Windows Analysis Report
jlK7Q70gbN.exe

Overview

General Information

Sample name: jlK7Q70gbN.exe
(renamed because the original name is a hash value)
Original sample name: 39e87c245f3df670592eac79160e0de43421742c0e0ab1cfb1452790f07747c9.exe
Analysis ID: 1528470
MD5: fa7b382660c277341e573e54ea81ac1f
SHA1: b84161e5c80dadd9efd6a8307e5d6cdd607b8bc8
SHA256: 39e87c245f3df670592eac79160e0de43421742c0e0ab1cfb1452790f07747c9
Detection

Score: 8
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: 0_2_006E9FA4 DecryptFileW, 0_2_006E9FA4
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: 0_2_006E9D87 DecryptFileW,DecryptFileW, 0_2_006E9D87
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: 0_2_0070FD8F CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError, 0_2_0070FD8F
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Code function: 3_2_00A29D87 DecryptFileW,DecryptFileW, 3_2_00A29D87
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Code function: 3_2_00A4FD8F CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError, 3_2_00A4FD8F
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Code function: 3_2_00A29FA4 DecryptFileW, 3_2_00A29FA4
Source: jlK7Q70gbN.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP
Source: jlK7Q70gbN.exe Static PE information: certificate valid
Source: jlK7Q70gbN.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\agent\_work\79\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.2.dr
Source: Binary string: C:\agent\_work\79\s\build\obj\ship\x86\core\BootstrapperCore.pdb source: BootstrapperCore.dll.2.dr
Source: Binary string: C:\agent\_work\79\s\build\ship\x86\mbahost.pdb source: mbahost.dll.2.dr
Source: Binary string: C:\agent\_work\79\s\build\ship\x86\WixStdBA.pdb source: mbapreq.dll.2.dr
Source: Binary string: ./Installer/UI/obj/Release/ema3d.UI.Boot.pdb source: ema3d.UI.Boot.dll.2.dr
Source: Binary string: C:\agent\_work\79\s\build\ship\x86\burn.pdb source: jlK7Q70gbN.exe, EMA3D.exe.2.dr, jlK7Q70gbN.exe.0.dr
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: 0_2_007146C4 FindFirstFileW,FindClose, 0_2_007146C4
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: 0_2_00707767 FindFirstFileExW, 0_2_00707767
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: 0_2_006E9A30 FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 0_2_006E9A30
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: 0_2_006D3D4E GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 0_2_006D3D4E
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Code function: 3_2_00A546C4 FindFirstFileW,FindClose, 3_2_00A546C4
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Code function: 3_2_00A47767 FindFirstFileExW, 3_2_00A47767
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Code function: 3_2_00A29A30 FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 3_2_00A29A30
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Code function: 3_2_00A13D4E GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 3_2_00A13D4E
Source: jlK7Q70gbN.exe, EMA3D.exe String found in binary or memory: http://appsyndication.org/2006/appsyn
Source: jlK7Q70gbN.exe, EMA3D.exe.2.dr, jlK7Q70gbN.exe.0.dr String found in binary or memory: http://appsyndication.org/2006/appsynapplicationc:
Source: BootstrapperCore.dll.2.dr, mbahost.dll.2.dr, Microsoft.Deployment.WindowsInstaller.dll.2.dr, mbapreq.dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: BootstrapperCore.dll.2.dr, mbahost.dll.2.dr, Microsoft.Deployment.WindowsInstaller.dll.2.dr, mbapreq.dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: BootstrapperCore.dll.2.dr, mbahost.dll.2.dr, Microsoft.Deployment.WindowsInstaller.dll.2.dr, mbapreq.dll.2.dr String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: jlK7Q70gbN.exe, EMA3D.exe.2.dr, jlK7Q70gbN.exe.0.dr, ema3d.UI.Boot.dll.2.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: jlK7Q70gbN.exe, EMA3D.exe.2.dr, jlK7Q70gbN.exe.0.dr, ema3d.UI.Boot.dll.2.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: jlK7Q70gbN.exe, EMA3D.exe.2.dr, jlK7Q70gbN.exe.0.dr, ema3d.UI.Boot.dll.2.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: jlK7Q70gbN.exe, EMA3D.exe.2.dr, jlK7Q70gbN.exe.0.dr, ema3d.UI.Boot.dll.2.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: BootstrapperCore.dll.2.dr, mbahost.dll.2.dr, Microsoft.Deployment.WindowsInstaller.dll.2.dr, mbapreq.dll.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: BootstrapperCore.dll.2.dr, mbahost.dll.2.dr, Microsoft.Deployment.WindowsInstaller.dll.2.dr, mbapreq.dll.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: BootstrapperCore.dll.2.dr, mbahost.dll.2.dr, Microsoft.Deployment.WindowsInstaller.dll.2.dr, mbapreq.dll.2.dr String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: BootstrapperCore.dll.2.dr, mbahost.dll.2.dr, Microsoft.Deployment.WindowsInstaller.dll.2.dr, mbapreq.dll.2.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: BootstrapperCore.dll.2.dr, mbahost.dll.2.dr, Microsoft.Deployment.WindowsInstaller.dll.2.dr, mbapreq.dll.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: BootstrapperCore.dll.2.dr, mbahost.dll.2.dr, Microsoft.Deployment.WindowsInstaller.dll.2.dr, mbapreq.dll.2.dr String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: BootstrapperCore.dll.2.dr, mbahost.dll.2.dr, Microsoft.Deployment.WindowsInstaller.dll.2.dr, mbapreq.dll.2.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: jlK7Q70gbN.exe, EMA3D.exe.2.dr, jlK7Q70gbN.exe.0.dr, ema3d.UI.Boot.dll.2.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: jlK7Q70gbN.exe, EMA3D.exe.2.dr, jlK7Q70gbN.exe.0.dr, ema3d.UI.Boot.dll.2.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: jlK7Q70gbN.exe, EMA3D.exe.2.dr, jlK7Q70gbN.exe.0.dr, ema3d.UI.Boot.dll.2.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: jlK7Q70gbN.exe (process memory dumps) String found in binary or memory: http://ema3d.com
Source: jlK7Q70gbN.exe, 00000002.00000003.2052420419.000000000131F000.00000004.00000020.00020000.00000000.sdmp, jlK7Q70gbN.exe, 00000002.00000003.2052117809.000000000131F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ema3d.com$E
Source: jlK7Q70gbN.exe, EMA3D.exe.2.dr, jlK7Q70gbN.exe.0.dr, ema3d.UI.Boot.dll.2.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: BootstrapperCore.dll.2.dr, mbahost.dll.2.dr, Microsoft.Deployment.WindowsInstaller.dll.2.dr, mbapreq.dll.2.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: BootstrapperCore.dll.2.dr, mbahost.dll.2.dr, Microsoft.Deployment.WindowsInstaller.dll.2.dr, mbapreq.dll.2.dr String found in binary or memory: http://ocsp.digicert.com0K
Source: BootstrapperCore.dll.2.dr, mbahost.dll.2.dr, Microsoft.Deployment.WindowsInstaller.dll.2.dr, mbapreq.dll.2.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: BootstrapperCore.dll.2.dr, mbahost.dll.2.dr, Microsoft.Deployment.WindowsInstaller.dll.2.dr, mbapreq.dll.2.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: jlK7Q70gbN.exe, EMA3D.exe.2.dr, jlK7Q70gbN.exe.0.dr, ema3d.UI.Boot.dll.2.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: EMA3D.exe, 00000003.00000002.3298190467.0000000000B38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.microsoft.ce6
Source: BootstrapperCore.dll.2.dr, mbahost.dll.2.dr, Microsoft.Deployment.WindowsInstaller.dll.2.dr, mbapreq.dll.2.dr String found in binary or memory: http://wixtoolset.org
Source: BootstrapperCore.dll.2.dr, Microsoft.Deployment.WindowsInstaller.dll.2.dr String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: BootstrapperCore.dll.2.dr, Microsoft.Deployment.WindowsInstaller.dll.2.dr String found in binary or memory: http://wixtoolset.org/news/
Source: Microsoft.Deployment.WindowsInstaller.dll.2.dr String found in binary or memory: http://wixtoolset.org/releases/
Source: BootstrapperCore.dll.2.dr String found in binary or memory: http://wixtoolset.org/releases/SCreating
Source: mbapreq.thm.2.dr String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010
Source: ema3d.UI.Boot.dll.2.dr String found in binary or memory: http://www.ansys.com/privacy
Source: jlK7Q70gbN.exe, 00000000.00000002.3297556859.000000000085B000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS
Source: jlK7Q70gbN.exe, EMA3D.exe.2.dr, jlK7Q70gbN.exe.0.dr, ema3d.UI.Boot.dll.2.dr String found in binary or memory: https://sectigo.com/CPS0
Source: jlK7Q70gbN.exe, 00000002.00000003.2079705659.0000000008E31000.00000004.00000020.00020000.00000000.sdmp, ema3d.UI.Boot.dll.2.dr String found in binary or memory: https://www.ansys.com.mcas.ms/legal/terms-and
Source: ema3d.UI.Boot.dll.2.dr String found in binary or memory: https://www.ansys.com.mcas.ms/legal/terms-and-conditions/ansys-hybrid-compute-environment-security
Source: BootstrapperCore.dll.2.dr, mbahost.dll.2.dr, Microsoft.Deployment.WindowsInstaller.dll.2.dr, mbapreq.dll.2.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Code function: String function: 00A12022 appears 53 times
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Code function: String function: 00A138BA appears 500 times
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Code function: String function: 00A5055B appears 681 times
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Code function: String function: 00A50A42 appears 34 times
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Code function: String function: 00A535AF appears 79 times
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: String function: 00710A42 appears 34 times
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: String function: 006D38BA appears 499 times
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: String function: 0071055B appears 681 times
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: String function: 006D2022 appears 53 times
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: String function: 007135AF appears 81 times
Source: jlK7Q70gbN.exe, 00000000.00000000.2041163595.000000000073E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameEMA3D.exe< vs jlK7Q70gbN.exe
Source: jlK7Q70gbN.exe, 00000002.00000000.2045485722.000000000083E000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: OriginalFilenameEMA3D.exe< vs jlK7Q70gbN.exe
Source: jlK7Q70gbN.exe Binary or memory string: OriginalFilenameEMA3D.exe< vs jlK7Q70gbN.exe
Source: jlK7Q70gbN.exe.0.dr Binary or memory string: OriginalFilenameEMA3D.exe< vs jlK7Q70gbN.exe
Source: classification engine Classification label: clean8.evad.winEXE@5/36@0/0
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: 0_2_006D2078 FormatMessageW,GetLastError,LocalFree, 0_2_006D2078
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: 0_2_006D4639 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle, 0_2_006D4639
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Code function: 3_2_00A14639 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle, 3_2_00A14639
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: 0_2_0071330F GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess, 0_2_0071330F
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: 0_2_006F6913 ChangeServiceConfigW,GetLastError, 0_2_006F6913
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Mutant created: NULL
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe File created: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Command line argument: cabinet.dll 0_2_006D1070
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Command line argument: msi.dll 0_2_006D1070
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Command line argument: version.dll 0_2_006D1070
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Command line argument: wininet.dll 0_2_006D1070
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Command line argument: clbcatq.dll 0_2_006D1070
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Command line argument: msasn1.dll 0_2_006D1070
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Command line argument: crypt32.dll 0_2_006D1070
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Command line argument: feclient.dll 0_2_006D1070
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Command line argument: cabinet.dll 3_2_00A11070
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Command line argument: msi.dll 3_2_00A11070
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Command line argument: version.dll 3_2_00A11070
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Command line argument: wininet.dll 3_2_00A11070
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Command line argument: comres.dll 3_2_00A11070
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Command line argument: clbcatq.dll 3_2_00A11070
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Command line argument: msasn1.dll 3_2_00A11070
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Command line argument: crypt32.dll 3_2_00A11070
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Command line argument: feclient.dll 3_2_00A11070
Source: jlK7Q70gbN.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: jlK7Q70gbN.exe String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: EMA3D.exe String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe File read: C:\Users\user\Desktop\jlK7Q70gbN.exe
Source: unknown Process created: C:\Users\user\Desktop\jlK7Q70gbN.exe "C:\Users\user\Desktop\jlK7Q70gbN.exe"
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Process created: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe "C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe" -burn.clean.room="C:\Users\user\Desktop\jlK7Q70gbN.exe" -burn.filehandle.attached=528 -burn.filehandle.self=540
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Process created: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe "C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe" -q -burn.elevated BurnPipe.{01823A2F-6092-4017-B70C-7D2B2DE988B6} {636B081A-FA87-43E7-BB2F-5B923C0323C7} 6180
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Section loaded: msi.dll
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Section loaded: msxml3.dll
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Section loaded: feclient.dll
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Section loaded: apphelp.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: cryptbase.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: msi.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: version.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: cabinet.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: msxml3.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: windows.storage.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: wldp.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: profapi.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: feclient.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: iertutil.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: uxtheme.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: textinputframework.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: coremessaging.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: ntmarta.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: wintypes.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: mscoree.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: cryptsp.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: rsaenh.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: dwrite.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: propsys.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: edputil.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: urlmon.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: srvcli.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: netutils.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: sspicli.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: appresolver.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: bcp47langs.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: slc.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: userenv.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: sppc.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: apphelp.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: dwmapi.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: d3d9.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: d3d10warp.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: wtsapi32.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: winsta.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: powrprof.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: umpdc.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: dataexchange.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: d3d11.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: dcomp.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: dxgi.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: windowscodecs.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: textshaping.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: msctfui.dll Jump to behavior
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: uiautomationcore.dll Jump to behavior
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Section loaded: d3dcompiler_47.dll Jump to behavior
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Section loaded: msxml3.dll Jump to behavior
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Section loaded: srclient.dll Jump to behavior
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Section loaded: spp.dll Jump to behavior
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: jlK7Q70gbN.exe Static PE information: certificate valid
Source: jlK7Q70gbN.exe Static file information: File size 1204392 > 1048576
Source: jlK7Q70gbN.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: jlK7Q70gbN.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: jlK7Q70gbN.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: jlK7Q70gbN.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: jlK7Q70gbN.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: jlK7Q70gbN.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: jlK7Q70gbN.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: jlK7Q70gbN.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\agent\_work\79\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.2.dr
Source: Binary string: C:\agent\_work\79\s\build\ship\x86\burn.pdb/ source: jlK7Q70gbN.exe, EMA3D.exe.2.dr, jlK7Q70gbN.exe.0.dr
Source: Binary string: C:\agent\_work\79\s\build\obj\ship\x86\core\BootstrapperCore.pdb source: BootstrapperCore.dll.2.dr
Source: Binary string: C:\agent\_work\79\s\build\ship\x86\mbahost.pdb source: mbahost.dll.2.dr
Source: Binary string: ./Installer/UI/obj/Release/ema3d.UI.Boot.pdb8 source: ema3d.UI.Boot.dll.2.dr
Source: Binary string: C:\agent\_work\79\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: Microsoft.Deployment.WindowsInstaller.dll.2.dr
Source: Binary string: C:\agent\_work\79\s\build\ship\x86\WixStdBA.pdb source: mbapreq.dll.2.dr
Source: Binary string: ./Installer/UI/obj/Release/ema3d.UI.Boot.pdb source: ema3d.UI.Boot.dll.2.dr
Source: Binary string: C:\agent\_work\79\s\build\ship\x86\burn.pdb source: jlK7Q70gbN.exe, EMA3D.exe.2.dr, jlK7Q70gbN.exe.0.dr
Source: jlK7Q70gbN.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: jlK7Q70gbN.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: jlK7Q70gbN.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: jlK7Q70gbN.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: jlK7Q70gbN.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: jlK7Q70gbN.exe Static PE information: section name: .wixburn
Source: jlK7Q70gbN.exe.0.dr Static PE information: section name: .wixburn
Source: EMA3D.exe.2.dr Static PE information: section name: .wixburn
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: 0_2_006FE826 push ecx; ret 0_2_006FE839
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Code function: 3_2_00A3E826 push ecx; ret 3_2_00A3E839
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe File created: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.ba\Microsoft.Deployment.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe File created: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Jump to dropped file
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe File created: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.ba\mbahost.dll Jump to dropped file
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe File created: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Jump to dropped file
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe File created: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.ba\BootstrapperCore.dll Jump to dropped file
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe File created: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.ba\mbapreq.dll Jump to dropped file
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe File created: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.ba\ema3d.UI.Boot.dll Jump to dropped file
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Memory allocated: 33F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Memory allocated: 4770000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Memory allocated: 6770000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Dropped PE file which has not been started: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.ba\Microsoft.Deployment.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Dropped PE file which has not been started: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.ba\mbahost.dll Jump to dropped file
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Dropped PE file which has not been started: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.ba\mbapreq.dll Jump to dropped file
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Dropped PE file which has not been started: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.ba\ema3d.UI.Boot.dll Jump to dropped file
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Dropped PE file which has not been started: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.ba\BootstrapperCore.dll Jump to dropped file
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Evaded block: after key decision
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe API coverage: 9.5 %
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe TID: 5448 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: 0_2_007101F0 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 0071028Bh 0_2_007101F0
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: 0_2_007101F0 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00710284h 0_2_007101F0
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Code function: 3_2_00A501F0 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00A5028Bh 3_2_00A501F0
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Code function: 3_2_00A501F0 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00A50284h 3_2_00A501F0
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: 0_2_007146C4 FindFirstFileW,FindClose, 0_2_007146C4
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: 0_2_00707767 FindFirstFileExW, 0_2_00707767
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: 0_2_006E9A30 FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 0_2_006E9A30
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: 0_2_006D3D4E GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 0_2_006D3D4E
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Code function: 3_2_00A546C4 FindFirstFileW,FindClose, 3_2_00A546C4
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Code function: 3_2_00A47767 FindFirstFileExW, 3_2_00A47767
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Code function: 3_2_00A29A30 FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 3_2_00A29A30
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Code function: 3_2_00A13D4E GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose, 3_2_00A13D4E
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: 0_2_0071994A VirtualQuery,GetSystemInfo, 0_2_0071994A
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: 0_2_006FE594 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_006FE594
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: 0_2_00704413 mov eax, dword ptr fs:[00000030h] 0_2_00704413
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: 0_2_00708491 mov eax, dword ptr fs:[00000030h] 0_2_00708491
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Code function: 3_2_00A48491 mov eax, dword ptr fs:[00000030h] 3_2_00A48491
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Code function: 3_2_00A44413 mov eax, dword ptr fs:[00000030h] 3_2_00A44413
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: 0_2_006D39DF GetProcessHeap,RtlAllocateHeap, 0_2_006D39DF
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: 0_2_006FE0C8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_006FE0C8
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: 0_2_006FE594 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_006FE594
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: 0_2_006FE727 SetUnhandledExceptionFilter, 0_2_006FE727
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: 0_2_007037AA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_007037AA
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Code function: 3_2_00A3E0C8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00A3E0C8
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Code function: 3_2_00A3E594 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00A3E594
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Code function: 3_2_00A437AA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00A437AA
Source: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe Code function: 3_2_00A3E727 SetUnhandledExceptionFilter, 3_2_00A3E727
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Process created: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe "C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe" -burn.clean.room="C:\Users\user\Desktop\jlK7Q70gbN.exe" -burn.filehandle.attached=528 -burn.filehandle.self=540 Jump to behavior
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Process created: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe "C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.be\EMA3D.exe" -q -burn.elevated BurnPipe.{01823A2F-6092-4017-B70C-7D2B2DE988B6} {636B081A-FA87-43E7-BB2F-5B923C0323C7} 6180 Jump to behavior
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: 0_2_007119F8 InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree, 0_2_007119F8
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: 0_2_00713D0B AllocateAndInitializeSid,CheckTokenMembership, 0_2_00713D0B
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: 0_2_006FE957 cpuid 0_2_006FE957
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Queries volume information: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.ba\BootstrapperCore.dll VolumeInformation
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Queries volume information: C:\Windows\Temp\{FFE22A89-11FD-4A47-9FF0-982DA2A5AD2F}\.ba\ema3d.UI.Boot.dll VolumeInformation
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: 0_2_006E4E67 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree, 0_2_006E4E67
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: 0_2_006D605F GetSystemTime,GetDateFormatW,GetLastError,GetLastError,GetDateFormatW,GetLastError, 0_2_006D605F
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: 0_2_006D6203 GetUserNameW,GetLastError, 0_2_006D6203
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: 0_2_00718A8F GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime, 0_2_00718A8F
Source: C:\Users\user\Desktop\jlK7Q70gbN.exe Code function: 0_2_006D51D2 GetModuleHandleW,CoInitializeEx,GetVersionExW,GetLastError,CoUninitialize, 0_2_006D51D2
Source: C:\Windows\Temp\{562041EC-09A3-44AA-87AE-CC1700EABB21}\.cr\jlK7Q70gbN.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos