Windows Analysis Report
https://on-combine-data.s3.us-west-2.amazonaws.com/dealer-data/Share+Point/NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe

Overview

General Information

Sample URL: https://on-combine-data.s3.us-west-2.amazonaws.com/dealer-data/Share+Point/NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe
Analysis ID: 1544169

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Uses bcdedit to modify the Windows boot settings
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Creates Visual Basic Runtime Dlls
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
PE file overlay found
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses taskkill to terminate processes
Yara detected Keylogger Generic

Classification

AV Detection

Source: C:\Program Files (x86)\NIR Technology Analysis Software\Watchdog.exe Avira: detection malicious, Label: TR/Spy.Gen
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.16:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.16:49710 version: TLS 1.2
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.17.dr
Source: Binary string: C:\SoftwareLocalPC\CereaDll\CereaDllOriginal2022 - CheckHundFile\Release\Cerea.pdbC source: Cerea.dll.17.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdbGCTL source: api-ms-win-core-sysinfo-l1-1-0.dll.17.dr
Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.17.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.17.dr
Source: Binary string: C:\SoftwareLocalPC\CereaDll\CereaDllOriginal2022 - CheckHundFile\Release\Cerea.pdb source: Cerea.dll.17.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdbGCTL source: api-ms-win-core-profile-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: api-ms-win-core-datetime-l1-1-0.dll.17.dr
Source: Binary string: D:\_w\1\b\bin\amd64\_queue.pdb source: _queue.pyd.17.dr
Source: Binary string: D:\_w\1\b\bin\amd64\_hashlib.pdb source: _hashlib.pyd.17.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdbGCTL source: api-ms-win-crt-string-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdbGCTL source: api-ms-win-crt-locale-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdbGCTL source: api-ms-win-core-libraryloader-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdbGCTL source: api-ms-win-core-handle-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.17.dr
Source: Binary string: D:\_w\1\b\bin\amd64\_ctypes.pdb source: _ctypes.pyd.17.dr
Source: Binary string: api-ms-win-core-console-l1-1-0.pdbGCTL source: api-ms-win-core-console-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: api-ms-win-core-console-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdbGCTL source: api-ms-win-crt-utility-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdbGCTL source: api-ms-win-core-timezone-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdbGCTL source: api-ms-win-core-synch-l1-2-0.dll.17.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdbGCTL source: api-ms-win-crt-process-l1-1-0.dll.17.dr
Source: Binary string: hhctrl.pdb source: NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe, 00000011.00000002.1594508121.0000000002A14000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\_socket.pdb source: _socket.pyd.17.dr
Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdbGCTL source: api-ms-win-core-datetime-l1-1-0.dll.17.dr
Source: Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.17.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdbGCTL source: api-ms-win-core-file-l1-1-0.dll.17.dr
Source: Binary string: Can't Read Text FileCan't Open Text File.pdb.mdb%f.mdtAn Error OccurreduserbrationFile Method: SaveToBinFileSaving userbration to File...wbCan't Open Binary FileCan't Write Binary FileNo ErroruserbrationFile Method: ReadFromBinFileReading userbraiton From File...rbCan't Read Binary FileuserbrationFile Method: GetAverageAndStDeviationGetting Average and Standard Deviation Data...Do First DerivativeConstituentConstituent Name: %s source: Cerea.dll.17.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdbGCTL source: api-ms-win-crt-environment-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.17.dr
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: global traffic HTTP traffic detected: GET /dealer-data/Share+Point/NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe HTTP/1.1Host: on-combine-data.s3.us-west-2.amazonaws.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=KZdzvYaHPw644zO&MD=zyh75GoL HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=KZdzvYaHPw644zO&MD=zyh75GoL HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic DNS traffic detected: DNS query: on-combine-data.s3.us-west-2.amazonaws.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: libffi-7.dll.17.dr, _queue.pyd.17.dr, _socket.pyd.17.dr, _hashlib.pyd.17.dr, _ctypes.pyd.17.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: libffi-7.dll.17.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: _queue.pyd.17.dr, _socket.pyd.17.dr, _hashlib.pyd.17.dr, _ctypes.pyd.17.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: _queue.pyd.17.dr, _socket.pyd.17.dr, _hashlib.pyd.17.dr, _ctypes.pyd.17.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: _queue.pyd.17.dr, _socket.pyd.17.dr, _hashlib.pyd.17.dr, _ctypes.pyd.17.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: libffi-7.dll.17.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: libffi-7.dll.17.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: _queue.pyd.17.dr, _socket.pyd.17.dr, _hashlib.pyd.17.dr, _ctypes.pyd.17.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: _queue.pyd.17.dr, _socket.pyd.17.dr, _hashlib.pyd.17.dr, _ctypes.pyd.17.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: _queue.pyd.17.dr, _socket.pyd.17.dr, _hashlib.pyd.17.dr, _ctypes.pyd.17.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: libffi-7.dll.17.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: _queue.pyd.17.dr, _socket.pyd.17.dr, _hashlib.pyd.17.dr, _ctypes.pyd.17.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: libffi-7.dll.17.dr, _queue.pyd.17.dr, _socket.pyd.17.dr, _hashlib.pyd.17.dr, _ctypes.pyd.17.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: _queue.pyd.17.dr, _socket.pyd.17.dr, _hashlib.pyd.17.dr, _ctypes.pyd.17.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: libffi-7.dll.17.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: _queue.pyd.17.dr, _socket.pyd.17.dr, _hashlib.pyd.17.dr, _ctypes.pyd.17.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: LogonUI.exe, 0000001D.00000003.2203071590.0000020C2F38F000.00000004.00000020.00020000.00000000.sdmp, LogonUI.exe, 0000001D.00000002.2428817500.0000020C2F38F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.a.0/sTy
Source: LogonUI.exe, 0000001D.00000003.2203071590.0000020C2F38F000.00000004.00000020.00020000.00000000.sdmp, LogonUI.exe, 0000001D.00000002.2428817500.0000020C2F38F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.adobe.hotosh
Source: NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe, 0000000E.00000000.1416626041.000000000040A000.00000008.00000001.01000000.00000006.sdmp, NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe, 00000011.00000002.1593006457.000000000040A000.00000004.00000001.01000000.00000006.sdmp, chromecache_171.1.dr, uninstall.exe.17.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: _queue.pyd.17.dr, _socket.pyd.17.dr, _hashlib.pyd.17.dr, _ctypes.pyd.17.dr String found in binary or memory: http://ocsp.digicert.com0
Source: _queue.pyd.17.dr, _socket.pyd.17.dr, _hashlib.pyd.17.dr, _ctypes.pyd.17.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: libffi-7.dll.17.dr, _queue.pyd.17.dr, _socket.pyd.17.dr, _hashlib.pyd.17.dr, _ctypes.pyd.17.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: libffi-7.dll.17.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: _queue.pyd.17.dr, _socket.pyd.17.dr, _hashlib.pyd.17.dr, _ctypes.pyd.17.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: libffi-7.dll.17.dr String found in binary or memory: http://ocsp.thawte.com0
Source: libffi-7.dll.17.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: libffi-7.dll.17.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: libffi-7.dll.17.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: _queue.pyd.17.dr, _socket.pyd.17.dr, _hashlib.pyd.17.dr, _ctypes.pyd.17.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: libffi-7.dll.17.dr, _queue.pyd.17.dr, _socket.pyd.17.dr, _hashlib.pyd.17.dr, _ctypes.pyd.17.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\nsq53E3.tmp, type: DROPPED
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Code function: 17_2_100010A5 GetVersionExA,LoadLibraryA,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,OpenProcess,TerminateProcess,CloseHandle,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CloseHandle,lstrlenA,lstrcmpiA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,FreeLibrary, 17_2_100010A5
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\MSWINSCK.ocx
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\SYSINFO.ocx
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\Cerea.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\NSIS.Library.RegTool.v3.{760CC695-7C3A-465F-9E6C-D3931A64AC97}.exe
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\Mahalanobis.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\PLSObj.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\msstdfmt.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\VB6STKIT.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\TrendGraph.tlb
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\COMCT232.ocx
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\COMCT332.ocx
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\COMCTL32.ocx
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\COMDLG32.ocx
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\DBGRID32.ocx
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\MSCHRT20.ocx
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\MSCOMCT2.ocx
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\MSCOMCTL.ocx
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\MSCOMM32.ocx
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\MSDATGRD.ocx
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\MSFLXGRD.ocx
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\MSHFLXGD.ocx
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\vbGraph.ocx
Source: unicodedata.pyd.17.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: _overlapped.pyd.17.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: api-ms-win-core-string-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.17.dr Static PE information: No import functions for PE file found
Source: 06dc3f2a-0d04-4237-8c43-2058ccd60562.tmp.0.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-louserzation-l1-2-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.17.dr Static PE information: No import functions for PE file found
Source: 06dc3f2a-0d04-4237-8c43-2058ccd60562.tmp.0.dr Static PE information: Data appended to the last section found
Source: 06dc3f2a-0d04-4237-8c43-2058ccd60562.tmp.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe, 00000011.00000002.1594508121.0000000002F81000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *\AC:\Joel\OdourScan\UI\Alternative MSChart\vbGraph.vbp$
Source: classification engine Classification label: mal52.win@40/120@4/4
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Program Files (x86)\NIR Technology Analysis Software
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\Downloads\06dc3f2a-0d04-4237-8c43-2058ccd60562.tmp
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7972:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7880:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8104:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7828:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8044:120:WilError_03
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Users\user\AppData\Local\Temp\nsq5394.tmp
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Watchdog.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "RestartApp.exe")
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "ReadWeight.exe")
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe, 00000011.00000002.1594508121.0000000002CAF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Selects the chart legend.W9Returns/sets the number of data columns in the data grid.WMReturns/sets the number of levels of labels on data columns in the data grid.WJReturns/sets the number of levels of labels on data rows in the data grid.6Returns/sets the number of data rows in the data grid.GDeletes columns of data and their associated labels from the data grid.WWW/Adds one or more data columns to the data grid.WWW>Deletes levels of labels from the data columns in a data grid.GAdds one or more levels of labels to the data columns in the data grid.WWWDDeletes rows of data and their associated labels from the data grid.WW,Adds one or more data rows to the data grid.WW;Deletes levels of labels from the data rows in a data grid.WWWDAdds one or more levels of labels to the data rows in the data grid.WW1Fills the data grid with randomly generated data.W4Sets the number and levels of data columns and rows.WWNAssigns each label in the first level of data grid labels a unique identifier.HFills one or more columns of the data grid with randomly generated data.WWEFills one or more rows of the data grid with randomly generated data.W(Moves a block of cells on the data grid.WW#Gets the value of a data grid cell.WWW#Sets the value of a data grid cell.WWW9Returns/sets the label on a data column in the data grid.WHReturns the multi-level label that identifies a column in the data grid.WWEReturns the multi-level label that identifies a row in the data grid.W6Returns/sets the label on a data row in the data grid.EReturns/sets the strength of the light coming from the light source.WCReturns/sets the X coordinate for the location of the LightSource.WWWCReturns/sets the Y coordinate for the location of the LightSource.WWWCReturns/sets the Z coordinate for the location of the LightSource.WWW]Sets the X,Y,Z coordinates for the LightSource location and the intensity of the LightSource.W
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=1936,i,14282950788006197663,4562122908551355024,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://on-combine-data.s3.us-west-2.amazonaws.com/dealer-data/Share+Point/NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3140 --field-trial-handle=1936,i,14282950788006197663,4562122908551355024,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown Process created: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe "C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe"
Source: unknown Process created: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe "C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe"
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Process created: C:\Windows\System32\bcdedit.exe "bcdedit" /set {current} bootstatuspolicy ignoreallfailures
Source: C:\Windows\System32\bcdedit.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM Watchdog.exe /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM RestartApp.exe /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM NTAS 3000X /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM ReadWeight.exe /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x4 /state0:0xa3ff7055 /state1:0x41c64e6d
Source: unknown Process created: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe "C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe" -ServerName:WindowsDefaultLockScreen.AppX7y4nbzq37zn4ks9k7amqjywdat7d3j2z.mca
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=1936,i,14282950788006197663,4562122908551355024,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3140 --field-trial-handle=1936,i,14282950788006197663,4562122908551355024,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Process created: C:\Windows\System32\bcdedit.exe "bcdedit" /set {current} bootstatuspolicy ignoreallfailures Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM Watchdog.exe /F Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM RestartApp.exe /F Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM NTAS 3000X /F Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM ReadWeight.exe /F Jump to behavior
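Added example, not part of the sandbox report and not code from the analysed installer: a small triage script for the process-creation entries listed above. The event list is transcribed from the report's own command lines (parent image, child image, command line); the rules, the Finding type, the technique labels and the ATT&CK references are assumptions of this example, not the sandbox's scoring logic. It flags the bcdedit boot-status-policy change and the four forced TaskKill invocations, records that every one of them is a direct child of the installer, and catches that the image name in TaskKill /IM NTAS 3000X /F was passed without quotes, so taskkill receives "NTAS" as the image name and "3000X" as a separate argument. The bcdedit rule also watches recoveryenabled no, a companion setting the report does not show.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Events constructed from the report's "Process created" entries:
# (parent image, child image, child command line). Not sandbox output.
INSTALLER = r"C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe"
TASKKILL = r"C:\Windows\SysWOW64\taskkill.exe"
EVENTS = [
    ("unknown", INSTALLER, f'"{INSTALLER}"'),
    (INSTALLER, r"C:\Windows\System32\bcdedit.exe",
     '"bcdedit" /set {current} bootstatuspolicy ignoreallfailures'),
    (TASKKILL, r"C:\Windows\System32\conhost.exe",
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (INSTALLER, TASKKILL, "TaskKill /IM Watchdog.exe /F"),
    (INSTALLER, TASKKILL, "TaskKill /IM RestartApp.exe /F"),
    (INSTALLER, TASKKILL, "TaskKill /IM NTAS 3000X /F"),
    (INSTALLER, TASKKILL, "TaskKill /IM ReadWeight.exe /F"),
]

# bcdedit settings whose listed values hide boot failures or disable recovery
# (commonly mapped to ATT&CK T1490). The report shows only bootstatuspolicy;
# recoveryenabled is added here as an assumption of this example.
BCDEDIT_WATCH = {
    "bootstatuspolicy": {"ignoreallfailures"},
    "recoveryenabled": {"no"},
}

_ARG = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line into arguments, keeping quoted runs together."""
    return [t.strip('"') for t in _ARG.findall(cmdline)]


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


@dataclass(frozen=True)
class Finding:
    parent: str     # image of the creating process
    image: str      # image of the created process
    technique: str  # label of the rule that fired
    detail: str     # what was seen, normalised


def check_bcdedit(args: list[str]) -> str | None:
    """bcdedit /set [<identifier>] <setting> <value>; the identifier defaults to {current}."""
    low = [a.lower() for a in args]
    if "/set" not in low:
        return None
    rest = low[low.index("/set") + 1:]
    ident = "{current}"
    if rest and rest[0].startswith("{"):
        ident, rest = rest[0], rest[1:]
    if len(rest) >= 2 and rest[1] in BCDEDIT_WATCH.get(rest[0], ()):
        return f"{ident} {rest[0]}={rest[1]}"
    return None


def check_taskkill(args: list[str]) -> str | None:
    """taskkill /IM <image> [/F]. A non-switch word after the image name means the
    name contained a space and was not quoted, so taskkill never sees it whole."""
    low = [a.lower() for a in args]
    if "/im" not in low:
        return None
    i = low.index("/im")
    if i + 1 >= len(args):
        return None
    image = args[i + 1]
    stray = [a for a in args[i + 2:] if not a.startswith("/")]
    detail = f"/IM {image}" + (" /F" if "/f" in low else "")
    if stray:
        detail += f" (malformed: unquoted name, stray argument {' '.join(stray)!r})"
    return detail


# Rules keyed by child image basename (commonly mapped to T1490 and T1489).
RULES = {
    "bcdedit.exe": ("boot policy tampering", check_bcdedit),
    "taskkill.exe": ("forced process termination", check_taskkill),
}


def triage(events) -> list[Finding]:
    findings = []
    for parent, image, cmdline in events:
        rule = RULES.get(basename(image))
        if rule is None:
            continue
        label, check = rule
        detail = check(tokenize(cmdline))
        if detail is not None:
            findings.append(Finding(parent, image, label, detail))
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{basename(f.parent)} -> {basename(f.image)}: {f.technique}: {f.detail}")
```

The bcdedit change is reversible and easy to verify on an affected host: the default value of bootstatuspolicy is DisplayAllFailures, and `bcdedit /enum {current}` shows what is currently set. Whether it is malicious depends on context, since the same invocation appears in legitimate installers of software meant to run unattended, so treat it as a finding to corroborate against the other report entries rather than as proof on its own.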
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: cerea.dll Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: mahalanobis.dll Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: plsobj.dll Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\bcdedit.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: logoncontroller.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: dsreg.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.logon.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: wincorlib.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.xamlhost.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: mrmcorer.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: windowmanagementapi.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: inputhost.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: languageoverlayutil.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: bcp47mrm.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.xaml.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.immersive.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.globalization.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: d2d1.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.blockedshutdown.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: directmanipulation.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.ui.xaml.controls.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: threadpoolwinrt.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.applicationmodel.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.graphics.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: wuceffects.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.applicationmodel.lockscreen.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: lockcontroller.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: credprovdatamodel.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: networkicon.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: networkuxbroker.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: ethernetmediamanager.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: netprofm.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: npmproxy.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: credprovhost.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: credprovs.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: credprovslegacy.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: facecredentialprovider.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: smartcardcredentialprovider.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.devices.enumeration.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: biocredprov.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: ngckeyenum.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: structuredquery.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: cxcredprov.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: ngccredprov.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: wlidcredprov.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: rasplap.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: credprov2fahelper.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: credprovhelper.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: shacct.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: icu.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: mswb7.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: idstore.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: devdispitemprovider.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: windows.media.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: winbio.dll Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: wincorlib.dll Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: windows.ui.xaml.dll Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: windows.staterepositorycore.dll Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: windows.applicationmodel.dll Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: mrmcorer.dll Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: windows.staterepositoryclient.dll Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: d2d1.dll Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: profapi.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: windows.ui.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: windowmanagementapi.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: textinputframework.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: inputhost.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: propsys.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: ntmarta.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: textshaping.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: languageoverlayutil.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: bcp47mrm.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: windows.globalization.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: rmclient.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: uiamanager.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: windows.ui.core.textinput.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: windows.ui.immersive.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: dataexchange.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: cryptbase.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: lockappbroker.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: powrprof.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: umpdc.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: contentdeliverymanager.utilities.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: cdp.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: windows.storage.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: wldp.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: dsreg.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: cryptsp.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: slc.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: sppc.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: threadpoolwinrt.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: windows.internal.shell.broker.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: wininet.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: actxprxy.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: windows.applicationmodel.lockscreen.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: lockcontroller.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: dwmapi.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: windows.services.targetedcontent.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: sspicli.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: windows.graphics.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: networkicon.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: networkuxbroker.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: npmproxy.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: userenv.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: profext.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: windows.storage.applicationdata.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: directmanipulation.dll
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Section loaded: logoncli.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Google Drive.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: NTAS MS3000X.lnk.17.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\NIR Technology Analysis Software\NTAS MS3000X.exe
Source: Uninstall.lnk.17.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\NIR Technology Analysis Software\uninstall.exe
Source: NTAS Help.lnk.17.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\NIR Technology Analysis Software\NTAS Help.chm
Source: NTAS MS3000X.lnk0.17.dr LNK file: ..\..\..\..\..\..\..\Program Files (x86)\NIR Technology Analysis Software\NTAS MS3000X.exe
Source: NTAS MS3000X.lnk1.17.dr LNK file: ..\..\..\Program Files (x86)\NIR Technology Analysis Software\NTAS MS3000X.exe
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File written: C:\Users\user\AppData\Local\Temp\nsl5413.tmp\ioSpecial.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.17.dr
Source: Binary string: C:\SoftwareLocalPC\CereaDll\CereaDllOriginal2022 - CheckHundFile\Release\Cerea.pdbC source: Cerea.dll.17.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdbGCTL source: api-ms-win-core-sysinfo-l1-1-0.dll.17.dr
Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.17.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.17.dr
Source: Binary string: C:\SoftwareLocalPC\CereaDll\CereaDllOriginal2022 - CheckHundFile\Release\Cerea.pdb source: Cerea.dll.17.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdbGCTL source: api-ms-win-core-profile-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: api-ms-win-core-datetime-l1-1-0.dll.17.dr
Source: Binary string: D:\_w\1\b\bin\amd64\_queue.pdb source: _queue.pyd.17.dr
Source: Binary string: D:\_w\1\b\bin\amd64\_hashlib.pdb source: _hashlib.pyd.17.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdbGCTL source: api-ms-win-crt-string-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdbGCTL source: api-ms-win-crt-locale-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdbGCTL source: api-ms-win-core-libraryloader-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdbGCTL source: api-ms-win-core-handle-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.17.dr
Source: Binary string: D:\_w\1\b\bin\amd64\_ctypes.pdb source: _ctypes.pyd.17.dr
Source: Binary string: api-ms-win-core-console-l1-1-0.pdbGCTL source: api-ms-win-core-console-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: api-ms-win-core-console-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdbGCTL source: api-ms-win-crt-utility-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdbGCTL source: api-ms-win-core-timezone-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdbGCTL source: api-ms-win-core-synch-l1-2-0.dll.17.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdbGCTL source: api-ms-win-crt-process-l1-1-0.dll.17.dr
Source: Binary string: hhctrl.pdb source: NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe, 00000011.00000002.1594508121.0000000002A14000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\_socket.pdb source: _socket.pyd.17.dr
Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdbGCTL source: api-ms-win-core-datetime-l1-1-0.dll.17.dr
Source: Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.17.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdbGCTL source: api-ms-win-core-file-l1-1-0.dll.17.dr
Source: Binary string: Can't Read Text FileCan't Open Text File.pdb.mdb%f.mdtAn Error OccurredcalibrationFile Method: SaveToBinFileSaving calibration to File...wbCan't Open Binary FileCan't Write Binary FileNo ErrorcalibrationFile Method: ReadFromBinFileReading calibraiton From File...rbCan't Read Binary FilecalibrationFile Method: GetAverageAndStDeviationGetting Average and Standard Deviation Data...Do First DerivativeConstituentConstituent Name: %s source: Cerea.dll.17.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdbGCTL source: api-ms-win-crt-environment-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.17.dr
Source: api-ms-win-crt-process-l1-1-0.dll.17.dr Static PE information: 0xFB3E7718 [Sun Jul 29 17:55:36 2103 UTC]
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Code function: 17_2_100010A5 GetVersionExA,LoadLibraryA,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,OpenProcess,TerminateProcess,CloseHandle,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CloseHandle,lstrlenA,lstrcmpiA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,FreeLibrary, 17_2_100010A5
Source: libcrypto-1_1.dll.17.dr Static PE information: section name: .00cfg
Source: libssl-1_1.dll.17.dr Static PE information: section name: .00cfg
Source: python310.dll.17.dr Static PE information: section name: PyRuntim
Source: socketcropscan.exe.17.dr Static PE information: section name: _RDATA
Source: Cerea.dll.17.dr Static PE information: section name: _RDATA
Source: RestartApp.exe.17.dr Static PE information: section name: _RDATA
Source: VCRUNTIME140.dll.17.dr Static PE information: section name: _RDATA

Persistence and Installation Behavior

Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Process created: C:\Windows\System32\bcdedit.exe "bcdedit" /set {current} bootstatuspolicy ignoreallfailures
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\MSWINSCK.ocx
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\_multiprocessing.pyd
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\libffi-7.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\_hashlib.pyd
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\libcrypto-1_1.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\NSIS.Library.RegTool.v3.{760CC695-7C3A-465F-9E6C-D3931A64AC97}.exe
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Users\user\AppData\Local\Temp\nsl5413.tmp\nsExec.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\pyexpat.pyd
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\unicodedata.pyd
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Program Files (x86)\NIR Technology Analysis Software\uninstall.exe
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\_asyncio.pyd
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\_lzma.pyd
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\_ssl.pyd
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\_ctypes.pyd
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\socketcropscan\socketcropscan.exe
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\MSFLXGRD.ocx
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Program Files (x86)\NIR Technology Analysis Software\Watchdog.exe
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\MSCOMM32.ocx
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\_bz2.pyd
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\MSCOMCTL.ocx
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-core-file-l1-1-0.dll
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: Chrome Cache Entry: 171
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\COMCT332.ocx
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\RestartApp.exe
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe (copy)
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\libssl-1_1.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Users\user\AppData\Local\Temp\nsl5413.tmp\nsProcess.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\select.pyd
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\ucrtbase.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\VCRUNTIME140.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\PLSObj.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\vbGraph.ocx
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\COMCT232.ocx
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Users\user\AppData\Local\Temp\nsl5413.tmp\InstallOptions.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\DBGRID32.ocx
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\MSCOMCT2.ocx
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Users\user\AppData\Local\Temp\nsl5413.tmp\System.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\psutil\_psutil_windows.cp310-win_amd64.pyd
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\SYSINFO.ocx
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\MSHFLXGD.ocx
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\msstdfmt.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Users\user\AppData\Local\Temp\nsl5413.tmp\UserInfo.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\COMCTL32.ocx
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\MSDATGRD.ocx
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\_queue.pyd
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\Cerea.dll
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\Downloads\Unconfirmed 279108.crdownload
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\_overlapped.pyd
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\_socket.pyd
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\MSCHRT20.ocx
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-core-console-l1-1-0.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\COMDLG32.ocx
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\_elementtree.pyd
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\VB6STKIT.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Program Files (x86)\NIR Technology Analysis Software\NTAS MS3000X.exe
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\Windows\SysWOW64\Mahalanobis.dll
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\_curses.cp310-win_amd64.pyd
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\_decimal.pyd
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\Downloads\06dc3f2a-0d04-4237-8c43-2058ccd60562.tmp
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File created: C:\wga\Scripts\RestartApp\python310.dll
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce NSIS.Library.RegTool.v3 Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce NSIS.Library.RegTool.v3 Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce NSIS.Library.RegTool.v3 Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce NSIS.Library.RegTool.v3 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\LogonUI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsl5413.tmp\nsProcess.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-crt-time-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\select.pyd Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\MSWINSCK.ocx Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\VCRUNTIME140.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\_multiprocessing.pyd Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\libffi-7.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-core-namedpipe-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\vbGraph.ocx Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-crt-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\COMCT232.ocx Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsl5413.tmp\InstallOptions.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\DBGRID32.ocx Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\MSCOMCT2.ocx Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\_hashlib.pyd Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsl5413.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\psutil\_psutil_windows.cp310-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\SYSINFO.ocx Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\libcrypto-1_1.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\MSHFLXGD.ocx Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\msstdfmt.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\NSIS.Library.RegTool.v3.{760CC695-7C3A-465F-9E6C-D3931A64AC97}.exe Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsl5413.tmp\nsExec.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\pyexpat.pyd Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-core-file-l2-1-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsl5413.tmp\UserInfo.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\unicodedata.pyd Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-core-synch-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\Program Files (x86)\NIR Technology Analysis Software\uninstall.exe Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-core-debug-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\COMCTL32.ocx Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\_asyncio.pyd Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\MSDATGRD.ocx Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\_queue.pyd Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\_lzma.pyd Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\_ssl.pyd Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\_ctypes.pyd Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-core-errorhandling-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\_overlapped.pyd Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\_socket.pyd Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-core-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\MSCHRT20.ocx Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-core-datetime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-core-console-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\COMDLG32.ocx Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\_elementtree.pyd Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\socketcropscan\socketcropscan.exe Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-core-handle-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\MSFLXGRD.ocx Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\Program Files (x86)\NIR Technology Analysis Software\Watchdog.exe Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\VB6STKIT.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\MSCOMM32.ocx Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-crt-utility-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\Program Files (x86)\NIR Technology Analysis Software\NTAS MS3000X.exe Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\_bz2.pyd Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\MSCOMCTL.ocx Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-core-file-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-core-louserzation-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\_curses.cp310-win_amd64.pyd Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\_decimal.pyd Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\COMCT332.ocx Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\RestartApp.exe Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-core-interlocked-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\libssl-1_1.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\api-ms-win-core-libraryloader-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Dropped PE file which has not been started: C:\wga\Scripts\RestartApp\python310.dll Jump to dropped file
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe TID: 4636 Thread sleep count: 49 > 30 Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File Volume queried: C:\Program Files (x86) FullSizeInformation
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe File Volume queried: C:\Program Files (x86) FullSizeInformation
Source: LogonUI.exe, 0000001D.00000002.2420450600.0000020C2AC10000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NXTVMWare
Source: bcdedit.exe, 00000012.00000002.1482266588.000001B7FAF38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pEFI VMware Virtual SATA CDROM Drive (0.0)
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\LogonUI.exe Process queried: DebugPort
Source: C:\Windows\System32\LogonUI.exe Process queried: DebugPort
Source: C:\Windows\System32\LogonUI.exe Process queried: DebugPort
Source: C:\Windows\System32\LogonUI.exe Process queried: DebugPort
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Code function: 17_2_100010A5 GetVersionExA,LoadLibraryA,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,OpenProcess,TerminateProcess,CloseHandle,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CloseHandle,lstrlenA,lstrcmpiA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,FreeLibrary, 17_2_100010A5
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM Watchdog.exe /F
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM RestartApp.exe /F
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM NTAS 3000X /F
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM ReadWeight.exe /F
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM Watchdog.exe /F
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM RestartApp.exe /F
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM NTAS 3000X /F
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /IM ReadWeight.exe /F
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\LogonUI.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\LogonUI.exe Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
Source: C:\Windows\System32\LogonUI.exe Queries volume information: C:\Windows\Web\Screen\img103.png VolumeInformation
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation
Source: C:\Users\user\Downloads\NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe Code function: 17_2_100010A5 GetVersionExA,LoadLibraryA,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,OpenProcess,TerminateProcess,CloseHandle,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CloseHandle,lstrlenA,lstrcmpiA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,FreeLibrary, 17_2_100010A5