IOC Report
Y5JXqbeNdS


Files

File Path | Type | Category (Malicious column empty for all rows)
Y5JXqbeNdS.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample
C:\Users\user\AppData\Local\Temp\Thermo_Chromeleon_7.2.10_ES_MUa_20240403070104.log | Unicode text, UTF-8 text, with CRLF line terminators | dropped
C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\BootstrapperApplicationData.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (3622), with CRLF line terminators | dropped
C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\BootstrapperCore.config | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | dropped
C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\BootstrapperCore.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped
C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Eula.rtf | Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033 | dropped
C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Individual License Agreement.rtf | Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033 | dropped
C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Installation Guide - Chromeleon 7.2.10.pdf | PDF document, version 1.4 | dropped
C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Thermo.BootstrapperApplication.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped
C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\Thermo.Chromeleon.BaExtension.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped
C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbahost.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped
C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbapreq.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped
C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbapreq.png | PNG image data, 427 x 519, 8-bit/color RGBA, non-interlaced | dropped
C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbapreq.thm | XML 1.0 document, ASCII text, with CRLF line terminators | dropped
C:\Windows\Temp\{C1068606-A2DC-4449-96C7-3E7413773EA0}\.ba\mbapreq.wxl | XML 1.0 document, ASCII text, with CRLF line terminators | dropped
C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped
(6 further files are not shown in this report.)

Processes

Path | Cmdline (Malicious column empty for all rows)
C:\Users\user\Desktop\Y5JXqbeNdS.exe | "C:\Users\user\Desktop\Y5JXqbeNdS.exe"
C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe | "C:\Windows\Temp\{FA80094D-F9A9-4117-87F4-0E9C1E31A138}\.cr\Y5JXqbeNdS.exe" -burn.clean.room="C:\Users\user\Desktop\Y5JXqbeNdS.exe" -burn.filehandle.attached=528 -burn.filehandle.self=544

URLs

Name | IP (Malicious column empty for all rows)
http://defaultcontainer/Thermo.BootstrapperApplication;component/views/GlobalStyles.xamld | unknown
http://schemas.xmlsoap.org/soap/encoding/ | unknown
http://wixtoolset.org/schemas/thmutil/2010 | unknown
http://defaultcontainer/Thermo.BootstrapperApplication;component/views/welcomeview.xamld | unknown
http://ocsp.thawte.com0 | unknown
http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v | unknown
http://foo/bar/views/welcomeview.baml | unknown
http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor | unknown
http://wixtoolset.org/news/ | unknown
http://www.symauth.com/cps0( | unknown
http://wixtoolset.org/releases/SCreating | unknown
http://www.thermofisher.com | unknown
http://wixtoolset.org/releases/ | unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0 | unknown
http://foo/views/welcomeview.xaml | unknown
http://www.symauth.com/rpa00 | unknown
http://schemas.xmlsoap.org/wsdl/ | unknown
http://foo/bar/views/welcomeview.bamld | unknown
http://www.thermoscientific.com/support | unknown
http://wixtoolset.org/ | unknown
http://wixtoolset.org/telemetry/v | unknown
http://www.thermoscientific.com/support~ | unknown
http://schemas.datacontract.org/2004/07/System | unknown
http://.crl0 | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | unknown
http://www.thermoscientific.com/chromeleon | unknown
http://appsyndication.org/2006/appsyn | unknown
(17 further URLs are not shown in this report.)

Memdumps

Base Address | Regiontype | Protect (Malicious column empty for all rows)
3116000 | trusted library allocation | page read and write
BE5B000 | heap | page read and write
BE86000 | heap | page read and write
5F50000 | trusted library allocation | page read and write
30BB000 | trusted library allocation | page read and write
BED2000 | heap | page read and write
349E000 | trusted library allocation | page read and write
BC11000 | heap | page read and write
6633000 | heap | page read and write
BEAB000 | heap | page read and write
3080000 | trusted library allocation | page read and write
6ABB000 | heap | page read and write
6678000 | heap | page read and write
BECB000 | heap | page read and write
2E38000 | trusted library allocation | page read and write
BF28000 | heap | page read and write
6AB7000 | heap | page read and write
66BC000 | heap | page read and write
3438000 | heap | page read and write
3085000 | trusted library allocation | page read and write
A40000 | unkown | page readonly
2C24000 | trusted library allocation | page read and write
980000 | unkown | page readonly
BF0B000 | heap | page read and write
66CA000 | heap | page read and write
C57000 | heap | page read and write
73AB000 | heap | page read and write
3483000 | heap | page read and write
BE3E000 | heap | page read and write
347C000 | heap | page read and write