Play interactive tourEdit tour

Windows Analysis Report
https://desktop.qobuz.com/releases/win32/x64/windows7_8_10/7.1.4-b008/Qobuz_Installer.exe?_gl=1*a1991m*_up*MQ..*_ga*MTkzODU0OTg5OC4xNzI4MzI2MTA4*_ga_BCS72N6MDF*MTcyODMyNjEwNy4xLjEuMTcyODMyNjc2OS4wLjAuMTM1MzY5NjE3NA..

Overview

General Information

Sample URL:	https://desktop.qobuz.com/releases/win32/x64/windows7_8_10/7.1.4-b008/Qobuz_Installer.exe?_gl=1*a1991m*_up*MQ..*_ga*MTkzODU0OTg5OC4xNzI4MzI2MTA4*_ga_BCS72N6MDF*MTcyODMyNjEwNy4xLjEuMTcyODMyNjc2OS4wLjAu
Analysis ID:	1528374
Infos:

Detection

Score:	25
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file does not import any functions

PE file overlay found

Queries the volume information (name, serial number etc) of a device

Stores files to the Windows start menu directory

Classification

×

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Compliance

Creates install or setup log file

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

File created: C:\Users\user\AppData\Local\SquirrelTemp\Squirrel-Install.log

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: netstandard.pdb.mdb source: Update.exe, 00000011.00000000.2357546299.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr
Source:	Binary string: C:\Users\ani\code\squirrel\squirrel.windows\build\Release\Win32\Setup.pdb source: Qobuz_Installer.exe, 00000010.00000000.2104901404.0000000000BFF000.00000002.00000001.01000000.00000006.sdmp, Unconfirmed 118702.crdownload.0.dr

Networking

Yara detected Generic Downloader

Source: Yara match	File source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Qobuz\Update.exe, type: DROPPED

URLs found in memory or binary data

Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2357008515.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Update.exe.16.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2357008515.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microsoft
Source: Qobuz_Installer.exe, 00000010.00000003.2356612221.0000000008827000.00000004.00000020.00020000.00000000.sdmp, Qobuz_Installer.exe, 00000010.00000003.2356612221.000000000881A000.00000004.00000020.00020000.00000000.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: Update.exe, 00000011.00000000.2357546299.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: https://api.github.com/#
Source: Update.exe, 00000011.00000000.2357546299.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr	String found in binary or memory: https://github.com/myuser/myrepo

System Summary

PE file contains executable resources (Code or Archives)

Source: Unconfirmed 118702.crdownload.0.dr

Static PE information: Resource name: DATA type: Zip archive data, at least v2.0 to extract, compression method=deflate

PE file does not import any functions

Source: 4a4df6e5-2dec-4712-a072-5d2a1109b3f6.tmp.0.dr

Static PE information: No import functions for PE file found

PE file overlay found

Source: 4a4df6e5-2dec-4712-a072-5d2a1109b3f6.tmp.0.dr

Static PE information: Data appended to the last section found

Classification label

Source: classification engine

Classification label: sus25.troj.win@29/17@0/11

Creates files inside the user directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\Downloads\4a4df6e5-2dec-4712-a072-5d2a1109b3f6.tmp

Jump to behavior

Creates mutexes

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Mutant created: NULL

Creates temporary files

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

File created: C:\Users\user\AppData\Local\Temp\.squirrel-lock-0FEF7D82B19CDAC5BEB5C9BE96BA9FAABA7A8D70

Jump to behavior

Reads software policies

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Runs a DLL by calling functions

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Spawns processes

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=1800,i,16295125349097330652,7967667769422856774,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://desktop.qobuz.com/releases/win32/x64/windows7_8_10/7.1.4-b008/Qobuz_Installer.exe?_gl=1*a1991m*_up*MQ..*_ga*MTkzODU0OTg5OC4xNzI4MzI2MTA4*_ga_BCS72N6MDF*MTcyODMyNjEwNy4xLjEuMTcyODMyNjc2OS4wLjAuMTM1MzY5NjE3NA.."
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5412 --field-trial-handle=1800,i,16295125349097330652,7967667769422856774,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Users\user\Downloads\Qobuz_Installer.exe "C:\Users\user\Downloads\Qobuz_Installer.exe"
Source: C:\Users\user\Downloads\Qobuz_Installer.exe	Process created: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe "C:\Users\user\AppData\Local\SquirrelTemp\Update.exe" --install .
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=1800,i,16295125349097330652,7967667769422856774,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5412 --field-trial-handle=1800,i,16295125349097330652,7967667769422856774,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Users\user\Downloads\Qobuz_Installer.exe	Process created: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe "C:\Users\user\AppData\Local\SquirrelTemp\Update.exe" --install .			Jump to behavior

Tries to load missing DLLs

Source: C:\Users\user\Downloads\Qobuz_Installer.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Downloads\Qobuz_Installer.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\Downloads\Qobuz_Installer.exe	Section loaded: logoncli.dll			Jump to behavior
Source: C:\Users\user\Downloads\Qobuz_Installer.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Users\user\Downloads\Qobuz_Installer.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\Downloads\Qobuz_Installer.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\Downloads\Qobuz_Installer.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Users\user\Downloads\Qobuz_Installer.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: dwrite.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: msvcp140_clr0400.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Section loaded: profapi.dll			Jump to behavior

Windows shortcut file (LNK) contains relative path

Source: Google Drive.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Binary contains paths to debug symbols

Source:	Binary string: netstandard.pdb.mdb source: Update.exe, 00000011.00000000.2357546299.00000000006B2000.00000002.00000001.01000000.00000007.sdmp, Update.exe, 00000011.00000002.2421409702.000000001B960000.00000004.00000020.00020000.00000000.sdmp, Update.exe.16.dr
Source:	Binary string: C:\Users\ani\code\squirrel\squirrel.windows\build\Release\Win32\Setup.pdb source: Qobuz_Installer.exe, 00000010.00000000.2104901404.0000000000BFF000.00000002.00000001.01000000.00000006.sdmp, Unconfirmed 118702.crdownload.0.dr

Data Obfuscation

PE file contains an invalid checksum

Source: 4a4df6e5-2dec-4712-a072-5d2a1109b3f6.tmp.0.dr

Static PE information: real checksum: 0x7930f55 should be: 0x5ab6

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Downloads\Qobuz_Installer.exe	File created: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe			Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\Unconfirmed 118702.crdownload			Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\Qobuz_Installer.exe (copy)			Jump to dropped file
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	File created: C:\Users\user\AppData\Local\Qobuz\Update.exe			Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\4a4df6e5-2dec-4712-a072-5d2a1109b3f6.tmp			Jump to dropped file

Creates install or setup log file

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

File created: C:\Users\user\AppData\Local\SquirrelTemp\Squirrel-Install.log

Jump to behavior

Boot Survival

Stores files to the Windows start menu directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk			Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Disables application error messsages (SetErrorMode)

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Memory allocated: 1350000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe	Memory allocated: 1AB50000 memory reserve | memory write watch			Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Window / User API: threadDelayed 577

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe TID: 6936	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe TID: 1940	Thread sleep count: 577 > 30			Jump to behavior

Contains medium sleeps (>= 30s)

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Anti Debugging

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Memory allocated: page read and write | page guard

Jump to behavior

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Queries volume information: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe VolumeInformation

Jump to behavior

Queries the cryptographic machine GUID

Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.