Edit tour

Windows Analysis Report
upx_rufus.exe

Overview

General Information

Sample name:	upx_rufus.exe
Analysis ID:	1569101
MD5:	d48615fa37605e2f53162f1d7021d937
SHA1:	d0054fc533603004a107436f47bc020afd54fa05
SHA256:	e82abd7f2c8f8c866141634a1ce10da8ebf3c58b68cb2eaa351345777bb3f67c
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Changes autostart functionality of drives

Machine Learning detection for sample

Modifies Group Policy settings

Creates files inside the system directory

Enables debug privileges

Enables driver privileges

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May infect USB drives

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Process Tree

System is w10x64

upx_rufus.exe (PID: 3720 cmdline: "C:\Users\user\Desktop\upx_rufus.exe" MD5: D48615FA37605E2F53162F1D7021D937)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Machine Learning detection for sample

Source: upx_rufus.exe

Joe Sandbox ML: detected

Source: upx_rufus.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: upx_rufus.exe

Static PE information: certificate valid

Source: unknown	HTTPS traffic detected: 185.199.108.153:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.153:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.153:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.153:443 -> 192.168.2.4:49743 version: TLS 1.2

Source:	Binary string: C:\efifs\x64\Release\ntfs_x64.pdb source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000648000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\efifs\arm\Release\ntfs_arm.pdb$$ source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000648000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\efifs\ia32\Release\ntfs_ia32.pdb source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000648000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\uefi-ntfs\arm\Release\bootarm.pdb source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000648000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\efifs\ia32\Release\ntfs_ia32.pdb source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000648000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\uefi-ntfs\ia32\Release\bootia32.pdb source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000648000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\efifs\arm\Release\ntfs_arm.pdb source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000648000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\efifs\x64\Release\ntfs_x64.pdb source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000648000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\uefi-ntfs\x64\Release\bootx64.pdb source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000648000.00000040.00000001.01000000.00000003.sdmp

Spreading

Changes autostart functionality of drives

Source: C:\Users\user\Desktop\upx_rufus.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{728A7203-262A-4F9F-B3D6-124E5E316627}Machine\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoDriveTypeAutorun

Jump to behavior

Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Ignoring autorun.inf label for drive %c: %s
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Using autorun.inf label for drive %c: '%s'
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: #:\autorun.inf
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: bnbxfxixkxnengpxsxuxmnphcerxcoskhesharedexclusive???Waiting for access on %s [%s]...Warning: Could not obtain exclusive rights. Retrying with write sharing enabled...Opened %s for %s write accessI/O boundary checks disabledRequesting lock...Could not lock access to %s: %sCould not open %s: %s\\.\MountPointManagerERROR: Bad index value %d. Please check the code!\\.\PHYSICALDRIVE%luCould not access first GUID volume: %sCould not access next GUID volume: %s\\?\'%s' is not a GUID volume name\Device\CdRom\Device\FloppyFailed to get device path for GUID volume '%s': %sSkipping GUID volume for '%s'Could not open GUID volume '%s': %sCould not get Disk Extents: %sTimeout while waiting for logical driveNo logical drive found (unpartitioned?)Could not get device number for device %s: %sIgnoring drive '%s' as it spans multiple disks (RAID?)Device Number for device %s is too big (%d) - ignoring deviceGetLogicalDriveStrings failed: %sGetLogicalDriveStrings: Buffer too small (required %d vs. %d)\\.\%c:\\.\#:No mediaNO_LABELlabelIgnoring autorun.inf label for drive %c: %sUsing autorun.inf label for drive %c: '%s'#:\autorun.infMaster Boot Record%s does not have an x86 %s%s has a %s %s%s has an unknown %sPartition Boot RecordVolume does not have an x86 %sDrive has a %s %sVolume has an unknown FAT16 or FAT32 %sVolume has an unknown %sCould not unmount drive: %s<NULL>Volume is already mounted, but as %c: instead of %c: - Unmounting...Failed to unmount volume: %s%s already mounted, but volume GUID could not be checked: %s%s already mounted, but volume GUID doesn't match:
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: B%sautorun.inf
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: B%sautorun.infr%s already exists - keeping itw, ccs=UTF-16LEUnable to create %sNOTE: This may be caused by a poorly designed security solution. See https://rufus.akeo.ie/compatibility.; Created by %s
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: autorun.inf
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Error allocating file name%s%s/%srufus_files%s/syslinux-%s/%s Replaced with local version %s Could not replace file: %s File name sanitized to '%s' Unable to create file: %sautorun.inf NOTE: This is usually caused by a poorly designed security solution. See https://rufus.akeo.ie/compatibility.
Source: upx_rufus.exe, 00000000.00000002.2963030477.000000000048D000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: box to allow the display of international labels and set a device icon (creates an autorun.inf)
Source: upx_rufus.exe, 00000000.00000002.2963030477.000000000048D000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: International characters are acceptedISO Imageinformation and creditsDD ImageISO Image box to allow the display of international labels and set a device icon (creates an autorun.inf)
Source: upx_rufus.exe, 00000000.00000002.2963757573.0000000002BC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Check this box to allow the display of international labels and set a device icon (creates an autorun.inf)
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: "and set a device icon (creates an autorun.inf)"
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: autorun.inf)"
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: n edin (autorun.inf yarad
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: "i napravite ikonu (stvara autorun.inf)"
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: m souboru autorun.inf)"
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: "og skabe et enheds-ikon (opretter en autorun.inf)"
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: ert een autorun.inf bestand)"
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: "ja asettaaksesi laitekuvakkeen (luo autorun.inf-tiedoston)"
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: era un fichier autorun.inf)"
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: tesymbol zu erzeugen (Datei autorun.inf)"
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: hoz (egy autorun.inf f
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: "dan menyetel ikon perangkat (membuat autorun.inf)"
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: un file autorun.inf)"
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: (autorun.inf
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: "autorun.inf
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: "(autorun.inf
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: "ikonas izveidei (tiek izveidots fails autorun.inf)"
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: (sukuria autorun.inf)"
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: "dan menetapkan ikon cakera (akan membuat fail autorun.inf)"
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: "og lage et stasjons ikon (lager en autorun.inf)"
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: autorun.inf"
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: dzenia (tworzy plik autorun.inf)"
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: cone para a unidade (cria um arquivo autorun.inf)"
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: cone para a unidade (cria um ficheiro autorun.inf)"
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: ier autorun.inf)"
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: uje autorun.inf)"
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: boru autorun.inf)"
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: "in nastaviti ikono za napravo (to ustvari datoteko autorun.inf)."
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: "y establecer un icono para la unidad (crea un archivo autorun.inf)"
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: tt en enhetsikon (en autorun.inf skapas)"
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: autorun.inf
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: t simgesini belirleyin (autorun.inf olu
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: t autorun.inf)"
Source: upx_rufus.exe, 00000000.00000002.2963457761.0000000000935000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Check this box to allow the display of international labels and set a device icon (creates an autorun.inf)D&
Source: upx_rufus.exe, 00000000.00000002.2963457761.0000000000935000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Check this box to allow the display of international labels and set a device icon (creates an autorun.inf)
Source: RufAB7F.tmp.0.dr	Binary or memory string: "and set a device icon (creates an autorun.inf)"
Source: RufAB7F.tmp.0.dr	Binary or memory string: autorun.inf)"
Source: RufAB7F.tmp.0.dr	Binary or memory string: n edin (autorun.inf yarad
Source: RufAB7F.tmp.0.dr	Binary or memory string: "i napravite ikonu (stvara autorun.inf)"
Source: RufAB7F.tmp.0.dr	Binary or memory string: m souboru autorun.inf)"
Source: RufAB7F.tmp.0.dr	Binary or memory string: "og skabe et enheds-ikon (opretter en autorun.inf)"
Source: RufAB7F.tmp.0.dr	Binary or memory string: ert een autorun.inf bestand)"
Source: RufAB7F.tmp.0.dr	Binary or memory string: "ja asettaaksesi laitekuvakkeen (luo autorun.inf-tiedoston)"
Source: RufAB7F.tmp.0.dr	Binary or memory string: era un fichier autorun.inf)"
Source: RufAB7F.tmp.0.dr	Binary or memory string: tesymbol zu erzeugen (Datei autorun.inf)"
Source: RufAB7F.tmp.0.dr	Binary or memory string: hoz (egy autorun.inf f
Source: RufAB7F.tmp.0.dr	Binary or memory string: "dan menyetel ikon perangkat (membuat autorun.inf)"
Source: RufAB7F.tmp.0.dr	Binary or memory string: un file autorun.inf)"
Source: RufAB7F.tmp.0.dr	Binary or memory string: (autorun.inf
Source: RufAB7F.tmp.0.dr	Binary or memory string: "autorun.inf
Source: RufAB7F.tmp.0.dr	Binary or memory string: "(autorun.inf
Source: RufAB7F.tmp.0.dr	Binary or memory string: "ikonas izveidei (tiek izveidots fails autorun.inf)"
Source: RufAB7F.tmp.0.dr	Binary or memory string: (sukuria autorun.inf)"
Source: RufAB7F.tmp.0.dr	Binary or memory string: "dan menetapkan ikon cakera (akan membuat fail autorun.inf)"
Source: RufAB7F.tmp.0.dr	Binary or memory string: "og lage et stasjons ikon (lager en autorun.inf)"
Source: RufAB7F.tmp.0.dr	Binary or memory string: autorun.inf"
Source: RufAB7F.tmp.0.dr	Binary or memory string: dzenia (tworzy plik autorun.inf)"
Source: RufAB7F.tmp.0.dr	Binary or memory string: cone para a unidade (cria um arquivo autorun.inf)"
Source: RufAB7F.tmp.0.dr	Binary or memory string: cone para a unidade (cria um ficheiro autorun.inf)"
Source: RufAB7F.tmp.0.dr	Binary or memory string: ier autorun.inf)"
Source: RufAB7F.tmp.0.dr	Binary or memory string: uje autorun.inf)"
Source: RufAB7F.tmp.0.dr	Binary or memory string: boru autorun.inf)"
Source: RufAB7F.tmp.0.dr	Binary or memory string: "in nastaviti ikono za napravo (to ustvari datoteko autorun.inf)."
Source: RufAB7F.tmp.0.dr	Binary or memory string: "y establecer un icono para la unidad (crea un archivo autorun.inf)"
Source: RufAB7F.tmp.0.dr	Binary or memory string: tt en enhetsikon (en autorun.inf skapas)"
Source: RufAB7F.tmp.0.dr	Binary or memory string: autorun.inf
Source: RufAB7F.tmp.0.dr	Binary or memory string: t simgesini belirleyin (autorun.inf olu
Source: RufAB7F.tmp.0.dr	Binary or memory string: t autorun.inf)"

Source: Joe Sandbox View	IP Address: 185.199.108.153 185.199.108.153
Source: Joe Sandbox View	IP Address: 185.199.108.153 185.199.108.153

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /Rufus_win_x64_10.0.ver HTTP/1.1Accept: /User-Agent: Rufus/2.18.1213 (Windows NT 10.0; WOW64)Host: rufus.akeo.ieConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Rufus_win_x64_10.ver HTTP/1.1Accept: /User-Agent: Rufus/2.18.1213 (Windows NT 10.0; WOW64)Host: rufus.akeo.ieConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Rufus_win_x64.ver HTTP/1.1Accept: /User-Agent: Rufus/2.18.1213 (Windows NT 10.0; WOW64)Host: rufus.akeo.ieConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Rufus_win.ver HTTP/1.1Accept: /User-Agent: Rufus/2.18.1213 (Windows NT 10.0; WOW64)Host: rufus.akeo.ieConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Rufus_win_x64_10.0.ver HTTP/1.1Accept: /User-Agent: Rufus/2.18.1213 (Windows NT 10.0; WOW64)Host: rufus.akeo.ie
Source: global traffic	HTTP traffic detected: GET /Rufus_win_x64_10.ver HTTP/1.1Accept: /User-Agent: Rufus/2.18.1213 (Windows NT 10.0; WOW64)Host: rufus.akeo.ie
Source: global traffic	HTTP traffic detected: GET /Rufus_win_x64.ver HTTP/1.1Accept: /User-Agent: Rufus/2.18.1213 (Windows NT 10.0; WOW64)Host: rufus.akeo.ie
Source: global traffic	HTTP traffic detected: GET /Rufus_win.ver HTTP/1.1Accept: /User-Agent: Rufus/2.18.1213 (Windows NT 10.0; WOW64)Host: rufus.akeo.ie

Source: global traffic

DNS traffic detected: DNS query: rufus.akeo.ie

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeContent-Length: 9379Server: GitHub.comContent-Type: text/html; charset=utf-8Access-Control-Allow-Origin: *ETag: "64d39a40-24a3"Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; img-src data:; connect-src 'self'x-proxy-cache: MISSX-GitHub-Request-Id: A694:4C9B8:364FA48:3AFFBDD:675194ADAccept-Ranges: bytesAge: 1164Date: Thu, 05 Dec 2024 12:14:51 GMTVia: 1.1 varnishX-Served-By: cache-ewr-kewr1740072-EWRX-Cache: HITX-Cache-Hits: 0X-Timer: S1733400892.728579,VS0,VE1Vary: Accept-EncodingX-Fastly-Request-ID: 4cacb7df3c7e26c69a10747716705c9638db13e4
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeContent-Length: 9379Server: GitHub.comContent-Type: text/html; charset=utf-8Access-Control-Allow-Origin: *ETag: "64d39a40-24a3"Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; img-src data:; connect-src 'self'x-proxy-cache: MISSX-GitHub-Request-Id: F2BF:1FE25D:33CF255:387F18A:675194B0Accept-Ranges: bytesAge: 1165Date: Thu, 05 Dec 2024 12:14:53 GMTVia: 1.1 varnishX-Served-By: cache-ewr-kewr1740077-EWRX-Cache: HITX-Cache-Hits: 0X-Timer: S1733400894.691136,VS0,VE1Vary: Accept-EncodingX-Fastly-Request-ID: 22b28560fac26c4920e4d9458e20e9e05ec48fc8
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeContent-Length: 9379Server: GitHub.comContent-Type: text/html; charset=utf-8Access-Control-Allow-Origin: *ETag: "64d39a40-24a3"Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; img-src data:; connect-src 'self'x-proxy-cache: MISSX-GitHub-Request-Id: 7197:192E96:36CAAC7:3B8343D:67519936Accept-Ranges: bytesAge: 0Date: Thu, 05 Dec 2024 12:14:55 GMTVia: 1.1 varnishX-Served-By: cache-nyc-kteb1890027-NYCX-Cache: MISSX-Cache-Hits: 0X-Timer: S1733400896.723168,VS0,VE16Vary: Accept-EncodingX-Fastly-Request-ID: 9583847f80af87182cb0f36e0ecdb310295feb2d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeContent-Length: 9379Server: GitHub.comContent-Type: text/html; charset=utf-8Access-Control-Allow-Origin: *ETag: "64d39a40-24a3"Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; img-src data:; connect-src 'self'x-proxy-cache: MISSX-GitHub-Request-Id: 4E38:2204EF:37D0B2E:3C80E86:675194B5Accept-Ranges: bytesAge: 1164Date: Thu, 05 Dec 2024 12:14:57 GMTVia: 1.1 varnishX-Served-By: cache-ewr-kewr1740035-EWRX-Cache: HITX-Cache-Hits: 0X-Timer: S1733400898.706222,VS0,VE2Vary: Accept-EncodingX-Fastly-Request-ID: e77d9a83f9aec4b4a5417b362309ad256a682f87

Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://7-zip.org
Source: upx_rufus.exe	String found in binary or memory: http://akeo.ie)4
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://code.google.com/p/tortoisegit/
Source: upx_rufus.exe	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: upx_rufus.exe	String found in binary or memory: http://crl.comodoca.com/COMODOSHA256CodeSigningCA.crl0w
Source: upx_rufus.exe, 00000000.00000002.2963631354.0000000000961000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000003.2013812131.0000000000960000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000003.2013612417.000000000095E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microt
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://doc.sch130.nsc.ru/www.sysinternals.com/ntw2k/source/fmifs.shtml
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://e2fsprogs.sourceforge.net
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://freedos.sourceforge.net/freecom
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://fsf.org/
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp, RufAB7F.tmp.0.dr	String found in binary or memory: http://halamix2.pl
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://kolibrios.org
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ms-sys.sourceforge.net
Source: upx_rufus.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://pcunleashed.com
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://processhacker.sourceforge.net/
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://rufus.akeo.ie/
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://rufus.akeo.ie/Rufus/%d.%d.%d
Source: upx_rufus.exe, 00000000.00000002.2963631354.0000000000961000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000003.2013812131.0000000000960000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000003.2013612417.000000000095E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://rufus.akeo.ie/Rufus_win.ver
Source: upx_rufus.exe, 00000000.00000002.2963631354.0000000000961000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000003.2013812131.0000000000960000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000003.2013612417.000000000095E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://rufus.akeo.ie/Rufus_win.verver5
Source: upx_rufus.exe, 00000000.00000002.2963631354.0000000000961000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000003.2013812131.0000000000960000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000003.2013612417.000000000095E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://rufus.akeo.ie/Rufus_win_x64.ver
Source: upx_rufus.exe, 00000000.00000002.2963457761.0000000000935000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://rufus.akeo.ie/Rufus_win_x64_10.0.ver
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://rufus.akeo.ie/files
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://rufus.akeo.ie/files%s/%s-%s/%sExtended
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://svn.reactos.org/svn/reactos/trunk/reactos
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://svn.reactos.org/svn/reactos/trunk/reactos/include/reactos/libs/fmifs
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://tortoisesvn.net/
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://winscp.net
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.7-zip.org
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.7-zip.orgopen2.02rufus_filescore.imggrub%s-%s/%srbWill
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.busybox.net/
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.codeguru.com/forum/showthread.php?p=1951973
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.freedos.org
Source: upx_rufus.exe	String found in binary or memory: http://www.gnu.org/copyleft/gpl.html
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.gnu.org/software/fdisk
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.gnu.org/software/grub
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.gnu.org/software/libcdio
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp, RufAB7F.tmp.0.dr	String found in binary or memory: http://www.napisy.info
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.reactos.org
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.ridgecrop.demon.co.uk/index.htm?fat32format.htm
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.syslinux.org
Source: upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp, RufAB7F.tmp.0.dr	String found in binary or memory: https://github.com/Chocobo1
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/chenall/grub4dos
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/pbatard/bled
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp, upx_rufus.exe, 00000000.00000002.2963030477.000000000049A000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/pbatard/rufus/blob/master/res/localization/ChangeLog.txt
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/pbatard/rufus/issues
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000648000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/pbatard/uefi-ntfs.
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/weidai11/cryptopp/
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://rufus.akeo.ie
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000648000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://rufus.akeo.ie).
Source: upx_rufus.exe, 00000000.00000002.2963457761.00000000008F7000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000002.2963457761.0000000000935000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rufus.akeo.ie/
Source: upx_rufus.exe, 00000000.00000002.2963457761.00000000008F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rufus.akeo.ie/6122658-3693405117-2476756634-1002
Source: upx_rufus.exe, 00000000.00000002.2963457761.0000000000935000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rufus.akeo.ie/E/l
Source: upx_rufus.exe, 00000000.00000003.2013612417.000000000095E000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000002.2963457761.00000000008F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rufus.akeo.ie/Rufus_win.ver
Source: upx_rufus.exe, 00000000.00000002.2963631354.0000000000961000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000003.2013812131.0000000000960000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000003.2013612417.000000000095E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rufus.akeo.ie/Rufus_win.ver7
Source: upx_rufus.exe, 00000000.00000003.2013790137.0000000000990000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000002.2963631354.0000000000961000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000003.2013812131.0000000000960000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000003.2013612417.000000000095E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rufus.akeo.ie/Rufus_win.verver
Source: upx_rufus.exe, 00000000.00000002.2963631354.0000000000961000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000003.2013812131.0000000000960000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000003.2013612417.000000000095E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rufus.akeo.ie/Rufus_win.verver?
Source: upx_rufus.exe, 00000000.00000003.2013612417.000000000095E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rufus.akeo.ie/Rufus_win_x64.ver
Source: upx_rufus.exe, 00000000.00000002.2963457761.00000000008F7000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000002.2963457761.0000000000935000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rufus.akeo.ie/Rufus_win_x64_10.0.ver
Source: upx_rufus.exe, 00000000.00000002.2963457761.00000000008F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rufus.akeo.ie/Rufus_win_x64_10.0.verk
Source: upx_rufus.exe, 00000000.00000002.2963631354.0000000000961000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000003.2013812131.0000000000960000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000002.2963613388.000000000095E000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000003.2013612417.000000000095E000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000002.2963457761.00000000008F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rufus.akeo.ie/Rufus_win_x64_10.ver
Source: upx_rufus.exe, 00000000.00000002.2963457761.00000000008F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rufus.akeo.ie/Rufus_win_x64_10.verQ
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://rufus.akeo.ie/compatibility.
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://rufus.akeo.ie/compatibility.;
Source: upx_rufus.exe, 00000000.00000002.2963457761.00000000008F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rufus.akeo.ie/rosoft
Source: upx_rufus.exe, 00000000.00000002.2963457761.00000000008F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rufus.akeo.ie/s.akeo.ie/Rufus_win_x64_10.0.ver
Source: upx_rufus.exe, 00000000.00000002.2963457761.00000000008F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rufus.akeo.ie/ufus_win_x64_10.0.ver
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://rufus.akeo.ieFailed
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://sourceforge.net/projects/smartmontools
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.gnupg.org

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443

Source: unknown	HTTPS traffic detected: 185.199.108.153:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.153:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.153:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.153:443 -> 192.168.2.4:49743 version: TLS 1.2

Source: C:\Users\user\Desktop\upx_rufus.exe	File created: C:\Windows\SysWOW64\GroupPolicy\gpt.ini	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	File created: C:\Windows\System32\GroupPolicy\Machine	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	File created: C:\Windows\System32\GroupPolicy\User	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	File created: C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	File created: C:\Windows\System32\GroupPolicy\GPT.INI	Jump to behavior

Source: C:\Users\user\Desktop\upx_rufus.exe

Process token adjusted: Load Driver

Jump to behavior

Source: upx_rufus.exe, 00000000.00000002.2963423502.000000000068A000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamerufus.exe, vs upx_rufus.exe
Source: upx_rufus.exe, 00000000.00000000.1709388438.000000000068A000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamerufus.exe, vs upx_rufus.exe
Source: upx_rufus.exe	Binary or memory string: OriginalFilenamerufus.exe, vs upx_rufus.exe

Source: upx_rufus.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: upx_rufus.exe

Static PE information: Section: UPX1 ZLIB complexity 0.9988294365556799

Source: classification engine

Classification label: mal52.spre.evad.winEXE@1/6@2/1

Source: C:\Users\user\Desktop\upx_rufus.exe

File created: C:\Users\user\Desktop\rufus.ini

Jump to behavior

Source: C:\Users\user\Desktop\upx_rufus.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global/Rufus

Source: C:\Users\user\Desktop\upx_rufus.exe

File created: C:\Users\user\AppData\Local\Temp\RufAB7F.tmp

Jump to behavior

Source: C:\Users\user\Desktop\upx_rufus.exe

File read: C:\Windows\SysWOW64\GroupPolicy\gpt.ini

Jump to behavior

Source: C:\Users\user\Desktop\upx_rufus.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: upx_rufus.exe

String found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05

Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: gpedit.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: dssec.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: dsuiext.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: authz.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: userlanguagescpl.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\upx_rufus.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\upx_rufus.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA502722-A23D-11D1-A7D3-0000F87571E3}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\upx_rufus.exe

File written: C:\Windows\SysWOW64\GroupPolicy\gpt.ini

Jump to behavior

Source: C:\Users\user\Desktop\upx_rufus.exe

Window detected: Number of UI elements: 30

Source: upx_rufus.exe

Static PE information: certificate valid

Source:	Binary string: C:\efifs\x64\Release\ntfs_x64.pdb source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000648000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\efifs\arm\Release\ntfs_arm.pdb$$ source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000648000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\efifs\ia32\Release\ntfs_ia32.pdb source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000648000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\uefi-ntfs\arm\Release\bootarm.pdb source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000648000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\efifs\ia32\Release\ntfs_ia32.pdb source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000648000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\uefi-ntfs\ia32\Release\bootia32.pdb source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000648000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\efifs\arm\Release\ntfs_arm.pdb source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000648000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\efifs\x64\Release\ntfs_x64.pdb source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000648000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\uefi-ntfs\x64\Release\bootx64.pdb source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000648000.00000040.00000001.01000000.00000003.sdmp

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: VMware__VMware_Virtual_S
Source: RufAB7F.tmp.0.dr	Binary or memory string: t MSG_265 "Pengesanan cakera VMWare"
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Device eliminated because it contains a mounted partition that is set as non-removableDevice eliminated because it was detected as a Hard Drive (score %d > 0)If this device is not a Hard Drive, please e-mail the author of this applicationNOTE: You can enable the listing of Hard Drives in 'Advanced Options' (after clicking the white triangle)Removing %C: from the list: This is the %s!%s [%s]USBSTORRTSUERCMIUCREUCRVUSBSTORETRONSTORASUSSTPTSCSIPCISTORRTSORJMCRJMCFRIMMPTSKRIMSPTSKRIXDPTSKTI21SONYESD7SKESM7SKO2MDO2SDVIACR_SD__SDHC__MMC__MS__MSPro__xDPicture__O2Media_USBUSB 1.0USB 1.1USB 2.0USB 3.0?:\EFI\Rufus\ntfs_x64.efiArsenal_________Virtual_KernSafeVirtual_________Msft____Virtual_Disk____VMware__VMware_Virtual_S
Source: RufAB7F.tmp.0.dr	Binary or memory string: t MSG_265 "VMWare disk oppdagelse"
Source: RufAB7F.tmp.0.dr	Binary or memory string: a VMWare"
Source: upx_rufus.exe, 00000000.00000003.1719613442.000000000090B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RufAB7F.tmp.0.dr	Binary or memory string: t MSG_265 "VMWare
Source: RufAB7F.tmp.0.dr	Binary or memory string: t MSG_265 "VMWare disk gedetecteerd"
Source: RufAB7F.tmp.0.dr	Binary or memory string: t MSG_265 "A detetar disco VMWare"
Source: RufAB7F.tmp.0.dr	Binary or memory string: t MSG_265 "VMWare disk detektering"
Source: RufAB7F.tmp.0.dr	Binary or memory string: t MSG_265 "VMWare-Laufwerks-Erkennung"
Source: RufAB7F.tmp.0.dr	Binary or memory string: t MSG_265 "Rilevamento disco VMWare"
Source: RufAB7F.tmp.0.dr	Binary or memory string: w VMWare"
Source: upx_rufus.exe, 00000000.00000002.2963457761.00000000008F7000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000002.2963457761.0000000000935000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: RufAB7F.tmp.0.dr	Binary or memory string: VMware"
Source: RufAB7F.tmp.0.dr	Binary or memory string: t MSG_265 "VMWare-levyn havaitseminen"
Source: RufAB7F.tmp.0.dr	Binary or memory string: t MSG_265 "VMWare disk detekcija"
Source: RufAB7F.tmp.0.dr	Binary or memory string: t MSG_265 "VMWare diskdetekteringen
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: VMware VMKCORE
Source: RufAB7F.tmp.0.dr	Binary or memory string: t MSG_265 "Deteksi VMWare disk"
Source: upx_rufus.exe, 00000000.00000003.1719613442.000000000090B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&00000000a0c906bed8}KK
Source: RufAB7F.tmp.0.dr	Binary or memory string: t MSG_265 "Detectando disco VMWare"
Source: RufAB7F.tmp.0.dr	Binary or memory string: t MSG_265 "Detectare disc VMWare"
Source: upx_rufus.exe, 00000000.00000002.2963457761.0000000000935000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Found non-USB removable device 'VMware Virtual disk SCSI Disk Device' => Eliminated
Source: RufAB7F.tmp.0.dr	Binary or memory string: t MSG_265 "VMWare disk detection"
Source: RufAB7F.tmp.0.dr	Binary or memory string: t MSG_265 "VMware lemez
Source: RufAB7F.tmp.0.dr	Binary or memory string: n de discos VMWare"
Source: RufAB7F.tmp.0.dr	Binary or memory string: tection de disque VMWare"
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: VMware VMFS
Source: RufAB7F.tmp.0.dr	Binary or memory string: t MSG_265 "VMWare disk alg
Source: RufAB7F.tmp.0.dr	Binary or memory string: t MSG_265 "VMWare disk tapma"
Source: upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: EmptyFAT12XENIX rootXENIX usrSmall FAT16ExtendedFAT16NTFS/exFAT/UDFAIXAIX BootableOS/2 Boot ManagerFAT32FAT32 LBAFAT16 LBAExtended LBAOPUSHidden FAT12Compaq DiagnosticsHidden Small FAT16Hidden FAT16Hidden NTFSAST SmartSleepHidden FAT32Hidden FAT32 LBAHidden FAT16 LBAWindows Mobile XIPSpeedStorNEC DOSWindows Mobile IMGFSHidden NTFS WinREPlan 9PMagic RecoveryVenix 80286PPC PReP BootSFSQNX4.xOnTrack DMCP/MEZ DriveGolden BowPriam EDiskGNU HURD/SysVNetwareDiskSecure MultiBootPC/IXNovellXOSLF.I.X.AODPSMinixGNU/Linux SwapGNU/LinuxWindows HibernationGNU/Linux ExtendedNTFS Volume SetGNU/Linux PlaintextFreeDOS Hidden FAT12GNU/Linux LVMFreeDOS Hidden FAT16FreeDOS Hidden ExtendedGNU/Linux HiddenCHRP ISO-9660FreeDOS Hidden FAT32BSD/OSHibernationFreeBSDOpenBSDNeXTSTEPDarwin UFSNetBSDDarwin BootHFS/HFS+BootStar DummyQNXBSDIBSDI SwapBootWizard HiddenAcronis SZSolaris BootSolarisSecured FATDR DOS FAT12GNU/Linux Hidden SwapDR DOS FAT16DR DOS ExtendedSyrinxNon-FS DataDell UtilityBootItST AVFSLUKSRufus ExtraBeOS/HaikuSkyFSGPT Hybrid MBRGPT Protective MBREFI FATPA-RISC BootDOS secondaryBochsVMware VMFSVMware VMKCOREGNU/Linux RAID AutoLANstepXENIX BBT%sErasing %d sectorsWriting Image...Zeroing drive...Warning: Unable to rewind image position - wrong data might be copied!Writing compressed image...Could not write compressed image: %I64iCould not allocate disk write bufferWrite buffer is not alignedread error: %swrite error: Wrote %d bytes, expected %d byteswrite error at sector %d: %s RETRYING...
Source: RufAB7F.tmp.0.dr	Binary or memory string: t MSG_265 "VMWare
Source: RufAB7F.tmp.0.dr	Binary or memory string: t MSG_265 "VMWare detekce disk"
Source: RufAB7F.tmp.0.dr	Binary or memory string: vanie VMWare disku"
Source: RufAB7F.tmp.0.dr	Binary or memory string: VMWare"
Source: RufAB7F.tmp.0.dr	Binary or memory string: VMWare
Source: RufAB7F.tmp.0.dr	Binary or memory string: t MSG_265 "Zaznavanje diskov VMware"
Source: upx_rufus.exe, 00000000.00000002.2963757573.0000000002BC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMWare disk detection
Source: RufAB7F.tmp.0.dr	Binary or memory string: enje VMWare diska"
Source: RufAB7F.tmp.0.dr	Binary or memory string: t MSG_265 "VMWare disko aptikimas"
Source: upx_rufus.exe, 00000000.00000002.2963757573.0000000002BC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMWare disk detection'
Source: RufAB7F.tmp.0.dr	Binary or memory string: t MSG_265 "Noteikts VMWare disks"
Source: upx_rufus.exe, 00000000.00000002.2963457761.00000000008A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000

Source: C:\Users\user\Desktop\upx_rufus.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\upx_rufus.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies Group Policy settings

Source: C:\Users\user\Desktop\upx_rufus.exe

File written: C:\Windows\System32\GroupPolicy\GPT.INI

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	11 Replication Through Removable Media	2 Command and Scripting Interpreter	1 LSASS Driver	1 LSASS Driver	11 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Software Packing	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
upx_rufus.exe	0%	ReversingLabs
upx_rufus.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://rufus.akeo.ie/Rufus_win.verver?	0%	Avira URL Cloud	safe
http://www.codeguru.com/forum/showthread.php?p=1951973	0%	Avira URL Cloud	safe
http://www.syslinux.org	0%	Avira URL Cloud	safe
http://e2fsprogs.sourceforge.net	0%	Avira URL Cloud	safe
http://rufus.akeo.ie/files	0%	Avira URL Cloud	safe
http://rufus.akeo.ie/Rufus_win_x64.ver	0%	Avira URL Cloud	safe
http://rufus.akeo.ie/	0%	Avira URL Cloud	safe
http://doc.sch130.nsc.ru/www.sysinternals.com/ntw2k/source/fmifs.shtml	0%	Avira URL Cloud	safe
https://rufus.akeo.ie/Rufus_win_x64_10.verQ	0%	Avira URL Cloud	safe
https://rufus.akeo.ie/	0%	Avira URL Cloud	safe
https://rufus.akeo.ie/s.akeo.ie/Rufus_win_x64_10.0.ver	0%	Avira URL Cloud	safe
http://www.busybox.net/	0%	Avira URL Cloud	safe
https://rufus.akeo.ie	0%	Avira URL Cloud	safe
http://svn.reactos.org/svn/reactos/trunk/reactos	0%	Avira URL Cloud	safe
http://www.reactos.org	0%	Avira URL Cloud	safe
http://rufus.akeo.ie/files%s/%s-%s/%sExtended	0%	Avira URL Cloud	safe
http://www.ridgecrop.demon.co.uk/index.htm?fat32format.htm	0%	Avira URL Cloud	safe
https://rufus.akeo.ie/compatibility.	0%	Avira URL Cloud	safe
http://www.7-zip.orgopen2.02rufus_filescore.imggrub%s-%s/%srbWill	0%	Avira URL Cloud	safe
https://rufus.akeo.ie/Rufus_win.ver7	0%	Avira URL Cloud	safe
http://pcunleashed.com	0%	Avira URL Cloud	safe
http://ms-sys.sourceforge.net	0%	Avira URL Cloud	safe
https://rufus.akeo.ie/Rufus_win_x64_10.0.ver	0%	Avira URL Cloud	safe
https://rufus.akeo.ie/ufus_win_x64_10.0.ver	0%	Avira URL Cloud	safe
https://rufus.akeo.ie/E/l	0%	Avira URL Cloud	safe
http://tortoisesvn.net/	0%	Avira URL Cloud	safe
https://rufus.akeo.ie).	0%	Avira URL Cloud	safe
http://www.freedos.org	0%	Avira URL Cloud	safe
http://halamix2.pl	0%	Avira URL Cloud	safe
https://rufus.akeo.ie/Rufus_win.ver	0%	Avira URL Cloud	safe
https://rufus.akeo.ieFailed	0%	Avira URL Cloud	safe
https://rufus.akeo.ie/Rufus_win_x64_10.0.verk	0%	Avira URL Cloud	safe
http://rufus.akeo.ie/Rufus/%d.%d.%d	0%	Avira URL Cloud	safe
https://rufus.akeo.ie/Rufus_win_x64.ver	0%	Avira URL Cloud	safe
https://rufus.akeo.ie/rosoft	0%	Avira URL Cloud	safe
http://www.napisy.info	0%	Avira URL Cloud	safe
http://rufus.akeo.ie/Rufus_win.verver5	0%	Avira URL Cloud	safe
https://rufus.akeo.ie/Rufus_win_x64_10.ver	0%	Avira URL Cloud	safe
https://www.gnupg.org	0%	Avira URL Cloud	safe
http://processhacker.sourceforge.net/	0%	Avira URL Cloud	safe
http://svn.reactos.org/svn/reactos/trunk/reactos/include/reactos/libs/fmifs	0%	Avira URL Cloud	safe
https://rufus.akeo.ie/Rufus_win.verver	0%	Avira URL Cloud	safe
http://akeo.ie)4	0%	Avira URL Cloud	safe
http://rufus.akeo.ie/Rufus_win_x64_10.0.ver	0%	Avira URL Cloud	safe
http://freedos.sourceforge.net/freecom	0%	Avira URL Cloud	safe
http://rufus.akeo.ie/Rufus_win.ver	0%	Avira URL Cloud	safe
https://rufus.akeo.ie/6122658-3693405117-2476756634-1002	0%	Avira URL Cloud	safe
https://rufus.akeo.ie/compatibility.;	0%	Avira URL Cloud	safe
http://crl.microt	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
pbatard.github.io	185.199.108.153	true	false		unknown
rufus.akeo.ie	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://rufus.akeo.ie/Rufus_win_x64_10.0.ver	false	Avira URL Cloud: safe	unknown
https://rufus.akeo.ie/Rufus_win.ver	false	Avira URL Cloud: safe	unknown
https://rufus.akeo.ie/Rufus_win_x64.ver	false	Avira URL Cloud: safe	unknown
https://rufus.akeo.ie/Rufus_win_x64_10.ver	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://rufus.akeo.ie/Rufus_win_x64.ver	upx_rufus.exe, 00000000.00000002.2963631354.0000000000961000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000003.2013812131.0000000000960000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000003.2013612417.000000000095E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.syslinux.org	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://rufus.akeo.ie/Rufus_win.verver?	upx_rufus.exe, 00000000.00000002.2963631354.0000000000961000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000003.2013812131.0000000000960000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000003.2013612417.000000000095E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://7-zip.org	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false		high
http://rufus.akeo.ie/files	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://www.codeguru.com/forum/showthread.php?p=1951973	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://e2fsprogs.sourceforge.net	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/pbatard/rufus/blob/master/res/localization/ChangeLog.txt	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp, upx_rufus.exe, 00000000.00000002.2963030477.000000000049A000.00000040.00000001.01000000.00000003.sdmp	false		high
http://rufus.akeo.ie/	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://rufus.akeo.ie/Rufus_win_x64_10.verQ	upx_rufus.exe, 00000000.00000002.2963457761.00000000008F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://doc.sch130.nsc.ru/www.sysinternals.com/ntw2k/source/fmifs.shtml	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://rufus.akeo.ie/	upx_rufus.exe, 00000000.00000002.2963457761.00000000008F7000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000002.2963457761.0000000000935000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://rufus.akeo.ie/s.akeo.ie/Rufus_win_x64_10.0.ver	upx_rufus.exe, 00000000.00000002.2963457761.00000000008F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.reactos.org	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://sourceforge.net/projects/smartmontools	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false		high
http://code.google.com/p/tortoisegit/	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false		high
http://rufus.akeo.ie/files%s/%s-%s/%sExtended	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/weidai11/cryptopp/	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false		high
http://svn.reactos.org/svn/reactos/trunk/reactos	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/pbatard/rufus/issues	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false		high
https://rufus.akeo.ie	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://rufus.akeo.ie/compatibility.	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://www.7-zip.orgopen2.02rufus_filescore.imggrub%s-%s/%srbWill	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://kolibrios.org	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false		high
https://rufus.akeo.ie/Rufus_win.ver7	upx_rufus.exe, 00000000.00000002.2963631354.0000000000961000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000003.2013812131.0000000000960000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000003.2013612417.000000000095E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.busybox.net/	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ridgecrop.demon.co.uk/index.htm?fat32format.htm	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://pcunleashed.com	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://ms-sys.sourceforge.net	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://rufus.akeo.ie/E/l	upx_rufus.exe, 00000000.00000002.2963457761.0000000000935000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://rufus.akeo.ie/ufus_win_x64_10.0.ver	upx_rufus.exe, 00000000.00000002.2963457761.00000000008F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tortoisesvn.net/	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://halamix2.pl	upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp, RufAB7F.tmp.0.dr	false	Avira URL Cloud: safe	unknown
http://www.gnu.org/software/libcdio	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false		high
http://www.gnu.org/software/grub	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false		high
http://www.freedos.org	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://rufus.akeo.ie).	upx_rufus.exe, 00000000.00000002.2963030477.0000000000648000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://rufus.akeo.ieFailed	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://www.7-zip.org	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false		high
https://rufus.akeo.ie/Rufus_win_x64_10.0.verk	upx_rufus.exe, 00000000.00000002.2963457761.00000000008F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.napisy.info	upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp, RufAB7F.tmp.0.dr	false	Avira URL Cloud: safe	unknown
https://github.com/pbatard/bled	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false		high
https://rufus.akeo.ie/rosoft	upx_rufus.exe, 00000000.00000002.2963457761.00000000008F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://rufus.akeo.ie/Rufus/%d.%d.%d	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://rufus.akeo.ie/Rufus_win.verver5	upx_rufus.exe, 00000000.00000002.2963631354.0000000000961000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000003.2013812131.0000000000960000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000003.2013612417.000000000095E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://processhacker.sourceforge.net/	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://winscp.net	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false		high
https://www.gnupg.org	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/pbatard/uefi-ntfs.	upx_rufus.exe, 00000000.00000002.2963030477.0000000000648000.00000040.00000001.01000000.00000003.sdmp	false		high
http://www.gnu.org/software/fdisk	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false		high
http://svn.reactos.org/svn/reactos/trunk/reactos/include/reactos/libs/fmifs	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://rufus.akeo.ie/Rufus_win.ver	upx_rufus.exe, 00000000.00000002.2963631354.0000000000961000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000003.2013812131.0000000000960000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000003.2013612417.000000000095E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/chenall/grub4dos	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false		high
http://akeo.ie)4	upx_rufus.exe	false	Avira URL Cloud: safe	unknown
https://github.com/Chocobo1	upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp, RufAB7F.tmp.0.dr	false		high
http://fsf.org/	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false		high
https://rufus.akeo.ie/Rufus_win.verver	upx_rufus.exe, 00000000.00000003.2013790137.0000000000990000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000002.2963631354.0000000000961000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000003.2013812131.0000000000960000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000003.2013612417.000000000095E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://rufus.akeo.ie/Rufus_win_x64_10.0.ver	upx_rufus.exe, 00000000.00000002.2963457761.0000000000935000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://freedos.sourceforge.net/freecom	upx_rufus.exe, 00000000.00000002.2963030477.00000000004D0000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://rufus.akeo.ie/6122658-3693405117-2476756634-1002	upx_rufus.exe, 00000000.00000002.2963457761.00000000008F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://rufus.akeo.ie/compatibility.;	upx_rufus.exe, 00000000.00000002.2963030477.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.microt	upx_rufus.exe, 00000000.00000002.2963631354.0000000000961000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000003.2013812131.0000000000960000.00000004.00000020.00020000.00000000.sdmp, upx_rufus.exe, 00000000.00000003.2013612417.000000000095E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gnu.org/copyleft/gpl.html	upx_rufus.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.199.108.153	pbatard.github.io	Netherlands		54113	FASTLYUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1569101
Start date and time:	2024-12-05 13:13:36 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	upx_rufus.exe
Detection:	MAL
Classification:	mal52.spre.evad.winEXE@1/6@2/1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: upx_rufus.exe

Simulations

Behavior and APIs

Time	Type	Description
07:14:59	API Interceptor	1x Sleep call for process: upx_rufus.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.199.108.153	http://ikergalindez.github.io/gofish/	Get hash	malicious	HTMLPhisher	Browse	ikergalindez.github.io/gofish/
	http://hassan6077224.github.io/netflixclonetechtitans	Get hash	malicious	HTMLPhisher	Browse	hassan6077224.github.io/netflixclonetechtitans
	http://barik-ankita.github.io/Netflix-clone	Get hash	malicious	HTMLPhisher	Browse	barik-ankita.github.io/Netflix-clone
	http://kashishoza.github.io/Netflix-Clone	Get hash	malicious	HTMLPhisher	Browse	kashishoza.github.io/Netflix-Clone
	http://shreyascyber.github.io/Netflix-Clone	Get hash	malicious	HTMLPhisher	Browse	shreyascyber.github.io/Netflix-Clone
	http://amit-7890.github.io/Netflix	Get hash	malicious	HTMLPhisher	Browse	amit-7890.github.io/Netflix
	http://pranjalirmane.github.io/netflix-homepage	Get hash	malicious	HTMLPhisher	Browse	pranjalirmane.github.io/netflix-homepage
	http://sachinchaunal.github.io/Netflix-Clone-Old-Version	Get hash	malicious	HTMLPhisher	Browse	sachinchaunal.github.io/Netflix-Clone-Old-Version
	http://him9155.github.io/Netflix_clone	Get hash	malicious	HTMLPhisher	Browse	him9155.github.io/Netflix_clone
	http://anoshandrews.github.io/Netflix_clone	Get hash	malicious	HTMLPhisher	Browse	anoshandrews.github.io/Netflix_clone

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pbatard.github.io	YPOAp14Hoy.exe	Get hash	malicious	CryptOne Mofksys	Browse	185.199.108.153
pbatard.github.io	rufus-2.9.exe	Get hash	malicious	Unknown	Browse	185.199.108.153

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	https://yrcisodockdxc.wixsite.com/so/ffPELWCGk/c?w=fTz-zc0Je0uykVBAmif5UmM6Rsu4kk-G5MXIVA5XOqg.eyJ1IjoiaHR0cHM6Ly9zZGtmaW93ZWkuY2xpY2svaG9tZS5waHAiLCJyIjoiZTU4NTRhMDUtMTAwNS00YjFmLTk5YzYtZjNhOTEzZjg3NDlmIiwibSI6Im1haWwiLCJjIjoiOTkwNzEzOGMtZWE2My00ODc4LTg3YTItZGEyMGZkMmQwZWY0In0	Get hash	malicious	Unknown	Browse	151.101.194.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	https://lavender-rosamund-62.tiiny.site/	Get hash	malicious	Unknown	Browse	199.232.168.157
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	dIPYIbWXs1.exe	Get hash	malicious	GuLoader	Browse	185.199.108.153
	sNifdpWiY9.exe	Get hash	malicious	Metasploit, Meterpreter	Browse	185.199.108.153
	payload_1.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	185.199.108.153
	List of Required items xlsx.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	185.199.108.153
	ab.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	185.199.108.153
	REQUEST FOR QUOATION AND PRICES 0106-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	185.199.108.153
	comp#U00e1rtilhar080425-000800-66000544000.exe	Get hash	malicious	Unknown	Browse	185.199.108.153
	file.exe	Get hash	malicious	Unknown	Browse	185.199.108.153
	file.exe	Get hash	malicious	Unknown	Browse	185.199.108.153

Process:	C:\Users\user\Desktop\upx_rufus.exe
File Type:	Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	950890
Entropy (8bit):	6.414270009417479
Encrypted:	false
SSDEEP:	12288:axHNL6lZy0dii6u2YFXHFNJmEV9nV8k+to83+4vBW/xgxkKp+hCW9CkRgxqF1DE+:aSii6uzHn2kh83+4vBW/xgaFMI
MD5:	97F1600F3FC2BCBF40A3A51573BC82DE
SHA1:	76243E6E3318738CB0E7B4DFB5599BB7EBC62363
SHA-256:	A7E57B7AD3A29A474DC57E65607B0AAE59EDED0754F928EA4417E3E6B8E23008
SHA-512:	627BEF5F1FACDD306C49D027CB650D14C8174B949D9627C93A8A35F78E7A1C9EBD7107D3A6E09C3C4660B4A05023A5E25A073A70C82FAD4079BE2B53BAA8299D
Malicious:	false
Reputation:	low
Preview:	l "en-US" "English (English)" 0x0409, 0x0809, 0x0c09, 0x1009, 0x1409, 0x1809, 0x1c09, 0x2009, 0x2409, 0x2809, 0x2c09, 0x3009, 0x3409, 0x3809, 0x3c09, 0x4009, 0x4409, 0x4809..v 1.0.22..t MSG_001 "Other instance detected"..t MSG_002 "Another Rufus application is running.\n"..."Please close the first application before running another one."..t MSG_003 "WARNING: ALL DATA ON DEVICE '%s' WILL BE DESTROYED.\n"..."To continue with this operation, click OK. To quit click CANCEL."..t MSG_004 "Rufus update policy"..t MSG_005 "Do you want to allow Rufus to check for application updates online?"..t MSG_006 "Close"..t MSG_007 "Cancel"..t MSG_008 "Yes"..t MSG_009 "No"..t MSG_010 "Bad blocks found"..t MSG_011 "Check completed: %d bad block(s) found\n"..." %d read error(s)\n %d write error(s)\n %d corruption error(s)\n"..t MSG_012 "%s\nA more detailed report can be found in:\n%s"..t MSG_013 "Disabled"..t MSG_014 "Daily"..t MSG_015 "Weekly"..t MSG_016 "Monthly"..t MSG_017 "Custom"..t MSG_018 "Your ve

C:\Users\user\Desktop\rufus.ini

Download File

Process:	C:\Users\user\Desktop\upx_rufus.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	68
Entropy (8bit):	4.777776811456786
Encrypted:	false
SSDEEP:	3:5HQAFoRLWX51jXDJiFddVs:5BZJ1jlmdXs
MD5:	569A22ED77A4002A47EEDC73D7AE6CE7
SHA1:	E3A13C12BEF469DC08BDF025CF83363A43D4582A
SHA-256:	6BB4FE9A6346DED17D47355715E3EAF00C58A3B8DAFAB26766FED3925D2786D5
SHA-512:	4225A8E06DD2A0D57DDD5DF5F035CCBBC46B44CECD2E29E5B7543B3BE3DF3FF9EFC75598326C30FE44C9B4666191D69BF25F87B32F0FFC5A7EBA39F0250EE201
Malicious:	false
Reputation:	low
Preview:	Locale = en-US..CommCheck64 = 4173203..UpdateCheckInterval = 86400..

C:\Users\user\Desktop\rufus.ini~

Download File

Process:	C:\Users\user\Desktop\upx_rufus.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	68
Entropy (8bit):	4.777776811456786
Encrypted:	false
SSDEEP:	3:5HQAFoRLWX51jXDJiFddVs:5BZJ1jlmdXs
MD5:	569A22ED77A4002A47EEDC73D7AE6CE7
SHA1:	E3A13C12BEF469DC08BDF025CF83363A43D4582A
SHA-256:	6BB4FE9A6346DED17D47355715E3EAF00C58A3B8DAFAB26766FED3925D2786D5
SHA-512:	4225A8E06DD2A0D57DDD5DF5F035CCBBC46B44CECD2E29E5B7543B3BE3DF3FF9EFC75598326C30FE44C9B4666191D69BF25F87B32F0FFC5A7EBA39F0250EE201
Malicious:	false
Reputation:	low
Preview:	Locale = en-US..CommCheck64 = 4173203..UpdateCheckInterval = 86400..

C:\Windows\SysWOW64\GroupPolicy\gpt.ini

Download File

Process:	C:\Users\user\Desktop\upx_rufus.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	11
Entropy (8bit):	3.2776134368191165
Encrypted:	false
SSDEEP:	3:1EX:10
MD5:	EC3584F3DB838942EC3669DB02DC908E
SHA1:	8DCEB96874D5C6425EBB81BFEE587244C89416DA
SHA-256:	77C7C10B4C860D5DDF4E057E713383E61E9F21BCF0EC4CFBBC16193F2E28F340
SHA-512:	35253883BB627A49918E7415A6BA6B765C86B516504D03A1F4FD05F80902F352A7A40E2A67A6D1B99A14B9B79DAB82F3AC7A67C512CCF6701256C13D0096855E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[General]..

C:\Windows\System32\GroupPolicy\GPT.INI

Download File

Process:	C:\Users\user\Desktop\upx_rufus.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	127
Entropy (8bit):	5.090003435843543
Encrypted:	false
SSDEEP:	3:1ELGUAgKLMzY+eWgTckbnnkBfERvI3eovzFLsUov:1WsMzYHxbnKv3eoIv
MD5:	F9A49A3E2415016FA85DDFF0B8B38419
SHA1:	F8C987119269E58D22A6B17AE2E8ECA7744FB385
SHA-256:	14694DBEE3897B6BD5AA596EBFD893E727179B67811920C174DC70E6EEE8E579
SHA-512:	91EA129A51D2C3B342287C1250F5B0DA6BA2A61EFF11791D1CFAE1F5C6DD2654C935BE1452F4A681E794FD723A3C295E9BC9E59B9005AA4D8BD55ED36C9AD91C
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	[General]..gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{3D271CFC-2BC6-4AC2-B633-3BDFF5BDAB2A}]..Version=1..

C:\Windows\System32\GroupPolicy\Machine\Registry.pol

Download File

Process:	C:\Users\user\Desktop\upx_rufus.exe
File Type:	RAGE Package Format (RPF),
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.2791226694111044
Encrypted:	false
SSDEEP:	3:CFlE3A5loWcNylRjlyWdl+Sli5lm+1XMRpvLZOal7EQlXYlWj0zG+EX8e7lll6zf:CFlEEoWcHWn+SkirHNblPl4Wj0S+fehW
MD5:	3679852D86D944EB0A0C1A29DC85E623
SHA1:	C8D898775714206A49355D1D7538E42F7235E2D9
SHA-256:	0372CB9877228AC59386A962D2E49B51F671E546A7BA112D43D6B2B15165AA7F
SHA-512:	6DA335F7F330DD75FED52BAB9A67442BF37AF876026B4C218F00F0264F068CBC865144546F3CFDFCE675DFDB3F2DABEBF55F6468A958AAF12E0396F22004EBD2
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PReg....[.S.o.f.t.w.a.r.e.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.C.u.r.r.e.n.t.V.e.r.s.i.o.n.\.P.o.l.i.c.i.e.s.\.E.x.p.l.o.r.e.r...;.N.o.D.r.i.v.e.T.y.p.e.A.u.t.o.r.u.n...;.....;.....;.....].

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
Entropy (8bit):	7.949112062205288
TrID:	Win32 Executable (generic) a (10002005/4) 99.66% UPX compressed Win32 Executable (30571/9) 0.30% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	upx_rufus.exe
File size:	967'800 bytes
MD5:	d48615fa37605e2f53162f1d7021d937
SHA1:	d0054fc533603004a107436f47bc020afd54fa05
SHA256:	e82abd7f2c8f8c866141634a1ce10da8ebf3c58b68cb2eaa351345777bb3f67c
SHA512:	d7e50af3b0c25c2b43cb8943b14ff730195aada67ff887f824087fc1b6445501b584feca7b03783f49892503ccb282e93c998c1b7d6c9be0849d7c4ec6b29da8
SSDEEP:	24576:F15UCERUa4iQwBYAor7t4wdAMz5XvFKD69:LuCutQAoJ4eAMVXV
TLSH:	542523EA0771995DC2D204348F584B247932BACE2F56D73F7385FA8F39B1741282D89A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................................(.......(...@..........................P).....%......... ............................

File Icon


Icon Hash:	3afd6633914d2601

Static PE Info

General

Entrypoint:	0x6888b0
Entrypoint Section:	UPX1
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	NX_COMPAT
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:	0x689461
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f44087a5f9857072750bf414ec8a1aa9

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	12/11/2012 00:00:00 12/11/2017 23:59:59
Subject Chain	CN=Akeo Consulting, O=Akeo Consulting, STREET="24, Grey Rock", L=Milford, S=Co. Donegal, PostalCode=Co. Donegal, C=IE
Version:	3
Thumbprint MD5:	840101AAA50043A0202F10ADA980B5A0
Thumbprint SHA-1:	655F6413A8F721E3286ACE95025C9E0EA132A984
Thumbprint SHA-256:	0161D4FBA099EC7E72600A620DD9EE96D6595A0B296927AC3E94F49418E621BE
Serial:	47D73D146614770CB3DAAF5502C48D9C

Entrypoint Preview

Instruction
pushad
mov esi, 005AA015h
lea edi, dword ptr [esi-001A9015h]
push edi
mov ebp, esp
lea ebx, dword ptr [esp-00003E80h]
xor eax, eax
push eax
cmp esp, ebx
jne 00007F500917891Dh
inc esi
inc esi
push ebx
push 00286B75h
push edi
add ebx, 04h
push ebx
push 000DE88Eh
push esi
add ebx, 04h
push ebx
push eax
mov dword ptr [ebx], 00020003h
push ebp
push edi
push esi
push ebx
sub esp, 7Ch
mov edx, dword ptr [esp+00000090h]
mov dword ptr [esp+74h], 00000000h
mov byte ptr [esp+73h], 00000000h
mov ebp, dword ptr [esp+0000009Ch]
lea eax, dword ptr [edx+04h]
mov dword ptr [esp+78h], eax
mov eax, 00000001h
movzx ecx, byte ptr [edx+02h]
mov ebx, eax
shl ebx, cl
mov ecx, ebx
dec ecx
mov dword ptr [esp+6Ch], ecx
movzx ecx, byte ptr [edx+01h]
shl eax, cl
dec eax
mov dword ptr [esp+68h], eax
mov eax, dword ptr [esp+000000A8h]
movzx esi, byte ptr [edx]
mov dword ptr [ebp+00h], 00000000h
mov dword ptr [esp+60h], 00000000h
mov dword ptr [eax], 00000000h
mov eax, 00000300h
mov dword ptr [esp+64h], esi
mov dword ptr [esp+5Ch], 00000001h
mov dword ptr [esp+58h], 00000001h
mov dword ptr [esp+54h], 00000001h
mov dword ptr [esp+50h], 00000001h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x293d9c	0x348	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x28a000	0x9d9c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xe9a00	0x2a78	UPX0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x289480	0x18	UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x1a9000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x1aa000	0xe0000	0xdf600	45429cf9d404c749d46ae2e8dc1d91de	False	0.9988294365556799	data	7.999595810285694	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x28a000	0xb000	0xa200	8fdb388cd1b96c45412a21974432f3e6	False	0.29583815586419754	data	3.9399531853287897	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x28ac14	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.24385923476617855
RT_ICON	0x28ee40	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.30145228215767633
RT_ICON	0x2913ec	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.3468574108818011
RT_ICON	0x292498	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	0.42131147540983604
RT_ICON	0x292e24	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.5150709219858156
RT_ICON	0xd0278	0x468	empty	0
RT_ICON	0xd06e0	0x468	empty	0
RT_DIALOG	0xd0b48	0x816	empty	0
RT_DIALOG	0xd1360	0x16c	empty	0
RT_DIALOG	0xd14d0	0x16e	empty	0
RT_DIALOG	0xd1640	0x4f4	empty	0
RT_DIALOG	0xd1b38	0xac	empty	0
RT_DIALOG	0xd1be8	0x102	empty	0
RT_DIALOG	0xd1cf0	0x252	empty	0
RT_DIALOG	0xd1f48	0x330	empty	0
RT_DIALOG	0xd2278	0x160	empty	0
RT_DIALOG	0xd23d8	0x3e2	empty	0
RT_RCDATA	0xd27c0	0x10581	empty	0
RT_RCDATA	0xe2d48	0xb65d	empty	0
RT_RCDATA	0xee3a8	0xe43	empty	0
RT_RCDATA	0xef1f0	0x2cb6	empty	0
RT_RCDATA	0xf1ea8	0x3f74	empty	0
RT_RCDATA	0xf5e20	0x9da8	empty	0
RT_RCDATA	0xffbc8	0x7436	empty	0
RT_RCDATA	0x107000	0x7db2	empty	0
RT_RCDATA	0x10edb8	0x3331	empty	0
RT_RCDATA	0x1120f0	0x1940	empty	0
RT_RCDATA	0x113a30	0x1b93	empty	0
RT_RCDATA	0x1155c8	0x155d	empty	0
RT_RCDATA	0x116b28	0x114f	empty	0
RT_RCDATA	0x117c78	0x1c31	empty	0
RT_RCDATA	0x1198b0	0x1cf1	empty	0
RT_RCDATA	0x11b5a8	0x150b	empty	0
RT_RCDATA	0x11cab8	0x1b3d	empty	0
RT_RCDATA	0x11e5f8	0x1699	empty	0
RT_RCDATA	0x11fc98	0x15a7	empty	0
RT_RCDATA	0x121240	0x1c3c	empty	0
RT_RCDATA	0x122e80	0x1fb7	empty	0
RT_RCDATA	0x124e38	0x1889	empty	0
RT_RCDATA	0x1266c8	0x1e4e	empty	0
RT_RCDATA	0x128518	0x193a	empty	0
RT_RCDATA	0x129e58	0x1e71	empty	0
RT_RCDATA	0x12bcd0	0x22e1	empty	0
RT_RCDATA	0x12dfb8	0x1426	empty	0
RT_RCDATA	0x12f3e0	0x200	empty	0
RT_RCDATA	0x12f5e0	0x8e88	empty	0
RT_RCDATA	0x138468	0x200	empty	0
RT_RCDATA	0x138668	0x10bf7	empty	0
RT_RCDATA	0x149260	0x855c	empty	0
RT_RCDATA	0x1517c0	0x2000	empty	0
RT_RCDATA	0x1537c0	0x7c80	empty	0
RT_RCDATA	0x15b440	0xe826a	empty	0
RT_RCDATA	0x2436b0	0x800	data	1.00537109375
RT_RCDATA	0x243eb0	0x40000	data	1.0003280639648438
RT_RCDATA	0x283eb0	0x332	data	1.0134474327628362
RT_RCDATA	0x2841e8	0x34b	data	1.0130486358244366
RT_GROUP_ICON	0x293290	0x4c	data	0.8026315789473685
RT_GROUP_ICON	0x284588	0x14	data	1.45
RT_GROUP_ICON	0x2845a0	0x14	OpenPGP Secret Key	1.45
RT_VERSION	0x2932e0	0x350	data	0.47877358490566035
RT_MANIFEST	0x293634	0x767	XML 1.0 document, ASCII text, with CRLF line terminators	0.44485488126649075

Imports

DLL	Import
ADVAPI32.dll	FreeSid
COMDLG32.DLL	GetOpenFileNameW
CRYPT32.dll	CryptMsgClose
GDI32.dll	SetBkMode
KERNEL32.DLL	LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
msvcrt.dll	_iob
ole32.dll	CoCreateGuid
PSAPI.DLL	GetModuleFileNameExW
SETUPAPI.dll	CM_Get_Child
SHELL32.dll	ShellExecuteA
SHLWAPI.dll	PathFileExistsA
USER32.dll	GetDC
WININET.DLL	InternetOpenA
WINTRUST.dll	WinVerifyTrustEx

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 5, 2024 13:14:49.004338026 CET	49739	80	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:49.124952078 CET	80	49739	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:49.125031948 CET	49739	80	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:49.125530958 CET	49739	80	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:49.245301962 CET	80	49739	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:50.209250927 CET	80	49739	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:50.209386110 CET	49739	80	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:50.217870951 CET	49740	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:50.217901945 CET	443	49740	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:50.218291998 CET	49740	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:50.235244989 CET	49740	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:50.235260010 CET	443	49740	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:51.450005054 CET	443	49740	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:51.450082064 CET	49740	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:51.567322016 CET	49740	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:51.567342997 CET	443	49740	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:51.567614079 CET	443	49740	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:51.567667961 CET	49740	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:51.571599960 CET	49740	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:51.615331888 CET	443	49740	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:51.886915922 CET	443	49740	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:51.886979103 CET	49740	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:51.887001038 CET	443	49740	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:51.887043953 CET	49740	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:51.887048960 CET	443	49740	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:51.887089968 CET	49740	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:51.887094021 CET	443	49740	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:51.887130976 CET	49740	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:51.887135983 CET	443	49740	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:51.887175083 CET	49740	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:51.887178898 CET	443	49740	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:51.887217999 CET	49740	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:51.887300968 CET	443	49740	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:51.887316942 CET	49740	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:51.887346029 CET	49740	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:51.888777971 CET	49739	80	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:52.008624077 CET	80	49739	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:52.203156948 CET	80	49739	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:52.203219891 CET	49739	80	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:52.205431938 CET	49741	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:52.205473900 CET	443	49741	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:52.205698967 CET	49741	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:52.206590891 CET	49741	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:52.206604004 CET	443	49741	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:53.416174889 CET	443	49741	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:53.416284084 CET	49741	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:53.418251038 CET	49741	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:53.418271065 CET	443	49741	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:53.418519974 CET	443	49741	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:53.418584108 CET	49741	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:53.418920040 CET	49741	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:53.463330984 CET	443	49741	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:53.850564957 CET	443	49741	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:53.850687027 CET	443	49741	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:53.850728989 CET	443	49741	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:53.850778103 CET	49741	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:53.850788116 CET	443	49741	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:53.850805044 CET	443	49741	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:53.850807905 CET	49741	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:53.850826979 CET	49741	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:53.850887060 CET	49741	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:53.850899935 CET	443	49741	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:53.850939035 CET	49741	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:53.855391026 CET	49741	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:53.855412006 CET	49741	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:53.910336971 CET	49739	80	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:54.030980110 CET	80	49739	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:54.224662066 CET	80	49739	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:54.224720955 CET	49739	80	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:54.225573063 CET	49742	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:54.225620031 CET	443	49742	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:54.226001024 CET	49742	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:54.226509094 CET	49742	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:54.226522923 CET	443	49742	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:55.448066950 CET	443	49742	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:55.448203087 CET	49742	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:55.450774908 CET	49742	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:55.450799942 CET	443	49742	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:55.451138020 CET	443	49742	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:55.453254938 CET	49742	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:55.453634977 CET	49742	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:55.499325991 CET	443	49742	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:55.896683931 CET	443	49742	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:55.896796942 CET	49742	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:55.896821022 CET	443	49742	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:55.896925926 CET	443	49742	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:55.896979094 CET	443	49742	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:55.896981001 CET	49742	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:55.896998882 CET	443	49742	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:55.897039890 CET	49742	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:55.897062063 CET	443	49742	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:55.897105932 CET	49742	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:55.897310019 CET	49742	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:55.897345066 CET	49742	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:55.897347927 CET	443	49742	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:55.897816896 CET	49739	80	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:55.897833109 CET	49742	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:56.017592907 CET	80	49739	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:56.212284088 CET	80	49739	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:56.212702036 CET	49739	80	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:56.214067936 CET	49743	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:56.214113951 CET	443	49743	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:56.214176893 CET	49743	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:56.215220928 CET	49743	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:56.215234995 CET	443	49743	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:57.429886103 CET	443	49743	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:57.429944038 CET	49743	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:57.431693077 CET	49743	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:57.431704998 CET	443	49743	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:57.431940079 CET	443	49743	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:57.431993961 CET	49743	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:57.432454109 CET	49743	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:57.475327969 CET	443	49743	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:57.865154028 CET	443	49743	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:57.865297079 CET	443	49743	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:57.865298986 CET	49743	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:57.865324020 CET	443	49743	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:57.865360975 CET	49743	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:57.865401983 CET	49743	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:57.865410089 CET	443	49743	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:57.865459919 CET	443	49743	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:57.865510941 CET	49743	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:57.865515947 CET	443	49743	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:57.865555048 CET	49743	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:57.865700006 CET	49743	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:57.865730047 CET	49743	443	192.168.2.4	185.199.108.153
Dec 5, 2024 13:14:57.865732908 CET	443	49743	185.199.108.153	192.168.2.4
Dec 5, 2024 13:14:57.865778923 CET	49743	443	192.168.2.4	185.199.108.153

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 5, 2024 13:14:48.126315117 CET	56845	53	192.168.2.4	1.1.1.1
Dec 5, 2024 13:14:48.997237921 CET	53	56845	1.1.1.1	192.168.2.4
Dec 5, 2024 13:15:02.540909052 CET	58010	53	192.168.2.4	1.1.1.1
Dec 5, 2024 13:15:02.689635992 CET	53	58010	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 5, 2024 13:14:48.126315117 CET	192.168.2.4	1.1.1.1	0x5aee	Standard query (0)	rufus.akeo.ie	A (IP address)	IN (0x0001)	false
Dec 5, 2024 13:15:02.540909052 CET	192.168.2.4	1.1.1.1	0xef5b	Standard query (0)	rufus.akeo.ie	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 5, 2024 13:14:48.997237921 CET	1.1.1.1	192.168.2.4	0x5aee	No error (0)	rufus.akeo.ie	pbatard.github.io		CNAME (Canonical name)	IN (0x0001)	false
Dec 5, 2024 13:14:48.997237921 CET	1.1.1.1	192.168.2.4	0x5aee	No error (0)	pbatard.github.io		185.199.108.153	A (IP address)	IN (0x0001)	false
Dec 5, 2024 13:14:48.997237921 CET	1.1.1.1	192.168.2.4	0x5aee	No error (0)	pbatard.github.io		185.199.109.153	A (IP address)	IN (0x0001)	false
Dec 5, 2024 13:14:48.997237921 CET	1.1.1.1	192.168.2.4	0x5aee	No error (0)	pbatard.github.io		185.199.110.153	A (IP address)	IN (0x0001)	false
Dec 5, 2024 13:14:48.997237921 CET	1.1.1.1	192.168.2.4	0x5aee	No error (0)	pbatard.github.io		185.199.111.153	A (IP address)	IN (0x0001)	false
Dec 5, 2024 13:15:02.689635992 CET	1.1.1.1	192.168.2.4	0xef5b	No error (0)	rufus.akeo.ie	pbatard.github.io		CNAME (Canonical name)	IN (0x0001)	false
Dec 5, 2024 13:15:02.689635992 CET	1.1.1.1	192.168.2.4	0xef5b	No error (0)	pbatard.github.io		185.199.110.153	A (IP address)	IN (0x0001)	false
Dec 5, 2024 13:15:02.689635992 CET	1.1.1.1	192.168.2.4	0xef5b	No error (0)	pbatard.github.io		185.199.111.153	A (IP address)	IN (0x0001)	false
Dec 5, 2024 13:15:02.689635992 CET	1.1.1.1	192.168.2.4	0xef5b	No error (0)	pbatard.github.io		185.199.108.153	A (IP address)	IN (0x0001)	false
Dec 5, 2024 13:15:02.689635992 CET	1.1.1.1	192.168.2.4	0xef5b	No error (0)	pbatard.github.io		185.199.109.153	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

rufus.akeo.ie

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49739	185.199.108.153	80	3720	C:\Users\user\Desktop\upx_rufus.exe

Timestamp	Bytes transferred	Direction	Data
Dec 5, 2024 13:14:49.125530958 CET	128	OUT	GET /Rufus_win_x64_10.0.ver HTTP/1.1 Accept: / User-Agent: Rufus/2.18.1213 (Windows NT 10.0; WOW64) Host: rufus.akeo.ie
Dec 5, 2024 13:14:50.209250927 CET	683	IN	HTTP/1.1 301 Moved Permanently Connection: keep-alive Content-Length: 162 Server: GitHub.com Content-Type: text/html Location: https://rufus.akeo.ie/Rufus_win_x64_10.0.ver X-GitHub-Request-Id: A979:192E96:366DD0A:3B1DF39:675194AC Accept-Ranges: bytes Age: 1165 Date: Thu, 05 Dec 2024 12:14:50 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740044-EWR X-Cache: HIT X-Cache-Hits: 0 X-Timer: S1733400890.051517,VS0,VE1 Vary: Accept-Encoding X-Fastly-Request-ID: f923b9b580cb68432b3affbc3b6e482a858ce674 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
Dec 5, 2024 13:14:51.888777971 CET	126	OUT	GET /Rufus_win_x64_10.ver HTTP/1.1 Accept: / User-Agent: Rufus/2.18.1213 (Windows NT 10.0; WOW64) Host: rufus.akeo.ie
Dec 5, 2024 13:14:52.203156948 CET	681	IN	HTTP/1.1 301 Moved Permanently Connection: keep-alive Content-Length: 162 Server: GitHub.com Content-Type: text/html Location: https://rufus.akeo.ie/Rufus_win_x64_10.ver X-GitHub-Request-Id: 29AE:3BC88D:38C0D7B:3D71215:675194AF Accept-Ranges: bytes Age: 1164 Date: Thu, 05 Dec 2024 12:14:52 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740044-EWR X-Cache: HIT X-Cache-Hits: 0 X-Timer: S1733400892.045609,VS0,VE1 Vary: Accept-Encoding X-Fastly-Request-ID: b0cb35ad623530930fef466afd2852987a00d442 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
Dec 5, 2024 13:14:53.910336971 CET	123	OUT	GET /Rufus_win_x64.ver HTTP/1.1 Accept: / User-Agent: Rufus/2.18.1213 (Windows NT 10.0; WOW64) Host: rufus.akeo.ie
Dec 5, 2024 13:14:54.224662066 CET	678	IN	HTTP/1.1 301 Moved Permanently Connection: keep-alive Content-Length: 162 Server: GitHub.com Content-Type: text/html Location: https://rufus.akeo.ie/Rufus_win_x64.ver X-GitHub-Request-Id: E80E:3D54C3:369620D:3B46534:675194B0 Accept-Ranges: bytes Age: 1165 Date: Thu, 05 Dec 2024 12:14:54 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740044-EWR X-Cache: HIT X-Cache-Hits: 0 X-Timer: S1733400894.067034,VS0,VE1 Vary: Accept-Encoding X-Fastly-Request-ID: 9335721426318430030da3a5c730750a5d490baa Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>
Dec 5, 2024 13:14:55.897816896 CET	119	OUT	GET /Rufus_win.ver HTTP/1.1 Accept: / User-Agent: Rufus/2.18.1213 (Windows NT 10.0; WOW64) Host: rufus.akeo.ie
Dec 5, 2024 13:14:56.212284088 CET	673	IN	HTTP/1.1 301 Moved Permanently Connection: keep-alive Content-Length: 162 Server: GitHub.com Content-Type: text/html Location: https://rufus.akeo.ie/Rufus_win.ver X-GitHub-Request-Id: 2EC1:D3DB5:36A67F9:3B569D7:675194B3 Accept-Ranges: bytes Age: 1163 Date: Thu, 05 Dec 2024 12:14:56 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740044-EWR X-Cache: HIT X-Cache-Hits: 0 X-Timer: S1733400896.054545,VS0,VE1 Vary: Accept-Encoding X-Fastly-Request-ID: dc4ac2b13890943ec58c645d8b4a74d2e56033d6 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49740	185.199.108.153	443	3720	C:\Users\user\Desktop\upx_rufus.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 12:14:51 UTC	152	OUT	GET /Rufus_win_x64_10.0.ver HTTP/1.1 Accept: / User-Agent: Rufus/2.18.1213 (Windows NT 10.0; WOW64) Host: rufus.akeo.ie Connection: Keep-Alive
2024-12-05 12:14:51 UTC	650	IN	HTTP/1.1 404 Not Found Connection: close Content-Length: 9379 Server: GitHub.com Content-Type: text/html; charset=utf-8 Access-Control-Allow-Origin: * ETag: "64d39a40-24a3" Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; img-src data:; connect-src 'self' x-proxy-cache: MISS X-GitHub-Request-Id: A694:4C9B8:364FA48:3AFFBDD:675194AD Accept-Ranges: bytes Age: 1164 Date: Thu, 05 Dec 2024 12:14:51 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740072-EWR X-Cache: HIT X-Cache-Hits: 0 X-Timer: S1733400892.728579,VS0,VE1 Vary: Accept-Encoding X-Fastly-Request-ID: 4cacb7df3c7e26c69a10747716705c9638db13e4
2024-12-05 12:14:51 UTC	1378	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 22 20 63 6f 6e 74 65 6e 74 3d 22 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 73 74 79 6c 65 2d 73 72 63 20 27 75 6e 73 61 66 65 2d 69 6e 6c 69 6e 65 27 3b 20 69 6d 67 2d 73 72 63 20 64 61 74 61 3a 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Content-Security-Policy" content="default-src 'none'; style-src 'unsafe-inline'; img-src data:; connect-src 'self'"> <title>P
2024-12-05 12:14:51 UTC	1378	IN	Data Raw: 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 20 32 29 2c 0a 20 20 20 20 20 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 20 31 39 32 64 70 69 29 2c 0a 20 20 20 20 20 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 20 32 64 70 70 78 29 20 7b 0a 20 20 20 20 20 20 20 20 2e 6c 6f 67 6f 2d 69 6d 67 2d 31 78 20 7b 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 20 7d 0a 20 20 20 20 20 20 20 20 2e 6c 6f 67 6f 2d 69 6d 67 2d 32 78 20 7b 20 64 69 73 70 6c 61 79 3a 20 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 20 7d 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 23 73 75 Data Ascii: ice-pixel-ratio: 2), only screen and ( min-resolution: 192dpi), only screen and ( min-resolution: 2dppx) { .logo-img-1x { display: none; } .logo-img-2x { display: inline-block; } } #su
2024-12-05 12:14:51 UTC	1378	IN	Data Raw: 32 22 20 68 65 69 67 68 74 3d 22 33 32 22 20 74 69 74 6c 65 3d 22 22 20 61 6c 74 3d 22 22 20 73 72 63 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 70 6e 67 3b 62 61 73 65 36 34 2c 69 56 42 4f 52 77 30 4b 47 67 6f 41 41 41 41 4e 53 55 68 45 55 67 41 41 41 43 41 41 41 41 41 67 43 41 59 41 41 41 42 7a 65 6e 72 30 41 41 41 41 47 58 52 46 57 48 52 54 62 32 5a 30 64 32 46 79 5a 51 42 42 5a 47 39 69 5a 53 42 4a 62 57 46 6e 5a 56 4a 6c 59 57 52 35 63 63 6c 6c 50 41 41 41 41 79 52 70 56 46 68 30 57 45 31 4d 4f 6d 4e 76 62 53 35 68 5a 47 39 69 5a 53 35 34 62 58 41 41 41 41 41 41 41 44 77 2f 65 48 42 68 59 32 74 6c 64 43 42 69 5a 57 64 70 62 6a 30 69 37 37 75 2f 49 69 42 70 5a 44 30 69 56 7a 56 4e 4d 45 31 77 51 32 56 6f 61 55 68 36 63 6d 56 54 65 6b 35 55 59 33 70 72 59 Data Ascii: 2" height="32" title="" alt="" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAyRpVFh0WE1MOmNvbS5hZG9iZS54bXAAAAAAADw/eHBhY2tldCBiZWdpbj0i77u/IiBpZD0iVzVNME1wQ2VoaUh6cmVTek5UY3prY
2024-12-05 12:14:51 UTC	1378	IN	Data Raw: 2f 38 37 37 47 59 64 48 52 67 33 5a 6a 4d 58 46 78 65 70 51 4b 4e 53 36 73 4c 43 77 4a 78 71 4e 4e 75 46 70 69 4d 66 6a 56 73 34 5a 6a 55 61 2f 70 6d 6d 6a 65 44 36 56 6c 4a 53 38 4e 70 76 4e 54 34 51 51 37 6d 78 77 6a 53 73 4a 69 45 51 69 6d 2f 31 2b 2f 39 6c 67 4d 48 67 49 72 35 6f 68 75 78 47 31 57 43 77 39 56 71 76 31 63 6c 46 52 30 64 43 71 42 4f 44 45 6c 56 36 76 39 30 6f 67 45 44 6a 47 64 59 62 56 6a 58 68 70 61 65 6e 64 69 6f 71 4b 30 37 43 49 52 37 5a 41 71 45 34 39 50 54 30 39 42 50 4c 32 50 4d 67 54 42 79 51 47 73 59 69 5a 6c 51 44 34 75 4d 58 74 64 72 2b 4a 78 57 49 4e 68 67 49 4e 59 68 47 54 32 4d 73 4b 67 4d 72 6d 32 64 6e 5a 58 67 52 58 68 61 48 41 67 35 6a 45 4a 6f 64 55 41 48 78 75 78 34 4c 75 64 48 4a 45 39 52 64 45 64 41 2b 69 33 4a 75 Data Ascii: /877GYdHRg3ZjMXFxepQKNS6sLCwJxqNNuFpiMfjVs4ZjUa/pmmjeD6VlJS8NpvNT4QQ7mxwjSsJiEQim/1+/9lgMHgIr5ohuxG1WCw9Vqv1clFR0dCqBODElV6v90ogEDjGdYbVjXhpaendioqK07CIR7ZAqE49PT09BPL2PMgTByQGsYiZlQD4uMXtdr+JxWINhgINYhGT2MsKgMrm2dnZXgRXhaHAg5jEJodUAHxux4LudHJE9RdEdA+i3Ju
2024-12-05 12:14:51 UTC	1378	IN	Data Raw: 52 77 30 4b 47 67 6f 41 41 41 41 4e 53 55 68 45 55 67 41 41 41 45 41 41 41 41 42 41 43 41 59 41 41 41 43 71 61 58 48 65 41 41 41 41 47 58 52 46 57 48 52 54 62 32 5a 30 64 32 46 79 5a 51 42 42 5a 47 39 69 5a 53 42 4a 62 57 46 6e 5a 56 4a 6c 59 57 52 35 63 63 6c 6c 50 41 41 41 41 79 52 70 56 46 68 30 57 45 31 4d 4f 6d 4e 76 62 53 35 68 5a 47 39 69 5a 53 35 34 62 58 41 41 41 41 41 41 41 44 77 2f 65 48 42 68 59 32 74 6c 64 43 42 69 5a 57 64 70 62 6a 30 69 37 37 75 2f 49 69 42 70 5a 44 30 69 56 7a 56 4e 4d 45 31 77 51 32 56 6f 61 55 68 36 63 6d 56 54 65 6b 35 55 59 33 70 72 59 7a 6c 6b 49 6a 38 2b 49 44 78 34 4f 6e 68 74 63 47 31 6c 64 47 45 67 65 47 31 73 62 6e 4d 36 65 44 30 69 59 57 52 76 59 6d 55 36 62 6e 4d 36 62 57 56 30 59 53 38 69 49 48 67 36 65 47 31 Data Ascii: Rw0KGgoAAAANSUhEUgAAAEAAAABACAYAAACqaXHeAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAyRpVFh0WE1MOmNvbS5hZG9iZS54bXAAAAAAADw/eHBhY2tldCBiZWdpbj0i77u/IiBpZD0iVzVNME1wQ2VoaUh6cmVTek5UY3prYzlkIj8+IDx4OnhtcG1ldGEgeG1sbnM6eD0iYWRvYmU6bnM6bWV0YS8iIHg6eG1
2024-12-05 12:14:51 UTC	1378	IN	Data Raw: 62 74 34 6d 65 73 56 6d 73 57 64 31 71 53 70 48 68 64 58 64 32 66 75 50 2f 41 66 63 70 75 74 35 2f 41 38 38 78 77 79 6d 63 64 42 67 4c 71 65 6e 70 36 46 75 52 79 75 57 56 34 7a 75 2f 76 37 35 39 51 79 57 42 6a 78 6f 7a 35 74 37 36 2b 2f 67 75 6e 30 39 6d 4b 35 78 46 79 61 6b 6f 43 41 50 53 61 54 43 61 7a 4e 70 76 4e 50 6f 59 56 62 68 36 4f 31 59 4b 47 52 46 30 75 31 33 73 4e 44 51 32 37 51 4d 7a 66 70 69 41 41 4b 6a 30 6c 6e 55 36 2f 67 42 56 66 41 5a 57 32 57 57 70 77 77 56 7a 79 30 49 67 50 33 47 37 33 46 70 6a 49 36 52 45 68 41 47 41 39 71 56 52 71 41 31 62 39 6d 56 6f 42 56 79 49 43 32 74 44 69 38 58 67 32 34 2b 64 55 7a 51 69 41 62 53 2f 73 37 4f 78 38 47 32 6f 2f 33 6d 4b 43 43 2b 5a 77 30 65 66 7a 50 51 45 66 63 56 6a 59 72 41 52 58 33 64 62 56 31 Data Ascii: bt4mesVmsWd1qSpHhdXd2fuP/Afcput5/A88xwymcdBgLqenp6FuRyuWV4zu/v759QyWBjxoz5t76+/gun09mK5xFyakoCAPSaTCazNpvNPoYVbh6O1YKGRF0u13sNDQ27QMzfpiAAKj0lnU6/gBVfAZW2WWpwwVzy0IgP3G73FpjI6REhAGA9qVRqA1b9mVoBVyIC2tDi8Xg24+dUzQiAbS/s7Ox8G2o/3mKCC+Zw0efzPQEfcVjYrARX3dbV1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49741	185.199.108.153	443	3720	C:\Users\user\Desktop\upx_rufus.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 12:14:53 UTC	150	OUT	GET /Rufus_win_x64_10.ver HTTP/1.1 Accept: / User-Agent: Rufus/2.18.1213 (Windows NT 10.0; WOW64) Host: rufus.akeo.ie Connection: Keep-Alive
2024-12-05 12:14:53 UTC	651	IN	HTTP/1.1 404 Not Found Connection: close Content-Length: 9379 Server: GitHub.com Content-Type: text/html; charset=utf-8 Access-Control-Allow-Origin: * ETag: "64d39a40-24a3" Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; img-src data:; connect-src 'self' x-proxy-cache: MISS X-GitHub-Request-Id: F2BF:1FE25D:33CF255:387F18A:675194B0 Accept-Ranges: bytes Age: 1165 Date: Thu, 05 Dec 2024 12:14:53 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740077-EWR X-Cache: HIT X-Cache-Hits: 0 X-Timer: S1733400894.691136,VS0,VE1 Vary: Accept-Encoding X-Fastly-Request-ID: 22b28560fac26c4920e4d9458e20e9e05ec48fc8
2024-12-05 12:14:53 UTC	1378	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 22 20 63 6f 6e 74 65 6e 74 3d 22 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 73 74 79 6c 65 2d 73 72 63 20 27 75 6e 73 61 66 65 2d 69 6e 6c 69 6e 65 27 3b 20 69 6d 67 2d 73 72 63 20 64 61 74 61 3a 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Content-Security-Policy" content="default-src 'none'; style-src 'unsafe-inline'; img-src data:; connect-src 'self'"> <title>P
2024-12-05 12:14:53 UTC	1378	IN	Data Raw: 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 20 32 29 2c 0a 20 20 20 20 20 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 20 31 39 32 64 70 69 29 2c 0a 20 20 20 20 20 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 20 32 64 70 70 78 29 20 7b 0a 20 20 20 20 20 20 20 20 2e 6c 6f 67 6f 2d 69 6d 67 2d 31 78 20 7b 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 20 7d 0a 20 20 20 20 20 20 20 20 2e 6c 6f 67 6f 2d 69 6d 67 2d 32 78 20 7b 20 64 69 73 70 6c 61 79 3a 20 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 20 7d 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 23 73 75 Data Ascii: ice-pixel-ratio: 2), only screen and ( min-resolution: 192dpi), only screen and ( min-resolution: 2dppx) { .logo-img-1x { display: none; } .logo-img-2x { display: inline-block; } } #su
2024-12-05 12:14:53 UTC	1378	IN	Data Raw: 32 22 20 68 65 69 67 68 74 3d 22 33 32 22 20 74 69 74 6c 65 3d 22 22 20 61 6c 74 3d 22 22 20 73 72 63 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 70 6e 67 3b 62 61 73 65 36 34 2c 69 56 42 4f 52 77 30 4b 47 67 6f 41 41 41 41 4e 53 55 68 45 55 67 41 41 41 43 41 41 41 41 41 67 43 41 59 41 41 41 42 7a 65 6e 72 30 41 41 41 41 47 58 52 46 57 48 52 54 62 32 5a 30 64 32 46 79 5a 51 42 42 5a 47 39 69 5a 53 42 4a 62 57 46 6e 5a 56 4a 6c 59 57 52 35 63 63 6c 6c 50 41 41 41 41 79 52 70 56 46 68 30 57 45 31 4d 4f 6d 4e 76 62 53 35 68 5a 47 39 69 5a 53 35 34 62 58 41 41 41 41 41 41 41 44 77 2f 65 48 42 68 59 32 74 6c 64 43 42 69 5a 57 64 70 62 6a 30 69 37 37 75 2f 49 69 42 70 5a 44 30 69 56 7a 56 4e 4d 45 31 77 51 32 56 6f 61 55 68 36 63 6d 56 54 65 6b 35 55 59 33 70 72 59 Data Ascii: 2" height="32" title="" alt="" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAyRpVFh0WE1MOmNvbS5hZG9iZS54bXAAAAAAADw/eHBhY2tldCBiZWdpbj0i77u/IiBpZD0iVzVNME1wQ2VoaUh6cmVTek5UY3prY
2024-12-05 12:14:53 UTC	1378	IN	Data Raw: 2f 38 37 37 47 59 64 48 52 67 33 5a 6a 4d 58 46 78 65 70 51 4b 4e 53 36 73 4c 43 77 4a 78 71 4e 4e 75 46 70 69 4d 66 6a 56 73 34 5a 6a 55 61 2f 70 6d 6d 6a 65 44 36 56 6c 4a 53 38 4e 70 76 4e 54 34 51 51 37 6d 78 77 6a 53 73 4a 69 45 51 69 6d 2f 31 2b 2f 39 6c 67 4d 48 67 49 72 35 6f 68 75 78 47 31 57 43 77 39 56 71 76 31 63 6c 46 52 30 64 43 71 42 4f 44 45 6c 56 36 76 39 30 6f 67 45 44 6a 47 64 59 62 56 6a 58 68 70 61 65 6e 64 69 6f 71 4b 30 37 43 49 52 37 5a 41 71 45 34 39 50 54 30 39 42 50 4c 32 50 4d 67 54 42 79 51 47 73 59 69 5a 6c 51 44 34 75 4d 58 74 64 72 2b 4a 78 57 49 4e 68 67 49 4e 59 68 47 54 32 4d 73 4b 67 4d 72 6d 32 64 6e 5a 58 67 52 58 68 61 48 41 67 35 6a 45 4a 6f 64 55 41 48 78 75 78 34 4c 75 64 48 4a 45 39 52 64 45 64 41 2b 69 33 4a 75 Data Ascii: /877GYdHRg3ZjMXFxepQKNS6sLCwJxqNNuFpiMfjVs4ZjUa/pmmjeD6VlJS8NpvNT4QQ7mxwjSsJiEQim/1+/9lgMHgIr5ohuxG1WCw9Vqv1clFR0dCqBODElV6v90ogEDjGdYbVjXhpaendioqK07CIR7ZAqE49PT09BPL2PMgTByQGsYiZlQD4uMXtdr+JxWINhgINYhGT2MsKgMrm2dnZXgRXhaHAg5jEJodUAHxux4LudHJE9RdEdA+i3Ju
2024-12-05 12:14:53 UTC	1378	IN	Data Raw: 52 77 30 4b 47 67 6f 41 41 41 41 4e 53 55 68 45 55 67 41 41 41 45 41 41 41 41 42 41 43 41 59 41 41 41 43 71 61 58 48 65 41 41 41 41 47 58 52 46 57 48 52 54 62 32 5a 30 64 32 46 79 5a 51 42 42 5a 47 39 69 5a 53 42 4a 62 57 46 6e 5a 56 4a 6c 59 57 52 35 63 63 6c 6c 50 41 41 41 41 79 52 70 56 46 68 30 57 45 31 4d 4f 6d 4e 76 62 53 35 68 5a 47 39 69 5a 53 35 34 62 58 41 41 41 41 41 41 41 44 77 2f 65 48 42 68 59 32 74 6c 64 43 42 69 5a 57 64 70 62 6a 30 69 37 37 75 2f 49 69 42 70 5a 44 30 69 56 7a 56 4e 4d 45 31 77 51 32 56 6f 61 55 68 36 63 6d 56 54 65 6b 35 55 59 33 70 72 59 7a 6c 6b 49 6a 38 2b 49 44 78 34 4f 6e 68 74 63 47 31 6c 64 47 45 67 65 47 31 73 62 6e 4d 36 65 44 30 69 59 57 52 76 59 6d 55 36 62 6e 4d 36 62 57 56 30 59 53 38 69 49 48 67 36 65 47 31 Data Ascii: Rw0KGgoAAAANSUhEUgAAAEAAAABACAYAAACqaXHeAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAyRpVFh0WE1MOmNvbS5hZG9iZS54bXAAAAAAADw/eHBhY2tldCBiZWdpbj0i77u/IiBpZD0iVzVNME1wQ2VoaUh6cmVTek5UY3prYzlkIj8+IDx4OnhtcG1ldGEgeG1sbnM6eD0iYWRvYmU6bnM6bWV0YS8iIHg6eG1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49742	185.199.108.153	443	3720	C:\Users\user\Desktop\upx_rufus.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 12:14:55 UTC	147	OUT	GET /Rufus_win_x64.ver HTTP/1.1 Accept: / User-Agent: Rufus/2.18.1213 (Windows NT 10.0; WOW64) Host: rufus.akeo.ie Connection: Keep-Alive
2024-12-05 12:14:55 UTC	650	IN	HTTP/1.1 404 Not Found Connection: close Content-Length: 9379 Server: GitHub.com Content-Type: text/html; charset=utf-8 Access-Control-Allow-Origin: * ETag: "64d39a40-24a3" Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; img-src data:; connect-src 'self' x-proxy-cache: MISS X-GitHub-Request-Id: 7197:192E96:36CAAC7:3B8343D:67519936 Accept-Ranges: bytes Age: 0 Date: Thu, 05 Dec 2024 12:14:55 GMT Via: 1.1 varnish X-Served-By: cache-nyc-kteb1890027-NYC X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1733400896.723168,VS0,VE16 Vary: Accept-Encoding X-Fastly-Request-ID: 9583847f80af87182cb0f36e0ecdb310295feb2d
2024-12-05 12:14:55 UTC	1378	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 22 20 63 6f 6e 74 65 6e 74 3d 22 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 73 74 79 6c 65 2d 73 72 63 20 27 75 6e 73 61 66 65 2d 69 6e 6c 69 6e 65 27 3b 20 69 6d 67 2d 73 72 63 20 64 61 74 61 3a 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Content-Security-Policy" content="default-src 'none'; style-src 'unsafe-inline'; img-src data:; connect-src 'self'"> <title>P
2024-12-05 12:14:55 UTC	1378	IN	Data Raw: 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 20 32 29 2c 0a 20 20 20 20 20 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 20 31 39 32 64 70 69 29 2c 0a 20 20 20 20 20 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 20 32 64 70 70 78 29 20 7b 0a 20 20 20 20 20 20 20 20 2e 6c 6f 67 6f 2d 69 6d 67 2d 31 78 20 7b 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 20 7d 0a 20 20 20 20 20 20 20 20 2e 6c 6f 67 6f 2d 69 6d 67 2d 32 78 20 7b 20 64 69 73 70 6c 61 79 3a 20 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 20 7d 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 23 73 75 Data Ascii: ice-pixel-ratio: 2), only screen and ( min-resolution: 192dpi), only screen and ( min-resolution: 2dppx) { .logo-img-1x { display: none; } .logo-img-2x { display: inline-block; } } #su
2024-12-05 12:14:55 UTC	1378	IN	Data Raw: 32 22 20 68 65 69 67 68 74 3d 22 33 32 22 20 74 69 74 6c 65 3d 22 22 20 61 6c 74 3d 22 22 20 73 72 63 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 70 6e 67 3b 62 61 73 65 36 34 2c 69 56 42 4f 52 77 30 4b 47 67 6f 41 41 41 41 4e 53 55 68 45 55 67 41 41 41 43 41 41 41 41 41 67 43 41 59 41 41 41 42 7a 65 6e 72 30 41 41 41 41 47 58 52 46 57 48 52 54 62 32 5a 30 64 32 46 79 5a 51 42 42 5a 47 39 69 5a 53 42 4a 62 57 46 6e 5a 56 4a 6c 59 57 52 35 63 63 6c 6c 50 41 41 41 41 79 52 70 56 46 68 30 57 45 31 4d 4f 6d 4e 76 62 53 35 68 5a 47 39 69 5a 53 35 34 62 58 41 41 41 41 41 41 41 44 77 2f 65 48 42 68 59 32 74 6c 64 43 42 69 5a 57 64 70 62 6a 30 69 37 37 75 2f 49 69 42 70 5a 44 30 69 56 7a 56 4e 4d 45 31 77 51 32 56 6f 61 55 68 36 63 6d 56 54 65 6b 35 55 59 33 70 72 59 Data Ascii: 2" height="32" title="" alt="" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAyRpVFh0WE1MOmNvbS5hZG9iZS54bXAAAAAAADw/eHBhY2tldCBiZWdpbj0i77u/IiBpZD0iVzVNME1wQ2VoaUh6cmVTek5UY3prY
2024-12-05 12:14:55 UTC	1378	IN	Data Raw: 2f 38 37 37 47 59 64 48 52 67 33 5a 6a 4d 58 46 78 65 70 51 4b 4e 53 36 73 4c 43 77 4a 78 71 4e 4e 75 46 70 69 4d 66 6a 56 73 34 5a 6a 55 61 2f 70 6d 6d 6a 65 44 36 56 6c 4a 53 38 4e 70 76 4e 54 34 51 51 37 6d 78 77 6a 53 73 4a 69 45 51 69 6d 2f 31 2b 2f 39 6c 67 4d 48 67 49 72 35 6f 68 75 78 47 31 57 43 77 39 56 71 76 31 63 6c 46 52 30 64 43 71 42 4f 44 45 6c 56 36 76 39 30 6f 67 45 44 6a 47 64 59 62 56 6a 58 68 70 61 65 6e 64 69 6f 71 4b 30 37 43 49 52 37 5a 41 71 45 34 39 50 54 30 39 42 50 4c 32 50 4d 67 54 42 79 51 47 73 59 69 5a 6c 51 44 34 75 4d 58 74 64 72 2b 4a 78 57 49 4e 68 67 49 4e 59 68 47 54 32 4d 73 4b 67 4d 72 6d 32 64 6e 5a 58 67 52 58 68 61 48 41 67 35 6a 45 4a 6f 64 55 41 48 78 75 78 34 4c 75 64 48 4a 45 39 52 64 45 64 41 2b 69 33 4a 75 Data Ascii: /877GYdHRg3ZjMXFxepQKNS6sLCwJxqNNuFpiMfjVs4ZjUa/pmmjeD6VlJS8NpvNT4QQ7mxwjSsJiEQim/1+/9lgMHgIr5ohuxG1WCw9Vqv1clFR0dCqBODElV6v90ogEDjGdYbVjXhpaendioqK07CIR7ZAqE49PT09BPL2PMgTByQGsYiZlQD4uMXtdr+JxWINhgINYhGT2MsKgMrm2dnZXgRXhaHAg5jEJodUAHxux4LudHJE9RdEdA+i3Ju
2024-12-05 12:14:55 UTC	1378	IN	Data Raw: 52 77 30 4b 47 67 6f 41 41 41 41 4e 53 55 68 45 55 67 41 41 41 45 41 41 41 41 42 41 43 41 59 41 41 41 43 71 61 58 48 65 41 41 41 41 47 58 52 46 57 48 52 54 62 32 5a 30 64 32 46 79 5a 51 42 42 5a 47 39 69 5a 53 42 4a 62 57 46 6e 5a 56 4a 6c 59 57 52 35 63 63 6c 6c 50 41 41 41 41 79 52 70 56 46 68 30 57 45 31 4d 4f 6d 4e 76 62 53 35 68 5a 47 39 69 5a 53 35 34 62 58 41 41 41 41 41 41 41 44 77 2f 65 48 42 68 59 32 74 6c 64 43 42 69 5a 57 64 70 62 6a 30 69 37 37 75 2f 49 69 42 70 5a 44 30 69 56 7a 56 4e 4d 45 31 77 51 32 56 6f 61 55 68 36 63 6d 56 54 65 6b 35 55 59 33 70 72 59 7a 6c 6b 49 6a 38 2b 49 44 78 34 4f 6e 68 74 63 47 31 6c 64 47 45 67 65 47 31 73 62 6e 4d 36 65 44 30 69 59 57 52 76 59 6d 55 36 62 6e 4d 36 62 57 56 30 59 53 38 69 49 48 67 36 65 47 31 Data Ascii: Rw0KGgoAAAANSUhEUgAAAEAAAABACAYAAACqaXHeAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAyRpVFh0WE1MOmNvbS5hZG9iZS54bXAAAAAAADw/eHBhY2tldCBiZWdpbj0i77u/IiBpZD0iVzVNME1wQ2VoaUh6cmVTek5UY3prYzlkIj8+IDx4OnhtcG1ldGEgeG1sbnM6eD0iYWRvYmU6bnM6bWV0YS8iIHg6eG1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49743	185.199.108.153	443	3720	C:\Users\user\Desktop\upx_rufus.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-05 12:14:57 UTC	143	OUT	GET /Rufus_win.ver HTTP/1.1 Accept: / User-Agent: Rufus/2.18.1213 (Windows NT 10.0; WOW64) Host: rufus.akeo.ie Connection: Keep-Alive
2024-12-05 12:14:57 UTC	651	IN	HTTP/1.1 404 Not Found Connection: close Content-Length: 9379 Server: GitHub.com Content-Type: text/html; charset=utf-8 Access-Control-Allow-Origin: * ETag: "64d39a40-24a3" Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; img-src data:; connect-src 'self' x-proxy-cache: MISS X-GitHub-Request-Id: 4E38:2204EF:37D0B2E:3C80E86:675194B5 Accept-Ranges: bytes Age: 1164 Date: Thu, 05 Dec 2024 12:14:57 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740035-EWR X-Cache: HIT X-Cache-Hits: 0 X-Timer: S1733400898.706222,VS0,VE2 Vary: Accept-Encoding X-Fastly-Request-ID: e77d9a83f9aec4b4a5417b362309ad256a682f87
2024-12-05 12:14:57 UTC	1378	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 22 20 63 6f 6e 74 65 6e 74 3d 22 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 73 74 79 6c 65 2d 73 72 63 20 27 75 6e 73 61 66 65 2d 69 6e 6c 69 6e 65 27 3b 20 69 6d 67 2d 73 72 63 20 64 61 74 61 3a 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Content-Security-Policy" content="default-src 'none'; style-src 'unsafe-inline'; img-src data:; connect-src 'self'"> <title>P
2024-12-05 12:14:57 UTC	1378	IN	Data Raw: 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 20 32 29 2c 0a 20 20 20 20 20 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 20 31 39 32 64 70 69 29 2c 0a 20 20 20 20 20 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 20 32 64 70 70 78 29 20 7b 0a 20 20 20 20 20 20 20 20 2e 6c 6f 67 6f 2d 69 6d 67 2d 31 78 20 7b 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 20 7d 0a 20 20 20 20 20 20 20 20 2e 6c 6f 67 6f 2d 69 6d 67 2d 32 78 20 7b 20 64 69 73 70 6c 61 79 3a 20 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 20 7d 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 23 73 75 Data Ascii: ice-pixel-ratio: 2), only screen and ( min-resolution: 192dpi), only screen and ( min-resolution: 2dppx) { .logo-img-1x { display: none; } .logo-img-2x { display: inline-block; } } #su
2024-12-05 12:14:57 UTC	1378	IN	Data Raw: 32 22 20 68 65 69 67 68 74 3d 22 33 32 22 20 74 69 74 6c 65 3d 22 22 20 61 6c 74 3d 22 22 20 73 72 63 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 70 6e 67 3b 62 61 73 65 36 34 2c 69 56 42 4f 52 77 30 4b 47 67 6f 41 41 41 41 4e 53 55 68 45 55 67 41 41 41 43 41 41 41 41 41 67 43 41 59 41 41 41 42 7a 65 6e 72 30 41 41 41 41 47 58 52 46 57 48 52 54 62 32 5a 30 64 32 46 79 5a 51 42 42 5a 47 39 69 5a 53 42 4a 62 57 46 6e 5a 56 4a 6c 59 57 52 35 63 63 6c 6c 50 41 41 41 41 79 52 70 56 46 68 30 57 45 31 4d 4f 6d 4e 76 62 53 35 68 5a 47 39 69 5a 53 35 34 62 58 41 41 41 41 41 41 41 44 77 2f 65 48 42 68 59 32 74 6c 64 43 42 69 5a 57 64 70 62 6a 30 69 37 37 75 2f 49 69 42 70 5a 44 30 69 56 7a 56 4e 4d 45 31 77 51 32 56 6f 61 55 68 36 63 6d 56 54 65 6b 35 55 59 33 70 72 59 Data Ascii: 2" height="32" title="" alt="" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAyRpVFh0WE1MOmNvbS5hZG9iZS54bXAAAAAAADw/eHBhY2tldCBiZWdpbj0i77u/IiBpZD0iVzVNME1wQ2VoaUh6cmVTek5UY3prY
2024-12-05 12:14:57 UTC	1378	IN	Data Raw: 2f 38 37 37 47 59 64 48 52 67 33 5a 6a 4d 58 46 78 65 70 51 4b 4e 53 36 73 4c 43 77 4a 78 71 4e 4e 75 46 70 69 4d 66 6a 56 73 34 5a 6a 55 61 2f 70 6d 6d 6a 65 44 36 56 6c 4a 53 38 4e 70 76 4e 54 34 51 51 37 6d 78 77 6a 53 73 4a 69 45 51 69 6d 2f 31 2b 2f 39 6c 67 4d 48 67 49 72 35 6f 68 75 78 47 31 57 43 77 39 56 71 76 31 63 6c 46 52 30 64 43 71 42 4f 44 45 6c 56 36 76 39 30 6f 67 45 44 6a 47 64 59 62 56 6a 58 68 70 61 65 6e 64 69 6f 71 4b 30 37 43 49 52 37 5a 41 71 45 34 39 50 54 30 39 42 50 4c 32 50 4d 67 54 42 79 51 47 73 59 69 5a 6c 51 44 34 75 4d 58 74 64 72 2b 4a 78 57 49 4e 68 67 49 4e 59 68 47 54 32 4d 73 4b 67 4d 72 6d 32 64 6e 5a 58 67 52 58 68 61 48 41 67 35 6a 45 4a 6f 64 55 41 48 78 75 78 34 4c 75 64 48 4a 45 39 52 64 45 64 41 2b 69 33 4a 75 Data Ascii: /877GYdHRg3ZjMXFxepQKNS6sLCwJxqNNuFpiMfjVs4ZjUa/pmmjeD6VlJS8NpvNT4QQ7mxwjSsJiEQim/1+/9lgMHgIr5ohuxG1WCw9Vqv1clFR0dCqBODElV6v90ogEDjGdYbVjXhpaendioqK07CIR7ZAqE49PT09BPL2PMgTByQGsYiZlQD4uMXtdr+JxWINhgINYhGT2MsKgMrm2dnZXgRXhaHAg5jEJodUAHxux4LudHJE9RdEdA+i3Ju
2024-12-05 12:14:57 UTC	1378	IN	Data Raw: 52 77 30 4b 47 67 6f 41 41 41 41 4e 53 55 68 45 55 67 41 41 41 45 41 41 41 41 42 41 43 41 59 41 41 41 43 71 61 58 48 65 41 41 41 41 47 58 52 46 57 48 52 54 62 32 5a 30 64 32 46 79 5a 51 42 42 5a 47 39 69 5a 53 42 4a 62 57 46 6e 5a 56 4a 6c 59 57 52 35 63 63 6c 6c 50 41 41 41 41 79 52 70 56 46 68 30 57 45 31 4d 4f 6d 4e 76 62 53 35 68 5a 47 39 69 5a 53 35 34 62 58 41 41 41 41 41 41 41 44 77 2f 65 48 42 68 59 32 74 6c 64 43 42 69 5a 57 64 70 62 6a 30 69 37 37 75 2f 49 69 42 70 5a 44 30 69 56 7a 56 4e 4d 45 31 77 51 32 56 6f 61 55 68 36 63 6d 56 54 65 6b 35 55 59 33 70 72 59 7a 6c 6b 49 6a 38 2b 49 44 78 34 4f 6e 68 74 63 47 31 6c 64 47 45 67 65 47 31 73 62 6e 4d 36 65 44 30 69 59 57 52 76 59 6d 55 36 62 6e 4d 36 62 57 56 30 59 53 38 69 49 48 67 36 65 47 31 Data Ascii: Rw0KGgoAAAANSUhEUgAAAEAAAABACAYAAACqaXHeAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAyRpVFh0WE1MOmNvbS5hZG9iZS54bXAAAAAAADw/eHBhY2tldCBiZWdpbj0i77u/IiBpZD0iVzVNME1wQ2VoaUh6cmVTek5UY3prYzlkIj8+IDx4OnhtcG1ldGEgeG1sbnM6eD0iYWRvYmU6bnM6bWV0YS8iIHg6eG1

Target ID:	0
Start time:	07:14:30
Start date:	05/12/2024
Path:	C:\Users\user\Desktop\upx_rufus.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\upx_rufus.exe"
Imagebase:	0x400000
File size:	967'800 bytes
MD5 hash:	D48615FA37605E2F53162F1D7021D937
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report upx_rufus.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\RufAB7F.tmp

C:\Users\user\Desktop\rufus.ini

C:\Users\user\Desktop\rufus.ini~

C:\Windows\SysWOW64\GroupPolicy\gpt.ini

C:\Windows\System32\GroupPolicy\GPT.INI

C:\Windows\System32\GroupPolicy\Machine\Registry.pol

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Windows Analysis Report
upx_rufus.exe