Edit tour

Windows Analysis Report
cfrv_4_0_setup_ALL.exe

Overview

General Information

Sample name:	cfrv_4_0_setup_ALL.exe
Analysis ID:	1379637
MD5:	9197aeadf996dd8cd3885a205927671e
SHA1:	3bf1368b4dae680e580d3958299f9636e255cba8
SHA256:	94e6740812caeb857ef6065984ab4138d56ad4b517c62f2611f303eab519676c
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

DLL side loading technique detected

Injects code into the Windows Explorer (explorer.exe)

May use the Tor software to hide its network traffic

Checks for available system drives (often done to infect USB drives)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect virtual machines (STR)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query locales information (e.g. system language)

Creates Visual Basic Runtime Dlls

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file contains strange resources

PE file does not import any functions

Queries keyboard layouts

Queries the volume information (name, serial number etc) of a device

Registers a DLL

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Classification

Process Tree

System is w10x64

cfrv_4_0_setup_ALL.exe (PID: 6948 cmdline: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe MD5: 9197AEADF996DD8CD3885A205927671E)

cfrv_4_0_setup_ALL.exe (PID: 6252 cmdline: .\cfrv_4_0_setup_ALL.exe /m="C:\Users\user\Desktop\CFRV_4~1.EXE" /k="" MD5: 3B2D532673D1567116105D04C621CDBA)

regsvr32.exe (PID: 3452 cmdline: "C:\Windows\system32\regsvr32.exe" "C:\Windows\SysWOW64\mscomctl.ocx" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

regsvr32.exe (PID: 1196 cmdline: "C:\Windows\system32\regsvr32.exe" "C:\Windows\SysWOW64\COMDLG32.OCX" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

regsvr32.exe (PID: 7080 cmdline: "C:\Windows\system32\regsvr32.exe" "C:\Windows\SysWOW64\COMCT332.OCX" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

regsvr32.exe (PID: 7140 cmdline: "C:\Windows\system32\regsvr32.exe" "C:\Windows\SysWOW64\TABCTL32.OCX" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

regsvr32.exe (PID: 3372 cmdline: "C:\Windows\system32\regsvr32.exe" "C:\Program Files (x86)\Common Files\microsoft shared\DAO\DAO350.DLL" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

regsvr32.exe (PID: 4600 cmdline: "C:\Windows\system32\regsvr32.exe" "C:\Windows\NCSBOE\CF_CR_control.dll" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

regsvr32.exe (PID: 5004 cmdline: "C:\Windows\system32\regsvr32.exe" "C:\Windows\NCSBOE\CF_DB_Connect.dll" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

regsvr32.exe (PID: 2004 cmdline: "C:\Windows\system32\regsvr32.exe" "C:\Windows\NCSBOE\CF_File_Data.dll" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

regsvr32.exe (PID: 6312 cmdline: "C:\Windows\system32\regsvr32.exe" "C:\Windows\NCSBOE\CF_File_Export.dll" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

regsvr32.exe (PID: 5228 cmdline: "C:\Windows\system32\regsvr32.exe" "C:\Windows\NCSBOE\CF_Rmt_DB4_Update.dll" /s MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

explorer.exe (PID: 6920 cmdline: "C:\Windows\explorer.exe" /separate /root,::{21ec2020-3aea-1069-a2dd-08002b30309d} MD5: 662F4F92FDE3557E86D110526BB578D5)

msiexec.exe (PID: 1028 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 5496 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 9F821CD8835F26EFA91C6F67DA97DD7D MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 6544 cmdline: C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\SysWOW64\craxdrt.dll MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 6920 cmdline: C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\SysWOW64\crviewer.dll MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 6972 cmdline: C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\Crystal\Cdo32.dll MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 7048 cmdline: C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\SysWOW64\crtslv.dll MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 2208 cmdline: C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\SysWOW64\ExportModeller.dll MD5: 9D09DC1EDA745A5F87553048E57620CF)

explorer.exe (PID: 7072 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 662F4F92FDE3557E86D110526BB578D5)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\{D529246B-78E5-4E65-A3A2-8E1040E91E59}\cfrv_4_0_setup_ALL.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000000.1735223416.0000000000401000.00000020.00000001.01000000.00000004.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Process Memory Space: cfrv_4_0_setup_ALL.exe PID: 6948	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
1.0.cfrv_4_0_setup_ALL.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: cfrv_4_0_setup_ALL.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe

File created: c:\tmp\log\installs\CF_Remote\install.log

Jump to behavior

Source:	Binary string: MsiHnd.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005965000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MsiHnd.pdbV source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005965000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: shfolder.pdbMZ source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006292000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rF,c:\Windows\System32\ImgXTwain61.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000052F4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: shfolder.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006292000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: GameuxInstallHelper.pdb source: cfrv_4_0_setup_ALL.exe, 00000001.00000000.1735771372.0000000000842000.00000002.00000001.01000000.00000004.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1738862165.00000000FFCA4000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: gacutil.pdb source: cfrv_4_0_setup_ALL.exe, 00000001.00000000.1735771372.0000000000842000.00000002.00000001.01000000.00000004.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1738862165.00000000FFCA4000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2062442144.00000000055A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\Windows\System32\ImgX61.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000052DD000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.000000000681A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: gacutil.pdb(0 source: cfrv_4_0_setup_ALL.exe, 00000001.00000000.1735771372.0000000000842000.00000002.00000001.01000000.00000004.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1738862165.00000000FFCA4000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2062442144.00000000055A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sdbapiu.pdbU source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006292000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: usp10.pdbMZ source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006661000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msisip.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005965000.00000004.00000020.00020000.00000000.sdmp, msisip.dll.0.dr
Source:	Binary string: c:\Windows\System32\ImgXPrint61.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000052F4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rFXc:\Windows\System32\ImgX61.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.000000000681A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sdbapiu.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006292000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: riched20.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006292000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mspatcha.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005BC6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Y:\EPFXlate\HTML\ReleaseSym\exlate32.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.000000000515D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msi.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000057A7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\Windows\System32\ImgXTwain61.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000052F4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rFWc:\Windows\System32\ImgX61.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000052DD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: gacutil.pdb, AH/@ source: cfrv_4_0_setup_ALL.exe, 00000001.00000000.1735771372.0000000000842000.00000002.00000001.01000000.00000004.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1738862165.00000000FFCA4000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: sdbapi.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006292000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msi_l.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000054B4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: usp10.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006661000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: imagehlp.pdbMZ source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.000000000515D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msi.pdbh source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000057A7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mspatcha.pdbtvbl01\LOCALS~1\Temp\2\DBGtoPDB\mspatcha.pdbMZ source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005BC6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: imagehlp.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.000000000515D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: riched20.pdbMZ source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006292000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Y:\EPFXlate\HTML\ReleaseSym\exlate32.pdbMZ source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.000000000515D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sdbapi.pdbU source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006292000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: tvbl01\LOCALS~1\Temp\2\DBGtoPDB\mspatcha.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005BC6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msisip.pdb3 source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005965000.00000004.00000020.00020000.00000000.sdmp, msisip.dll.0.dr
Source:	Binary string: rF,c:\Windows\System32\ImgXPrint61.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000052F4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: gacutlrc.pdb source: cfrv_4_0_setup_ALL.exe, 00000001.00000000.1735771372.0000000000842000.00000002.00000001.01000000.00000004.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1738862165.00000000FFCA4000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2062442144.00000000055A1000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\System32\msiexec.exe	File opened: z:
Source: C:\Windows\System32\msiexec.exe	File opened: x:
Source: C:\Windows\System32\msiexec.exe	File opened: v:
Source: C:\Windows\System32\msiexec.exe	File opened: t:
Source: C:\Windows\System32\msiexec.exe	File opened: r:
Source: C:\Windows\System32\msiexec.exe	File opened: p:
Source: C:\Windows\System32\msiexec.exe	File opened: n:
Source: C:\Windows\System32\msiexec.exe	File opened: l:
Source: C:\Windows\System32\msiexec.exe	File opened: j:
Source: C:\Windows\System32\msiexec.exe	File opened: h:
Source: C:\Windows\System32\msiexec.exe	File opened: f:
Source: C:\Windows\System32\msiexec.exe	File opened: b:
Source: C:\Windows\System32\msiexec.exe	File opened: y:
Source: C:\Windows\System32\msiexec.exe	File opened: w:
Source: C:\Windows\System32\msiexec.exe	File opened: u:
Source: C:\Windows\System32\msiexec.exe	File opened: s:
Source: C:\Windows\System32\msiexec.exe	File opened: q:
Source: C:\Windows\System32\msiexec.exe	File opened: o:
Source: C:\Windows\System32\msiexec.exe	File opened: m:
Source: C:\Windows\System32\msiexec.exe	File opened: k:
Source: C:\Windows\System32\msiexec.exe	File opened: i:
Source: C:\Windows\System32\msiexec.exe	File opened: g:
Source: C:\Windows\System32\msiexec.exe	File opened: e:
Source: C:\Windows\explorer.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:

Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Code function: 0_2_00407E20 FindNextFileW,FindClose,FindFirstFileW,FindFirstFileW,	0_2_00407E20
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_6CEC2A30 _memset,FindFirstFileW,LoadLibraryW,FindClose,FindResourceW,LoadLibraryW,	1_2_6CEC2A30
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_6CEB2470 FindClose,FindFirstFileW,FindFirstFileW,	1_2_6CEB2470

Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	File opened: C:\ProgramData\Microsoft\Windows\Start Menu	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	File opened: C:\ProgramData\Microsoft\Windows\Start Menu\Programs	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	File opened: C:\ProgramData\Microsoft	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	File opened: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Campaign Finance\CF Remote.lnk	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	File opened: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Campaign Finance	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	File opened: C:\ProgramData\Microsoft\Windows	Jump to behavior

Source: cfrv_4_0_setup_ALL.exe, 00000001.00000003.2239438491.0000000002874000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: HTTP://WWW.MYWEBSITE.COM/NEW
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000003.2239438491.0000000002833000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: HTTP://WWW.NCSBE.GOVMICROSOFT
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002F85000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000060D3000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005D3E000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000031F1000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005FA2000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005348000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000054B4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748764589.0000000003400000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2064693512.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748704146.0000000003560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002F85000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000060D3000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005D3E000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000031F1000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005FA2000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005348000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000054B4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748764589.0000000003400000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2064693512.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748704146.0000000003560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002F85000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000060D3000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005D3E000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000031F1000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005FA2000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005348000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000054B4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748764589.0000000003400000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2064693512.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748704146.0000000003560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002F85000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000060D3000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005D3E000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000031F1000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005FA2000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005348000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000054B4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748764589.0000000003400000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2064693512.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748704146.0000000003560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002F85000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000060D3000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005D3E000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000031F1000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005FA2000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005348000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000054B4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748764589.0000000003400000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2064693512.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748704146.0000000003560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000052DD000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000052F4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.000000000681A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteCodeSigningCA.crl0
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000052DD000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000052F4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.000000000681A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawtePremiumServerCA.crl0
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002F85000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000060D3000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005D3E000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000031F1000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005FA2000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005348000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000054B4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748764589.0000000003400000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2064693512.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748704146.0000000003560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002F85000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000060D3000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005D3E000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000031F1000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005FA2000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005348000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000054B4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748764589.0000000003400000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2064693512.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748704146.0000000003560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002F85000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000060D3000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005D3E000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000031F1000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005FA2000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005348000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000054B4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748764589.0000000003400000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2064693512.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748704146.0000000003560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000052DD000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000052F4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.000000000681A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002F85000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000060D3000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005D3E000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000031F1000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005FA2000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005348000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000054B4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748764589.0000000003400000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2064693512.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748704146.0000000003560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002F85000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000060D3000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005D3E000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000031F1000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005FA2000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005348000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000054B4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748764589.0000000003400000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2064693512.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748704146.0000000003560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002F85000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000060D3000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005D3E000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000031F1000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005FA2000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005348000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000054B4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748764589.0000000003400000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2064693512.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748704146.0000000003560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
Source: explorer.exe, 00000018.00000002.2879083790.0000000008DF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mi
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000000.1735223416.0000000000418000.00000020.00000001.01000000.00000004.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1738862165.00000000FF8D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://standards.iso.org/iso/19770/-2/2008/schema.xsd
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002F85000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000060D3000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005D3E000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000031F1000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005FA2000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005348000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000054B4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748764589.0000000003400000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2064693512.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748704146.0000000003560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://subca.ocsp-certum.com01
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002F85000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000060D3000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005D3E000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000031F1000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005FA2000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005348000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000054B4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748764589.0000000003400000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2064693512.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748704146.0000000003560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://subca.ocsp-certum.com02
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002F85000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000060D3000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005D3E000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000031F1000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005FA2000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005348000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000054B4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748764589.0000000003400000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2064693512.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748704146.0000000003560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://subca.ocsp-certum.com05
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006661000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ImgX.net/
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006661000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ImgX.net/ImgX/purchase.asp
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002F85000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000060D3000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005D3E000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000031F1000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005FA2000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005348000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000054B4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748764589.0000000003400000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2064693512.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748704146.0000000003560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.certum.pl/CPS0
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000000.1735223416.0000000000418000.00000020.00000001.01000000.00000004.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1738862165.00000000FF8D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.installaware.com/
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002F85000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000060D3000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005D3E000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000031F1000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005FA2000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005348000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000054B4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748764589.0000000003400000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2064693512.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748704146.0000000003560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.installaware.com/0
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000003.1738862165.00000000FF8D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.installaware.com/InstallAware
Source: cfrv_4_0_setup_ALL.exe	String found in binary or memory: http://www.installaware.comz
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000003.1738862165.00000000FF8D0000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2062442144.00000000055A1000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2239438491.0000000002874000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.mywebsite.com/New
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000003.2239438491.0000000002874000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ncsbe.gov
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000003.2062442144.00000000055A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ncsbe.govMicrosoft
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000065AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.seagatesoftware.com/xml/schema.xsdxsddtdw
Source: explorer.exe, 00000018.00000003.2060166385.00000000067A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000003.2060001241.00000000067A1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000002.2878512791.00000000067A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000018.00000003.2060166385.00000000067A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000003.2060001241.00000000067A1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000002.2878512791.00000000067A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirm
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002F85000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000060D3000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005D3E000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000031F1000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005FA2000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005348000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000054B4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748764589.0000000003400000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2064693512.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748704146.0000000003560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0C
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000000.1735223416.00000000007AE000.00000020.00000001.01000000.00000004.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1738862165.00000000FFC7D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.installaware.com/buydirect.aspopen

Source: Yara match

File source: Process Memory Space: cfrv_4_0_setup_ALL.exe PID: 6948, type: MEMORYSTR

Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe

File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\msi.cat

Jump to dropped file

Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe

File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\msvbvm60.dll

Jump to behavior

Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe

File created: C:\Windows\NCSBOE

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI3C42.tmp

Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Code function: 0_2_0040B1D0	0_2_0040B1D0
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Code function: 0_2_00419D20	0_2_00419D20
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Code function: 0_2_0041FF60	0_2_0041FF60
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Code function: 0_2_00401000	0_2_00401000
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Code function: 0_2_00401100	0_2_00401100
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Code function: 0_2_004011C0	0_2_004011C0
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Code function: 0_2_004011D8	0_2_004011D8
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Code function: 0_2_00409180	0_2_00409180
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Code function: 0_2_004042D0	0_2_004042D0
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Code function: 0_2_0040F2F0	0_2_0040F2F0
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Code function: 0_2_004013F0	0_2_004013F0
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Code function: 0_2_004234D0	0_2_004234D0
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Code function: 0_2_004105D0	0_2_004105D0
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Code function: 0_2_004055E0	0_2_004055E0
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Code function: 0_2_004045A0	0_2_004045A0
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Code function: 0_2_004015B0	0_2_004015B0
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Code function: 0_2_0040E740	0_2_0040E740
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Code function: 0_2_00403760	0_2_00403760
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Code function: 0_2_00425AE7	0_2_00425AE7
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Code function: 0_2_00401AB0	0_2_00401AB0
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Code function: 0_2_00412B50	0_2_00412B50
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Code function: 0_2_0040DC00	0_2_0040DC00
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_055D887D	1_3_055D887D
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_0568EAC0	1_3_0568EAC0
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_055AD4C4	1_3_055AD4C4
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_05603311	1_3_05603311
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_0560326F	1_3_0560326F
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_055D9265	1_3_055D9265
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_0560321C	1_3_0560321C
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_10001000	1_2_10001000
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_10009028	1_2_10009028
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_10017330	1_2_10017330
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_100153E0	1_2_100153E0
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_1000D450	1_2_1000D450
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_10017710	1_2_10017710
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_100178D0	1_2_100178D0
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_10017DC0	1_2_10017DC0
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_1001E5C3	1_2_1001E5C3
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_1001E751	1_2_1001E751
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_1000E770	1_2_1000E770
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_100127E0	1_2_100127E0
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_1001E82B	1_2_1001E82B
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_1000C8E0	1_2_1000C8E0
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_10014A40	1_2_10014A40
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_1000EB10	1_2_1000EB10
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_1000CCA0	1_2_1000CCA0
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_1001AD1A	1_2_1001AD1A
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_10016D80	1_2_10016D80
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_10012F00	1_2_10012F00
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_10016F80	1_2_10016F80
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_6CEB4C00	1_2_6CEB4C00
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_6CEAAE70	1_2_6CEAAE70
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_6CEA8AB0	1_2_6CEA8AB0
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_6CEA6460	1_2_6CEA6460
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_6CEB35F0	1_2_6CEB35F0
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_6CEC8E1B	1_2_6CEC8E1B
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_6CEBE950	1_2_6CEBE950
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_6CECE6B0	1_2_6CECE6B0
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_6CEAE670	1_2_6CEAE670
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_6CECE78B	1_2_6CECE78B
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_6CEBFEE0	1_2_6CEBFEE0
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_6CEBB9C0	1_2_6CEBB9C0
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_6CEAB447	1_2_6CEAB447
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_6CEAD1B0	1_2_6CEAD1B0
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_055CE64B	1_3_055CE64B
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_055CE6F1	1_3_055CE6F1
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_055C288E	1_3_055C288E

Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: String function: 6CEC7AA4 appears 37 times
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: String function: 10018EB0 appears 94 times
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: String function: 6CEA4C80 appears 39 times
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Code function: String function: 00405140 appears 35 times
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Code function: String function: 00423A98 appears 36 times

Source: cfrv_4_0_setup_ALL.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: cfrv_4_0_setup_ALL.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: cfrv_4_0_setup_ALL.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: cfrv_4_0_setup_ALL.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: cfrv_4_0_setup_ALL.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (console) Intel 80386, for MS Windows
Source: cfrv_4_0_setup_ALL.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: cfrv_4_0_setup_ALL.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (console) Intel 80386, for MS Windows
Source: msi.dll.0.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: msi.dll0.0.dr	Static PE information: Resource name: None type: DOS executable (COM)

Source: crviewer.dll.0.dr	Static PE information: Resource name: None type: GLS_BINARY_LSB_FIRST
Source: crviewer.dll.0.dr	Static PE information: Resource name: None type: GLS_BINARY_LSB_FIRST
Source: crviewer.dll.0.dr	Static PE information: Resource name: None type: GLS_BINARY_LSB_FIRST
Source: crviewer.dll.0.dr	Static PE information: Resource name: None type: GLS_BINARY_LSB_FIRST
Source: crviewer.dll.0.dr	Static PE information: Resource name: None type: GLS_BINARY_LSB_FIRST
Source: crviewer.dll.0.dr	Static PE information: Resource name: None type: GLS_BINARY_LSB_FIRST
Source: crviewer.dll.0.dr	Static PE information: Resource name: None type: GLS_BINARY_LSB_FIRST

Source: stdole2.tlb.0.dr	Static PE information: No import functions for PE file found
Source: CRxmlx07r.dll.0.dr	Static PE information: No import functions for PE file found

Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000050D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCS40_CA.DLLj% vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005965000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsihnd.dllX vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005965000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsihnd.dllD vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005965000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsimsg.dllX vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005965000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMSISIP.DLLX vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005965000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMSISIP.DLLD vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1731016611.00000000074F9000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCS40_CA.DLLj% vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000052F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImgXPrint61.dll, vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000052F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImgXTwain61.dll, vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000052F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameimplode.dllL vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1731328809.0000000007170000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCS40_CA.DLLj% vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006546000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSSCsdk32.dll vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005331000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLogFile.dll, vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.000000000515D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExportModeller.DLL vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.000000000515D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameimagehlp.dllz- vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.000000000515D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImgX61.dll, vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006999000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMSCOMCTL.OCX2 vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006804000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImgX61.ocx, vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000050F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCS40_CA.DLLj% vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000050F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameEXLATE32.DLL" vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005BC6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMSLS31.DLLR vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005BC6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemspatcha.dll: vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005BA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMSLS31.DLLR vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.000000000663D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameu2fxml.dll vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.000000000663D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameu2l2000.dllP vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.000000000663D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameu2lcom.dll@ vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.000000000654C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSSubTmr6.dll, vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.000000000654C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameu252000.dllP vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.000000000654C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameU25dts.dll vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.000000000654C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameuxdapp.dllP vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.000000000654C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameuxddisk.dllDisk file vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.000000000654C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameuxdmapi.dll" vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.000000000654C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameuxdnotes.dll vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000058C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsi.dllD vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1731328809.0000000007150000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCS40_CA.DLLj% vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006292000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameOLEPRO32.DLL( vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006292000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamep2ixbse.dll vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006292000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepdlodbc.dll vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006292000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamep2smon.dll@ vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006292000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamep2sodbc.dll" vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006292000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameriched20.dllp( vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006292000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006292000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VerQueryValueAGetFileVersionInfoAGetFileVersionInfoSizeALegalCopyrightInternalNameOriginalFilenameFileVersionProductNameCompanyNameFileDescriptionProductVersionDOSWIN32WIN16NONETAGIDTAGSTRTAB_ITEMINDEX_BITSINDEX_KEYINDEX_TAGINDEXINDEXESSTRINGTABLEMATCH_MODEDATABASE_ID(GUID)MSI_PACKAGE_ID(GUID)DATA_BITSEXE_ID(GUID)FILE_BITSPATCH_BITSFLAGS_NTVDM3FLAGS_NTVDM2FLAGS_NTVDM1DATA_QWORDUPTO_BIN_FILE_VERSIONUPTO_BIN_PRODUCT_VERSIONFLAG_MASK_SHELLFLAG_MASK_USERFLAG_MASK_KERNELMODTIMEBIN_PRODUCT_VERSIONBIN_FILE_VERSIONTIMEAPPLY_ALL_SHIMSMATCH_LOGIC_NOTGENERALINCLUDERUNTIME_PLATFORMMSI_TRANSFORM_TAGIDDATA_DWORDVALUETYPEFLAGSENGINEAPPHELP_LANGIDINDEXFLAGSHTMLHELPIDPROBLEM_SEVERITYPREVOSBUILDNOPREVOSPLATFORMIDPREVOSMINORVERSIONPREVOSMAJORVERSIONVER_LANGUAGEOS_SERVICE_PACKUPTO_LINK_DATELINK_DATELINKER_VERSIONPE_CHECKSUMVERFILETYPEVERFILEOSVERFILEDATELOVERFILEDATEHIMODULE_TYPEFLAG_TAGIDLAYER_TAGIDPATCH_TAGIDSHIM_TAGIDCHECKSUMOFFSETSIZECOMPILER_VERSIONLAYER_DISPLAYNAMES16BIT_MODULE_NAMEMSI_TRANSFORM_FILEDATA_STRINGSXS_MANIFESTAPPHELP_CONTACTAPPHELP_TITLELINK_TEXTLINK_URLPROBLEM_DETAILSS16BIT_DESCRIPTIONLEGAL_COPYRIGHTINTERNAL_NAMEORIGINAL_FILENAMEFILE_VERSIONFILE_DESCRIPTIONPRODUCT_VERSIONPRODUCT_NAMEWILDCARD_NAMECOMPANY_NAMECOMMAND_LINEDLLFILEAPP_NAMEVENDORAPIMODULEDESCRIPTIONNAMEMSI CUSTOM ACTIONMSI PACKAGEMSI TRANSFORM REFMSI TRANSFORMDATALINKAPPHELPFILELAYERFLAG_REFPATCH_REFSHIM_REFMATCHING_FILEEXEAPPFLAGPATCHSHIMINEXCLUDELIBRARYDATABASETagToIndexInvalid attribute 0x%x. vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006292000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesdbapi.dll vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006292000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VerQueryValueWGetFileVersionInfoWGetFileVersionInfoSizeWLegalCopyrightInternalNameOriginalFilenameFileVersionProductNameCompanyNameFileDescriptionProductVersionDOSWIN32WIN16NONETAGIDTAGSTRTAB_ITEMINDEX_BITSINDEX_KEYINDEX_TAGINDEXINDEXESSTRINGTABLEMATCH_MODEDATABASE_ID(GUID)MSI_PACKAGE_ID(GUID)DATA_BITSEXE_ID(GUID)FILE_BITSPATCH_BITSFLAGS_NTVDM3FLAGS_NTVDM2FLAGS_NTVDM1DATA_QWORDUPTO_BIN_FILE_VERSIONUPTO_BIN_PRODUCT_VERSIONFLAG_MASK_SHELLFLAG_MASK_USERFLAG_MASK_KERNELMODTIMEBIN_PRODUCT_VERSIONBIN_FILE_VERSIONTIMEAPPLY_ALL_SHIMSMATCH_LOGIC_NOTGENERALINCLUDERUNTIME_PLATFORMMSI_TRANSFORM_TAGIDDATA_DWORDVALUETYPEFLAGSENGINEAPPHELP_LANGIDINDEXFLAGSHTMLHELPIDPROBLEM_SEVERITYPREVOSBUILDNOPREVOSPLATFORMIDPREVOSMINORVERSIONPREVOSMAJORVERSIONVER_LANGUAGEOS_SERVICE_PACKUPTO_LINK_DATELINK_DATELINKER_VERSIONPE_CHECKSUMVERFILETYPEVERFILEOSVERFILEDATELOVERFILEDATEHIMODULE_TYPEFLAG_TAGIDLAYER_TAGIDPATCH_TAGIDSHIM_TAGIDCHECKSUMOFFSETSIZECOMPILER_VERSIONLAYER_DISPLAYNAMES16BIT_MODULE_NAMEMSI_TRANSFORM_FILEDATA_STRINGSXS_MANIFESTAPPHELP_CONTACTAPPHELP_TITLELINK_TEXTLINK_URLPROBLEM_DETAILSS16BIT_DESCRIPTIONLEGAL_COPYRIGHTINTERNAL_NAMEORIGINAL_FILENAMEFILE_VERSIONFILE_DESCRIPTIONPRODUCT_VERSIONPRODUCT_NAMEWILDCARD_NAMECOMPANY_NAMECOMMAND_LINEDLLFILEAPP_NAMEVENDORAPIMODULEDESCRIPTIONNAMEMSI CUSTOM ACTIONMSI PACKAGEMSI TRANSFORM REFMSI TRANSFORMDATALINKAPPHELPFILELAYERFLAG_REFPATCH_REFSHIM_REFMATCHING_FILEEXEAPPFLAGPATCHSHIMINEXCLUDELIBRARYDATABASETagToIndexInvalid attribute 0x%x. vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006292000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005707000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsi.dllX vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.000000000532A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLogFile.dll, vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006A3F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevbalColumnTreeView6.ocx, vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000065AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUXDPOST.dll vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000065AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameuxdvim.dllP vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000065AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameuxfcr.dll vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000065AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameu2fhtml.dll vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000065AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameuxfsepv.dllD vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000065AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUxfxls.dll" vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006661000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameU2ldts.dll vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006661000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameu2lexch.dll vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006661000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameu2lfinra.dll2FRCurrentRatio(CurrentAssets, CurrentLiabilities)=FRQuickRatio(CurrentAssets, Inventories, CurrentLiabilities)1FRDebtEquityRatio(TotalLiabilities, TotalEquity)0FREquityVsTotalAssets(TotalEquity, TotalAssets)$FRNetProfitMargin(NetProfit, Sales)(FRGrossProfitMargin(GrossProfit, Sales)0FROperatingProfitMargin(OperatingProfit, Sales)/FRInterestCoverage(CashFlow, InterestExpenses)+FRCashFlowVsTotalDebt(CashFlow, TotalDebt))FRReturnOnEquity(NetProfit, TotalEquity)4FRReturnOnNetFixedAssets(NetProfit, NetFixedAssets).FRReturnOnTotalAssets(NetProfit, TotalAssets)BFRReturnOnInvestedCapital(NetProfit, TotalBankDebts, TotalEquity)CFRReturnOnCommonEquity(NetProfit, PreferredDividend, CommonEquity)IFREarningsPerCommonShare(NetProfit, PreferredDividend, NumOfCommonShare)6FRAccRecTurnover(AccountReceivable, Sales, NumOfDays)1FRInventoryTurnover(Inventory, Sales, NumOfDays)4FRPriceEarningsRatio(MarketPrice, EarningsPerShare)'FRDividendYield(Dividend, MarketPrice) vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006661000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameu2lsamp1.dll vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006661000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUniscribe vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006661000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevbalFlBr6.dll, vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006661000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006661000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameW95INF16.DLL5%ProductNameMicrosoft vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006661000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameW95INF32.DLLj% vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006661000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCF_Login.ocx, vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006661000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCF_Transaction.ocx, vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006661000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamecomct332.ocx, vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006661000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCOMDLG32.OCX2 vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000068AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMSChart.ocx@ vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006B00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7zxa.dll, vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000003.2240854022.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameram FilHiU vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000003.2067031263.0000000005517000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7zxa.dll, vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000002.2248684049.000000006CF08000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilename7zxa.dll, vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000000.1735771372.0000000000842000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameahadmin_wrapper.dll4 vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000000.1735771372.0000000000842000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameahadmin_.dll4 vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000000.1735771372.0000000000842000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameGameuxInstallHelper.DLLb! vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000000.1735771372.0000000000842000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameManagedVCL.Utils.dll8 vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000000.1735771372.0000000000842000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamegacutil.exeT vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000000.1735771372.0000000000842000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamegacutlrc.dllT vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000000.1735771372.0000000000842000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamez vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000002.2248260945.000000001002F000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilename7zxa.dll, vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000003.1738862165.00000000FFCA4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameahadmin_wrapper.dll4 vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000003.1738862165.00000000FFCA4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameahadmin_.dll4 vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000003.1738862165.00000000FFCA4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGameuxInstallHelper.DLLb! vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000003.1738862165.00000000FFCA4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameManagedVCL.Utils.dll8 vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000003.1738862165.00000000FFCA4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamegacutil.exeT vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000003.1738862165.00000000FFCA4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamegacutlrc.dllT vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000003.1738862165.00000000FFCA4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamez vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000003.2062002599.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameram FilHiU vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000003.2241393232.0000000005498000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000003.1740941529.00000000FFE03000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7zxa.dll, vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000003.2062442144.00000000055A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamegacutil.exeT vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000003.2062442144.00000000055A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamez vs cfrv_4_0_setup_ALL.exe
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000003.2062442144.00000000055A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamegacutlrc.dllT vs cfrv_4_0_setup_ALL.exe

Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: msvcrt40.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: craxdrt_res_zzz.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: craxdrt_res_zz.dll

Source: cfrv_4_0_setup_ALL.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006661000.00000004.00000020.00020000.00000000.sdmp, vbalFlBr6.dll.0.dr	Binary or memory string: 4*\AC:\SteveMac\VB6\Develop\vbalFolderBrowse\vbalFolderBrowse6.vbp,
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.000000000654C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .*\AC:\SteveMac\VB6\XHELPE~1\SSubTmr\SubTimer6.vbp
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000003.1738862165.00000000FF8D0000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2062442144.00000000055A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TRUE\|.wse;.zip;.vbp;.vbw;.vbg;.frm;.frx;.bas;.cls;.ctl;*.ctx
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006A3F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: GD*\AC:\SteveMac\VB6\Controls\vbalTreeView6\MultiColumn\vbalColumnTreeViewLib6.vbp

Source: classification engine

Classification label: mal52.evad.winEXE@39/565@0/0

Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe

Code function: 0_2_0041B110 GetLastError,FormatMessageW,LocalFree,

0_2_0041B110

Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe

Code function: 0_2_0041F320 GetVersion,CoCreateInstance,

0_2_0041F320

Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe

Code function: 1_2_6CEC2980 LoadResource,SizeofResource,LockResource,CreateFileW,WriteFile,FindCloseChangeNotification,DeleteFileW,

1_2_6CEC2980

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\SBoE

Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe

File created: C:\Users\user\AppData\Local\IIIQF

Jump to behavior

Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe

File created: C:\Users\user\AppData\Local\Temp\mia1

Jump to behavior

Source: Yara match	File source: 1.0.cfrv_4_0_setup_ALL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.1735223416.0000000000401000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\{D529246B-78E5-4E65-A3A2-8E1040E91E59}\cfrv_4_0_setup_ALL.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe, type: DROPPED

Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe

Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Command line argument: kernel32.dll	0_2_0041FF60
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Command line argument: SetDllDirectory	0_2_0041FF60
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Command line argument: "-k=	0_2_0041FF60
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Command line argument: "/k=	0_2_0041FF60
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Command line argument: -k=	0_2_0041FF60
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Command line argument: /k=	0_2_0041FF60
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Command line argument: Title	0_2_0041FF60
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Command line argument: BeginPrompt	0_2_0041FF60
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Command line argument: Progress	0_2_0041FF60
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Command line argument: Directory	0_2_0041FF60
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Command line argument: RunProgram	0_2_0041FF60
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Command line argument: ExecuteFile	0_2_0041FF60
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Command line argument: `A	0_2_0041FF60
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Command line argument: setup.exe	0_2_0041FF60
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Command line argument: %%T	0_2_0041FF60
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Command line argument: %%T\	0_2_0041FF60
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Command line argument: mia.lib	0_2_0041FF60
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Command line argument: runas	0_2_0041FF60

Source: cfrv_4_0_setup_ALL.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000050D1000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1731328809.0000000007150000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.000000000506D000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1731328809.00000000070F0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: select * from CS_ErrorDescription'select * from sysdatabases where name='masterSQLSERVER_FATAL_ERROR1ValidateDB;Network Library=dbmssocnNetwork Library=dbmssocnd:\cs40\private\cs40\setup\ca_dll\database.cppCommitDB%s
Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000068AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Selects the chart legend.W9Returns/sets the number of data columns in the data grid.WMReturns/sets the number of levels of labels on data columns in the data grid.WJReturns/sets the number of levels of labels on data rows in the data grid.6Returns/sets the number of data rows in the data grid.GDeletes columns of data and their associated labels from the data grid.WWW/Adds one or more data columns to the data grid.WWW>Deletes levels of labels from the data columns in a data grid.GAdds one or more levels of labels to the data columns in the data grid.WWWDDeletes rows of data and their associated labels from the data grid.WW,Adds one or more data rows to the data grid.WW;Deletes levels of labels from the data rows in a data grid.WWWDAdds one or more levels of labels to the data rows in the data grid.WW1Fills the data grid with randomly generated data.W4Sets the number and levels of data columns and rows.WWNAssigns each label in the first level of data grid labels a unique identifier.HFills one or more columns of the data grid with randomly generated data.WWEFills one or more rows of the data grid with randomly generated data.W(Moves a block of cells on the data grid.WW#Gets the value of a data grid cell.WWW#Sets the value of a data grid cell.WWW9Returns/sets the label on a data column in the data grid.WHReturns the multi-level label that identifies a column in the data grid.WWEReturns the multi-level label that identifies a row in the data grid.W6Returns/sets the label on a data row in the data grid.EReturns/sets the strength of the light coming from the light source.WCReturns/sets the X coordinate for the location of the LightSource.WWWCReturns/sets the Y coordinate for the location of the LightSource.WWWCReturns/sets the Z coordinate for the location of the LightSource.WWW]Sets the X,Y,Z coordinates for the LightSource location and the intensity of the LightSource.W

Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe

File read: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Process created: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe .\cfrv_4_0_setup_ALL.exe /m="C:\Users\user\Desktop\CFRV_4~1.EXE" /k=""
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" "C:\Windows\SysWOW64\mscomctl.ocx" /s
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" "C:\Windows\SysWOW64\COMDLG32.OCX" /s
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" "C:\Windows\SysWOW64\COMCT332.OCX" /s
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" "C:\Windows\SysWOW64\TABCTL32.OCX" /s
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" "C:\Program Files (x86)\Common Files\microsoft shared\DAO\DAO350.DLL" /s
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" "C:\Windows\NCSBOE\CF_CR_control.dll" /s
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" "C:\Windows\NCSBOE\CF_DB_Connect.dll" /s
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" "C:\Windows\NCSBOE\CF_File_Data.dll" /s
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" "C:\Windows\NCSBOE\CF_File_Export.dll" /s
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" "C:\Windows\NCSBOE\CF_Rmt_DB4_Update.dll" /s
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 9F821CD8835F26EFA91C6F67DA97DD7D
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\SysWOW64\craxdrt.dll
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\SysWOW64\crviewer.dll
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\Crystal\Cdo32.dll
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\SysWOW64\crtslv.dll
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\SysWOW64\ExportModeller.dll
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /separate /root,::{21ec2020-3aea-1069-a2dd-08002b30309d}
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Process created: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe .\cfrv_4_0_setup_ALL.exe /m="C:\Users\user\Desktop\CFRV_4~1.EXE" /k=""	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" "C:\Windows\SysWOW64\mscomctl.ocx" /s	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" "C:\Windows\SysWOW64\COMDLG32.OCX" /s	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" "C:\Windows\SysWOW64\COMCT332.OCX" /s	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" "C:\Windows\SysWOW64\TABCTL32.OCX" /s	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" "C:\Program Files (x86)\Common Files\microsoft shared\DAO\DAO350.DLL" /s	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" "C:\Windows\NCSBOE\CF_CR_control.dll" /s	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" "C:\Windows\NCSBOE\CF_DB_Connect.dll" /s	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" "C:\Windows\NCSBOE\CF_File_Data.dll" /s	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" "C:\Windows\NCSBOE\CF_File_Export.dll" /s	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" "C:\Windows\NCSBOE\CF_Rmt_DB4_Update.dll" /s	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\SysWOW64\crviewer.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 9F821CD8835F26EFA91C6F67DA97DD7D
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\SysWOW64\craxdrt.dll
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\SysWOW64\crviewer.dll
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\Crystal\Cdo32.dll
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\SysWOW64\crtslv.dll
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\SysWOW64\ExportModeller.dll

Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Jump to behavior

Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value created or modified: HKEY_CURRENT_USER\Control Panel\Mouse MouseHoverTime

Jump to behavior

Source: cfrv_4_0_setup_ALL.exe

Static file information: File size 14277760 > 1048576

Source:	Binary string: MsiHnd.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005965000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MsiHnd.pdbV source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005965000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: shfolder.pdbMZ source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006292000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rF,c:\Windows\System32\ImgXTwain61.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000052F4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: shfolder.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006292000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: GameuxInstallHelper.pdb source: cfrv_4_0_setup_ALL.exe, 00000001.00000000.1735771372.0000000000842000.00000002.00000001.01000000.00000004.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1738862165.00000000FFCA4000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: gacutil.pdb source: cfrv_4_0_setup_ALL.exe, 00000001.00000000.1735771372.0000000000842000.00000002.00000001.01000000.00000004.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1738862165.00000000FFCA4000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2062442144.00000000055A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\Windows\System32\ImgX61.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000052DD000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.000000000681A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: gacutil.pdb(0 source: cfrv_4_0_setup_ALL.exe, 00000001.00000000.1735771372.0000000000842000.00000002.00000001.01000000.00000004.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1738862165.00000000FFCA4000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2062442144.00000000055A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sdbapiu.pdbU source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006292000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: usp10.pdbMZ source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006661000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msisip.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005965000.00000004.00000020.00020000.00000000.sdmp, msisip.dll.0.dr
Source:	Binary string: c:\Windows\System32\ImgXPrint61.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000052F4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rFXc:\Windows\System32\ImgX61.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.000000000681A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sdbapiu.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006292000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: riched20.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006292000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mspatcha.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005BC6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Y:\EPFXlate\HTML\ReleaseSym\exlate32.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.000000000515D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msi.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000057A7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\Windows\System32\ImgXTwain61.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000052F4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rFWc:\Windows\System32\ImgX61.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000052DD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: gacutil.pdb, AH/@ source: cfrv_4_0_setup_ALL.exe, 00000001.00000000.1735771372.0000000000842000.00000002.00000001.01000000.00000004.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1738862165.00000000FFCA4000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: sdbapi.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006292000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msi_l.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000054B4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: usp10.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006661000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: imagehlp.pdbMZ source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.000000000515D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msi.pdbh source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000057A7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mspatcha.pdbtvbl01\LOCALS~1\Temp\2\DBGtoPDB\mspatcha.pdbMZ source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005BC6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: imagehlp.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.000000000515D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: riched20.pdbMZ source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006292000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Y:\EPFXlate\HTML\ReleaseSym\exlate32.pdbMZ source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.000000000515D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sdbapi.pdbU source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006292000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: tvbl01\LOCALS~1\Temp\2\DBGtoPDB\mspatcha.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005BC6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msisip.pdb3 source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005965000.00000004.00000020.00020000.00000000.sdmp, msisip.dll.0.dr
Source:	Binary string: rF,c:\Windows\System32\ImgXPrint61.pdb source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000052F4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: gacutlrc.pdb source: cfrv_4_0_setup_ALL.exe, 00000001.00000000.1735771372.0000000000842000.00000002.00000001.01000000.00000004.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1738862165.00000000FFCA4000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2062442144.00000000055A1000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe

Code function: 0_2_0041F0E0 GetSystemDefaultUILanguage,GetSystemDefaultUILanguage,LoadLibraryW,GetProcAddress,FreeLibrary,_malloc,__CxxThrowException@8,LoadLibraryW,GetProcAddress,FreeLibrary,_swscanf,GetSystemDefaultUILanguage,SetThreadUILanguage,GetUserDefaultUILanguage,SetThreadUILanguage,SetThreadLocale,

0_2_0041F0E0

Source: stdole2.tlb.0.dr	Static PE information: real checksum: 0x0 should be: 0x52af
Source: sscsdk80.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x128651
Source: Crpe32.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x4d2dd3
Source: CRxmlx07r.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x1dd3a
Source: u2lcom.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x29105
Source: exlate32.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xaffcb
Source: u2fsepv.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x19f64
Source: u2ddisk.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x103c1
Source: Crpaig80.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x9e40f
Source: u2dnotes.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x149ee
Source: crxf_rtf.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x32017
Source: AtalaImaging.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x136494
Source: cfrv_4_0_setup_ALL.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x56e113
Source: CRxmlx07.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xea5a8
Source: u2fxls.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x41a2a
Source: ExportModeller.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x4ae62
Source: Implode.dll.0.dr	Static PE information: real checksum: 0xb8c2 should be: 0x104a3
Source: craxdrt.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x4f77f9
Source: u2dmapi.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xdf55
Source: u2fhtml.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x10ea0

Source: cfrv_4_0_setup_ALL.exe.0.dr	Static PE information: section name: .didata
Source: usp10.dll.0.dr	Static PE information: section name: Shared
Source: usp10.dll0.0.dr	Static PE information: section name: Shared
Source: craxdrt.dll.0.dr	Static PE information: section name: _CODE
Source: Crpe32.dll.0.dr	Static PE information: section name: _CODE
Source: exlate32.dll.0.dr	Static PE information: section name: _CODE
Source: mDownExec.dll.0.dr	Static PE information: section name: .didata
Source: mMSIExec.dll.0.dr	Static PE information: section name: .didata
Source: msi.dll.0.dr	Static PE information: section name: .orpc
Source: msi.dll0.0.dr	Static PE information: section name: .orpc

Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" "C:\Program Files (x86)\Common Files\microsoft shared\DAO\DAO350.DLL" /s

Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Code function: 0_2_00434168 pushad ; iretd	0_2_00434169
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Code function: 0_2_00423ADD push ecx; ret	0_2_00423AF0
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Code function: 0_2_00437F08 push ecx; retf	0_2_00437F09
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_0561C473 push ecx; mov dword ptr [esp], edx	1_3_0568F50D
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_055BE440 push 51115D0Eh; ret	1_3_055BE4B2
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_055BE444 push 51115D0Eh; ret	1_3_055BE4B2
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_055BE466 push 51115D0Eh; ret	1_3_055BE4B2
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_055BE4F7 push 51115D8Ah; ret	1_3_055BE52E
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_055BE759 push 51115FDFh; ret	1_3_055BE783
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_0568E76A push ecx; ret	1_3_0568E76E
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_0568E744 push ecx; ret	1_3_0568E74A
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_055BE76C push 51115FDFh; ret	1_3_055BE783
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_055C6678 push 5111ED52h; ret	1_3_055C66F6
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_0566C17C push 510C3A08h; ret	1_3_0566C1AC
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_055BE1D1 push 51115D0Eh; ret	1_3_055BE4B2
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_056061D6 push ecx; mov dword ptr [esp], ecx	1_3_056061D9
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_055BE00A push 51115D0Eh; ret	1_3_055BE4B2
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_055BE0EF push 51115D0Eh; ret	1_3_055BE4B2
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_055BE0E7 push 51115D0Eh; ret	1_3_055BE4B2
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_055BE09C push 51115D0Eh; ret	1_3_055BE4B2
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_055BE094 push 51115D0Eh; ret	1_3_055BE4B2
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_055BE357 push 51115D0Eh; ret	1_3_055BE4B2
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_055BE327 push 51115D0Eh; ret	1_3_055BE4B2
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_055BE3D1 push 51115D0Eh; ret	1_3_055BE4B2
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_055BE2FE push 51115D0Eh; ret	1_3_055BE4B2
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_05602D73 push ecx; ret	1_3_05602D74
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_055BED90 push 51116630h; ret	1_3_055BEDD4
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_055BEDBA push 51116630h; ret	1_3_055BEDD4
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_05606F5C push 5105E808h; ret	1_3_05606FAC
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_055BEEE9 push 51116752h; ret	1_3_055BEEF6
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_3_055BEEBC push 51116752h; ret	1_3_055BEEF6

Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\5A4D542C\7204BF44\CRUTL15R.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\shfolder.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\1A28DE63\34510A4\dao360.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2lexch.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\mVB.dll\mVBExec.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2lsamp1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\D71275EF\1517B7F7\CF_org_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\msihnd.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\DAE69E8\7204BF44\craxdrt.dll	Jump to dropped file
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	File created: C:\Users\user\AppData\Local\Temp\mia1\pPin32.cpl	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\shfolder.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\B2966187\1517B7F7\CF_File_Data.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\DCDC5FB4\1517B7F7\CF_File_Import.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\stdole2.tlb	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2ixbse.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\9F0CE7B6\7204BF44\CRxmlx07.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\47C10F79\7204BF44\CRxmlx07r.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2lfinra.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\DF17326D\1835CB68\Crxlat32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\msvbvm60.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\1D5631E8\1517B7F7\CF_Login.ocx	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\E76BBEDE\7204BF44\crviewer.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3C42.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\487DDF\1835CB68\u2ddisk.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\DD3D7189\34510A4\COMCT332.OCX	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2fxml.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\FBA4A636\1835CB68\p2lodbc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\832FC268\1517B7F7\LogFile.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\EEBF1E87\7204BF44\exlate32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\DC878553\34510A4\AtalaImaging.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\Crxlat32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\A297C06E\1517B7F7\CF_audit_review_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\63200452\1835CB68\u2dpost.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\474E307D\1835CB68\u2lsamp1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\CRXML15R.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\6D4D0E7\34510A4\ImgX61.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\A8299B92\7204BF44\CRXML15R.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2dapp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\ED7284FA\1517B7F7\CF_report_export_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\1DF81C7A\34510A4\ImgXPrint61.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\Crpaig80.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\6DEA5FF3\7204BF44\CRXML15.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\usp10.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\51868479\1517B7F7\CF_report_main_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\68965F3A\1835CB68\u2fhtml.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\EABD308B\1835CB68\u2dnotes.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\imagehlp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\CRxmlx07.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\msi.dll	Jump to dropped file
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	File created: C:\Users\user\AppData\Local\Temp\mia1\pPin64.cpl	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\CRBAS15R.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\usp10.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\crwrap32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\Implode.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\mVBExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\880D11DF\1835CB68\P2smon.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\526A560A\1835CB68\u2lcom.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\msiinst.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\mWinRun.dll\mWinRunExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\4D29780E\1835CB68\u2fsepv.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\olepro32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\msiexec.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\E3BD0475\1517B7F7\LogFile.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\1F62DE62\1517B7F7\CF_File_Import_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\cabinet.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\CBB1E6D9\1517B7F7\CF_Transaction.ocx	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u252000.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\p2sodbc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\205EBC50\34510A4\ImgXTwain61.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\F7CFC206\7204BF44\Implode.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\riched20.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\mDown.dll\mDownExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\mMSI.dll\mMSIExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\C847D812\1835CB68\Cdo32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\2E5B6414\1835CB68\u2fcr.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\msimsg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\B3FFCC7F\1835CB68\u2dmapi.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\crxf_pdf.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\CRUTL15R.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\3E323407\1835CB68\u2fxls.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2dvim.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2ddisk.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\CRxmlx07r.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\A9695CDF\1517B7F7\CF_Rmt_DB4_Update.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\AB3A15F4\34510A4\TABCTL32.OCX	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\msi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\161F85F0\7204BF44\CRUTL15.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\mspatcha.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\oleaut32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\E2BBEE13\1835CB68\p2ixbse.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2dpost.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2l2000.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\ExportModeller.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\W95INF32.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\msisip.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\3D003E72\1835CB68\u2fxml.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\asycfilt.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2fxls.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3D7C.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\msihnd.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2ldts.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\Crpe32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\craxdrt.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\msls31.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\FE57A718\1517B7F7\CF_DB_Connect.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\BA3E37E4\1517B7F7\CF_CR_control.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\crviewer.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\D4B1A979\1835CB68\u2l2000.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\80B1517D\1835CB68\u2dvim.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\C2C59FBE\1517B7F7\CF_File_Export.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\33BB160B\1835CB68\u2dapp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\E04462E5\1517B7F7\CF_Report_Verify_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\2E81A74\34510A4\vbalColumnTreeView6.oca	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\A52CA551\7204BF44\CRXML15S.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\CRBAS15.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\msisip.dll	Jump to dropped file
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	File created: C:\Users\user\AppData\Local\Temp\mia1\mWinRunExec.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\pg32conv.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\sscsdk80.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\CE1E931F\7204BF44\sscsdk80.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2dmapi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\C8E76B1B\1835CB68\u2lexch.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\496179\1517B7F7\CF_rs_browse_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\2D3E0D90\7204BF44\Crpe32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\exlate32.dll	Jump to dropped file
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	File created: C:\Users\user\AppData\Local\Temp\mia1\mDownExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\C964AC44\1835CB68\u2lfinra.dll	Jump to dropped file
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	File created: C:\Windows\System32\myah0.cpl	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\A157FA05\1835CB68\crxf_rtf.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\90E4D581\1517B7F7\CF_ref_report_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\W95INF16.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\2EC6F5ED\34510A4\vbalColumnTreeView6.ocx	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\3B44007A\1835CB68\u252000.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\1BF788A5\1517B7F7\CF_Name_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\mia.lib	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\43981525\7204BF44\pg32conv.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\496C80D6\34510A4\MSCHRT20.OCX	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\92CEEA92\34510A4\DAO350.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\F0E0F85C\1517B7F7\cf_rpt_link_bus.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2fsepv.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2lodbc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\184596D6\1517B7F7\CF_login_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\BB709D56\1517B7F7\CF_Trans_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\mWinRunExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\D77E7C08\7204BF44\crwrap32.dll	Jump to dropped file
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\{D529246B-78E5-4E65-A3A2-8E1040E91E59}\mia.lib	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\CRUTL15.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\sdbapi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\83ED17B7\1517B7F7\CF_report_history_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\BED664EA\7204BF44\Crpaig80.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\imagehlp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\crxf_rtf.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2lcom.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\FAAEA181\7204BF44\ExportModeller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\P2smon.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\701CB7F7\34510A4\mscomctl.ocx	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\2ADC2324\1835CB68\u25dts.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\comcat.dll	Jump to dropped file
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	File created: C:\Users\user\AppData\Local\IIIQF\7z.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\83C5D67\7204BF44\crtslv.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2dnotes.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\msiinst.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\7DB1D6B0\7204BF44\CRBAS15R.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u25dts.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\Cdo32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\A95AB0B4\34510A4\ImgX61.ocx	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\6C6652B9\1517B7F7\CF_report_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\riched20.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3DAC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3CDF.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\7A300D31\1835CB68\crxf_pdf.dll	Jump to dropped file
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	File created: C:\Users\user\AppData\Local\Temp\mia1\mMSIExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\ADVPACK.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\D25B4F4E\7204BF44\CRBAS15.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\CRXML15.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\msiexec.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\msimsg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\D63D429\1517B7F7\CF_document_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\416B4F42\1517B7F7\CF_org_history_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\8BAE8D59\7204BF44\p2sodbc.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\crtslv.dll	Jump to dropped file
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	File created: C:\Users\user\AppData\Local\Temp\mia1\mVBExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\cabinet.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\4B371E22\34510A4\vbalFlBr6.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\msls31.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\mspatcha.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2fhtml.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\FCE647BF\1835CB68\u2ldts.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\7CC1D691\34510A4\TABCTL32.OCX	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2fcr.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\CRXML15S.DLL	Jump to dropped file
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\{D529246B-78E5-4E65-A3A2-8E1040E91E59}\cfrv_4_0_setup_ALL.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SBoE\Campaign Finance\CF Remote\CF_Remote.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\C7D8D83E\34510A4\SSubTmr6.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\B70202BD\7C02DA3A\CF_Remote.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\sdbapiU.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\679B857\34510A4\COMDLG32.OCX	Jump to dropped file

Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\5A4D542C\7204BF44\CRUTL15R.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\shfolder.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\1A28DE63\34510A4\dao360.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\msls31.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\FE57A718\1517B7F7\CF_DB_Connect.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\BA3E37E4\1517B7F7\CF_CR_control.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\D4B1A979\1835CB68\u2l2000.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\mVB.dll\mVBExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\D71275EF\1517B7F7\CF_org_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\msihnd.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\80B1517D\1835CB68\u2dvim.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\C2C59FBE\1517B7F7\CF_File_Export.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\DAE69E8\7204BF44\craxdrt.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\shfolder.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\B2966187\1517B7F7\CF_File_Data.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\33BB160B\1835CB68\u2dapp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\DCDC5FB4\1517B7F7\CF_File_Import.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\stdole2.tlb	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\E04462E5\1517B7F7\CF_Report_Verify_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\2E81A74\34510A4\vbalColumnTreeView6.oca	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\A52CA551\7204BF44\CRXML15S.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\9F0CE7B6\7204BF44\CRxmlx07.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\47C10F79\7204BF44\CRxmlx07r.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\msisip.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\DF17326D\1835CB68\Crxlat32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\msvbvm60.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\CE1E931F\7204BF44\sscsdk80.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\1D5631E8\1517B7F7\CF_Login.ocx	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\E76BBEDE\7204BF44\crviewer.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\487DDF\1835CB68\u2ddisk.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\C8E76B1B\1835CB68\u2lexch.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\496179\1517B7F7\CF_rs_browse_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\2D3E0D90\7204BF44\Crpe32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\DD3D7189\34510A4\COMCT332.OCX	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\FBA4A636\1835CB68\p2lodbc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\832FC268\1517B7F7\LogFile.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\C964AC44\1835CB68\u2lfinra.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\EEBF1E87\7204BF44\exlate32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\DC878553\34510A4\AtalaImaging.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\A157FA05\1835CB68\crxf_rtf.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\A297C06E\1517B7F7\CF_audit_review_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\90E4D581\1517B7F7\CF_ref_report_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\63200452\1835CB68\u2dpost.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\2EC6F5ED\34510A4\vbalColumnTreeView6.ocx	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\W95INF16.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\474E307D\1835CB68\u2lsamp1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\3B44007A\1835CB68\u252000.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\1BF788A5\1517B7F7\CF_Name_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\mia.lib	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\6D4D0E7\34510A4\ImgX61.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\43981525\7204BF44\pg32conv.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\A8299B92\7204BF44\CRXML15R.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\496C80D6\34510A4\MSCHRT20.OCX	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\ED7284FA\1517B7F7\CF_report_export_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\92CEEA92\34510A4\DAO350.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\1DF81C7A\34510A4\ImgXPrint61.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\6DEA5FF3\7204BF44\CRXML15.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\F0E0F85C\1517B7F7\cf_rpt_link_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\usp10.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\51868479\1517B7F7\CF_report_main_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\68965F3A\1835CB68\u2fhtml.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\EABD308B\1835CB68\u2dnotes.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\imagehlp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\msi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\184596D6\1517B7F7\CF_login_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\usp10.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\mVBExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\BB709D56\1517B7F7\CF_Trans_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\D77E7C08\7204BF44\crwrap32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\mWinRunExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\880D11DF\1835CB68\P2smon.dll	Jump to dropped file
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\{D529246B-78E5-4E65-A3A2-8E1040E91E59}\mia.lib	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\sdbapi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\526A560A\1835CB68\u2lcom.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\msiinst.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\83ED17B7\1517B7F7\CF_report_history_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\BED664EA\7204BF44\Crpaig80.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\imagehlp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\mWinRun.dll\mWinRunExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\4D29780E\1835CB68\u2fsepv.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\olepro32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\FAAEA181\7204BF44\ExportModeller.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\msiexec.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\701CB7F7\34510A4\mscomctl.ocx	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\2ADC2324\1835CB68\u25dts.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\comcat.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\E3BD0475\1517B7F7\LogFile.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\83C5D67\7204BF44\crtslv.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\1F62DE62\1517B7F7\CF_File_Import_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\cabinet.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\CBB1E6D9\1517B7F7\CF_Transaction.ocx	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\msiinst.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\205EBC50\34510A4\ImgXTwain61.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\F7CFC206\7204BF44\Implode.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\riched20.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\7DB1D6B0\7204BF44\CRBAS15R.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\mDown.dll\mDownExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\mMSI.dll\mMSIExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\A95AB0B4\34510A4\ImgX61.ocx	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\C847D812\1835CB68\Cdo32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\2E5B6414\1835CB68\u2fcr.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\6C6652B9\1517B7F7\CF_report_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\riched20.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\msimsg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\7A300D31\1835CB68\crxf_pdf.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\B3FFCC7F\1835CB68\u2dmapi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\3E323407\1835CB68\u2fxls.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\ADVPACK.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\D25B4F4E\7204BF44\CRBAS15.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\msiexec.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\msimsg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\D63D429\1517B7F7\CF_document_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\416B4F42\1517B7F7\CF_org_history_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\8BAE8D59\7204BF44\p2sodbc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\A9695CDF\1517B7F7\CF_Rmt_DB4_Update.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\cabinet.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\AB3A15F4\34510A4\TABCTL32.OCX	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\msi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\4B371E22\34510A4\vbalFlBr6.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\161F85F0\7204BF44\CRUTL15.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\mspatcha.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\oleaut32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\E2BBEE13\1835CB68\p2ixbse.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\msls31.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\W95INF32.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\mspatcha.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\msisip.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\FCE647BF\1835CB68\u2ldts.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\7CC1D691\34510A4\TABCTL32.OCX	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\3D003E72\1835CB68\u2fxml.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\asycfilt.dll	Jump to dropped file
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\{D529246B-78E5-4E65-A3A2-8E1040E91E59}\cfrv_4_0_setup_ALL.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\C7D8D83E\34510A4\SSubTmr6.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\msihnd.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\B70202BD\7C02DA3A\CF_Remote.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\sdbapiU.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\679B857\34510A4\COMDLG32.OCX	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\crwrap32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\Implode.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2lexch.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\crviewer.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2lsamp1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\CRUTL15.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\crxf_rtf.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2lcom.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\P2smon.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2ixbse.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\CRBAS15.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2dnotes.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u252000.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2lfinra.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\p2sodbc.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u25dts.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\Cdo32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\pg32conv.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\sscsdk80.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3DAC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3CDF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2dmapi.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3C42.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\crxf_pdf.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\CRUTL15R.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2dvim.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\exlate32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\CRXML15.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2fxml.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2ddisk.dll	Jump to dropped file
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	File created: C:\Windows\System32\myah0.cpl	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\CRxmlx07r.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\Crxlat32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\crtslv.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2dpost.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\CRXML15R.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2l2000.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\ExportModeller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2dapp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2fhtml.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\Crpaig80.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2fcr.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2fxls.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\CRXML15S.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2fsepv.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3D7C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2ldts.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2lodbc.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\CRxmlx07.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\Crpe32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\CRBAS15R.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\craxdrt.dll	Jump to dropped file

Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\mia.lib	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\2E81A74\34510A4\vbalColumnTreeView6.oca	Jump to dropped file
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	File created: C:\Users\user\AppData\Local\Temp\mia1\pPin64.cpl	Jump to dropped file
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	File created: C:\Windows\System32\myah0.cpl	Jump to dropped file
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	File created: C:\ProgramData\{D529246B-78E5-4E65-A3A2-8E1040E91E59}\mia.lib	Jump to dropped file
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	File created: C:\Users\user\AppData\Local\Temp\mia1\pPin32.cpl	Jump to dropped file

Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe

File created: c:\tmp\log\installs\CF_Remote\install.log

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Campaign Finance
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Campaign Finance\CF Remote.lnk

Hooking and other Techniques for Hiding and Protection

May use the Tor software to hide its network traffic

Source: cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005348000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: torConnect

Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe

Code function: 1_3_056A068D str word ptr [ebx+40F6FC45h]

1_3_056A068D

Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\5A4D542C\7204BF44\CRUTL15R.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\shfolder.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\1A28DE63\34510A4\dao360.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\msls31.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\u2lexch.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\D4B1A979\1835CB68\u2l2000.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\mVB.dll\mVBExec.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\u2lsamp1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\msihnd.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\D71275EF\1517B7F7\CF_org_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\80B1517D\1835CB68\u2dvim.dll	Jump to dropped file
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia1\pPin32.cpl	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\shfolder.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\33BB160B\1835CB68\u2dapp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\DCDC5FB4\1517B7F7\CF_File_Import.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\p2ixbse.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\A52CA551\7204BF44\CRXML15S.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\E04462E5\1517B7F7\CF_Report_Verify_bus.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\CRBAS15.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\9F0CE7B6\7204BF44\CRxmlx07.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\47C10F79\7204BF44\CRxmlx07r.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\u2lfinra.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\msisip.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\DF17326D\1835CB68\Crxlat32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\pg32conv.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\sscsdk80.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\CE1E931F\7204BF44\sscsdk80.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\1D5631E8\1517B7F7\CF_Login.ocx	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\u2dmapi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\487DDF\1835CB68\u2ddisk.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\C8E76B1B\1835CB68\u2lexch.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\496179\1517B7F7\CF_rs_browse_bus.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\exlate32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\2D3E0D90\7204BF44\Crpe32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\u2fxml.dll	Jump to dropped file
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia1\mDownExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\FBA4A636\1835CB68\p2lodbc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\832FC268\1517B7F7\LogFile.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\C964AC44\1835CB68\u2lfinra.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\EEBF1E87\7204BF44\exlate32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\A157FA05\1835CB68\crxf_rtf.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\DC878553\34510A4\AtalaImaging.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\Crxlat32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\A297C06E\1517B7F7\CF_audit_review_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\90E4D581\1517B7F7\CF_ref_report_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\63200452\1835CB68\u2dpost.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\3B44007A\1835CB68\u252000.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\W95INF16.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\2EC6F5ED\34510A4\vbalColumnTreeView6.ocx	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\474E307D\1835CB68\u2lsamp1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\CRXML15R.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\1BF788A5\1517B7F7\CF_Name_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\43981525\7204BF44\pg32conv.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\6D4D0E7\34510A4\ImgX61.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\A8299B92\7204BF44\CRXML15R.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\u2dapp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\496C80D6\34510A4\MSCHRT20.OCX	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\ED7284FA\1517B7F7\CF_report_export_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\1DF81C7A\34510A4\ImgXPrint61.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Crpaig80.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\6DEA5FF3\7204BF44\CRXML15.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\F0E0F85C\1517B7F7\cf_rpt_link_bus.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\u2fsepv.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\usp10.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\51868479\1517B7F7\CF_report_main_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\68965F3A\1835CB68\u2fhtml.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\EABD308B\1835CB68\u2dnotes.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\CRxmlx07.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\p2lodbc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\184596D6\1517B7F7\CF_login_bus.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\CRBAS15R.DLL	Jump to dropped file
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia1\pPin64.cpl	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\usp10.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\crwrap32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Implode.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\mVBExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\BB709D56\1517B7F7\CF_Trans_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\880D11DF\1835CB68\P2smon.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\D77E7C08\7204BF44\crwrap32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\CRUTL15.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\526A560A\1835CB68\u2lcom.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\sdbapi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\83ED17B7\1517B7F7\CF_report_history_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\BED664EA\7204BF44\Crpaig80.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\msiinst.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\crxf_rtf.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\4D29780E\1835CB68\u2fsepv.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\u2lcom.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\P2smon.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\msiexec.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\comcat.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\2ADC2324\1835CB68\u25dts.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\E3BD0475\1517B7F7\LogFile.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\cabinet.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\u2dnotes.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\1F62DE62\1517B7F7\CF_File_Import_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\CBB1E6D9\1517B7F7\CF_Transaction.ocx	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\msiinst.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\u252000.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\p2sodbc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\205EBC50\34510A4\ImgXTwain61.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\riched20.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\F7CFC206\7204BF44\Implode.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\mDown.dll\mDownExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\7DB1D6B0\7204BF44\CRBAS15R.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\u25dts.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\mMSI.dll\mMSIExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\A95AB0B4\34510A4\ImgX61.ocx	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\2E5B6414\1835CB68\u2fcr.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\riched20.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\6C6652B9\1517B7F7\CF_report_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\msimsg.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3DAC.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\7A300D31\1835CB68\crxf_pdf.dll	Jump to dropped file
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia1\mMSIExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\B3FFCC7F\1835CB68\u2dmapi.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\crxf_pdf.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\CRUTL15R.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\3E323407\1835CB68\u2fxls.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\u2dvim.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\ADVPACK.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\D25B4F4E\7204BF44\CRBAS15.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\CRXML15.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\msiexec.exe	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\msimsg.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\u2ddisk.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\D63D429\1517B7F7\CF_document_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\416B4F42\1517B7F7\CF_org_history_bus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\8BAE8D59\7204BF44\p2sodbc.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\CRxmlx07r.dll	Jump to dropped file
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia1\mVBExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\cabinet.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\4B371E22\34510A4\vbalFlBr6.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\161F85F0\7204BF44\CRUTL15.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\mspatcha.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\E2BBEE13\1835CB68\p2ixbse.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\u2dpost.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\msls31.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\u2l2000.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\mspatcha.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\W95INF32.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\msisip.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\u2fhtml.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\FCE647BF\1835CB68\u2ldts.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\u2fcr.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\3D003E72\1835CB68\u2fxml.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\asycfilt.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\CRXML15S.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\u2fxls.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SBoE\Campaign Finance\CF Remote\CF_Remote.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3D7C.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\C7D8D83E\34510A4\SSubTmr6.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\msihnd.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\u2ldts.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\OFFLINE\B70202BD\7C02DA3A\CF_Remote.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\Crpe32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Dropped PE file which has not been started: C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\sdbapiU.dll	Jump to dropped file

Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess	graph_0-20219
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep	graph_0-20122
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep	graph_1-39044

Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe

API coverage: 9.8 %

Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Code function: 0_2_00407E20 FindNextFileW,FindClose,FindFirstFileW,FindFirstFileW,	0_2_00407E20
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_6CEC2A30 _memset,FindFirstFileW,LoadLibraryW,FindClose,FindResourceW,LoadLibraryW,	1_2_6CEC2A30
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_6CEB2470 FindClose,FindFirstFileW,FindFirstFileW,	1_2_6CEB2470

Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe

Code function: 1_2_10001B41 GetSystemInfo,

1_2_10001B41

Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	File opened: C:\ProgramData\Microsoft\Windows\Start Menu	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	File opened: C:\ProgramData\Microsoft\Windows\Start Menu\Programs	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	File opened: C:\ProgramData\Microsoft	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	File opened: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Campaign Finance\CF Remote.lnk	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	File opened: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Campaign Finance	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	File opened: C:\ProgramData\Microsoft\Windows	Jump to behavior

Source: explorer.exe, 00000018.00000003.2057826843.0000000008D13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_
Source: explorer.exe, 00000018.00000003.2057512082.0000000008CE3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@psQ
Source: explorer.exe, 00000018.00000002.2879083790.0000000008DF7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000003.2239438491.0000000002825000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: NC:\Windows\system32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563
Source: explorer.exe, 00000018.00000003.2057512082.0000000008CE3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@
Source: explorer.exe, 00000018.00000003.2060166385.00000000067A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000003.2060001241.00000000067A1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000002.2878512791.00000000067A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlls
Source: explorer.exe, 00000018.00000002.2878818194.0000000008C86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}1
Source: explorer.exe, 00000018.00000002.2879083790.0000000008DF7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}id3=
Source: explorer.exe, 00000017.00000002.1993887879.0000000000E75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_D0
Source: explorer.exe, 00000018.00000002.2879083790.0000000008DF7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}.
Source: explorer.exe, 00000018.00000002.2877884579.0000000001004000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Prod_VMware_SATA{
Source: explorer.exe, 00000018.00000002.2878818194.0000000008C86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\
Source: explorer.exe, 00000018.00000003.2057789670.0000000008D84000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rod_VMware_SATA_CD00#4&224f42ef&0&00000a

Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe

API call chain: ExitProcess graph end node

graph_1-37450

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe

Code function: 0_2_00424C1E _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00424C1E

Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe

0_2_0041F0E0

Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Code function: 0_2_004251D4 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004251D4
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Code function: 0_2_00424C1E _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00424C1E
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Code function: 0_2_00426C2A SetUnhandledExceptionFilter,	0_2_00426C2A
Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Code function: 0_2_00421DDF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00421DDF
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_1001B723 SetUnhandledExceptionFilter,	1_2_1001B723
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_1001B735 SetUnhandledExceptionFilter,	1_2_1001B735
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_6CEC6CD8 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_6CEC6CD8
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_6CEC5A8A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_6CEC5A8A
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: 1_2_6CEC51C7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_6CEC51C7

HIPS / PFW / Operating System Protection Evasion

DLL side loading technique detected

Source: C:\Windows\explorer.exe

Section loaded: C:\Windows\System32\msi.dll

Injects code into the Windows Explorer (explorer.exe)

Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Memory written: PID: 6920 base: B20000 value: 00			Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Memory written: PID: 6920 base: D212D8 value: 00			Jump to behavior

Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe

Code function: 0_2_0041FF60 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,MessageBoxW,CoInitialize,_memset,GetVersionExW,GetCommandLineW,_malloc,__CxxThrowException@8,MessageBoxW,_malloc,__CxxThrowException@8,MessageBoxW,MessageBoxW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,ShellExecuteExW,SetCurrentDirectoryW,SetCurrentDirectoryW,CreateProcessW,GetLastError,GetLastError,CoInitializeEx,ShellExecuteExW,GetLastError,SetCurrentDirectoryW,SetCurrentDirectoryW,CloseHandle,WaitForSingleObject,GetExitCodeProcess,CloseHandle,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_0041FF60

Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" "C:\Windows\SysWOW64\mscomctl.ocx" /s	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" "C:\Windows\SysWOW64\COMDLG32.OCX" /s	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" "C:\Windows\SysWOW64\COMCT332.OCX" /s	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" "C:\Windows\SysWOW64\TABCTL32.OCX" /s	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" "C:\Program Files (x86)\Common Files\microsoft shared\DAO\DAO350.DLL" /s	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" "C:\Windows\NCSBOE\CF_CR_control.dll" /s	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" "C:\Windows\NCSBOE\CF_DB_Connect.dll" /s	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" "C:\Windows\NCSBOE\CF_File_Data.dll" /s	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" "C:\Windows\NCSBOE\CF_File_Export.dll" /s	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" "C:\Windows\NCSBOE\CF_Rmt_DB4_Update.dll" /s	Jump to behavior
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\SysWOW64\crviewer.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\SysWOW64\craxdrt.dll
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\SysWOW64\crviewer.dll
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\Crystal\Cdo32.dll
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\SysWOW64\crtslv.dll
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\SysWOW64\ExportModeller.dll

Source: cfrv_4_0_setup_ALL.exe, 00000001.00000000.1735223416.0000000000418000.00000020.00000001.01000000.00000004.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1738862165.00000000FF8D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Progmanadvapi32.dllCreateProcessWithTokenW
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000000.1735223416.0000000000418000.00000020.00000001.01000000.00000004.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1738862165.00000000FF8D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ProgmanU
Source: cfrv_4_0_setup_ALL.exe, 00000001.00000000.1735223416.0000000000418000.00000020.00000001.01000000.00000004.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1738862165.00000000FF8D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndU

Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe	Code function: GetLocaleInfoA,		0_2_0042C5C6
Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	Code function: GetLocaleInfoA,		1_2_6CECDEDB

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe

Code function: 0_2_004273A1 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_004273A1

Source: C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe

Code function: 0_2_0041F320 GetVersion,CoCreateInstance,

0_2_0041F320

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
1 Replication Through Removable Media	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Exploitation for Privilege Escalation	32 Masquerading	OS Credential Dumping	1 System Time Discovery	1 Replication Through Removable Media	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	2 Native API	11 DLL Side-Loading	112 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Multi-hop Proxy	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	112 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Proxy			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	11 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	Protocol Impersonation			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	11 Peripheral Device Discovery	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Regsvr32	Cached Domain Credentials	2 System Owner/User Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	Startup Items	11 DLL Side-Loading	DCSync	3 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS
Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	35 System Information Discovery	Cloud Services	Credential API Hooking	Exfiltration Over Alternative Protocol	Application Layer Protocol			Defacement	Serverless	Network Trust Dependencies

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
cfrv_4_0_setup_ALL.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\SBoE\Campaign Finance\CF Remote\CF_Remote.exe	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\ADVPACK.DLL	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\W95INF16.DLL	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\W95INF32.DLL	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\asycfilt.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\comcat.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\mVBExec.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\msvbvm60.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\oleaut32.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\olepro32.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\stdole2.tlb	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\cabinet.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\imagehlp.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\msi.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\msiexec.exe	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\msihnd.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\msiinst.exe	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\msimsg.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\msisip.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\msls31.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\mspatcha.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\riched20.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\sdbapi.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\shfolder.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\ansi\usp10.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\mWinRunExec.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\cabinet.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\imagehlp.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\msi.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\msiexec.exe	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\msihnd.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\msiinst.exe	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\msimsg.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\msisip.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\msls31.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\mspatcha.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\riched20.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\sdbapiU.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\shfolder.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\Microsoft Windows Installer 2.0\mWinRun.dll\unicode\usp10.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\161F85F0\7204BF44\CRUTL15.DLL	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\184596D6\1517B7F7\CF_login_bus.dll	2%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\1A28DE63\34510A4\dao360.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\1BF788A5\1517B7F7\CF_Name_bus.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\1D5631E8\1517B7F7\CF_Login.ocx	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\1DF81C7A\34510A4\ImgXPrint61.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\1F62DE62\1517B7F7\CF_File_Import_bus.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\205EBC50\34510A4\ImgXTwain61.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\2ADC2324\1835CB68\u25dts.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\2D3E0D90\7204BF44\Crpe32.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\2E5B6414\1835CB68\u2fcr.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\2E81A74\34510A4\vbalColumnTreeView6.oca	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\2EC6F5ED\34510A4\vbalColumnTreeView6.ocx	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\33BB160B\1835CB68\u2dapp.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\3B44007A\1835CB68\u252000.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\3D003E72\1835CB68\u2fxml.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\3E323407\1835CB68\u2fxls.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\416B4F42\1517B7F7\CF_org_history_bus.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\43981525\7204BF44\pg32conv.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\474E307D\1835CB68\u2lsamp1.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\47C10F79\7204BF44\CRxmlx07r.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\487DDF\1835CB68\u2ddisk.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\496179\1517B7F7\CF_rs_browse_bus.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\496C80D6\34510A4\MSCHRT20.OCX	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\4B371E22\34510A4\vbalFlBr6.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\4D29780E\1835CB68\u2fsepv.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\51868479\1517B7F7\CF_report_main_bus.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\526A560A\1835CB68\u2lcom.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\5A4D542C\7204BF44\CRUTL15R.DLL	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\63200452\1835CB68\u2dpost.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\679B857\34510A4\COMDLG32.OCX	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\68965F3A\1835CB68\u2fhtml.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\6C6652B9\1517B7F7\CF_report_bus.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\6D4D0E7\34510A4\ImgX61.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\6DEA5FF3\7204BF44\CRXML15.DLL	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\701CB7F7\34510A4\mscomctl.ocx	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\7A300D31\1835CB68\crxf_pdf.dll	0%	ReversingLabs
C:\ProgramData\miaDC6F.tmp\data\OFFLINE\7CC1D691\34510A4\TABCTL32.OCX	0%	ReversingLabs

Source	Detection	Scanner	Label
http://schemas.mi	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://subca.ocsp-certum.com05	0%	URL Reputation	safe
http://subca.ocsp-certum.com02	0%	URL Reputation	safe
http://subca.ocsp-certum.com01	0%	URL Reputation	safe
http://www.ncsbe.govMicrosoft	0%	Avira URL Cloud	safe
http://www.ImgX.net/	0%	Avira URL Cloud	safe
http://www.mywebsite.com/New	0%	Avira URL Cloud	safe
http://www.seagatesoftware.com/xml/schema.xsdxsddtdw	0%	Avira URL Cloud	safe
http://www.ImgX.net/ImgX/purchase.asp	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0C	0%	Avira URL Cloud	safe
https://www.installaware.com/buydirect.aspopen	0%	Avira URL Cloud	safe
http://www.installaware.com/	0%	Avira URL Cloud	safe
http://www.installaware.com/0	0%	Avira URL Cloud	safe
http://www.installaware.com/InstallAware	0%	Avira URL Cloud	safe
http://www.installaware.comz	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.mi	explorer.exe, 00000018.00000002.2879083790.0000000008DF7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.certum.pl/ctsca2021.crl0o	cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002F85000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000060D3000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005D3E000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000031F1000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005FA2000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005348000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000054B4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748764589.0000000003400000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2064693512.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748704146.0000000003560000.00000004.00001000.00020000.00000000.sdmp	false		high
http://repository.certum.pl/ctnca.cer09	cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002F85000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000060D3000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005D3E000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000031F1000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005FA2000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005348000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000054B4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748764589.0000000003400000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2064693512.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748704146.0000000003560000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.ncsbe.govMicrosoft	cfrv_4_0_setup_ALL.exe, 00000001.00000003.2062442144.00000000055A1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002F85000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000060D3000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005D3E000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000031F1000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005FA2000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005348000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000054B4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748764589.0000000003400000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2064693512.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748704146.0000000003560000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.certum.pl/ctnca.crl0k	cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002F85000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000060D3000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005D3E000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000031F1000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005FA2000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005348000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000054B4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748764589.0000000003400000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2064693512.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748704146.0000000003560000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ocsp.thawte.com0	cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000052DD000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000052F4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.000000000681A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://standards.iso.org/iso/19770/-2/2008/schema.xsd	cfrv_4_0_setup_ALL.exe, 00000001.00000000.1735223416.0000000000418000.00000020.00000001.01000000.00000004.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1738862165.00000000FF8D0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.installaware.com/0	cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002F85000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000060D3000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005D3E000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000031F1000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005FA2000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005348000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000054B4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748764589.0000000003400000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2064693512.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748704146.0000000003560000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.installaware.comz	cfrv_4_0_setup_ALL.exe	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002F85000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000060D3000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005D3E000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000031F1000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005FA2000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005348000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000054B4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748764589.0000000003400000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2064693512.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748704146.0000000003560000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ImgX.net/	cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006661000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002F85000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000060D3000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005D3E000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000031F1000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005FA2000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005348000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000054B4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748764589.0000000003400000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2064693512.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748704146.0000000003560000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.installaware.com/	cfrv_4_0_setup_ALL.exe, 00000001.00000000.1735223416.0000000000418000.00000020.00000001.01000000.00000004.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1738862165.00000000FF8D0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mywebsite.com/New	cfrv_4_0_setup_ALL.exe, 00000001.00000003.1738862165.00000000FF8D0000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2062442144.00000000055A1000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2239438491.0000000002874000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/Vh5j3k	explorer.exe, 00000018.00000003.2060166385.00000000067A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000003.2060001241.00000000067A1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000002.2878512791.00000000067A1000.00000004.00000020.00020000.00000000.sdmp	false		high
HTTP://WWW.NCSBE.GOVMICROSOFT	cfrv_4_0_setup_ALL.exe, 00000001.00000003.2239438491.0000000002833000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://crl.thawte.com/ThawteCodeSigningCA.crl0	cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000052DD000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000052F4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.000000000681A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/odirm	explorer.exe, 00000018.00000003.2060166385.00000000067A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000003.2060001241.00000000067A1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000002.2878512791.00000000067A1000.00000004.00000020.00020000.00000000.sdmp	false		high
HTTP://WWW.MYWEBSITE.COM/NEW	cfrv_4_0_setup_ALL.exe, 00000001.00000003.2239438491.0000000002874000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://repository.certum.pl/ctsca2021.cer0	cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002F85000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000060D3000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005D3E000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000031F1000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005FA2000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005348000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000054B4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748764589.0000000003400000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2064693512.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748704146.0000000003560000.00000004.00001000.00020000.00000000.sdmp	false		high
http://subca.ocsp-certum.com05	cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002F85000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000060D3000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005D3E000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000031F1000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005FA2000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005348000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000054B4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748764589.0000000003400000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2064693512.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748704146.0000000003560000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ncsbe.gov	cfrv_4_0_setup_ALL.exe, 00000001.00000003.2239438491.0000000002874000.00000004.00001000.00020000.00000000.sdmp	false		high
http://subca.ocsp-certum.com02	cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002F85000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000060D3000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005D3E000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000031F1000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005FA2000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005348000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000054B4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748764589.0000000003400000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2064693512.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748704146.0000000003560000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.seagatesoftware.com/xml/schema.xsdxsddtdw	cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000065AD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://subca.ocsp-certum.com01	cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002F85000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000060D3000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005D3E000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000031F1000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005FA2000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005348000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000054B4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748764589.0000000003400000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2064693512.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748704146.0000000003560000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sectigo.com/CPS0C	cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002F85000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000060D3000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005D3E000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000031F1000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005FA2000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005348000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000054B4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748764589.0000000003400000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2064693512.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748704146.0000000003560000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.installaware.com/buydirect.aspopen	cfrv_4_0_setup_ALL.exe, 00000001.00000000.1735223416.00000000007AE000.00000020.00000001.01000000.00000004.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1738862165.00000000FFC7D000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.certum.pl/ctnca2.crl0l	cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002F85000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000060D3000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005D3E000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000031F1000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005FA2000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005348000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000054B4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748764589.0000000003400000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2064693512.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748704146.0000000003560000.00000004.00001000.00020000.00000000.sdmp	false		high
http://repository.certum.pl/ctnca2.cer09	cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002F85000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000060D3000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005D3E000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000031F1000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005FA2000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005348000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000054B4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748764589.0000000003400000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2064693512.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748704146.0000000003560000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.installaware.com/InstallAware	cfrv_4_0_setup_ALL.exe, 00000001.00000003.1738862165.00000000FF8D0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ImgX.net/ImgX/purchase.asp	cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000006661000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawtePremiumServerCA.crl0	cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000052DD000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000052F4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.000000000681A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.certum.pl/CPS0	cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002F85000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000060D3000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000002E18000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005D3E000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000031F1000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005E70000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005FA2000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.0000000005348000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000000.00000003.1720906727.00000000054B4000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748764589.0000000003400000.00000004.00001000.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.2064693512.00000000055AA000.00000004.00000020.00020000.00000000.sdmp, cfrv_4_0_setup_ALL.exe, 00000001.00000003.1748704146.0000000003560000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	39.0.0 Ruby
Analysis ID:	1379637
Start date and time:	2024-01-23 16:42:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	cfrv_4_0_setup_ALL.exe
Detection:	MAL
Classification:	mal52.evad.winEXE@39/565@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 127 Number of non-executed functions: 122
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtSetValueKey calls found.
VT rate limit hit for: cfrv_4_0_setup_ALL.exe

Simulations

Behavior and APIs

Time	Type	Description
16:43:39	API Interceptor	1x Sleep call for process: explorer.exe modified
16:43:41	API Interceptor	24x Sleep call for process: cfrv_4_0_setup_ALL.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\ADVPACK.DLL	TextSpeaker.exe	Get hash	malicious	Unknown	Browse
	TextSpeaker.exe	Get hash	malicious	Unknown	Browse
	TextSpeaker.exe	Get hash	malicious	Unknown	Browse
	MXrpqIRV2z.exe	Get hash	malicious	Unknown	Browse
	MXrpqIRV2z.exe	Get hash	malicious	Unknown	Browse
	Bonzify.exe	Get hash	malicious	Unknown	Browse
C:\ProgramData\miaDC6F.tmp\data\Microsoft Visual Basic Virtual Machine 6.0 with Service Pack 6\mVB.dll\W95INF16.DLL	file.exe	Get hash	malicious	Unknown	Browse
	1diWXDlHzi.exe	Get hash	malicious	XWorm	Browse
	TextSpeaker.exe	Get hash	malicious	Unknown	Browse
	TextSpeaker.exe	Get hash	malicious	Unknown	Browse
	TextSpeaker.exe	Get hash	malicious	Unknown	Browse
	MXrpqIRV2z.exe	Get hash	malicious	Unknown	Browse
	MXrpqIRV2z.exe	Get hash	malicious	Unknown	Browse
	Bonzify.exe	Get hash	malicious	Unknown	Browse
	nusb320-Eng-98FE.exe	Get hash	malicious	Unknown	Browse

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	225941
Entropy (8bit):	5.035174661405164
Encrypted:	false
SSDEEP:	768:AbYJDHm0NZ/DVtVtVt1tVtVtVtVtVtVtVtVtVtVtVtVtVtVtVtVtVtltVtVtVtIp:gYocZ/DePXcx/qZa7FHa2Ufo2PoV+
MD5:	D66A1B83063EEEC50D7C02180C859B36
SHA1:	61B713E4D761BF0377B696877EE8FFE86491D01B
SHA-256:	8775ACE9D2E07DAC0DA8F4E74F7A556070D8FA58CBEDF0E2625A8597FD65C0F6
SHA-512:	C1F8278EB81E8689D8A9DABB6724F61F5DE993698BFFF0EE6840CCD6E89CF4D7CE8DADC8AF99B59E37877EFAC1C8464C74BCC7AD7075D26AEE59B5F2C672CEAE
Malicious:	false
Preview:	...@IXOS.@.....@n.7X.@.....@.....@.....@.....@.....@......&.{152D390A-DD7B-4E57-B3A5-14CADE7E1207}..CF Remote..cfrv_4_0_setup_ALL.msi.@.....@!....@.....@........\PROGRA~3\miaDC6F.tmp\&.{D529246B-78E5-4E65-A3A2-8E1040E91E59}.....@.....@.....@.....@.......@.....@.....@.......@......CF Remote......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{DBAF7F90-6797-4BCB-8426-E799FE0D75FA}&.{152D390A-DD7B-4E57-B3A5-14CADE7E1207}.@......&.{10B1E2F4-E12B-4D18-847D-3579632C4DA0}&.{152D390A-DD7B-4E57-B3A5-14CADE7E1207}.@......&.{70233733-63B7-4686-8B22-F467B98A5511}&.{152D390A-DD7B-4E57-B3A5-14CADE7E1207}.@......&.{100D9843-4837-4C77-9382-C4AB79C16EC6}&.{152D390A-DD7B-4E57-B3A5-14CADE7E1207}.@......&.{360CA8FA-B89D-40E5-8E5D-E0358F8448B5}&.{152D390A-DD7B-4E57-B3A5-14CADE7E1207}.@......&.{AAA707EE-74C6-4091-8DF1-A6063B1CAF22}&.{152D390A-DD7B-4E57-B3A5-14CADE7E1207}.@......&.{9C72C003-1DC2-41F4-AD0C-E99FEB6

Process:	C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5675007
Entropy (8bit):	6.48705961905541
Encrypted:	false
SSDEEP:	98304:2hG63qsl7dEhYCHnWzXzLbVI9AB5dECNhc6ZzH2oYK13icjqsNTUjJG:2Jah2zXzL5IWB5JhnHfFIG
MD5:	3B2D532673D1567116105D04C621CDBA
SHA1:	F0892A2DCF772529C115C15E6B1A510B4DC214E1
SHA-256:	FD6D2298B1B5DD14A9F02207FAA4D7D7DC5F5B399E71F2F4EC3680C2DBC6DF0E
SHA-512:	15ABF21DCF9ABF346DDFB6B35F75C607B4E6CF4518B629C39ADCA5E4690955D70C46C5A842F73FE7373FA6A7F7860DB514D3815DD04D1280DAD7A7D1A315B672
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...?..`.................z;..........e;.......;...@.......................... Y..................@............................?..Y... D.......................................................?.......................?......`?......................text.....:.......:................. ..`.itext.......;.......:............. ..`.data...(.....;......~;.............@....bss.....}....=......Z=..................idata...Y....?..Z...Z=.............@....didata......`?.......=.............@....tls.....A...p?.......=..................rdata........?.......=.............@..@.reloc...I....?.......=.............@..B.rsrc........ D.......=.............@..@.............pY......\W.............@..@........................................................

Entrypoint:	0x422c58
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x62E46D6B [Fri Jul 29 23:29:47 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	b48671fed9d5ca4906417d42fcdb066b

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3a5d8	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x45000	0x15748	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x35200	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x32000	0x284	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x302ed	0x30400	2038b7d87842b64c67b899ba5e78dc0d	False	0.5152303270725389	data	6.494109860999288	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x32000	0x93e8	0x9400	9065fae2bc62d08ab84e542ac170dd32	False	0.34588788006756754	data	4.655429443140589	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3c000	0x8400	0x2400	3b1c2c3bd274b21289a8012d58d091b2	False	0.2587890625	data	4.215578104820278	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x45000	0x15748	0x15800	b5e79db393609dd64cce69fe68a8673e	False	0.04630723110465116	data	3.441131579787985	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x45c54	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.46639784946236557
RT_ICON	0x45f3c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.6216216216216216
RT_DIALOG	0x46064	0x1d8	data			0.5720338983050848
RT_DIALOG	0x4623c	0x1be	data			0.5605381165919282
RT_DIALOG	0x463fc	0x54	data			0.7619047619047619
RT_STRING	0x46450	0x4a4	data	Arabic	Saudi Arabia	0.28703703703703703
RT_STRING	0x468f4	0x4a4	data	Catalan	Spain	0.28703703703703703
RT_STRING	0x46d98	0x4a4	data	Chinese	Taiwan	0.28703703703703703
RT_STRING	0x4723c	0x4a4	data	Czech	Czech Republic	0.28703703703703703
RT_STRING	0x476e0	0x4a4	data	Danish	Denmark	0.28703703703703703
RT_STRING	0x47b84	0x4a4	data	German	Germany	0.28703703703703703
RT_STRING	0x48028	0x4a4	data	Greek	Greece	0.28703703703703703
RT_STRING	0x484cc	0x4a4	data	English	United States	0.28703703703703703
RT_STRING	0x48970	0x4a4	data	Finnish	Finland	0.28703703703703703
RT_STRING	0x48e14	0x4a4	data	French	France	0.28703703703703703
RT_STRING	0x492b8	0x4a4	data	Hebrew	Israel	0.28703703703703703
RT_STRING	0x4975c	0x4a4	data	Hungarian	Hungary	0.28703703703703703
RT_STRING	0x49c00	0x4a4	data	Italian	Italy	0.28703703703703703
RT_STRING	0x4a0a4	0x4a4	data	Japanese	Japan	0.28703703703703703
RT_STRING	0x4a548	0x4a4	data	Korean	North Korea	0.28703703703703703
RT_STRING	0x4a548	0x4a4	data	Korean	South Korea	0.28703703703703703
RT_STRING	0x4a9ec	0x4a4	data	Dutch	Netherlands	0.28703703703703703
RT_STRING	0x4ae90	0x4a4	data	Norwegian	Norway	0.28703703703703703
RT_STRING	0x4b334	0x4a4	data	Polish	Poland	0.28703703703703703
RT_STRING	0x4b7d8	0x4a4	data	Portuguese	Brazil	0.28703703703703703
RT_STRING	0x4bc7c	0x4a4	data	Romanian	Romania	0.28703703703703703
RT_STRING	0x4c120	0x4a4	data	Russian	Russia	0.28703703703703703
RT_STRING	0x4c5c4	0x4a4	data	Croatian	Croatia	0.28703703703703703
RT_STRING	0x4ca68	0x4a4	data	Slovak	Slovakia	0.28703703703703703
RT_STRING	0x4cf0c	0x4a4	data	Swedish	Sweden	0.28703703703703703
RT_STRING	0x4d3b0	0x4a4	data	Thai	Thailand	0.28703703703703703
RT_STRING	0x4d854	0x4a4	data	Turkish	Turkey	0.28703703703703703
RT_STRING	0x4dcf8	0x4a4	data	Slovenian	Slovenia	0.28703703703703703
RT_STRING	0x4e19c	0x4a4	data	Estonian	Estonia	0.28703703703703703
RT_STRING	0x4e640	0x4a4	data	Latvian	Lativa	0.28703703703703703
RT_STRING	0x4eae4	0x4a4	data	Lithuanian	Lithuania	0.28703703703703703
RT_STRING	0x4ef88	0x4a4	data	Vietnamese	Vietnam	0.28703703703703703
RT_STRING	0x4f42c	0x4a4	data	Basque	France	0.28703703703703703
RT_STRING	0x4f42c	0x4a4	data	Basque	Spain	0.28703703703703703
RT_STRING	0x4f8d0	0x4a4	data	Chinese	China	0.28703703703703703
RT_STRING	0x4fd74	0x4a4	data	Portuguese	Portugal	0.28703703703703703
RT_STRING	0x50218	0x4a4	data			0.28703703703703703
RT_STRING	0x506bc	0x2f2	data	Arabic	Saudi Arabia	0.42572944297082227
RT_STRING	0x509b0	0x2f2	data	Catalan	Spain	0.42572944297082227
RT_STRING	0x50ca4	0x2f2	data	Chinese	Taiwan	0.42572944297082227
RT_STRING	0x50f98	0x2f2	data	Czech	Czech Republic	0.42572944297082227
RT_STRING	0x5128c	0x2f2	data	Danish	Denmark	0.42572944297082227
RT_STRING	0x51580	0x2f2	data	German	Germany	0.42572944297082227
RT_STRING	0x51874	0x2f2	data	Greek	Greece	0.42572944297082227
RT_STRING	0x51b68	0x2f2	data	English	United States	0.42572944297082227
RT_STRING	0x51e5c	0x2f2	data	Finnish	Finland	0.42572944297082227
RT_STRING	0x52150	0x2f2	data	French	France	0.42572944297082227
RT_STRING	0x52444	0x2f2	data	Hebrew	Israel	0.42572944297082227
RT_STRING	0x52738	0x2f2	data	Hungarian	Hungary	0.42572944297082227
RT_STRING	0x52a2c	0x2f2	data	Italian	Italy	0.42572944297082227
RT_STRING	0x52d20	0x2f2	data	Japanese	Japan	0.42572944297082227
RT_STRING	0x53014	0x2f2	data	Korean	North Korea	0.42572944297082227
RT_STRING	0x53014	0x2f2	data	Korean	South Korea	0.42572944297082227
RT_STRING	0x53308	0x2f2	data	Dutch	Netherlands	0.42572944297082227
RT_STRING	0x535fc	0x2f2	data	Norwegian	Norway	0.42572944297082227
RT_STRING	0x538f0	0x2f2	data	Polish	Poland	0.42572944297082227
RT_STRING	0x53be4	0x2f2	data	Portuguese	Brazil	0.42572944297082227
RT_STRING	0x53ed8	0x2f2	data	Romanian	Romania	0.42572944297082227
RT_STRING	0x541cc	0x2f2	data	Russian	Russia	0.42572944297082227
RT_STRING	0x544c0	0x2f2	data	Croatian	Croatia	0.42572944297082227
RT_STRING	0x547b4	0x2f2	data	Slovak	Slovakia	0.42572944297082227
RT_STRING	0x54aa8	0x2f2	data	Swedish	Sweden	0.42572944297082227
RT_STRING	0x54d9c	0x2f2	data	Thai	Thailand	0.42572944297082227
RT_STRING	0x55090	0x2f2	data	Turkish	Turkey	0.42572944297082227
RT_STRING	0x55384	0x2f2	data	Slovenian	Slovenia	0.42572944297082227
RT_STRING	0x55678	0x2f2	data	Estonian	Estonia	0.42572944297082227
RT_STRING	0x5596c	0x2f2	data	Latvian	Lativa	0.42572944297082227
RT_STRING	0x55c60	0x2f2	data	Lithuanian	Lithuania	0.42572944297082227
RT_STRING	0x55f54	0x2f2	data	Vietnamese	Vietnam	0.42572944297082227
RT_STRING	0x56248	0x2f2	data	Basque	France	0.42572944297082227
RT_STRING	0x56248	0x2f2	data	Basque	Spain	0.42572944297082227
RT_STRING	0x5653c	0x2f2	data	Chinese	China	0.42572944297082227
RT_STRING	0x56830	0x2f2	data	Portuguese	Portugal	0.42572944297082227
RT_STRING	0x56b24	0x2f2	data			0.42572944297082227
RT_STRING	0x56e18	0x106	data	Arabic	Saudi Arabia	0.5076335877862596
RT_STRING	0x56f20	0x106	data	Catalan	Spain	0.5076335877862596
RT_STRING	0x57028	0x106	data	Chinese	Taiwan	0.5076335877862596
RT_STRING	0x57130	0x106	data	Czech	Czech Republic	0.5076335877862596
RT_STRING	0x57238	0x106	data	Danish	Denmark	0.5076335877862596
RT_STRING	0x57340	0x106	data	German	Germany	0.5076335877862596
RT_STRING	0x57448	0x106	data	Greek	Greece	0.5076335877862596
RT_STRING	0x57550	0x106	data	English	United States	0.5076335877862596
RT_STRING	0x57658	0x106	data	Finnish	Finland	0.5076335877862596
RT_STRING	0x57760	0x106	data	French	France	0.5076335877862596
RT_STRING	0x57868	0x106	data	Hebrew	Israel	0.5076335877862596
RT_STRING	0x57970	0x106	data	Hungarian	Hungary	0.5076335877862596
RT_STRING	0x57a78	0x106	data	Italian	Italy	0.5076335877862596
RT_STRING	0x57b80	0x106	data	Japanese	Japan	0.5076335877862596
RT_STRING	0x57c88	0x106	data	Korean	North Korea	0.5076335877862596
RT_STRING	0x57c88	0x106	data	Korean	South Korea	0.5076335877862596
RT_STRING	0x57d90	0x106	data	Dutch	Netherlands	0.5076335877862596
RT_STRING	0x57e98	0x106	data	Norwegian	Norway	0.5076335877862596
RT_STRING	0x57fa0	0x106	data	Polish	Poland	0.5076335877862596
RT_STRING	0x580a8	0x106	data	Portuguese	Brazil	0.5076335877862596
RT_STRING	0x581b0	0x106	data	Romanian	Romania	0.5076335877862596
RT_STRING	0x582b8	0x106	data	Russian	Russia	0.5076335877862596
RT_STRING	0x583c0	0x106	data	Croatian	Croatia	0.5076335877862596
RT_STRING	0x584c8	0x106	data	Slovak	Slovakia	0.5076335877862596
RT_STRING	0x585d0	0x106	data	Swedish	Sweden	0.5076335877862596
RT_STRING	0x586d8	0x106	data	Thai	Thailand	0.5076335877862596
RT_STRING	0x587e0	0x106	data	Turkish	Turkey	0.5076335877862596
RT_STRING	0x588e8	0x106	data	Slovenian	Slovenia	0.5076335877862596
RT_STRING	0x589f0	0x106	data	Estonian	Estonia	0.5076335877862596
RT_STRING	0x58af8	0x106	data	Latvian	Lativa	0.5076335877862596
RT_STRING	0x58c00	0x106	data	Lithuanian	Lithuania	0.5076335877862596
RT_STRING	0x58d08	0x106	data	Vietnamese	Vietnam	0.5076335877862596
RT_STRING	0x58e10	0x106	data	Basque	France	0.5076335877862596
RT_STRING	0x58e10	0x106	data	Basque	Spain	0.5076335877862596
RT_STRING	0x58f18	0x106	data	Chinese	China	0.5076335877862596
RT_STRING	0x59020	0x106	data	Portuguese	Portugal	0.5076335877862596
RT_STRING	0x59128	0x106	data			0.5076335877862596
RT_GROUP_ICON	0x59230	0x22	data	English	United States	0.9705882352941176
RT_VERSION	0x59254	0x1084	data	English	United States	0.09649952696310313
RT_MANIFEST	0x5a2d8	0x470	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4507042253521127

DLL	Import
KERNEL32.dll	GetLastError, ResetEvent, CreateEventW, CloseHandle, MultiByteToWideChar, WideCharToMultiByte, FreeLibrary, LoadLibraryW, GetModuleFileNameW, FormatMessageW, LocalFree, GetWindowsDirectoryW, CreateFileW, SetFileTime, SetFileAttributesW, RemoveDirectoryW, CreateDirectoryW, GetFileInformationByHandle, DeleteFileW, GetShortPathNameW, GetFullPathNameW, lstrlenW, GetCurrentDirectoryW, GetTempFileNameW, FindClose, FindFirstFileW, FindNextFileW, GetFileSize, SetFilePointer, ReadFile, WriteFile, SetEndOfFile, DeleteCriticalSection, GetStdHandle, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, GetCurrentProcessId, InitializeCriticalSection, QueryPerformanceCounter, GetTickCount, Sleep, LocalAlloc, GetProcAddress, SetCurrentDirectoryW, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, SetThreadUILanguage, SetThreadLocale, GetVersion, GetCommandLineW, CreateProcessW, GetExitCodeProcess, FlushFileBuffers, CreateFileA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, LCMapStringW, LCMapStringA, GetStringTypeW, GetStringTypeA, GetConsoleMode, GetConsoleCP, GetLocaleInfoA, IsValidCodePage, GetOEMCP, RaiseException, GetACP, GetCPInfo, LoadLibraryA, RtlUnwind, InitializeCriticalSectionAndSpinCount, GetSystemTimeAsFileTime, WaitForSingleObject, SetEvent, GetVersionExW, VirtualAlloc, GetCurrentThreadId, VirtualFree, GetFileType, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, HeapSize, InterlockedDecrement, SetLastError, InterlockedIncrement, TlsFree, TlsSetValue, TlsAlloc, HeapFree, HeapAlloc, ExitThread, CreateThread, HeapReAlloc, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapCreate, GetModuleHandleW, ExitProcess, GetModuleFileNameA, TlsGetValue
USER32.dll	SetForegroundWindow, CharUpperW, GetWindowRect, DestroyWindow, RegisterWindowMessageW, AdjustWindowRect, LoadImageW, LoadIconW, KillTimer, SetTimer, EndDialog, IsDlgButtonChecked, SetDlgItemTextW, GetDlgItem, SetWindowTextW, GetWindowTextW, GetWindowTextLengthW, LoadStringW, DialogBoxParamW, CreateDialogParamW, SystemParametersInfoW, PeekMessageW, GetDesktopWindow, MessageBoxW, SendMessageW, GetWindowLongW, SetWindowLongW, ShowWindow, MoveWindow, PostMessageW
GDI32.dll	GetObjectW
ADVAPI32.dll	RegSetValueExW, RegCreateKeyExW, RegCloseKey
SHELL32.dll	SHGetFolderPathW, ShellExecuteExW
ole32.dll	CoInitializeEx, CoInitialize, CoCreateInstance
OLEAUT32.dll	SysAllocStringLen, SysFreeString, VariantClear, SysAllocString

Target ID:	0
Start time:	16:43:00
Start date:	23/01/2024
Path:	C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\cfrv_4_0_setup_ALL.exe
Imagebase:	0x400000
File size:	14'277'760 bytes
MD5 hash:	9197AEADF996DD8CD3885A205927671E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	1
Start time:	16:43:11
Start date:	23/01/2024
Path:	C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe
Wow64 process (32bit):	true
Commandline:	.\cfrv_4_0_setup_ALL.exe /m="C:\Users\user\Desktop\CFRV_4~1.EXE" /k=""
Imagebase:	0x400000
File size:	5'675'007 bytes
MD5 hash:	3B2D532673D1567116105D04C621CDBA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000001.00000000.1735223416.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\miaDC6F.tmp\cfrv_4_0_setup_ALL.exe, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Target ID:	3
Start time:	16:43:20
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\regsvr32.exe" "C:\Windows\SysWOW64\mscomctl.ocx" /s
Imagebase:	0x6a0000
File size:	20'992 bytes
MD5 hash:	878E47C8656E53AE8A8A21E927C6F7E0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	5
Start time:	16:43:21
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\regsvr32.exe" "C:\Windows\SysWOW64\COMCT332.OCX" /s
Imagebase:	0x6a0000
File size:	20'992 bytes
MD5 hash:	878E47C8656E53AE8A8A21E927C6F7E0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	moderate
Has exited:	true

Target ID:	8
Start time:	16:43:22
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\regsvr32.exe" "C:\Windows\NCSBOE\CF_CR_control.dll" /s
Imagebase:	0x800000
File size:	20'992 bytes
MD5 hash:	878E47C8656E53AE8A8A21E927C6F7E0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	moderate
Has exited:	true

Target ID:	11
Start time:	16:43:23
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\regsvr32.exe" "C:\Windows\NCSBOE\CF_File_Export.dll" /s
Imagebase:	0x6a0000
File size:	20'992 bytes
MD5 hash:	878E47C8656E53AE8A8A21E927C6F7E0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	moderate
Has exited:	true

Target ID:	13
Start time:	16:43:25
Start date:	23/01/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff602f30000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	17
Start time:	16:43:32
Start date:	23/01/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\SysWOW64\craxdrt.dll
Imagebase:	0x50000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	23
Start time:	16:43:36
Start date:	23/01/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\explorer.exe" /separate /root,::{21ec2020-3aea-1069-a2dd-08002b30309d}
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	24
Start time:	16:43:37
Start date:	23/01/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Execution Coverage:	12%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	12%
Total number of Nodes:	2000
Total number of Limit Nodes:	139

Execution Coverage:	8.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	32

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report cfrv_4_0_setup_ALL.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\4e3b0b.rbs

C:\Program Files (x86)\SBoE\Campaign Finance\CF Remote\CF_Remote.exe

C:\Program Files (x86)\SBoE\Campaign Finance\CF Remote\CF_Remote.exe.manifest

C:\Program Files (x86)\SBoE\Campaign Finance\CF Remote\Campaign Finance Remote.chm

C:\Program Files (x86)\SBoE\Campaign Finance\CF Remote\Reports\1998\1998_NC_Disclosure.rpt

C:\Program Files (x86)\SBoE\Campaign Finance\CF Remote\Reports\1998\Accounts.rpt

C:\Program Files (x86)\SBoE\Campaign Finance\CF Remote\Reports\1998\Contributions.rpt

C:\Program Files (x86)\SBoE\Campaign Finance\CF Remote\Reports\1998\Cover.rpt

C:\Program Files (x86)\SBoE\Campaign Finance\CF Remote\Reports\1998\Debts.rpt

C:\Program Files (x86)\SBoE\Campaign Finance\CF Remote\Reports\1998\Expenditures.rpt

C:\Program Files (x86)\SBoE\Campaign Finance\CF Remote\Reports\1998\LoanEndorsers.rpt

C:\Program Files (x86)\SBoE\Campaign Finance\CF Remote\Reports\1998\LoanProceeds.rpt

C:\Program Files (x86)\SBoE\Campaign Finance\CF Remote\Reports\1998\LoanRepayments.rpt

C:\Program Files (x86)\SBoE\Campaign Finance\CF Remote\Reports\1998\Summary.rpt

C:\Program Files (x86)\SBoE\Campaign Finance\CF Remote\Reports\2002\2003_Disclosure.rpt

C:\Program Files (x86)\SBoE\Campaign Finance\CF Remote\Reports\2002\2003_Electioneering_Report.rpt

C:\Program Files (x86)\SBoE\Campaign Finance\CF Remote\Reports\2002\2003_FED_Disclosure.rpt

C:\Program Files (x86)\SBoE\Campaign Finance\CF Remote\Reports\2002\2003_FED_Org_Statement.rpt

C:\Program Files (x86)\SBoE\Campaign Finance\CF Remote\Reports\2002\2003_Judicial_Qualify_Report.rpt

Windows Analysis Report
cfrv_4_0_setup_ALL.exe

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre