Windows Analysis Report
Y5JXqbeNdS.exe

Overview

General Information

Sample name: Y5JXqbeNdS.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name: 23cddf52736c27fecc5b7e48607f4ce60c949b238e92086841db8ac7f49155e7
Analysis ID: 1419151
MD5: cd423668f800bbdb227fa8063c33c654
SHA1: 9355b61baea1e1404f7c5b06a472affdd84e0d36
SHA256: 23cddf52736c27fecc5b7e48607f4ce60c949b238e92086841db8ac7f49155e7
Infos:

Detection

Score: 24
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

.NET source code contains potential unpacker
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_0099A0BB DecryptFileW, 0_2_0099A0BB
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_009BFA62 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError, 0_2_009BFA62
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_00999E9E DecryptFileW,DecryptFileW, 0_2_00999E9E
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_00A5A0BB DecryptFileW, 2_2_00A5A0BB
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_00A7FA62 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError, 2_2_00A7FA62
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_00A59E9E DecryptFileW,DecryptFileW, 2_2_00A59E9E
Source: Y5JXqbeNdS.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Individual License Agreement.rtf
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Eula.rtf
Source: Y5JXqbeNdS.exe Static PE information: certificate valid
Source: Y5JXqbeNdS.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr
Source: Binary string: d:\ws\12\s\Distribution\Projects\Bootstrapper\Thermo.BootstrapperApplication\obj\Release\Thermo.BootstrapperApplication.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006196000.00000002.00000001.01000000.0000000A.sdmp, Thermo.BootstrapperApplication.dll.2.dr
Source: Binary string: d:\ws\12\s\Distribution\Projects\Bootstrapper\Thermo.Chromeleon.BaExtension\obj\Release\Thermo.Chromeleon.BaExtension.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2945298126.00000000064E2000.00000002.00000001.01000000.0000000B.sdmp, Thermo.Chromeleon.BaExtension.dll.2.dr
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\mbahost.pdb source: Y5JXqbeNdS.exe, 00000002.00000002.2948619605.000000006CC04000.00000002.00000001.01000000.00000006.sdmp, mbahost.dll.2.dr
Source: Binary string: d:\ws\12\s\Distribution\Projects\Bootstrapper\Thermo.Chromeleon.BaExtension\obj\Release\Thermo.Chromeleon.BaExtension.pdbXXnX `X_CorDllMainmscoree.dll source: Y5JXqbeNdS.exe, 00000002.00000002.2945298126.00000000064E2000.00000002.00000001.01000000.0000000B.sdmp, Thermo.Chromeleon.BaExtension.dll.2.dr
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\WixStdBA.pdb source: mbapreq.dll.2.dr
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\core\BootstrapperCore.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2943251748.0000000005B02000.00000002.00000001.01000000.00000009.sdmp, BootstrapperCore.dll.2.dr
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, Thermo.BootstrapperApplication.dll.2.dr
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, Thermo.BootstrapperApplication.dll.2.dr
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_009C4440 FindFirstFileW,FindClose, 0_2_009C4440
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_00999B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 0_2_00999B43
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_00983CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 0_2_00983CC4
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_00A84440 FindFirstFileW,FindClose, 2_2_00A84440
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_00A59B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 2_2_00A59B43
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_00A43CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 2_2_00A43CC4
Source: Y5JXqbeNdS.exe, 00000000.00000002.2937034701.000000000073B000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://.crl0
Source: Y5JXqbeNdS.exe String found in binary or memory: http://appsyndication.org/2006/appsyn
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr String found in binary or memory: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/Thermo.BootstrapperApplication;component/views/GlobalStyles.xamld
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://defaultcontainer/Thermo.BootstrapperApplication;component/views/welcomeview.xamld
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/views/welcomeview.baml
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/bar/views/welcomeview.bamld
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo/views/welcomeview.xaml
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr String found in binary or memory: http://ocsp.thawte.com0
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr String found in binary or memory: http://s2.symcb.com0
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.00000000038D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/System
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.00000000038D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.00000000038D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.00000000038D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr String found in binary or memory: http://sv.symcd.com0&
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Y5JXqbeNdS.exe String found in binary or memory: http://wixtoolset.org/
Source: Y5JXqbeNdS.exe, 00000002.00000002.2943251748.0000000005B02000.00000002.00000001.01000000.00000009.sdmp, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, BootstrapperCore.dll.2.dr, Thermo.BootstrapperApplication.dll.2.dr String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2943251748.0000000005B02000.00000002.00000001.01000000.00000009.sdmp, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, BootstrapperCore.dll.2.dr, Thermo.BootstrapperApplication.dll.2.dr String found in binary or memory: http://wixtoolset.org/news/
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, Thermo.BootstrapperApplication.dll.2.dr String found in binary or memory: http://wixtoolset.org/releases/
Source: Y5JXqbeNdS.exe, 00000002.00000002.2943251748.0000000005B02000.00000002.00000001.01000000.00000009.sdmp, BootstrapperCore.dll.2.dr String found in binary or memory: http://wixtoolset.org/releases/SCreating
Source: mbapreq.thm.2.dr String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010
Source: Y5JXqbeNdS.exe String found in binary or memory: http://wixtoolset.org/telemetry/v
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr String found in binary or memory: http://www.symauth.com/rpa00
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.00000000038D1000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, Thermo.BootstrapperApplication.dll.2.dr String found in binary or memory: http://www.thermofisher.com
Source: Y5JXqbeNdS.exe, 00000000.00000002.2939049599.00000000030DA000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686098603.000000000309B000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685438538.000000000306F000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685289944.000000000305C000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686228797.00000000030AB000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686558375.00000000030BF000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686427978.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685685338.0000000003078000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685825306.0000000003087000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685963819.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000002.2938649842.0000000002E50000.00000004.00000020.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686702946.00000000030D9000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1693704550.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1691931017.0000000002E0C000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1692755823.0000000002E37000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1693880629.0000000002E89000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1692092441.0000000002E1F000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000002.2940996217.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000002.2941275761.00000000031F0000.00000004.00000020.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1692906229.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1693309663.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.thermoscientific.com/chromeleon
Source: Y5JXqbeNdS.exe, 00000000.00000002.2939049599.00000000030DA000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686098603.000000000309B000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685438538.000000000306F000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685289944.000000000305C000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686228797.00000000030AB000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686558375.00000000030BF000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686427978.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685685338.0000000003078000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685825306.0000000003087000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685963819.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000002.2938649842.0000000002E50000.00000004.00000020.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686702946.00000000030D9000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1693704550.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1691931017.0000000002E0C000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1692755823.0000000002E37000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1693880629.0000000002E89000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1692092441.0000000002E1F000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000002.2940996217.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000002.2941275761.00000000031F0000.00000004.00000020.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1692906229.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1693309663.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.thermoscientific.com/support
Source: Y5JXqbeNdS.exe, 00000002.00000002.2941275761.00000000031F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.thermoscientific.com/support~
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_0098A8F1 0_2_0098A8F1
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_009B001D 0_2_009B001D
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_009A41EA 0_2_009A41EA
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_009862AA 0_2_009862AA
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_009B03D5 0_2_009B03D5
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_009AC332 0_2_009AC332
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_009BA560 0_2_009BA560
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_009B07AA 0_2_009B07AA
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_009BAA0E 0_2_009BAA0E
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_009AFB89 0_2_009AFB89
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_009B0B6F 0_2_009B0B6F
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_009B2C18 0_2_009B2C18
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_009B2E47 0_2_009B2E47
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_009BEE7C 0_2_009BEE7C
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_00A4A8F1 2_2_00A4A8F1
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_00A7001D 2_2_00A7001D
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_00A641EA 2_2_00A641EA
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_00A462AA 2_2_00A462AA
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_00A703D5 2_2_00A703D5
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_00A6C332 2_2_00A6C332
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_00A7A560 2_2_00A7A560
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_00A707AA 2_2_00A707AA
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_00A7AA0E 2_2_00A7AA0E
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_00A6FB89 2_2_00A6FB89
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_00A70B6F 2_2_00A70B6F
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_00A72C18 2_2_00A72C18
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_00A7EE7C 2_2_00A7EE7C
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_00A72E47 2_2_00A72E47
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_0607866C 2_2_0607866C
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_0607B3B9 2_2_0607B3B9
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_6CBF707C 2_2_6CBF707C
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_6CBFD6D0 2_2_6CBFD6D0
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_6CBF6E4D 2_2_6CBF6E4D
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_6CC027F8 2_2_6CC027F8
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_6CBFDB7E 2_2_6CBFDB7E
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_00EE0BC8 2_2_00EE0BC8
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_038AB2B0 2_2_038AB2B0
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_038ABC28 2_2_038ABC28
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_06077A8D 2_2_06077A8D
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: String function: 00A80726 appears 33 times
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: String function: 00A832F3 appears 83 times
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: String function: 00A43821 appears 497 times
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: String function: 00A41F13 appears 52 times
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: String function: 00A80237 appears 681 times
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: String function: 009C0237 appears 678 times
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: String function: 00983821 appears 496 times
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: String function: 009C0726 appears 33 times
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: String function: 009C32F3 appears 83 times
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: String function: 00981F13 appears 52 times
Source: Y5JXqbeNdS.exe, 00000000.00000000.1684138453.0000000000B36000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameInstall.exe`@ProductNameThermo Chromeleon 7.2.10 ES MUa@ vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe Binary or memory string: OriginalFilename vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe, 00000002.00000002.2945298126.00000000064E2000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: OriginalFilenameThermo.Chromeleon.BaExtension.dll8 vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe, 00000002.00000002.2948693965.000000006CC0E000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: OriginalFilenamembahost.dll\ vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: OriginalFilenameMicrosoft.Deployment.WindowsInstaller.dll\ vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe, 00000002.00000002.2938929182.0000000000DA7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe, 00000002.00000002.2943834626.00000000061DA000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: OriginalFilenameThermo.BootstrapperApplication.dll8 vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe, 00000002.00000002.2943279233.0000000005B14000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: OriginalFilenameBootstrapperCore.dll\ vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe, 00000002.00000000.1690371667.0000000000BF6000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: OriginalFilenameInstall.exe`@ProductNameThermo Chromeleon 7.2.10 ES MUa@ vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe Binary or memory string: OriginalFilenameInstall.exe`@ProductNameThermo Chromeleon 7.2.10 ES MUa@ vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe.0.dr Binary or memory string: OriginalFilenameInstall.exe`@ProductNameThermo Chromeleon 7.2.10 ES MUa@ vs Y5JXqbeNdS.exe
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Section loaded: msi.dll
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Section loaded: msxml3.dll
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Section loaded: feclient.dll
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Section loaded: apphelp.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: cryptbase.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: msi.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: version.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: cabinet.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: msxml3.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: windows.storage.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: wldp.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: profapi.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: feclient.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: iertutil.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: uxtheme.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: textinputframework.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: coremessaging.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: ntmarta.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: coremessaging.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: wintypes.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: wintypes.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: wintypes.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: mscoree.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: cryptsp.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: rsaenh.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: dwrite.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: sspicli.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: wuapi.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: wups.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: updatepolicy.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: msasn1.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: policymanager.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: urlmon.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: srvcli.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: netutils.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: propsys.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: dwmapi.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: d3d9.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: d3d10warp.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: windowscodecs.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: mscms.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: userenv.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: coloradapterclient.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: windowscodecsext.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: wtsapi32.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: winsta.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: powrprof.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: umpdc.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: dataexchange.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: d3d11.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: dcomp.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: dxgi.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: dxcore.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: textshaping.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: msctfui.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: uiautomationcore.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: d3dcompiler_47.dll Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Section loaded: thumbcache.dll Jump to behavior
Source: Y5JXqbeNdS.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
Source: Thermo.BootstrapperApplication.dll.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Thermo.Chromeleon.BaExtension.dll.2.dr, ExtensionVariables.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: Thermo.BootstrapperApplication.dll.2.dr, CommonUiViewModel.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Thermo.BootstrapperApplication.dll.2.dr, CommonUiViewModel.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Thermo.BootstrapperApplication.dll.2.dr, PackageStatusLogger.cs Security API names: System.IO.FileInfo.SetAccessControl(System.Security.AccessControl.FileSecurity)
Source: Thermo.BootstrapperApplication.dll.2.dr, PackageStatusLogger.cs Security API names: Thermo.Bootstrapper.Utilities.PackageStatusLogger.SetAccessControl(string)
Source: Thermo.BootstrapperApplication.dll.2.dr, PackageStatusLogger.cs Security API names: System.IO.FileInfo.GetAccessControl()
Source: Thermo.BootstrapperApplication.dll.2.dr, PackageStatusLogger.cs Security API names: Thermo.Bootstrapper.Utilities.PackageStatusLogger.SetAccessControl(System.IO.FileInfo)
Source: Thermo.BootstrapperApplication.dll.2.dr, PackageStatusLogger.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine Classification label: sus24.evad.winEXE@3/15@0/0
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_009BFE21 FormatMessageW,GetLastError,LocalFree, 0_2_009BFE21
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_009845EE GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle, 0_2_009845EE
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_00A445EE GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle, 2_2_00A445EE
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_009C304F GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess, 0_2_009C304F
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_009A6B88 ChangeServiceConfigW,GetLastError, 0_2_009A6B88
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Mutant created: NULL
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{FE0F444E-3839-43DC-AA5A-1DAD8411A6B1}
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe File created: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Command line argument: cabinet.dll 0_2_00981070
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Command line argument: msi.dll 0_2_00981070
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Command line argument: version.dll 0_2_00981070
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Command line argument: wininet.dll 0_2_00981070
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Command line argument: comres.dll 0_2_00981070
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Command line argument: clbcatq.dll 0_2_00981070
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Command line argument: msasn1.dll 0_2_00981070
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Command line argument: crypt32.dll 0_2_00981070
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Command line argument: feclient.dll 0_2_00981070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Command line argument: cabinet.dll 2_2_00A41070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Command line argument: msi.dll 2_2_00A41070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Command line argument: version.dll 2_2_00A41070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Command line argument: wininet.dll 2_2_00A41070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Command line argument: comres.dll 2_2_00A41070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Command line argument: clbcatq.dll 2_2_00A41070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Command line argument: msasn1.dll 2_2_00A41070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Command line argument: crypt32.dll 2_2_00A41070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Command line argument: feclient.dll 2_2_00A41070
Source: Y5JXqbeNdS.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Y5JXqbeNdS.exe String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: Y5JXqbeNdS.exe String found in binary or memory: [PostInstall] {0}: Error parsing post-install step state
Source: Y5JXqbeNdS.exe String found in binary or memory: views/installationqualificationview.baml
Source: Y5JXqbeNdS.exe String found in binary or memory: /Thermo.BootstrapperApplication;component/views/installationqualificationview.xaml
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe File read: C:\Users\user\Desktop\Y5JXqbeNdS.exe
Source: unknown Process created: C:\Users\user\Desktop\Y5JXqbeNdS.exe "C:\Users\user\Desktop\Y5JXqbeNdS.exe"
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Process created: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe "C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe" -burn.clean.room="C:\Users\user\Desktop\Y5JXqbeNdS.exe" -burn.filehandle.attached=528 -burn.filehandle.self=544
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Y5JXqbeNdS.exe Static PE information: certificate valid
Source: Y5JXqbeNdS.exe Static file information: File size 5999376 > 1048576
Source: Y5JXqbeNdS.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x195000
Source: Y5JXqbeNdS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Y5JXqbeNdS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Y5JXqbeNdS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Y5JXqbeNdS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Y5JXqbeNdS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Y5JXqbeNdS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Y5JXqbeNdS.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Y5JXqbeNdS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr
Source: Binary string: d:\ws\12\s\Distribution\Projects\Bootstrapper\Thermo.BootstrapperApplication\obj\Release\Thermo.BootstrapperApplication.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006196000.00000002.00000001.01000000.0000000A.sdmp, Thermo.BootstrapperApplication.dll.2.dr
Source: Binary string: d:\ws\12\s\Distribution\Projects\Bootstrapper\Thermo.Chromeleon.BaExtension\obj\Release\Thermo.Chromeleon.BaExtension.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2945298126.00000000064E2000.00000002.00000001.01000000.0000000B.sdmp, Thermo.Chromeleon.BaExtension.dll.2.dr
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\mbahost.pdb source: Y5JXqbeNdS.exe, 00000002.00000002.2948619605.000000006CC04000.00000002.00000001.01000000.00000006.sdmp, mbahost.dll.2.dr
Source: Binary string: d:\ws\12\s\Distribution\Projects\Bootstrapper\Thermo.Chromeleon.BaExtension\obj\Release\Thermo.Chromeleon.BaExtension.pdbXXnX `X_CorDllMainmscoree.dll source: Y5JXqbeNdS.exe, 00000002.00000002.2945298126.00000000064E2000.00000002.00000001.01000000.0000000B.sdmp, Thermo.Chromeleon.BaExtension.dll.2.dr
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\WixStdBA.pdb source: mbapreq.dll.2.dr
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\core\BootstrapperCore.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2943251748.0000000005B02000.00000002.00000001.01000000.00000009.sdmp, BootstrapperCore.dll.2.dr
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, Thermo.BootstrapperApplication.dll.2.dr
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, Thermo.BootstrapperApplication.dll.2.dr
Source: Y5JXqbeNdS.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Y5JXqbeNdS.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Y5JXqbeNdS.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Y5JXqbeNdS.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Y5JXqbeNdS.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: Thermo.BootstrapperApplication.dll.2.dr, AssemblyHelper.cs .Net Code: ResolveEmbeddedAssembly System.Reflection.Assembly.Load(byte[])
Source: Y5JXqbeNdS.exe Static PE information: section name: .wixburn
Source: Y5JXqbeNdS.exe.0.dr Static PE information: section name: .wixburn
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_009AEAD6 push ecx; ret 0_2_009AEAE9
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_00A6EAD6 push ecx; ret 2_2_00A6EAE9
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_06076708 push es; ret 2_2_06076727
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_0607C2FA push es; iretd 2_2_0607C30C
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_6CBF4496 push ecx; ret 2_2_6CBF44A9
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_038A80E8 push esp; iretd 2_2_038A80F9
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_05F8EE12 pushfd ; iretd 2_2_05F8EE41
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_05F8EE02 pushad ; iretd 2_2_05F8EE11
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_05F8C3AB pushfd ; iretd 2_2_05F8C3A9
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_05F8B36A pushfd ; iretd 2_2_05F8B3B9
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_05F8C350 pushfd ; iretd 2_2_05F8C3A9
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_05F8F2DA push esp; retf 2_2_05F8F2E9
Source: Thermo.BootstrapperApplication.dll.2.dr Static PE information: section name: .text entropy: 7.388050412212095
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe File created: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Thermo.BootstrapperApplication.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Thermo.Chromeleon.BaExtension.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbahost.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbapreq.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\BootstrapperCore.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Individual License Agreement.rtf
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Eula.rtf
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Memory allocated: 2DD0000 memory reserve | memory write watch
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Memory allocated: 38D0000 memory reserve | memory write watch
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Memory allocated: 58D0000 memory reserve | memory write watch
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_0607353E sldt word ptr [eax] 2_2_0607353E
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Window / User API: threadDelayed 1646
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Window / User API: threadDelayed 681
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Dropped PE file which has not been started: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Thermo.BootstrapperApplication.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Dropped PE file which has not been started: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Thermo.Chromeleon.BaExtension.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Dropped PE file which has not been started: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbahost.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Dropped PE file which has not been started: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbapreq.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Dropped PE file which has not been started: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\BootstrapperCore.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Evaded block: after key decision
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe API coverage: 9.4 %
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_009BFEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 009BFF61h 0_2_009BFEC6
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_009BFEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 009BFF5Ah 0_2_009BFEC6
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_00A7FEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00A7FF61h 2_2_00A7FEC6
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_00A7FEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00A7FF5Ah 2_2_00A7FEC6
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_009C4440 FindFirstFileW,FindClose, 0_2_009C4440
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_00999B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 0_2_00999B43
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_00983CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 0_2_00983CC4
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_00A84440 FindFirstFileW,FindClose, 2_2_00A84440
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_00A59B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 2_2_00A59B43
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_00A43CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 2_2_00A43CC4
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_009C97A5 VirtualQuery,GetSystemInfo, 0_2_009C97A5
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.00000000038D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^qEMutating a value collection derived from a dictionary is not allowed.
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_009AE88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_009AE88A
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_009B48D8 mov eax, dword ptr fs:[00000030h] 0_2_009B48D8
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_00A748D8 mov eax, dword ptr fs:[00000030h] 2_2_00A748D8
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_6CBF8F39 mov eax, dword ptr fs:[00000030h] 2_2_6CBF8F39
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_0098394F GetProcessHeap,RtlAllocateHeap, 0_2_0098394F
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_009AE3D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_009AE3D8
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_009AE88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_009AE88A
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_009AE9DC SetUnhandledExceptionFilter, 0_2_009AE9DC
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_009B3C76 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_009B3C76
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_00A6E3D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00A6E3D8
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_00A6E88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00A6E88A
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_00A6E9DC SetUnhandledExceptionFilter, 2_2_00A6E9DC
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_00A73C76 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00A73C76
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_6CBF44AB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6CBF44AB
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_6CBF7EDC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6CBF7EDC
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Code function: 2_2_6CBF42CD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6CBF42CD
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Process created: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe "C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe" -burn.clean.room="C:\Users\user\Desktop\Y5JXqbeNdS.exe" -burn.filehandle.attached=528 -burn.filehandle.self=544
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_009C1719 InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree, 0_2_009C1719
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_009C3A5F AllocateAndInitializeSid,CheckTokenMembership, 0_2_009C3A5F
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_009AEC07 cpuid 0_2_009AEC07
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Queries volume information: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\BootstrapperCore.dll VolumeInformation
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Queries volume information: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Thermo.BootstrapperApplication.dll VolumeInformation
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Queries volume information: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Thermo.Chromeleon.BaExtension.dll VolumeInformation
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_00994EDF ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree, 0_2_00994EDF
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_00986037 GetSystemTime,GetDateFormatW,GetLastError,GetLastError,GetDateFormatW,GetLastError, 0_2_00986037
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_009861DF GetUserNameW,GetLastError, 0_2_009861DF
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_009C887B GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime, 0_2_009C887B
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe Code function: 0_2_00985195 GetModuleHandleW,CoInitializeEx,GetVersionExW,GetLastError,CoUninitialize, 0_2_00985195
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos