Windows Analysis Report
Kor-1.3.5.0-Setup.exe

Overview

General Information

Sample name: Kor-1.3.5.0-Setup.exe
Analysis ID: 1430159
MD5: d3abb41627ab98b5f1b28f407cdee216
SHA1: 849fdff3f96430061e4ac4dfa60fac8d0f3dd37e
SHA256: d0c5f2569567af24d71c0e0d8e5d6b68f6c6b72071cb8315f014d6ba475ea956

Detection

Score: 18
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Compliance

Score: 51
Range: 0 - 100

Signatures

Yara detected Generic Downloader
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 0_2_00995A3A DecryptFileW,DecryptFileW, 0_2_00995A3A
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 0_2_009B6BF7 _memset,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError, 0_2_009B6BF7
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 0_2_00994CBD CryptHashPublicKeyInfo,_memcmp,_memcmp,GetLastError, 0_2_00994CBD
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 0_2_00995C58 DecryptFileW, 0_2_00995C58
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 0_2_00994E30 _memset,CryptCATAdminCalcHashFromFileHandle,GetLastError,GetLastError,CryptCATAdminCalcHashFromFileHandle,GetLastError,GetLastError,GetLastError,WinVerifyTrust,WinVerifyTrust,WinVerifyTrust, 0_2_00994E30
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Code function: 12_2_00585C58 DecryptFileW, 12_2_00585C58
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Code function: 12_2_00585A3A DecryptFileW,DecryptFileW, 12_2_00585A3A
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Code function: 12_2_005A6BF7 _memset,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError, 12_2_005A6BF7
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Code function: 12_2_00584CBD CryptHashPublicKeyInfo,_memcmp,_memcmp,GetLastError, 12_2_00584CBD
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Code function: 12_2_00584E30 _memset,CryptCATAdminCalcHashFromFileHandle,GetLastError,GetLastError,CryptCATAdminCalcHashFromFileHandle,GetLastError,GetLastError,GetLastError,WinVerifyTrust,WinVerifyTrust,WinVerifyTrust, 12_2_00584E30

Compliance

Source: Kor-1.3.5.0-Setup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Window detected: License AgreementIMPORTANT-READ THESE TERMS CAREFULLY BEFORE INSTALLING KOR. BY DOWNLOADING OR USING THIS PRODUCT YOU ACKNOWLEDGE THAT YOU HAVE READ THIS LICENSE AGREEMENT THAT YOU UNDERSTAND IT AND THAT YOU AGREE TO BE BOUND BY ITS TERMS. IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT PROMPTY EXIT THIS PAGE WITHOUT DOWNLOADING OR WITHOUT INSTALLING THE PRODUCT AND FURTHERMORE UNINSTALL ANY PRIOR PRODUCT INSTALLATIONS.1. Grant of License YSI Incorporated grants you a non-exclusive non-transferable license to use the program with which this license is distributed (the "Product") including any documentation files accompanying the Product ("Documentation") on a personal computer provided that: (i) the Product is NOT modified; (ii) all copyright notices are maintained on the Product; and (iii) you agree to be bound by the terms of this License Agreement. 2. OwnershipYou have no ownership rights in the Product. Rather you have a license to use the Product as long as this License Agreement remains in full force and effect. Ownership of the Product Documentation and all intellectual property rights therein shall remain at all times with YSI Incorporated. Any other use of the Product by any person business corporation government organization or any other entity is strictly forbidden and is a violation of this License Agreement.3. CopyrightThe Product and Documentation contain material that is protected by United States Copyright Law and trade secret law and by international treaty provisions. All rights not granted to you herein are expressly reserved by YSI Incorporated. You may not remove any proprietary notice of YSI Incorporated from any copy of the Product or Documentation. 4. RestrictionsYou may not publish display disclose rent lease modify loan distribute or create derivative works based on the Product or any part thereof. 
You may not reverse engineer decompile translate adapt or disassemble the Product nor shall you attempt to create the source code from the object code for the Product. 5. ConfidentialityYou acknowledge that the Product contains proprietary trade secrets of YSI Incorporated and you hereby agree to maintain the confidentiality of the Product using at least as great a degree of care as you use to maintain the confidentiality of your own most confidential information. 6. Limited WarrantyYSI INCORPORATED WARRANTS FOR A PERIOD OF ONE YEAR AFTER PURCHASE THAT THE PRODUCT WILL OPERATE SUBSTANTIALLY IN ACCORDANCE WITH THE DOCUMENTATION. SHOULD THE PRODUCT NOT SO OPERATE YOUR EXCLUSIVE REMEDY AND YSI INCORPORATED'S SOLE OBLIGATION UNDER THIS WARRANTY SHALL BE AT YSI INCORPORATED'S SOLE DISCRETION CORRECTION OF THE DEFECT OR REFUND OF THE PURCHASE PRICE PAID FOR THE PRODUCT. ANY USE BY YOU OF THE PRODUCT IS AT YOUR OWN RISK. THESE MATERIALS ARE PROVIDED "AS IS" AND WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESSED OR IMPLIED TO THE FULLEST EXTENT PERMISSIBLE PURSUANT TO APPLICABLE LAW. YSI INCORPORATED DOES
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore SRInitDone
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe File created: C:\Users\user\AppData\Local\Temp\Kor_20240423082129_0_Setup.log
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe File created: C:\Users\user\AppData\Local\Temp\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\.ba1\license.rtf
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Resources\Documents\license.rtf
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe File created: C:\Users\user\AppData\Local\Temp\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\.ba2\license.rtf
Source: Kor-1.3.5.0-Setup.exe Static PE information: certificate valid
Source: Kor-1.3.5.0-Setup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\src\wix39r2\build\ship\x86\burn.pdb source: Kor-1.3.5.0-Setup.exe
Source: Binary string: C:\Users\mark\Documents\ploeh\AutoFixture\Src\AutoFixture\obj\Release\Ploeh.AutoFixture.pdbpd source: Ploeh.AutoFixture.dll.10.dr
Source: Binary string: C:\Projects\KorDesktop\KorDesktop\KorDesktop\Modules\Calibration\Ysi.KorExo.Modules.Calibration\obj\Release\Ysi.KorExo.Modules.Calibration.pdb source: Ysi.KorExo.Modules.Calibration.dll.10.dr
Source: Binary string: D:\A\_work\21\s\bin/obj/Windows_NT.AnyCPU.Release/System.Security.Cryptography.X509Certificates/net461\System.Security.Cryptography.X509Certificates.pdbAf[f Mf_CorDllMainmscoree.dll source: System.Security.Cryptography.X509Certificates.dll.10.dr
Source: Binary string: C:\Projects\KorDesktop\KorDesktop\KorDesktop\Modules\Home\Ysi.KorExo.Modules.Home\obj\Release\Ysi.KorExo.Modules.Home.pdb source: Ysi.KorExo.Modules.Home.dll.10.dr
Source: Binary string: C:\Projects\YsiP\Ysi-Ysip\Ysi.YsiProtocol\obj\Release\Ysi.YsiProtocol.pdb source: Ysi.YsiProtocol.dll.10.dr
Source: Binary string: c:\tfs\EL\V5-SL\UnityTemp\Compile\Unity\Unity\Src\obj\Release\Microsoft.Practices.Unity.pdb source: Microsoft.Practices.Unity.dll.10.dr
Source: Binary string: C:\dev\git\nsubstitute\Output\Release\NET45\NSubstitute\NSubstitute.pdb source: NSubstitute.dll.10.dr
Source: Binary string: d:\Build\WPFToolkit_RTM\Source\Src\Xceed.Wpf.ListBox.Themes.Metro\obj\Release\Xceed.Wpf.ListBox.Themes.Metro.pdbL source: Xceed.Wpf.ListBox.Themes.Metro.dll.10.dr
Source: Binary string: C:\Users\mark\Documents\ploeh\AutoFixture\Src\AutoFixture\obj\Release\Ploeh.AutoFixture.pdb source: Ploeh.AutoFixture.dll.10.dr
Source: Binary string: D:\A\_work\21\s\bin/obj/AnyOS.AnyCPU.Release/Microsoft.Win32.Primitives/net46\Microsoft.Win32.Primitives.pdb source: Microsoft.Win32.Primitives.dll.10.dr
Source: Binary string: D:\A\_work\21\s\bin/obj/Windows_NT.AnyCPU.Release/System.Security.Cryptography.X509Certificates/net461\System.Security.Cryptography.X509Certificates.pdb source: System.Security.Cryptography.X509Certificates.dll.10.dr
Source: Binary string: C:\Projects\KorDesktop\KorDesktop\KorDesktop\YsiPAdapter\Ysi.KorExo.YsiPAdapter.TestUtilities\obj\Release\Ysi.KorExo.YsiPAdapter.TestUtilities.pdb source: Ysi.KorExo.YsiPAdapter.TestUtilities.dll.10.dr
Source: Binary string: C:\Users\alan\Documents\Visual Studio 2008\Projects\32feet clean2\InTheHand.Net.Personal\InTheHand.Net.Personal\obj\Release\InTheHand.Net.Personal.pdb source: InTheHand.Net.Personal.dll.10.dr
Source: Binary string: C:\Projects\KorDesktop\KorDesktop\KorDesktop\Modules\Home\Ysi.KorExo.Modules.Home\obj\Release\Ysi.KorExo.Modules.Home.pdb` source: Ysi.KorExo.Modules.Home.dll.10.dr
Source: Binary string: D:\A\_work\21\s\bin/obj/AnyOS.AnyCPU.Release/System.Runtime.Extensions/net462\System.Runtime.Extensions.pdb source: System.Runtime.Extensions.dll.10.dr
Source: Binary string: C:\src\wix39r2\build\ship\x86\WixStdBA.pdb source: Kor-1.3.5.0-Setup.exe, 00000001.00000003.1726284541.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, Kor-1.3.5.0-Setup.exe, 00000001.00000002.2981714552.000000006CBDA000.00000002.00000001.01000000.00000005.sdmp, Kor-1.3.5.0-Setup.exe, 0000000D.00000002.2981515794.000000006F8DA000.00000002.00000001.01000000.0000000B.sdmp, Kor-1.3.5.0-Setup.exe, 0000000D.00000003.2076746137.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\CSharp\NH\NH\nhibernate\build\NHibernate-3.2.0.GA\bin\net-3.5\Iesi.Collections.pdb source: Iesi.Collections.dll.10.dr
Source: Binary string: d:\Working Copy Referee\AttachedCommandBehavior 2.0\AttachedCommandBehavior\obj\Release\AttachedCommandBehavior.pdb source: AttachedCommandBehavior.dll.10.dr
Source: Binary string: d:\Build\WPFToolkit_RTM\Source\Src\Xceed.Wpf.ListBox.Themes.Metro\obj\Release\Xceed.Wpf.ListBox.Themes.Metro.pdb source: Xceed.Wpf.ListBox.Themes.Metro.dll.10.dr
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\System32\msiexec.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 0_2_009BDBED _memset,FindFirstFileW,FindClose, 0_2_009BDBED
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 0_2_009956DE _memset,FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 0_2_009956DE
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 0_2_009BE72A _memset,_memset,GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,GetLastError,GetLastError,GetLastError,FindClose, 0_2_009BE72A
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 1_2_6CBC5CDA _memset,FindFirstFileW,FindClose, 1_2_6CBC5CDA
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Code function: 12_2_005AE72A _memset,_memset,GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,GetLastError,GetLastError,GetLastError,FindClose, 12_2_005AE72A
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Code function: 12_2_005ADBED _memset,FindFirstFileW,FindClose, 12_2_005ADBED
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Code function: 12_2_005856DE _memset,FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 12_2_005856DE
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Code function: 13_2_6F8C5CDA _memset,FindFirstFileW,FindClose, 13_2_6F8C5CDA
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\NULL
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\vcRuntimeAdditional_amd64
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe File opened: C:\ProgramData\Package Cache\NULL
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\NULL

Networking

Source: Yara match File source: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.dll, type: DROPPED
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 0_2_009C00A4 InternetReadFile,WriteFile,WriteFile,GetLastError,GetLastError, 0_2_009C00A4
Source: Kor-1.3.5.0-Setup.exe String found in binary or memory: http://appsyndication.org/2006/appsyn
Source: Kor-1.3.5.0-Setup.exe String found in binary or memory: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
Source: System.Windows.Forms.dll.10.dr String found in binary or memory: http://beta.visualstudio.net/net/sdk/feedback.asp
Source: Ploeh.AutoFixture.dll.10.dr String found in binary or memory: http://blog.ploeh.dk/2010/08/19/AutoFixtureasanauto-mockingcontainer
Source: Kor-1.3.5.0-Setup.exe String found in binary or memory: http://commercial.ocsp.identrust.com0C
Source: Kor-1.3.5.0-Setup.exe String found in binary or memory: http://commercial.ocsp.identrust.com0G
Source: Kor-1.3.5.0-Setup.exe String found in binary or memory: http://commercial.ocsp.identrust.com0K
Source: Ysi.KorExo.Modules.Home.dll.10.dr String found in binary or memory: http://info.xyleminc.com/YSI-KorEXO-Feedback.html
Source: Ysi.KorExo.Modules.Calibration.dll.10.dr String found in binary or memory: http://metro.mahapps.com/winfx/xaml/controls
Source: turbidity_cal_instructions.html.10.dr String found in binary or memory: http://or.water.usgs.gov/grapher/fnu.html
Source: Ysi.KorExo.Modules.Calibration.dll.10.dr String found in binary or memory: http://oxyplot.org/wpf
Source: Ysi.KorExo.Modules.Calibration.dll.10.dr String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/editors
Source: Ysi.KorExo.Modules.Calibration.dll.10.dr String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/printing
Source: Xceed.Wpf.ListBox.Themes.Metro.dll.10.dr String found in binary or memory: http://schemas.xceed.com/wpf/xaml/listbox
Source: Xceed.Wpf.ListBox.Themes.Metro.dll.10.dr String found in binary or memory: http://schemas.xceed.com/wpf/xaml/listbox/themes
Source: Ysi.KorExo.Modules.Calibration.dll.10.dr String found in binary or memory: http://schemas.xceed.com/wpf/xaml/toolkit
Source: System.Xml.dll.10.dr String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: System.Xml.dll.10.dr String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Ploeh.AutoFixture.dll.10.dr String found in binary or memory: http://tinyurl.com/lg38t3g.
Source: Ploeh.AutoFixture.dll.10.dr String found in binary or memory: http://tinyurl.com/pegtw57
Source: Kor-1.3.5.0-Setup.exe, 00000001.00000002.2976252005.00000000008FB000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://validation.identrust.c0m/roots/commercialrootca1.p7c0
Source: Kor-1.3.5.0-Setup.exe String found in binary or memory: http://validation.identrust.com/certs/timestamping3.p7c0
Source: Kor-1.3.5.0-Setup.exe String found in binary or memory: http://validation.identrust.com/certs/trustidevcodesigning4.p7c0
Source: Kor-1.3.5.0-Setup.exe String found in binary or memory: http://validation.identrust.com/crl/commercialrootca1.crl0
Source: Kor-1.3.5.0-Setup.exe String found in binary or memory: http://validation.identrust.com/crl/timestamping3.crl0
Source: Kor-1.3.5.0-Setup.exe String found in binary or memory: http://validation.identrust.com/crl/trustidevcodesigning4.crl0
Source: Kor-1.3.5.0-Setup.exe String found in binary or memory: http://validation.identrust.com/roots/commercialrootca1.p7c0
Source: Kor-1.3.5.0-Setup.exe, 0000000D.00000002.2980627085.0000000003620000.00000004.00000800.00020000.00000000.sdmp, Kor-1.3.5.0-Setup.exe, 0000000D.00000003.2076746137.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp, Kor-1.3.5.0-Setup.exe, 0000000D.00000002.2979868926.0000000003200000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010
Source: Iesi.Collections.dll.10.dr String found in binary or memory: http://www.codeproject.com/csharp/sets.asp
Source: Iesi.Collections.dll.10.dr String found in binary or memory: http://www.codeproject.com/csharp/sets.asp#xx703510xx.
Source: Ploeh.AutoFixture.dll.10.dr String found in binary or memory: https://github.com/AutoFixture/AutoFixture/issues/475
Source: Kor-1.3.5.0-Setup.exe String found in binary or memory: https://secure.identrust.com/certificates/policy/ts/0
Source: Kor-1.3.5.0-Setup.exe String found in binary or memory: https://secure.identrust.com/certificates/policy/ts/0N
Source: Kor-1.3.5.0-Setup.exe String found in binary or memory: https://secure.identrust.com/certificates/policy/ts/index.html0
Source: Kor-1.3.5.0-Setup.exe String found in binary or memory: https://secure.identrust.com/certificates/policy/ts/index.html0F
Source: Kor-1.3.5.0-Setup.exe String found in binary or memory: https://secure.identrust.com/certificates/policy/ts/index.html0J
Source: SimpleInjector.dll.10.dr String found in binary or memory: https://simpleinjector.org/asmld
Source: SimpleInjector.dll.10.dr String found in binary or memory: https://simpleinjector.org/coll1.
Source: SimpleInjector.dll.10.dr String found in binary or memory: https://simpleinjector.org/depr1
Source: SimpleInjector.dll.10.dr String found in binary or memory: https://simpleinjector.org/diaal
Source: SimpleInjector.dll.10.dr String found in binary or memory: https://simpleinjector.org/diaal;
Source: SimpleInjector.dll.10.dr String found in binary or memory: https://simpleinjector.org/diadt
Source: SimpleInjector.dll.10.dr String found in binary or memory: https://simpleinjector.org/diadt:
Source: SimpleInjector.dll.10.dr String found in binary or memory: https://simpleinjector.org/diagnostics
Source: SimpleInjector.dll.10.dr String found in binary or memory: https://simpleinjector.org/dialm
Source: SimpleInjector.dll.10.dr String found in binary or memory: https://simpleinjector.org/dialm:
Source: SimpleInjector.dll.10.dr String found in binary or memory: https://simpleinjector.org/diasc
Source: SimpleInjector.dll.10.dr String found in binary or memory: https://simpleinjector.org/diasc3
Source: SimpleInjector.dll.10.dr String found in binary or memory: https://simpleinjector.org/diasr
Source: SimpleInjector.dll.10.dr String found in binary or memory: https://simpleinjector.org/diasr4
Source: SimpleInjector.dll.10.dr String found in binary or memory: https://simpleinjector.org/diatl
Source: SimpleInjector.dll.10.dr String found in binary or memory: https://simpleinjector.org/diatlD
Source: SimpleInjector.dll.10.dr String found in binary or memory: https://simpleinjector.org/diaut
Source: SimpleInjector.dll.10.dr String found in binary or memory: https://simpleinjector.org/diaut8
Source: SimpleInjector.dll.10.dr String found in binary or memory: https://simpleinjector.org/lifetimes#scoped
Source: SimpleInjector.dll.10.dr String found in binary or memory: https://simpleinjector.org/locked
Source: SimpleInjector.dll.10.dr String found in binary or memory: https://simpleinjector.org/one-constructor
Source: SimpleInjector.dll.10.dr String found in binary or memory: https://simpleinjector.org/ovrrd.%RegisterCollection#Container.Options9AllowOverridingRegistrations
Source: Ysi.KorExo.Modules.Home.dll.10.dr String found in binary or memory: https://video.ysi.com/ysi-university-exo
Source: barometer_cal_instructions.html.10.dr, turbidity_cal_instructions.html.10.dr, orp_cal_instructions.html.10.dr String found in binary or memory: https://www.ysi.com/File%20Library/Documents/Guides/EXO-SmartQC-Handbook-E135.pdf
Source: Ysi.KorExo.Modules.Home.dll.10.dr String found in binary or memory: https://www.ysi.com/kor-software
Source: Ysi.KorExo.Modules.Home.dll.10.dr String found in binary or memory: https://www.ysi.com/products/multiparameter-sondes
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\4425bd.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2A51.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{53E0FAA0-9538-4877-97AB-25EF3F737367}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2CB3.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{53E0FAA0-9538-4877-97AB-25EF3F737367}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{53E0FAA0-9538-4877-97AB-25EF3F737367}\Kor.ico
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\4425c0.msi
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI2A51.tmp
Source: Kor-1.3.5.0-Setup.exe, 00000001.00000003.1726284541.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewixstdba.dll\ vs Kor-1.3.5.0-Setup.exe
Source: Kor-1.3.5.0-Setup.exe, 00000001.00000002.2981872150.000000006CBE8000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: OriginalFilenamewixstdba.dll\ vs Kor-1.3.5.0-Setup.exe
Source: Kor-1.3.5.0-Setup.exe, 0000000D.00000002.2981740335.000000006F8E8000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: OriginalFilenamewixstdba.dll\ vs Kor-1.3.5.0-Setup.exe
Source: Kor-1.3.5.0-Setup.exe, 0000000D.00000003.2076746137.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewixstdba.dll\ vs Kor-1.3.5.0-Setup.exe
Source: Kor-1.3.5.0-Setup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: clean18.troj.evad.winEXE@11/243@0/0
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 0_2_009B6FB6 FormatMessageW,GetLastError,LocalFree, 0_2_009B6FB6
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 0_2_00981248 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle, 0_2_00981248
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Code function: 12_2_00571248 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle, 12_2_00571248
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 0_2_009BC81A GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess, 0_2_009BC81A
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 1_2_6CBCBD94 FindResourceExA,GetLastError,LoadResource,GetLastError,SizeofResource,GetLastError,LockResource,GetLastError, 1_2_6CBCBD94
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 0_2_009A1E52 ChangeServiceConfigW,GetLastError, 0_2_009A1E52
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\Public\Desktop\Kor.lnk
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5144:120:WilError_03
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe File created: C:\Users\user\AppData\Local\Temp\Kor_20240423082129_0_Setup.log
Source: Kor-1.3.5.0-Setup.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Kor-1.3.5.0-Setup.exe String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: Kor-1.3.5.0-Setup.exe String found in binary or memory: <UDWixBundleLayoutDirectoryFailed to initialize engine state.Failed to initialize COM.Failed to initialize Cryputil.Failed to initialize Regutil.Failed to initialize Wiutil.Failed to initialize XML util.engine.cppFailed to get OS info.3.9.1208.0Failed to initialize core.Failed to run per-user mode.Failed to run per-machine mode.Failed to run embedded mode.Failed to run RunOnce mode.Invalid run mode.txt_FailedSetupFailed to initialize engine section.Failed to open log.Failed to initialize internal cache functionality.Failed to create pipes to connect to elevated parent process.Failed to connect to elevated parent process.Failed to check global conditionsFailed to create the message window.Failed to query registration.Failed to set action variables.Failed to set registration variables.Failed to set layout directory variable to value provided from command-line.Failed while running Failed to create implicit elevated connection name and secret.Failed to launch unelevated process.Failed to connect to unelevated process.Failed to allocate thread local storage for logging.Failed to set elevated pipe into thread local storage for logging.Failed to pump messages from parent process.Failed to connect to parent of embedded process.Failed to run bootstrapper application embedded.Unable to get resume command line from the registryFailed to get current process path.Failed to re-launch bundle process after RunOnce: %lsFailed to create engine for UX.Failed to load UX.Failed to start bootstrapper application.Unexpected return value from message pump.Failed to get process token.SeShutdownPrivilegeFailed to get shutdown privilege LUID.Failed to adjust token to add shutdown privileges.Failed to schedule restart.
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe File read: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe
Source: unknown Process created: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe "C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe"
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Process created: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe "C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe" -burn.unelevated BurnPipe.{4C76BB18-D643-46AC-B29F-8C96F4C6DDC8} {498B697F-8CEA-4946-9F22-28FC8D89DBCC} 6372
Source: unknown Process created: C:\Windows\System32\SrTasks.exe C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1
Source: C:\Windows\System32\SrTasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 701DD997AD27E1C9A69425AFC0186725
Source: unknown Process created: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe "C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe" /burn.runonce
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Process created: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe "C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe" /burn.log.append "C:\Users\user\AppData\Local\Temp\Kor_20240423082129.log"
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: msi.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: msxml3.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: srclient.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: spp.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: vssapi.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: vsstrace.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: usoapi.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: sxproxy.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: feclient.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: srpapi.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: tsappcmp.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: spp.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: srclient.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: srcore.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: ktmw32.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: wer.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: bcd.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: msxml3.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: vss_ps.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Section loaded: cabinet.dll
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Section loaded: msi.dll
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Section loaded: wininet.dll
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Section loaded: version.dll
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Section loaded: msasn1.dll
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Section loaded: msxml3.dll
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Section loaded: wldp.dll
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Section loaded: profapi.dll
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Section loaded: feclient.dll
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Section loaded: iertutil.dll
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Section loaded: apphelp.dll
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Section loaded: textinputframework.dll
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Section loaded: coreuicomponents.dll
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Section loaded: coremessaging.dll
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Section loaded: wintypes.dll
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Section loaded: msimg32.dll
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Section loaded: windowscodecs.dll
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Section loaded: explorerframe.dll
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Section loaded: riched20.dll
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Section loaded: usp10.dll
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Section loaded: msls31.dll
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Automated click: I agree to the license terms and conditions
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Automated click: Install
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Window detected: License AgreementIMPORTANT-READ THESE TERMS CAREFULLY BEFORE INSTALLING KOR. BY DOWNLOADING OR USING THIS PRODUCT YOU ACKNOWLEDGE THAT YOU HAVE READ THIS LICENSE AGREEMENT THAT YOU UNDERSTAND IT AND THAT YOU AGREE TO BE BOUND BY ITS TERMS. IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT PROMPTY EXIT THIS PAGE WITHOUT DOWNLOADING OR WITHOUT INSTALLING THE PRODUCT AND FURTHERMORE UNINSTALL ANY PRIOR PRODUCT INSTALLATIONS.1. Grant of License YSI Incorporated grants you a non-exclusive non-transferable license to use the program with which this license is distributed (the "Product") including any documentation files accompanying the Product ("Documentation") on a personal computer provided that: (i) the Product is NOT modified; (ii) all copyright notices are maintained on the Product; and (iii) you agree to be bound by the terms of this License Agreement. 2. OwnershipYou have no ownership rights in the Product. Rather you have a license to use the Product as long as this License Agreement remains in full force and effect. Ownership of the Product Documentation and all intellectual property rights therein shall remain at all times with YSI Incorporated. Any other use of the Product by any person business corporation government organization or any other entity is strictly forbidden and is a violation of this License Agreement.3. CopyrightThe Product and Documentation contain material that is protected by United States Copyright Law and trade secret law and by international treaty provisions. All rights not granted to you herein are expressly reserved by YSI Incorporated. You may not remove any proprietary notice of YSI Incorporated from any copy of the Product or Documentation. 4. RestrictionsYou may not publish display disclose rent lease modify loan distribute or create derivative works based on the Product or any part thereof. 
You may not reverse engineer decompile translate adapt or disassemble the Product nor shall you attempt to create the source code from the object code for the Product. 5. ConfidentialityYou acknowledge that the Product contains proprietary trade secrets of YSI Incorporated and you hereby agree to maintain the confidentiality of the Product using at least as great a degree of care as you use to maintain the confidentiality of your own most confidential information. 6. Limited WarrantyYSI INCORPORATED WARRANTS FOR A PERIOD OF ONE YEAR AFTER PURCHASE THAT THE PRODUCT WILL OPERATE SUBSTANTIALLY IN ACCORDANCE WITH THE DOCUMENTATION. SHOULD THE PRODUCT NOT SO OPERATE YOUR EXCLUSIVE REMEDY AND YSI INCORPORATED'S SOLE OBLIGATION UNDER THIS WARRANTY SHALL BE AT YSI INCORPORATED'S SOLE DISCRETION CORRECTION OF THE DEFECT OR REFUND OF THE PURCHASE PRICE PAID FOR THE PRODUCT. ANY USE BY YOU OF THE PRODUCT IS AT YOUR OWN RISK. THESE MATERIALS ARE PROVIDED "AS IS" AND WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESSED OR IMPLIED TO THE FULLEST EXTENT PERMISSIBLE PURSUANT TO APPLICABLE LAW. YSI INCORPORATED DOES
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Window detected: Number of UI elements: 19
Source: Kor-1.3.5.0-Setup.exe Static PE information: certificate valid
Source: Kor-1.3.5.0-Setup.exe Static file information: File size 85336088 > 1048576
Source: Kor-1.3.5.0-Setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Kor-1.3.5.0-Setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Kor-1.3.5.0-Setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Kor-1.3.5.0-Setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Kor-1.3.5.0-Setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Kor-1.3.5.0-Setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Kor-1.3.5.0-Setup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\src\wix39r2\build\ship\x86\burn.pdb source: Kor-1.3.5.0-Setup.exe
Source: Binary string: C:\Users\mark\Documents\ploeh\AutoFixture\Src\AutoFixture\obj\Release\Ploeh.AutoFixture.pdbpd source: Ploeh.AutoFixture.dll.10.dr
Source: Binary string: C:\Projects\KorDesktop\KorDesktop\KorDesktop\Modules\Calibration\Ysi.KorExo.Modules.Calibration\obj\Release\Ysi.KorExo.Modules.Calibration.pdb source: Ysi.KorExo.Modules.Calibration.dll.10.dr
Source: Binary string: C:\Projects\KorDesktop\KorDesktop\KorDesktop\Modules\Home\Ysi.KorExo.Modules.Home\obj\Release\Ysi.KorExo.Modules.Home.pdb source: Ysi.KorExo.Modules.Home.dll.10.dr
Source: Binary string: C:\Projects\YsiP\Ysi-Ysip\Ysi.YsiProtocol\obj\Release\Ysi.YsiProtocol.pdb source: Ysi.YsiProtocol.dll.10.dr
Source: Binary string: c:\tfs\EL\V5-SL\UnityTemp\Compile\Unity\Unity\Src\obj\Release\Microsoft.Practices.Unity.pdb source: Microsoft.Practices.Unity.dll.10.dr
Source: Binary string: C:\dev\git\nsubstitute\Output\Release\NET45\NSubstitute\NSubstitute.pdb source: NSubstitute.dll.10.dr
Source: Binary string: C:\Users\mark\Documents\ploeh\AutoFixture\Src\AutoFixture\obj\Release\Ploeh.AutoFixture.pdb source: Ploeh.AutoFixture.dll.10.dr
Source: Binary string: D:\A\_work\21\s\bin/obj/AnyOS.AnyCPU.Release/Microsoft.Win32.Primitives/net46\Microsoft.Win32.Primitives.pdb source: Microsoft.Win32.Primitives.dll.10.dr
Source: Binary string: D:\A\_work\21\s\bin/obj/Windows_NT.AnyCPU.Release/System.Security.Cryptography.X509Certificates/net461\System.Security.Cryptography.X509Certificates.pdb source: System.Security.Cryptography.X509Certificates.dll.10.dr
Source: Binary string: C:\Projects\KorDesktop\KorDesktop\KorDesktop\YsiPAdapter\Ysi.KorExo.YsiPAdapter.TestUtilities\obj\Release\Ysi.KorExo.YsiPAdapter.TestUtilities.pdb source: Ysi.KorExo.YsiPAdapter.TestUtilities.dll.10.dr
Source: Binary string: C:\Users\alan\Documents\Visual Studio 2008\Projects\32feet clean2\InTheHand.Net.Personal\InTheHand.Net.Personal\obj\Release\InTheHand.Net.Personal.pdb source: InTheHand.Net.Personal.dll.10.dr
Source: Binary string: D:\A\_work\21\s\bin/obj/AnyOS.AnyCPU.Release/System.Runtime.Extensions/net462\System.Runtime.Extensions.pdb source: System.Runtime.Extensions.dll.10.dr
Source: Binary string: C:\src\wix39r2\build\ship\x86\WixStdBA.pdb source: Kor-1.3.5.0-Setup.exe, 00000001.00000003.1726284541.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, Kor-1.3.5.0-Setup.exe, 00000001.00000002.2981714552.000000006CBDA000.00000002.00000001.01000000.00000005.sdmp, Kor-1.3.5.0-Setup.exe, 0000000D.00000002.2981515794.000000006F8DA000.00000002.00000001.01000000.0000000B.sdmp, Kor-1.3.5.0-Setup.exe, 0000000D.00000003.2076746137.0000000002F3E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\CSharp\NH\NH\nhibernate\build\NHibernate-3.2.0.GA\bin\net-3.5\Iesi.Collections.pdb source: Iesi.Collections.dll.10.dr
Source: Binary string: d:\Working Copy Referee\AttachedCommandBehavior 2.0\AttachedCommandBehavior\obj\Release\AttachedCommandBehavior.pdb source: AttachedCommandBehavior.dll.10.dr
Source: Binary string: d:\Build\WPFToolkit_RTM\Source\Src\Xceed.Wpf.ListBox.Themes.Metro\obj\Release\Xceed.Wpf.ListBox.Themes.Metro.pdb source: Xceed.Wpf.ListBox.Themes.Metro.dll.10.dr
Source: Kor-1.3.5.0-Setup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Kor-1.3.5.0-Setup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Kor-1.3.5.0-Setup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Kor-1.3.5.0-Setup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Kor-1.3.5.0-Setup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 1_2_6CBC1B81 LoadLibraryW,GetProcAddress,GetLastError,FreeLibrary, 1_2_6CBC1B81
Source: Kor-1.3.5.0-Setup.exe Static PE information: section name: .wixburn
Source: Kor-1.3.5.0-Setup.exe.0.dr Static PE information: section name: .wixburn
Source: Kor-1.3.5.0-Setup.exe.1.dr Static PE information: section name: .wixburn
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 0_2_009AD415 push ecx; ret 0_2_009AD428
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 1_2_6CBD1635 push ecx; ret 1_2_6CBD1648
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Code function: 12_2_0059D415 push ecx; ret 12_2_0059D428
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Code function: 13_2_6F8D1635 push ecx; ret 13_2_6F8D1648
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Management.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\DevExpress.Mvvm.v14.1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Microsoft.Diagnostics.Runtime.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.TestUtilities.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.YsiProtocol.Commands.Common.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\LiveCharts.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\DevExpress.Xpf.Printing.v14.1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.Wpf.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Modules.Deployment.TestUtilities.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\de\Xceed.Wpf.AvalonDock.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.YsiProtocol.Serial.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\ControlzEx.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.YsiProtocol.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.Themes.Metro.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.Common.TestUtilities.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.IO.Compression.ZipFile.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Globalization.Calendars.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\it\Xceed.Wpf.AvalonDock.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.IO.Compression.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\FluentMigrator.Runner.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.Themes.Office2007.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.Serial.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\zh-Hans\Xceed.Wpf.AvalonDock.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.TestUtilities.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\OxyPlot.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\DevExpress.Xpf.Charts.v14.1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.AvalonDock.Themes.Office2007.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\MathNet.Numerics.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.ListBox.Themes.Metro.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\ru\Xceed.Wpf.AvalonDock.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Modules.StaticDataView.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Modules.ConfigureHandheld.TestsUtilities.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\NModbus4.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\Kor.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Reactive.Linq.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Security.Cryptography.Encoding.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.IO.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Microsoft.Practices.Unity.Configuration.dll Jump to dropped file
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe File created: C:\Users\user\AppData\Local\Temp\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\.ba1\wixstdba.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.ListBox.Themes.LiveExplorer.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Windows.Interactivity.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.AvalonDock.Themes.MetroAccent.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Microsoft.Windows.Shell.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Reflection.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\InTheHand.Net.Personal.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\OxyPlot.Xps.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\MVVm.Core.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Reactive.Interfaces.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.DataAccess.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.SessionDataFile.TestUtilities.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Microsoft.Practices.Unity.Interception.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.YsiProtocol.Commands.Sensors.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Domain.TestUtilities.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\DevExpress.Xpf.Core.v14.1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\DevExpress.Xpf.Themes.Office2013LightGray.v14.1.dll Jump to dropped file
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe File created: C:\Users\user\AppData\Local\Temp\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\.be\Kor-1.3.5.0-Setup.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Reactive.Core.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.ListBox.Themes.Office2007.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.YsiProtocol.Commands.Sonde.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\DevExpress.Printing.v14.1.Core.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ploeh.AutoFixture.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Modules.Home.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\x86\SQLite.Interop.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Modules.Calibration.TestUtilities.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\NSubstitute.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Microsoft.Practices.Unity.Interception.Configuration.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.YsiProtocol.InTheHandBluetooth.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Data.SQLite.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.AvalonDock.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.YsiProtocol.Commands.Handheld.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\LiveCharts.Wpf.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\PresentationCore.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.ListBox.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\fr\Xceed.Wpf.AvalonDock.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\FluentMigrator.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Console.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\AttachedCommandBehavior.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Microsoft.Xaml.Behaviors.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.YsiProtocol.Commands.Shared.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Reactive.Windows.Threading.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Xml.Linq.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.DataGrid.XmlSerializers.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.Themes.dll Jump to dropped file
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe File created: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Xaml.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\ro\Xceed.Wpf.AvalonDock.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.YsiProtocol.Commands.ExoGo.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Common.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2A51.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.YsiPAdapter.TestUtilities.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\DevExpress.Map.v14.1.Core.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\FluentNHibernate.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.DataGrid.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\HibernatingRhinos.Profiler.Appender.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.AvalonDock.Themes.VS2010.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Runtime.Extensions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\x64\SQLite.Interop.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.Localization.TestUtilities.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Runtime.InteropServices.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\DevExpress.Xpf.Docking.v14.1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Iesi.Collections.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Microsoft.Practices.ServiceLocation.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\GalaSoft.MvvmLight.WPF4.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Modules.Instrument.TestUtilities.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\hu\Xceed.Wpf.AvalonDock.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.Localization.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Runtime.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Security.Cryptography.X509Certificates.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Modules.Sites.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\DevExpress.Xpf.Map.v14.1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Modules.Calibration.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\pt-BR\Xceed.Wpf.AvalonDock.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Security.Cryptography.Primitives.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Modules.Instrument.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Microsoft.Practices.Unity.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Modules.ConfigureHandheld.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Handheld.HandheldAccessor.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\DevExpress.Xpf.Layout.v14.1.Core.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\MahApps.Metro.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Trackerbird.x86.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.YsiProtocol.Network.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\OxyPlot.Wpf.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\DevExpress.Data.v14.1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\NHibernate.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\NCrunch.Framework.dll Jump to dropped file
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe File created: C:\Users\user\AppData\Local\Temp\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\.ba2\wixstdba.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Diagnostics.DiagnosticSource.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.YsiProtocol.Commands.Sensors.Par.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.IO.FileSystem.Primitives.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Windows.Forms.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.YsiProtocol.Firmware.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Xml.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Diagnostics.Tracing.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.IO.FileSystem.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\DevExpress.Xpf.Grid.v14.1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\PresentationFramework.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.ValueTuple.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Reactive.PlatformServices.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Net.Http.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\WindowsBase.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Modules.Deployment.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.YsiProtocol.ComAdapters.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\SimpleInjector.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.Tracker.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\DevExpress.Xpf.Themes.DXStyle.v14.1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.DataGrid.Themes.Metro.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Fluent.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\DevExpress.Xpf.Grid.v14.1.Core.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.YsiPAdapter.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\ICSharpCode.SharpZipLib.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Net.Sockets.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\nunit.framework.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Domain.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.SessionDataFile.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.ReactiveExtensions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.Toolkit.Themes.Metro.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.YsiProtocol.Bluetooth.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.Toolkit.Themes.Office2007.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Wpf.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\es\Xceed.Wpf.AvalonDock.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\sv\Xceed.Wpf.AvalonDock.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Security.Cryptography.Algorithms.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Modules.LiveDataView.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Wpf.TestUtilities.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.ListBox.Themes.WMP11.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Trackerbird.x64.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.DataGrid.Themes.Office2007.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Runtime.InteropServices.RuntimeInformation.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.Common.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ploeh.AutoFixture.AutoNSubstitute.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.YsiProtocol.Commands.DssHandheld.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.Toolkit.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Trackerbird.Tracker.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.AvalonDock.Themes.Metro.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.AvalonDock.Themes.Aero.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.IntelHex.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Moq.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.AppContext.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Microsoft.Win32.Primitives.dll Jump to dropped file
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe File created: C:\Users\user\AppData\Local\Temp\Kor_20240423082129_0_Setup.log Jump to behavior
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe File created: C:\Users\user\AppData\Local\Temp\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\.ba1\license.rtf Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Resources\Documents\license.rtf Jump to behavior
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe File created: C:\Users\user\AppData\Local\Temp\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\.ba2\license.rtf Jump to behavior
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore Jump to behavior
Source: C:\Windows\System32\SrTasks.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kor Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kor\Kor.lnk Jump to behavior
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {9217b7d9-4734-4961-b8b7-5763fc11b75e} Jump to behavior
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 0_2_009AC430 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_009AC430
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\DevExpress.Mvvm.v14.1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Management.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Microsoft.Diagnostics.Runtime.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.TestUtilities.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.YsiProtocol.Commands.Common.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\LiveCharts.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\DevExpress.Xpf.Printing.v14.1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Modules.Deployment.TestUtilities.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.Wpf.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\de\Xceed.Wpf.AvalonDock.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.YsiProtocol.Serial.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\ControlzEx.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.YsiProtocol.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.Themes.Metro.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.Common.TestUtilities.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.IO.Compression.ZipFile.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\it\Xceed.Wpf.AvalonDock.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Globalization.Calendars.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\FluentMigrator.Runner.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.IO.Compression.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.Serial.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.Themes.Office2007.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\zh-Hans\Xceed.Wpf.AvalonDock.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.TestUtilities.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\OxyPlot.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\MathNet.Numerics.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\DevExpress.Xpf.Charts.v14.1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.AvalonDock.Themes.Office2007.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.ListBox.Themes.Metro.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\ru\Xceed.Wpf.AvalonDock.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Modules.StaticDataView.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Modules.ConfigureHandheld.TestsUtilities.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\NModbus4.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\Kor.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Reactive.Linq.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Security.Cryptography.Encoding.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Microsoft.Practices.Unity.Configuration.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.IO.dll Jump to dropped file
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\.ba1\wixstdba.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.ListBox.Themes.LiveExplorer.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Windows.Interactivity.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.AvalonDock.Themes.MetroAccent.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Microsoft.Windows.Shell.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Reflection.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\InTheHand.Net.Personal.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\OxyPlot.Xps.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\MVVm.Core.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Reactive.Interfaces.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.DataAccess.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Microsoft.Practices.Unity.Interception.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.SessionDataFile.TestUtilities.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.YsiProtocol.Commands.Sensors.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Domain.TestUtilities.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\DevExpress.Xpf.Core.v14.1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\DevExpress.Xpf.Themes.Office2013LightGray.v14.1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Reactive.Core.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.ListBox.Themes.Office2007.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.YsiProtocol.Commands.Sonde.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\DevExpress.Printing.v14.1.Core.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ploeh.AutoFixture.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Modules.Home.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\x86\SQLite.Interop.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Modules.Calibration.TestUtilities.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\NSubstitute.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Microsoft.Practices.Unity.Interception.Configuration.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.YsiProtocol.InTheHandBluetooth.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Data.SQLite.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.AvalonDock.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.YsiProtocol.Commands.Handheld.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\LiveCharts.Wpf.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\PresentationCore.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.ListBox.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\fr\Xceed.Wpf.AvalonDock.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Console.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\FluentMigrator.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\AttachedCommandBehavior.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Microsoft.Xaml.Behaviors.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.YsiProtocol.Commands.Shared.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Reactive.Windows.Threading.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Xml.Linq.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.DataGrid.XmlSerializers.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.Themes.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Xaml.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\ro\Xceed.Wpf.AvalonDock.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.YsiProtocol.Commands.ExoGo.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Common.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.YsiPAdapter.TestUtilities.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI2A51.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\FluentNHibernate.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\DevExpress.Map.v14.1.Core.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.DataGrid.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\HibernatingRhinos.Profiler.Appender.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Runtime.Extensions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.AvalonDock.Themes.VS2010.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\x64\SQLite.Interop.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.Localization.TestUtilities.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Runtime.InteropServices.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\DevExpress.Xpf.Docking.v14.1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Iesi.Collections.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Microsoft.Practices.ServiceLocation.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\GalaSoft.MvvmLight.WPF4.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Modules.Instrument.TestUtilities.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Runtime.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.Localization.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\hu\Xceed.Wpf.AvalonDock.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Security.Cryptography.X509Certificates.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Modules.Sites.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\DevExpress.Xpf.Map.v14.1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Modules.Calibration.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\pt-BR\Xceed.Wpf.AvalonDock.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Security.Cryptography.Primitives.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Modules.Instrument.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Microsoft.Practices.Unity.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Modules.ConfigureHandheld.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Handheld.HandheldAccessor.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\DevExpress.Xpf.Layout.v14.1.Core.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\MahApps.Metro.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Trackerbird.x86.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.YsiProtocol.Network.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\OxyPlot.Wpf.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\DevExpress.Data.v14.1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\NHibernate.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\NCrunch.Framework.dll Jump to dropped file
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\.ba2\wixstdba.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Diagnostics.DiagnosticSource.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.YsiProtocol.Commands.Sensors.Par.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.IO.FileSystem.Primitives.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.YsiProtocol.Firmware.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Xml.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Windows.Forms.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Diagnostics.Tracing.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\DevExpress.Xpf.Grid.v14.1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.IO.FileSystem.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.ValueTuple.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\PresentationFramework.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Net.Http.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Reactive.PlatformServices.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\WindowsBase.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Modules.Deployment.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.YsiProtocol.ComAdapters.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\SimpleInjector.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.Tracker.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\DevExpress.Xpf.Themes.DXStyle.v14.1.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.DataGrid.Themes.Metro.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Fluent.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\DevExpress.Xpf.Grid.v14.1.Core.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\ICSharpCode.SharpZipLib.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.YsiPAdapter.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\nunit.framework.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Net.Sockets.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Domain.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.SessionDataFile.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.ReactiveExtensions.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.Toolkit.Themes.Metro.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.Toolkit.Themes.Office2007.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.YsiProtocol.Bluetooth.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Wpf.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\es\Xceed.Wpf.AvalonDock.resources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\sv\Xceed.Wpf.AvalonDock.resources.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Security.Cryptography.Algorithms.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Modules.LiveDataView.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.KorExo.Wpf.TestUtilities.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.ListBox.Themes.WMP11.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Trackerbird.x64.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.Runtime.InteropServices.RuntimeInformation.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.DataGrid.Themes.Office2007.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.Common.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ploeh.AutoFixture.AutoNSubstitute.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.YsiProtocol.Commands.DssHandheld.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.Toolkit.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Trackerbird.Tracker.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.AvalonDock.Themes.Metro.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Ysi.IntelHex.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Xceed.Wpf.AvalonDock.Themes.Aero.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Moq.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\Microsoft.Win32.Primitives.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\YSI\Kor\1.3.5.0\System.AppContext.dll
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Evaded block: after key decision
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\SrTasks.exe TID: 6892 Thread sleep time: -290000s >= -30000s
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 0_2_009B7058 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 009B70F3h 0_2_009B7058
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 0_2_009B7058 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 009B70ECh 0_2_009B7058
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Code function: 12_2_005A7058 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 005A70F3h 12_2_005A7058
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Code function: 12_2_005A7058 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 005A70ECh 12_2_005A7058
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe File Volume queried: C:\Windows FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 0_2_009BDBED _memset,FindFirstFileW,FindClose, 0_2_009BDBED
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 0_2_009956DE _memset,FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 0_2_009956DE
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 0_2_009BE72A _memset,_memset,GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,GetLastError,GetLastError,GetLastError,FindClose, 0_2_009BE72A
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 1_2_6CBC5CDA _memset,FindFirstFileW,FindClose, 1_2_6CBC5CDA
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Code function: 12_2_005AE72A _memset,_memset,GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,GetLastError,GetLastError,GetLastError,FindClose, 12_2_005AE72A
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Code function: 12_2_005ADBED _memset,FindFirstFileW,FindClose, 12_2_005ADBED
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Code function: 12_2_005856DE _memset,FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 12_2_005856DE
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Code function: 13_2_6F8C5CDA _memset,FindFirstFileW,FindClose, 13_2_6F8C5CDA
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\NULL
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\vcRuntimeAdditional_amd64
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe File opened: C:\ProgramData\Package Cache\NULL
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\NULL
Source: Kor-1.3.5.0-Setup.exe Binary or memory string: `qemu
Source: SrTasks.exe, 00000008.00000003.1987433662.000001EFBFDCD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:((
Source: SrTasks.exe, 00000008.00000002.2100553831.000001EFBFDCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:22
Source: SrTasks.exe, 00000008.00000002.2100553831.000001EFBFDCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:88
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe API call chain: ExitProcess graph end node
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 0_2_009AD93D _memset,IsDebuggerPresent, 0_2_009AD93D
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 0_2_009B03D5 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_009B03D5
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 1_2_6CBC1B81 LoadLibraryW,GetProcAddress,GetLastError,FreeLibrary, 1_2_6CBC1B81
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 0_2_009B79EF GetProcessHeap,RtlAllocateHeap, 0_2_009B79EF
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 0_2_009AD33A SetUnhandledExceptionFilter, 0_2_009AD33A
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 0_2_009AD36B SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_009AD36B
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 1_2_6CBD14BF SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6CBD14BF
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Code function: 12_2_0059D36B SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_0059D36B
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Code function: 12_2_0059D33A SetUnhandledExceptionFilter, 12_2_0059D33A
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Code function: 13_2_6F8D14BF SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_6F8D14BF
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 0_2_009B967F _memset,_memset,_memset,_memset,_memset,_memset,InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree, 0_2_009B967F
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 0_2_009BD231 AllocateAndInitializeSid,CheckTokenMembership, 0_2_009BD231
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 0_2_009AD7C4 cpuid 0_2_009AD7C4
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\.ba1\logo.png VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Package Cache\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\Kor-1.3.5.0-Setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\{9217b7d9-4734-4961-b8b7-5763fc11b75e}\.ba2\logo.png VolumeInformation
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 0_2_00990FE0 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree, 0_2_00990FE0
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 0_2_009B7058 EnterCriticalSection,GetCurrentProcessId,GetCurrentThreadId,GetLocalTime,LeaveCriticalSection, 0_2_009B7058
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 0_2_00982C05 GetUserNameW,GetLastError, 0_2_00982C05
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 0_2_009C25D0 GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime, 0_2_009C25D0
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Code function: 0_2_00981BFB _memset,_memset,CoInitializeEx,GetModuleHandleW,GetVersionExW,GetLastError,CoUninitialize, 0_2_00981BFB
Source: C:\Users\user\Desktop\Kor-1.3.5.0-Setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos