

Windows Analysis Report
Y5JXqbeNdS.exe

Overview

General Information

Sample name:Y5JXqbeNdS.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name:23cddf52736c27fecc5b7e48607f4ce60c949b238e92086841db8ac7f49155e7
Analysis ID:1419151
MD5:cd423668f800bbdb227fa8063c33c654
SHA1:9355b61baea1e1404f7c5b06a472affdd84e0d36
SHA256:23cddf52736c27fecc5b7e48607f4ce60c949b238e92086841db8ac7f49155e7

Detection

Score:24
Range:0 - 100
Whitelisted:false
Confidence:20%

Signatures

.NET source code contains potential unpacker
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Analysis Advice

Sample drops PE files which have not been started; submit the dropped PE samples for a secondary analysis to Joe Sandbox
Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior
Sample may offer command line options; run it with the 'Execute binary with arguments' cookbook (it is possible that the command line switches require additional characters such as "-", "/", "--")
Sample monitors window changes (e.g. starting applications); analyze the sample with the 'Simulates keyboard and window changes' cookbook
  • System is w10x64
  • Y5JXqbeNdS.exe (PID: 6864 cmdline: "C:\Users\user\Desktop\Y5JXqbeNdS.exe" MD5: CD423668F800BBDB227FA8063C33C654)
    • Y5JXqbeNdS.exe (PID: 7028 cmdline: "C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe" -burn.clean.room="C:\Users\user\Desktop\Y5JXqbeNdS.exe" -burn.filehandle.attached=528 -burn.filehandle.self=544 MD5: CD423668F800BBDB227FA8063C33C654)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeCode function: 0_2_0099A0BB DecryptFileW,0_2_0099A0BB
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeCode function: 0_2_009BFA62 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,0_2_009BFA62
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeCode function: 0_2_00999E9E DecryptFileW,DecryptFileW,0_2_00999E9E
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: 2_2_00A5A0BB DecryptFileW,2_2_00A5A0BB
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: 2_2_00A7FA62 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,2_2_00A7FA62
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: 2_2_00A59E9E DecryptFileW,DecryptFileW,2_2_00A59E9E
Source: Y5JXqbeNdS.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeFile created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Individual License Agreement.rtf
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeFile created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Individual License Agreement.rtf
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeFile created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Eula.rtf
Source: Y5JXqbeNdS.exeStatic PE information: certificate valid
Source: Y5JXqbeNdS.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr
Source: Binary string: d:\ws\12\s\Distribution\Projects\Bootstrapper\Thermo.BootstrapperApplication\obj\Release\Thermo.BootstrapperApplication.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006196000.00000002.00000001.01000000.0000000A.sdmp, Thermo.BootstrapperApplication.dll.2.dr
Source: Binary string: d:\ws\12\s\Distribution\Projects\Bootstrapper\Thermo.Chromeleon.BaExtension\obj\Release\Thermo.Chromeleon.BaExtension.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2945298126.00000000064E2000.00000002.00000001.01000000.0000000B.sdmp, Thermo.Chromeleon.BaExtension.dll.2.dr
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\mbahost.pdb source: Y5JXqbeNdS.exe, 00000002.00000002.2948619605.000000006CC04000.00000002.00000001.01000000.00000006.sdmp, mbahost.dll.2.dr
Source: Binary string: d:\ws\12\s\Distribution\Projects\Bootstrapper\Thermo.Chromeleon.BaExtension\obj\Release\Thermo.Chromeleon.BaExtension.pdbXXnX `X_CorDllMainmscoree.dll source: Y5JXqbeNdS.exe, 00000002.00000002.2945298126.00000000064E2000.00000002.00000001.01000000.0000000B.sdmp, Thermo.Chromeleon.BaExtension.dll.2.dr
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\WixStdBA.pdb source: mbapreq.dll.2.dr
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\core\BootstrapperCore.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2943251748.0000000005B02000.00000002.00000001.01000000.00000009.sdmp, BootstrapperCore.dll.2.dr
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, Thermo.BootstrapperApplication.dll.2.dr
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, Thermo.BootstrapperApplication.dll.2.dr
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeCode function: 0_2_009C4440 FindFirstFileW,FindClose,0_2_009C4440
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeCode function: 0_2_00999B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,0_2_00999B43
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeCode function: 0_2_00983CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,0_2_00983CC4
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: 2_2_00A84440 FindFirstFileW,FindClose,2_2_00A84440
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: 2_2_00A59B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,2_2_00A59B43
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: 2_2_00A43CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,2_2_00A43CC4
Source: Y5JXqbeNdS.exe, 00000000.00000002.2937034701.000000000073B000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://.crl0
Source: Y5JXqbeNdS.exeString found in binary or memory: http://appsyndication.org/2006/appsyn
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.drString found in binary or memory: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.drString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.0000000003BC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/Thermo.BootstrapperApplication;component/views/GlobalStyles.xamld
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.0000000003BC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/Thermo.BootstrapperApplication;component/views/welcomeview.xamld
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.0000000003BC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/views/welcomeview.baml
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.0000000003BC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/views/welcomeview.bamld
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.0000000003BC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/views/welcomeview.xaml
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.drString found in binary or memory: http://ocsp.thawte.com0
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.drString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.drString found in binary or memory: http://s2.symcb.com0
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.00000000038D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/System
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.00000000038D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.00000000038D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.00000000038D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.drString found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.drString found in binary or memory: http://sv.symcb.com/sv.crt0
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.drString found in binary or memory: http://sv.symcd.com0&
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Y5JXqbeNdS.exeString found in binary or memory: http://wixtoolset.org/
Source: Y5JXqbeNdS.exe, 00000002.00000002.2943251748.0000000005B02000.00000002.00000001.01000000.00000009.sdmp, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, BootstrapperCore.dll.2.dr, Thermo.BootstrapperApplication.dll.2.drString found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2943251748.0000000005B02000.00000002.00000001.01000000.00000009.sdmp, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, BootstrapperCore.dll.2.dr, Thermo.BootstrapperApplication.dll.2.drString found in binary or memory: http://wixtoolset.org/news/
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, Thermo.BootstrapperApplication.dll.2.drString found in binary or memory: http://wixtoolset.org/releases/
Source: Y5JXqbeNdS.exe, 00000002.00000002.2943251748.0000000005B02000.00000002.00000001.01000000.00000009.sdmp, BootstrapperCore.dll.2.drString found in binary or memory: http://wixtoolset.org/releases/SCreating
Source: mbapreq.thm.2.drString found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010
Source: Y5JXqbeNdS.exeString found in binary or memory: http://wixtoolset.org/telemetry/v
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.drString found in binary or memory: http://www.symauth.com/cps0(
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.drString found in binary or memory: http://www.symauth.com/rpa00
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.00000000038D1000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, Thermo.BootstrapperApplication.dll.2.drString found in binary or memory: http://www.thermofisher.com
Source: Y5JXqbeNdS.exe, 00000000.00000002.2939049599.00000000030DA000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686098603.000000000309B000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685438538.000000000306F000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685289944.000000000305C000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686228797.00000000030AB000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686558375.00000000030BF000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686427978.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685685338.0000000003078000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685825306.0000000003087000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685963819.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000002.2938649842.0000000002E50000.00000004.00000020.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686702946.00000000030D9000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1693704550.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1691931017.0000000002E0C000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1692755823.0000000002E37000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1693880629.0000000002E89000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1692092441.0000000002E1F000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000002.2940996217.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000002.2941275761.00000000031F0000.00000004.00000020.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 
00000002.00000003.1692906229.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1693309663.0000000002E5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.thermoscientific.com/chromeleon
Source: Y5JXqbeNdS.exe, 00000000.00000002.2939049599.00000000030DA000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686098603.000000000309B000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685438538.000000000306F000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685289944.000000000305C000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686228797.00000000030AB000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686558375.00000000030BF000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686427978.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685685338.0000000003078000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685825306.0000000003087000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685963819.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000002.2938649842.0000000002E50000.00000004.00000020.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686702946.00000000030D9000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1693704550.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1691931017.0000000002E0C000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1692755823.0000000002E37000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1693880629.0000000002E89000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1692092441.0000000002E1F000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000002.2940996217.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000002.2941275761.00000000031F0000.00000004.00000020.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 
00000002.00000003.1692906229.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1693309663.0000000002E5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.thermoscientific.com/support
Source: Y5JXqbeNdS.exe, 00000002.00000002.2941275761.00000000031F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.thermoscientific.com/support~
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.drString found in binary or memory: https://d.symcb.com/cps0%
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.drString found in binary or memory: https://d.symcb.com/rpa0
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeCode function: 0_2_0098A8F10_2_0098A8F1
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeCode function: 0_2_009B001D0_2_009B001D
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeCode function: 0_2_009A41EA0_2_009A41EA
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeCode function: 0_2_009862AA0_2_009862AA
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeCode function: 0_2_009B03D50_2_009B03D5
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeCode function: 0_2_009AC3320_2_009AC332
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeCode function: 0_2_009BA5600_2_009BA560
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeCode function: 0_2_009B07AA0_2_009B07AA
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeCode function: 0_2_009BAA0E0_2_009BAA0E
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeCode function: 0_2_009AFB890_2_009AFB89
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeCode function: 0_2_009B0B6F0_2_009B0B6F
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeCode function: 0_2_009B2C180_2_009B2C18
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeCode function: 0_2_009B2E470_2_009B2E47
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeCode function: 0_2_009BEE7C0_2_009BEE7C
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: 2_2_00A4A8F12_2_00A4A8F1
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: 2_2_00A7001D2_2_00A7001D
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: 2_2_00A641EA2_2_00A641EA
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: 2_2_00A462AA2_2_00A462AA
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: 2_2_00A703D52_2_00A703D5
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: 2_2_00A6C3322_2_00A6C332
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: 2_2_00A7A5602_2_00A7A560
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: 2_2_00A707AA2_2_00A707AA
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: 2_2_00A7AA0E2_2_00A7AA0E
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: 2_2_00A6FB892_2_00A6FB89
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: 2_2_00A70B6F2_2_00A70B6F
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: 2_2_00A72C182_2_00A72C18
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: 2_2_00A7EE7C2_2_00A7EE7C
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: 2_2_00A72E472_2_00A72E47
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: 2_2_0607866C2_2_0607866C
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: 2_2_0607B3B92_2_0607B3B9
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: 2_2_6CBF707C2_2_6CBF707C
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: 2_2_6CBFD6D02_2_6CBFD6D0
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: 2_2_6CBF6E4D2_2_6CBF6E4D
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: 2_2_6CC027F82_2_6CC027F8
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: 2_2_6CBFDB7E2_2_6CBFDB7E
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: 2_2_00EE0BC82_2_00EE0BC8
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: 2_2_038AB2B02_2_038AB2B0
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: 2_2_038ABC282_2_038ABC28
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: 2_2_06077A8D2_2_06077A8D
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: String function: 00A80726 appears 33 times
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: String function: 00A832F3 appears 83 times
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: String function: 00A43821 appears 497 times
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: String function: 00A41F13 appears 52 times
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeCode function: String function: 00A80237 appears 681 times
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeCode function: String function: 009C0237 appears 678 times
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeCode function: String function: 00983821 appears 496 times
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeCode function: String function: 009C0726 appears 33 times
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeCode function: String function: 009C32F3 appears 83 times
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeCode function: String function: 00981F13 appears 52 times
Source: Y5JXqbeNdS.exe, 00000000.00000000.1684138453.0000000000B36000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameInstall.exe`@ProductNameThermo Chromeleon 7.2.10 ES MUa@ vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exeBinary or memory string: OriginalFilename vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe, 00000002.00000002.2945298126.00000000064E2000.00000002.00000001.01000000.0000000B.sdmpBinary or memory string: OriginalFilenameThermo.Chromeleon.BaExtension.dll8 vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe, 00000002.00000002.2948693965.000000006CC0E000.00000002.00000001.01000000.00000006.sdmpBinary or memory string: OriginalFilenamembahost.dll\ vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: OriginalFilenameMicrosoft.Deployment.WindowsInstaller.dll\ vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe, 00000002.00000002.2938929182.0000000000DA7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe, 00000002.00000002.2943834626.00000000061DA000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: OriginalFilenameThermo.BootstrapperApplication.dll8 vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe, 00000002.00000002.2943279233.0000000005B14000.00000002.00000001.01000000.00000009.sdmpBinary or memory string: OriginalFilenameBootstrapperCore.dll\ vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe, 00000002.00000000.1690371667.0000000000BF6000.00000002.00000001.01000000.00000005.sdmpBinary or memory string: OriginalFilenameInstall.exe`@ProductNameThermo Chromeleon 7.2.10 ES MUa@ vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exeBinary or memory string: OriginalFilenameInstall.exe`@ProductNameThermo Chromeleon 7.2.10 ES MUa@ vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe.0.drBinary or memory string: OriginalFilenameInstall.exe`@ProductNameThermo Chromeleon 7.2.10 ES MUa@ vs Y5JXqbeNdS.exe
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeSection loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeSection loaded: msi.dll
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeSection loaded: version.dll
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeSection loaded: cabinet.dll
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeSection loaded: msxml3.dll
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeSection loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeSection loaded: wldp.dll
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeSection loaded: profapi.dll
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeSection loaded: feclient.dll
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeSection loaded: iertutil.dll
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exeSection loaded: apphelp.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: cryptbase.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: msi.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: version.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: cabinet.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: msxml3.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: windows.storage.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: wldp.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: profapi.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: feclient.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: iertutil.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: uxtheme.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: textinputframework.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: coreuicomponents.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: coremessaging.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: ntmarta.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: coremessaging.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: wintypes.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: wintypes.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: wintypes.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: mscoree.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: cryptsp.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: rsaenh.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: dwrite.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: msvcp140_clr0400.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: sspicli.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: wuapi.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: wups.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: updatepolicy.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: msasn1.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: policymanager.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: msvcp110_win.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: urlmon.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: srvcli.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: netutils.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: propsys.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: dwmapi.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: d3d9.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: d3d10warp.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: windowscodecs.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: mscms.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: userenv.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: coloradapterclient.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: windowscodecsext.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: wtsapi32.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: winsta.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: powrprof.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: umpdc.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: dataexchange.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: d3d11.dll
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: dcomp.dllJump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: dxcore.dllJump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: msctfui.dllJump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: uiautomationcore.dllJump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: d3dcompiler_47.dllJump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: explorerframe.dllJump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: winmm.dllJump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exeSection loaded: thumbcache.dllJump to behavior
Source: Y5JXqbeNdS.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
Source: Thermo.BootstrapperApplication.dll.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Thermo.Chromeleon.BaExtension.dll.2.dr, ExtensionVariables.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: Thermo.BootstrapperApplication.dll.2.dr, CommonUiViewModel.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Thermo.BootstrapperApplication.dll.2.dr, CommonUiViewModel.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Thermo.BootstrapperApplication.dll.2.dr, PackageStatusLogger.cs | Security API names: System.IO.FileInfo.SetAccessControl(System.Security.AccessControl.FileSecurity)
Source: Thermo.BootstrapperApplication.dll.2.dr, PackageStatusLogger.cs | Security API names: Thermo.Bootstrapper.Utilities.PackageStatusLogger.SetAccessControl(string)
Source: Thermo.BootstrapperApplication.dll.2.dr, PackageStatusLogger.cs | Security API names: System.IO.FileInfo.GetAccessControl()
Source: Thermo.BootstrapperApplication.dll.2.dr, PackageStatusLogger.cs | Security API names: Thermo.Bootstrapper.Utilities.PackageStatusLogger.SetAccessControl(System.IO.FileInfo)
Source: Thermo.BootstrapperApplication.dll.2.dr, PackageStatusLogger.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine | Classification label: sus24.evad.winEXE@3/15@0/0
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe | Code function: 0_2_009BFE21 FormatMessageW,GetLastError,LocalFree, 0_2_009BFE21
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe | Code function: 0_2_009845EE GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle, 0_2_009845EE
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe | Code function: 2_2_00A445EE GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle, 2_2_00A445EE
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe | Code function: 0_2_009C304F GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess, 0_2_009C304F
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe | Code function: 0_2_009A6B88 ChangeServiceConfigW,GetLastError, 0_2_009A6B88
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe | Mutant created: NULL
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{FE0F444E-3839-43DC-AA5A-1DAD8411A6B1}
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe | File created: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe | Command line argument: cabinet.dll 0_2_00981070
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe | Command line argument: msi.dll 0_2_00981070
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe | Command line argument: version.dll 0_2_00981070
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe | Command line argument: wininet.dll 0_2_00981070
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe | Command line argument: comres.dll 0_2_00981070
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe | Command line argument: clbcatq.dll 0_2_00981070
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe | Command line argument: msasn1.dll 0_2_00981070
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe | Command line argument: crypt32.dll 0_2_00981070
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe | Command line argument: feclient.dll 0_2_00981070
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe | Command line argument: cabinet.dll 0_2_00981070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe | Command line argument: cabinet.dll 2_2_00A41070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe | Command line argument: msi.dll 2_2_00A41070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe | Command line argument: version.dll 2_2_00A41070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe | Command line argument: wininet.dll 2_2_00A41070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe | Command line argument: comres.dll 2_2_00A41070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe | Command line argument: clbcatq.dll 2_2_00A41070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe | Command line argument: msasn1.dll 2_2_00A41070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe | Command line argument: crypt32.dll 2_2_00A41070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe | Command line argument: feclient.dll 2_2_00A41070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe | Command line argument: cabinet.dll 2_2_00A41070
Source: Y5JXqbeNdS.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Y5JXqbeNdS.exe | String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: Y5JXqbeNdS.exe | String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: Y5JXqbeNdS.exe | String found in binary or memory: [PostInstall] {0}: Error parsing post-install step state
Source: Y5JXqbeNdS.exe | String found in binary or memory: views/installationqualificationview.baml
Source: Y5JXqbeNdS.exe | String found in binary or memory: /Thermo.BootstrapperApplication;component/views/installationqualificationview.xaml
Source: Y5JXqbeNdS.exe | String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe | File read: C:\Users\user\Desktop\Y5JXqbeNdS.exe
Source: unknown | Process created: C:\Users\user\Desktop\Y5JXqbeNdS.exe "C:\Users\user\Desktop\Y5JXqbeNdS.exe"
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe | Process created: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe "C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe" -burn.clean.room="C:\Users\user\Desktop\Y5JXqbeNdS.exe" -burn.filehandle.attached=528 -burn.filehandle.self=544
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe | Process created: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe "C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe" -burn.clean.room="C:\Users\user\Desktop\Y5JXqbeNdS.exe" -burn.filehandle.attached=528 -burn.filehandle.self=544
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Y5JXqbeNdS.exe | Static PE information: certificate valid
Source: Y5JXqbeNdS.exe | Static file information: File size 5999376 > 1048576
Source: Y5JXqbeNdS.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x195000
Source: Y5JXqbeNdS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Y5JXqbeNdS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Y5JXqbeNdS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Y5JXqbeNdS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Y5JXqbeNdS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Y5JXqbeNdS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Y5JXqbeNdS.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Y5JXqbeNdS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr
Source: Binary string: d:\ws\12\s\Distribution\Projects\Bootstrapper\Thermo.BootstrapperApplication\obj\Release\Thermo.BootstrapperApplication.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006196000.00000002.00000001.01000000.0000000A.sdmp, Thermo.BootstrapperApplication.dll.2.dr
Source: Binary string: d:\ws\12\s\Distribution\Projects\Bootstrapper\Thermo.Chromeleon.BaExtension\obj\Release\Thermo.Chromeleon.BaExtension.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2945298126.00000000064E2000.00000002.00000001.01000000.0000000B.sdmp, Thermo.Chromeleon.BaExtension.dll.2.dr
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\mbahost.pdb source: Y5JXqbeNdS.exe, 00000002.00000002.2948619605.000000006CC04000.00000002.00000001.01000000.00000006.sdmp, mbahost.dll.2.dr
Source: Binary string: d:\ws\12\s\Distribution\Projects\Bootstrapper\Thermo.Chromeleon.BaExtension\obj\Release\Thermo.Chromeleon.BaExtension.pdbXXnX `X_CorDllMainmscoree.dll source: Y5JXqbeNdS.exe, 00000002.00000002.2945298126.00000000064E2000.00000002.00000001.01000000.0000000B.sdmp, Thermo.Chromeleon.BaExtension.dll.2.dr
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\WixStdBA.pdb source: mbapreq.dll.2.dr
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\core\BootstrapperCore.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2943251748.0000000005B02000.00000002.00000001.01000000.00000009.sdmp, BootstrapperCore.dll.2.dr
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, Thermo.BootstrapperApplication.dll.2.dr
Source: Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, Thermo.BootstrapperApplication.dll.2.dr
Source: Y5JXqbeNdS.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Y5JXqbeNdS.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Y5JXqbeNdS.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Y5JXqbeNdS.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Y5JXqbeNdS.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: Thermo.BootstrapperApplication.dll.2.dr, AssemblyHelper.cs | .Net Code: ResolveEmbeddedAssembly System.Reflection.Assembly.Load(byte[])
Source: Y5JXqbeNdS.exe | Static PE information: section name: .wixburn
Source: Y5JXqbeNdS.exe.0.dr | Static PE information: section name: .wixburn
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe | Code function: 0_2_009AEAD6 push ecx; ret 0_2_009AEAE9
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe | Code function: 2_2_00A6EAD6 push ecx; ret 2_2_00A6EAE9
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe | Code function: 2_2_06076708 push es; ret 2_2_06076727
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe | Code function: 2_2_0607C2FA push es; iretd 2_2_0607C30C
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe | Code function: 2_2_6CBF4496 push ecx; ret 2_2_6CBF44A9
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe | Code function: 2_2_038A80E8 push esp; iretd 2_2_038A80F9
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe | Code function: 2_2_05F8EE12 pushfd ; iretd 2_2_05F8EE41
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe | Code function: 2_2_05F8EE02 pushad ; iretd 2_2_05F8EE11
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe | Code function: 2_2_05F8C3AB pushfd ; iretd 2_2_05F8C3A9
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe | Code function: 2_2_05F8B36A pushfd ; iretd 2_2_05F8B3B9
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe | Code function: 2_2_05F8C350 pushfd ; iretd 2_2_05F8C3A9
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe | Code function: 2_2_05F8F2DA push esp; retf 2_2_05F8F2E9
Source: Thermo.BootstrapperApplication.dll.2.dr | Static PE information: section name: .text entropy: 7.388050412212095