Windows Analysis Report
https://desktop.qobuz.com/releases/win32/x64/windows7_8_10/7.1.4-b008/Qobuz_Installer.exe?_gl=1a1991m_upMQ.._gaMTkzODU0OTg5OC4xNzI4MzI2MTA4_ga_BCS72N6MDF*MTcyODMyNjEwNy4xLjEuMTcyODMyNjc2OS4wLjAuMTM1MzY5NjE3NA..

Overview

General Information

Sample URL:	https://desktop.qobuz.com/releases/win32/x64/windows7_8_10/7.1.4-b008/Qobuz_Installer.exe?_gl=1a1991m_upMQ.._gaMTkzODU0OTg5OC4xNzI4MzI2MTA4_ga_BCS72N6MDF*MTcyODMyNjEwNy4xLjEuMTcyODMyNjc2OS4wLjAu
Analysis ID:	1528374
Infos:

Detection

Score:	25
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file does not import any functions

PE file overlay found

Queries the volume information (name, serial number etc) of a device

Stores files to the Windows start menu directory

Classification

Signatures

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

File created: C:\Users\user\AppData\Local\SquirrelTemp\Squirrel-Install.log

Jump to behavior

Source:	Binary string: netstandard.pdb.mdb source: Update.exe, 00000011.00000000.2357546299.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr
Source:	Binary string: C:\Users\ani\code\squirrel\squirrel.windows\build\Release\Win32\Setup.pdb source: Qobuz_Installer.exe, 00000010.00000000.2104901404.0000000000BFF000.00000002.00000001.01000000.00000006.sdmp, Unconfirmed 118702.crdownload.0.dr

Networking

Yara detected Generic Downloader

Source: Yara match	File source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Qobuz\Update.exe, type: DROPPED

Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2357008515.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Update.exe.16.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2357008515.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microsoft
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: Update.exe, 00000011.00000000.2357546299.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: https://api.github.com/#
Source: Update.exe, 00000011.00000000.2357546299.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: https://github.com/myuser/myrepo

PE file contains executable resources (Code or Archives)

Source: Unconfirmed 118702.crdownload.0.dr

Static PE information: Resource name: DATA type: Zip archive data, at least v2.0 to extract, compression method=deflate

PE file does not import any functions

Source: 4a4df6e5-2dec-4712-a072-5d2a1109b3f6.tmp.0.dr

Static PE information: No import functions for PE file found

PE file overlay found

Source: 4a4df6e5-2dec-4712-a072-5d2a1109b3f6.tmp.0.dr

Static PE information: Data appended to the last section found

Source: classification engine

Classification label: sus25.troj.win@29/17@0/11

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\Downloads\4a4df6e5-2dec-4712-a072-5d2a1109b3f6.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Mutant created: NULL

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

File created: C:\Users\user\AppData\Local\Temp\.squirrel-lock-0FEF7D82B19CDAC5BEB5C9BE96BA9FAABA7A8D70

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=1800,i,16295125349097330652,7967667769422856774,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://desktop.qobuz.com/releases/win32/x64/windows7_8_10/7.1.4-b008/Qobuz_Installer.exe?_gl=1a1991m_upMQ.._gaMTkzODU0OTg5OC4xNzI4MzI2MTA4_ga_BCS72N6MDF*MTcyODMyNjEwNy4xLjEuMTcyODMyNjc2OS4wLjAuMTM1MzY5NjE3NA.."
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5412 --field-trial-handle=1800,i,16295125349097330652,7967667769422856774,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Users\user\Downloads\Qobuz_Installer.exe "C:\Users\user\Downloads\Qobuz_Installer.exe"
Source: C:\Users\user\Downloads\Qobuz_Installer.exe	Process created: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe "C:\Users\user\AppData\Local\SquirrelTemp\Update.exe" --install .
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=1800,i,16295125349097330652,7967667769422856774,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5412 --field-trial-handle=1800,i,16295125349097330652,7967667769422856774,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Downloads\Qobuz_Installer.exe	Process created: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe "C:\Users\user\AppData\Local\SquirrelTemp\Update.exe" --install .	Jump to behavior

Source: C:\Users\user\Downloads\Qobuz_Installer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Downloads\Qobuz_Installer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Downloads\Qobuz_Installer.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\Downloads\Qobuz_Installer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Downloads\Qobuz_Installer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Downloads\Qobuz_Installer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Downloads\Qobuz_Installer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Downloads\Qobuz_Installer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: profapi.dll	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:	Binary string: netstandard.pdb.mdb source: Update.exe, 00000011.00000000.2357546299.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr
Source:	Binary string: C:\Users\ani\code\squirrel\squirrel.windows\build\Release\Win32\Setup.pdb source: Qobuz_Installer.exe, 00000010.00000000.2104901404.0000000000BFF000.00000002.00000001.01000000.00000006.sdmp, Unconfirmed 118702.crdownload.0.dr

PE file contains an invalid checksum

Source: 4a4df6e5-2dec-4712-a072-5d2a1109b3f6.tmp.0.dr

Static PE information: real checksum: 0x7930f55 should be: 0x5ab6

Drops PE files

Source: C:\Users\user\Downloads\Qobuz_Installer.exe	File created: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\Unconfirmed 118702.crdownload	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\Qobuz_Installer.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	File created: C:\Users\user\AppData\Local\Qobuz\Update.exe	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\4a4df6e5-2dec-4712-a072-5d2a1109b3f6.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

File created: C:\Users\user\AppData\Local\SquirrelTemp\Squirrel-Install.log

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Memory allocated: 1350000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Memory allocated: 1AB50000 memory reserve \| memory write watch			Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Window / User API: threadDelayed 577

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe TID: 6936	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe TID: 1940	Thread sleep count: 577 > 30			Jump to behavior

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Memory allocated: page read and write | page guard

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Queries volume information: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.181.238	unknown	United States	15169	GOOGLEUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
142.250.185.68	unknown	United States	15169	GOOGLEUS	false
34.104.35.123	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.186.174	unknown	United States	15169	GOOGLEUS	false
172.217.18.3	unknown	United States	15169	GOOGLEUS	false
172.217.16.195	unknown	United States	15169	GOOGLEUS	false
18.239.83.39	unknown	United States	16509	AMAZON-02US	false
66.102.1.84	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.16

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Qobuz\Update.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	322669DD7E99D0C179E205CFA903E102	69C4B44915CCCC69401740CFD01C1B05CACFC3BD	CBA85A24C989182FE8A993C84BDA795E10CA9036BB77914D91E3F24E9C04B447
C:\Users\user\AppData\Local\Qobuz\packages\Qobuz-7.1.4-b008-full.nupkg	Zip archive data, at least v2.0 to extract, compression method=store	0ABE86B1F3F4B2ABF82D42869EB11D05	0450B01403D9CD57E2551B06C84ECDC3CDFEFF1E	F15F3CF08349A0CF9CC649B4D8A65AD5D52C53679D9BAA634A061F4F8F21A1DF
C:\Users\user\AppData\Local\SquirrelTemp\Qobuz-7.1.4-b008-full.nupkg	Zip archive data, at least v2.0 to extract, compression method=store	0ABE86B1F3F4B2ABF82D42869EB11D05	0450B01403D9CD57E2551B06C84ECDC3CDFEFF1E	F15F3CF08349A0CF9CC649B4D8A65AD5D52C53679D9BAA634A061F4F8F21A1DF
C:\Users\user\AppData\Local\SquirrelTemp\RELEASES	Unicode text, UTF-8 (with BOM) text, with no line terminators	9804023C935B4A504DDDCB0130129006	4C8EC8C10DF7A3CAA2AECB512AA50939228C8BA1	EEC0EFD447C2AB0C55D6DE9E3A9406891B2D953239C03C2651CF90ECB9697F79
C:\Users\user\AppData\Local\SquirrelTemp\Squirrel-Install.log	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	C3BE6545B87112FD3608F53EF74FDFCD	C4B1F52DBDC720041470FF27F7841C4C06394EBD	E385837CCE113C6B4714D0A276C827112D5AB6D5862B5CE7717E5806E925C76A
C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	322669DD7E99D0C179E205CFA903E102	69C4B44915CCCC69401740CFD01C1B05CACFC3BD	CBA85A24C989182FE8A993C84BDA795E10CA9036BB77914D91E3F24E9C04B447
C:\Users\user\AppData\Local\SquirrelTemp\background.gif	GIF image data, version 89a, 400 x 400	806A5048AF545F6DD028A821195CAD04	DC86F9EA36DF8836AD514179DF9E109D84B3BF40	8C9BC304920566BFE182153AA2904781427396B19639104D8131638C5F6CDEFA
C:\Users\user\AppData\Local\SquirrelTemp\setupIcon.ico	MS Windows icon resource - 5 icons, 16x16, 32 bits/pixel, 24x24, 32 bits/pixel	328B22E25FB1724E626A0957AC93FAFA	C70FDE3658E3EFBB5F3399ABFD4A40F780345391	72858A5D9771432A5FBD5BA30F6A91415E6324C10FC7AB892B1235921F4E1C3E
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Oct 7 18:20:44 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	7F1971A795C02EE65E09B7882BB5C40C	0C5C2F94FE5CE529AE287DA228E67C44CEDD1590	A1B0ED56CF25D98FCFDFD9CF2AA8A441C9E14DFF00136E94AD67D41959A6EC28
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Oct 7 18:20:44 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	81F0DD245305B17FC0EB18DF38A566C0	258B9EC1F10F21733CF052F806BB4F3B1A7E1C67	5846AB2C78F6BC9CB59110B87D80BA71A403225E8193AC59551F90381F0D9B1F
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	AFCD5317E53EF6FA4827B05DF14AEA1F	FC88AD62F8BFC1172D3B43A9027098A24A120525	D0EA8FC1348608AF36CF555685E728DCE874048C0A1AD2E1EFE3B3394F343D98
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Oct 7 18:20:44 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	C433A0C93044A2B4C1280C27C0BF7EB7	5B247813EEBCA59245EBF2356ED0487D4D2D6FEE	4818C8F3297ED78EEA1F711E00C070591BC9A5E6FB3E94780558459311249F04
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Oct 7 18:20:44 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	547D3029B2BFE2F6CFD7BF0250659A48	1973AB7E8613B8E68814356B77C2EE4471F62BF3	1B672CBFC3538BD948AFC8393946DDEF2D9E509786BED47A2147DAFB9152101D
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Oct 7 18:20:44 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide	824556D2C49B5A7695ED97660ED80CEC	4EE14B1ABAECFEF608F310C4EDDB81DCDCFEDE1B	14BBD62E0BBCA070D468DC318949572DB8C5883D8A5992DF2389CFF82CE5701E
C:\Users\user\Downloads\4a4df6e5-2dec-4712-a072-5d2a1109b3f6.tmp	PE32 executable (GUI) Intel 80386, for MS Windows	05C038D30B66FEB6DA3EF05CC0575781	8000EF1ED3E72AB28A9036AC6A599036E7D2569D	7E810C5ECC212FE799AD31CEA091275DD02BE27C510C01FDC65AD9AA5E16265B
C:\Users\user\Downloads\Qobuz_Installer.exe (copy)	PE32 executable (GUI) Intel 80386, for MS Windows	E3C287CB89AB1C6DCD675468A70EF62E	3B2DD39C8A188FD940E92A3F5AA8854E4FEBFDC6	E230EBF49579575EEAD5AC6CE852B59AC5775680990125BD20E1F4084932A5C8
C:\Users\user\Downloads\Unconfirmed 118702.crdownload	PE32 executable (GUI) Intel 80386, for MS Windows	E3C287CB89AB1C6DCD675468A70EF62E	3B2DD39C8A188FD940E92A3F5AA8854E4FEBFDC6	E230EBF49579575EEAD5AC6CE852B59AC5775680990125BD20E1F4084932A5C8

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

File created: C:\Users\user\AppData\Local\SquirrelTemp\Squirrel-Install.log

Jump to behavior

Source:	Binary string: netstandard.pdb.mdb source: Update.exe, 00000011.00000000.2357546299.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr
Source:	Binary string: C:\Users\ani\code\squirrel\squirrel.windows\build\Release\Win32\Setup.pdb source: Qobuz_Installer.exe, 00000010.00000000.2104901404.0000000000BFF000.00000002.00000001.01000000.00000006.sdmp, Unconfirmed 118702.crdownload.0.dr

Networking

Yara detected Generic Downloader

Source: Yara match	File source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Qobuz\Update.exe, type: DROPPED

Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2357008515.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Update.exe.16.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2357008515.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microsoft
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: Update.exe, 00000011.00000000.2357546299.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: https://api.github.com/#
Source: Update.exe, 00000011.00000000.2357546299.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: https://github.com/myuser/myrepo

PE file contains executable resources (Code or Archives)

Source: Unconfirmed 118702.crdownload.0.dr

Static PE information: Resource name: DATA type: Zip archive data, at least v2.0 to extract, compression method=deflate

PE file does not import any functions

Source: 4a4df6e5-2dec-4712-a072-5d2a1109b3f6.tmp.0.dr

Static PE information: No import functions for PE file found

PE file overlay found

Source: 4a4df6e5-2dec-4712-a072-5d2a1109b3f6.tmp.0.dr

Static PE information: Data appended to the last section found

Source: classification engine

Classification label: sus25.troj.win@29/17@0/11

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\Downloads\4a4df6e5-2dec-4712-a072-5d2a1109b3f6.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Mutant created: NULL

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

File created: C:\Users\user\AppData\Local\Temp\.squirrel-lock-0FEF7D82B19CDAC5BEB5C9BE96BA9FAABA7A8D70

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=1800,i,16295125349097330652,7967667769422856774,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://desktop.qobuz.com/releases/win32/x64/windows7_8_10/7.1.4-b008/Qobuz_Installer.exe?_gl=1a1991m_upMQ.._gaMTkzODU0OTg5OC4xNzI4MzI2MTA4_ga_BCS72N6MDF*MTcyODMyNjEwNy4xLjEuMTcyODMyNjc2OS4wLjAuMTM1MzY5NjE3NA.."
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5412 --field-trial-handle=1800,i,16295125349097330652,7967667769422856774,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Users\user\Downloads\Qobuz_Installer.exe "C:\Users\user\Downloads\Qobuz_Installer.exe"
Source: C:\Users\user\Downloads\Qobuz_Installer.exe	Process created: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe "C:\Users\user\AppData\Local\SquirrelTemp\Update.exe" --install .
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=1800,i,16295125349097330652,7967667769422856774,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5412 --field-trial-handle=1800,i,16295125349097330652,7967667769422856774,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Downloads\Qobuz_Installer.exe	Process created: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe "C:\Users\user\AppData\Local\SquirrelTemp\Update.exe" --install .	Jump to behavior

Source: C:\Users\user\Downloads\Qobuz_Installer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Downloads\Qobuz_Installer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Downloads\Qobuz_Installer.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\Downloads\Qobuz_Installer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Downloads\Qobuz_Installer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Downloads\Qobuz_Installer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Downloads\Qobuz_Installer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Downloads\Qobuz_Installer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: profapi.dll	Jump to behavior

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:	Binary string: netstandard.pdb.mdb source: Update.exe, 00000011.00000000.2357546299.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr
Source:	Binary string: C:\Users\ani\code\squirrel\squirrel.windows\build\Release\Win32\Setup.pdb source: Qobuz_Installer.exe, 00000010.00000000.2104901404.0000000000BFF000.00000002.00000001.01000000.00000006.sdmp, Unconfirmed 118702.crdownload.0.dr

PE file contains an invalid checksum

Source: 4a4df6e5-2dec-4712-a072-5d2a1109b3f6.tmp.0.dr

Static PE information: real checksum: 0x7930f55 should be: 0x5ab6

Drops PE files

Source: C:\Users\user\Downloads\Qobuz_Installer.exe	File created: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\Unconfirmed 118702.crdownload	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\Qobuz_Installer.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	File created: C:\Users\user\AppData\Local\Qobuz\Update.exe	Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\4a4df6e5-2dec-4712-a072-5d2a1109b3f6.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

File created: C:\Users\user\AppData\Local\SquirrelTemp\Squirrel-Install.log

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Memory allocated: 1350000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Memory allocated: 1AB50000 memory reserve \| memory write watch			Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Window / User API: threadDelayed 577

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe TID: 6936	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe TID: 1940	Thread sleep count: 577 > 30			Jump to behavior

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Memory allocated: page read and write | page guard

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Queries volume information: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

ID:	1528374
Product:	CloudBasic
Start time:	21:20:13
Start date:	07.10.2024
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS

Windows Analysis Report
https://desktop.qobuz.com/releases/win32/x64/windows7_8_10/7.1.4-b008/Qobuz_Installer.exe?_gl=1a1991m_upMQ.._gaMTkzODU0OTg5OC4xNzI4MzI2MTA4_ga_BCS72N6MDF*MTcyODMyNjEwNy4xLjEuMTcyODMyNjc2OS4wLjAuMTM1MzY5NjE3NA..

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Windows Analysis Report https://desktop.qobuz.com/releases/win32/x64/windows7_8_10/7.1.4-b008/Qobuz_Installer.exe?_gl=1*a1991m*_up*MQ..*_ga*MTkzODU0OTg5OC4xNzI4MzI2MTA4*_ga_BCS72N6MDF*MTcyODMyNjEwNy4xLjEuMTcyODMyNjc2OS4wLjAuMTM1MzY5NjE3NA..

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Windows Analysis Report
https://desktop.qobuz.com/releases/win32/x64/windows7_8_10/7.1.4-b008/Qobuz_Installer.exe?_gl=1a1991m_upMQ.._gaMTkzODU0OTg5OC4xNzI4MzI2MTA4_ga_BCS72N6MDF*MTcyODMyNjEwNy4xLjEuMTcyODMyNjc2OS4wLjAuMTM1MzY5NjE3NA..