Edit tour

Windows Analysis Report
Y5JXqbeNdS.exe

Overview

General Information

Sample name:	Y5JXqbeNdS.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name:	23cddf52736c27fecc5b7e48607f4ce60c949b238e92086841db8ac7f49155e7
Analysis ID:	1419151
MD5:	cd423668f800bbdb227fa8063c33c654
SHA1:	9355b61baea1e1404f7c5b06a472affdd84e0d36
SHA256:	23cddf52736c27fecc5b7e48607f4ce60c949b238e92086841db8ac7f49155e7
Infos:

Detection

Score:	24
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Signatures

.NET source code contains potential unpacker

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect virtual machines (SLDT)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Process Tree

System is w10x64

Y5JXqbeNdS.exe (PID: 6864 cmdline: "C:\Users\user\Desktop\Y5JXqbeNdS.exe" MD5: CD423668F800BBDB227FA8063C33C654)

Y5JXqbeNdS.exe (PID: 7028 cmdline: "C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe" -burn.clean.room="C:\Users\user\Desktop\Y5JXqbeNdS.exe" -burn.filehandle.attached=528 -burn.filehandle.self=544 MD5: CD423668F800BBDB227FA8063C33C654)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_0099A0BB DecryptFileW,	0_2_0099A0BB
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009BFA62 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	0_2_009BFA62
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_00999E9E DecryptFileW,DecryptFileW,	0_2_00999E9E
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A5A0BB DecryptFileW,	2_2_00A5A0BB
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A7FA62 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	2_2_00A7FA62
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A59E9E DecryptFileW,DecryptFileW,	2_2_00A59E9E

Source: Y5JXqbeNdS.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP

Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Individual License Agreement.rtf	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Individual License Agreement.rtf	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Eula.rtf	Jump to behavior

Source: Y5JXqbeNdS.exe

Static PE information: certificate valid

Source: Y5JXqbeNdS.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr
Source:	Binary string: d:\ws\12\s\Distribution\Projects\Bootstrapper\Thermo.BootstrapperApplication\obj\Release\Thermo.BootstrapperApplication.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006196000.00000002.00000001.01000000.0000000A.sdmp, Thermo.BootstrapperApplication.dll.2.dr
Source:	Binary string: d:\ws\12\s\Distribution\Projects\Bootstrapper\Thermo.Chromeleon.BaExtension\obj\Release\Thermo.Chromeleon.BaExtension.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2945298126.00000000064E2000.00000002.00000001.01000000.0000000B.sdmp, Thermo.Chromeleon.BaExtension.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\mbahost.pdb source: Y5JXqbeNdS.exe, 00000002.00000002.2948619605.000000006CC04000.00000002.00000001.01000000.00000006.sdmp, mbahost.dll.2.dr
Source:	Binary string: d:\ws\12\s\Distribution\Projects\Bootstrapper\Thermo.Chromeleon.BaExtension\obj\Release\Thermo.Chromeleon.BaExtension.pdbXXnX `X_CorDllMainmscoree.dll source: Y5JXqbeNdS.exe, 00000002.00000002.2945298126.00000000064E2000.00000002.00000001.01000000.0000000B.sdmp, Thermo.Chromeleon.BaExtension.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\WixStdBA.pdb source: mbapreq.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\core\BootstrapperCore.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2943251748.0000000005B02000.00000002.00000001.01000000.00000009.sdmp, BootstrapperCore.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, Thermo.BootstrapperApplication.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, Thermo.BootstrapperApplication.dll.2.dr

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009C4440 FindFirstFileW,FindClose,	0_2_009C4440
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_00999B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	0_2_00999B43
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_00983CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	0_2_00983CC4
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A84440 FindFirstFileW,FindClose,	2_2_00A84440
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A59B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	2_2_00A59B43
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A43CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	2_2_00A43CC4

Source: Y5JXqbeNdS.exe, 00000000.00000002.2937034701.000000000073B000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://.crl0
Source: Y5JXqbeNdS.exe	String found in binary or memory: http://appsyndication.org/2006/appsyn
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr	String found in binary or memory: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/Thermo.BootstrapperApplication;component/views/GlobalStyles.xamld
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/Thermo.BootstrapperApplication;component/views/welcomeview.xamld
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/views/welcomeview.baml
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/views/welcomeview.bamld
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.0000000003BC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/views/welcomeview.xaml
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr	String found in binary or memory: http://s2.symcb.com0
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.00000000038D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/System
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.00000000038D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.00000000038D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.00000000038D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr	String found in binary or memory: http://sv.symcd.com0&
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Y5JXqbeNdS.exe	String found in binary or memory: http://wixtoolset.org/
Source: Y5JXqbeNdS.exe, 00000002.00000002.2943251748.0000000005B02000.00000002.00000001.01000000.00000009.sdmp, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, BootstrapperCore.dll.2.dr, Thermo.BootstrapperApplication.dll.2.dr	String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2943251748.0000000005B02000.00000002.00000001.01000000.00000009.sdmp, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, BootstrapperCore.dll.2.dr, Thermo.BootstrapperApplication.dll.2.dr	String found in binary or memory: http://wixtoolset.org/news/
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, Thermo.BootstrapperApplication.dll.2.dr	String found in binary or memory: http://wixtoolset.org/releases/
Source: Y5JXqbeNdS.exe, 00000002.00000002.2943251748.0000000005B02000.00000002.00000001.01000000.00000009.sdmp, BootstrapperCore.dll.2.dr	String found in binary or memory: http://wixtoolset.org/releases/SCreating
Source: mbapreq.thm.2.dr	String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010
Source: Y5JXqbeNdS.exe	String found in binary or memory: http://wixtoolset.org/telemetry/v
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.00000000038D1000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, Thermo.BootstrapperApplication.dll.2.dr	String found in binary or memory: http://www.thermofisher.com
Source: Y5JXqbeNdS.exe, 00000000.00000002.2939049599.00000000030DA000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686098603.000000000309B000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685438538.000000000306F000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685289944.000000000305C000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686228797.00000000030AB000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686558375.00000000030BF000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686427978.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685685338.0000000003078000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685825306.0000000003087000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685963819.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000002.2938649842.0000000002E50000.00000004.00000020.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686702946.00000000030D9000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1693704550.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1691931017.0000000002E0C000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1692755823.0000000002E37000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1693880629.0000000002E89000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1692092441.0000000002E1F000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000002.2940996217.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000002.2941275761.00000000031F0000.00000004.00000020.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1692906229.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1693309663.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.thermoscientific.com/chromeleon
Source: Y5JXqbeNdS.exe, 00000000.00000002.2939049599.00000000030DA000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686098603.000000000309B000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685438538.000000000306F000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685289944.000000000305C000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686228797.00000000030AB000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686558375.00000000030BF000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686427978.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685685338.0000000003078000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685825306.0000000003087000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1685963819.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000002.2938649842.0000000002E50000.00000004.00000020.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000000.00000003.1686702946.00000000030D9000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1693704550.0000000002E6F000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1691931017.0000000002E0C000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1692755823.0000000002E37000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1693880629.0000000002E89000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1692092441.0000000002E1F000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000002.2940996217.0000000002E8A000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000002.2941275761.00000000031F0000.00000004.00000020.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1692906229.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Y5JXqbeNdS.exe, 00000002.00000003.1693309663.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.thermoscientific.com/support
Source: Y5JXqbeNdS.exe, 00000002.00000002.2941275761.00000000031F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.thermoscientific.com/support~
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr	String found in binary or memory: https://d.symcb.com/rpa0

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_0098A8F1	0_2_0098A8F1
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009B001D	0_2_009B001D
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009A41EA	0_2_009A41EA
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009862AA	0_2_009862AA
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009B03D5	0_2_009B03D5
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009AC332	0_2_009AC332
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009BA560	0_2_009BA560
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009B07AA	0_2_009B07AA
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009BAA0E	0_2_009BAA0E
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009AFB89	0_2_009AFB89
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009B0B6F	0_2_009B0B6F
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009B2C18	0_2_009B2C18
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009B2E47	0_2_009B2E47
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009BEE7C	0_2_009BEE7C
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A4A8F1	2_2_00A4A8F1
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A7001D	2_2_00A7001D
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A641EA	2_2_00A641EA
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A462AA	2_2_00A462AA
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A703D5	2_2_00A703D5
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A6C332	2_2_00A6C332
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A7A560	2_2_00A7A560
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A707AA	2_2_00A707AA
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A7AA0E	2_2_00A7AA0E
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A6FB89	2_2_00A6FB89
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A70B6F	2_2_00A70B6F
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A72C18	2_2_00A72C18
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A7EE7C	2_2_00A7EE7C
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A72E47	2_2_00A72E47
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_0607866C	2_2_0607866C
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_0607B3B9	2_2_0607B3B9
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_6CBF707C	2_2_6CBF707C
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_6CBFD6D0	2_2_6CBFD6D0
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_6CBF6E4D	2_2_6CBF6E4D
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_6CC027F8	2_2_6CC027F8
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_6CBFDB7E	2_2_6CBFDB7E
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00EE0BC8	2_2_00EE0BC8
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_038AB2B0	2_2_038AB2B0
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_038ABC28	2_2_038ABC28
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_06077A8D	2_2_06077A8D

Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: String function: 00A80726 appears 33 times
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: String function: 00A832F3 appears 83 times
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: String function: 00A43821 appears 497 times
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: String function: 00A41F13 appears 52 times
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: String function: 00A80237 appears 681 times
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: String function: 009C0237 appears 678 times
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: String function: 00983821 appears 496 times
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: String function: 009C0726 appears 33 times
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: String function: 009C32F3 appears 83 times
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: String function: 00981F13 appears 52 times

Source: Y5JXqbeNdS.exe, 00000000.00000000.1684138453.0000000000B36000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameInstall.exe`@ProductNameThermo Chromeleon 7.2.10 ES MUa@ vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe	Binary or memory string: OriginalFilename vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe, 00000002.00000002.2945298126.00000000064E2000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilenameThermo.Chromeleon.BaExtension.dll8 vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe, 00000002.00000002.2948693965.000000006CC0E000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenamembahost.dll\ vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Deployment.WindowsInstaller.dll\ vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe, 00000002.00000002.2938929182.0000000000DA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe, 00000002.00000002.2943834626.00000000061DA000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilenameThermo.BootstrapperApplication.dll8 vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe, 00000002.00000002.2943279233.0000000005B14000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilenameBootstrapperCore.dll\ vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe, 00000002.00000000.1690371667.0000000000BF6000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenameInstall.exe`@ProductNameThermo Chromeleon 7.2.10 ES MUa@ vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe	Binary or memory string: OriginalFilenameInstall.exe`@ProductNameThermo Chromeleon 7.2.10 ES MUa@ vs Y5JXqbeNdS.exe
Source: Y5JXqbeNdS.exe.0.dr	Binary or memory string: OriginalFilenameInstall.exe`@ProductNameThermo Chromeleon 7.2.10 ES MUa@ vs Y5JXqbeNdS.exe

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: wuapi.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: wups.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: updatepolicy.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: windowscodecsext.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: msctfui.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Section loaded: thumbcache.dll	Jump to behavior

Source: Y5JXqbeNdS.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP

Source: Thermo.BootstrapperApplication.dll.2.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Thermo.Chromeleon.BaExtension.dll.2.dr, ExtensionVariables.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: Thermo.BootstrapperApplication.dll.2.dr, CommonUiViewModel.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Thermo.BootstrapperApplication.dll.2.dr, CommonUiViewModel.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Thermo.BootstrapperApplication.dll.2.dr, PackageStatusLogger.cs	Security API names: System.IO.FileInfo.SetAccessControl(System.Security.AccessControl.FileSecurity)
Source: Thermo.BootstrapperApplication.dll.2.dr, PackageStatusLogger.cs	Security API names: Thermo.Bootstrapper.Utilities.PackageStatusLogger.SetAccessControl(string)
Source: Thermo.BootstrapperApplication.dll.2.dr, PackageStatusLogger.cs	Security API names: System.IO.FileInfo.GetAccessControl()
Source: Thermo.BootstrapperApplication.dll.2.dr, PackageStatusLogger.cs	Security API names: Thermo.Bootstrapper.Utilities.PackageStatusLogger.SetAccessControl(System.IO.FileInfo)
Source: Thermo.BootstrapperApplication.dll.2.dr, PackageStatusLogger.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: sus24.evad.winEXE@3/15@0/0

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Code function: 0_2_009BFE21 FormatMessageW,GetLastError,LocalFree,

0_2_009BFE21

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009845EE GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,		0_2_009845EE
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A445EE GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,		2_2_00A445EE

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Code function: 0_2_009C304F GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess,

0_2_009C304F

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Code function: 0_2_009A6B88 ChangeServiceConfigW,GetLastError,

0_2_009A6B88

Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Mutant created: NULL
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{FE0F444E-3839-43DC-AA5A-1DAD8411A6B1}

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

File created: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\

Jump to behavior

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Command line argument: cabinet.dll	0_2_00981070
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Command line argument: msi.dll	0_2_00981070
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Command line argument: version.dll	0_2_00981070
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Command line argument: wininet.dll	0_2_00981070
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Command line argument: comres.dll	0_2_00981070
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Command line argument: clbcatq.dll	0_2_00981070
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Command line argument: msasn1.dll	0_2_00981070
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Command line argument: crypt32.dll	0_2_00981070
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Command line argument: feclient.dll	0_2_00981070
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Command line argument: cabinet.dll	0_2_00981070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Command line argument: cabinet.dll	2_2_00A41070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Command line argument: msi.dll	2_2_00A41070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Command line argument: version.dll	2_2_00A41070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Command line argument: wininet.dll	2_2_00A41070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Command line argument: comres.dll	2_2_00A41070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Command line argument: clbcatq.dll	2_2_00A41070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Command line argument: msasn1.dll	2_2_00A41070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Command line argument: crypt32.dll	2_2_00A41070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Command line argument: feclient.dll	2_2_00A41070
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Command line argument: cabinet.dll	2_2_00A41070

Source: Y5JXqbeNdS.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Y5JXqbeNdS.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: Y5JXqbeNdS.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: Y5JXqbeNdS.exe	String found in binary or memory: [PostInstall] {0}: Error parsing post-install step state
Source: Y5JXqbeNdS.exe	String found in binary or memory: views/installationqualificationview.baml
Source: Y5JXqbeNdS.exe	String found in binary or memory: /Thermo.BootstrapperApplication;component/views/installationqualificationview.xaml
Source: Y5JXqbeNdS.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

File read: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Y5JXqbeNdS.exe "C:\Users\user\Desktop\Y5JXqbeNdS.exe"
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Process created: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe "C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe" -burn.clean.room="C:\Users\user\Desktop\Y5JXqbeNdS.exe" -burn.filehandle.attached=528 -burn.filehandle.self=544
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Process created: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe "C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe" -burn.clean.room="C:\Users\user\Desktop\Y5JXqbeNdS.exe" -burn.filehandle.attached=528 -burn.filehandle.self=544	Jump to behavior

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Y5JXqbeNdS.exe

Static PE information: certificate valid

Source: Y5JXqbeNdS.exe

Static file information: File size 5999376 > 1048576

Source: Y5JXqbeNdS.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x195000

Source: Y5JXqbeNdS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Y5JXqbeNdS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Y5JXqbeNdS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Y5JXqbeNdS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Y5JXqbeNdS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Y5JXqbeNdS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Y5JXqbeNdS.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Y5JXqbeNdS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe.0.dr
Source:	Binary string: d:\ws\12\s\Distribution\Projects\Bootstrapper\Thermo.BootstrapperApplication\obj\Release\Thermo.BootstrapperApplication.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006196000.00000002.00000001.01000000.0000000A.sdmp, Thermo.BootstrapperApplication.dll.2.dr
Source:	Binary string: d:\ws\12\s\Distribution\Projects\Bootstrapper\Thermo.Chromeleon.BaExtension\obj\Release\Thermo.Chromeleon.BaExtension.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2945298126.00000000064E2000.00000002.00000001.01000000.0000000B.sdmp, Thermo.Chromeleon.BaExtension.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\mbahost.pdb source: Y5JXqbeNdS.exe, 00000002.00000002.2948619605.000000006CC04000.00000002.00000001.01000000.00000006.sdmp, mbahost.dll.2.dr
Source:	Binary string: d:\ws\12\s\Distribution\Projects\Bootstrapper\Thermo.Chromeleon.BaExtension\obj\Release\Thermo.Chromeleon.BaExtension.pdbXXnX `X_CorDllMainmscoree.dll source: Y5JXqbeNdS.exe, 00000002.00000002.2945298126.00000000064E2000.00000002.00000001.01000000.0000000B.sdmp, Thermo.Chromeleon.BaExtension.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\WixStdBA.pdb source: mbapreq.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\core\BootstrapperCore.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2943251748.0000000005B02000.00000002.00000001.01000000.00000009.sdmp, BootstrapperCore.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbT source: Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, Thermo.BootstrapperApplication.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Y5JXqbeNdS.exe, Y5JXqbeNdS.exe, 00000002.00000002.2943704432.0000000006072000.00000002.00000001.01000000.0000000A.sdmp, Thermo.BootstrapperApplication.dll.2.dr

Source: Y5JXqbeNdS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Y5JXqbeNdS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Y5JXqbeNdS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Y5JXqbeNdS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Y5JXqbeNdS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains potential unpacker

Source: Thermo.BootstrapperApplication.dll.2.dr, AssemblyHelper.cs

.Net Code: ResolveEmbeddedAssembly System.Reflection.Assembly.Load(byte[])

Source: Y5JXqbeNdS.exe	Static PE information: section name: .wixburn
Source: Y5JXqbeNdS.exe.0.dr	Static PE information: section name: .wixburn

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009AEAD6 push ecx; ret	0_2_009AEAE9
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A6EAD6 push ecx; ret	2_2_00A6EAE9
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_06076708 push es; ret	2_2_06076727
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_0607C2FA push es; iretd	2_2_0607C30C
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_6CBF4496 push ecx; ret	2_2_6CBF44A9
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_038A80E8 push esp; iretd	2_2_038A80F9
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_05F8EE12 pushfd ; iretd	2_2_05F8EE41
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_05F8EE02 pushad ; iretd	2_2_05F8EE11
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_05F8C3AB pushfd ; iretd	2_2_05F8C3A9
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_05F8B36A pushfd ; iretd	2_2_05F8B3B9
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_05F8C350 pushfd ; iretd	2_2_05F8C3A9
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_05F8F2DA push esp; retf	2_2_05F8F2E9

Source: Thermo.BootstrapperApplication.dll.2.dr

Static PE information: section name: .text entropy: 7.388050412212095

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Jump to dropped file
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Thermo.BootstrapperApplication.dll	Jump to dropped file
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Thermo.Chromeleon.BaExtension.dll	Jump to dropped file
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbahost.dll	Jump to dropped file
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbapreq.dll	Jump to dropped file
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\BootstrapperCore.dll	Jump to dropped file

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Jump to dropped file
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Thermo.BootstrapperApplication.dll	Jump to dropped file
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Thermo.Chromeleon.BaExtension.dll	Jump to dropped file
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbahost.dll	Jump to dropped file
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbapreq.dll	Jump to dropped file
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\BootstrapperCore.dll	Jump to dropped file

Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Individual License Agreement.rtf	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Individual License Agreement.rtf	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	File created: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Eula.rtf	Jump to behavior

Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Memory allocated: 2DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Memory allocated: 38D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Memory allocated: 58D0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe

Code function: 2_2_0607353E sldt word ptr [eax]

2_2_0607353E

Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Window / User API: threadDelayed 1646			Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Window / User API: threadDelayed 681			Jump to behavior

Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Dropped PE file which has not been started: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Thermo.BootstrapperApplication.dll	Jump to dropped file
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Dropped PE file which has not been started: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Thermo.Chromeleon.BaExtension.dll	Jump to dropped file
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Dropped PE file which has not been started: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbahost.dll	Jump to dropped file
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Dropped PE file which has not been started: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbapreq.dll	Jump to dropped file
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Dropped PE file which has not been started: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\BootstrapperCore.dll	Jump to dropped file

Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe

Evaded block: after key decision

Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe

Evasive API call chain: GetLocalTime,DecisionNodes

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

API coverage: 9.4 %

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009BFEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 009BFF61h	0_2_009BFEC6
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009BFEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 009BFF5Ah	0_2_009BFEC6
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A7FEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00A7FF61h	2_2_00A7FEC6
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A7FEC6 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00A7FF5Ah	2_2_00A7FEC6

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009C4440 FindFirstFileW,FindClose,	0_2_009C4440
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_00999B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	0_2_00999B43
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_00983CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	0_2_00983CC4
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A84440 FindFirstFileW,FindClose,	2_2_00A84440
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A59B43 FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	2_2_00A59B43
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A43CC4 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	2_2_00A43CC4

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Code function: 0_2_009C97A5 VirtualQuery,GetSystemInfo,

0_2_009C97A5

Source: Y5JXqbeNdS.exe, 00000002.00000002.2942330181.00000000038D1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: $^qEMutating a value collection derived from a dictionary is not allowed.

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Code function: 0_2_009AE88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_009AE88A

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009B48D8 mov eax, dword ptr fs:[00000030h]	0_2_009B48D8
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A748D8 mov eax, dword ptr fs:[00000030h]	2_2_00A748D8
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_6CBF8F39 mov eax, dword ptr fs:[00000030h]	2_2_6CBF8F39

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Code function: 0_2_0098394F GetProcessHeap,RtlAllocateHeap,

0_2_0098394F

Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009AE3D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_009AE3D8
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009AE88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_009AE88A
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009AE9DC SetUnhandledExceptionFilter,	0_2_009AE9DC
Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe	Code function: 0_2_009B3C76 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_009B3C76
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A6E3D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00A6E3D8
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A6E88A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00A6E88A
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A6E9DC SetUnhandledExceptionFilter,	2_2_00A6E9DC
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_00A73C76 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00A73C76
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_6CBF44AB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6CBF44AB
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_6CBF7EDC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6CBF7EDC
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Code function: 2_2_6CBF42CD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6CBF42CD

Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Process created: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe "C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe" -burn.clean.room="C:\Users\user\Desktop\Y5JXqbeNdS.exe" -burn.filehandle.attached=528 -burn.filehandle.self=544

Jump to behavior

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Code function: 0_2_009C1719 InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree,

0_2_009C1719

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Code function: 0_2_009C3A5F AllocateAndInitializeSid,CheckTokenMembership,

0_2_009C3A5F

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Code function: 0_2_009AEC07 cpuid

0_2_009AEC07

Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\BootstrapperCore.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Thermo.BootstrapperApplication.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Thermo.Chromeleon.BaExtension.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Thermo.Chromeleon.BaExtension.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Code function: 0_2_00994EDF ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,

0_2_00994EDF

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Code function: 0_2_00986037 GetSystemTime,GetDateFormatW,GetLastError,GetLastError,GetDateFormatW,GetLastError,

0_2_00986037

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Code function: 0_2_009861DF GetUserNameW,GetLastError,

0_2_009861DF

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Code function: 0_2_009C887B GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,

0_2_009C887B

Source: C:\Users\user\Desktop\Y5JXqbeNdS.exe

Code function: 0_2_00985195 GetModuleHandleW,CoInitializeEx,GetVersionExW,GetLastError,CoUninitialize,

0_2_00985195

Source: C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Command and Scripting Interpreter	1 Windows Service	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	12 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Service Execution	1 DLL Side-Loading	1 Windows Service	2 Virtualization/Sandbox Evasion	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	3 Native API	Logon Script (Windows)	12 Process Injection	1 Disable or Modify Tools	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Access Token Manipulation	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	25 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
Y5JXqbeNdS.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Y5JXqbeNdS.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Y5JXqbeNdS.exe