140.82.118.4
                                        Untitled attachment 00022.pdfGet hashmaliciousBrowse
                                        • 140.82.118.4
                                        https://github.com/ytisf/theZoo/raw/master/malwares/Binaries/Android.Skygofree/Android.Skygofree.zipGet hashmaliciousBrowse
                                        • 140.82.118.3
                                        qXyzpTFADg.exeGet hashmaliciousBrowse
                                        • 192.30.253.120
                                        https://github.com/mintty/wsltty/releases/download/3.0.2.3/wsltty-3.0.2.3-install.exeGet hashmaliciousBrowse
                                        • 140.82.118.4
                                        60RFQ19092019.exeGet hashmaliciousBrowse
                                        • 140.82.118.3
                                        http%3a%2f%2fwww.ctmsds.com%2fuploads%2fallimg%2f160128%2f1-16012PT31N47.png%c2%a0Get hashmaliciousBrowse
                                        • 140.82.118.4
                                        3Mt94tjHEK.exeGet hashmaliciousBrowse
                                        • 140.82.118.3
                                        akdlsj.shGet hashmaliciousBrowse
                                        • 140.82.118.3
                                        3676890.exeGet hashmaliciousBrowse
                                        • 140.82.118.4
                                        62767898.exeGet hashmaliciousBrowse
                                        • 140.82.118.4
                                        2987890.exeGet hashmaliciousBrowse
                                        • 140.82.118.4
                                        https://sway.office.com/KbTVvKKqMiLsQvOj?ref=nkGet hashmaliciousBrowse
                                        • 140.82.118.4
                                        2676890.exeGet hashmaliciousBrowse
                                        • 140.82.118.4
                                        31676891.exeGet hashmaliciousBrowse
                                        • 140.82.118.4
                                        17768901.exeGet hashmaliciousBrowse
                                        • 140.82.118.4
                                        https://az764295.vo.msecnd.net/stable/2213894ea0415ee8c85c5eea0d0ff81ecc191529/VSCodeUserSetup-x64-1.36.1.exeGet hashmaliciousBrowse
                                        • 140.82.118.5
                                        18868900.exeGet hashmaliciousBrowse
                                        • 140.82.118.4
                                        https://crx.dam.io/ext/nonjdcjchghhkdoolnlbekcfllmednbl.htmlGet hashmaliciousBrowse
                                        • 140.82.118.3
                                        s3-1-w.amazonaws.comhttp://rotatethecrops.com/class.php?ms=bxhv_xpnt&id=Z2VvZmYuYmVsc2hlckBibGFrZXMuY29tGet hashmaliciousBrowse
                                        • 52.216.19.8
                                        tiempo.apkGet hashmaliciousBrowse
                                        • 52.216.134.91
                                        https://urldefense.proofpoint.com/v2/url?u=http-3A__onedrive.gov-2Donline.net_6a6d760ef1-3Fl-3D71&d=DwMFaQ&c=jvUANN7rYqzaQJvTqI-69lgi41yDEZ3CXTgIEaHlx7c&r=TcTD4XwFmQ9kOZl7O_6E2pFLgBCDNBk0nXWeGZlm-BI&m=zn482Fgd66sLrjnfPJPZ0orvwIS_ucgztCX0DiUM6Zo&s=GFjdnkJA-p21_Uj02kj1svhhX5pRtSDFOUyNAQOZgEc&e=Get hashmaliciousBrowse
                                        • 52.216.144.99
                                        http://aws.amazon.com.signin.redirect.uri.new.session.12.thepagemaster.de/?Z289MSZzMT01NzkyNTEmczI9MTYyNTkyOTcxJnMzPUdMQg==Get hashmaliciousBrowse
                                        • 52.216.177.115
                                        https://github.com/mintty/wsltty/releases/download/3.0.2.3/wsltty-3.0.2.3-install.exeGet hashmaliciousBrowse
                                        • 52.216.146.19
                                        https://apprasialsforstaffnow.securechkout.com/Get hashmaliciousBrowse
                                        • 52.216.32.112
                                        http://email.sendgrid-com.click.upnadyn91odqr4lptk7urw9lhuzn7l6mauzwdespo.henkohealth.com?Z289MSZzMT01MzY2NDEmczI9NDgwMjIzMzImczM9R0xCGet hashmaliciousBrowse
                                        • 52.216.144.243
                                        YourFootballTickets.pdfGet hashmaliciousBrowse
                                        • 52.216.145.195
                                        http://telerik-fiddler.s3.amazonaws.com/fiddler/FiddlerSetup.exeGet hashmaliciousBrowse
                                        • 52.216.80.0
                                        {KEYWORD}_2067955247.exeGet hashmaliciousBrowse
                                        • 52.216.112.67
                                        {KEYWORD}_2067955247.exeGet hashmaliciousBrowse
                                        • 52.216.134.11
                                        3Mt94tjHEK.exeGet hashmaliciousBrowse
                                        • 52.216.114.211
                                        akdlsj.shGet hashmaliciousBrowse
                                        • 52.216.146.219
                                        http://www.mirovideoconverter.comGet hashmaliciousBrowse
                                        • 52.216.229.227
                                        RevisedSpreadsheet.xlsxGet hashmaliciousBrowse
                                        • 52.216.187.11
                                        ServicioDeInPuestoInternoJunio2019.vbsGet hashmaliciousBrowse
                                        • 52.216.133.227
                                        OYFXR67uwz.exeGet hashmaliciousBrowse
                                        • 52.216.185.107
                                        https://crx.dam.io/ext/nonjdcjchghhkdoolnlbekcfllmednbl.htmlGet hashmaliciousBrowse
                                        • 52.216.100.107
                                        rufus-3.5.exeGet hashmaliciousBrowse
                                        • 52.216.179.195
                                        ServicioDeInPuestoInternoJunio2019.vbsGet hashmaliciousBrowse
                                        • 52.216.232.123

                                        ASN

                                        Match: unknown
                                        Associated Sample Name / URL | Detection | Context
                                        secure-message_download.pdf | malicious | 3.3.0.2
                                        SjggMFre44.exe | malicious | 54.91.121.97
                                        183227448.exe | malicious | 89.25.238.170
                                        183227448.exe | malicious | 23.23.73.124
                                        183227448.exe | malicious | 46.30.41.229
                                        http://dl.verypdf.net/pdf2txtocrcmd.zip | malicious | 96.126.117.29
                                        Nuovo_1.doc | malicious | 185.189.151.22
                                        Nuovo_1.doc | malicious | 185.189.151.22
                                        Notificazione-8376.doc | malicious | 185.189.151.24
                                        Nuovo_1.doc | malicious | 185.189.151.22
                                        Notificazione-8376.doc | malicious | 185.189.151.24
                                        Notificazione-8376.doc | malicious | 185.189.151.24
                                        Payment _copy.doc | malicious | 47.74.210.43
                                        mal.bat | malicious | 216.58.207.148
                                        Payment _copy.doc | malicious | 47.74.210.43
                                        http://hrsurveyemploye.com | malicious | 52.2.115.72
                                        http://www.infonovice.fr/guide-dactivation-des-cases-a-cocher-word-2010/ | malicious | 172.217.22.226
                                        2.exe | malicious | 172.217.22.229
                                        {71257279-042b-371d-a1d3-fbf8d2fadffa}.exe | malicious | 212.71.250.4
                                        Nuovo_79.doc | malicious | 185.189.151.22

                                        JA3 Fingerprints

                                        Match: 37f463bf4616ecd445d4a1937da06e19
                                        Associated Sample Name / URL | Detection | Context
                                        mal.bat | malicious | 140.82.118.3, 185.199.109.153, 52.216.93.67
                                        http://4f0e38d1.ngrok.io | malicious | 140.82.118.3, 185.199.109.153, 52.216.93.67
                                        f7HXofF7Mf.exe | malicious | 140.82.118.3, 185.199.109.153, 52.216.93.67
                                        https://nab-online-verification-guide.com/cgi | malicious | 140.82.118.3, 185.199.109.153, 52.216.93.67
                                        http://rotatethecrops.com/class.php?ms=bxhv_xpnt&id=Z2VvZmYuYmVsc2hlckBibGFrZXMuY29t | malicious | 140.82.118.3, 185.199.109.153, 52.216.93.67
                                        The Southern Alberta Institute of Technology Shared Document.pdf | malicious | 140.82.118.3, 185.199.109.153, 52.216.93.67
                                        https://youmail10.firebaseapp.com/youmail.html | malicious | 140.82.118.3, 185.199.109.153, 52.216.93.67
                                        https://badboybilliards.net/Remit/uhuru/No_cap/FBG | malicious | 140.82.118.3, 185.199.109.153, 52.216.93.67
                                        EWoCPTWw1k.exe | malicious | 140.82.118.3, 185.199.109.153, 52.216.93.67
                                        tezpQxSWPw.exe | malicious | 140.82.118.3, 185.199.109.153, 52.216.93.67
                                        https://manager.wazeefa1.com/federalgrant/PDFpagers/ | malicious | 140.82.118.3, 185.199.109.153, 52.216.93.67
                                        Oct_Report.xls | malicious | 140.82.118.3, 185.199.109.153, 52.216.93.67
                                        YEA9sHm2oL.chm | malicious | 140.82.118.3, 185.199.109.153, 52.216.93.67
                                        https://bangstationery.in/%23%24%25%5e&&%5e%25%24%25%5e&*(*&%5e%25%24%23@%23%24%25%5e&*(*&%5e%25%24%23@%23%24%25%5e&*&%5e%25%24%23%24%25%5e&**&%5e%25%24/ | malicious | 140.82.118.3, 185.199.109.153, 52.216.93.67
                                        https://akdenizhaliyika.com/DHL/retrieve/index.php?email=M.Augstell@dnp.imgcomm.com | malicious | 140.82.118.3, 185.199.109.153, 52.216.93.67
                                        http://up-shorty.com/preview/XCPG7EataN/Landmark_Healthplan_Acu_$1520v_Inv_docx.pdf | malicious | 140.82.118.3, 185.199.109.153, 52.216.93.67
                                        http://up-shorty.com/preview/XCPG7EataN/Landmark_Healthplan_Acu_$1520v_Inv_docx.pdf | malicious | 140.82.118.3, 185.199.109.153, 52.216.93.67
                                        webext_dl.exe | malicious | 140.82.118.3, 185.199.109.153, 52.216.93.67
                                        report cyber security.exe | malicious | 140.82.118.3, 185.199.109.153, 52.216.93.67
                                        https://www.0365security.com/x/wEw0BQACv3yZ | malicious | 140.82.118.3, 185.199.109.153, 52.216.93.67

                                        Dropped Files

                                        Match: C:\Users\user\Desktop\rufus.com
                                        Associated Sample Name / URL | Detection | Context
                                        rufus-3.5.exe | malicious | 
                                        rufus-3.5.exe | malicious | 
                                        Rufus 2.10.exe | malicious | 

                                              Screenshots

                                              Thumbnails

                                              This section contains all screenshots as thumbnails, including those not shown in the slideshow.