Windows Analysis Report
nitro_pro14.exe

Overview

General Information

Sample name:	nitro_pro14.exe
Analysis ID:	1533060
MD5:	957c08652837223a7876d64f5f93f232
SHA1:	22cb448ac6bd4fc47a1889aa2643f0bd91e9c7ff
SHA256:	071dcd0fb10975eea48df1f75b3c6ecaec30c901fc7639ad8e60b99c231ee223
Infos:

Detection

Score:	25
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Signatures

Potentially malicious time measurement code found

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Signatures

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000DBCDD DecryptFileW,	0_2_000DBCDD
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000DBAC2 DecryptFileW,DecryptFileW,	0_2_000DBAC2
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_00104B6F CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	0_2_00104B6F
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A7BCDD DecryptFileW,	1_2_00A7BCDD
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A7BAC2 DecryptFileW,DecryptFileW,	1_2_00A7BAC2
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00AA4B6F CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	1_2_00AA4B6F
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A4578D0 MultiByteToWideChar,MultiByteToWideChar,CryptAcquireContextW,CryptReleaseContext,GetLastError,	1_2_6A4578D0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A459330 MultiByteToWideChar,MultiByteToWideChar,GetLastError,CryptAcquireContextW,CryptGetProvParam,GetLastError,CryptReleaseContext,CryptGetProvParam,GetLastError,CryptReleaseContext,	1_2_6A459330
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A458500 CryptAcquireContextW,GetLastError,CryptGetUserKey,CryptReleaseContext,	1_2_6A458500
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A40F590 CryptQueryObject,CryptMsgGetParam,CryptMsgGetParam,CertFindCertificateInStore,_invalid_parameter_noinfo_noreturn,	1_2_6A40F590

Uses 32bit PE files

Source: nitro_pro14.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP

Source: nitro_pro14.exe

Static PE information: certificate valid

Source: unknown

HTTPS traffic detected: 104.16.123.109:443 -> 192.168.2.4:49732 version: TLS 1.2

Source: nitro_pro14.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\build\nitroapp\vs2022-windows32\src\installer\bootstrapper\bootstrapper_dll\obj\Win32\Release\NitroBA.pdb source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000003.1700798161.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000001.00000002.2951735153.0000000006642000.00000002.00000001.01000000.0000000B.sdmp, nitro_pro14.exe, 00000001.00000003.1700853682.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, NitroBA.dll.1.dr
Source:	Binary string: C:\build\nitroapp\vs2022-windows32\src\installer\bootstrapper\page_transitions\obj\Win32\Release\PageTransitions.pdb source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2952860245.0000000006DF2000.00000002.00000001.01000000.0000000E.sdmp, PageTransitions.dll.1.dr
Source:	Binary string: ?\C:\Windows\dll\NitroBA.pdb source: nitro_pro14.exe, 00000001.00000002.2951818300.00000000067A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\NitroBA.pdbpdboBA.pdb source: nitro_pro14.exe, 00000001.00000003.1700853682.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\35\s\wix\build\ship\x86\burn.pdb source: nitro_pro14.exe, nitro_pro14.exe.0.dr
Source:	Binary string: C:\agent\_work\35\s\wix\build\obj\ship\x86\core\BootstrapperCore.pdb source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2951384555.0000000006202000.00000002.00000001.01000000.0000000A.sdmp, BootstrapperCore.dll.1.dr
Source:	Binary string: \??\C:\Windows\NitroBA.pdbw source: nitro_pro14.exe, 00000001.00000003.1700853682.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\35\s\wix\build\ship\x86\burn.pdb4 source: nitro_pro14.exe, nitro_pro14.exe.0.dr
Source:	Binary string: C:\build\nitroapp\vs2022-windows32\src\installer\bootstrapper\page_transitions\obj\Win32\Release\PageTransitions.pdbd\~\ p\_CorDllMainmscoree.dll source: nitro_pro14.exe, 00000001.00000002.2952860245.0000000006DF2000.00000002.00000001.01000000.0000000E.sdmp, PageTransitions.dll.1.dr
Source:	Binary string: C:\agent\_work\35\s\wix\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.1.dr
Source:	Binary string: \??\C:\Windows\NitroBA.pdb source: nitro_pro14.exe, 00000001.00000003.1700853682.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\35\s\wix\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: Microsoft.Deployment.WindowsInstaller.dll.1.dr
Source:	Binary string: C:\build\nitroapp\vs2022-windows32\bin\Release\metrics.pdb source: nitro_pro14.exe, 00000001.00000002.2956167840.000000006A4EA000.00000002.00000001.01000000.0000000D.sdmp, metrics.dll.1.dr
Source:	Binary string: C:\Users\lbugn\Documents\MVVMLight\GalaSoft.MvvmLight\GalaSoft.MvvmLight (NET4)\obj\Release\GalaSoft.MvvmLight.pdb source: nitro_pro14.exe, 00000001.00000002.2951653958.0000000006632000.00000002.00000001.01000000.0000000C.sdmp, GalaSoft.MvvmLight.dll.1.dr
Source:	Binary string: C:\agent\_work\35\s\wix\build\ship\x86\mbahost.pdb source: nitro_pro14.exe, 00000001.00000002.2956422927.000000006CC08000.00000002.00000001.01000000.00000007.sdmp, mbahost.dll.1.dr
Source:	Binary string: C:\Users\lbugn\Documents\MVVMLight\GalaSoft.MvvmLight\GalaSoft.MvvmLight (NET4)\obj\Release\GalaSoft.MvvmLight.pdb source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2951653958.0000000006632000.00000002.00000001.01000000.0000000C.sdmp, GalaSoft.MvvmLight.dll.1.dr
Source:	Binary string: C:\agent\_work\35\s\wix\build\ship\x86\WixStdBA.pdb source: mbapreq.dll.1.dr

Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000C3B2C FindFirstFileW,FindClose,	0_2_000C3B2C
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000FC1FF FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_000FC1FF
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000C1700 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose,	0_2_000C1700
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000DB76B FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	0_2_000DB76B
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A63B2C FindFirstFileW,FindClose,	1_2_00A63B2C
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A9C1FF FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00A9C1FF
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A61700 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose,	1_2_00A61700
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A7B76B FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	1_2_00A7B76B
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A4D48E0 _errno,malloc,_errno,memset,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,free,_errno,_errno,FindNextFileW,WideCharToMultiByte,_errno,	1_2_6A4D48E0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A4E175D ___std_fs_close_handle@4,FindFirstFileExW,GetLastError,	1_2_6A4E175D
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A4E1794 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,___std_fs_close_handle@4,	1_2_6A4E1794

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe

Code function: 4x nop then movd mm0, dword ptr [edx]

1_2_6A38CFF0

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: desktop.gonitro.com

Source: unknown

HTTP traffic detected: POST /v14.29.1.0/events HTTP/1.1Content-type: application/jsonUser-Agent: Nitro 14.29.1.0Host: desktop.gonitro.comContent-Length: 334Connection: Keep-AliveCache-Control: no-cache

Source: nitro_pro14.exe	String found in binary or memory: http://appsyndication.org/2006/appsyn
Source: nitro_pro14.exe, nitro_pro14.exe.0.dr	String found in binary or memory: http://appsyndication.org/2006/appsynapplicationc:
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, mbapreq.dll.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, mbahost.dll.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr, NitroBA.resources.dll1.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: mbapreq.dll.1.dr, mbahost.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, mbapreq.dll.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, mbahost.dll.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr, NitroBA.resources.dll1.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, mbapreq.dll.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, mbahost.dll.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr, NitroBA.resources.dll1.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: mbapreq.dll.1.dr, mbahost.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, NitroBA.resources.dll1.1.dr	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, NitroBA.resources.dll1.1.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, mbapreq.dll.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, mbahost.dll.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr, NitroBA.resources.dll1.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: mbapreq.dll.1.dr, mbahost.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, mbapreq.dll.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, mbahost.dll.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr, NitroBA.resources.dll1.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, mbapreq.dll.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, mbahost.dll.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr, NitroBA.resources.dll1.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: mbapreq.dll.1.dr, mbahost.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: mbapreq.dll.1.dr, mbahost.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, mbapreq.dll.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, mbahost.dll.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr, NitroBA.resources.dll1.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, mbapreq.dll.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, mbahost.dll.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr, NitroBA.resources.dll1.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: mbapreq.dll.1.dr, mbahost.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, mbapreq.dll.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, mbahost.dll.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr, NitroBA.resources.dll1.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, NitroBA.resources.dll1.1.dr	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, NitroBA.resources.dll1.1.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, NitroBA.resources.dll1.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, NitroBA.resources.dll1.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: nitro_pro14.exe	String found in binary or memory: http://wixtoolset.org/
Source: nitro_pro14.exe, 00000001.00000002.2951384555.0000000006202000.00000002.00000001.01000000.0000000A.sdmp, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr	String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2951384555.0000000006202000.00000002.00000001.01000000.0000000A.sdmp, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr	String found in binary or memory: http://wixtoolset.org/news/
Source: nitro_pro14.exe, Microsoft.Deployment.WindowsInstaller.dll.1.dr	String found in binary or memory: http://wixtoolset.org/releases/
Source: nitro_pro14.exe, 00000001.00000002.2951384555.0000000006202000.00000002.00000001.01000000.0000000A.sdmp, BootstrapperCore.dll.1.dr	String found in binary or memory: http://wixtoolset.org/releases/SCreating
Source: mbapreq.thm.1.dr	String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010
Source: nitro_pro14.exe	String found in binary or memory: http://wixtoolset.org/telemetry/v
Source: mbapreq.dll.1.dr, mbahost.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2951653958.0000000006632000.00000002.00000001.01000000.0000000C.sdmp, GalaSoft.MvvmLight.dll.1.dr	String found in binary or memory: http://www.galasoft.ch
Source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2951653958.0000000006632000.00000002.00000001.01000000.0000000C.sdmp, GalaSoft.MvvmLight.dll.1.dr	String found in binary or memory: http://www.galasoft.ch/s/dialogmessage.
Source: nitro_pro14.exe, 00000001.00000002.2951653958.0000000006632000.00000002.00000001.01000000.0000000C.sdmp, GalaSoft.MvvmLight.dll.1.dr	String found in binary or memory: http://www.galasoft.ch4
Source: nitro_pro14.exe, 00000001.00000002.2951681502.000000000663A000.00000002.00000001.01000000.0000000C.sdmp, GalaSoft.MvvmLight.dll.1.dr	String found in binary or memory: http://www.galasoft.chN
Source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2950609083.0000000004101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.gonitro.com/
Source: nitro_pro14.exe, 00000001.00000002.2951735153.0000000006642000.00000002.00000001.01000000.0000000B.sdmp, NitroBA.dll.1.dr	String found in binary or memory: http://www.gonitro.com///support/privacy-policy
Source: nitro_pro14.exe, 00000001.00000002.2950609083.0000000004526000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.gonitro.com/en/support/privacy-po
Source: nitro_pro14.exe, 00000001.00000002.2950609083.0000000004526000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.gonitro.com/en/support/privacy-policy
Source: nitro_pro14.exe, 00000001.00000002.2950609083.0000000004526000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.gonitro.com/en/support/privacy-policy09
Source: nitro_pro14.exe, 00000001.00000002.2950609083.0000000004101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.gonitro.com/en/support/privacy-policyx
Source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2951735153.0000000006642000.00000002.00000001.01000000.0000000B.sdmp, nitro_pro14.exe, 00000001.00000002.2950609083.0000000004101000.00000004.00000800.00020000.00000000.sdmp, NitroBA.dll.1.dr	String found in binary or memory: http://www.gonitro.com/services/linkredirector.aspx?lr_loc=
Source: nitro_pro14.exe, 00000001.00000002.2950609083.0000000004101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.gonitro.com/services/linkredirector.aspx?lr_loc=en&lr_src=retail&lr_prod=Professional&lr_
Source: nitro_pro14.exe	String found in binary or memory: http://www.google.com
Source: nitro_pro14.exe, 00000001.00000002.2951735153.0000000006642000.00000002.00000001.01000000.0000000B.sdmp, NitroBA.dll.1.dr	String found in binary or memory: http://www.google.com)WPD
Source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2956167840.000000006A4EA000.00000002.00000001.01000000.0000000D.sdmp, metrics.dll.1.dr	String found in binary or memory: https://desktop.gonitro.com
Source: nitro_pro14.exe, 00000001.00000002.2951818300.00000000067DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop.gonitro.com/
Source: nitro_pro14.exe, 00000001.00000002.2951818300.00000000067DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop.gonitro.com/M
Source: nitro_pro14.exe, 00000001.00000002.2951818300.00000000067DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop.gonitro.com/v14.29.1.0/events
Source: nitro_pro14.exe, 00000001.00000002.2951818300.00000000067DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop.gonitro.com/v14.29.1.0/events=
Source: nitro_pro14.exe, 00000001.00000002.2956167840.000000006A4EA000.00000002.00000001.01000000.0000000D.sdmp, metrics.dll.1.dr	String found in binary or memory: https://desktop.gonitro.comhttps://desktop.gonitrodev.commetrics.use_dev_servert
Source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2956167840.000000006A4EA000.00000002.00000001.01000000.0000000D.sdmp, metrics.dll.1.dr	String found in binary or memory: https://desktop.gonitrodev.com
Source: nitro_pro14.exe, 00000000.00000003.1689742811.0000000000E90000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000000.00000003.1689862045.0000000000E90000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000000.00000002.2947590094.0000000000E90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://downloads.gonitro.com/professional_14.29.1.0/en
Source: nitro_pro14.exe, 00000000.00000003.1689742811.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000000.00000003.1689862045.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000000.00000002.2947590094.0000000000E90000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000000.00000002.2948280651.0000000003400000.00000004.00000800.00020000.00000000.sdmp, nitro_pro14.exe, 00000001.00000002.2947992871.0000000000E2F000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000001.00000003.1696687450.0000000000E36000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000001.00000002.2950438684.00000000033F0000.00000004.00000800.00020000.00000000.sdmp, nitro_pro14.exe, 00000001.00000003.1696687450.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, BootstrapperApplicationData.xml.1.dr	String found in binary or memory: https://downloads.gonitro.com/professional_14.29.1.0/en/retail/nitro_pro14_ba_x64.msi
Source: nitro_pro14.exe, 00000000.00000003.1689742811.0000000000E90000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000000.00000003.1689862045.0000000000E90000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000000.00000002.2947590094.0000000000E90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: nitro_pro14.exe, 00000001.00000003.1696687450.0000000000E2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.microI
Source: mbapreq.dll.1.dr, mbahost.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr	String found in binary or memory: https://wixtoolset.org/
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, NitroBA.resources.dll1.1.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, NitroBA.resources.dll1.1.dr	String found in binary or memory: https://www.gonitro.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443

Source: unknown

HTTPS traffic detected: 104.16.123.109:443 -> 192.168.2.4:49732 version: TLS 1.2

Contains functionality to communicate with device drivers

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe

Code function: 1_2_6A40C340: MultiByteToWideChar,memset,MultiByteToWideChar,_invalid_parameter_noinfo_noreturn,DeviceIoControl,CloseHandle,std::_Xregex_error,fwrite,_errno,

1_2_6A40C340

Detected potential crypto function

Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000F712E	0_2_000F712E
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000F21D9	0_2_000F21D9
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000F24A0	0_2_000F24A0
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000F74BC	0_2_000F74BC
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000FA703	0_2_000FA703
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000F275B	0_2_000F275B
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000FEAE0	0_2_000FEAE0
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000F1BBD	0_2_000F1BBD
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000E5CCD	0_2_000E5CCD
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000EDD78	0_2_000EDD78
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000F1F2F	0_2_000F1F2F
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000FEF68	0_2_000FEF68
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000C7FA9	0_2_000C7FA9
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_00103FCA	0_2_00103FCA
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A921D9	1_2_00A921D9
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A9712E	1_2_00A9712E
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A924A0	1_2_00A924A0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A974BC	1_2_00A974BC
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A9A703	1_2_00A9A703
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A9275B	1_2_00A9275B
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A9EAE0	1_2_00A9EAE0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A91BBD	1_2_00A91BBD
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A85CCD	1_2_00A85CCD
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A8DD78	1_2_00A8DD78
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A67FA9	1_2_00A67FA9
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00AA3FCA	1_2_00AA3FCA
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A91F2F	1_2_00A91F2F
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A9EF68	1_2_00A9EF68
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_06642050	1_2_06642050
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_06647AC3	1_2_06647AC3
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_0664CD43	1_2_0664CD43
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_0664CD29	1_2_0664CD29
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_06DF2050	1_2_06DF2050
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A412EC0	1_2_6A412EC0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A415460	1_2_6A415460
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A383A9D	1_2_6A383A9D
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3B6AD0	1_2_6A3B6AD0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3E2B10	1_2_6A3E2B10
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A46FB00	1_2_6A46FB00
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A4708C0	1_2_6A4708C0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3EC8B0	1_2_6A3EC8B0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3E1880	1_2_6A3E1880
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A424940	1_2_6A424940
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3D2970	1_2_6A3D2970
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3F1950	1_2_6A3F1950
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A40EE50	1_2_6A40EE50
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A40BED0	1_2_6A40BED0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A409EA0	1_2_6A409EA0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3D2F20	1_2_6A3D2F20
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A38DF40	1_2_6A38DF40
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A42AC10	1_2_6A42AC10
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3EBC80	1_2_6A3EBC80
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A41CDE0	1_2_6A41CDE0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3EC210	1_2_6A3EC210
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A42B220	1_2_6A42B220
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3D7250	1_2_6A3D7250
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A426290	1_2_6A426290
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3F72D0	1_2_6A3F72D0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A4423A0	1_2_6A4423A0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A381000	1_2_6A381000
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3D50A0	1_2_6A3D50A0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3D40C0	1_2_6A3D40C0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A423120	1_2_6A423120
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A415630	1_2_6A415630
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A42A6F0	1_2_6A42A6F0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3D6720	1_2_6A3D6720
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3D9710	1_2_6A3D9710
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A43F700	1_2_6A43F700
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A46F430	1_2_6A46F430
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A4194D0	1_2_6A4194D0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3D6480	1_2_6A3D6480
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3B6540	1_2_6A3B6540
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A422580	1_2_6A422580
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A46E590	1_2_6A46E590
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3D35E0	1_2_6A3D35E0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6CBF9E1C	1_2_6CBF9E1C
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6CC00738	1_2_6CC00738
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6CBF9A8E	1_2_6CBF9A8E
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6CC002B0	1_2_6CC002B0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6CC063CE	1_2_6CC063CE
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6CBFC3AC	1_2_6CBFC3AC
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_06648703	1_2_06648703
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_06647E1C	1_2_06647E1C

Found potential string decryption / allocating functions

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: String function: 00AA534A appears 683 times
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: String function: 6A3E7AD0 appears 108 times
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: String function: 6A3E31A0 appears 87 times
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: String function: 00A613B3 appears 501 times
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: String function: 6A4E0A30 appears 50 times
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: String function: 6CBF4460 appears 34 times
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: String function: 00AA78B5 appears 79 times
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: String function: 6A42DE20 appears 55 times
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: String function: 00A629F6 appears 54 times
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: String function: 00AA5831 appears 34 times
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: String function: 00A90AC0 appears 33 times
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: String function: 6A400440 appears 48 times
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: String function: 000F0AC0 appears 33 times
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: String function: 001078B5 appears 79 times
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: String function: 000C29F6 appears 54 times
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: String function: 00105831 appears 34 times
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: String function: 000C13B3 appears 501 times
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: String function: 0010534A appears 683 times

Sample file is different than original file name gathered from version info

Source: nitro_pro14.exe	Binary or memory string: OriginalFilename vs nitro_pro14.exe
Source: nitro_pro14.exe, 00000001.00000002.2947992871.0000000000DE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs nitro_pro14.exe
Source: nitro_pro14.exe, 00000001.00000002.2952860245.0000000006DF2000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: OriginalFilenamePageTransitions.dll@ vs nitro_pro14.exe
Source: nitro_pro14.exe, 00000001.00000002.2951681502.000000000663A000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilenameGalaSoft.MvvmLight.dllF vs nitro_pro14.exe
Source: nitro_pro14.exe, 00000001.00000002.2951735153.0000000006642000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilenameNitroBA.dll< vs nitro_pro14.exe
Source: nitro_pro14.exe, 00000001.00000002.2956473751.000000006CC12000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenamembahost.dll\ vs nitro_pro14.exe
Source: nitro_pro14.exe, 00000001.00000002.2951420115.0000000006214000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilenameBootstrapperCore.dll\ vs nitro_pro14.exe
Source: nitro_pro14.exe, 00000001.00000002.2956329196.000000006A565000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: OriginalFilenamemetrics< vs nitro_pro14.exe

Uses 32bit PE files

Source: nitro_pro14.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP

Source: classification engine

Classification label: sus25.evad.winEXE@3/51@1/1

Source: C:\Users\user\Desktop\nitro_pro14.exe

Code function: 0_2_000C2A4C FormatMessageW,GetLastError,LocalFree,

0_2_000C2A4C

Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000C62C2 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,		0_2_000C62C2
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A662C2 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,		1_2_00A662C2

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe

Code function: 1_2_6A414060 CreateToolhelp32Snapshot,CloseHandle,_CxxThrowException,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next,

1_2_6A414060

Source: C:\Users\user\Desktop\nitro_pro14.exe

Code function: 0_2_00107615 GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess,

0_2_00107615

Source: C:\Users\user\Desktop\nitro_pro14.exe

Code function: 0_2_000E864A ChangeServiceConfigW,GetLastError,

0_2_000E864A

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe

File created: C:\Users\user\AppData\Roaming\Nitro

Jump to behavior

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\nitro_pro14.exe

File created: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\

Jump to behavior

Source: C:\Users\user\Desktop\nitro_pro14.exe	Command line argument: cabinet.dll	0_2_000C10E1
Source: C:\Users\user\Desktop\nitro_pro14.exe	Command line argument: msi.dll	0_2_000C10E1
Source: C:\Users\user\Desktop\nitro_pro14.exe	Command line argument: version.dll	0_2_000C10E1
Source: C:\Users\user\Desktop\nitro_pro14.exe	Command line argument: wininet.dll	0_2_000C10E1
Source: C:\Users\user\Desktop\nitro_pro14.exe	Command line argument: comres.dll	0_2_000C10E1
Source: C:\Users\user\Desktop\nitro_pro14.exe	Command line argument: clbcatq.dll	0_2_000C10E1
Source: C:\Users\user\Desktop\nitro_pro14.exe	Command line argument: msasn1.dll	0_2_000C10E1
Source: C:\Users\user\Desktop\nitro_pro14.exe	Command line argument: crypt32.dll	0_2_000C10E1
Source: C:\Users\user\Desktop\nitro_pro14.exe	Command line argument: feclient.dll	0_2_000C10E1
Source: C:\Users\user\Desktop\nitro_pro14.exe	Command line argument: cabinet.dll	0_2_000C10E1
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Command line argument: cabinet.dll	1_2_00A610E1
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Command line argument: msi.dll	1_2_00A610E1
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Command line argument: version.dll	1_2_00A610E1
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Command line argument: wininet.dll	1_2_00A610E1
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Command line argument: comres.dll	1_2_00A610E1
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Command line argument: clbcatq.dll	1_2_00A610E1
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Command line argument: msasn1.dll	1_2_00A610E1
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Command line argument: crypt32.dll	1_2_00A610E1
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Command line argument: feclient.dll	1_2_00A610E1
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Command line argument: cabinet.dll	1_2_00A610E1

Source: nitro_pro14.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\nitro_pro14.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: nitro_pro14.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: nitro_pro14.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: nitro_pro14.exe	String found in binary or memory: resources/nitro-installer-convert.png
Source: nitro_pro14.exe	String found in binary or memory: resources/nitro-installer-devices.png
Source: nitro_pro14.exe	String found in binary or memory: resources/nitro-installer-customer-logos.png
Source: nitro_pro14.exe	String found in binary or memory: resources/nitro-installer-edit.png
Source: nitro_pro14.exe	String found in binary or memory: resources/nitro-installer-sign.png
Source: nitro_pro14.exe	String found in binary or memory: resources/nitro-installer-office-scene.png
Source: nitro_pro14.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls

Source: C:\Users\user\Desktop\nitro_pro14.exe

File read: C:\Users\user\Desktop\nitro_pro14.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\nitro_pro14.exe "C:\Users\user\Desktop\nitro_pro14.exe"
Source: C:\Users\user\Desktop\nitro_pro14.exe	Process created: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe "C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe" -burn.clean.room="C:\Users\user\Desktop\nitro_pro14.exe" -burn.filehandle.attached=652 -burn.filehandle.self=680
Source: C:\Users\user\Desktop\nitro_pro14.exe	Process created: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe "C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe" -burn.clean.room="C:\Users\user\Desktop\nitro_pro14.exe" -burn.filehandle.attached=652 -burn.filehandle.self=680	Jump to behavior

Source: C:\Users\user\Desktop\nitro_pro14.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\nitro_pro14.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\nitro_pro14.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nitro_pro14.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\nitro_pro14.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\nitro_pro14.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Users\user\Desktop\nitro_pro14.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\nitro_pro14.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nitro_pro14.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nitro_pro14.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\nitro_pro14.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\nitro_pro14.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: msvcp140_atomic_wait.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: mfc140u.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: concrt140.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: msctfui.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\nitro_pro14.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: nitro_pro14.exe

Static PE information: certificate valid

Source: nitro_pro14.exe

Static file information: File size 2457960 > 1048576

Source: nitro_pro14.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: nitro_pro14.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: nitro_pro14.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: nitro_pro14.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: nitro_pro14.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: nitro_pro14.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: nitro_pro14.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: nitro_pro14.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\build\nitroapp\vs2022-windows32\src\installer\bootstrapper\bootstrapper_dll\obj\Win32\Release\NitroBA.pdb source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000003.1700798161.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000001.00000002.2951735153.0000000006642000.00000002.00000001.01000000.0000000B.sdmp, nitro_pro14.exe, 00000001.00000003.1700853682.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, NitroBA.dll.1.dr
Source:	Binary string: C:\build\nitroapp\vs2022-windows32\src\installer\bootstrapper\page_transitions\obj\Win32\Release\PageTransitions.pdb source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2952860245.0000000006DF2000.00000002.00000001.01000000.0000000E.sdmp, PageTransitions.dll.1.dr
Source:	Binary string: ?\C:\Windows\dll\NitroBA.pdb source: nitro_pro14.exe, 00000001.00000002.2951818300.00000000067A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\NitroBA.pdbpdboBA.pdb source: nitro_pro14.exe, 00000001.00000003.1700853682.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\35\s\wix\build\ship\x86\burn.pdb source: nitro_pro14.exe, nitro_pro14.exe.0.dr
Source:	Binary string: C:\agent\_work\35\s\wix\build\obj\ship\x86\core\BootstrapperCore.pdb source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2951384555.0000000006202000.00000002.00000001.01000000.0000000A.sdmp, BootstrapperCore.dll.1.dr
Source:	Binary string: \??\C:\Windows\NitroBA.pdbw source: nitro_pro14.exe, 00000001.00000003.1700853682.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\35\s\wix\build\ship\x86\burn.pdb4 source: nitro_pro14.exe, nitro_pro14.exe.0.dr
Source:	Binary string: C:\build\nitroapp\vs2022-windows32\src\installer\bootstrapper\page_transitions\obj\Win32\Release\PageTransitions.pdbd\~\ p\_CorDllMainmscoree.dll source: nitro_pro14.exe, 00000001.00000002.2952860245.0000000006DF2000.00000002.00000001.01000000.0000000E.sdmp, PageTransitions.dll.1.dr
Source:	Binary string: C:\agent\_work\35\s\wix\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.1.dr
Source:	Binary string: \??\C:\Windows\NitroBA.pdb source: nitro_pro14.exe, 00000001.00000003.1700853682.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\35\s\wix\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: Microsoft.Deployment.WindowsInstaller.dll.1.dr
Source:	Binary string: C:\build\nitroapp\vs2022-windows32\bin\Release\metrics.pdb source: nitro_pro14.exe, 00000001.00000002.2956167840.000000006A4EA000.00000002.00000001.01000000.0000000D.sdmp, metrics.dll.1.dr
Source:	Binary string: C:\Users\lbugn\Documents\MVVMLight\GalaSoft.MvvmLight\GalaSoft.MvvmLight (NET4)\obj\Release\GalaSoft.MvvmLight.pdb source: nitro_pro14.exe, 00000001.00000002.2951653958.0000000006632000.00000002.00000001.01000000.0000000C.sdmp, GalaSoft.MvvmLight.dll.1.dr
Source:	Binary string: C:\agent\_work\35\s\wix\build\ship\x86\mbahost.pdb source: nitro_pro14.exe, 00000001.00000002.2956422927.000000006CC08000.00000002.00000001.01000000.00000007.sdmp, mbahost.dll.1.dr
Source:	Binary string: C:\Users\lbugn\Documents\MVVMLight\GalaSoft.MvvmLight\GalaSoft.MvvmLight (NET4)\obj\Release\GalaSoft.MvvmLight.pdb source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2951653958.0000000006632000.00000002.00000001.01000000.0000000C.sdmp, GalaSoft.MvvmLight.dll.1.dr
Source:	Binary string: C:\agent\_work\35\s\wix\build\ship\x86\WixStdBA.pdb source: mbapreq.dll.1.dr

Source: nitro_pro14.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: nitro_pro14.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: nitro_pro14.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: nitro_pro14.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: nitro_pro14.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

PE file contains sections with non-standard names

Source: nitro_pro14.exe	Static PE information: section name: .wixburn
Source: nitro_pro14.exe.0.dr	Static PE information: section name: .wixburn

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000F0B06 push ecx; ret	0_2_000F0B19
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_0010CCD3 push ecx; ret	0_2_0010CCE6
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A90B06 push ecx; ret	1_2_00A90B19
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00AACCD3 push ecx; ret	1_2_00AACCE6
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_06635B25 push es; ret	1_2_06635B2A
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A4E0E28 push ecx; ret	1_2_6A4E0E3B
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A382C10 push 89084589h; iretd	1_2_6A382C15
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6CBF44A6 push ecx; ret	1_2_6CBF44B9
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6CC06AE3 push ecx; ret	1_2_6CC06AF6
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_031A6590 pushad ; iretd	1_2_031A6591
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_031A7590 push es; ret	1_2_031A75A0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_031AD5F0 push E8717814h; iretd	1_2_031AD5F5
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_031AB440 push esp; retf	1_2_031AB449
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_031A6B15 pushfd ; iretd	1_2_031A6B19
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_031AAF4B pushad ; iretd	1_2_031AAF59
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_031AAF7B pushfd ; iretd	1_2_031AAF89

Source: NitroBA.dll.1.dr	Static PE information: section name: .text entropy: 7.17009385214746
Source: metrics.dll.1.dr	Static PE information: section name: .text entropy: 6.950457755326262

Drops PE files

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\de\NitroBA.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nitro_pro14.exe	File created: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\fr\NitroBA.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\PageTransitions.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\it\NitroBA.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\nl\NitroBA.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\BootstrapperCore.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\mbapreq.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\es\NitroBA.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\mbahost.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\metrics.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\GalaSoft.MvvmLight.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\NitroBA.dll	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\de\NitroBA.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nitro_pro14.exe	File created: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\fr\NitroBA.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\PageTransitions.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\it\NitroBA.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\nl\NitroBA.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\BootstrapperCore.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\mbapreq.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\es\NitroBA.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\mbahost.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\metrics.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\GalaSoft.MvvmLight.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\NitroBA.dll	Jump to dropped file

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Memory allocated: 2DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Memory allocated: 4100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Memory allocated: 32F0000 memory reserve \| memory write watch	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe

Code function: 1_2_6A381A90 rdtsc

1_2_6A381A90

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe

Code function: 1_2_6A414060 CreateToolhelp32Snapshot,CloseHandle,_CxxThrowException,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next,

1_2_6A414060

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe

Window / User API: threadDelayed 405

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Dropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\de\NitroBA.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Dropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\fr\NitroBA.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Dropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\PageTransitions.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Dropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\it\NitroBA.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Dropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\nl\NitroBA.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Dropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Dropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\BootstrapperCore.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Dropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\mbapreq.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Dropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\es\NitroBA.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Dropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\mbahost.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Dropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\metrics.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Dropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\GalaSoft.MvvmLight.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Dropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\NitroBA.dll	Jump to dropped file

Found evasive API chain checking for process token information

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\nitro_pro14.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\nitro_pro14.exe

API coverage: 9.1 %

Uses the system / local time for branch decision (may execute only at specific dates)

Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_00104FD0 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 0010506Bh	0_2_00104FD0
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_00104FD0 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00105064h	0_2_00104FD0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00AA4FD0 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00AA506Bh	1_2_00AA4FD0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00AA4FD0 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00AA5064h	1_2_00AA4FD0

Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000C3B2C FindFirstFileW,FindClose,	0_2_000C3B2C
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000FC1FF FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_000FC1FF
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000C1700 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose,	0_2_000C1700
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000DB76B FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	0_2_000DB76B
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A63B2C FindFirstFileW,FindClose,	1_2_00A63B2C
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A9C1FF FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00A9C1FF
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A61700 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose,	1_2_00A61700
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A7B76B FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	1_2_00A7B76B
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A4D48E0 _errno,malloc,_errno,memset,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,free,_errno,_errno,FindNextFileW,WideCharToMultiByte,_errno,	1_2_6A4D48E0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A4E175D ___std_fs_close_handle@4,FindFirstFileExW,GetLastError,	1_2_6A4E175D
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A4E1794 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,___std_fs_close_handle@4,	1_2_6A4E1794

Source: C:\Users\user\Desktop\nitro_pro14.exe

Code function: 0_2_000EFB9C VirtualQuery,GetSystemInfo,

0_2_000EFB9C

Source: nitro_pro14.exe, 00000001.00000003.2197325293.0000000006819000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000001.00000002.2951818300.00000000067DF000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000001.00000002.2951818300.0000000006819000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: nitro_pro14.exe, 00000001.00000003.2197325293.0000000006819000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000001.00000002.2951818300.0000000006819000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnqZ

Source: C:\Users\user\Desktop\nitro_pro14.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\nitro_pro14.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	API call chain: ExitProcess graph end node

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A381A90		1_2_6A381A90
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A381B00		1_2_6A381B00

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe

Code function: 1_2_6A381A90 rdtsc

1_2_6A381A90

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\nitro_pro14.exe

Code function: 0_2_000F84A7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_000F84A7

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe

Code function: 1_2_6A414060 CreateToolhelp32Snapshot,CloseHandle,_CxxThrowException,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next,

1_2_6A414060

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000F9808 mov ecx, dword ptr fs:[00000030h]	0_2_000F9808
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000FCF2C mov eax, dword ptr fs:[00000030h]	0_2_000FCF2C
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A99808 mov ecx, dword ptr fs:[00000030h]	1_2_00A99808
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A9CF2C mov eax, dword ptr fs:[00000030h]	1_2_00A9CF2C
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6CBFDCB7 mov eax, dword ptr fs:[00000030h]	1_2_6CBFDCB7
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6CBFB3F1 mov ecx, dword ptr fs:[00000030h]	1_2_6CBFB3F1

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\nitro_pro14.exe

Code function: 0_2_000C50E9 GetProcessHeap,RtlAllocateHeap,

0_2_000C50E9

Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000F03A9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_000F03A9
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000F84A7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000F84A7
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000F0874 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000F0874
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000F0A07 SetUnhandledExceptionFilter,	0_2_000F0A07
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A903A9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00A903A9
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A984A7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00A984A7
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A90874 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00A90874
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A90A07 SetUnhandledExceptionFilter,	1_2_00A90A07
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A4E0B10 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_6A4E0B10
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A4E0F75 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_6A4E0F75
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6CBF44BC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_6CBF44BC
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6CBFAC7C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_6CBFAC7C
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6CBF42E6 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_6CBF42E6

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe

Memory allocated: page read and write | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\nitro_pro14.exe

Process created: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe "C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe" -burn.clean.room="C:\Users\user\Desktop\nitro_pro14.exe" -burn.filehandle.attached=652 -burn.filehandle.self=680

Jump to behavior

Source: C:\Users\user\Desktop\nitro_pro14.exe

Code function: 0_2_00105CFE InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree,

0_2_00105CFE

Source: C:\Users\user\Desktop\nitro_pro14.exe

Code function: 0_2_0010801A AllocateAndInitializeSid,CheckTokenMembership,

0_2_0010801A

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\nitro_pro14.exe

Code function: 0_2_000F0C37 cpuid

0_2_000F0C37

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe

Code function: GetLocaleInfoEx,FormatMessageA,

1_2_6A4E14CD

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\BootstrapperCore.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\NitroBA.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\GalaSoft.MvvmLight.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Users\user\AppData\Roaming\Nitro\PDF Pro\14 VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\PageTransitions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\nitro_pro14.exe

Code function: 0_2_000D6BA2 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,

0_2_000D6BA2

Source: C:\Users\user\Desktop\nitro_pro14.exe

Code function: 0_2_001092A6 GetSystemTimeAsFileTime,

0_2_001092A6

Source: C:\Users\user\Desktop\nitro_pro14.exe

Code function: 0_2_000C7E8C GetUserNameW,GetLastError,

0_2_000C7E8C

Source: C:\Users\user\Desktop\nitro_pro14.exe

Code function: 0_2_0010BDED GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,

0_2_0010BDED

Source: C:\Users\user\Desktop\nitro_pro14.exe

Code function: 0_2_000C6E5B GetModuleHandleW,CoInitializeEx,GetVersionExW,GetLastError,CoUninitialize,

0_2_000C6E5B

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.16.123.109	desktop.gonitro.com	United States		13335	CLOUDFLARENETUS	false

Contacted Domains

Name	IP	Active
desktop.gonitro.com	104.16.123.109	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://desktop.gonitro.com/v14.29.1.0/events	false	0%, Virustotal, Browse	unknown

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000DBCDD DecryptFileW,	0_2_000DBCDD
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000DBAC2 DecryptFileW,DecryptFileW,	0_2_000DBAC2
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_00104B6F CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	0_2_00104B6F
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A7BCDD DecryptFileW,	1_2_00A7BCDD
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A7BAC2 DecryptFileW,DecryptFileW,	1_2_00A7BAC2
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00AA4B6F CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	1_2_00AA4B6F
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A4578D0 MultiByteToWideChar,MultiByteToWideChar,CryptAcquireContextW,CryptReleaseContext,GetLastError,	1_2_6A4578D0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A459330 MultiByteToWideChar,MultiByteToWideChar,GetLastError,CryptAcquireContextW,CryptGetProvParam,GetLastError,CryptReleaseContext,CryptGetProvParam,GetLastError,CryptReleaseContext,	1_2_6A459330
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A458500 CryptAcquireContextW,GetLastError,CryptGetUserKey,CryptReleaseContext,	1_2_6A458500
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A40F590 CryptQueryObject,CryptMsgGetParam,CryptMsgGetParam,CertFindCertificateInStore,_invalid_parameter_noinfo_noreturn,	1_2_6A40F590

Uses 32bit PE files

Source: nitro_pro14.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP

Source: nitro_pro14.exe

Static PE information: certificate valid

Source: unknown

HTTPS traffic detected: 104.16.123.109:443 -> 192.168.2.4:49732 version: TLS 1.2

Source: nitro_pro14.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\build\nitroapp\vs2022-windows32\src\installer\bootstrapper\bootstrapper_dll\obj\Win32\Release\NitroBA.pdb source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000003.1700798161.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000001.00000002.2951735153.0000000006642000.00000002.00000001.01000000.0000000B.sdmp, nitro_pro14.exe, 00000001.00000003.1700853682.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, NitroBA.dll.1.dr
Source:	Binary string: C:\build\nitroapp\vs2022-windows32\src\installer\bootstrapper\page_transitions\obj\Win32\Release\PageTransitions.pdb source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2952860245.0000000006DF2000.00000002.00000001.01000000.0000000E.sdmp, PageTransitions.dll.1.dr
Source:	Binary string: ?\C:\Windows\dll\NitroBA.pdb source: nitro_pro14.exe, 00000001.00000002.2951818300.00000000067A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\NitroBA.pdbpdboBA.pdb source: nitro_pro14.exe, 00000001.00000003.1700853682.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\35\s\wix\build\ship\x86\burn.pdb source: nitro_pro14.exe, nitro_pro14.exe.0.dr
Source:	Binary string: C:\agent\_work\35\s\wix\build\obj\ship\x86\core\BootstrapperCore.pdb source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2951384555.0000000006202000.00000002.00000001.01000000.0000000A.sdmp, BootstrapperCore.dll.1.dr
Source:	Binary string: \??\C:\Windows\NitroBA.pdbw source: nitro_pro14.exe, 00000001.00000003.1700853682.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\35\s\wix\build\ship\x86\burn.pdb4 source: nitro_pro14.exe, nitro_pro14.exe.0.dr
Source:	Binary string: C:\build\nitroapp\vs2022-windows32\src\installer\bootstrapper\page_transitions\obj\Win32\Release\PageTransitions.pdbd\~\ p\_CorDllMainmscoree.dll source: nitro_pro14.exe, 00000001.00000002.2952860245.0000000006DF2000.00000002.00000001.01000000.0000000E.sdmp, PageTransitions.dll.1.dr
Source:	Binary string: C:\agent\_work\35\s\wix\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.1.dr
Source:	Binary string: \??\C:\Windows\NitroBA.pdb source: nitro_pro14.exe, 00000001.00000003.1700853682.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\35\s\wix\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: Microsoft.Deployment.WindowsInstaller.dll.1.dr
Source:	Binary string: C:\build\nitroapp\vs2022-windows32\bin\Release\metrics.pdb source: nitro_pro14.exe, 00000001.00000002.2956167840.000000006A4EA000.00000002.00000001.01000000.0000000D.sdmp, metrics.dll.1.dr
Source:	Binary string: C:\Users\lbugn\Documents\MVVMLight\GalaSoft.MvvmLight\GalaSoft.MvvmLight (NET4)\obj\Release\GalaSoft.MvvmLight.pdb source: nitro_pro14.exe, 00000001.00000002.2951653958.0000000006632000.00000002.00000001.01000000.0000000C.sdmp, GalaSoft.MvvmLight.dll.1.dr
Source:	Binary string: C:\agent\_work\35\s\wix\build\ship\x86\mbahost.pdb source: nitro_pro14.exe, 00000001.00000002.2956422927.000000006CC08000.00000002.00000001.01000000.00000007.sdmp, mbahost.dll.1.dr
Source:	Binary string: C:\Users\lbugn\Documents\MVVMLight\GalaSoft.MvvmLight\GalaSoft.MvvmLight (NET4)\obj\Release\GalaSoft.MvvmLight.pdb source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2951653958.0000000006632000.00000002.00000001.01000000.0000000C.sdmp, GalaSoft.MvvmLight.dll.1.dr
Source:	Binary string: C:\agent\_work\35\s\wix\build\ship\x86\WixStdBA.pdb source: mbapreq.dll.1.dr

Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000C3B2C FindFirstFileW,FindClose,	0_2_000C3B2C
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000FC1FF FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_000FC1FF
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000C1700 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose,	0_2_000C1700
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000DB76B FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	0_2_000DB76B
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A63B2C FindFirstFileW,FindClose,	1_2_00A63B2C
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A9C1FF FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00A9C1FF
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A61700 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose,	1_2_00A61700
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A7B76B FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	1_2_00A7B76B
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A4D48E0 _errno,malloc,_errno,memset,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,free,_errno,_errno,FindNextFileW,WideCharToMultiByte,_errno,	1_2_6A4D48E0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A4E175D ___std_fs_close_handle@4,FindFirstFileExW,GetLastError,	1_2_6A4E175D
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A4E1794 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,___std_fs_close_handle@4,	1_2_6A4E1794

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe

Code function: 4x nop then movd mm0, dword ptr [edx]

1_2_6A38CFF0

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: desktop.gonitro.com

Source: unknown

Source: nitro_pro14.exe	String found in binary or memory: http://appsyndication.org/2006/appsyn
Source: nitro_pro14.exe, nitro_pro14.exe.0.dr	String found in binary or memory: http://appsyndication.org/2006/appsynapplicationc:
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, mbapreq.dll.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, mbahost.dll.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr, NitroBA.resources.dll1.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: mbapreq.dll.1.dr, mbahost.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, mbapreq.dll.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, mbahost.dll.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr, NitroBA.resources.dll1.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, mbapreq.dll.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, mbahost.dll.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr, NitroBA.resources.dll1.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: mbapreq.dll.1.dr, mbahost.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, NitroBA.resources.dll1.1.dr	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, NitroBA.resources.dll1.1.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, mbapreq.dll.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, mbahost.dll.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr, NitroBA.resources.dll1.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: mbapreq.dll.1.dr, mbahost.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, mbapreq.dll.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, mbahost.dll.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr, NitroBA.resources.dll1.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, mbapreq.dll.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, mbahost.dll.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr, NitroBA.resources.dll1.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: mbapreq.dll.1.dr, mbahost.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: mbapreq.dll.1.dr, mbahost.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, mbapreq.dll.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, mbahost.dll.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr, NitroBA.resources.dll1.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, mbapreq.dll.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, mbahost.dll.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr, NitroBA.resources.dll1.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: mbapreq.dll.1.dr, mbahost.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, mbapreq.dll.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, mbahost.dll.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr, NitroBA.resources.dll1.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, NitroBA.resources.dll1.1.dr	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, NitroBA.resources.dll1.1.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, NitroBA.resources.dll1.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, NitroBA.resources.dll1.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: nitro_pro14.exe	String found in binary or memory: http://wixtoolset.org/
Source: nitro_pro14.exe, 00000001.00000002.2951384555.0000000006202000.00000002.00000001.01000000.0000000A.sdmp, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr	String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2951384555.0000000006202000.00000002.00000001.01000000.0000000A.sdmp, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr	String found in binary or memory: http://wixtoolset.org/news/
Source: nitro_pro14.exe, Microsoft.Deployment.WindowsInstaller.dll.1.dr	String found in binary or memory: http://wixtoolset.org/releases/
Source: nitro_pro14.exe, 00000001.00000002.2951384555.0000000006202000.00000002.00000001.01000000.0000000A.sdmp, BootstrapperCore.dll.1.dr	String found in binary or memory: http://wixtoolset.org/releases/SCreating
Source: mbapreq.thm.1.dr	String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010
Source: nitro_pro14.exe	String found in binary or memory: http://wixtoolset.org/telemetry/v
Source: mbapreq.dll.1.dr, mbahost.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2951653958.0000000006632000.00000002.00000001.01000000.0000000C.sdmp, GalaSoft.MvvmLight.dll.1.dr	String found in binary or memory: http://www.galasoft.ch
Source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2951653958.0000000006632000.00000002.00000001.01000000.0000000C.sdmp, GalaSoft.MvvmLight.dll.1.dr	String found in binary or memory: http://www.galasoft.ch/s/dialogmessage.
Source: nitro_pro14.exe, 00000001.00000002.2951653958.0000000006632000.00000002.00000001.01000000.0000000C.sdmp, GalaSoft.MvvmLight.dll.1.dr	String found in binary or memory: http://www.galasoft.ch4
Source: nitro_pro14.exe, 00000001.00000002.2951681502.000000000663A000.00000002.00000001.01000000.0000000C.sdmp, GalaSoft.MvvmLight.dll.1.dr	String found in binary or memory: http://www.galasoft.chN
Source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2950609083.0000000004101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.gonitro.com/
Source: nitro_pro14.exe, 00000001.00000002.2951735153.0000000006642000.00000002.00000001.01000000.0000000B.sdmp, NitroBA.dll.1.dr	String found in binary or memory: http://www.gonitro.com///support/privacy-policy
Source: nitro_pro14.exe, 00000001.00000002.2950609083.0000000004526000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.gonitro.com/en/support/privacy-po
Source: nitro_pro14.exe, 00000001.00000002.2950609083.0000000004526000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.gonitro.com/en/support/privacy-policy
Source: nitro_pro14.exe, 00000001.00000002.2950609083.0000000004526000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.gonitro.com/en/support/privacy-policy09
Source: nitro_pro14.exe, 00000001.00000002.2950609083.0000000004101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.gonitro.com/en/support/privacy-policyx
Source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2951735153.0000000006642000.00000002.00000001.01000000.0000000B.sdmp, nitro_pro14.exe, 00000001.00000002.2950609083.0000000004101000.00000004.00000800.00020000.00000000.sdmp, NitroBA.dll.1.dr	String found in binary or memory: http://www.gonitro.com/services/linkredirector.aspx?lr_loc=
Source: nitro_pro14.exe, 00000001.00000002.2950609083.0000000004101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.gonitro.com/services/linkredirector.aspx?lr_loc=en&lr_src=retail&lr_prod=Professional&lr_
Source: nitro_pro14.exe	String found in binary or memory: http://www.google.com
Source: nitro_pro14.exe, 00000001.00000002.2951735153.0000000006642000.00000002.00000001.01000000.0000000B.sdmp, NitroBA.dll.1.dr	String found in binary or memory: http://www.google.com)WPD
Source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2956167840.000000006A4EA000.00000002.00000001.01000000.0000000D.sdmp, metrics.dll.1.dr	String found in binary or memory: https://desktop.gonitro.com
Source: nitro_pro14.exe, 00000001.00000002.2951818300.00000000067DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop.gonitro.com/
Source: nitro_pro14.exe, 00000001.00000002.2951818300.00000000067DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop.gonitro.com/M
Source: nitro_pro14.exe, 00000001.00000002.2951818300.00000000067DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop.gonitro.com/v14.29.1.0/events
Source: nitro_pro14.exe, 00000001.00000002.2951818300.00000000067DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop.gonitro.com/v14.29.1.0/events=
Source: nitro_pro14.exe, 00000001.00000002.2956167840.000000006A4EA000.00000002.00000001.01000000.0000000D.sdmp, metrics.dll.1.dr	String found in binary or memory: https://desktop.gonitro.comhttps://desktop.gonitrodev.commetrics.use_dev_servert
Source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2956167840.000000006A4EA000.00000002.00000001.01000000.0000000D.sdmp, metrics.dll.1.dr	String found in binary or memory: https://desktop.gonitrodev.com
Source: nitro_pro14.exe, 00000000.00000003.1689742811.0000000000E90000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000000.00000003.1689862045.0000000000E90000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000000.00000002.2947590094.0000000000E90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://downloads.gonitro.com/professional_14.29.1.0/en
Source: nitro_pro14.exe, 00000000.00000003.1689742811.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000000.00000003.1689862045.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000000.00000002.2947590094.0000000000E90000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000000.00000002.2948280651.0000000003400000.00000004.00000800.00020000.00000000.sdmp, nitro_pro14.exe, 00000001.00000002.2947992871.0000000000E2F000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000001.00000003.1696687450.0000000000E36000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000001.00000002.2950438684.00000000033F0000.00000004.00000800.00020000.00000000.sdmp, nitro_pro14.exe, 00000001.00000003.1696687450.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, BootstrapperApplicationData.xml.1.dr	String found in binary or memory: https://downloads.gonitro.com/professional_14.29.1.0/en/retail/nitro_pro14_ba_x64.msi
Source: nitro_pro14.exe, 00000000.00000003.1689742811.0000000000E90000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000000.00000003.1689862045.0000000000E90000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000000.00000002.2947590094.0000000000E90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: nitro_pro14.exe, 00000001.00000003.1696687450.0000000000E2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.microI
Source: mbapreq.dll.1.dr, mbahost.dll.1.dr, Microsoft.Deployment.WindowsInstaller.dll.1.dr, BootstrapperCore.dll.1.dr	String found in binary or memory: https://wixtoolset.org/
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, NitroBA.resources.dll1.1.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: nitro_pro14.exe, NitroBA.resources.dll0.1.dr, NitroBA.resources.dll2.1.dr, GalaSoft.MvvmLight.dll.1.dr, nitro_pro14.exe.0.dr, NitroBA.resources.dll3.1.dr, metrics.dll.1.dr, NitroBA.resources.dll.1.dr, PageTransitions.dll.1.dr, NitroBA.dll.1.dr, NitroBA.resources.dll1.1.dr	String found in binary or memory: https://www.gonitro.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443

Source: unknown

HTTPS traffic detected: 104.16.123.109:443 -> 192.168.2.4:49732 version: TLS 1.2

Contains functionality to communicate with device drivers

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe

Code function: 1_2_6A40C340: MultiByteToWideChar,memset,MultiByteToWideChar,_invalid_parameter_noinfo_noreturn,DeviceIoControl,CloseHandle,std::_Xregex_error,fwrite,_errno,

1_2_6A40C340

Detected potential crypto function

Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000F712E	0_2_000F712E
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000F21D9	0_2_000F21D9
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000F24A0	0_2_000F24A0
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000F74BC	0_2_000F74BC
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000FA703	0_2_000FA703
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000F275B	0_2_000F275B
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000FEAE0	0_2_000FEAE0
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000F1BBD	0_2_000F1BBD
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000E5CCD	0_2_000E5CCD
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000EDD78	0_2_000EDD78
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000F1F2F	0_2_000F1F2F
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000FEF68	0_2_000FEF68
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000C7FA9	0_2_000C7FA9
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_00103FCA	0_2_00103FCA
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A921D9	1_2_00A921D9
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A9712E	1_2_00A9712E
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A924A0	1_2_00A924A0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A974BC	1_2_00A974BC
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A9A703	1_2_00A9A703
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A9275B	1_2_00A9275B
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A9EAE0	1_2_00A9EAE0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A91BBD	1_2_00A91BBD
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A85CCD	1_2_00A85CCD
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A8DD78	1_2_00A8DD78
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A67FA9	1_2_00A67FA9
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00AA3FCA	1_2_00AA3FCA
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A91F2F	1_2_00A91F2F
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A9EF68	1_2_00A9EF68
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_06642050	1_2_06642050
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_06647AC3	1_2_06647AC3
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_0664CD43	1_2_0664CD43
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_0664CD29	1_2_0664CD29
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_06DF2050	1_2_06DF2050
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A412EC0	1_2_6A412EC0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A415460	1_2_6A415460
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A383A9D	1_2_6A383A9D
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3B6AD0	1_2_6A3B6AD0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3E2B10	1_2_6A3E2B10
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A46FB00	1_2_6A46FB00
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A4708C0	1_2_6A4708C0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3EC8B0	1_2_6A3EC8B0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3E1880	1_2_6A3E1880
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A424940	1_2_6A424940
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3D2970	1_2_6A3D2970
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3F1950	1_2_6A3F1950
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A40EE50	1_2_6A40EE50
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A40BED0	1_2_6A40BED0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A409EA0	1_2_6A409EA0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3D2F20	1_2_6A3D2F20
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A38DF40	1_2_6A38DF40
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A42AC10	1_2_6A42AC10
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3EBC80	1_2_6A3EBC80
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A41CDE0	1_2_6A41CDE0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3EC210	1_2_6A3EC210
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A42B220	1_2_6A42B220
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3D7250	1_2_6A3D7250
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A426290	1_2_6A426290
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3F72D0	1_2_6A3F72D0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A4423A0	1_2_6A4423A0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A381000	1_2_6A381000
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3D50A0	1_2_6A3D50A0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3D40C0	1_2_6A3D40C0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A423120	1_2_6A423120
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A415630	1_2_6A415630
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A42A6F0	1_2_6A42A6F0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3D6720	1_2_6A3D6720
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3D9710	1_2_6A3D9710
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A43F700	1_2_6A43F700
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A46F430	1_2_6A46F430
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A4194D0	1_2_6A4194D0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3D6480	1_2_6A3D6480
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3B6540	1_2_6A3B6540
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A422580	1_2_6A422580
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A46E590	1_2_6A46E590
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A3D35E0	1_2_6A3D35E0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6CBF9E1C	1_2_6CBF9E1C
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6CC00738	1_2_6CC00738
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6CBF9A8E	1_2_6CBF9A8E
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6CC002B0	1_2_6CC002B0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6CC063CE	1_2_6CC063CE
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6CBFC3AC	1_2_6CBFC3AC
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_06648703	1_2_06648703
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_06647E1C	1_2_06647E1C

Found potential string decryption / allocating functions

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: String function: 00AA534A appears 683 times
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: String function: 6A3E7AD0 appears 108 times
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: String function: 6A3E31A0 appears 87 times
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: String function: 00A613B3 appears 501 times
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: String function: 6A4E0A30 appears 50 times
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: String function: 6CBF4460 appears 34 times
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: String function: 00AA78B5 appears 79 times
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: String function: 6A42DE20 appears 55 times
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: String function: 00A629F6 appears 54 times
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: String function: 00AA5831 appears 34 times
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: String function: 00A90AC0 appears 33 times
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: String function: 6A400440 appears 48 times
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: String function: 000F0AC0 appears 33 times
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: String function: 001078B5 appears 79 times
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: String function: 000C29F6 appears 54 times
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: String function: 00105831 appears 34 times
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: String function: 000C13B3 appears 501 times
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: String function: 0010534A appears 683 times

Sample file is different than original file name gathered from version info

Source: nitro_pro14.exe	Binary or memory string: OriginalFilename vs nitro_pro14.exe
Source: nitro_pro14.exe, 00000001.00000002.2947992871.0000000000DE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs nitro_pro14.exe
Source: nitro_pro14.exe, 00000001.00000002.2952860245.0000000006DF2000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: OriginalFilenamePageTransitions.dll@ vs nitro_pro14.exe
Source: nitro_pro14.exe, 00000001.00000002.2951681502.000000000663A000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilenameGalaSoft.MvvmLight.dllF vs nitro_pro14.exe
Source: nitro_pro14.exe, 00000001.00000002.2951735153.0000000006642000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilenameNitroBA.dll< vs nitro_pro14.exe
Source: nitro_pro14.exe, 00000001.00000002.2956473751.000000006CC12000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenamembahost.dll\ vs nitro_pro14.exe
Source: nitro_pro14.exe, 00000001.00000002.2951420115.0000000006214000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilenameBootstrapperCore.dll\ vs nitro_pro14.exe
Source: nitro_pro14.exe, 00000001.00000002.2956329196.000000006A565000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: OriginalFilenamemetrics< vs nitro_pro14.exe

Uses 32bit PE files

Source: nitro_pro14.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP

Source: classification engine

Classification label: sus25.evad.winEXE@3/51@1/1

Source: C:\Users\user\Desktop\nitro_pro14.exe

Code function: 0_2_000C2A4C FormatMessageW,GetLastError,LocalFree,

0_2_000C2A4C

Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000C62C2 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,		0_2_000C62C2
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A662C2 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,		1_2_00A662C2

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe

Code function: 1_2_6A414060 CreateToolhelp32Snapshot,CloseHandle,_CxxThrowException,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next,

1_2_6A414060

Source: C:\Users\user\Desktop\nitro_pro14.exe

Code function: 0_2_00107615 GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess,

0_2_00107615

Source: C:\Users\user\Desktop\nitro_pro14.exe

Code function: 0_2_000E864A ChangeServiceConfigW,GetLastError,

0_2_000E864A

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe

File created: C:\Users\user\AppData\Roaming\Nitro

Jump to behavior

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\nitro_pro14.exe

File created: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\

Jump to behavior

Source: C:\Users\user\Desktop\nitro_pro14.exe	Command line argument: cabinet.dll	0_2_000C10E1
Source: C:\Users\user\Desktop\nitro_pro14.exe	Command line argument: msi.dll	0_2_000C10E1
Source: C:\Users\user\Desktop\nitro_pro14.exe	Command line argument: version.dll	0_2_000C10E1
Source: C:\Users\user\Desktop\nitro_pro14.exe	Command line argument: wininet.dll	0_2_000C10E1
Source: C:\Users\user\Desktop\nitro_pro14.exe	Command line argument: comres.dll	0_2_000C10E1
Source: C:\Users\user\Desktop\nitro_pro14.exe	Command line argument: clbcatq.dll	0_2_000C10E1
Source: C:\Users\user\Desktop\nitro_pro14.exe	Command line argument: msasn1.dll	0_2_000C10E1
Source: C:\Users\user\Desktop\nitro_pro14.exe	Command line argument: crypt32.dll	0_2_000C10E1
Source: C:\Users\user\Desktop\nitro_pro14.exe	Command line argument: feclient.dll	0_2_000C10E1
Source: C:\Users\user\Desktop\nitro_pro14.exe	Command line argument: cabinet.dll	0_2_000C10E1
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Command line argument: cabinet.dll	1_2_00A610E1
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Command line argument: msi.dll	1_2_00A610E1
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Command line argument: version.dll	1_2_00A610E1
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Command line argument: wininet.dll	1_2_00A610E1
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Command line argument: comres.dll	1_2_00A610E1
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Command line argument: clbcatq.dll	1_2_00A610E1
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Command line argument: msasn1.dll	1_2_00A610E1
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Command line argument: crypt32.dll	1_2_00A610E1
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Command line argument: feclient.dll	1_2_00A610E1
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Command line argument: cabinet.dll	1_2_00A610E1

Source: nitro_pro14.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\nitro_pro14.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: nitro_pro14.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: nitro_pro14.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: nitro_pro14.exe	String found in binary or memory: resources/nitro-installer-convert.png
Source: nitro_pro14.exe	String found in binary or memory: resources/nitro-installer-devices.png
Source: nitro_pro14.exe	String found in binary or memory: resources/nitro-installer-customer-logos.png
Source: nitro_pro14.exe	String found in binary or memory: resources/nitro-installer-edit.png
Source: nitro_pro14.exe	String found in binary or memory: resources/nitro-installer-sign.png
Source: nitro_pro14.exe	String found in binary or memory: resources/nitro-installer-office-scene.png
Source: nitro_pro14.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls

Source: C:\Users\user\Desktop\nitro_pro14.exe

File read: C:\Users\user\Desktop\nitro_pro14.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\nitro_pro14.exe "C:\Users\user\Desktop\nitro_pro14.exe"
Source: C:\Users\user\Desktop\nitro_pro14.exe	Process created: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe "C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe" -burn.clean.room="C:\Users\user\Desktop\nitro_pro14.exe" -burn.filehandle.attached=652 -burn.filehandle.self=680
Source: C:\Users\user\Desktop\nitro_pro14.exe	Process created: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe "C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe" -burn.clean.room="C:\Users\user\Desktop\nitro_pro14.exe" -burn.filehandle.attached=652 -burn.filehandle.self=680	Jump to behavior

Source: C:\Users\user\Desktop\nitro_pro14.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\nitro_pro14.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\nitro_pro14.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nitro_pro14.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\nitro_pro14.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\nitro_pro14.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Users\user\Desktop\nitro_pro14.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\nitro_pro14.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nitro_pro14.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nitro_pro14.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\nitro_pro14.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\nitro_pro14.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: msvcp140_atomic_wait.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: mfc140u.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: concrt140.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: msctfui.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\nitro_pro14.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: nitro_pro14.exe

Static PE information: certificate valid

Source: nitro_pro14.exe

Static file information: File size 2457960 > 1048576

Source: nitro_pro14.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: nitro_pro14.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: nitro_pro14.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: nitro_pro14.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: nitro_pro14.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: nitro_pro14.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: nitro_pro14.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: nitro_pro14.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\build\nitroapp\vs2022-windows32\src\installer\bootstrapper\bootstrapper_dll\obj\Win32\Release\NitroBA.pdb source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000003.1700798161.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000001.00000002.2951735153.0000000006642000.00000002.00000001.01000000.0000000B.sdmp, nitro_pro14.exe, 00000001.00000003.1700853682.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, NitroBA.dll.1.dr
Source:	Binary string: C:\build\nitroapp\vs2022-windows32\src\installer\bootstrapper\page_transitions\obj\Win32\Release\PageTransitions.pdb source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2952860245.0000000006DF2000.00000002.00000001.01000000.0000000E.sdmp, PageTransitions.dll.1.dr
Source:	Binary string: ?\C:\Windows\dll\NitroBA.pdb source: nitro_pro14.exe, 00000001.00000002.2951818300.00000000067A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\NitroBA.pdbpdboBA.pdb source: nitro_pro14.exe, 00000001.00000003.1700853682.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\35\s\wix\build\ship\x86\burn.pdb source: nitro_pro14.exe, nitro_pro14.exe.0.dr
Source:	Binary string: C:\agent\_work\35\s\wix\build\obj\ship\x86\core\BootstrapperCore.pdb source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2951384555.0000000006202000.00000002.00000001.01000000.0000000A.sdmp, BootstrapperCore.dll.1.dr
Source:	Binary string: \??\C:\Windows\NitroBA.pdbw source: nitro_pro14.exe, 00000001.00000003.1700853682.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\35\s\wix\build\ship\x86\burn.pdb4 source: nitro_pro14.exe, nitro_pro14.exe.0.dr
Source:	Binary string: C:\build\nitroapp\vs2022-windows32\src\installer\bootstrapper\page_transitions\obj\Win32\Release\PageTransitions.pdbd\~\ p\_CorDllMainmscoree.dll source: nitro_pro14.exe, 00000001.00000002.2952860245.0000000006DF2000.00000002.00000001.01000000.0000000E.sdmp, PageTransitions.dll.1.dr
Source:	Binary string: C:\agent\_work\35\s\wix\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.1.dr
Source:	Binary string: \??\C:\Windows\NitroBA.pdb source: nitro_pro14.exe, 00000001.00000003.1700853682.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\35\s\wix\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: Microsoft.Deployment.WindowsInstaller.dll.1.dr
Source:	Binary string: C:\build\nitroapp\vs2022-windows32\bin\Release\metrics.pdb source: nitro_pro14.exe, 00000001.00000002.2956167840.000000006A4EA000.00000002.00000001.01000000.0000000D.sdmp, metrics.dll.1.dr
Source:	Binary string: C:\Users\lbugn\Documents\MVVMLight\GalaSoft.MvvmLight\GalaSoft.MvvmLight (NET4)\obj\Release\GalaSoft.MvvmLight.pdb source: nitro_pro14.exe, 00000001.00000002.2951653958.0000000006632000.00000002.00000001.01000000.0000000C.sdmp, GalaSoft.MvvmLight.dll.1.dr
Source:	Binary string: C:\agent\_work\35\s\wix\build\ship\x86\mbahost.pdb source: nitro_pro14.exe, 00000001.00000002.2956422927.000000006CC08000.00000002.00000001.01000000.00000007.sdmp, mbahost.dll.1.dr
Source:	Binary string: C:\Users\lbugn\Documents\MVVMLight\GalaSoft.MvvmLight\GalaSoft.MvvmLight (NET4)\obj\Release\GalaSoft.MvvmLight.pdb source: nitro_pro14.exe, nitro_pro14.exe, 00000001.00000002.2951653958.0000000006632000.00000002.00000001.01000000.0000000C.sdmp, GalaSoft.MvvmLight.dll.1.dr
Source:	Binary string: C:\agent\_work\35\s\wix\build\ship\x86\WixStdBA.pdb source: mbapreq.dll.1.dr

Source: nitro_pro14.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: nitro_pro14.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: nitro_pro14.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: nitro_pro14.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: nitro_pro14.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

PE file contains sections with non-standard names

Source: nitro_pro14.exe	Static PE information: section name: .wixburn
Source: nitro_pro14.exe.0.dr	Static PE information: section name: .wixburn

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000F0B06 push ecx; ret	0_2_000F0B19
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_0010CCD3 push ecx; ret	0_2_0010CCE6
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A90B06 push ecx; ret	1_2_00A90B19
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00AACCD3 push ecx; ret	1_2_00AACCE6
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_06635B25 push es; ret	1_2_06635B2A
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A4E0E28 push ecx; ret	1_2_6A4E0E3B
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A382C10 push 89084589h; iretd	1_2_6A382C15
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6CBF44A6 push ecx; ret	1_2_6CBF44B9
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6CC06AE3 push ecx; ret	1_2_6CC06AF6
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_031A6590 pushad ; iretd	1_2_031A6591
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_031A7590 push es; ret	1_2_031A75A0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_031AD5F0 push E8717814h; iretd	1_2_031AD5F5
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_031AB440 push esp; retf	1_2_031AB449
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_031A6B15 pushfd ; iretd	1_2_031A6B19
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_031AAF4B pushad ; iretd	1_2_031AAF59
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_031AAF7B pushfd ; iretd	1_2_031AAF89

Source: NitroBA.dll.1.dr	Static PE information: section name: .text entropy: 7.17009385214746
Source: metrics.dll.1.dr	Static PE information: section name: .text entropy: 6.950457755326262

Drops PE files

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\de\NitroBA.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nitro_pro14.exe	File created: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\fr\NitroBA.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\PageTransitions.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\it\NitroBA.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\nl\NitroBA.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\BootstrapperCore.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\mbapreq.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\es\NitroBA.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\mbahost.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\metrics.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\GalaSoft.MvvmLight.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\NitroBA.dll	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\de\NitroBA.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\nitro_pro14.exe	File created: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\fr\NitroBA.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\PageTransitions.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\it\NitroBA.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\nl\NitroBA.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\BootstrapperCore.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\mbapreq.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\es\NitroBA.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\mbahost.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\metrics.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\GalaSoft.MvvmLight.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	File created: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\NitroBA.dll	Jump to dropped file

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Memory allocated: 2DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Memory allocated: 4100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Memory allocated: 32F0000 memory reserve \| memory write watch	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe

Code function: 1_2_6A381A90 rdtsc

1_2_6A381A90

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe

Code function: 1_2_6A414060 CreateToolhelp32Snapshot,CloseHandle,_CxxThrowException,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next,

1_2_6A414060

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe

Window / User API: threadDelayed 405

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Dropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\de\NitroBA.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Dropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\fr\NitroBA.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Dropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\PageTransitions.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Dropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\it\NitroBA.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Dropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\nl\NitroBA.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Dropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Dropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\BootstrapperCore.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Dropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\mbapreq.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Dropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\es\NitroBA.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Dropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\mbahost.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Dropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\metrics.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Dropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\GalaSoft.MvvmLight.dll	Jump to dropped file
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Dropped PE file which has not been started: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\NitroBA.dll	Jump to dropped file

Found evasive API chain checking for process token information

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\nitro_pro14.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\nitro_pro14.exe

API coverage: 9.1 %

Uses the system / local time for branch decision (may execute only at specific dates)

Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_00104FD0 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 0010506Bh	0_2_00104FD0
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_00104FD0 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00105064h	0_2_00104FD0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00AA4FD0 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00AA506Bh	1_2_00AA4FD0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00AA4FD0 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00AA5064h	1_2_00AA4FD0

Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000C3B2C FindFirstFileW,FindClose,	0_2_000C3B2C
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000FC1FF FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_000FC1FF
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000C1700 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose,	0_2_000C1700
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000DB76B FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	0_2_000DB76B
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A63B2C FindFirstFileW,FindClose,	1_2_00A63B2C
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A9C1FF FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00A9C1FF
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A61700 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose,	1_2_00A61700
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A7B76B FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	1_2_00A7B76B
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A4D48E0 _errno,malloc,_errno,memset,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,free,_errno,_errno,FindNextFileW,WideCharToMultiByte,_errno,	1_2_6A4D48E0
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A4E175D ___std_fs_close_handle@4,FindFirstFileExW,GetLastError,	1_2_6A4E175D
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A4E1794 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,___std_fs_close_handle@4,	1_2_6A4E1794

Source: C:\Users\user\Desktop\nitro_pro14.exe

Code function: 0_2_000EFB9C VirtualQuery,GetSystemInfo,

0_2_000EFB9C

Source: nitro_pro14.exe, 00000001.00000003.2197325293.0000000006819000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000001.00000002.2951818300.00000000067DF000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000001.00000002.2951818300.0000000006819000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: nitro_pro14.exe, 00000001.00000003.2197325293.0000000006819000.00000004.00000020.00020000.00000000.sdmp, nitro_pro14.exe, 00000001.00000002.2951818300.0000000006819000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnqZ

Source: C:\Users\user\Desktop\nitro_pro14.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\nitro_pro14.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	API call chain: ExitProcess graph end node

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A381A90		1_2_6A381A90
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A381B00		1_2_6A381B00

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe

Code function: 1_2_6A381A90 rdtsc

1_2_6A381A90

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\nitro_pro14.exe

Code function: 0_2_000F84A7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_000F84A7

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe

Code function: 1_2_6A414060 CreateToolhelp32Snapshot,CloseHandle,_CxxThrowException,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next,

1_2_6A414060

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000F9808 mov ecx, dword ptr fs:[00000030h]	0_2_000F9808
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000FCF2C mov eax, dword ptr fs:[00000030h]	0_2_000FCF2C
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A99808 mov ecx, dword ptr fs:[00000030h]	1_2_00A99808
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A9CF2C mov eax, dword ptr fs:[00000030h]	1_2_00A9CF2C
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6CBFDCB7 mov eax, dword ptr fs:[00000030h]	1_2_6CBFDCB7
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6CBFB3F1 mov ecx, dword ptr fs:[00000030h]	1_2_6CBFB3F1

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\nitro_pro14.exe

Code function: 0_2_000C50E9 GetProcessHeap,RtlAllocateHeap,

0_2_000C50E9

Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000F03A9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_000F03A9
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000F84A7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000F84A7
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000F0874 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000F0874
Source: C:\Users\user\Desktop\nitro_pro14.exe	Code function: 0_2_000F0A07 SetUnhandledExceptionFilter,	0_2_000F0A07
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A903A9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00A903A9
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A984A7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00A984A7
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A90874 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00A90874
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_00A90A07 SetUnhandledExceptionFilter,	1_2_00A90A07
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A4E0B10 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_6A4E0B10
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6A4E0F75 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_6A4E0F75
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6CBF44BC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_6CBF44BC
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6CBFAC7C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_6CBFAC7C
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Code function: 1_2_6CBF42E6 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_6CBF42E6

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe

Memory allocated: page read and write | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\nitro_pro14.exe

Jump to behavior

Source: C:\Users\user\Desktop\nitro_pro14.exe

0_2_00105CFE

Source: C:\Users\user\Desktop\nitro_pro14.exe

Code function: 0_2_0010801A AllocateAndInitializeSid,CheckTokenMembership,

0_2_0010801A

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\nitro_pro14.exe

Code function: 0_2_000F0C37 cpuid

0_2_000F0C37

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe

Code function: GetLocaleInfoEx,FormatMessageA,

1_2_6A4E14CD

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\BootstrapperCore.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\NitroBA.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\GalaSoft.MvvmLight.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Users\user\AppData\Roaming\Nitro\PDF Pro\14 VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\PageTransitions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\nitro_pro14.exe

Code function: 0_2_000D6BA2 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,

0_2_000D6BA2

Source: C:\Users\user\Desktop\nitro_pro14.exe

Code function: 0_2_001092A6 GetSystemTimeAsFileTime,

0_2_001092A6

Source: C:\Users\user\Desktop\nitro_pro14.exe

Code function: 0_2_000C7E8C GetUserNameW,GetLastError,

0_2_000C7E8C

Source: C:\Users\user\Desktop\nitro_pro14.exe

Code function: 0_2_0010BDED GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,

0_2_0010BDED

Source: C:\Users\user\Desktop\nitro_pro14.exe

Code function: 0_2_000C6E5B GetModuleHandleW,CoInitializeEx,GetVersionExW,GetLastError,CoUninitialize,

0_2_000C6E5B

Source: C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

ID:	1533060
Product:	CloudBasic
Start time:	11:36:40
Start date:	14.10.2024
Sample:	nitro_pro14.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	957c08652837223a7876d64f5f93f232
SHA1:	22cb448ac6bd4fc47a1889aa2643f0bd91e9c7ff
SHA256:	071dcd0fb10975eea48df1f75b3c6ecaec30c901fc7639ad8e60b99c231ee223
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\Nitro_PDF_Pro_20241014053733.log	ASCII text, with CRLF line terminators	7AD3F18FB71F77403CF83FB6D24A78F8	E4977D809683CAB7BBAE2B5C8B3F186E718ACDA1	4B1105928F9E5D23893E701565A9330A2575F3985BAEF418C5B2FFAB30E6E3E5
C:\Users\user\AppData\Roaming\Nitro\PDF Pro\14\nitro_pro14-bugsplat-7044.log	ASCII text, with CRLF line terminators	8C5423579A025011908A2E5397E1EEDD	936F68CEA417350F3A9AB99EA719970736F047BD	A7AAB8EE5F7BD5326D6874329D96CEC8A359F7380DC4B80314CCC92242DB2394
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\1028\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	1D4B831F77EFEC96FFBC70BC4B59B8B5	1B3ED82655AEC8A52DAEC60F8674BC7E07F8CFEB	1B93556F07C35AC0564D57E0743CCBA231950962C6506C8D4A74A31CD66FD04C
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\1029\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	CC8C6D04DC707B38E0F0C08BA16FE49B	95EA7F570677AEA52393D02FDB21CEBB218A7343	DC445E2457ED31ABF536871F90FF7CC96800A40B6BC033F37D45E3156A3B4FA9
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\1030\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	7C6E4CE87870B3B5E71D3EF4555500F8	E831E8978A48BEAFA04AAD52A564B7EADED4311D	CAC263E0E90A4087446A290055257B1C39F17E11F065598CB2286DF4332C7696
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\1031\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	C8E7E0B4E63B3076047B7F49C76D56E1	4E44E656A0D552B2FFD65911CB45245364E5DBF3	631D46CB048FB6CF0B9A1362F8E5A1854C46E9525A0260C7841A04B2316C8295
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\1032\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	074D5921AF07E6126049CB45814246ED	91D4BDDA8D2B703879CFE2C28550E0A46074FA57	B8E90E20EDF110AAAAEA54FBC8533872831777BE5589E380CFDD17E1F93147B5
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\1035\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	E338408F1101499EB22507A3451F7B06	83B42F9D7307265A108FC339D0460D36B66A8B94	B7D9528F29761C82C3D926EFE5E0D5036A0E0D83EB4CCA7282846C86A9D6F9F3
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\1036\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	AA32A059AADD42431F7837CB1BE7257F	4CD21661E341080FB8C2DEFD9F32F134561FC3BA	88E7DDACD6B714D94D5322876BD50051479B7A0C686DC2E9EB06B3B7A0BC06C9
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\1038\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	17FB605A2F02DA203DF06F714D1CC6DE	3A71D13D4CCA06116B111625C90DD1C451EA9228	55CF62D54EFB79801A9D94B24B3C9BA221C2465417A068950D40A67C52BA66EF
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\1040\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	50261379B89457B1980FF19CFABE6A08	F80B1F416539D33206CE3C24BA3B14B799A84813	A40C94EB33F8841C79E9F6958433AFFD517F97B4570F731666AF572E63178BB7
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\1041\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	DB0F5BAB42403FD67C0A18E35E6880EC	C0A18C8C5BCD7B88C384B5304B56EEB85A0DA3DC	CCDCDB111EFA152C5F9FF4930033698B843390A549699AE802098D87431F16FE
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\1042\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	442F8463EF5CA42B99B2EFACA696BD01	67496DB91CBAA85AC0727B12FC2D35E990537DAC	D22F6ADA97DBFFC1E7548E52163807F982B30B11A2A5109E71F42985102CCCBD
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\1043\mbapreq.wxl	XML 1.0 document, ASCII text, with CRLF line terminators	67F28BCDB3BA6774CD66AA198B06FF38	85D843B7248A5E1173FF9BD59CB73BB505F69B66	226B778604236931B4AE45F6F272586C884A11517444A34BF45CD5CAE49BE62E
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\1044\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	5454F724C9CDAB8172678A1CC7057220	241A57018ACE1210881583A9CF646E7D2E51412F	41545AC1247B61C3C3E2A7E4659D9FAD2BCCA8347C69F2EB7B9D0CF5FC31E113
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\1045\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	96ACAAA5AEF7798E9048BAFF4C3FA8D3	E76629973F6C1CFC06F60BA64FE9F237B2DB9698	F4AA983E39FB29C95E3306082F034B3A43E1D26489C997B8E6697B6A3B2F9F3C
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\1046\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	BD39ADB6B872163FD2D570028E9F3213	688B8A109688D3EA483548F29DE2E57A8A56C868	ECB5C22E6C2423CAF07AEBE69F4FAF22450164EEE9587B64EF45A2D7F658CA15
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\1049\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	DAF167AF4031EF47E562056A7D51AA73	0156B230CADD6169AC2820865E3C031ED79785EF	C91C9E87AB4A6DB078F1991F4A2CDC726B58A40E47BCE49D39168A8F8F151C3B
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\1051\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	776CDF9B481F0E857758E9BE2771AFDE	06C320749964BB4107815D88A37C7451AE4284BF	63EC83F825844C8F568130FA0CA5FC72266B2F55196769327024E66E04CA2483
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\1053\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	D95E81164C57B6FD75E7C3022454192E	5D5ACBC56E7078AF4D04C45B78C0FF090C02EE6A	6DD61CC6B87B53EAF28430068A2A459730FD4B2BCF876CCDF040212D04C4FE7D
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\1055\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	01B200E06BA600A4EF00C00F7AAC5CE4	22234426C42637E069A46217019551E4434A4AB6	06BFB6DFBC38105C699DEA226A029DF3EF673C33E4B8928DC4EC7FB8F761487D
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\1060\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	5836F0C655BDD97093F68AAF69AB2BAB	B6842E816F9E0DCC559A5692E4D26101D10B4B16	C015247D022BDC108B4FFCAE89CB55D1E313034D7E6EED18744C1BB55F108F8C
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\2052\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	A34DCF7771198C779648B89156483E83	A6E0FA91CD50048511C7BEF1BE3A8D32B42B6D1F	89C559C6765F8D643469E3C8F4AA93023F09369B0395EA647FAD5AF3C2893EB6
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\2070\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	8A278E519EF81B2847490EFB070219BC	7365EDF6E4F9E66B6CEE47933B6C70FF0B9ECFF8	E2BFDB2CF3BEAE2E988827C52C58006D7EEAD4ABA5312B5EAE1F6CCF3863C385
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\3082\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	1024AA88AE01BC7BA797193CC6023375	9252A309C1CB32573F4D58A595A78660FDF54B2F	B884C4ABB8867553C1FFADD6721C2135EC5F9F1455C3F668D711CCEA65363D1A
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\AcceptandInstall.png	PNG image data, 150 x 78, 8-bit/color RGB, non-interlaced	C8B587DF6BDA0EB187B61EA58E8A4289	0A1513713AF8EE96BC7B0B3A53D33EE748A76B29	9ACEBA458711CA6C4039A518E033F99AF8CA22A1CBAE4901B6EA819F4FE01D02
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\Background.png	PNG image data, 485 x 300, 8-bit/color RGBA, non-interlaced	45ED44A4086556AF0279B0845347941A	E72FE90738D1D9E7E2AC4C563A8E2AF49A84A124	0253ACAFF4FE1EC6FB5E4F93A4FA6C6CF8DD42775F90E69DA945326AA9072743
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\BootstrapperApplicationData.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (609), with CRLF line terminators	BE61B0C2D38624DD0BE199A98E3DD425	48F64FDBEEA597DF7B2948D0D41BFF7D36E411DD	FDC9187CCD279623D101179B6954B7F61A1DE868FBA888C8A551AEB961A9A44D
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\BootstrapperCore.config	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	54C6A3735B709267FF8500704C086B65	82D8C0DA44F58694DE287AD77D0D88D073838DC9	8C128F1E877E4679FD2611764C0EF1BBCA1FFF7F635BEB0AE553EF2CA3E9C89E
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\BootstrapperCore.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	60EAFF04CFA5EDD04B05E61C1F4D6E7E	35F69F0487653A5992564EF13387449CC63990B5	139E767080FCDD816A19E664ECE9E15769451D924D99288441607065CC928A8C
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\Cancel.png	PNG image data, 62 x 78, 8-bit/color RGBA, non-interlaced	D400C5ED0015DC2B01583335D71D2B92	57B16DA34212D6477EE442B9C142A0C7807820C2	58FDB02764D28B307C689A7CCDC0E63A817A55FD0A681CDCDB53902092079FFC
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\Close.png	PNG image data, 62 x 78, 8-bit/color RGBA, non-interlaced	E211D859CAEAE68D3135DB78D754A0BA	E3719086F5E6270C72C181D655234824287B787C	CECDAC9F2358D06E67C181E929454736FAB231959DE82B20057B627E871BAF1B
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\CloseWindow.png	PNG image data, 20 x 60, 8-bit/color RGBA, non-interlaced	70F5477CB81DBD0EAA48A73FD2440AA4	8FD544E99411FBCDEE262DC06ACB749C627EDD2F	589CF70ED7996DCF5DFDE3C4CF7866B262BB4A31F5955BD7B9A072DEF25C52C4
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\GalaSoft.MvvmLight.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	7A6B482FD8928603FAFE747BE73EFB31	AB8C16D9DE29FAFB4954F805E292CF58EF68C39D	7E650417A9FDC339D6628E2CDAC36AD84A6E372742A53DE4022B2F857CA068AC
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\Microsoft.Deployment.WindowsInstaller.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	A4D3EAF44156AB27772E2CF99033ED64	BD28431730BEA4908D2EA728EA70CCF48DEBC5D8	ABE1742945A10588376CD127771C3D5F3F0579D4FF1BDE15C41A494451D89444
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\Nitro.bmp	PC bitmap, Windows 3.x format, 148 x 60 x 24, image size 26640, resolution 2835 x 2835 px/m, cbSize 26694, bits offset 54	45D8FBC38103BFB1BFC282667CEB5A18	FCD08C3CDE8B68918AF496CEB356DDEB66384937	45D1B9459F60CBDE528093D29FE9E4ED553C06C644B0017A0176704B1476A3A0
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\NitroBA.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	43239CE73BEAE58CE5C0B4B66780D128	1A4694F4C96A694BBE0F6AD35813768FF6DD3E86	3B8B732F1A49A599EF3288E84D7A63C995A2A1AD61192EE6F5DE67B2A7108F6C
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\PageTransitions.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	80F29FA62F954A03ABAD24B984A45A7F	77B49D1D46F5F65BD7F1008FE009DA1DA1D69641	56AE0E660E44D378879261419D808D3DC4488E13CAE95F6BF96561471DBF48FE
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\ProgressBar.png	PNG image data, 4 x 10, 8-bit/color RGBA, non-interlaced	A07584B9A8CC8A7483FA394867D05C0A	7FCEA631D924CD811E43F4C7BB3C5DA1319CF541	03DE7CBEC2ED9A3C17E210F537F5A826FA7E43491556F8356B95F1A80DFA4CDC
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\de\NitroBA.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	0DBD65BF269B06C53BEBA80C62FBF41E	0380A5930AFB777AEA6E8E8FBEA594BFE98536D8	D3D14163B6F01350680D6FE397AF8645ED10F460BCE0ED3803547A65AE61E0F0
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\es\NitroBA.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	FF403070577AEE0069CBA5A419F97D57	43A50744C40C841374877CFAEE353FDB64F462FC	725F1BFADF02C045FDF03DB7EB1F21273E7F3603EA41412E2A3FA4782DE2B7CC
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\fr\NitroBA.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	93EB67900B4ED7E71531C12AB469495C	E9A21EFE06C41ABC673F1791FCD4AE00AAA510CA	9C39E38A43225C1C29C3B7A65B0DBB8E727A0160706B19D68D612F7E23C81862
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\it\NitroBA.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	C3F1C50260D49659620E169B5C2AF0B3	6947A233A5B392D27FCE35903A5843CA7631555B	C8135BD38827C87F3FF7AD7D15A1BB61E004AF7A83CA123C293664D4FFEE16EF
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\mbahost.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	A98EB2617326292D3AB96E54B4BA703C	DC72B1E18930D26C16B8D5E4F25711E4DA9DA24C	7182FB48A03F653A2B87D66409599D0D11DFB197CA7F969D2C8D72E38BF13590
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\mbapreq.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	30803BDCDA5083DE8BB9FB5CCA486412	65BCF49BC81595C57B769C11F7097B9BF2968FB6	AA1DD28CC0450DCF38761E4E63BD029C46C66A9DC907E5A2A4D1B2E4261C2DCD
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\mbapreq.png	PNG image data, 63 x 63, 8-bit/color RGBA, non-interlaced	A356956FD269567B8F4612A33802637B	75AE41181581FD6376CA9CA88147011E48BF9A30	A401A225ADDAF89110B4B0F6E8CF94779E7C0640BCDD2D670FFCF05AAB0DAD03
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\mbapreq.thm	XML 1.0 document, ASCII text, with CRLF line terminators	91543B04E0EBF979D12EA3F94B6C7D28	EC5ECC2AE5D8A6BD473BF643A27C70CE03EC4170	0B2B19205A49F295FEB94B30D86CCB82B82350241DC08BD0A69F2C516C0A93A7
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\mbapreq.wxl	XML 1.0 document, ASCII text, with CRLF line terminators	274945107A0B67B3F39C52CDF93CEB8C	538F7CC3C7EDC07A9A9762FF5F5DB1B2594BD6F7	B523C09AB79F1E0F3E667364CBAD756484A5320E477F89FFC0630F30D7AB87B0
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\metrics.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	4337973905C6C14F798BB354E1785144	2F95E946DBA7F972D9F843BA03C4A894400BE95F	682A64E02DAD5AD703F05B73759714951462F5730B379E3584B27047B4630A32
C:\Windows\Temp\{6E12AC3B-4BC0-4764-A2BD-1C246CC66772}\.ba\nl\NitroBA.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	A024211B529F6E3E50078ECA6E98621B	92E8A602271E4760271F873341806392C00F33EE	9B27BA7E30695945E54CF2C48E0A4BB45F25349B35D43D0649EB57B43783B432
C:\Windows\Temp\{FF9FB498-690B-42AD-8947-9DAF033FB533}\.cr\nitro_pro14.exe	PE32 executable (GUI) Intel 80386, for MS Windows	957C08652837223A7876D64F5F93F232	22CB448AC6BD4FC47A1889AA2643F0BD91E9C7FF	071DCD0FB10975EEA48DF1F75B3C6ECAEC30C901FC7639AD8E60B99C231EE223

Windows Analysis Report
nitro_pro14.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report nitro_pro14.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
nitro_pro14.exe