Windows Analysis Report
cylanceprotectsetupwithoptics.exe

Overview

General Information

Sample name:	cylanceprotectsetupwithoptics.exe
Analysis ID:	1426789
MD5:	796375900c5f33db332ff8143f243083
SHA1:	9baf9183df0a5ca02cd49dbe04d99578821b27f7
SHA256:	bab72dfa7eed0ce4814580312ccba4fca4a136f4bb6f93a9f8f9648614d9ec68
Infos:

Detection

Score:	10
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Signatures

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B19EB7 DecryptFileW,	1_2_00B19EB7
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B3F961 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	1_2_00B3F961
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B19C99 DecryptFileW,DecryptFileW,	1_2_00B19C99
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_00899EB7 DecryptFileW,	2_2_00899EB7
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008BF961 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	2_2_008BF961
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_00899C99 DecryptFileW,DecryptFileW,	2_2_00899C99

Uses 32bit PE files

Source: cylanceprotectsetupwithoptics.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP

Source: cylanceprotectsetupwithoptics.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: cylanceprotectsetupwithoptics.exe, cylanceprotectsetupwithoptics.exe.1.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb8 source: cylanceprotectsetupwithoptics.exe, 00000002.00000003.2147458515.000000000112F000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\mbahost.pdb source: cylanceprotectsetupwithoptics.exe, 00000002.00000002.3393236997.000000006E844000.00000002.00000001.01000000.00000007.sdmp, mbahost.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\WixStdBA.pdb source: mbapreq.dll.2.dr
Source:	Binary string: e:\jenkins\sign2\workspace\UnifiedInstaller\REL\1070\exe\src\bundledinstaller\Cylance.Host.Installer.CustomBootstrapperWithOptics\obj\Release\Cylance.Host.Installer.CustomBootstrapperWithOptics.pdb source: cylanceprotectsetupwithoptics.exe, cylanceprotectsetupwithoptics.exe, 00000002.00000002.3389746389.0000000006AE9000.00000002.00000001.01000000.0000000B.sdmp, Cylance.Host.Installer.CustomBootstrapperWithOptics.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\core\BootstrapperCore.pdb source: cylanceprotectsetupwithoptics.exe, cylanceprotectsetupwithoptics.exe, 00000002.00000002.3388972113.00000000066C2000.00000002.00000001.01000000.0000000A.sdmp, BootstrapperCore.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: cylanceprotectsetupwithoptics.exe, 00000002.00000003.2147458515.000000000112F000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.2.dr

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B44315 FindFirstFileW,FindClose,	1_2_00B44315
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B1993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	1_2_00B1993E
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B37A87 FindFirstFileExW,	1_2_00B37A87
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B03BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	1_2_00B03BC3
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008C4315 FindFirstFileW,FindClose,	2_2_008C4315
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_0089993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	2_2_0089993E
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008B7A87 FindFirstFileExW,	2_2_008B7A87
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_00883BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	2_2_00883BC3
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_6E83BF6A FindFirstFileExA,	2_2_6E83BF6A

Source: cylanceprotectsetupwithoptics.exe	String found in binary or memory: http://appsyndication.org/2006/appsyn
Source: cylanceprotectsetupwithoptics.exe, cylanceprotectsetupwithoptics.exe.1.dr	String found in binary or memory: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
Source: cylanceprotectsetupwithoptics.exe, 00000002.00000002.3387948625.00000000044A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/Cylance.Host.Installer.CustomBootstrapperWithOptics;component/mainview.xamld
Source: cylanceprotectsetupwithoptics.exe, 00000002.00000002.3387948625.00000000044A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/Cylance.Host.Installer.CustomBootstrapperWithOptics;component/resources/inst
Source: cylanceprotectsetupwithoptics.exe, 00000002.00000002.3387948625.00000000044A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/mainview.baml
Source: cylanceprotectsetupwithoptics.exe, 00000002.00000002.3387948625.00000000044A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/mainview.bamld
Source: cylanceprotectsetupwithoptics.exe, 00000002.00000002.3387948625.00000000044A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/mainview.xaml
Source: cylanceprotectsetupwithoptics.exe, 00000002.00000002.3387948625.00000000044A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/resources/installerBannerProtect.bmp
Source: cylanceprotectsetupwithoptics.exe, 00000002.00000002.3387948625.00000000044A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: cylanceprotectsetupwithoptics.exe	String found in binary or memory: http://wixtoolset.org/
Source: cylanceprotectsetupwithoptics.exe, 00000002.00000002.3388972113.00000000066C2000.00000002.00000001.01000000.0000000A.sdmp, BootstrapperCore.dll.2.dr, Microsoft.Deployment.WindowsInstaller.dll.2.dr	String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: cylanceprotectsetupwithoptics.exe, cylanceprotectsetupwithoptics.exe, 00000002.00000002.3388972113.00000000066C2000.00000002.00000001.01000000.0000000A.sdmp, BootstrapperCore.dll.2.dr, Microsoft.Deployment.WindowsInstaller.dll.2.dr	String found in binary or memory: http://wixtoolset.org/news/
Source: mbapreq.thm.2.dr	String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010
Source: cylanceprotectsetupwithoptics.exe	String found in binary or memory: http://wixtoolset.org/telemetry/v

Detected potential crypto function

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B2C0FA	1_2_00B2C0FA
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B06184	1_2_00B06184
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B3022D	1_2_00B3022D
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B3A3B0	1_2_00B3A3B0
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B30662	1_2_00B30662
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B0A7EF	1_2_00B0A7EF
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B3A85E	1_2_00B3A85E
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B169CC	1_2_00B169CC
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B2F919	1_2_00B2F919
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B30A97	1_2_00B30A97
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B32B21	1_2_00B32B21
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B32D50	1_2_00B32D50
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B3ED4C	1_2_00B3ED4C
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B2FE15	1_2_00B2FE15
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008AC0FA	2_2_008AC0FA
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_00886184	2_2_00886184
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008B022D	2_2_008B022D
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008BA3B0	2_2_008BA3B0
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008B0662	2_2_008B0662
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_0088A7EF	2_2_0088A7EF
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008BA85E	2_2_008BA85E
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008969CC	2_2_008969CC
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008AF919	2_2_008AF919
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008B0A97	2_2_008B0A97
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008B2B21	2_2_008B2B21
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008BED4C	2_2_008BED4C
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008B2D50	2_2_008B2D50
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008AFE15	2_2_008AFE15
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_066C9645	2_2_066C9645
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_06ADE1CE	2_2_06ADE1CE
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_6E83DCFE	2_2_6E83DCFE
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_6E837025	2_2_6E837025
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_6E83D850	2_2_6E83D850
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_6E836DF6	2_2_6E836DF6
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_6E842978	2_2_6E842978

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: String function: 00B431C7 appears 83 times
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: String function: 00B01F20 appears 54 times
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: String function: 00B4061A appears 34 times
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: String function: 00B4012F appears 678 times
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: String function: 00B037D3 appears 496 times
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: String function: 008C31C7 appears 83 times
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: String function: 00881F20 appears 54 times
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: String function: 008837D3 appears 496 times
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: String function: 008C061A appears 34 times
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: String function: 008C012F appears 678 times

Sample file is different than original file name gathered from version info

Source: cylanceprotectsetupwithoptics.exe	Binary or memory string: OriginalFilename vs cylanceprotectsetupwithoptics.exe
Source: cylanceprotectsetupwithoptics.exe	Binary or memory string: OriginalFilename vs cylanceprotectsetupwithoptics.exe
Source: cylanceprotectsetupwithoptics.exe, 00000002.00000002.3388997416.00000000066D4000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilenameBootstrapperCore.dll\ vs cylanceprotectsetupwithoptics.exe
Source: cylanceprotectsetupwithoptics.exe, 00000002.00000002.3389912943.0000000006AF0000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilenameCylance.Host.Installer.CustomBootstrapperWithOptics.dll vs cylanceprotectsetupwithoptics.exe
Source: cylanceprotectsetupwithoptics.exe, 00000002.00000003.2147458515.000000000112F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Deployment.WindowsInstaller.dll\ vs cylanceprotectsetupwithoptics.exe
Source: cylanceprotectsetupwithoptics.exe, 00000002.00000002.3393334798.000000006E84E000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenamembahost.dll\ vs cylanceprotectsetupwithoptics.exe

Uses 32bit PE files

Source: cylanceprotectsetupwithoptics.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP

Source: classification engine

Classification label: clean10.winEXE@3/35@0/0

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Code function: 1_2_00B3FD20 FormatMessageW,GetLastError,LocalFree,

1_2_00B3FD20

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B044E9 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,		1_2_00B044E9
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008844E9 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,		2_2_008844E9

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Code function: 1_2_00B42F23 GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess,

1_2_00B42F23

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Code function: 1_2_00B26945 ChangeServiceConfigW,GetLastError,

1_2_00B26945

Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

File created: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\

Jump to behavior

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Command line argument: cabinet.dll	1_2_00B01070
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Command line argument: msi.dll	1_2_00B01070
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Command line argument: version.dll	1_2_00B01070
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Command line argument: wininet.dll	1_2_00B01070
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Command line argument: comres.dll	1_2_00B01070
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Command line argument: clbcatq.dll	1_2_00B01070
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Command line argument: msasn1.dll	1_2_00B01070
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Command line argument: crypt32.dll	1_2_00B01070
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Command line argument: feclient.dll	1_2_00B01070
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Command line argument: cabinet.dll	2_2_00881070
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Command line argument: msi.dll	2_2_00881070
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Command line argument: version.dll	2_2_00881070
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Command line argument: wininet.dll	2_2_00881070
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Command line argument: comres.dll	2_2_00881070
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Command line argument: clbcatq.dll	2_2_00881070
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Command line argument: msasn1.dll	2_2_00881070
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Command line argument: crypt32.dll	2_2_00881070
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Command line argument: feclient.dll	2_2_00881070

Source: cylanceprotectsetupwithoptics.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: cylanceprotectsetupwithoptics.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: cylanceprotectsetupwithoptics.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: cylanceprotectsetupwithoptics.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

File read: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe "C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe"
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Process created: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe "C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe" -burn.clean.room="C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe" -burn.filehandle.attached=512 -burn.filehandle.self=528
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Process created: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe "C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe" -burn.clean.room="C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe" -burn.filehandle.attached=512 -burn.filehandle.self=528	Jump to behavior

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: msctfui.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: cylanceprotectsetupwithoptics.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: cylanceprotectsetupwithoptics.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: cylanceprotectsetupwithoptics.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: cylanceprotectsetupwithoptics.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: cylanceprotectsetupwithoptics.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: cylanceprotectsetupwithoptics.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: cylanceprotectsetupwithoptics.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: cylanceprotectsetupwithoptics.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: cylanceprotectsetupwithoptics.exe, cylanceprotectsetupwithoptics.exe.1.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb8 source: cylanceprotectsetupwithoptics.exe, 00000002.00000003.2147458515.000000000112F000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\mbahost.pdb source: cylanceprotectsetupwithoptics.exe, 00000002.00000002.3393236997.000000006E844000.00000002.00000001.01000000.00000007.sdmp, mbahost.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\WixStdBA.pdb source: mbapreq.dll.2.dr
Source:	Binary string: e:\jenkins\sign2\workspace\UnifiedInstaller\REL\1070\exe\src\bundledinstaller\Cylance.Host.Installer.CustomBootstrapperWithOptics\obj\Release\Cylance.Host.Installer.CustomBootstrapperWithOptics.pdb source: cylanceprotectsetupwithoptics.exe, cylanceprotectsetupwithoptics.exe, 00000002.00000002.3389746389.0000000006AE9000.00000002.00000001.01000000.0000000B.sdmp, Cylance.Host.Installer.CustomBootstrapperWithOptics.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\core\BootstrapperCore.pdb source: cylanceprotectsetupwithoptics.exe, cylanceprotectsetupwithoptics.exe, 00000002.00000002.3388972113.00000000066C2000.00000002.00000001.01000000.0000000A.sdmp, BootstrapperCore.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: cylanceprotectsetupwithoptics.exe, 00000002.00000003.2147458515.000000000112F000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.2.dr

Source: cylanceprotectsetupwithoptics.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: cylanceprotectsetupwithoptics.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: cylanceprotectsetupwithoptics.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: cylanceprotectsetupwithoptics.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: cylanceprotectsetupwithoptics.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

PE file contains sections with non-standard names

Source: cylanceprotectsetupwithoptics.exe	Static PE information: section name: .wixburn
Source: cylanceprotectsetupwithoptics.exe.1.dr	Static PE information: section name: .wixburn

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B2E876 push ecx; ret	1_2_00B2E889
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008AE876 push ecx; ret	2_2_008AE889
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_06AEADCD push ss; retf	2_2_06AEADCE
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_06AEB1AF push es; ret	2_2_06AEB1B0
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_06AEB1BA push es; ret	2_2_06AEB1BC
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_06AEB1B4 push es; ret	2_2_06AEB1B6
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_06AEB1E9 push es; ret	2_2_06AEB1EC
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_06AEB1E3 push es; ret	2_2_06AEB1E6
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_06AEB1CC push es; ret	2_2_06AEB1DA
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_06AEB1C7 push es; ret	2_2_06AEB1C8
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_06AEB1C1 push es; ret	2_2_06AEB1C2
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_06AEB1DD push es; ret	2_2_06AEB1E0
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_06AEB15A push es; ret	2_2_06AEB1AA
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_6E8344E6 push ecx; ret	2_2_6E8344F9
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_043E8420 push es; ret	2_2_043E8436
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_043E7522 push esp; retf	2_2_043E7531
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_043E87E0 push es; ret	2_2_043E87F0
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_043E705A pushfd ; iretd	2_2_043E7089
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_043E704A pushad ; iretd	2_2_043E7059
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_043E3268 pushfd ; iretd	2_2_043E3341
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_043E3343 pushfd ; iretd	2_2_043E3341
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_043E7ECF push es; ret	2_2_043E7ED0

Drops PE files

Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	File created: C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\Cylance.Host.Installer.CustomBootstrapperWithOptics.dll	Jump to dropped file
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	File created: C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\mbapreq.dll	Jump to dropped file
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	File created: C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\mbahost.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	File created: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Jump to dropped file
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	File created: C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\BootstrapperCore.dll	Jump to dropped file
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	File created: C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	File created: C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\Cylance.Host.Installer.CustomBootstrapperWithOptics.dll	Jump to dropped file
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	File created: C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\mbapreq.dll	Jump to dropped file
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	File created: C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\mbahost.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	File created: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Jump to dropped file
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	File created: C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\BootstrapperCore.dll	Jump to dropped file
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	File created: C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file

Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Memory allocated: 3420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Memory allocated: 4440000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Memory allocated: 6440000 memory reserve \| memory write watch	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Dropped PE file which has not been started: C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\Cylance.Host.Installer.CustomBootstrapperWithOptics.dll	Jump to dropped file
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Dropped PE file which has not been started: C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\mbapreq.dll	Jump to dropped file
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Dropped PE file which has not been started: C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\mbahost.dll	Jump to dropped file
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Dropped PE file which has not been started: C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\BootstrapperCore.dll	Jump to dropped file
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Dropped PE file which has not been started: C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file

Found evaded block containing many API calls

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Evaded block: after key decision

Found evasive API chain checking for process token information

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

API coverage: 9.1 %

Uses the system / local time for branch decision (may execute only at specific dates)

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B3FDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00B3FE5Dh	1_2_00B3FDC2
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B3FDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00B3FE56h	1_2_00B3FDC2
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008BFDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 008BFE5Dh	2_2_008BFDC2
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008BFDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 008BFE56h	2_2_008BFDC2

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B44315 FindFirstFileW,FindClose,	1_2_00B44315
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B1993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	1_2_00B1993E
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B37A87 FindFirstFileExW,	1_2_00B37A87
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B03BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	1_2_00B03BC3
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008C4315 FindFirstFileW,FindClose,	2_2_008C4315
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_0089993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	2_2_0089993E
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008B7A87 FindFirstFileExW,	2_2_008B7A87
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_00883BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	2_2_00883BC3
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_6E83BF6A FindFirstFileExA,	2_2_6E83BF6A

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Code function: 1_2_00B4962D VirtualQuery,GetSystemInfo,

1_2_00B4962D

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	API call chain: ExitProcess graph end node

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Code function: 1_2_00B2E625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_00B2E625

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B34812 mov eax, dword ptr fs:[00000030h]	1_2_00B34812
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008B4812 mov eax, dword ptr fs:[00000030h]	2_2_008B4812
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_6E838EB1 mov eax, dword ptr fs:[00000030h]	2_2_6E838EB1

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Code function: 1_2_00B038D4 GetProcessHeap,RtlAllocateHeap,

1_2_00B038D4

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B2E188 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00B2E188
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B2E625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00B2E625
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B2E773 SetUnhandledExceptionFilter,	1_2_00B2E773
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B33BB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00B33BB0
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008AE188 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_008AE188
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008AE625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_008AE625
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008AE773 SetUnhandledExceptionFilter,	2_2_008AE773
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008B3BB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_008B3BB0
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_6E837E39 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6E837E39
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_6E834321 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6E834321
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_6E8344FB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6E8344FB

Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe

Memory allocated: page read and write | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Process created: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe "C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe" -burn.clean.room="C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe" -burn.filehandle.attached=512 -burn.filehandle.self=528

Jump to behavior

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Code function: 1_2_00B415CB InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree,

1_2_00B415CB

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Code function: 1_2_00B4393B AllocateAndInitializeSid,CheckTokenMembership,

1_2_00B4393B

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Code function: 1_2_00B2E9A7 cpuid

1_2_00B2E9A7

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Queries volume information: C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\BootstrapperCore.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Queries volume information: C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\Cylance.Host.Installer.CustomBootstrapperWithOptics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemCore\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemCore.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Code function: 1_2_00B14CE8 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,

1_2_00B14CE8

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Code function: 1_2_00B4858F GetSystemTime,

1_2_00B4858F

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Code function: 1_2_00B060BA GetUserNameW,GetLastError,

1_2_00B060BA

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Code function: 1_2_00B48733 GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,

1_2_00B48733

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Code function: 1_2_00B0508D GetModuleHandleW,CoInitializeEx,GetVersionExW,GetLastError,CoUninitialize,

1_2_00B0508D

Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B19EB7 DecryptFileW,	1_2_00B19EB7
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B3F961 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	1_2_00B3F961
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B19C99 DecryptFileW,DecryptFileW,	1_2_00B19C99
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_00899EB7 DecryptFileW,	2_2_00899EB7
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008BF961 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	2_2_008BF961
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_00899C99 DecryptFileW,DecryptFileW,	2_2_00899C99

Uses 32bit PE files

Source: cylanceprotectsetupwithoptics.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP

Source: cylanceprotectsetupwithoptics.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: cylanceprotectsetupwithoptics.exe, cylanceprotectsetupwithoptics.exe.1.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb8 source: cylanceprotectsetupwithoptics.exe, 00000002.00000003.2147458515.000000000112F000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\mbahost.pdb source: cylanceprotectsetupwithoptics.exe, 00000002.00000002.3393236997.000000006E844000.00000002.00000001.01000000.00000007.sdmp, mbahost.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\WixStdBA.pdb source: mbapreq.dll.2.dr
Source:	Binary string: e:\jenkins\sign2\workspace\UnifiedInstaller\REL\1070\exe\src\bundledinstaller\Cylance.Host.Installer.CustomBootstrapperWithOptics\obj\Release\Cylance.Host.Installer.CustomBootstrapperWithOptics.pdb source: cylanceprotectsetupwithoptics.exe, cylanceprotectsetupwithoptics.exe, 00000002.00000002.3389746389.0000000006AE9000.00000002.00000001.01000000.0000000B.sdmp, Cylance.Host.Installer.CustomBootstrapperWithOptics.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\core\BootstrapperCore.pdb source: cylanceprotectsetupwithoptics.exe, cylanceprotectsetupwithoptics.exe, 00000002.00000002.3388972113.00000000066C2000.00000002.00000001.01000000.0000000A.sdmp, BootstrapperCore.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: cylanceprotectsetupwithoptics.exe, 00000002.00000003.2147458515.000000000112F000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.2.dr

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B44315 FindFirstFileW,FindClose,	1_2_00B44315
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B1993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	1_2_00B1993E
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B37A87 FindFirstFileExW,	1_2_00B37A87
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B03BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	1_2_00B03BC3
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008C4315 FindFirstFileW,FindClose,	2_2_008C4315
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_0089993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	2_2_0089993E
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008B7A87 FindFirstFileExW,	2_2_008B7A87
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_00883BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	2_2_00883BC3
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_6E83BF6A FindFirstFileExA,	2_2_6E83BF6A

Source: cylanceprotectsetupwithoptics.exe	String found in binary or memory: http://appsyndication.org/2006/appsyn
Source: cylanceprotectsetupwithoptics.exe, cylanceprotectsetupwithoptics.exe.1.dr	String found in binary or memory: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
Source: cylanceprotectsetupwithoptics.exe, 00000002.00000002.3387948625.00000000044A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/Cylance.Host.Installer.CustomBootstrapperWithOptics;component/mainview.xamld
Source: cylanceprotectsetupwithoptics.exe, 00000002.00000002.3387948625.00000000044A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/Cylance.Host.Installer.CustomBootstrapperWithOptics;component/resources/inst
Source: cylanceprotectsetupwithoptics.exe, 00000002.00000002.3387948625.00000000044A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/mainview.baml
Source: cylanceprotectsetupwithoptics.exe, 00000002.00000002.3387948625.00000000044A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/mainview.bamld
Source: cylanceprotectsetupwithoptics.exe, 00000002.00000002.3387948625.00000000044A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/mainview.xaml
Source: cylanceprotectsetupwithoptics.exe, 00000002.00000002.3387948625.00000000044A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/resources/installerBannerProtect.bmp
Source: cylanceprotectsetupwithoptics.exe, 00000002.00000002.3387948625.00000000044A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: cylanceprotectsetupwithoptics.exe	String found in binary or memory: http://wixtoolset.org/
Source: cylanceprotectsetupwithoptics.exe, 00000002.00000002.3388972113.00000000066C2000.00000002.00000001.01000000.0000000A.sdmp, BootstrapperCore.dll.2.dr, Microsoft.Deployment.WindowsInstaller.dll.2.dr	String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: cylanceprotectsetupwithoptics.exe, cylanceprotectsetupwithoptics.exe, 00000002.00000002.3388972113.00000000066C2000.00000002.00000001.01000000.0000000A.sdmp, BootstrapperCore.dll.2.dr, Microsoft.Deployment.WindowsInstaller.dll.2.dr	String found in binary or memory: http://wixtoolset.org/news/
Source: mbapreq.thm.2.dr	String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010
Source: cylanceprotectsetupwithoptics.exe	String found in binary or memory: http://wixtoolset.org/telemetry/v

Detected potential crypto function

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B2C0FA	1_2_00B2C0FA
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B06184	1_2_00B06184
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B3022D	1_2_00B3022D
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B3A3B0	1_2_00B3A3B0
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B30662	1_2_00B30662
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B0A7EF	1_2_00B0A7EF
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B3A85E	1_2_00B3A85E
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B169CC	1_2_00B169CC
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B2F919	1_2_00B2F919
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B30A97	1_2_00B30A97
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B32B21	1_2_00B32B21
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B32D50	1_2_00B32D50
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B3ED4C	1_2_00B3ED4C
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B2FE15	1_2_00B2FE15
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008AC0FA	2_2_008AC0FA
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_00886184	2_2_00886184
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008B022D	2_2_008B022D
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008BA3B0	2_2_008BA3B0
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008B0662	2_2_008B0662
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_0088A7EF	2_2_0088A7EF
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008BA85E	2_2_008BA85E
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008969CC	2_2_008969CC
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008AF919	2_2_008AF919
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008B0A97	2_2_008B0A97
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008B2B21	2_2_008B2B21
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008BED4C	2_2_008BED4C
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008B2D50	2_2_008B2D50
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008AFE15	2_2_008AFE15
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_066C9645	2_2_066C9645
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_06ADE1CE	2_2_06ADE1CE
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_6E83DCFE	2_2_6E83DCFE
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_6E837025	2_2_6E837025
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_6E83D850	2_2_6E83D850
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_6E836DF6	2_2_6E836DF6
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_6E842978	2_2_6E842978

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: String function: 00B431C7 appears 83 times
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: String function: 00B01F20 appears 54 times
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: String function: 00B4061A appears 34 times
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: String function: 00B4012F appears 678 times
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: String function: 00B037D3 appears 496 times
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: String function: 008C31C7 appears 83 times
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: String function: 00881F20 appears 54 times
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: String function: 008837D3 appears 496 times
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: String function: 008C061A appears 34 times
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: String function: 008C012F appears 678 times

Sample file is different than original file name gathered from version info

Source: cylanceprotectsetupwithoptics.exe	Binary or memory string: OriginalFilename vs cylanceprotectsetupwithoptics.exe
Source: cylanceprotectsetupwithoptics.exe	Binary or memory string: OriginalFilename vs cylanceprotectsetupwithoptics.exe
Source: cylanceprotectsetupwithoptics.exe, 00000002.00000002.3388997416.00000000066D4000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilenameBootstrapperCore.dll\ vs cylanceprotectsetupwithoptics.exe
Source: cylanceprotectsetupwithoptics.exe, 00000002.00000002.3389912943.0000000006AF0000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilenameCylance.Host.Installer.CustomBootstrapperWithOptics.dll vs cylanceprotectsetupwithoptics.exe
Source: cylanceprotectsetupwithoptics.exe, 00000002.00000003.2147458515.000000000112F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Deployment.WindowsInstaller.dll\ vs cylanceprotectsetupwithoptics.exe
Source: cylanceprotectsetupwithoptics.exe, 00000002.00000002.3393334798.000000006E84E000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenamembahost.dll\ vs cylanceprotectsetupwithoptics.exe

Uses 32bit PE files

Source: cylanceprotectsetupwithoptics.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP

Source: classification engine

Classification label: clean10.winEXE@3/35@0/0

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Code function: 1_2_00B3FD20 FormatMessageW,GetLastError,LocalFree,

1_2_00B3FD20

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B044E9 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,		1_2_00B044E9
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008844E9 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,		2_2_008844E9

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Code function: 1_2_00B42F23 GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess,

1_2_00B42F23

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Code function: 1_2_00B26945 ChangeServiceConfigW,GetLastError,

1_2_00B26945

Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

File created: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\

Jump to behavior

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Command line argument: cabinet.dll	1_2_00B01070
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Command line argument: msi.dll	1_2_00B01070
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Command line argument: version.dll	1_2_00B01070
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Command line argument: wininet.dll	1_2_00B01070
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Command line argument: comres.dll	1_2_00B01070
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Command line argument: clbcatq.dll	1_2_00B01070
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Command line argument: msasn1.dll	1_2_00B01070
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Command line argument: crypt32.dll	1_2_00B01070
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Command line argument: feclient.dll	1_2_00B01070
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Command line argument: cabinet.dll	2_2_00881070
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Command line argument: msi.dll	2_2_00881070
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Command line argument: version.dll	2_2_00881070
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Command line argument: wininet.dll	2_2_00881070
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Command line argument: comres.dll	2_2_00881070
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Command line argument: clbcatq.dll	2_2_00881070
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Command line argument: msasn1.dll	2_2_00881070
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Command line argument: crypt32.dll	2_2_00881070
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Command line argument: feclient.dll	2_2_00881070

Source: cylanceprotectsetupwithoptics.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: cylanceprotectsetupwithoptics.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: cylanceprotectsetupwithoptics.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: cylanceprotectsetupwithoptics.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

File read: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe "C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe"
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Process created: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe "C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe" -burn.clean.room="C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe" -burn.filehandle.attached=512 -burn.filehandle.self=528
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Process created: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe "C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe" -burn.clean.room="C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe" -burn.filehandle.attached=512 -burn.filehandle.self=528	Jump to behavior

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: msctfui.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: cylanceprotectsetupwithoptics.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: cylanceprotectsetupwithoptics.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: cylanceprotectsetupwithoptics.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: cylanceprotectsetupwithoptics.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: cylanceprotectsetupwithoptics.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: cylanceprotectsetupwithoptics.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: cylanceprotectsetupwithoptics.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: cylanceprotectsetupwithoptics.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: cylanceprotectsetupwithoptics.exe, cylanceprotectsetupwithoptics.exe.1.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb8 source: cylanceprotectsetupwithoptics.exe, 00000002.00000003.2147458515.000000000112F000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\mbahost.pdb source: cylanceprotectsetupwithoptics.exe, 00000002.00000002.3393236997.000000006E844000.00000002.00000001.01000000.00000007.sdmp, mbahost.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\WixStdBA.pdb source: mbapreq.dll.2.dr
Source:	Binary string: e:\jenkins\sign2\workspace\UnifiedInstaller\REL\1070\exe\src\bundledinstaller\Cylance.Host.Installer.CustomBootstrapperWithOptics\obj\Release\Cylance.Host.Installer.CustomBootstrapperWithOptics.pdb source: cylanceprotectsetupwithoptics.exe, cylanceprotectsetupwithoptics.exe, 00000002.00000002.3389746389.0000000006AE9000.00000002.00000001.01000000.0000000B.sdmp, Cylance.Host.Installer.CustomBootstrapperWithOptics.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\core\BootstrapperCore.pdb source: cylanceprotectsetupwithoptics.exe, cylanceprotectsetupwithoptics.exe, 00000002.00000002.3388972113.00000000066C2000.00000002.00000001.01000000.0000000A.sdmp, BootstrapperCore.dll.2.dr
Source:	Binary string: C:\agent\_work\8\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: cylanceprotectsetupwithoptics.exe, 00000002.00000003.2147458515.000000000112F000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.2.dr

Source: cylanceprotectsetupwithoptics.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: cylanceprotectsetupwithoptics.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: cylanceprotectsetupwithoptics.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: cylanceprotectsetupwithoptics.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: cylanceprotectsetupwithoptics.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

PE file contains sections with non-standard names

Source: cylanceprotectsetupwithoptics.exe	Static PE information: section name: .wixburn
Source: cylanceprotectsetupwithoptics.exe.1.dr	Static PE information: section name: .wixburn

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B2E876 push ecx; ret	1_2_00B2E889
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008AE876 push ecx; ret	2_2_008AE889
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_06AEADCD push ss; retf	2_2_06AEADCE
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_06AEB1AF push es; ret	2_2_06AEB1B0
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_06AEB1BA push es; ret	2_2_06AEB1BC
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_06AEB1B4 push es; ret	2_2_06AEB1B6
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_06AEB1E9 push es; ret	2_2_06AEB1EC
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_06AEB1E3 push es; ret	2_2_06AEB1E6
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_06AEB1CC push es; ret	2_2_06AEB1DA
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_06AEB1C7 push es; ret	2_2_06AEB1C8
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_06AEB1C1 push es; ret	2_2_06AEB1C2
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_06AEB1DD push es; ret	2_2_06AEB1E0
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_06AEB15A push es; ret	2_2_06AEB1AA
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_6E8344E6 push ecx; ret	2_2_6E8344F9
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_043E8420 push es; ret	2_2_043E8436
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_043E7522 push esp; retf	2_2_043E7531
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_043E87E0 push es; ret	2_2_043E87F0
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_043E705A pushfd ; iretd	2_2_043E7089
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_043E704A pushad ; iretd	2_2_043E7059
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_043E3268 pushfd ; iretd	2_2_043E3341
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_043E3343 pushfd ; iretd	2_2_043E3341
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_043E7ECF push es; ret	2_2_043E7ED0

Drops PE files

Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	File created: C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\Cylance.Host.Installer.CustomBootstrapperWithOptics.dll	Jump to dropped file
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	File created: C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\mbapreq.dll	Jump to dropped file
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	File created: C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\mbahost.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	File created: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Jump to dropped file
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	File created: C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\BootstrapperCore.dll	Jump to dropped file
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	File created: C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	File created: C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\Cylance.Host.Installer.CustomBootstrapperWithOptics.dll	Jump to dropped file
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	File created: C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\mbapreq.dll	Jump to dropped file
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	File created: C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\mbahost.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	File created: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Jump to dropped file
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	File created: C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\BootstrapperCore.dll	Jump to dropped file
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	File created: C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file

Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Memory allocated: 3420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Memory allocated: 4440000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Memory allocated: 6440000 memory reserve \| memory write watch	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Dropped PE file which has not been started: C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\Cylance.Host.Installer.CustomBootstrapperWithOptics.dll	Jump to dropped file
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Dropped PE file which has not been started: C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\mbapreq.dll	Jump to dropped file
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Dropped PE file which has not been started: C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\mbahost.dll	Jump to dropped file
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Dropped PE file which has not been started: C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\BootstrapperCore.dll	Jump to dropped file
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Dropped PE file which has not been started: C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file

Found evaded block containing many API calls

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Evaded block: after key decision

Found evasive API chain checking for process token information

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

API coverage: 9.1 %

Uses the system / local time for branch decision (may execute only at specific dates)

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B3FDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00B3FE5Dh	1_2_00B3FDC2
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B3FDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00B3FE56h	1_2_00B3FDC2
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008BFDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 008BFE5Dh	2_2_008BFDC2
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008BFDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 008BFE56h	2_2_008BFDC2

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B44315 FindFirstFileW,FindClose,	1_2_00B44315
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B1993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	1_2_00B1993E
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B37A87 FindFirstFileExW,	1_2_00B37A87
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B03BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	1_2_00B03BC3
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008C4315 FindFirstFileW,FindClose,	2_2_008C4315
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_0089993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	2_2_0089993E
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008B7A87 FindFirstFileExW,	2_2_008B7A87
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_00883BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	2_2_00883BC3
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_6E83BF6A FindFirstFileExA,	2_2_6E83BF6A

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Code function: 1_2_00B4962D VirtualQuery,GetSystemInfo,

1_2_00B4962D

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	API call chain: ExitProcess graph end node

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Code function: 1_2_00B2E625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_00B2E625

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B34812 mov eax, dword ptr fs:[00000030h]	1_2_00B34812
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008B4812 mov eax, dword ptr fs:[00000030h]	2_2_008B4812
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_6E838EB1 mov eax, dword ptr fs:[00000030h]	2_2_6E838EB1

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Code function: 1_2_00B038D4 GetProcessHeap,RtlAllocateHeap,

1_2_00B038D4

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B2E188 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00B2E188
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B2E625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00B2E625
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B2E773 SetUnhandledExceptionFilter,	1_2_00B2E773
Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe	Code function: 1_2_00B33BB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00B33BB0
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008AE188 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_008AE188
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008AE625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_008AE625
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008AE773 SetUnhandledExceptionFilter,	2_2_008AE773
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_008B3BB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_008B3BB0
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_6E837E39 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6E837E39
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_6E834321 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6E834321
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Code function: 2_2_6E8344FB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6E8344FB

Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe

Memory allocated: page read and write | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Jump to behavior

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

1_2_00B415CB

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Code function: 1_2_00B4393B AllocateAndInitializeSid,CheckTokenMembership,

1_2_00B4393B

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Code function: 1_2_00B2E9A7 cpuid

1_2_00B2E9A7

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Queries volume information: C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\BootstrapperCore.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Queries volume information: C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\Cylance.Host.Installer.CustomBootstrapperWithOptics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemCore\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemCore.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Code function: 1_2_00B14CE8 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,

1_2_00B14CE8

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Code function: 1_2_00B4858F GetSystemTime,

1_2_00B4858F

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Code function: 1_2_00B060BA GetUserNameW,GetLastError,

1_2_00B060BA

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Code function: 1_2_00B48733 GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,

1_2_00B48733

Source: C:\Users\user\Desktop\cylanceprotectsetupwithoptics.exe

Code function: 1_2_00B0508D GetModuleHandleW,CoInitializeEx,GetVersionExW,GetLastError,CoUninitialize,

1_2_00B0508D

Source: C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

ID:	1426789
Product:	CloudBasic
Start time:	16:16:16
Start date:	16.04.2024
Sample:	cylanceprotectsetupwithoptics.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	796375900c5f33db332ff8143f243083
SHA1:	9baf9183df0a5ca02cd49dbe04d99578821b27f7
SHA256:	bab72dfa7eed0ce4814580312ccba4fca4a136f4bb6f93a9f8f9648614d9ec68
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\Cylance_PROTECT_with_OPTICS_20240416161711.log	ASCII text, with CRLF line terminators	08DBCD484B726835209E5BE0DF4B242A	795770CCB41268C21A53468214166ECE755BFCAD	A25B411A0A8ABE78F81415044305D731C5853739021CBB7CCE60447D8260A45F
C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\1028\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	1D4B831F77EFEC96FFBC70BC4B59B8B5	1B3ED82655AEC8A52DAEC60F8674BC7E07F8CFEB	1B93556F07C35AC0564D57E0743CCBA231950962C6506C8D4A74A31CD66FD04C
C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\1029\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	CC8C6D04DC707B38E0F0C08BA16FE49B	95EA7F570677AEA52393D02FDB21CEBB218A7343	DC445E2457ED31ABF536871F90FF7CC96800A40B6BC033F37D45E3156A3B4FA9
C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\1030\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	7C6E4CE87870B3B5E71D3EF4555500F8	E831E8978A48BEAFA04AAD52A564B7EADED4311D	CAC263E0E90A4087446A290055257B1C39F17E11F065598CB2286DF4332C7696
C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\1031\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	C8E7E0B4E63B3076047B7F49C76D56E1	4E44E656A0D552B2FFD65911CB45245364E5DBF3	631D46CB048FB6CF0B9A1362F8E5A1854C46E9525A0260C7841A04B2316C8295
C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\1032\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	074D5921AF07E6126049CB45814246ED	91D4BDDA8D2B703879CFE2C28550E0A46074FA57	B8E90E20EDF110AAAAEA54FBC8533872831777BE5589E380CFDD17E1F93147B5
C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\1035\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	E338408F1101499EB22507A3451F7B06	83B42F9D7307265A108FC339D0460D36B66A8B94	B7D9528F29761C82C3D926EFE5E0D5036A0E0D83EB4CCA7282846C86A9D6F9F3
C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\1036\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	AA32A059AADD42431F7837CB1BE7257F	4CD21661E341080FB8C2DEFD9F32F134561FC3BA	88E7DDACD6B714D94D5322876BD50051479B7A0C686DC2E9EB06B3B7A0BC06C9
C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\1038\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	17FB605A2F02DA203DF06F714D1CC6DE	3A71D13D4CCA06116B111625C90DD1C451EA9228	55CF62D54EFB79801A9D94B24B3C9BA221C2465417A068950D40A67C52BA66EF
C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\1040\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	50261379B89457B1980FF19CFABE6A08	F80B1F416539D33206CE3C24BA3B14B799A84813	A40C94EB33F8841C79E9F6958433AFFD517F97B4570F731666AF572E63178BB7
C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\1041\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	DB0F5BAB42403FD67C0A18E35E6880EC	C0A18C8C5BCD7B88C384B5304B56EEB85A0DA3DC	CCDCDB111EFA152C5F9FF4930033698B843390A549699AE802098D87431F16FE
C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\1042\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	442F8463EF5CA42B99B2EFACA696BD01	67496DB91CBAA85AC0727B12FC2D35E990537DAC	D22F6ADA97DBFFC1E7548E52163807F982B30B11A2A5109E71F42985102CCCBD
C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\1043\mbapreq.wxl	XML 1.0 document, ASCII text, with CRLF line terminators	67F28BCDB3BA6774CD66AA198B06FF38	85D843B7248A5E1173FF9BD59CB73BB505F69B66	226B778604236931B4AE45F6F272586C884A11517444A34BF45CD5CAE49BE62E
C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\1044\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	5454F724C9CDAB8172678A1CC7057220	241A57018ACE1210881583A9CF646E7D2E51412F	41545AC1247B61C3C3E2A7E4659D9FAD2BCCA8347C69F2EB7B9D0CF5FC31E113
C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\1045\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	96ACAAA5AEF7798E9048BAFF4C3FA8D3	E76629973F6C1CFC06F60BA64FE9F237B2DB9698	F4AA983E39FB29C95E3306082F034B3A43E1D26489C997B8E6697B6A3B2F9F3C
C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\1046\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	BD39ADB6B872163FD2D570028E9F3213	688B8A109688D3EA483548F29DE2E57A8A56C868	ECB5C22E6C2423CAF07AEBE69F4FAF22450164EEE9587B64EF45A2D7F658CA15
C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\1049\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	DAF167AF4031EF47E562056A7D51AA73	0156B230CADD6169AC2820865E3C031ED79785EF	C91C9E87AB4A6DB078F1991F4A2CDC726B58A40E47BCE49D39168A8F8F151C3B
C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\1051\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	016C278E515F87F589AD22C856B201F7	F20C7DB38B3161B143DEC4E578CE71D7F585F436	4A7FDF4A9033FE05C31F565ED3AE5B8C67D324B7AEADB737CE95DBB416D46868
C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\1053\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	D95E81164C57B6FD75E7C3022454192E	5D5ACBC56E7078AF4D04C45B78C0FF090C02EE6A	6DD61CC6B87B53EAF28430068A2A459730FD4B2BCF876CCDF040212D04C4FE7D
C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\1055\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	01B200E06BA600A4EF00C00F7AAC5CE4	22234426C42637E069A46217019551E4434A4AB6	06BFB6DFBC38105C699DEA226A029DF3EF673C33E4B8928DC4EC7FB8F761487D
C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\1060\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	5836F0C655BDD97093F68AAF69AB2BAB	B6842E816F9E0DCC559A5692E4D26101D10B4B16	C015247D022BDC108B4FFCAE89CB55D1E313034D7E6EED18744C1BB55F108F8C
C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\2052\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	A34DCF7771198C779648B89156483E83	A6E0FA91CD50048511C7BEF1BE3A8D32B42B6D1F	89C559C6765F8D643469E3C8F4AA93023F09369B0395EA647FAD5AF3C2893EB6
C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\2070\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	8A278E519EF81B2847490EFB070219BC	7365EDF6E4F9E66B6CEE47933B6C70FF0B9ECFF8	E2BFDB2CF3BEAE2E988827C52C58006D7EEAD4ABA5312B5EAE1F6CCF3863C385
C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\3082\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	1024AA88AE01BC7BA797193CC6023375	9252A309C1CB32573F4D58A595A78660FDF54B2F	B884C4ABB8867553C1FFADD6721C2135EC5F9F1455C3F668D711CCEA65363D1A
C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\BootstrapperApplicationData.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (558), with CRLF line terminators	52E0225A599446003ABB5BEB5530D709	6C1A100CDD61B92CA90E2D13B27D34D2A3351762	231F2A6BEB7F597EFF02CBFF46A192619CB62877D5DCF4A9D0062ED050023176
C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\BootstrapperCore.config	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	7FEC4F8A43998BCABBB10BE207DDE83F	76F8442CFF5A13BF266C62469ECE7E2869248054	6DB97AB6973D1E3E961FC89900668FC39FE9706F0CE8C42AADF903E6A4CF09C6
C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\BootstrapperCore.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	08E1610005BBBEC45BDF744BC93509BE	1FAC1E92074DC662DB14F1FCE43D0CA301BCA64C	F8597F37A2687017ED2B33FB06770D47BF7BA672B3E813E611F41B7C79230425
C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\Cylance.Host.Installer.CustomBootstrapperWithOptics.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	35DFC4020B5867733FFE5465174C1A51	EAE3DE772A66F4F2C0370FD2BEDA39EE403B9E0F	6A99FEACD5CBC11BB8BEDF758F796D6DFDCD04DD1A4E377D5CD1241995A495AA
C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\Microsoft.Deployment.WindowsInstaller.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	345299551A530B716BC4E406377B36A9	505BBEE0EB47F5DFCF7FD28A5525390D8D3A4010	9AEBC76CB8C864593E0419162B2BF40B81BD52B3FF12EDAC1D032828DF83DCFA
C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\mbahost.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	64FF2C64FE4FD30CCB8A9C8A0DB806AA	73607DACBAB36214943E22CB1FDF6BC5E466D0AE	BBF38F1779A4ACCD152A01B19F296C646F23ABDC43FF3A92D6B17E0120F2271C
C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\mbapreq.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	0E2E0DDA2C6B9CABFA99394ACB97B025	1EC84920AF81C250B204356D24F435FCA4FA54DD	8271912B7C7616EC04C2C19C608713E03651D91D404715376A1535E72D4BA2D7
C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\mbapreq.png	PNG image data, 63 x 63, 8-bit/color RGBA, non-interlaced	A356956FD269567B8F4612A33802637B	75AE41181581FD6376CA9CA88147011E48BF9A30	A401A225ADDAF89110B4B0F6E8CF94779E7C0640BCDD2D670FFCF05AAB0DAD03
C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\mbapreq.thm	XML 1.0 document, ASCII text, with CRLF line terminators	A20778EC90A094A62A6C3A6AB2A6DC7D	74C131B5FD80446FFDF2AFAD723762DD36621309	F8C3A03F47F0B9B3C20F0522A2481DA28C77FECDBB302F8DD8FBED87758CBAEA
C:\Windows\Temp\{2386AC95-A39D-40D2-9EDA-FF9EA8E5DA36}\.ba\mbapreq.wxl	XML 1.0 document, ASCII text, with CRLF line terminators	035FB1B3661CA2FCE4DD6B7151CA34FD	D0BDAB5F415A7591276580C7C62D21003E7390A9	97B20444592C26211BABE655D54AE98A9ADDA671382A3F7B90AE62665759FB30
C:\Windows\Temp\{D29CB8BE-513E-4B9E-B69F-E8CB205B8828}\.cr\cylanceprotectsetupwithoptics.exe	PE32 executable (GUI) Intel 80386, for MS Windows	796375900C5F33DB332FF8143F243083	9BAF9183DF0A5CA02CD49DBE04D99578821B27F7	BAB72DFA7EED0CE4814580312CCBA4FCA4A136F4BB6F93A9F8F9648614D9EC68

Windows Analysis Report
cylanceprotectsetupwithoptics.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report cylanceprotectsetupwithoptics.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
cylanceprotectsetupwithoptics.exe