Edit tour

Windows Analysis Report
074kFuPFv8.exe

Overview

General Information

Sample name:	074kFuPFv8.exe renamed because original name is a hash value
Original sample name:	9c1129a7ffa519f670ca67fdec455f2b39a54b00745d06012cccef6e4b5f2ce1.exe
Analysis ID:	1545581
MD5:	fc5134ba4711406149556e32d47773aa
SHA1:	24e23d1ce7273410b778a36aaa8191c3abeedf3e
SHA256:	9c1129a7ffa519f670ca67fdec455f2b39a54b00745d06012cccef6e4b5f2ce1
Tags:	exeuser-MaxMax66
Infos:

Detection

Score:	40
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	32
Range:	0 - 100

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Contains functionality to detect sleep reduction / modifications

Creates files in the recycle bin to hide itself

Installs Task Scheduler Managed Wrapper

Machine Learning detection for dropped file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Tries to delay execution (extensive OutputDebugStringW loop)

Abnormal high CPU Usage

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect virtual machines (SLDT)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to query locales information (e.g. system language)

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

EXE planting / hijacking vulnerabilities found

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Stores large binary data to the registry

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

074kFuPFv8.exe (PID: 7648 cmdline: "C:\Users\user\Desktop\074kFuPFv8.exe" MD5: FC5134BA4711406149556E32D47773AA)

msiexec.exe (PID: 7720 cmdline: "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\CPUGuardian.msi" /qn AI_SETUPEXEPATH=C:\Users\user\Desktop\074kFuPFv8.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs " MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 7752 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7840 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 6861D10B1BBFC1725672A78A114343A0 MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 7964 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 51546B5E421AAA8415620B734ACBBF40 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)

cmd.exe (PID: 8000 cmdline: /C "C:\Users\user\AppData\Local\Temp\{C7F8B9FC-A653-4074-A59A-3A17D9B805FE}.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8048 cmdline: /C "C:\Users\user\AppData\Local\Temp\{C7F8B9FC-A653-4074-A59A-3A17D9B805FE}.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

CPUGuardian.exe (PID: 7352 cmdline: "C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe" true MD5: E6401E23BAC056176D4A2497DA0F9767)

InstAct.exe (PID: 7344 cmdline: "C:\Program Files (x86)\CPU Guardian\InstAct.exe" install 1 0 MD5: B0586EE5DB1B3B171D28F48AF4B5F4CD)

InstAct.exe (PID: 2088 cmdline: "C:\Program Files (x86)\CPU Guardian\InstAct.exe" installurl MD5: B0586EE5DB1B3B171D28F48AF4B5F4CD)

CPUGuardian.exe (PID: 8032 cmdline: "C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe" true MD5: E6401E23BAC056176D4A2497DA0F9767)

cleanup

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-30T17:36:14.787474+0100	2803305	3	Unknown Traffic	192.168.2.4	49744	52.216.184.133	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	ReversingLabs: Detection: 33%
Source: C:\Program Files (x86)\CPU Guardian\Splash.exe	ReversingLabs: Detection: 29%
Source: C:\Program Files (x86)\CPU Guardian\updater.exe	ReversingLabs: Detection: 27%
Source: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\CPUGuardian.exe	ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Splash.exe	ReversingLabs: Detection: 29%

Multi AV Scanner detection for submitted file

Source: 074kFuPFv8.exe

ReversingLabs: Detection: 39%

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe

Joe Sandbox ML: detected

Privilege Escalation

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\Desktop\074kFuPFv8.exe	EXE: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\InstAct.exe	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	EXE: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\updater.exe	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	EXE: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\CPUGuardian.exe	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	EXE: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Splash.exe	Jump to behavior

Compliance

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\Desktop\074kFuPFv8.exe	EXE: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\InstAct.exe	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	EXE: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\updater.exe	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	EXE: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\CPUGuardian.exe	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	EXE: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Splash.exe	Jump to behavior

Uses 32bit PE files

Source: 074kFuPFv8.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

PE / OLE file has a valid certificate

Source: 074kFuPFv8.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: 074kFuPFv8.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: d:\BitBucketGit\CPU Guardian\bo\obj\Release\bo.pdbD7^7 P7_CorDllMainmscoree.dll source: 074kFuPFv8.exe, 00000000.00000003.1712561481.000000000544E000.00000004.00000020.00020000.00000000.sdmp, CPUGuardian.exe, 0000000A.00000002.4166623593.0000000008482000.00000002.00000001.01000000.00000013.sdmp, bo.dll.0.dr
Source:	Binary string: d:\BitBucketGit\CPU Guardian\RegCleaner\obj\Release\CPUGuardian.pdb source: 074kFuPFv8.exe, 00000000.00000003.1712561481.000000000544E000.00000004.00000020.00020000.00000000.sdmp, CPUGuardian.exe, 0000000A.00000000.1737687137.0000000000272000.00000002.00000001.01000000.00000006.sdmp, CPUGuardian.exe.2.dr
Source:	Binary string: C:\src\wix39r2\build\ship\x86\SfxCA.pdb source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005ECF000.00000004.00000020.00020000.00000000.sdmp, Uninst000.CA.dll.2.dr, Uninst000.CA.dll.0.dr
Source:	Binary string: d:\BitBucketGit\CPU Guardian\Setup\obj\Release\Setup.pdb source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005E72000.00000004.00000020.00020000.00000000.sdmp, CPUGuardian.exe, 0000000D.00000002.1794851263.0000000006022000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: $^q:C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbd source: CPUGuardian.exe, 0000000A.00000002.4154911978.0000000002B66000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: <filename>C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb</filename> source: fileerrors_data.10.dr
Source:	Binary string: ntkrnlmp.pdb source: CPUGuardian.exe, 0000000A.00000002.4154911978.0000000002B66000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\BitBucketGit\CPU Guardian\CustomActions\CustomAction1\obj\x86\Release\Uninst000.pdb source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005ED7000.00000004.00000020.00020000.00000000.sdmp, Uninst000.dll.0.dr, Uninst000.dll.2.dr
Source:	Binary string: $^qgC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CPUGuardian.exe, 0000000A.00000002.4154911978.0000000002B66000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\BitBucketGit\CPU Guardian\bo\obj\Release\bo.pdb source: 074kFuPFv8.exe, 00000000.00000003.1712561481.000000000544E000.00000004.00000020.00020000.00000000.sdmp, CPUGuardian.exe, CPUGuardian.exe, 0000000A.00000002.4166623593.0000000008482000.00000002.00000001.01000000.00000013.sdmp, bo.dll.0.dr
Source:	Binary string: E:\Point\win\Release\stubs\x86\ExternalUi.pdbL source: 074kFuPFv8.exe
Source:	Binary string: AcroExch.PDBookmark.1 source: CPUGuardian.exe, 0000000A.00000002.4154911978.0000000002B66000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: <filename>C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error</filename> source: fileerrors_data.10.dr
Source:	Binary string: winload_prod.pdb source: CPUGuardian.exe, 0000000A.00000002.4154911978.0000000002B66000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: E:\Point\win\Release\stubs\x86\Updater.pdb source: 074kFuPFv8.exe, 00000000.00000003.1712561481.000000000544E000.00000004.00000020.00020000.00000000.sdmp, updater.exe.2.dr
Source:	Binary string: d:\BitBucketGit\CPU Guardian\RegCleaner\obj\Release\CPUGuardian.pdb\| source: 074kFuPFv8.exe, 00000000.00000003.1712561481.000000000544E000.00000004.00000020.00020000.00000000.sdmp, CPUGuardian.exe, 0000000A.00000000.1737687137.0000000000272000.00000002.00000001.01000000.00000006.sdmp, CPUGuardian.exe.2.dr
Source:	Binary string: d:\ComponentFactory\Build Krypton\Source\Krypton Components\ComponentFactory.Krypton.Toolkit\obj\Release\ComponentFactory.Krypton.Toolkit.pdb source: 074kFuPFv8.exe, 00000000.00000003.1712561481.000000000544E000.00000004.00000020.00020000.00000000.sdmp, CPUGuardian.exe, 0000000D.00000002.1795714523.0000000006B42000.00000002.00000001.01000000.0000000D.sdmp, ComponentFactory.Krypton.Toolkit.dll.2.dr
Source:	Binary string: d:\BitBucketGit\CPU Guardian\Setup\obj\Release\Setup.pdbL8n8 `8_CorDllMainmscoree.dll source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005E72000.00000004.00000020.00020000.00000000.sdmp, CPUGuardian.exe, 0000000D.00000002.1794851263.0000000006022000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: E:\Point\win\Release\custact\x86\AICustAct.pdb source: 074kFuPFv8.exe, 00000000.00000003.1678986166.0000000003E8D000.00000004.00000020.00020000.00000000.sdmp, MSI601F.tmp.2.dr, MSI5FAF.tmp.2.dr, CPUGuardian.msi.0.dr, 5d5e38.msi.2.dr
Source:	Binary string: E:\Point\win\Release\custact\x86\ResourceCleaner.pdb source: 074kFuPFv8.exe, 00000000.00000003.1678986166.0000000003EFA000.00000004.00000020.00020000.00000000.sdmp, MSI608E.tmp.2.dr, CPUGuardian.msi.0.dr, 5d5e38.msi.2.dr, MSI63DD.tmp.2.dr
Source:	Binary string: $^qeC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CPUGuardian.exe, 0000000A.00000002.4154911978.0000000002B66000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\Visual Studio 2010\Projects\TaskService\obj\Release\Microsoft.Win32.TaskScheduler.pdb source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005E72000.00000004.00000020.00020000.00000000.sdmp, CPUGuardian.exe, CPUGuardian.exe, 0000000A.00000002.4177985426.0000000009FC2000.00000002.00000001.01000000.00000014.sdmp, Microsoft.Win32.TaskScheduler.dll.2.dr
Source:	Binary string: d:\BitBucketGit\CPU Guardian\Logging\obj\Release\Logging.pdb source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005E43000.00000004.00000020.00020000.00000000.sdmp, CPUGuardian.exe, 0000000D.00000002.1793712666.0000000003422000.00000002.00000001.01000000.0000000A.sdmp, Logging.dll.0.dr
Source:	Binary string: $^qmC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CPUGuardian.exe, 0000000A.00000002.4154911978.0000000002B66000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\BitBucketGit\CPU Guardian\InstallerActions\obj\x86\Release\InstAct.pdb source: 074kFuPFv8.exe, 00000000.00000003.1712561481.000000000544E000.00000004.00000020.00020000.00000000.sdmp, InstAct.exe, 0000000B.00000000.1739518695.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: $^qXC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831d source: CPUGuardian.exe, 0000000A.00000002.4154911978.0000000002B66000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\Visual Studio 2010\Projects\TaskService\obj\Release\Microsoft.Win32.TaskScheduler.pdbt source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005E72000.00000004.00000020.00020000.00000000.sdmp, CPUGuardian.exe, 0000000A.00000002.4177985426.0000000009FC2000.00000002.00000001.01000000.00000014.sdmp, Microsoft.Win32.TaskScheduler.dll.2.dr
Source:	Binary string: c:\src\wix39r2\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005E43000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.0.dr, Microsoft.Deployment.WindowsInstaller.dll.2.dr
Source:	Binary string: F.pdb source: 074kFuPFv8.exe, 00000000.00000003.1712561481.000000000544E000.00000004.00000020.00020000.00000000.sdmp, CPUGuardian.exe, 0000000A.00000000.1737687137.0000000000272000.00000002.00000001.01000000.00000006.sdmp, CPUGuardian.exe.2.dr
Source:	Binary string: $^q\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2d source: CPUGuardian.exe, 0000000A.00000002.4154911978.0000000002B66000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: $^qkC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CPUGuardian.exe, 0000000A.00000002.4154911978.0000000002B66000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: E:\Point\win\Release\custact\x86\ShortcutFlags.pdb source: 074kFuPFv8.exe, 00000000.00000003.1678986166.0000000003E8D000.00000004.00000020.00020000.00000000.sdmp, CPUGuardian.msi.0.dr, 5d5e38.msi.2.dr
Source:	Binary string: d:\BitBucketGit\CPU Guardian\Splash\obj\x86\Release\Splash.pdb source: 074kFuPFv8.exe, 00000000.00000003.1712561481.000000000544E000.00000004.00000020.00020000.00000000.sdmp, Splash.exe.0.dr, Splash.exe.2.dr
Source:	Binary string: <filename>C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error</filename> source: fileerrors_data.10.dr
Source:	Binary string: AcroExch.PDBookmark source: CPUGuardian.exe, 0000000A.00000002.4154911978.0000000002B66000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: E:\Point\win\Release\stubs\x86\ExternalUi.pdb source: 074kFuPFv8.exe
Source:	Binary string: $^q6C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdbd source: CPUGuardian.exe, 0000000A.00000002.4154911978.0000000002B66000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: <filename>C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb</filename> source: fileerrors_data.10.dr

Spreading

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002ACFAA FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindClose,FindClose,	0_2_002ACFAA
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002A9090 __recalloc,_memset,FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	0_2_002A9090
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002AD1CC FindFirstFileW,FindClose,FindClose,	0_2_002AD1CC
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_00299410 FindFirstFileW,FindClose,FindClose,	0_2_00299410
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002A9A11 _memset,FindFirstFileW,FindClose,	0_2_002A9A11
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_00298750 _memset,FindFirstFileW,FindClose,FindFirstFileW,FindClose,FindClose,FindClose,FindClose,FindClose,	0_2_00298750
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002B886D FindFirstFileW,FindClose,FindClose,	0_2_002B886D
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_00298A30 _wcslen,_memset,FindFirstFileW,FindClose,FindNextFileW,_memcpy_s,_wcslen,FindNextFileW,RemoveDirectoryW,_wcslen,FindNextFileW,DeleteFileW,	0_2_00298A30
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002BD9FD FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindNextFileW,FindClose,	0_2_002BD9FD
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_0029E320 FindClose,FindResourceW,_wcslen,_memcpy_s,FindFirstFileW,_wcslen,GetFullPathNameW,GetFullPathNameW,GetFullPathNameW,_wcsnlen,FindClose,SetLastError,_wcsrchr,_wcsrchr,_wcsnlen,	0_2_0029E320
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002AB89C FindFirstFileW,FindClose,FindClose,	0_2_002AB89C
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002A7A7F FindFirstFileW,FindClose,	0_2_002A7A7F
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002C7D7A GetWindowsDirectoryW,lstrcmpW,lstrlenW,FindFirstFileW,lstrlenW,DeleteFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_002C7D7A

Source: C:\Users\user\Desktop\074kFuPFv8.exe

Code function: 0_2_00298E90 _wcsrchr,RemoveDirectoryW,GetLogicalDriveStringsW,GetDriveTypeW,FindResourceW,_wcslen,_memcpy_s,_wcslen,__recalloc,

0_2_00298E90

Networking

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: POST /callback/bo.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: label.shieldapps.bizContent-Length: 309Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /callback/bo.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: label.shieldapps.bizContent-Length: 453Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /callback/bo.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: label.shieldapps.bizContent-Length: 58Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /guardian-cdn/tip.jpg HTTP/1.1Host: s3.amazonaws.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /guardian-cdn/tip2.jpg HTTP/1.1Host: s3.amazonaws.com
Source: global traffic	HTTP traffic detected: POST /callback/bo.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: label.shieldapps.bizContent-Length: 29Expect: 100-continueConnection: Keep-Alive

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49744 -> 52.216.184.133:80

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /guardian-cdn/tip.jpg HTTP/1.1Host: s3.amazonaws.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /guardian-cdn/tip2.jpg HTTP/1.1Host: s3.amazonaws.com

Source: 074kFuPFv8.exe, 00000000.00000003.1678986166.0000000003E8D000.00000004.00000020.00020000.00000000.sdmp, MSI601F.tmp.2.dr, MSI5FAF.tmp.2.dr, CPUGuardian.msi.0.dr, 5d5e38.msi.2.dr	String found in binary or memory: INSERT INTO `` (`Property`, `Order`, `Value`, `Text`) VALUES (?,?,?,?) TEMPORARYComboBoxListBoxSELECT * FROM `%s` WHERE `Property`='%s' AND `Value`='%s'SELECT * FROM `%s` WHERE `Property`='%s'DELETE FROM `%s` WHERE `Property`='%s'RichEdit20W[1]SELECT `Message` FROM `Error` WHERE `Error` = %sSELECT `Text` FROM `UIText` WHERE `Key` = '%s'tmptmpALLUSERS = 1';WS_EX_LAYOUTRTLWS_EX_NOINHERITLAYOUTWS_EX_NOACTIVATEWS_EX_LAYEREDWS_EX_RIGHTWS_EX_RIGHTSCROLLBARWS_EX_WINDOWEDGEWS_EX_TRANSPARENTWS_EX_TOPMOSTWS_EX_TOOLWINDOWWS_EX_STATICEDGEWS_EX_RTLREADINGWS_EX_PALETTEWINDOWWS_EX_OVERLAPPEDWINDOWWS_EX_NOPARENTNOTIFYWS_EX_MDICHILDWS_EX_LTRREADINGWS_EX_LEFTSCROLLBARWS_EX_LEFTWS_EX_DLGMODALFRAMEWS_EX_CONTROLPARENTWS_EX_CONTEXTHELPWS_EX_CLIENTEDGEWS_EX_APPWINDOWWS_EX_ACCEPTFILESWS_TILEDWS_TILEDWINDOWWS_POPUPWS_POPUPWINDOWWS_OVERLAPPEDWS_OVERLAPPEDWINDOWWS_MINIMIZEWS_MINIMIZEBOXWS_MAXIMIZEWS_MAXIMIZEBOXWS_VSCROLLWS_VISIBLEWS_THICKFRAMEWS_TABSTOPWS_SYSMENUWS_SIZEBOXWS_ICONICWS_HSCROLLWS_GROUPWS_DLGFRAMEWS_DISABLEDWS_CLIPSIBLINGSWS_CLIPCHILDRENWS_CHILDWINDOWWS_CHILDWS_CAPTIONWS_BORDERWS_EXAI_TRIAL_MESSAGE_BODYAI_MSM_TRIAL_MESSAGE_BODYAI_APP_FILEAI_README_FILEAI_APP_ARGSGetProcessIdKernel32.dllMsiLogFileLocationrunasRunAsAdminFileRunAsAdminCmdRunAsAdminWorkingDir[AdminToolsFolder][TemplateFolder][StartupFolder][DesktopFolder][ProgramMenuFolder][WindowsVolume][SystemFolder][LocalAppDataFolder][WindowsFolder][AI_ProgramFiles][CommonFiles64Folder][LocalAppDataFolder]Programs\Common\[CommonFilesFolder][ProgramFiles64Folder][LocalAppDataFolder]Programs\[ProgramFilesFolder]MIGRATEFindRelatedProductsMigrateFeatureStatesAI_SETMIXINSTLOCATIONAPPDIRAI_RESTORE_LOCATIONSELECT `ActionProperty` FROM `Upgrade`SELECT `Action`,`Target` FROM `CustomAction`SET_APPDIRSET_SHORTCUTDIRSHORTCUTDIRAI_InstallPerUser = "0"ALLUSERS = "2"MSIINSTALLPERUSER = "1"1ALLUSERSVersionMsi >= "5.0"2AI_InstallPerUser = "1"MSIINSTALLPERUSERMSINEWINSTANCEProductLanguageAI_INTANCE_LOCATIONAI_UPGRADENoOLDPRODUCTSLanguageVersionStringInstallLocationAI_REPLACE_PRODUCTSAI_Replaced_Versions_ListAI_Upgrade_Replace_Question_YesBackUp_AI_Upgrade_Question_YesAI_Upgrade_Question_YesAI_Upgrade_Replace_Question_NoBackUp_AI_Upgrade_Question_NoAI_Upgrade_Question_NoYeslcSELECT `Data` FROM `Binary` WHERE `Name`='AI_DETECTVM_BINARY_IDAI_INSIDEVM2DELETE FROM `Shortcut` WHERE `Shortcut`.`Directory_`='%s'DELETE FROM `IniFile` WHERE `IniFile`.`Section`='InternetShortcut' AND`IniFile`.`DirProperty`='%s'SELECT * FROM `%s`ShortcutIniFileAI_DESKTOP_SH0\|AI_STARTMENU_SHAI_QUICKLAUNCH_SHAI_STARTUP_SHAI_SHORTCUTSREGNot InstalledDesktopFolderQuickLaunch_DirStartupFolderProgramMenuFolderProgramMenuFolderProductName..AI_SH_DIRAI_PRINT_RTFSELECT `Text` FROM `Control` WHERE `Control`.`Dialog_`='%s' AND `Control`.`Control`='%s'.rtfprinthttp://www.example.comhttp://www.yahoo.comhttp://www.google.comAI_INET_CON_SUCCESSAI_INTERNET_CONNECTIONAI_INET_CON_FAILED -user -machine -quiet -addgroup All_CodeMy_Computer_Zone -url "*" Nothing -name
Source: 074kFuPFv8.exe, 00000000.00000000.1671511549.0000000000331000.00000002.00000001.01000000.00000003.sdmp, 074kFuPFv8.exe, 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: [+.partHEADhttp://www.google.comhttp://www.yahoo.comhttp://www.example.comtin9999.tmpAdvancedInstallerGETwininet.dllFTP Server/HTTP/1.0Range: bytes=%u- equals www.yahoo.com (Yahoo)
Source: 074kFuPFv8.exe	String found in binary or memory: [H.partHEADhttp://www.google.comhttp://www.yahoo.comhttp://www.example.comtin9999.tmpAdvancedInstallerGETwininet.dllFTP Server/HTTP/1.0Range: bytes=%u- equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: label.shieldapps.biz
Source: global traffic	DNS traffic detected: DNS query: s3.amazonaws.com

Source: unknown

HTTP traffic detected: POST /callback/bo.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: label.shieldapps.bizContent-Length: 309Expect: 100-continueConnection: Keep-Alive

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundx-amz-request-id: NH12YT2K0FJB4JNSx-amz-id-2: 9tEegas5ryN5neUcZxprdjrtqVjnSTYYAo0EcWe0XChiINV7UvBJOQXCK07MbSLvOEQowGdMwBg=Content-Type: application/xmlTransfer-Encoding: chunkedDate: Wed, 30 Oct 2024 16:36:14 GMTServer: AmazonS3Data Raw: 31 32 65 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 3c 4d 65 73 73 61 67 65 3e 54 68 65 20 73 70 65 63 69 66 69 65 64 20 62 75 63 6b 65 74 20 64 6f 65 73 20 6e 6f 74 20 65 78 69 73 74 3c 2f 4d 65 73 73 61 67 65 3e 3c 42 75 63 6b 65 74 4e 61 6d 65 3e 67 75 61 72 64 69 61 6e 2d 63 64 6e 3c 2f 42 75 63 6b 65 74 4e 61 6d 65 3e 3c 52 65 71 75 65 73 74 49 64 3e 4e 48 31 32 59 54 32 4b 30 46 4a 42 34 4a 4e 53 3c 2f 52 65 71 75 65 73 74 49 64 3e 3c 48 6f 73 74 49 64 3e 39 74 45 65 67 61 73 35 72 79 4e 35 6e 65 55 63 5a 78 70 72 64 6a 72 74 71 56 6a 6e 53 54 59 59 41 6f 30 45 63 57 65 30 58 43 68 69 49 4e 56 37 55 76 42 4a 4f 51 58 43 4b 30 37 4d 62 53 4c 76 4f 45 51 6f 77 47 64 4d 77 42 67 3d 3c 2f 48 6f 73 74 49 64 3e 3c 2f 45 72 72 6f 72 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 12e<?xml version="1.0" encoding="UTF-8"?><Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message><BucketName>guardian-cdn</BucketName><RequestId>NH12YT2K0FJB4JNS</RequestId><HostId>9tEegas5ryN5neUcZxprdjrtqVjnSTYYAo0EcWe0XChiINV7UvBJOQXCK07MbSLvOEQowGdMwBg=</HostId></Error>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundx-amz-request-id: NH1D185GCN6C5GWCx-amz-id-2: F38DHJNfP00qdRYtSArS6Gw43PBctKx80kqfDY7dOLp7Gn64hVIn7vCUq+NPVwH6UruOfW0DUmY=Content-Type: application/xmlTransfer-Encoding: chunkedDate: Wed, 30 Oct 2024 16:36:14 GMTServer: AmazonS3Data Raw: 31 32 65 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 3c 4d 65 73 73 61 67 65 3e 54 68 65 20 73 70 65 63 69 66 69 65 64 20 62 75 63 6b 65 74 20 64 6f 65 73 20 6e 6f 74 20 65 78 69 73 74 3c 2f 4d 65 73 73 61 67 65 3e 3c 42 75 63 6b 65 74 4e 61 6d 65 3e 67 75 61 72 64 69 61 6e 2d 63 64 6e 3c 2f 42 75 63 6b 65 74 4e 61 6d 65 3e 3c 52 65 71 75 65 73 74 49 64 3e 4e 48 31 44 31 38 35 47 43 4e 36 43 35 47 57 43 3c 2f 52 65 71 75 65 73 74 49 64 3e 3c 48 6f 73 74 49 64 3e 46 33 38 44 48 4a 4e 66 50 30 30 71 64 52 59 74 53 41 72 53 36 47 77 34 33 50 42 63 74 4b 78 38 30 6b 71 66 44 59 37 64 4f 4c 70 37 47 6e 36 34 68 56 49 6e 37 76 43 55 71 2b 4e 50 56 77 48 36 55 72 75 4f 66 57 30 44 55 6d 59 3d 3c 2f 48 6f 73 74 49 64 3e 3c 2f 45 72 72 6f 72 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 12e<?xml version="1.0" encoding="UTF-8"?><Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message><BucketName>guardian-cdn</BucketName><RequestId>NH1D185GCN6C5GWC</RequestId><HostId>F38DHJNfP00qdRYtSArS6Gw43PBctKx80kqfDY7dOLp7Gn64hVIn7vCUq+NPVwH6UruOfW0DUmY=</HostId></Error>0

Source: 074kFuPFv8.exe, MSI608E.tmp.2.dr, MSI601F.tmp.2.dr, MSI5FAF.tmp.2.dr, CPUGuardian.msi.0.dr, 5d5e38.msi.2.dr, MSI63DD.tmp.2.dr, decoder.dll.0.dr, MSI5FFE.tmp.2.dr	String found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
Source: 074kFuPFv8.exe, Splash.exe.0.dr, updater.exe.2.dr, CPUGuardian.msi.0.dr, 5d5e38.msi.2.dr, CPUGuardian.exe.2.dr, Splash.exe.2.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: 074kFuPFv8.exe, MSI608E.tmp.2.dr, MSI601F.tmp.2.dr, MSI5FAF.tmp.2.dr, CPUGuardian.msi.0.dr, 5d5e38.msi.2.dr, MSI63DD.tmp.2.dr, decoder.dll.0.dr, MSI5FFE.tmp.2.dr	String found in binary or memory: http://cs-g2-crl.thawte.com/ThawteCSG2.crl0
Source: InstAct.exe, 0000000B.00000002.2403620172.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, InstAct.exe, 0000000B.00000002.2403620172.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp, InstAct.exe, 00000013.00000002.2418595283.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, InstAct.exe, 00000013.00000002.2418595283.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://label.shieldapps.biz
Source: InstAct.exe, 00000013.00000002.2418595283.0000000002E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://label.shieldapps.biz/callback/bo.php
Source: 074kFuPFv8.exe, Splash.exe.0.dr, MSI608E.tmp.2.dr, MSI601F.tmp.2.dr, MSI5FAF.tmp.2.dr, updater.exe.2.dr, CPUGuardian.msi.0.dr, 5d5e38.msi.2.dr, MSI63DD.tmp.2.dr, CPUGuardian.exe.2.dr, decoder.dll.0.dr, Splash.exe.2.dr, MSI5FFE.tmp.2.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: 074kFuPFv8.exe, Splash.exe.0.dr, updater.exe.2.dr, CPUGuardian.msi.0.dr, 5d5e38.msi.2.dr, CPUGuardian.exe.2.dr, Splash.exe.2.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: 074kFuPFv8.exe, Splash.exe.0.dr, updater.exe.2.dr, CPUGuardian.msi.0.dr, 5d5e38.msi.2.dr, CPUGuardian.exe.2.dr, Splash.exe.2.dr	String found in binary or memory: http://s2.symcb.com0
Source: CPUGuardian.exe, 0000000A.00000002.4154911978.0000000002B66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s3.amazonaws.com/guardian-cdn/tip.jpg
Source: CPUGuardian.exe, 0000000A.00000002.4154911978.0000000002B66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s3.amazonaws.com/guardian-cdn/tip2.jpg
Source: CPUGuardian.exe, 0000000A.00000002.4154911978.0000000002B66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: CPUGuardian.exe, 0000000A.00000002.4154911978.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, InstAct.exe, 0000000B.00000002.2403620172.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp, InstAct.exe, 00000013.00000002.2418595283.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: updater.ini.2.dr	String found in binary or memory: http://setup.shieldapps.biz/registry/cpuguardian/s/updates.txt
Source: 074kFuPFv8.exe, Splash.exe.0.dr, updater.exe.2.dr, CPUGuardian.msi.0.dr, 5d5e38.msi.2.dr, CPUGuardian.exe.2.dr, Splash.exe.2.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: 074kFuPFv8.exe, Splash.exe.0.dr, updater.exe.2.dr, CPUGuardian.msi.0.dr, 5d5e38.msi.2.dr, CPUGuardian.exe.2.dr, Splash.exe.2.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: 074kFuPFv8.exe, Splash.exe.0.dr, updater.exe.2.dr, CPUGuardian.msi.0.dr, 5d5e38.msi.2.dr, CPUGuardian.exe.2.dr, Splash.exe.2.dr	String found in binary or memory: http://sv.symcd.com0&
Source: 074kFuPFv8.exe, Splash.exe.0.dr, updater.exe.2.dr, CPUGuardian.msi.0.dr, 5d5e38.msi.2.dr, CPUGuardian.exe.2.dr, Splash.exe.2.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: 074kFuPFv8.exe, Splash.exe.0.dr, updater.exe.2.dr, CPUGuardian.msi.0.dr, 5d5e38.msi.2.dr, CPUGuardian.exe.2.dr, Splash.exe.2.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: 074kFuPFv8.exe, Splash.exe.0.dr, updater.exe.2.dr, CPUGuardian.msi.0.dr, 5d5e38.msi.2.dr, CPUGuardian.exe.2.dr, Splash.exe.2.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005E43000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.0.dr, Microsoft.Deployment.WindowsInstaller.dll.2.dr	String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005E43000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.0.dr, Microsoft.Deployment.WindowsInstaller.dll.2.dr	String found in binary or memory: http://wixtoolset.org/news/
Source: 074kFuPFv8.exe, MSI608E.tmp.2.dr, MSI601F.tmp.2.dr, MSI5FAF.tmp.2.dr, CPUGuardian.msi.0.dr, 5d5e38.msi.2.dr, MSI63DD.tmp.2.dr, decoder.dll.0.dr, MSI5FFE.tmp.2.dr	String found in binary or memory: http://www.advancedinstaller.com0
Source: CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: 074kFuPFv8.exe, Splash.exe.0.dr, updater.exe.2.dr, CPUGuardian.msi.0.dr, 5d5e38.msi.2.dr, CPUGuardian.exe.2.dr, Splash.exe.2.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: 074kFuPFv8.exe, Splash.exe.0.dr, updater.exe.2.dr, CPUGuardian.msi.0.dr, 5d5e38.msi.2.dr, CPUGuardian.exe.2.dr, Splash.exe.2.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: 074kFuPFv8.exe, Splash.exe.0.dr, updater.exe.2.dr, CPUGuardian.msi.0.dr, 5d5e38.msi.2.dr, CPUGuardian.exe.2.dr, Splash.exe.2.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: 074kFuPFv8.exe, Splash.exe.0.dr, updater.exe.2.dr, CPUGuardian.msi.0.dr, 5d5e38.msi.2.dr, CPUGuardian.exe.2.dr, Splash.exe.2.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: CPUGuardian.exe, 0000000A.00000002.4154911978.0000000002B66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://safecart.com/cpuguardian/.cpu-guardian-35

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\074kFuPFv8.exe

Code function: 0_2_002C8645 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_002C8645

Contains functionality to modify clipboard data

Source: C:\Users\user\Desktop\074kFuPFv8.exe

Code function: 0_2_002C8645 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_002C8645

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\Desktop\074kFuPFv8.exe

Code function: 0_2_00311429 PtInRect,GetAsyncKeyState,TrackMouseEvent,

0_2_00311429

Potential key logger detected (key state polling based)

Source: C:\Users\user\Desktop\074kFuPFv8.exe

Code function: 0_2_00271496 __EH_prolog3_catch_GS,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,

0_2_00271496

System Summary

Abnormal high CPU Usage

Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe

Process Stats: CPU usage > 49%

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\074kFuPFv8.exe

Code function: 0_2_002C1032 GetCurrentProcess,OpenProcessToken,CloseHandle,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,ExitWindowsEx,

0_2_002C1032

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5d5e38.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5FAF.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5FFE.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI601F.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{87D8CFC2-0E35-4BF0-81BC-C5B3D1652F6D}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI607D.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI608E.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI60DD.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI612C.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI63DD.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI65C2.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{87D8CFC2-0E35-4BF0-81BC-C5B3D1652F6D}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{87D8CFC2-0E35-4BF0-81BC-C5B3D1652F6D}\SystemFoldermsiexec.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{87D8CFC2-0E35-4BF0-81BC-C5B3D1652F6D}\icon.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI70B0.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5d5e3b.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5d5e3b.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7247.tmp	Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI5FAF.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002A9090	0_2_002A9090
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002DA642	0_2_002DA642
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_00308299	0_2_00308299
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_00260B3C	0_2_00260B3C
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002F8D50	0_2_002F8D50
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_0025CD87	0_2_0025CD87
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_00294FB0	0_2_00294FB0
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_0028D270	0_2_0028D270
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_0029D420	0_2_0029D420
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_0030D57B	0_2_0030D57B
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002E18F3	0_2_002E18F3
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_0029DF50	0_2_0029DF50
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_0025E013	0_2_0025E013
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002F20A0	0_2_002F20A0
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002F6259	0_2_002F6259
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_0030E68C	0_2_0030E68C
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002F672E	0_2_002F672E
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_0029A9F0	0_2_0029A9F0
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002F6B02	0_2_002F6B02
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_0028ED30	0_2_0028ED30
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002F6F0E	0_2_002F6F0E
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002F732E	0_2_002F732E
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_0029B4C0	0_2_0029B4C0
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_0030B4DB	0_2_0030B4DB
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002875D0	0_2_002875D0
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002DB800	0_2_002DB800
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002FF8BB	0_2_002FF8BB
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_0029B9D0	0_2_0029B9D0
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_0030BA1F	0_2_0030BA1F
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_0030BF63	0_2_0030BF63
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_09FC6783	10_2_09FC6783
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_028EA238	10_2_028EA238
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_028E8998	10_2_028E8998
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_028E8C38	10_2_028E8C38
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_028E9F10	10_2_028E9F10
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_028E8FC8	10_2_028E8FC8
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_028E9FB1	10_2_028E9FB1
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_0577C5A4	10_2_0577C5A4
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_0577E0D0	10_2_0577E0D0
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_0577CCC0	10_2_0577CCC0
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_05771FB8	10_2_05771FB8
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_0577FAF0	10_2_0577FAF0
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_0577E508	10_2_0577E508
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_0577A760	10_2_0577A760
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_0577A750	10_2_0577A750
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_05778CEC	10_2_05778CEC
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_05771FAD	10_2_05771FAD
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_0577E8C0	10_2_0577E8C0
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_0623CEF0	10_2_0623CEF0
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_0623A7B0	10_2_0623A7B0
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_06244BF4	10_2_06244BF4
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_0624D0A8	10_2_0624D0A8
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_0624D097	10_2_0624D097
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_063A4E7C	10_2_063A4E7C
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_063A6130	10_2_063A6130
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_0790BED3	10_2_0790BED3
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_083D292C	10_2_083D292C
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_083D4CF8	10_2_083D4CF8
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_083D6600	10_2_083D6600
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_083D65FE	10_2_083D65FE
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_08535074	10_2_08535074
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_0853A5C0	10_2_0853A5C0

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Program Files (x86)\CPU Guardian\ComponentFactory.Krypton.Toolkit.dll 956AD7E5C070EE129E70A3E7F5D44038D5BB43ADE2D24B5119A0F0E763E6A8A9

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: String function: 002FBC1C appears 59 times
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: String function: 0027276A appears 39 times
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: String function: 002FC325 appears 139 times
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: String function: 00292580 appears 87 times
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: String function: 00283507 appears 43 times
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: String function: 002B244B appears 89 times
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: String function: 002FC391 appears 94 times
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: String function: 002F5569 appears 57 times
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: String function: 002FC2F2 appears 1015 times
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: String function: 00234F20 appears 363 times
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: String function: 00292510 appears 87 times
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: String function: 00235A6E appears 136 times
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: String function: 002FC3ED appears 212 times
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: String function: 0023DF4F appears 132 times
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: String function: 002FC35B appears 196 times

Sample file is different than original file name gathered from version info

Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005DA3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCPUGuardian.resources.dll< vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHelper.dll0 vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameInterop.IWshRuntimeLibrary.dll vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005D2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCPUGuardian.resources.dll< vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005E43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLogging.dll0 vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005E43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Deployment.WindowsInstaller.dll\ vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005E09000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCPUGuardian.resources.dll< vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005ED7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUninst000.dll< vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005ED7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSfxCA.dll\ vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005ED7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUninst000.resources.dll< vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1678986166.0000000003E8D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAICustAct.dllF vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1678986166.0000000003E8D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameShortcutFlags.dllF vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005CAA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCPUGuardian.resources.dll< vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005D41000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCPUGuardian.resources.dll< vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1678986166.0000000003EFA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameResourceCleaner.dllF vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005D8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCPUGuardian.resources.dll< vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.2420478068.0000000003BC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDecoder.dllF vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005DDE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCPUGuardian.resources.dll< vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005E72000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll8 vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005E72000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetup.dll, vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005E72000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSplash.resources.dll0 vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.2421204327.0000000000F97000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsi.dllX vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005E37000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameInterop.Shell32.dll vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005D55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCPUGuardian.resources.dll< vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1678986166.0000000003F54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelzmaextractor.dllF vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1678986166.0000000003F54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePrereq.dllF vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000002.2421815891.0000000000F97000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsi.dllX vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.000000000544E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCPUGuardian.exe< vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.000000000544E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameInstAct.exe4 vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.000000000544E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSplash.exe0 vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.000000000544E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameupdater.exeP vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.000000000544E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamebo.dll( vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.000000000544E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameComponentFactory.Krypton.Toolkit.dll@ vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.000000000544E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCPUGuardian.resources.dll< vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005CF6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCPUGuardian.resources.dll< vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005CE3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCPUGuardian.resources.dll< vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005D1B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCPUGuardian.resources.dll< vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005DF1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCPUGuardian.resources.dll< vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005CBD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCPUGuardian.resources.dll< vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005D09000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCPUGuardian.resources.dll< vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005D68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCPUGuardian.resources.dll< vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000000.1671552286.000000000037A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileNameCPUGuardianSetup.exe: vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005DCB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCPUGuardian.resources.dll< vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005CD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCPUGuardian.resources.dll< vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005D7B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCPUGuardian.resources.dll< vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005C82000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCPUGuardian.resources.dll< vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005DB6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCPUGuardian.resources.dll< vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005C97000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCPUGuardian.resources.dll< vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe	Binary or memory string: OriginalFileNameCPUGuardianSetup.exe: vs 074kFuPFv8.exe
Source: 074kFuPFv8.exe	Binary or memory string: OriginalFilenameDecoder.dllF vs 074kFuPFv8.exe

Uses 32bit PE files

Source: 074kFuPFv8.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 5d5e38.msi.2.dr

Binary string: IDYESAI_OFFICE_REGOPENAI_ADDIN0.0.0.0Advanced Installer PathSoftware\Caphyon\Advanced Installer\Installation PathSoftware\Caphyon\Advanced InstallerAI_OFN_FILEPATHAI_OFN_DLG_TITLEAI_OFN_FILTERSAI_OFN_FLAGSAI_OFN_DEF_EXTAI_OFN_DIRECTORYAI_OFN_FILENAMEAI_MINJREVERSIONAI_PACKAGE_TYPEx64Intel64Software\JavaSoft\Java Runtime Environment\AI_JREVERFOUNDAI_MINJDKVERSIONSoftware\JavaSoft\Java Development Kit\AI_JDKVERFOUNDAI_COMBOBOX_DATAAI_LISTBOX_DATA\\\esc1\#\esc2\|\esc3\\esc0\esc0\\esc2#\esc3|\esc1\ERROR%sERROR_NO_VALUEERROR_DUPLICATE_ITEM%s: %sSUCCESS#\#|\|\\\%s%c%s%c%s%s%c%sSELECT * FROM `Control` WHERE `Type` = 'Bitmap'AI_SYSTEM_DPIAI_SYSTEM_DPI_SCALEAI_BITMAP_DISPLAY_MODESELECT `Argument`, `Condition` FROM `ControlEvent` WHERE `Dialog_` = 'ExitDialog' AND `Control_` = 'Finish' AND `Event` = 'DoAction' ORDER BY `Ordering`AI_AI_ViewReadmeAI_LaunchAppCTRLS3ALLSELECT `Feature` FROM `Feature`DoActionAddLocalRemoveAddSourceReinstallModeREINSTALLMODEAI_INSTALL_MODE{ED4824AF-DCE4-45A8-81E2-FC7965083634}PublicDocumentsFolder{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}WindowsLibrariesFolder{4C5C32FF-BB9D-43b0-B5B4-2D72E54EAAA4}SavedGamesFolderPathWWWRootSOFTWARE\Microsoft\InetStpIIsWWWRootFolder4163416241614160AI_PATH_VALIDATION_FILENAMEAI_PATH_VALIDATION_FAILEDAI_PATH_VALIDATION_OPTUpgradeCodeAssignmentTypeUPGRADINGPRODUCTCODE=ERROR - Cannot create the Filter Graph ManagerAI_AUDIOFILE_PATHAI_AUDIOFILE_OPTIONSERROR - Cannot render the file.ERROR - Cannot play the file.LOOP_OFFGlobal\_MSIExecuteAI_AUDIOFILE_UIPlay\0001\0000\Device\VideoERROR - Registry value not found: SystemHardwareInformation.MemorySize\Device\Video0HARDWARE\DEVICEMAP\VIDEOAI_TOTAL_VIDEO_MEMORYVersionNTSELECT `GroupName` FROM `AI_UserGroups` WHERE `GroupName` = ?SELECT `UserName` FROM `AI_UserAccounts` WHERE `UserName` = ?AI_USER_VALID_PASSWORDAI_USER_CHECK_PASSWORDAI_USER_IS_GROUPAI_USER_IGNORE_MSIAI_USER_IGNORE_FULLNAMEAI_USER_EXISTSUSER_PASSWORDDOMAIN_NAMEUSER_NAMEPerformance Log UsersGRP_LOGGING_USERSPerformance Monitor UsersGRP_MONITORING_USERSIncoming Forest Trust BuildersGRP_RID_INCOMING_FOREST_TRUST_BUILDERSNetwork Configuration OperatorsGRP_NETWORK_CONFIGURATION_OPSRemote Desktop UsersGRP_REMOTE_DESKTOP_USERSPre-Windows 2000 Compatible AccessGRP_PREW2KCOMPACCESSRAS and IAS ServersGRP_RAS_SERVERSReplicatorGRP_REPLICATORPower UsersGRP_POWER_USERSGuestsGRP_GUESTSUsersGRP_USERSAdministratorsGRP_ADMINISTRATORSBOBackup OperatorsGRP_BACKUP_OPSPOPrint OperatorsGRP_PRINT_OPSSOServer OperatorsGRP_SERVER_OPSAOAccount OperatorsGRP_ACCOUNT_OPSNSNetwork ServiceUSR_NETWORK_SERVICEANAnonymousUSR_ANONYMOUSWDEveryoneGRP_EVERYONEDomain ControllersGRP_DOMAIN_CONTROLLERSDomain ComputersGRP_DOMAIN_COMPUTERSDomain UsersGRP_DOMAIN_USERSkrbtgtUSR_KEY_DISTR_CENTER_SERVICEGuestUSR_GUESTAdministratorUSR_ADMINISTRATORGetting localized credentials and storing them in properties...Getting localized credentials on a non-NT system resolution failed: LookupUserGroupFromRid failedLookupUserGroupFromRidSDDL failedLookupAl

Source: CPUGuardian.exe, 0000000A.00000002.4154911978.0000000002B66000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: .vbproj
Source: CPUGuardian.exe, 0000000A.00000002.4154911978.0000000002B66000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: .csproj

Source: classification engine

Classification label: mal40.evad.winEXE@21/229@2/2

Source: C:\Users\user\Desktop\074kFuPFv8.exe

Code function: 0_2_00298050 FormatMessageW,GetLastError,

0_2_00298050

Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002C1032 GetCurrentProcess,OpenProcessToken,CloseHandle,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,ExitWindowsEx,	0_2_002C1032
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_028EAE34 AdjustTokenPrivileges,	10_2_028EAE34
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_028EBEF8 AdjustTokenPrivileges,	10_2_028EBEF8

Source: C:\Users\user\Desktop\074kFuPFv8.exe

Code function: 0_2_002BC77B GetDiskFreeSpaceExW,

0_2_002BC77B

Source: C:\Users\user\Desktop\074kFuPFv8.exe

Code function: 0_2_002ABBFD CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

0_2_002ABBFD

Source: C:\Users\user\Desktop\074kFuPFv8.exe

Code function: 0_2_002C118A CoCreateInstance,

0_2_002C118A

Source: C:\Users\user\Desktop\074kFuPFv8.exe

Code function: 0_2_00280854 __EH_prolog3_catch,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,

0_2_00280854

Source: C:\Users\user\Desktop\074kFuPFv8.exe

Code function: 0_2_002BFF6F GetVersionExW,FindWindowW,_memset,SearchPathW,GetLastError,CreateProcessW,CloseHandle,CloseHandle,CloseHandle,OpenSCManagerW,OpenServiceW,CloseServiceHandle,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,GetLastError,CloseServiceHandle,

0_2_002BFF6F

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\CPU Guardian

Jump to behavior

Source: C:\Users\user\Desktop\074kFuPFv8.exe

File created: C:\Users\user\AppData\Roaming\CPU Guardian

Jump to behavior

Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Mutant created: \Sessions\1\BaseNamedObjects\CPU Guardian
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8056:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF5579851029B889B0.TMP

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\cmd.exe /C "C:\Users\user\AppData\Local\Temp\{C7F8B9FC-A653-4074-A59A-3A17D9B805FE}.bat"

Source: C:\Users\user\Desktop\074kFuPFv8.exe	Command line argument: RICHED20.DLL		0_2_0027DC66
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Command line argument: RICHED20.DLL		0_2_0027DC66

Source: 074kFuPFv8.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\074kFuPFv8.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\074kFuPFv8.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 074kFuPFv8.exe, 00000000.00000003.1678986166.0000000003E8D000.00000004.00000020.00020000.00000000.sdmp, MSI601F.tmp.2.dr, MSI5FAF.tmp.2.dr, CPUGuardian.msi.0.dr, 5d5e38.msi.2.dr

Binary or memory string: INSERT INTO `` (`Property`, `Order`, `Value`, `Text`) VALUES (?,?,?,?) TEMPORARYComboBoxListBoxSELECT * FROM `%s` WHERE `Property`='%s' AND `Value`='%s'SELECT * FROM `%s` WHERE `Property`='%s'DELETE FROM `%s` WHERE `Property`='%s'RichEdit20W[1]SELECT `Message` FROM `Error` WHERE `Error` = %sSELECT `Text` FROM `UIText` WHERE `Key` = '%s'tmptmpALLUSERS = 1';WS_EX_LAYOUTRTLWS_EX_NOINHERITLAYOUTWS_EX_NOACTIVATEWS_EX_LAYEREDWS_EX_RIGHTWS_EX_RIGHTSCROLLBARWS_EX_WINDOWEDGEWS_EX_TRANSPARENTWS_EX_TOPMOSTWS_EX_TOOLWINDOWWS_EX_STATICEDGEWS_EX_RTLREADINGWS_EX_PALETTEWINDOWWS_EX_OVERLAPPEDWINDOWWS_EX_NOPARENTNOTIFYWS_EX_MDICHILDWS_EX_LTRREADINGWS_EX_LEFTSCROLLBARWS_EX_LEFTWS_EX_DLGMODALFRAMEWS_EX_CONTROLPARENTWS_EX_CONTEXTHELPWS_EX_CLIENTEDGEWS_EX_APPWINDOWWS_EX_ACCEPTFILESWS_TILEDWS_TILEDWINDOWWS_POPUPWS_POPUPWINDOWWS_OVERLAPPEDWS_OVERLAPPEDWINDOWWS_MINIMIZEWS_MINIMIZEBOXWS_MAXIMIZEWS_MAXIMIZEBOXWS_VSCROLLWS_VISIBLEWS_THICKFRAMEWS_TABSTOPWS_SYSMENUWS_SIZEBOXWS_ICONICWS_HSCROLLWS_GROUPWS_DLGFRAMEWS_DISABLEDWS_CLIPSIBLINGSWS_CLIPCHILDRENWS_CHILDWINDOWWS_CHILDWS_CAPTIONWS_BORDERWS_EXAI_TRIAL_MESSAGE_BODYAI_MSM_TRIAL_MESSAGE_BODYAI_APP_FILEAI_README_FILEAI_APP_ARGSGetProcessIdKernel32.dllMsiLogFileLocationrunasRunAsAdminFileRunAsAdminCmdRunAsAdminWorkingDir[AdminToolsFolder][TemplateFolder][StartupFolder][DesktopFolder][ProgramMenuFolder][WindowsVolume][SystemFolder][LocalAppDataFolder][WindowsFolder][AI_ProgramFiles][CommonFiles64Folder][LocalAppDataFolder]Programs\Common\[CommonFilesFolder][ProgramFiles64Folder][LocalAppDataFolder]Programs\[ProgramFilesFolder]MIGRATEFindRelatedProductsMigrateFeatureStatesAI_SETMIXINSTLOCATIONAPPDIRAI_RESTORE_LOCATIONSELECT `ActionProperty` FROM `Upgrade`SELECT `Action`,`Target` FROM `CustomAction`SET_APPDIRSET_SHORTCUTDIRSHORTCUTDIRAI_InstallPerUser = "0"ALLUSERS = "2"MSIINSTALLPERUSER = "1"1ALLUSERSVersionMsi >= "5.0"2AI_InstallPerUser = "1"MSIINSTALLPERUSERMSINEWINSTANCEProductLanguageAI_INTANCE_LOCATIONAI_UPGRADENoOLDPRODUCTSLanguageVersionStringInstallLocationAI_REPLACE_PRODUCTSAI_Replaced_Versions_ListAI_Upgrade_Replace_Question_YesBackUp_AI_Upgrade_Question_YesAI_Upgrade_Question_YesAI_Upgrade_Replace_Question_NoBackUp_AI_Upgrade_Question_NoAI_Upgrade_Question_NoYeslcSELECT `Data` FROM `Binary` WHERE `Name`='AI_DETECTVM_BINARY_IDAI_INSIDEVM2DELETE FROM `Shortcut` WHERE `Shortcut`.`Directory_`='%s'DELETE FROM `IniFile` WHERE `IniFile`.`Section`='InternetShortcut' AND`IniFile`.`DirProperty`='%s'SELECT * FROM `%s`ShortcutIniFileAI_DESKTOP_SH0|AI_STARTMENU_SHAI_QUICKLAUNCH_SHAI_STARTUP_SHAI_SHORTCUTSREGNot InstalledDesktopFolderQuickLaunch_DirStartupFolderProgramMenuFolderProgramMenuFolderProductName*.**.*AI_SH_DIRAI_PRINT_RTFSELECT `Text` FROM `Control` WHERE `Control`.`Dialog_`='%s' AND `Control`.`Control`='%s'.rtfprinthttp://www.example.comhttp://www.yahoo.comhttp://www.google.comAI_INET_CON_SUCCESSAI_INTERNET_CONNECTIONAI_INET_CON_FAILED -user -machine -quiet -addgroup All_CodeMy_Computer_Zone -url "*" Nothing -name

Source: 074kFuPFv8.exe

ReversingLabs: Detection: 39%

Source: C:\Users\user\Desktop\074kFuPFv8.exe

File read: C:\Users\user\Desktop\074kFuPFv8.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\074kFuPFv8.exe "C:\Users\user\Desktop\074kFuPFv8.exe"
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\CPUGuardian.msi" /qn AI_SETUPEXEPATH=C:\Users\user\Desktop\074kFuPFv8.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6861D10B1BBFC1725672A78A114343A0
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 51546B5E421AAA8415620B734ACBBF40 E Global\MSI0000
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C "C:\Users\user\AppData\Local\Temp\{C7F8B9FC-A653-4074-A59A-3A17D9B805FE}.bat"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C "C:\Users\user\AppData\Local\Temp\{C7F8B9FC-A653-4074-A59A-3A17D9B805FE}.bat"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe "C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe" true
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\CPU Guardian\InstAct.exe "C:\Program Files (x86)\CPU Guardian\InstAct.exe" install 1 0
Source: unknown	Process created: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe "C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe" true
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\CPU Guardian\InstAct.exe "C:\Program Files (x86)\CPU Guardian\InstAct.exe" installurl
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\CPUGuardian.msi" /qn AI_SETUPEXEPATH=C:\Users\user\Desktop\074kFuPFv8.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6861D10B1BBFC1725672A78A114343A0	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 51546B5E421AAA8415620B734ACBBF40 E Global\MSI0000	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe "C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe" true	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\CPU Guardian\InstAct.exe "C:\Program Files (x86)\CPU Guardian\InstAct.exe" install 1 0	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\CPU Guardian\InstAct.exe "C:\Program Files (x86)\CPU Guardian\InstAct.exe" installurl	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C "C:\Users\user\AppData\Local\Temp\{C7F8B9FC-A653-4074-A59A-3A17D9B805FE}.bat"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C "C:\Users\user\AppData\Local\Temp\{C7F8B9FC-A653-4074-A59A-3A17D9B805FE}.bat"	Jump to behavior

Source: C:\Users\user\Desktop\074kFuPFv8.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: symsrv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: midimap.dll	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Section loaded: dwrite.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Section loaded: fwpuclnt.dll

Source: C:\Users\user\Desktop\074kFuPFv8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File written: C:\Program Files (x86)\CPU Guardian\updater.ini

Jump to behavior

Executable creates window controls seldom found in malware

Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe

Window found: window name: msctls_updown32

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

PE / OLE file has a valid certificate

Source: 074kFuPFv8.exe

Static PE information: certificate valid

Submission file is bigger than most known malware samples

Source: 074kFuPFv8.exe

Static file information: File size 5644176 > 1048576

PE file contains a mix of data directories often seen in goodware

Source: 074kFuPFv8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 074kFuPFv8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 074kFuPFv8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 074kFuPFv8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 074kFuPFv8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 074kFuPFv8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: 074kFuPFv8.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: 074kFuPFv8.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: d:\BitBucketGit\CPU Guardian\bo\obj\Release\bo.pdbD7^7 P7_CorDllMainmscoree.dll source: 074kFuPFv8.exe, 00000000.00000003.1712561481.000000000544E000.00000004.00000020.00020000.00000000.sdmp, CPUGuardian.exe, 0000000A.00000002.4166623593.0000000008482000.00000002.00000001.01000000.00000013.sdmp, bo.dll.0.dr
Source:	Binary string: d:\BitBucketGit\CPU Guardian\RegCleaner\obj\Release\CPUGuardian.pdb source: 074kFuPFv8.exe, 00000000.00000003.1712561481.000000000544E000.00000004.00000020.00020000.00000000.sdmp, CPUGuardian.exe, 0000000A.00000000.1737687137.0000000000272000.00000002.00000001.01000000.00000006.sdmp, CPUGuardian.exe.2.dr
Source:	Binary string: C:\src\wix39r2\build\ship\x86\SfxCA.pdb source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005ECF000.00000004.00000020.00020000.00000000.sdmp, Uninst000.CA.dll.2.dr, Uninst000.CA.dll.0.dr
Source:	Binary string: d:\BitBucketGit\CPU Guardian\Setup\obj\Release\Setup.pdb source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005E72000.00000004.00000020.00020000.00000000.sdmp, CPUGuardian.exe, 0000000D.00000002.1794851263.0000000006022000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: $^q:C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbd source: CPUGuardian.exe, 0000000A.00000002.4154911978.0000000002B66000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: <filename>C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb</filename> source: fileerrors_data.10.dr
Source:	Binary string: ntkrnlmp.pdb source: CPUGuardian.exe, 0000000A.00000002.4154911978.0000000002B66000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\BitBucketGit\CPU Guardian\CustomActions\CustomAction1\obj\x86\Release\Uninst000.pdb source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005ED7000.00000004.00000020.00020000.00000000.sdmp, Uninst000.dll.0.dr, Uninst000.dll.2.dr
Source:	Binary string: $^qgC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: CPUGuardian.exe, 0000000A.00000002.4154911978.0000000002B66000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\BitBucketGit\CPU Guardian\bo\obj\Release\bo.pdb source: 074kFuPFv8.exe, 00000000.00000003.1712561481.000000000544E000.00000004.00000020.00020000.00000000.sdmp, CPUGuardian.exe, CPUGuardian.exe, 0000000A.00000002.4166623593.0000000008482000.00000002.00000001.01000000.00000013.sdmp, bo.dll.0.dr
Source:	Binary string: E:\Point\win\Release\stubs\x86\ExternalUi.pdbL source: 074kFuPFv8.exe
Source:	Binary string: AcroExch.PDBookmark.1 source: CPUGuardian.exe, 0000000A.00000002.4154911978.0000000002B66000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: <filename>C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error</filename> source: fileerrors_data.10.dr
Source:	Binary string: winload_prod.pdb source: CPUGuardian.exe, 0000000A.00000002.4154911978.0000000002B66000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: E:\Point\win\Release\stubs\x86\Updater.pdb source: 074kFuPFv8.exe, 00000000.00000003.1712561481.000000000544E000.00000004.00000020.00020000.00000000.sdmp, updater.exe.2.dr
Source:	Binary string: d:\BitBucketGit\CPU Guardian\RegCleaner\obj\Release\CPUGuardian.pdb\| source: 074kFuPFv8.exe, 00000000.00000003.1712561481.000000000544E000.00000004.00000020.00020000.00000000.sdmp, CPUGuardian.exe, 0000000A.00000000.1737687137.0000000000272000.00000002.00000001.01000000.00000006.sdmp, CPUGuardian.exe.2.dr
Source:	Binary string: d:\ComponentFactory\Build Krypton\Source\Krypton Components\ComponentFactory.Krypton.Toolkit\obj\Release\ComponentFactory.Krypton.Toolkit.pdb source: 074kFuPFv8.exe, 00000000.00000003.1712561481.000000000544E000.00000004.00000020.00020000.00000000.sdmp, CPUGuardian.exe, 0000000D.00000002.1795714523.0000000006B42000.00000002.00000001.01000000.0000000D.sdmp, ComponentFactory.Krypton.Toolkit.dll.2.dr
Source:	Binary string: d:\BitBucketGit\CPU Guardian\Setup\obj\Release\Setup.pdbL8n8 `8_CorDllMainmscoree.dll source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005E72000.00000004.00000020.00020000.00000000.sdmp, CPUGuardian.exe, 0000000D.00000002.1794851263.0000000006022000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: E:\Point\win\Release\custact\x86\AICustAct.pdb source: 074kFuPFv8.exe, 00000000.00000003.1678986166.0000000003E8D000.00000004.00000020.00020000.00000000.sdmp, MSI601F.tmp.2.dr, MSI5FAF.tmp.2.dr, CPUGuardian.msi.0.dr, 5d5e38.msi.2.dr
Source:	Binary string: E:\Point\win\Release\custact\x86\ResourceCleaner.pdb source: 074kFuPFv8.exe, 00000000.00000003.1678986166.0000000003EFA000.00000004.00000020.00020000.00000000.sdmp, MSI608E.tmp.2.dr, CPUGuardian.msi.0.dr, 5d5e38.msi.2.dr, MSI63DD.tmp.2.dr
Source:	Binary string: $^qeC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: CPUGuardian.exe, 0000000A.00000002.4154911978.0000000002B66000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\Visual Studio 2010\Projects\TaskService\obj\Release\Microsoft.Win32.TaskScheduler.pdb source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005E72000.00000004.00000020.00020000.00000000.sdmp, CPUGuardian.exe, CPUGuardian.exe, 0000000A.00000002.4177985426.0000000009FC2000.00000002.00000001.01000000.00000014.sdmp, Microsoft.Win32.TaskScheduler.dll.2.dr
Source:	Binary string: d:\BitBucketGit\CPU Guardian\Logging\obj\Release\Logging.pdb source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005E43000.00000004.00000020.00020000.00000000.sdmp, CPUGuardian.exe, 0000000D.00000002.1793712666.0000000003422000.00000002.00000001.01000000.0000000A.sdmp, Logging.dll.0.dr
Source:	Binary string: $^qmC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: CPUGuardian.exe, 0000000A.00000002.4154911978.0000000002B66000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: d:\BitBucketGit\CPU Guardian\InstallerActions\obj\x86\Release\InstAct.pdb source: 074kFuPFv8.exe, 00000000.00000003.1712561481.000000000544E000.00000004.00000020.00020000.00000000.sdmp, InstAct.exe, 0000000B.00000000.1739518695.0000000000AB2000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: $^qXC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831d source: CPUGuardian.exe, 0000000A.00000002.4154911978.0000000002B66000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\Visual Studio 2010\Projects\TaskService\obj\Release\Microsoft.Win32.TaskScheduler.pdbt source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005E72000.00000004.00000020.00020000.00000000.sdmp, CPUGuardian.exe, 0000000A.00000002.4177985426.0000000009FC2000.00000002.00000001.01000000.00000014.sdmp, Microsoft.Win32.TaskScheduler.dll.2.dr
Source:	Binary string: c:\src\wix39r2\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: 074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005E43000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.0.dr, Microsoft.Deployment.WindowsInstaller.dll.2.dr
Source:	Binary string: F.pdb source: 074kFuPFv8.exe, 00000000.00000003.1712561481.000000000544E000.00000004.00000020.00020000.00000000.sdmp, CPUGuardian.exe, 0000000A.00000000.1737687137.0000000000272000.00000002.00000001.01000000.00000006.sdmp, CPUGuardian.exe.2.dr
Source:	Binary string: $^q\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2d source: CPUGuardian.exe, 0000000A.00000002.4154911978.0000000002B66000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: $^qkC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: CPUGuardian.exe, 0000000A.00000002.4154911978.0000000002B66000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: E:\Point\win\Release\custact\x86\ShortcutFlags.pdb source: 074kFuPFv8.exe, 00000000.00000003.1678986166.0000000003E8D000.00000004.00000020.00020000.00000000.sdmp, CPUGuardian.msi.0.dr, 5d5e38.msi.2.dr
Source:	Binary string: d:\BitBucketGit\CPU Guardian\Splash\obj\x86\Release\Splash.pdb source: 074kFuPFv8.exe, 00000000.00000003.1712561481.000000000544E000.00000004.00000020.00020000.00000000.sdmp, Splash.exe.0.dr, Splash.exe.2.dr
Source:	Binary string: <filename>C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error</filename> source: fileerrors_data.10.dr
Source:	Binary string: AcroExch.PDBookmark source: CPUGuardian.exe, 0000000A.00000002.4154911978.0000000002B66000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: E:\Point\win\Release\stubs\x86\ExternalUi.pdb source: 074kFuPFv8.exe
Source:	Binary string: $^q6C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdbd source: CPUGuardian.exe, 0000000A.00000002.4154911978.0000000002B66000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: <filename>C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb</filename> source: fileerrors_data.10.dr

PE file contains a valid data directory to section mapping

Source: 074kFuPFv8.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 074kFuPFv8.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 074kFuPFv8.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 074kFuPFv8.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 074kFuPFv8.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\074kFuPFv8.exe

Code function: 0_2_002C09E1 LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_002C09E1

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002FC3CA push ecx; ret	0_2_002FC3DD
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002F4BFA push es; iretd	0_2_002F4C00
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002ECCA1 push cs; retf	0_2_002ECCA2
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002A0CB0 push ecx; mov dword ptr [esp], 00000000h	0_2_002A0CB1
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_0024D95A push dword ptr [ebp+ebp*8+3Bh]; ret	0_2_0024D964
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002FEC0C push dword ptr [ecx-75h]; iretd	0_2_002FEC19
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002FBC61 push ecx; ret	0_2_002FBC74
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_02A55AFE push es; iretd	10_2_02A55BCE
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_02A540DE push cs; iretd	10_2_02A540EC
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_0623E188 pushfd ; retf	10_2_0623E215
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_06234820 push eax; mov dword ptr [esp], ecx	10_2_06234824
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_06239950 push es; ret	10_2_06239960
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_063A15FF push es; ret	10_2_063A1600
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_064FCDD1 push es; retn 0004h	10_2_064FCDE0
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_064F0A30 push es; ret	10_2_064F0A58
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_064F7901 push es; ret	10_2_064F7910
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_07902590 push es; ret	10_2_079029E0
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_07903B99 push esp; ret	10_2_07903BA5
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_08530C48 push es; ret	10_2_08530CF0
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_08537801 push es; ret	10_2_08537810
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_08537B70 pushfd ; iretd	10_2_08537B71
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Code function: 10_2_085376B8 push es; ret	10_2_08537810

Persistence and Installation Behavior

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\th-TH\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\sv\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\da\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\es\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\sv\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\fr\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\decoder.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\no\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Splash.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\hr-HR\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\fil-PH\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\fr\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\ru\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\no\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\Splash.exe	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\ru\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\sr-Cyrl-RS\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\de\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\th-TH\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\fil-PH\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI612C.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Uninst000.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\bs-Cyrl-BA\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\bs-Cyrl-BA\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\se-FI\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\tr-TR\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Uninst000.CA.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\no\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\ru\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\da\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\de\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\it\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Setup.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\hr-HR\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\bs-Latn-BA\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\sr-Latn-RS\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Microsoft.Win32.TaskScheduler.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\tr-TR\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\Uninst000.CA.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\tr-TR\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\tr-TR\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\no\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\sv\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\sv\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\th-TH\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI63DD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\ja\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\updater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\sr-Cyrl-RS\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\ja\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\fr\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\nl\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI608E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\he\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\bs-Latn-BA\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\pt\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\da\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\ar\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\da\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\he\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\sr-Latn-RS\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\he\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\bs-Latn-BA\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\ru\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\he\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\bo.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\da\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\fil-PH\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\sr-Cyrl-RS\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\it\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\ru\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7247.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\fil-PH\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\Interop.IWshRuntimeLibrary.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\de\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\bs-Latn-BA\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\se-FI\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\it\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\bs-Latn-BA\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\ja\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Logging.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\de\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\no\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\hr-HR\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\sr-Latn-RS\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\sr-Cyrl-RS\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\ar\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\ja\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\nl\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\sr-Latn-RS\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\se-FI\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI65C2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\th-TH\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\bs-Latn-BA\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\it\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\de\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\sv\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\da\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\Logging.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\de\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\pt\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\ja\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\pt\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\Setup.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\es\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\nl\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\sr-Latn-RS\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\se-FI\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\Interop.Shell32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\ComponentFactory.Krypton.Toolkit.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\se-FI\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\ar\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\hr-HR\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Helper.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\Helper.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\th-TH\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\Microsoft.Win32.TaskScheduler.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Interop.Shell32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5FAF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\hr-HR\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\bo.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\it\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\ru\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\bs-Cyrl-BA\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\nl\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\hr-HR\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\fr\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\CPUGuardian.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\ComponentFactory.Krypton.Toolkit.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\es\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5FFE.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\tr-TR\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\ja\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\nl\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\ar\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\es\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\fil-PH\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\sr-Cyrl-RS\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\bs-Cyrl-BA\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\Uninst000.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\nl\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\tr-TR\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\bs-Cyrl-BA\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\he\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI601F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\es\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\sr-Cyrl-RS\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\se-FI\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI70B0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\ar\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\pt\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\InstAct.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\es\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\th-TH\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\it\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\updater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\ar\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Interop.IWshRuntimeLibrary.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\bs-Cyrl-BA\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI60DD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\pt\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\fil-PH\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\sv\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\pt\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\fr\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\he\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\sr-Latn-RS\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\fr\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\no\Splash.resources.dll	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI63DD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI612C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI70B0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5FFE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI60DD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7247.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI65C2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI608E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5FAF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI601F.tmp	Jump to dropped file

Boot Survival

Installs Task Scheduler Managed Wrapper

Source: C:\Users\user\Desktop\074kFuPFv8.exe	File created: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Microsoft.Win32.TaskScheduler.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\CPU Guardian\Microsoft.Win32.TaskScheduler.dll			Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CPU Guardian	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CPU Guardian\CPU Guardian.lnk	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CPU Guardian\Uninstall.lnk	Jump to behavior

Source: C:\Users\user\Desktop\074kFuPFv8.exe

0_2_002BFF6F

Hooking and other Techniques for Hiding and Protection

Creates files in the recycle bin to hide itself

Source: C:\Windows\SysWOW64\msiexec.exe

File created: C:\$RECYCLE.BIN\S-1-5-18

Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT			Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Stores large binary data to the registry

Source: C:\Windows\System32\msiexec.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 Blob

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\074kFuPFv8.exe

Code function: 0_2_002D5393

0_2_002D5393

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\Windows\SysWOW64\msiexec.exe

Section loaded: OutputDebugStringW count: 193

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Memory allocated: 2870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Memory allocated: 2AF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Memory allocated: 2A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Memory allocated: 2BF0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Memory allocated: 2E20000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Memory allocated: 2C50000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Memory allocated: 1B20000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Memory allocated: 36E0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Memory allocated: 56E0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Memory allocated: 13B0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Memory allocated: 2E80000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Memory allocated: 4E80000 memory reserve \| memory write watch

Contains functionality to detect virtual machines (SLDT)

Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe

Code function: 10_2_02A521F0 sldt word ptr [eax]

10_2_02A521F0

Contains long sleeps (>= 3 min)

Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 599433	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 599315	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 599187	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 598940	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 598814	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 598333	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 597978	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 597874	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 597629	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 597404	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 597296	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 597077	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 596964	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 596640	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 596421	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 596093	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 595857	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 595640	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 595421	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 595202	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 595089	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 594976	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 594841	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 594721	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 594573	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 593962	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 593859	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 593749	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 593640	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Window / User API: threadDelayed 5161			Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Window / User API: threadDelayed 4318			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\th-TH\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\sv\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\da\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\es\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\sv\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\fr\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\decoder.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\no\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Splash.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\hr-HR\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\fil-PH\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\ru\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\fr\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\no\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\Splash.exe	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\ru\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\sr-Cyrl-RS\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\de\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\fil-PH\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\th-TH\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI612C.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\bs-Cyrl-BA\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Uninst000.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\bs-Cyrl-BA\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\se-FI\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\tr-TR\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Uninst000.CA.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\no\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\ru\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\da\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\de\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\it\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Setup.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\hr-HR\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\sr-Latn-RS\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\bs-Latn-BA\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Microsoft.Win32.TaskScheduler.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\tr-TR\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\Uninst000.CA.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\tr-TR\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\tr-TR\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\no\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\sv\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\sv\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\th-TH\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\ja\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI63DD.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\updater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\sr-Cyrl-RS\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\ja\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\fr\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\nl\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI608E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\he\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\pt\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\bs-Latn-BA\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\da\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\ar\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\da\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\he\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\sr-Latn-RS\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\he\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\bs-Latn-BA\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\ru\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\he\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\bo.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\da\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\sr-Cyrl-RS\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\fil-PH\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\it\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\ru\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI7247.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\fil-PH\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\Interop.IWshRuntimeLibrary.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\de\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\bs-Latn-BA\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\se-FI\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\it\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\bs-Latn-BA\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\ja\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Logging.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\de\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\hr-HR\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\no\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\sr-Latn-RS\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\ar\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\sr-Cyrl-RS\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\sr-Latn-RS\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\nl\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\ja\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\se-FI\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\th-TH\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI65C2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\bs-Latn-BA\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\it\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\sv\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\de\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\da\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\Logging.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\de\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\pt\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\ja\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\pt\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\Setup.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\es\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\sr-Latn-RS\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\nl\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\se-FI\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\ComponentFactory.Krypton.Toolkit.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\se-FI\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\ar\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\hr-HR\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Helper.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\Helper.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\Microsoft.Win32.TaskScheduler.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\th-TH\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI5FAF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\hr-HR\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\bo.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\it\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\ru\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\bs-Cyrl-BA\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\nl\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\hr-HR\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\fr\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\ComponentFactory.Krypton.Toolkit.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\es\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI5FFE.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\tr-TR\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\ja\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\nl\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\ar\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\es\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\fil-PH\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\bs-Cyrl-BA\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\sr-Cyrl-RS\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\Uninst000.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\nl\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\tr-TR\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\bs-Cyrl-BA\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI601F.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\he\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\es\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\sr-Cyrl-RS\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\se-FI\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI70B0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\ar\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\pt\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\es\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\th-TH\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\updater.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\it\Splash.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\ar\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Interop.IWshRuntimeLibrary.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\bs-Cyrl-BA\Splash.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI60DD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\pt\Uninst000.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\fil-PH\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\sv\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\pt\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\CPU Guardian\fr\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\he\Uninst000.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\sr-Latn-RS\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\fr\CPUGuardian.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\no\Splash.resources.dll	Jump to dropped file

Found evaded block containing many API calls

Source: C:\Users\user\Desktop\074kFuPFv8.exe

Evaded block: after key decision

graph_0-113227

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\Users\user\Desktop\074kFuPFv8.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_0-111657

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\074kFuPFv8.exe

API coverage: 6.1 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -30437127721620741s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -599874s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -599546s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -599433s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -599315s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -599187s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -598940s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -598814s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -598333s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -598218s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -597978s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -597874s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -597765s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -597629s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -597515s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -597404s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -597296s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -597187s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -597077s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -596964s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -596859s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -596750s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -596640s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -596531s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -596421s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -596312s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -596203s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -596093s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -595984s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -595857s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -595750s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -595640s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -595531s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -595421s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -595312s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -595202s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -595089s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -594976s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -594841s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -594721s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -594573s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -593962s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -593859s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -593749s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 7924	Thread sleep time: -593640s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe TID: 7768	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe TID: 6016	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 8068	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe TID: 8072	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe TID: 1188	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe TID: 4048	Thread sleep time: -922337203685477s >= -30000s

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\074kFuPFv8.exe	File Volume queried: C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002ACFAA FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindClose,FindClose,	0_2_002ACFAA
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002A9090 __recalloc,_memset,FindFirstFileW,FindClose,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,	0_2_002A9090
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002AD1CC FindFirstFileW,FindClose,FindClose,	0_2_002AD1CC
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_00299410 FindFirstFileW,FindClose,FindClose,	0_2_00299410
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002A9A11 _memset,FindFirstFileW,FindClose,	0_2_002A9A11
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_00298750 _memset,FindFirstFileW,FindClose,FindFirstFileW,FindClose,FindClose,FindClose,FindClose,FindClose,	0_2_00298750
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002B886D FindFirstFileW,FindClose,FindClose,	0_2_002B886D
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_00298A30 _wcslen,_memset,FindFirstFileW,FindClose,FindNextFileW,_memcpy_s,_wcslen,FindNextFileW,RemoveDirectoryW,_wcslen,FindNextFileW,DeleteFileW,	0_2_00298A30
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002BD9FD FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindNextFileW,FindClose,	0_2_002BD9FD
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_0029E320 FindClose,FindResourceW,_wcslen,_memcpy_s,FindFirstFileW,_wcslen,GetFullPathNameW,GetFullPathNameW,GetFullPathNameW,_wcsnlen,FindClose,SetLastError,_wcsrchr,_wcsrchr,_wcsnlen,	0_2_0029E320
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002AB89C FindFirstFileW,FindClose,FindClose,	0_2_002AB89C
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002A7A7F FindFirstFileW,FindClose,	0_2_002A7A7F
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002C7D7A GetWindowsDirectoryW,lstrcmpW,lstrlenW,FindFirstFileW,lstrlenW,DeleteFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_002C7D7A

Source: C:\Users\user\Desktop\074kFuPFv8.exe

Code function: 0_2_00298E90 _wcsrchr,RemoveDirectoryW,GetLogicalDriveStringsW,GetDriveTypeW,FindResourceW,_wcslen,_memcpy_s,_wcslen,__recalloc,

0_2_00298E90

Source: C:\Users\user\Desktop\074kFuPFv8.exe

Code function: 0_2_002824D3 __EH_prolog3_GS,LoadLibraryW,GetProcAddress,GetProcAddress,GetCurrentProcess,GetProcAddress,GetSystemInfo,GetSystemInfo,

0_2_002824D3

Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 599433	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 599315	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 599187	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 598940	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 598814	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 598333	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 597978	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 597874	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 597629	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 597404	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 597296	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 597077	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 596964	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 596640	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 596421	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 596093	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 595857	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 595640	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 595421	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 595202	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 595089	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 594976	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 594841	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 594721	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 594573	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 593962	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 593859	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 593749	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 593640	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Thread delayed: delay time: 922337203685477

Source: CPUGuardian.exe, 0000000A.00000002.4153564323.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: InstAct.exe, 0000000B.00000002.2405600010.0000000005ADD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllj
Source: CPUGuardian.exe, 0000000A.00000002.4166994161.0000000008760000.00000004.00000020.00020000.00000000.sdmp, InstAct.exe, 00000013.00000002.2417478165.00000000010A9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\074kFuPFv8.exe

API call chain: ExitProcess graph end node

graph_0-112076

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe

Code function: 10_2_028ED2B0 LdrInitializeThunk,

10_2_028ED2B0

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\074kFuPFv8.exe

Code function: 0_2_002F5574 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_002F5574

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\074kFuPFv8.exe

Code function: 0_2_002C09E1 LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_002C09E1

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\074kFuPFv8.exe

Code function: 0_2_002F2E50 GetProcessHeap,HeapAlloc,RtlInterlockedPopEntrySList,VirtualAlloc,RtlInterlockedPopEntrySList,VirtualFree,RtlInterlockedPushEntrySList,

0_2_002F2E50

Enables debug privileges

Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Process token adjusted: Debug

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe "C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe" true

Jump to behavior

Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_00293900 SetUnhandledExceptionFilter,	0_2_00293900
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002FC4DB __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_002FC4DB
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002F5574 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_002F5574
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002F5CB7 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_002F5CB7
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_002F3713 _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_002F3713
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: 0_2_00293880 SetUnhandledExceptionFilter,	0_2_00293880

Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C "C:\Users\user\AppData\Local\Temp\{C7F8B9FC-A653-4074-A59A-3A17D9B805FE}.bat"			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C "C:\Users\user\AppData\Local\Temp\{C7F8B9FC-A653-4074-A59A-3A17D9B805FE}.bat"			Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\Desktop\074kFuPFv8.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\cpu guardian\cpu guardian 2.6.1\install\1652f6d\cpuguardian.msi" /qn ai_setupexepath=c:\users\user\desktop\074kfupfv8.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /exelang 0 /noprereqs "
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\cpu guardian\cpu guardian 2.6.1\install\1652f6d\cpuguardian.msi" /qn ai_setupexepath=c:\users\user\desktop\074kfupfv8.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /exelang 0 /noprereqs "			Jump to behavior

Source: C:\Users\user\Desktop\074kFuPFv8.exe

Code function: 0_2_002C08EA LocalFree,LocalFree,GetSecurityDescriptorDacl,GetLastError,RaiseException,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,GetLastError,LocalFree,SetSecurityDescriptorDacl,

0_2_002C08EA

Source: C:\Users\user\Desktop\074kFuPFv8.exe

Code function: 0_2_002ABAD2 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,CloseHandle,GetLastError,CloseHandle,

0_2_002ABAD2

Language, Device and Operating System Detection

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	0_2_0030C5D5
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,	0_2_003007BA
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: GetLocaleInfoA,	0_2_002FD2DF
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	0_2_002FD5B1
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: GetLocaleInfoA,	0_2_00309BFE
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	0_2_0030645F
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: SendMessageW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_002BE60A
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: SendMessageW,GetLocaleInfoA,_memset,GetLocaleInfoA,	0_2_002BE64E
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_002AA93E
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,	0_2_00306ACD
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,	0_2_00306D25
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,	0_2_0030AEA5
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,	0_2_0030AED9
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_0030B018
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	0_2_00307179
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	0_2_00307290
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	0_2_00307328
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	0_2_0030739C
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	0_2_0030756E
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_0030762F
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_00307696
Source: C:\Users\user\Desktop\074kFuPFv8.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,	0_2_003076D2

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Program Files (x86)\CPU Guardian\Logging.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Program Files (x86)\CPU Guardian\Helper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Program Files (x86)\CPU Guardian\ComponentFactory.Krypton.Toolkit.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Program Files (x86)\CPU Guardian\bo.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Program Files (x86)\CPU Guardian\Microsoft.Win32.TaskScheduler.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Program Files (x86)\CPU Guardian\Interop.Shell32.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Queries volume information: C:\Program Files (x86)\CPU Guardian\InstAct.exe VolumeInformation
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Queries volume information: C:\Program Files (x86)\CPU Guardian\Helper.dll VolumeInformation
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Queries volume information: C:\Program Files (x86)\CPU Guardian\Setup.dll VolumeInformation
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe VolumeInformation
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Program Files (x86)\CPU Guardian\Logging.dll VolumeInformation
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Program Files (x86)\CPU Guardian\Helper.dll VolumeInformation
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Program Files (x86)\CPU Guardian\Setup.dll VolumeInformation
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Program Files (x86)\CPU Guardian\ComponentFactory.Krypton.Toolkit.dll VolumeInformation
Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Queries volume information: C:\Program Files (x86)\CPU Guardian\InstAct.exe VolumeInformation
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Queries volume information: C:\Program Files (x86)\CPU Guardian\Helper.dll VolumeInformation
Source: C:\Program Files (x86)\CPU Guardian\InstAct.exe	Queries volume information: C:\Program Files (x86)\CPU Guardian\Setup.dll VolumeInformation

Source: C:\Users\user\Desktop\074kFuPFv8.exe

Code function: 0_2_002BC8F4 CreateNamedPipeW,CreateFileW,

0_2_002BC8F4

Source: C:\Users\user\Desktop\074kFuPFv8.exe

Code function: 0_2_002F8CB9 GetSystemTimeAsFileTime,__aulldiv,

0_2_002F8CB9

Source: C:\Users\user\Desktop\074kFuPFv8.exe

Code function: 0_2_002BEE4F GetUserNameExW,GetUserNameExW,

0_2_002BEE4F

Source: C:\Users\user\Desktop\074kFuPFv8.exe

0_2_002BFF6F

Source: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Adds / modifies Windows certificates

Source: C:\Windows\System32\msiexec.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 Blob

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	1 Replication Through Removable Media	121 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	21 Disable or Modify Tools	21 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	3 Native API	1 DLL Side-Loading	1 DLL Search Order Hijacking	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	21 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	1 DLL Search Order Hijacking	1 Access Token Manipulation	2 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	2 Clipboard Data	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	1 Windows Service	1 Windows Service	1 DLL Side-Loading	NTDS	4 File and Directory Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 Service Execution	1 Scheduled Task/Job	12 Process Injection	1 DLL Search Order Hijacking	LSA Secrets	138 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 File Deletion	Cached Domain Credentials	1 Query Registry	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Registry Run Keys / Startup Folder	22 Masquerading	DCSync	331 Security Software Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	251 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	251 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	2 Process Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	1 Application Window Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	12 Process Injection	Input Capture	1 System Owner/User Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Hidden Files and Directories	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
074kFuPFv8.exe	39%	ReversingLabs	Win32.PUA.CPUGuardian

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe	33%	ReversingLabs	Win32.PUA.CPUGuardian
C:\Program Files (x86)\CPU Guardian\ComponentFactory.Krypton.Toolkit.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\Helper.dll	5%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\InstAct.exe	17%	ReversingLabs	Win32.PUA.Creprote
C:\Program Files (x86)\CPU Guardian\Interop.IWshRuntimeLibrary.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\Interop.Shell32.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\Logging.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\Microsoft.Deployment.WindowsInstaller.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\Microsoft.Win32.TaskScheduler.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\Setup.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\Splash.exe	29%	ReversingLabs	Win32.PUA.Creprote
C:\Program Files (x86)\CPU Guardian\Uninst000.CA.dll	8%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\Uninst000.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\ar\CPUGuardian.resources.dll	4%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\ar\Splash.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\ar\Uninst000.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\bo.dll	4%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\bs-Cyrl-BA\CPUGuardian.resources.dll	5%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\bs-Cyrl-BA\Splash.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\bs-Cyrl-BA\Uninst000.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\bs-Latn-BA\CPUGuardian.resources.dll	4%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\bs-Latn-BA\Splash.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\bs-Latn-BA\Uninst000.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\da\CPUGuardian.resources.dll	4%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\da\Splash.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\da\Uninst000.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\de\CPUGuardian.resources.dll	4%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\de\Splash.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\de\Uninst000.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\es\CPUGuardian.resources.dll	4%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\es\Splash.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\es\Uninst000.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\fil-PH\CPUGuardian.resources.dll	5%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\fil-PH\Splash.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\fil-PH\Uninst000.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\fr\CPUGuardian.resources.dll	4%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\fr\Splash.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\fr\Uninst000.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\he\CPUGuardian.resources.dll	4%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\he\Splash.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\he\Uninst000.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\hr-HR\CPUGuardian.resources.dll	4%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\hr-HR\Splash.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\hr-HR\Uninst000.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\it\CPUGuardian.resources.dll	4%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\it\Splash.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\it\Uninst000.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\ja\CPUGuardian.resources.dll	5%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\ja\Splash.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\ja\Uninst000.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\nl\CPUGuardian.resources.dll	4%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\nl\Splash.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\nl\Uninst000.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\no\CPUGuardian.resources.dll	5%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\no\Splash.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\no\Uninst000.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\pt\CPUGuardian.resources.dll	4%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\pt\Splash.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\pt\Uninst000.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\ru\CPUGuardian.resources.dll	5%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\ru\Splash.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\ru\Uninst000.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\se-FI\CPUGuardian.resources.dll	4%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\se-FI\Splash.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\se-FI\Uninst000.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\sr-Cyrl-RS\CPUGuardian.resources.dll	5%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\sr-Cyrl-RS\Splash.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\sr-Cyrl-RS\Uninst000.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\sr-Latn-RS\CPUGuardian.resources.dll	4%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\sr-Latn-RS\Splash.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\sr-Latn-RS\Uninst000.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\sv\CPUGuardian.resources.dll	4%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\sv\Splash.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\sv\Uninst000.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\th-TH\CPUGuardian.resources.dll	4%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\th-TH\Splash.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\th-TH\Uninst000.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\tr-TR\CPUGuardian.resources.dll	5%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\tr-TR\Splash.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\tr-TR\Uninst000.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\CPU Guardian\updater.exe	27%	ReversingLabs	Win32.PUA.CPUGuardian
C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\CPUGuardian.exe	33%	ReversingLabs	Win32.PUA.CPUGuardian
C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\ComponentFactory.Krypton.Toolkit.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Helper.dll	5%	ReversingLabs
C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\InstAct.exe	17%	ReversingLabs	Win32.PUA.Creprote
C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Interop.IWshRuntimeLibrary.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Interop.Shell32.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Logging.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Microsoft.Deployment.WindowsInstaller.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Microsoft.Win32.TaskScheduler.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Setup.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Splash.exe	29%	ReversingLabs	Win32.PUA.Creprote

Source	Detection	Scanner	Label
http://www.fontbureau.com	0%	URL Reputation	safe
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.symauth.com/cps0(	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
http://www.symauth.com/rpa00	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
label.shieldapps.biz	149.210.147.77	true	false		unknown
s3.amazonaws.com	52.216.184.133	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://label.shieldapps.biz/callback/bo.php	false		unknown
http://s3.amazonaws.com/guardian-cdn/tip.jpg	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com	CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://safecart.com/cpuguardian/.cpu-guardian-35	CPUGuardian.exe, 0000000A.00000002.4154911978.0000000002B66000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.founder.com.cn/cn/bThe	CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	CPUGuardian.exe, 0000000A.00000002.4154911978.0000000002B66000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.thawte.com0	074kFuPFv8.exe, Splash.exe.0.dr, MSI608E.tmp.2.dr, MSI601F.tmp.2.dr, MSI5FAF.tmp.2.dr, updater.exe.2.dr, CPUGuardian.msi.0.dr, 5d5e38.msi.2.dr, MSI63DD.tmp.2.dr, CPUGuardian.exe.2.dr, decoder.dll.0.dr, Splash.exe.2.dr, MSI5FFE.tmp.2.dr	false	URL Reputation: safe	unknown
http://label.shieldapps.biz	InstAct.exe, 0000000B.00000002.2403620172.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, InstAct.exe, 0000000B.00000002.2403620172.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp, InstAct.exe, 00000013.00000002.2418595283.0000000002F03000.00000004.00000800.00020000.00000000.sdmp, InstAct.exe, 00000013.00000002.2418595283.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v	074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005E43000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.0.dr, Microsoft.Deployment.WindowsInstaller.dll.2.dr	false		unknown
http://www.advancedinstaller.com0	074kFuPFv8.exe, MSI608E.tmp.2.dr, MSI601F.tmp.2.dr, MSI5FAF.tmp.2.dr, CPUGuardian.msi.0.dr, 5d5e38.msi.2.dr, MSI63DD.tmp.2.dr, decoder.dll.0.dr, MSI5FFE.tmp.2.dr	false		unknown
http://www.tiro.com	CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://wixtoolset.org/news/	074kFuPFv8.exe, 00000000.00000003.1712561481.0000000005E43000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.0.dr, Microsoft.Deployment.WindowsInstaller.dll.2.dr	false		unknown
http://www.goodfont.co.kr	CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.symauth.com/cps0(	074kFuPFv8.exe, Splash.exe.0.dr, updater.exe.2.dr, CPUGuardian.msi.0.dr, 5d5e38.msi.2.dr, CPUGuardian.exe.2.dr, Splash.exe.2.dr	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://cs-g2-crl.thawte.com/ThawteCSG2.crl0	074kFuPFv8.exe, MSI608E.tmp.2.dr, MSI601F.tmp.2.dr, MSI5FAF.tmp.2.dr, CPUGuardian.msi.0.dr, 5d5e38.msi.2.dr, MSI63DD.tmp.2.dr, decoder.dll.0.dr, MSI5FFE.tmp.2.dr	false		unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	074kFuPFv8.exe, Splash.exe.0.dr, updater.exe.2.dr, CPUGuardian.msi.0.dr, 5d5e38.msi.2.dr, CPUGuardian.exe.2.dr, Splash.exe.2.dr	false	URL Reputation: safe	unknown
http://s3.amazonaws.com/guardian-cdn/tip2.jpg	CPUGuardian.exe, 0000000A.00000002.4154911978.0000000002B66000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://crl.thawte.com/ThawtePCA.crl0	074kFuPFv8.exe, MSI608E.tmp.2.dr, MSI601F.tmp.2.dr, MSI5FAF.tmp.2.dr, CPUGuardian.msi.0.dr, 5d5e38.msi.2.dr, MSI63DD.tmp.2.dr, decoder.dll.0.dr, MSI5FFE.tmp.2.dr	false		unknown
http://www.symauth.com/rpa00	074kFuPFv8.exe, Splash.exe.0.dr, updater.exe.2.dr, CPUGuardian.msi.0.dr, 5d5e38.msi.2.dr, CPUGuardian.exe.2.dr, Splash.exe.2.dr	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://setup.shieldapps.biz/registry/cpuguardian/s/updates.txt	updater.ini.2.dr	false		unknown
http://www.fonts.com	CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	CPUGuardian.exe, 0000000A.00000002.4154911978.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, InstAct.exe, 0000000B.00000002.2403620172.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp, InstAct.exe, 00000013.00000002.2418595283.0000000002EF0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	CPUGuardian.exe, 0000000A.00000002.4163515825.0000000007982000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
52.216.184.133	s3.amazonaws.com	United States		16509	AMAZON-02US	false
149.210.147.77	label.shieldapps.biz	Netherlands		20857	TRANSIP-ASAmsterdamtheNetherlandsNL	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545581
Start date and time:	2024-10-30 17:35:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	074kFuPFv8.exe renamed because original name is a hash value
Original Sample Name:	9c1129a7ffa519f670ca67fdec455f2b39a54b00745d06012cccef6e4b5f2ce1.exe
Detection:	MAL
Classification:	mal40.evad.winEXE@21/229@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 116 Number of non-executed functions: 351
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: 074kFuPFv8.exe

Simulations

Behavior and APIs

Time	Type	Description
12:36:09	API Interceptor	3410426x Sleep call for process: CPUGuardian.exe modified
12:37:13	API Interceptor	2x Sleep call for process: InstAct.exe modified
16:36:11	Task Scheduler	Run new task: CPUGuardian_Start path: C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe s>true

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s3.amazonaws.com	weekly-finances-report.xlsx	Get hash	malicious	KnowBe4	Browse	52.216.77.118
	weekly-finances-report.xlsx	Get hash	malicious	KnowBe4	Browse	16.15.176.94
	https://token.onelogin.com-token-auth.com/XaFNXZmZxdFUzWDFPWVFxY2lia3BpYkY4UHdlcTNmZStWYjZidGFaMXFldkJJUk9VdmZTZVQxRk5QbVBlVFlJNGttbUlHcmViUysvaGcrWmRnbmwxLzZ6c0MrRWdVcEg1bHZtYnc4c2czNVlSUlhtdnRPc0gwWS9mZ3R4QTltZUZjdWZRZ1kvZmk0N2huS054TUFZUHJyNk4rNHcrNElWbjI0NWlrN2puRlNtYkx0ZzVhWExWcmpZbmt3PT0tLTFCMXhxTFNKS2ZOU3lIZTItLWtCRWhkMzBFQWZwNE0yN1QwM3BCT1E9PQ==?cid=2262276963	Get hash	malicious	KnowBe4	Browse	52.216.218.136
	https://token.onelogin.com-token-auth.com/Xa0Y1MmVibVhmY0E5dnlabzhVK2w2MVo4bXZUM3RzTFBZU1FSUEYxRHlzb29tODRTUDQ4alBDR3Y1cWUvN1JvVzhtWGVkaHFaSG0rOVpUTVV1VjY2a3MvZDB6TktwTHhsRk9xdzQwQjV6YjIvcnA5MjFsaFJEamtNdXI5UXQ1Qm9lK0ZsZFd0TXI0R2JWWlVYeFFXa2pBaXZOKzR2QXRkUTd3dlBLNzUrQ1RweERVMmQ5ZHQwdjlKZ2dlS2tEVUF5UEE9PS0tdFFWWndQdklZQXNodTY1US0tUXAyU1llVHhDaXRTRjU1OVNWMXFNdz09?cid=2262276963	Get hash	malicious	KnowBe4	Browse	54.231.236.168

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TRANSIP-ASAmsterdamtheNetherlandsNL	6fLnWSoXXD.elf	Get hash	malicious	Mirai	Browse	95.170.75.171
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	136.144.215.32
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	37.97.214.146
	bnrKk80Fa9.elf	Get hash	malicious	Mirai	Browse	95.170.75.159
	na.elf	Get hash	malicious	Mirai	Browse	95.170.75.159
	fBcMVl6ns6.lnk	Get hash	malicious	RHADAMANTHYS	Browse	37.97.185.116
	rpQF1aDIK4.lnk	Get hash	malicious	RHADAMANTHYS	Browse	37.97.185.116
	test.ps1	Get hash	malicious	RHADAMANTHYS	Browse	37.97.185.116
	path.ps1	Get hash	malicious	DcRat	Browse	37.97.185.116
	f8fKadLyb4.elf	Get hash	malicious	Mirai	Browse	95.170.75.156
AMAZON-02US	https://wetransfer.com/downloads/bd15c1f671ae60c5a56e558eb8cc43bf20241030150256/3b30cd5b9ce1ffb29d79c9118153941c20241030150256/70baef?t_exp=1730559776&t_lsid=6bd545a9-d09b-4abd-a317-124dbe9fe64d&t_network=email&t_rid=YXV0aDB8NjZlYWI0YTExODhmYzc1OGMzMmNiODIx&t_s=download_link&t_ts=1730300576&utm_campaign=TRN_TDL_01&utm	Get hash	malicious	HTMLPhisher	Browse	54.170.178.201
	https://register.edx.org/verizon?&utm_source=vsf_e_paid-ggl-ubrnd&utm_medium=cpc&utm_campaign=GGL%7CEDX%7CAI%7CVSF%7CSEM%7CNBD%7CUS&gad_source=1&gclid=Cj0KCQjwj4K5BhDYARIsAD1Ly2pyzBeRgn77ojfsMTtg7r8SaT93hKq6Ob_f1zsDj7Kj8dy-Mn9a7tMaAng3EALw_wcB&_gl=11dphwek_gcl_awR0NMLjE3MzAyMTU4NDAuQ2owS0NRandqNEs1QmhEWUFSSXNBRDFMeTJweXpCZVJnbjc3b2pmc01UdGc3cjhTYVQ5M2hLcTZPYl9mMXpzRGo3S2o4ZHktTW45YTd0TWFBbmczRUFMd193Y0I._gcl_auMzQxNzQzMjE1LjE3MzAyMTU4Mzg._gaMTE0OTEyNzE2Ni4xNzMwMjE1ODM5_ga_D3KS4KMDT0*MTczMDIxNTgzOS4xLjAuMTczMDIxNTgzOS42MC4wLjA	Get hash	malicious	Unknown	Browse	108.138.7.126
	https://register.edx.org/verizon?&utm_source=vsf_e_paid-ggl-ubrnd&utm_medium=cpc&utm_campaign=GGL%7CEDX%7CAI%7CVSF%7CSEM%7CNBD%7CUS&gad_source=1&gclid=Cj0KCQjwj4K5BhDYARIsAD1Ly2pyzBeRgn77ojfsMTtg7r8SaT93hKq6Ob_f1zsDj7Kj8dy-Mn9a7tMaAng3EALw_wcB&_gl=11dphwek_gcl_awR0NMLjE3MzAyMTU4NDAuQ2owS0NRandqNEs1QmhEWUFSSXNBRDFMeTJweXpCZVJnbjc3b2pmc01UdGc3cjhTYVQ5M2hLcTZPYl9mMXpzRGo3S2o4ZHktTW45YTd0TWFBbmczRUFMd193Y0I._gcl_auMzQxNzQzMjE1LjE3MzAyMTU4Mzg._gaMTE0OTEyNzE2Ni4xNzMwMjE1ODM5_ga_D3KS4KMDT0*MTczMDIxNTgzOS4xLjAuMTczMDIxNTgzOS42MC4wLjA	Get hash	malicious	Unknown	Browse	143.204.215.119
	https://jpm-ghana-2024-election-conversation-with-oct-24.open-exchange.net/join-the-call?ml_access_token=eyJjb250ZW50Ijp7ImV4cGlyYXRpb25EYXRlIjoiMjAyNC0xMC0zMVQxNToyMDo1OS4wMDZaIiwiZW1haWwiOiJyZGVpdHpAdnItY2FwaXRhbC5jb20iLCJldmVudElkIjo0MjY3Mn0sInNpZ25hdHVyZSI6Ik1FVUNJQzhaMDJJblVZd0syUk9WRkdjL1pMNHRBbWo4RmwxdW9mQjhwZzRmSjZsMkFpRUE5d25HUFFoa3ZrdkM2MlJkQ3lkM09YbnFJZ0xlQTAwMDIxNlRWbG9Hb0ZjPSJ9	Get hash	malicious	Unknown	Browse	18.245.60.47
	chica-pc-shield-1-75-0-1300-en-win.exe	Get hash	malicious	GhostRat, Xtreme RAT	Browse	65.9.66.84
	https://www.mediafire.com/file/oyfycncwen0a3ue/DSP_Plan_Set.zip/file	Get hash	malicious	Unknown	Browse	18.245.46.34
	chica-pc-shield-1-75-0-1300-en-win.exe	Get hash	malicious	GhostRat, KillMBR, Xtreme RAT	Browse	65.9.66.107
	Complete with Docusign_ Remittance Advice .pdf(1).eml	Get hash	malicious	HTMLPhisher	Browse	52.42.45.237
	Receipt.htm	Get hash	malicious	Unknown	Browse	18.245.86.57
	weekly-finances-report.xlsx	Get hash	malicious	KnowBe4	Browse	52.216.77.118

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Program Files (x86)\CPU Guardian\ComponentFactory.Krypton.Toolkit.dll	PmRXFyOFkf.exe	Get hash	malicious	GuLoader	Browse
	PmRXFyOFkf.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\$Recycle.Bin\S-1-5-18\desktop.ini

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Windows desktop.ini
Category:	modified
Size (bytes):	129
Entropy (8bit):	5.323600488446077
Encrypted:	false
SSDEEP:	3:0NdQDjoqxyRVIQBU+1IVLfAPmBACaWZcy/FbBmedyn:0NwoSyzI2U8MAPVCawbBmeUn
MD5:	A526B9E7C716B3489D8CC062FBCE4005
SHA1:	2DF502A944FF721241BE20A9E449D2ACD07E0312
SHA-256:	E1B9CE9B57957B1A0607A72A057D6B7A9B34EA60F3F8AA8F38A3AF979BD23066
SHA-512:	D83D4C656C96C3D1809AD06CE78FA09A77781461C99109E4B81D1A186FC533A7E72D65A4CB7EDF689EECCDA8F687A13D3276F1111A1E72F7C3CD92A49BCE0F88
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[.ShellClassInfo]..CLSID={645FF040-5081-101B-9F08-00AA002F954E}..LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-8964..

C:\Config.Msi\5d5e3a.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	749746
Entropy (8bit):	6.452082417882415
Encrypted:	false
SSDEEP:	12288:Wx1TbeXSAPKfRFjJGzfC48AF9M9N7x1TbeXSAPKfRFjJGzfC48AF9M9NG:61e+P48AFO3V1e+P48AFO3G
MD5:	CBA9B750C2FE8E115F15A62BFC1C0376
SHA1:	1272352A22244EDE6DBE8F2ADFB414F6866877E1
SHA-256:	FF8166D4252A17AEA57611B5E12AD64A0C2103C2723739EF1971AFFF773E045B
SHA-512:	8452E565D269594913F228F8D0A20F051AE059C43CB9815836AA7D9F657435E0D47F4D83AF00DB269A3DE94EA0ADBD016067595553005B89CEF8A8F3EE98F71F
Malicious:	false
Preview:	...@IXOS.@.....@.d^Y.@.....@.....@.....@.....@.....@......&.{87D8CFC2-0E35-4BF0-81BC-C5B3D1652F6D}..CPU Guardian..CPUGuardian.msi.@.....@.....@.....@......icon.exe..&.{19B047E6-8562-4C6B-BBED-1F83ED1824A4}.....@.....@.....@.....@.......@.....@.....@.......@......CPU Guardian......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{31AB0EED-1171-4593-AD2E-1D31853E0B71}&.{87D8CFC2-0E35-4BF0-81BC-C5B3D1652F6D}.@......&.{DAB8DBA0-9416-436D-B2ED-548B19EF9B44}&.{87D8CFC2-0E35-4BF0-81BC-C5B3D1652F6D}.@......&.{17FC9C22-6536-47E6-8A6F-DD16BDEC0D43}&.{87D8CFC2-0E35-4BF0-81BC-C5B3D1652F6D}.@......&.{C585207B-9A0F-4AFF-A563-71089EE2354B}&.{87D8CFC2-0E35-4BF0-81BC-C5B3D1652F6D}.@......&.{63FF3E86-9EC6-4432-9949-B57EE8A72C19}&.{87D8CFC2-0E35-4BF0-81BC-C5B3D1652F6D}.@......&.{D4774DFE-7BF5-45FC-8ACA-40E55DD379F6}&.{87D8CFC2-0E35-4BF0-81BC-C5B3D1652F6D}.@......&.{EE926B0C-13EA-4FDC-A9F9-D4A7EBC40DD5}&.{87D8CFC2-

C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5139432
Entropy (8bit):	6.361730150038723
Encrypted:	false
SSDEEP:	98304:1j71i71W71A71f71v71v71J71v71v71J71v71v71v71Z+y+pcemEIl02Tsp6bwK6:1jQsCdddTddTdddv+y0cemEIl02K6bwV
MD5:	E6401E23BAC056176D4A2497DA0F9767
SHA1:	0CC148FDA90567EB03080647AF914C702FC7266F
SHA-256:	D36125C54BA2DF1822F95597323573A8028CD259B1D11C457D538744FB9476EF
SHA-512:	73E2EFE47CAD7F19B64E5787FC7770B1E4089A1709F3F6CB1FC19DA14C755C591A86001C17694B9ADEC69580D1622DD4F366B64ED477AD1137200B2EF70DB232
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 33%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...U.0U..................L...........L.. ....L...@.. ........................N.......N...@.................................T.L.W.....L.8............TN.......N.......L.............................................. ............... ..H............text.....L.. ....L................. ..`.rsrc...8.....L.......L.............@..@.reloc........N......RN.............@..B..................L.....H.........H.\\..............0.D..........................................0...........(.....(.....{....(/...o.....{....r...p(....(....-.(q...+.(p...(....(....o.....{....(+...(....-.(-...+.(,...(....(....o.....{....()...(....(....o....(....r...p(....,=.{....r#..p.........((......(.......(.......(......(....o....(....rC..p(....,<.{....(..........(....rI..p(..........(....rQ..p( ...o....+..{....(*...(....(....(....o.....{.....o!....{.....o!....{.....("......(#....[.{....o$......(

C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe.config

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5510
Entropy (8bit):	4.20288350069814
Encrypted:	false
SSDEEP:	96:YrDNI7+nXn+hnQn/nTnkncnInCn0VnAn9nonanL0ntnyAnincn6nFnUznenuAnrD:Yr5Tku
MD5:	9A2B1FC6B00891288A905A7788D45E95
SHA1:	090EF58AE8284126D46D715CF61F4336432CF944
SHA-256:	5FD381FD5E214938A7E541C1423D291C98E815796F066ECD3CCDBBA9F9B4C19A
SHA-512:	43F398D7FE232C0568552EE7A1AA5C825EF523087B9D02016AC746867268A8C5D1ABBABC0E7A62E7D21C58D55F1FDEBE218A7F4F4348A972531BF35076489486
Malicious:	true
Preview:	<?xml version="1.0"?>..<configuration>.. <configSections>.. <sectionGroup name="userSettings" type="System.Configuration.UserSettingsGroup, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">.. <section name="RegCleaner.Properties.Settings" type="System.Configuration.ClientSettingsSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" allowExeDefinition="MachineToLocalUser" requirePermission="false"/>.. </sectionGroup>.. </configSections>.. <userSettings>.. <RegCleaner.Properties.Settings>.. <setting name="LastScan" serializeAs="String">.. <value/>.. </setting>.. <setting name="CreateRestore" serializeAs="String">.. <value>True</value>.. </setting>.. <setting name="WriteLog" serializeAs="String">.. <value>True</value>.. </setting>.. <setting name="VirtualDevices" serializeA

C:\Program Files (x86)\CPU Guardian\ComponentFactory.Krypton.Toolkit.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2667520
Entropy (8bit):	6.021972030667934
Encrypted:	false
SSDEEP:	24576:lNnJox6yr8nN03BI9abUCAqS8yLzdnOKaWw//emX17WLwlt6t9fnjNiBqUb:lNnM8nyI9lzdnOKaWw//BWMlt6tLiH
MD5:	4AA46ECABD3073852F3A778D28D9EDAE
SHA1:	0011708B8549BFBCBE0596C7A9459D61B072D16F
SHA-256:	956AD7E5C070EE129E70A3E7F5D44038D5BB43ADE2D24B5119A0F0E763E6A8A9
SHA-512:	08C025D77FC5E1936B2DD695DEA1D4533E3F98E84861CCF5A72DA1F63152CC3B10A603C5D8490FC29FF76C79B46D399AC6E443FAA52036BD05A130D287A10A45
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: PmRXFyOFkf.exe, Detection: malicious, Browse Filename: PmRXFyOFkf.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...nO.O...........!.....$'..........C'.. ...`'...@.. ....................... ).....D.(...@.................................pC'.K....`'.......................)......B'.............................................. ............... ..H............text....#'.. ...$'................. ..`.rsrc........`'......&'.............@..@.reloc........).......(.............@..B.................C'.....H.......$.......................P .........................................Z-...[t..<C....8..f...........(..;.m)..4.7..3.I....Fz..7.. .+..U.aV..X..B..{..{.<.\|<.I.7L.t]..}.<....9.`m..U^v....hJ.("....(.+..}......{......0...........-.r...ps&...z.-.r...ps&...z.-.r...ps&...z.o'...-.(#?..s(..... .@..o).....3...o).........E................+'......+..o...+...o...+.......+..o.........E..../.......&...............+4..o+...++..o+...+"..o+...+...o+...+...o+...+...o+......

C:\Program Files (x86)\CPU Guardian\Helper.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	59904
Entropy (8bit):	6.084840805171319
Encrypted:	false
SSDEEP:	768:e+o0nKWkPuH93+yB+BrKGLi06y/MEPDdl2Kbs3AY5O:eEAPuAnTLi9oMSbswgO
MD5:	2880C4ECCDBCE5491AC23D9AC5B45C79
SHA1:	CE9376A66620E9E55B2B45B1DFE439B4989A3362
SHA-256:	23D1CFBB1B628CFB8EAD4C452CEF6135B1C3053EE6E41F5CFBB66AB49A6D783B
SHA-512:	887531D74311FB83FBE82AF1FD4BC0281F1B5A5D29A2BCCFE77A3E855AD2539F61BBD2DAFDEA14DD44C317B00CB569A2A9DDAC1C4F9A9F1367377F100FB35313
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B.0U...........!..................... ... ....@.. .......................`..................................................W....@....................... ....................................................... ............... ..H............text........ ...................... ..`.reloc....... ......................@..B.rsrc........@......................@..@........................H.......D...l\.............x............................................0.._....... ..... ..k...Y. }ib...a.as...............s........Y.....o..... ...J..Y.Yfeffefefefe.. ...8X.Xfefeffefefea..,..o....+.....,.. ......Y.Yfefeffeefa...,...o....+.......w...(....3!.~....`...... .y.K..X.X..Xa.8......-$... 6..\a.afefeffeefa.~.....`.....+Y..o.........(....o....... ..H...Y.Xa.~.....`.....+&..~....`........ h.\a.afefeffeef..Ya..~....X.....*..0.............. .......i.8x.....b%. ....3..

C:\Program Files (x86)\CPU Guardian\Helper.dll.config

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	227
Entropy (8bit):	4.937998208562116
Encrypted:	false
SSDEEP:	6:JiMVBdTtdcIjkfVymRMT4/0xvFM7VEk7VNQA5DuACQIT:MMHdRd9ofVymhsvFfSz5D9CxT
MD5:	2B501716C1274B0B35543316B410D60C
SHA1:	69E370E1522EAB2F66FF11238984A3F288EB7A9E
SHA-256:	B4DAA280754F634F0C289EB06538AD00D6F6BFF81D48450BFC5D56463B04D382
SHA-512:	E38523EABE64E4B17CB6D45DF7726BDD5B40EFC341EF765B56C0B82197581819EDEC105204D3785BF0F5865CFAA81A23AB03E54B0C2242D1EAA25575254DA936
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8" ?>.<configuration>. <startup useLegacyV2RuntimeActivationPolicy="true">. <supportedRuntime version="v4.0" />. <supportedRuntime version="v2.0.50727"/>. </startup>.</configuration>

C:\Program Files (x86)\CPU Guardian\InstAct.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	16360
Entropy (8bit):	6.129129659339863
Encrypted:	false
SSDEEP:	384:5HzQTDmvAX9CD6eMTxpAxGnYPLRTX9/eM4:6Tl+MTxpAxG+TX9b4
MD5:	B0586EE5DB1B3B171D28F48AF4B5F4CD
SHA1:	DB47565CEC4BE55A78AA678E3238EF425ACFFD50
SHA-256:	1B8B753DFA929DDD700B3939B1FCF1D53B94E7D8D97C81083AEC11EE970D239B
SHA-512:	9F960C81A953869E78291243690976319B2F72313B0A9DEC0341E21E878F7A05E3326D1AEDDED9B17A8F3E55A6138665EDEBCA671D75A0F418D2FA9615609E60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...E.0U.............................=... ...@....@.. ...............................R....@.................................\=..O....@...............(.......`......$<............................................... ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B.................=......H........&...............%...............................................0..l.........i-.r...p(.........r...p(....,...(....+1.r!..p(....,...(....+..r5..p(....,..(....+..(........o....(..............I].......0..f.........i.3".....(....s.......(....s....(......i.3......(....s.............(........................(.......0...........(.......(......0..........(.....(....(......,"(....rK..p.(.........(....o.....+ (....r...p.(.........(....o......r...po.....r...po.......ijo .

C:\Program Files (x86)\CPU Guardian\InstAct.exe.config

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	230
Entropy (8bit):	4.927182710614965
Encrypted:	false
SSDEEP:	6:TMVBdTMkIffVymRMT4/0xC/C7VrfC7VNQAopuAW4QIT:TMHd413VymhsS+Qzop93xT
MD5:	CC5216762E808C8A13B799001FB14D7F
SHA1:	D3E0F084903317BD8FA6F2E62746BCE3452C5E32
SHA-256:	A057532608B629756DAA45BF136212E2BCC39608213791D5E0DBAF33686EB83A
SHA-512:	4B4CC1932938762B4E1BD6B8B80C6C4AFBF88B37581A92259E570557A33FF001C3A240E89BBDF992338D3C157D0684F346456212567A784055AF40CA0070D21D
Malicious:	true
Preview:	<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727"/>.. </startup>..</configuration>

C:\Program Files (x86)\CPU Guardian\Interop.IWshRuntimeLibrary.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	4.584750598195
Encrypted:	false
SSDEEP:	768:gx3LY+sPhWVJPsedLVDUYlkXrSXVteUdzttJ2z9IkCBsQtcNg:4L9nVJEetVDUxSpvJ2z9IDs3g
MD5:	EF615EA13EDA0F6DBE335989CFF2B0AF
SHA1:	B0965C7F3ABC13A938614387553F93402A571F04
SHA-256:	8C30EA6D36E6E4FD1933803E3A492F39ADF85CA86211E9B00328341517380773
SHA-512:	44A6BA39F574E6C4F6B979204CBE9186130BDEBB8909C604B7B5837ACB05DF54A30F0BAD4BFF15786596F77A9239CFB34C40A9C5A09F653EB6605C7283BB1244
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O.0U...........!......... ......>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPU Guardian\Interop.Shell32.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	4.476592511891861
Encrypted:	false
SSDEEP:	768:Mexl81nX6ZxlvUAa7KoBv7epginbCe7AXjuw9tL0Duxj7tr+BrkFS:Mexl81nK34PJepgqcVz6
MD5:	A364F2BBDEA952E1479899F32A57AD34
SHA1:	1D3603D15DBFFD35665253F54BECF872AACB84F1
SHA-256:	9E6CE2EBD72E3BAD36710C9B208A658BD8E25C83FA57EBE159152F8E0F774D8E
SHA-512:	0C755630C22EE7A4AB76070AC568E3B70FD742DBFFB3CC8C68CD89F3D6D31C04A18EED6DB16785E0D0AC32137862A5D81940888EA64FDE3A8364C10228D6CDC5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P.0U...........!......... ........... ........@.. ....................................@....................................O.......h............................................................................ ............... ..H............text...$.... ...................... ..`.rsrc...h...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPU Guardian\Logging.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	8704
Entropy (8bit):	4.520606029097103
Encrypted:	false
SSDEEP:	96:i7uoR4mr0Zz+YOhmrnVvv2rYjyf/NF7b7xe1pZXLzbYHXvs:MR4mIZvO85XqNVJe1pZX7YHf
MD5:	28B7EB67A7889A46ECE863EE6EC6C3BC
SHA1:	BA12371BE8CE73CF52C3270CA46941B71FF90025
SHA-256:	B71BED56159A16652075CA90F6C5191B47102C653A2FACAC7F1823985B141FF6
SHA-512:	B767676DA12D1D8915C956071F81D107C2795ADD2F8318D7FBE2EFE12096612C3D4904F6A4991E1EB1E3170412260226FFBCC4BCAEEBC59CDC2ACE4F313A15B4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...<.0U...........!.................8... ...@....... ....................................@..................................7..S....@.......................`.......6............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................7......H........%..............................................................:.(......(......{...."..}....&...(.......0..<........(....(......-..r...p.o....+..r...p..o.....o.....o......&..........88......B(....r%..p(....B(....rA..p(.......0..<........(....rO..p(....(......(....,...(....&.(....,..*rS..ps....z.0..........(.....s.......3=.r{..po.....r$..p( ......(!...( ......("...o.....rB..po....+a..3>.r...po.....r...p( ......(!...( .......("...o.....r{..po....+..r...p( .....

C:\Program Files (x86)\CPU Guardian\Logging.dll.config

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	227
Entropy (8bit):	4.937998208562116
Encrypted:	false
SSDEEP:	6:JiMVBdTtdcIjkfVymRMT4/0xvFM7VEk7VNQA5DuACQIT:MMHdRd9ofVymhsvFfSz5D9CxT
MD5:	2B501716C1274B0B35543316B410D60C
SHA1:	69E370E1522EAB2F66FF11238984A3F288EB7A9E
SHA-256:	B4DAA280754F634F0C289EB06538AD00D6F6BFF81D48450BFC5D56463B04D382
SHA-512:	E38523EABE64E4B17CB6D45DF7726BDD5B40EFC341EF765B56C0B82197581819EDEC105204D3785BF0F5865CFAA81A23AB03E54B0C2242D1EAA25575254DA936
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8" ?>.<configuration>. <startup useLegacyV2RuntimeActivationPolicy="true">. <supportedRuntime version="v4.0" />. <supportedRuntime version="v2.0.50727"/>. </startup>.</configuration>

C:\Program Files (x86)\CPU Guardian\Microsoft.Deployment.WindowsInstaller.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	184320
Entropy (8bit):	5.7399324609598485
Encrypted:	false
SSDEEP:	3072:LjyY5UlEOitKOYwEvCnfKlRUjW01KykgBJ22R3k1Xn0YIEbTZOCZ4C7KjmQjpRQ:LndrHH22Y1Xn0YXVamQtR
MD5:	7D625FE73AB5F25390D5B663B0760BB8
SHA1:	5DCCF0B59215E47BD477AE563DB9FB53FD1970A0
SHA-256:	20AF4EA25C5BFB6CF5AE236D2F213402C6040EBCA2E7AB5C0983267D34CA1673
SHA-512:	A7A12744AFB89FF52D7CC5785EDC9C42DA0C796D3389CD39E7815623D9BDD4735F2410885714BC25E8FDF74E5CBA8A1E3E691C0E47B775A2DCE05BD0A5662A93
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...e).T...........!......... ........... ........... ..............................H.....@.................................\...O...................................$................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPU Guardian\Microsoft.Win32.TaskScheduler.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	5.911239698708562
Encrypted:	false
SSDEEP:	3072:kzUX+8YpYBTZUhF4SYK/G1JyMQ4FZSES6N0:kMI2s
MD5:	B351FDD6CA2B71C9E2310A6E5521D690
SHA1:	491538F4F77AFFA2DBBD8CC5474338ABBB895E6D
SHA-256:	9E21648FBD3E281FF2924904B80F7B9C65B440AEF9FECD87D0CA6AABF50E5DF4
SHA-512:	2E3947AD63141B6B92CBD141F889F3A5D104776A93E379EC294B879B510F338641B12E66C3280580DB16A945CD5AE57D84649DA61947E5572C6C27526DC1DCAD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\..O...........!..................... ... ....@.. .......................`............@.................................L...O.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......d...DN.................P ..........................................P8.,'C...<.a........j....L..Q.k.A...E...K..b4.y{.=b._....[X,i....\.op..V......~.Z.oGO.,)...R..S..Is.<s3...O.iWY.y..N.($....(.....(......($....(......(......(......(.......(.......}.....(.....(......{....,..{....or...-..{............0..B........{....,..{....os....{....o......J.......\..o%......i.3....~&......0..@........{....,..{....ot....{....o......J.......\..o%......i.3.........{.

C:\Program Files (x86)\CPU Guardian\Setup.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	8704
Entropy (8bit):	4.570733033305149
Encrypted:	false
SSDEEP:	96:iqXshmkp7pjpWvuJDHRgcs9eomMmXDxXnKc7ScPnPPbRxkxvVRSQc3MDm7M6aqm0:t6DScs/mMStXK6xx4SQl1qSjTPJw
MD5:	A774435D2C0A7768F4BE70B469390B55
SHA1:	E0F7CE4E38C5895686CFEFF58B4DEA58E10233AD
SHA-256:	3CB9187A144148DC61DD50007DC1E49A4158F01DB2557A7E3792B95054DA3082
SHA-512:	11FB6A6262BA6334615BB4C2F0BC5BB455CD03B8354E3F2DEDD25AEA655CBE8FFA6B7DF5B0129B751108D9287BE47B3A27B8B421C141D71A3144197121CA1B82
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...<.0U...........!................~8... ...@....... ....................................@.................................$8..W....@.......................`.......6............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B................`8......H.......,%...............................................................0..k........(.......(....k}.......(....k}......(....,+..(.......(....k.......(.......(....k....."..HD....."...D......r...p.r...p.(....(.....(....(........0..J.......s.........+...o......(....-..(....-..._....-3...o....&..X...o....2..o......(%..."..2DZ(.....(&..."....Z(....s......(%..."..;DZ(.....(&..."...AZ(....s......(%..."..;DZ(.....(&..."....Z(....s......(%..."..FDZ(.....(&..."...AZ(....s...

C:\Program Files (x86)\CPU Guardian\Setup.dll.config

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	227
Entropy (8bit):	4.937998208562116
Encrypted:	false
SSDEEP:	6:JiMVBdTtdcIjkfVymRMT4/0xvFM7VEk7VNQA5DuACQIT:MMHdRd9ofVymhsvFfSz5D9CxT
MD5:	2B501716C1274B0B35543316B410D60C
SHA1:	69E370E1522EAB2F66FF11238984A3F288EB7A9E
SHA-256:	B4DAA280754F634F0C289EB06538AD00D6F6BFF81D48450BFC5D56463B04D382
SHA-512:	E38523EABE64E4B17CB6D45DF7726BDD5B40EFC341EF765B56C0B82197581819EDEC105204D3785BF0F5865CFAA81A23AB03E54B0C2242D1EAA25575254DA936
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8" ?>.<configuration>. <startup useLegacyV2RuntimeActivationPolicy="true">. <supportedRuntime version="v4.0" />. <supportedRuntime version="v2.0.50727"/>. </startup>.</configuration>

C:\Program Files (x86)\CPU Guardian\Splash.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	255976
Entropy (8bit):	4.612209206661168
Encrypted:	false
SSDEEP:	3072:gsmj7mtiLfJKEmjZ+MX0stopP7mtiLfJKEmjqNP:67mULxKEmd+e0Z7mULxKEmC
MD5:	8DF371D6C8439AA6225D87AD741C6333
SHA1:	230AFADB5F2DC84AA7962FA808905EFD28B1C21D
SHA-256:	D8731FA86067EA429244378F81F9DC7E24377F7EF378044D5F46C378424392AE
SHA-512:	9DE82F68CD7430A3CA6CBBD1933E6303ED1497137C08A240E8F6579D4D7DCD56967319525B638CC70F81CE05EF8A3ED4D1A207D4908C17DC5290B19D43479193
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...F.0U.................@..........>^... ...`....@.. ....................... ............@..................................]..K....`..............................\............................................... ............... ..H............text...D>... ...@.................. ..`.rsrc.......`.......B..............@..@.reloc..............................@..B................ ^......H........+...0...........9...............................................0...........(.....(....(....s....(.......X.X..X}.......}.....{....(!....{.....#...(....o.....{....("...o.....{....(....o.....{.....o.....{....(....o.....{....(....o.....{....(#...o.....{....(%...o.....{....( ...o.....{....(&...o.....{....($...o.....(....o....(....(....(....(....(....(....(....(......1.{......(....o.....{.....o ....{.....o .....1.{......(....o.....{.....o ....{.....o .....1*.{......(...

C:\Program Files (x86)\CPU Guardian\Splash.exe.config

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	230
Entropy (8bit):	4.927182710614965
Encrypted:	false
SSDEEP:	6:TMVBdTMkIffVymRMT4/0xC/C7VrfC7VNQAopuAW4QIT:TMHd413VymhsS+Qzop93xT
MD5:	CC5216762E808C8A13B799001FB14D7F
SHA1:	D3E0F084903317BD8FA6F2E62746BCE3452C5E32
SHA-256:	A057532608B629756DAA45BF136212E2BCC39608213791D5E0DBAF33686EB83A
SHA-512:	4B4CC1932938762B4E1BD6B8B80C6C4AFBF88B37581A92259E570557A33FF001C3A240E89BBDF992338D3C157D0684F346456212567A784055AF40CA0070D21D
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727"/>.. </startup>..</configuration>

C:\Program Files (x86)\CPU Guardian\Uninst000.CA.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
Category:	dropped
Size (bytes):	1081295
Entropy (8bit):	7.774773660389089
Encrypted:	false
SSDEEP:	12288:lGA6ILTvHWo5JKmE6/Ys8cNYcgJ07N5tObk2lTD57pkrpDS98OqORpS2kg3lltyJ:fvv2macQ7Llf57pkrpUKgSsxQyww8
MD5:	0BCC088A002518322E1ECBCE9FDF796B
SHA1:	57B9C096A8EB3636CF3815AFD4C0C5D08BFFEC53
SHA-256:	A51751F54889932E87DCC1C73F4165F0C99B8224416F9200E77D02EAB688EEA1
SHA-512:	555B61ED74F16ADB168084809F703E26B7BFBBB979174CAF2AE79A25D5F45AD719FB2D837C53F4D00B135450CE0872753DC1777EC0F90B7A9EF6FC224398D489
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^h..............\XC.0...\X}.....\XB.`....q1..............[C......[~......[y.......5......[\|.....Rich....................PE..L...p).T...........!.........n.......m.......0............................................@......................... 6...*...`..x.......`............................2..8...........................(0..@............0..d............................text............................... ..`.rdata..v:...0...<... ..............@..@.data...$1...p.......\..............@....rsrc...`............p..............@..@.reloc...............z..............@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPU Guardian\Uninst000.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	276480
Entropy (8bit):	6.441854728182318
Encrypted:	false
SSDEEP:	3072:fK7mtiLfJKEmjvY4e3+XPBp+E1+eJohq9AYHdj0iVrDobtjP5T4XW/r6VijH:i7mULxKEmjYJUPJHRbHt7ZoNv/rz
MD5:	CBD338291F40C848724E289E1C89B5ED
SHA1:	95FF61F915EAD00C64B7C71BF084CE9B67C20391
SHA-256:	983225D7ABB49456DAB5DC9842ECCE4065B4A8C3B4A9E980857BCA6CBA66EC59
SHA-512:	BD11299B6FD9DA3D8BFB0E46B8B4F0DB088655DEF666F692920DA854F467F7B6A0191930678C0096C735ECA0C0FCF45C4361CD2033114710BBB9DD651572D4FE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...J.0U...........!................H... ...`....... ....................................@.................................`H..K....`..H...........................(G............................................... ............... ..H............text....(... ..................... ..`.rsrc...H....`.......,..............@..@.reloc...............6..............@..B.................H......H.......\....B...........@...............................................0..O.......(....s.....(....(....(....(....(....(....(....(.....r...p...........(........(........(........(.......(....o....( ....(!...("...o#.....s.......o$....(%....o....,.(..............(&...('...o(...().....-.....\|.(.......o+...r9..p(,...(-...(......s/........o0.....rI..po1.......o2.........(3...& B..........r]..p..o4...(-...o............A...........#................0..;.......r...p(,...(-...(5...

C:\Program Files (x86)\CPU Guardian\ar\CPUGuardian.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	81920
Entropy (8bit):	4.351471842158252
Encrypted:	false
SSDEEP:	768:T7BOdNxk5q+mZ5s2BMPqCX9diHUXtehsnE4YOhZ3A0opesLZBdQ6qhXLwnq3:nBO395s2eAH2eP4YOhW0cesLzdQ6tnc
MD5:	B08F4DC229CD738E564B8D4CCB00D073
SHA1:	805C97EF45CEC4B4610BA9AB8F781C05A555B3A9
SHA-256:	0E33DB40420297721419EF8329011AA32531754DCE99B988D7C34F8125746371
SHA-512:	45FB4EE3AEEDAD1955220B034E9FF3FB33B913970A251266EDD9C9313FF73C1629721B189C2954F7247202270BB6FAE4E4A14EC2CC71CA9C61764B288205A54F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V.0U...........!......... ......>*... ...@....@.. ....................................@..................................)..S....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......0..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPU Guardian\ar\Splash.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	4.184393622111684
Encrypted:	false
SSDEEP:	96:oz/3H/LB+FXNDkTglLXD0U2JARXD03lRtbqkV:+fH/LB+FXNDkTgkJH9t
MD5:	25B52BF55505B189FFA5ED6DD93CF715
SHA1:	CFB36A89678A7C2964E13789B8206D5C8EF1A180
SHA-256:	955D7172504B8E2A3CEE1B6415BEF8FDCC144D380A5CCF966CEFA3CE6446D937
SHA-512:	C5B2C6141B8CE3EE349EC843FC3042696D1849882604578AD422E3F9A4990BC94DD3C59805184C2C03128EDB0D5339C3F676DE950B8478FD0DE34781855B2B0A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...F.0U...........!.................-... ...@....@.. ....................................@..................................,..K....@.. ....................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................-......H........).. ...........P ..p...........................................l..............lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.)...(E.x.p.i.r.a.t.i.o.n

C:\Program Files (x86)\CPU Guardian\ar\Uninst000.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	4.137106681343619
Encrypted:	false
SSDEEP:	192:9GQmBZfY8OnzyPTa5t8zyEAYNy2RYkaHv:9GQmHCzyssyEdNy8YdHv
MD5:	F6AA66D2F100F44661BA06A27296DCB1
SHA1:	B2C0322662CF9EBE90AC4D9E3AF538C93E737496
SHA-256:	64E59C3E98C7E1C596D8FA7FBA799C971A51C9697E6103CA8EECF5304EAE6C3A
SHA-512:	EE3857AD4B38F09C4F95D06F4A6159B6A38C805FB0326CA9DAF5742675C9021BF7B2DFB1353494F022EF9FF9B5D4E72DC61A430FD9D70FE04BEEBD0C35697E8D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M.0U...........!.................3... ...@....@.. ....................................@.................................h3..S....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................3......H.......40..4...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Program Files (x86)\CPU Guardian\bo.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	4.6401835801650595
Encrypted:	false
SSDEEP:	96:pBmrqY2ZPtrPEg2XzVzu9+viWn1DvCwqlQxwN16HZGe/ycbGfwiNoPBnp:DC2ZPtrPJ2ZzuIhDvCwcvwyI6wiNs/
MD5:	C57D5679E6A2E2E4B4DEB278A1EAF8F4
SHA1:	A67DE39528104B271531195643FA7CB5243831F3
SHA-256:	29C716B81AE2B875B772CA6892E3917436D7AAB30BB8C8FCC3CD38EB10E42603
SHA-512:	F1C5AFCD424B810D6BDD123B635D976EB4C73FAB683B44171D70A87D43E2EA3965C9737F4073E8EEAB381F521B3F501E734C84700D2ECD9CA21498225E86DECF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C.0U...........!................n7... ...@....... ....................................@..................................7..O....@.......................`.......5............................................... ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P7......H.......l%..x............................................................0..i........(....(......(..........(....(.....(....(.....,..%(....r...p.(....(....(.....%(....r...p.(....(....(........0..........(.....(.......(....-...(....-.r'..p(.........(......(....,..(....,!rc..p(.....................(......(....-.r...p(...............(....r...p(...............(........0............(....%-.&.(.................rg..p....o.....s......(....,...}......8&.........-....}....8......

C:\Program Files (x86)\CPU Guardian\bo.dll.config

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	227
Entropy (8bit):	4.937998208562116
Encrypted:	false
SSDEEP:	6:JiMVBdTtdcIjkfVymRMT4/0xvFM7VEk7VNQA5DuACQIT:MMHdRd9ofVymhsvFfSz5D9CxT
MD5:	2B501716C1274B0B35543316B410D60C
SHA1:	69E370E1522EAB2F66FF11238984A3F288EB7A9E
SHA-256:	B4DAA280754F634F0C289EB06538AD00D6F6BFF81D48450BFC5D56463B04D382
SHA-512:	E38523EABE64E4B17CB6D45DF7726BDD5B40EFC341EF765B56C0B82197581819EDEC105204D3785BF0F5865CFAA81A23AB03E54B0C2242D1EAA25575254DA936
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8" ?>.<configuration>. <startup useLegacyV2RuntimeActivationPolicy="true">. <supportedRuntime version="v4.0" />. <supportedRuntime version="v2.0.50727"/>. </startup>.</configuration>

C:\Program Files (x86)\CPU Guardian\bs-Cyrl-BA\CPUGuardian.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	4.390730381820147
Encrypted:	false
SSDEEP:	1536:rBO2Pe5oBpxqJ8+T+TKU/q42slkTCAQN:VO2PeUIJpqTKU/q42slkTCz
MD5:	E88771DA626EA5D32D453B43E8576154
SHA1:	9DE32419309DC0C814AEBE535ADC573D2548E56B
SHA-256:	C1DC149A5D923F4DA70E13793DBED729F3B3B4331DE5E02F6E6680AE2DA4D563
SHA-512:	8C62C4A9EFC175356EDA3DC3329DC1C05118C868433E120B40935AAFDCCB0042E019DDD2D983617E21E00570D61A60BCF36504F05F6E981D3278D12392FA72A5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V.0U...........!..... ... .......8... ...@....@.. ....................................@..................................8..O....@.......................`....................................................... ............... ..H............text........ ... .................. ..`.rsrc........@.......0..............@..@.reloc.......`.......@..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPU Guardian\bs-Cyrl-BA\Splash.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	4.347343292574456
Encrypted:	false
SSDEEP:	48:6HfcDGMll8XJkGkYkAkKkEkyKk+Ck8mkwwkWOhytO9NKyP219NKdOlR4X3NkQ9hD:oBJ71lnJYXCU8chcweFLlRmdqkV
MD5:	4388D01327E9D1E4B24F083DFEEC4CE3
SHA1:	977E876838F6960D8D86728A1A61BF1DA8629FE8
SHA-256:	86B1D43F54BF52308F9EC1E636974453E2E1DE18DCE49FDC2F86180CAD5938D1
SHA-512:	6B166ABC1ED290C3BC94268FBE384C5E69C911915CC9CDC3D58AA5739A3E8A9DAE09C39F70E14F8FC91FA202BCC69DB619AF2140D487FE8D008138BDA5AC3386
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...F.0U...........!.................-... ...@....@.. ....................................@..................................-..K....@.. ....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................-......H.......p*..0...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.%...(E.x.p.i.r.a.t.i.o.n

C:\Program Files (x86)\CPU Guardian\bs-Cyrl-BA\Uninst000.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	4.073443121920409
Encrypted:	false
SSDEEP:	96:X+I0Uk10zmZ70Uk0BO0/B0sV0Wz02kE0WEVFnzQlK5vwTaFGYuUV9zQlEa19XNsh:wQmBZBquOdzy1TaFB/zyE0Nyl93Hz
MD5:	7780E00A60CF36671E45AF19984CC9E8
SHA1:	629B97953C4480A43AF1C99A92E250BC8B91842C
SHA-256:	5C2F555EAD13303430DBEACB02DCD77C5A83FB9AA8EEFB895490D2810741CA26
SHA-512:	7AE0D2345F8F27B6779535AE402CF4546893A455561E9CB2BCD3FE7C362DE592973485C15FBFEDCCEAF46F34786239752AC95E519698681BCE6DDB9835393116
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M.0U...........!.................3... ...@....@.. ....................................@.................................P3..K....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................3......H........0..D...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Program Files (x86)\CPU Guardian\bs-Latn-BA\CPUGuardian.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	3.9553473800090524
Encrypted:	false
SSDEEP:	768:hBOdvSNSOIGJ1JDo4wESimTskX4gvA1IU4PsZJFG80y:hBOhSNFJ1JDoxiiogvA1IU4PMrb
MD5:	FC837A680559AB483B0A24D15569C5B2
SHA1:	C029B87F974EF4EB803F23EDE8C2F8FCFE7BE9B0
SHA-256:	242CE11E629A29D55A3B0F0540DEEA4534B2EBC204D44F366F3D3B81CCBFA9DE
SHA-512:	FCDDB5E2C6355C6BF6826D91D45AC93E998CBC237144239B2699E84F0B483C448F3D6886F8F2C6F31804193074003DAFD55B1B416FACBC1F5E34E4FBD77DE8A6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V.0U...........!......... ........... ... ....@.. .......................`............@.................................X...S.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPU Guardian\bs-Latn-BA\Splash.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.7911815973520455
Encrypted:	false
SSDEEP:	48:6HA2DGMljjH2Pktk6hktk3k3kyqk+4k6kw4k2y+gvr7p+gvqOlR4X3Nh5cMhIHaz:o54snhI66kX4vkjy5x5LlRmtcbkV
MD5:	5BA46B916E39E8C2ED12D24370BE7177
SHA1:	A9D3589B76F1B8AF1EF60A23A8E653F9C81AEF0C
SHA-256:	6685A16C00A4B11107ADBE0D2AA79B3298ECF3D100D7577DA748DA55E0D732B0
SHA-512:	9E158EA1B787AD373322B50929076CE46E8E9E0EF70E1CE34065DCA0A31401CEABB074C84D6FC4CBC742A35607053DB73608F89D96E0A63AB426E0B451D8BE6D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...F.0U...........!.................,... ...@....@.. ....................................@..................................+..O....@.. ....................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................,......H........(..0...........P ..[...........................................W..............lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.....(E.x.p.i.r.a.t.i.o.n

C:\Program Files (x86)\CPU Guardian\bs-Latn-BA\Uninst000.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	4.051562867290683
Encrypted:	false
SSDEEP:	96:X2I0Uk10zmZ70Uk0Br0/m0sq0WK02kF0WEVFYzQlzjkqvuTaDadYWeVZzQlEw1bL:YQmBZeTFOOzyPiTaDaSNzyEHNywdkrz
MD5:	91E411AA51BCAFCF2AD2318475F21636
SHA1:	3F533BCF80EFEB0B1F4F630134E8093A51AEA0C0
SHA-256:	4A8797251DD3E3A3E9C2E5C3D8F6C65585F6FE8D8B921B5940CDF36A17328C06
SHA-512:	2D154F59E7F1A7427723FA1B7A72DA27993CFF0E45FC12D7BB116AFB12D7CF8B25F3258FFDBD91452F1FA8AC8BDDC7E0CB64B33FC13BB68C58DFC220F1597838
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M.0U...........!.................3... ...@....@.. ....................................@.................................D3..W....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................3......H........0..D...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Program Files (x86)\CPU Guardian\da\CPUGuardian.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	3.8716554275523185
Encrypted:	false
SSDEEP:	768:IBOdqmhS9Yt3IneNuX52RQeRKkUfBkMrJZkpA5SIl:IBO4mpt3ImmeRKn9SpA5Sw
MD5:	41709EE56BF07EAF6F8CF84C78214D64
SHA1:	058847E12B2718FC3E92FFFAB20F72F753F24BC8
SHA-256:	116018CB0A23F5BF0819C691EF30BD4679B660AD92126464708057B6390D8DE2
SHA-512:	AABB95BE440F88B77AF01C7FD7F3AA06A43289F76FDC20D2768313F3D1724405A40A9DBBF0ABDF9241D449D03078DBF870E5670CE5DDFDAA41D5FCC76F4FB13F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V.0U...........!......... ........... ... ....@.. .......................`............@.....................................O.... .......................@....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........ ......................@..@.reloc.......@....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPU Guardian\da\Splash.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5120
Entropy (8bit):	3.918716894176816
Encrypted:	false
SSDEEP:	48:6Hl8DGMlfklakTkqktlkVkDky4k+qkSkw7NkTLlAu0AX4Wbc3Z4UOlR4/NBAzhI0:obaqPQlAGeXqX/NUpgAdlRbIkV
MD5:	68B79183233A6C2D19FB606AA49482D6
SHA1:	B41005D41BA6DDC888072661B410B23EE17E9233
SHA-256:	13BA0A16789D435E52DF303B1F03373A96C90A15CAA3C692B44F50C93FAD6529
SHA-512:	36E8754EBB5AB4E1D95B6154823A3C1B7DB55D5B184479C56004CC74C197D381FCBD690B6E72064A91155D959F4D57967023ED1B0493F1B23B9A2D9A262809A2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...F.0U...........!.................+... ...@....@.. ....................................@.................................d+..W....@.. ....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................+......H.......D(.. ...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.....(E.x.p.i.r.a.t.i.o.n

C:\Program Files (x86)\CPU Guardian\da\Uninst000.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	4.048589783067445
Encrypted:	false
SSDEEP:	96:XWI0Uk10zmZ70Uk0Bl0/E0sM0Wh602kP0WEVFSzQlfoovSTaP0YWiVKzQlER17MC:4QmBZwlXOczyITaPD6zyEfWNy3NZZ9z
MD5:	E3D637DF0EC98C57FCF706132616E4EB
SHA1:	9FC71E5862B20DA5D75619AD15679AD394CB8A10
SHA-256:	F184CF931AB5AC898EF54A5C933F7265BECD28557868A0FFD3A5589927BB0901
SHA-512:	06F5588523209568A78BB73BEAB6C9C9A24231B2E1F798EDA1824879AD63AAD08BD44A0385D5BC98B822DF829233FEF11BD7EE74505F87A190A2A385F7695B16
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M.0U...........!.................3... ...@....@.. ....................................@.................................H3..S....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................3......H........0..4...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Program Files (x86)\CPU Guardian\de\CPUGuardian.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	4.041619677545147
Encrypted:	false
SSDEEP:	768:CBOd0NDwOVo3uVCz7xCcxbqAzLoVUXUWv3Y306cmVaNQxseaIGTb:CBOW1e3sCVqG0qv3Y3ubeaHn
MD5:	77E503E84EBBFAA5E074DCE709604DE7
SHA1:	4C6B29C825411726448F17D2DF12EFCBFAA2BD3D
SHA-256:	3D727943961DBD02D259319FB4A28051AD6DD90A3E1C9445E92E9590DE5C8A7D
SHA-512:	8D62BD3E3D20D9E8D4772F52E5676AFE40BE96C8387C5CFC3A163E3622F437AB5EE96AD4E8DC43776855DA1B30AD509C84C7C5B26106B7E65728A2C32BA2307F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V.0U...........!......... ........... ... ....@.. .......................`............@.....................................O.... .......................@....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........ ......................@..@.reloc.......@....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPU Guardian\de\Splash.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.7234027852509146
Encrypted:	false
SSDEEP:	48:6HQVDGMlQPe8k0ksklkekrkyqk+ak8kwOkzuxOoubw7/0u8Gw7/uOlR4/N1C5Wwl:oy8V5g7+kXapqZxOo/IvzlRbYkV
MD5:	D58E83F563E2E3DAB4EA7E3836ED3B48
SHA1:	2E0C5678B1C1A9B2FC156E051B91A0CFCBF07BA1
SHA-256:	08EBF070F7766323AADEDDDFF748585A9B5BED1B57F109FBFAAAB75FF9FEE4E1
SHA-512:	A95206087EADEDA4DB1108E2A21EC90CBBB1A745503052F3D9C2715E1FF592C7A6BDA8433245D8F1C95C770DEC948BF7CCFA51208F5C897C7B75838842C169B6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...F.0U...........!.................,... ...@....@.. ....................................@..................................+..W....@.. ....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................+......H........(.. ...........P ..D...........................................@..............lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.....(E.x.p.i.r.a.t.i.o.n

C:\Program Files (x86)\CPU Guardian\de\Uninst000.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7680
Entropy (8bit):	4.022899439217561
Encrypted:	false
SSDEEP:	192:pQma5jH7OQzykTa8BezyEm/cXiZs0l04:pQmAi+ykKyEssH4
MD5:	842454216446DB6C907513F8E60A8338
SHA1:	B60E47FC8C361D2274AA02C0BF72136469E777F1
SHA-256:	8F13E43DDF364EFA5A3E6FE515DCC76EFBDFDFB16EFB210580B16201E242B366
SHA-512:	4B75D4B2206A1E08EFC391B0D629B4FE2F647EE6127DBBA1C39AF63AFA69BE8AF4D7B3E57E32B69CEB805E48EC12F8353B15703BC3A514830E1D6A4D800081E1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M.0U...........!.................4... ...@....@.. ....................................@.................................44..W....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B................p4......H........1..4...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Program Files (x86)\CPU Guardian\es\CPUGuardian.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	4.0192389069270344
Encrypted:	false
SSDEEP:	768:KBOdZPy3+cks6Y8DDedNsTndQz8/px4bwUSioPUgVT2lz+G7RBvo:KBOfPcks6Y3ad287fUSnUgVTW6G7RBg
MD5:	23A214851F7697FC813BF78AFFF714ED
SHA1:	FC3C592B24B696662C09BD35CAF6A1FAC4F16634
SHA-256:	4F0A1255E4B69B376CA3D114544064B674DBC3BB54389FE20DB5E7AB0B536850
SHA-512:	BC2B4F5D2712E424195E99EC742D927928E06B246A096BA458B41EAF10778CF58B89E9F148F59149342DE9BB2D9052E1A3C131AAE810851A88DFBDE64FDCA247
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V.0U...........!......... ........... ... ....@.. .......................`............@.....................................W.... .......................@....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........ ......................@..@.reloc.......@....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPU Guardian\es\Splash.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.7345347426798576
Encrypted:	false
SSDEEP:	48:6iQuDGMl3G2lkGkbkykykqkyAk+RkODkwSkglAuRtMv23FFuOlR4/NoxPxzhIHaz:tllvmfvnGXRX251G23FFXlR9jIkV
MD5:	92DFFCA7DA68BDDA785B8ED473418C98
SHA1:	6EBA96893A5EC949640AAFCE1433A428165A5F3E
SHA-256:	B555EB57F4905EFA8C41DCCE27B9B275632EC264BF312EF89D85BC36C3E2D13E
SHA-512:	5AAF886EAB7C763F64C5D92E60B2EEA66741F020516372A795C9B1F4F6CC3FD02181A49A2DB75FACA5AD0126D1A253F07463FECD3A1AE3E4D2A7B1F368CF9654
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G.0U...........!.................,... ...@....@.. ....................................@..................................+..W....@.. ....................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................,......H........(.. ...........P ..b...........................................^..............lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.....(E.x.p.i.r.a.t.i.o.n

C:\Program Files (x86)\CPU Guardian\es\Uninst000.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7680
Entropy (8bit):	4.000848952911671
Encrypted:	false
SSDEEP:	96:XxI0Uk10zmZx0UJ0BX0/k0sj0Wx602ko0WEVF2zQlP3vzTa2VYi7VIzQlEV1Cujr:xQmjuXxDaOgzyTTa2aNzyEqWY3VFL4
MD5:	9DD2AA44CB3CE41E4177A2309039F333
SHA1:	857BC820BA4BD159FE561F64684A1F83C9B620C5
SHA-256:	E91E6A08F75DA9C00558EB234A91F5B87F48F759BB673138E9312A18EAD2F969
SHA-512:	3E24FEBF5A4CD923792168471EC13A100C451D580C4DF274A5E8F260A09CF243C77BFDF637D2224F97973C1E68F4A575E093888E25CB92A2FBC2C3CF66484EFA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M.0U...........!.................4... ...@....@.. ....................................@.................................44..W....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B................p4......H........1..4...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Program Files (x86)\CPU Guardian\fil-PH\CPUGuardian.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	3.9732068230305058
Encrypted:	false
SSDEEP:	768:1BOdSSmjxQ1lAvHjLH6dwPbcc7QWek5RQi3RbuZXZhg3DN9:1BO8PgAvHY2QyQeRbap8D/
MD5:	AEC66B38C2FCC7825D214018F296BBF5
SHA1:	EB731083E50EDC4A1FE10CC409CE30B50B90608E
SHA-256:	17F1A61D11CB84C322936C1F8FEDF8CF62355DBBF5EE5C0967D465DD74F02B0A
SHA-512:	28CE6C69CEA25C06A20DC9A9EFF3AA123ECCCB7C0B43DCE1047A090A47C733F2C263F52D36EBA94EC61B4D6AFAB965E11675876ADF513905CB15CEC95EDFAD39
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...W.0U...........!......... ......>.... ... ....@.. .......................`............@.....................................O.... .......................@....................................................... ............... ..H............text...D.... ...................... ..`.rsrc........ ......................@..@.reloc.......@....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPU Guardian\fil-PH\Splash.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.756666177601189
Encrypted:	false
SSDEEP:	48:6iQeDGMljEZ+x3kekpk1lkzk5kyOk+ckvkwMktlAuC+kglAuOqqs4klnqqsVulR5:tYW3H8KWUoXc6ACfHD6DIlRWDkV
MD5:	B2590E6421128A931BFB1C8FE4490E27
SHA1:	A9E649894B1C905C625D3E729CA3C5D06374FD2F
SHA-256:	44672B7AE4EAA9826384ECCCC2BBA501ADF3FE3C0C4B893C18D5D48B09B71A9D
SHA-512:	B18CBE937527258BB2E490C102796238FD72037D1CA1F888E0D5185EB980F69FE4C2FA6415F8ECB63E443A5E78018C67B1FECBEEBAEE4A3A7A73F3B35555B864
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G.0U...........!................>,... ...@....@.. ....................................@..................................+..W....@.. ....................`....................................................... ............... ..H............text...D.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B................ ,......H........(..(...........P ..i...........................................e..............lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.....(E.x.p.i.r.a.t.i.o.n

C:\Program Files (x86)\CPU Guardian\fil-PH\Uninst000.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	4.059456711666594
Encrypted:	false
SSDEEP:	96:XWI0Uk10zmZ70Uk0Bo0/X0sXP0WB02ku0WEVFZzQliDfvzwTaxCY+oVczQlER17+:YQmBZjcYOjzybTaxlOzyEfpNyCXH2b
MD5:	473E378DBB8178CC87CF5AAF5806428E
SHA1:	43F383B4EC68FB5B076786F14110900B72A150DB
SHA-256:	ECB7411B6EC421F3D1A249011848F8B186FF4C65940D4FF746F6D0AC66DE7826
SHA-512:	B7AB65AC03084E1D538B530411711B972918A86888A7C2D2994E49DC414A640CBEE78C555433A4912220CD34A918351048819453C7F245B330FF80330EA41DB8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M.0U...........!.................3... ...@....@.. ....................................@.................................T3..W....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................3......H........0..<...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Program Files (x86)\CPU Guardian\fr\CPUGuardian.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	4.079319572470228
Encrypted:	false
SSDEEP:	768:kBOdvSJR83MvHNioJd56UXyXIRxXtVTE25ACwxxIxLMlLJARQc7cLcxxI:kBORSJJvHNXD4cxkWAwxW
MD5:	027A8A78CA213637211D5200AF1B042D
SHA1:	AC51B2C2F8D27CF09AFB7E6057FB86B5CEE511A5
SHA-256:	15077FC3760B94B82484A83174AF6A867A5930D5163C673BCA6BA66E5BF3D767
SHA-512:	E3E56459A7AE288DA19347B7AD194F3F97538168086CC10EBBBFBB9B9D4EDA1DAADD13EB8053FF3B6D016F6891F9FA9E4BC31CAD98AFFCA47B77E22FA492EE37
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...W.0U...........!......... ......N.... ... ....@.. .......................`............@.....................................S.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPU Guardian\fr\Splash.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.7770642638300065
Encrypted:	false
SSDEEP:	96:tntzHIb1NcLXKA/Odqkr20RqkLlReMHkV:JtzHIb1N6XKA/Odqkr2cqkLKMc
MD5:	7CFA0647BFF0D5C32B46351DE6A5429E
SHA1:	4AD7B3A7028F718595535F97D2E1761FBA7EB5CE
SHA-256:	E3773CE96662882C1601072E72090A4E80976F356C01F1E763BC0FF90C523AF5
SHA-512:	C995B37B5BB8121C06F93F8FFD8532C17CF2FFA1280E48CD3B8586C0C99CCA8CB57E50942CB732209B10D78CFB63563E4DCE69B90888FA804E9E22782927D39C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G.0U...........!................N,... ...@....@.. ....................................@..................................,..K....@.. ....................`....................................................... ............... ..H............text...T.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B................0,......H........(.. ...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.....(E.x.p.i.r.a.t.i.o.n

C:\Program Files (x86)\CPU Guardian\fr\Uninst000.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7680
Entropy (8bit):	4.081738950123952
Encrypted:	false
SSDEEP:	192:ZQml2renO8zyBTaNICzyEKwI0GZneWhHPLA:ZQm2PaymRyEKyGZeWhA
MD5:	B8C42E3E55BF1BB7AD13FC90116A58C1
SHA1:	2B51C83B12F3F4AEECE0BEA75254A21EAD062E1C
SHA-256:	83DFE90514D8D07A524887E73B2F5B4B0EE43B75B5DA4611A57D135CDB6E2777
SHA-512:	82CF15CA227BE56BD6F6C2090E3D9A2E52BE827991B17F6AB6C4579D97930EF50A605E8E4462717BEBD7B0A2A71032EC6C7E235EB7FCD76B5C4794F962A87077
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M.0U...........!.................4... ...@....@.. ....................................@..................................4..O....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................4......H.......X1..4...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Program Files (x86)\CPU Guardian\he\CPUGuardian.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	4.032004620717601
Encrypted:	false
SSDEEP:	768:rBOdfHOEAKn/hwpxUEADJOXUnYfKREUSlPw8vkPQ:rBOROihixUEJkyUSRlvkY
MD5:	10516BB4D2825A16526D237DC9CFA72C
SHA1:	98D3CA0E3F223509477116176EB0B6415E8E2DF8
SHA-256:	BDE16F1BDB11B1683DA0F926EC0FF02921C10C78E59AB9BC666BD0289C0A0B9D
SHA-512:	889EC461BC452EECFF40DB5459C6BA652CA3216F489D215006884EB84C263EA94F0408F901115AEF957373F82F9FFC34F292519A87BC1A7189320FAC9852BC5F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...W.0U...........!......... ........... ... ....@.. .......................`............@.....................................S.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPU Guardian\he\Splash.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5120
Entropy (8bit):	3.900169167057354
Encrypted:	false
SSDEEP:	48:6ilgDGMlm9eRkbkYkb/kvkVky1k+fkfkw1kgJlAumvAdP8nhOlR4/NgGGzhIHaq8:t2Ry1OyQjXfqxlXaodP8n8lRdfIkV
MD5:	5D92C1B07EC32C9A80B0FD560CB1D677
SHA1:	BCB3AC48B5CC79B96FABB607392DB843611E9F03
SHA-256:	B24E4D131832B43A165E7408E13A462FCE61445EA52ADF457DCE635B25FBB34F
SHA-512:	8015AB05FE3D91DFBEC83468FAA245461237B6E823CCD8D35404F695F2C6256B5DB66BD83C71A6CD93BCC7C6C77ACB185DB2AA47719D479413B0C67FA4CE9109
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G.0U...........!.................+... ...@....@.. ....................................@.................................d+..W....@.. ....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................+......H.......D(.. ...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.....(E.x.p.i.r.a.t.i.o.n

C:\Program Files (x86)\CPU Guardian\he\Uninst000.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	4.039017071227604
Encrypted:	false
SSDEEP:	96:XuFI0Uk10zmZ70Uk0Bo0/X0sXP0WB02ku0WEVFZzQliDfvzwTaxCY+oVYzQlEN1x:+dQmBZjcYOjzybTaxlyzyE1nNy6Frrz
MD5:	2FF404DF3A45BF9F18BB613950C3650B
SHA1:	EA7E767E249F8E4CC44597755FA26ED98587E27A
SHA-256:	AD59502FBB5848AF48DD5AC38C274A6801E2035F5D16183F8FA9946918DE7E29
SHA-512:	C0C9A6FFAA97ABFFDBD572FF3C7851BF1DCC70594791D05F757976DE3460B9CB3D8D0E52E0CF78A78E4382B31731604C2F30D29800BCD51CC545F71B23016973
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M.0U...........!.................3... ...@....@.. ....................................@.................................D3..W....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................3......H........0..4...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Program Files (x86)\CPU Guardian\hr-HR\CPUGuardian.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	3.9659510119567094
Encrypted:	false
SSDEEP:	768:7BOdvFQQVV2WkWORp/yDWMosYnp1E5yhMB7fqt:7BOJZV2Wk43osYnp1E5yqh+
MD5:	FDD4BFB5A4E817C14CD16FA5E039D7E4
SHA1:	1D0414194B1FB74067159E2C4B5C3100DB9356E1
SHA-256:	C91DAB72DD5F016D85D9854ED023F7A3BE6AC27280D0603526D80B15B91ADF17
SHA-512:	59DF6020BA49C8875A857C746AA8CC25B495DC46D2A79B4EB498E080821A63EA30F8DFB3FE25D7B8B3C9A4A0A90E8FA57B19203BE70B6D749F65BADC8A86FF77
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...W.0U...........!......... ........... ... ....@.. .......................`............@.................................@...K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPU Guardian\hr-HR\Splash.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.7413954254986312
Encrypted:	false
SSDEEP:	48:6iZxH9DGMljklMk3kEkTkNkpDky2Lk+2kokwokxAz0J7P/kL0hulR4SNgUvrhIHU:tkMuxm4YcLX2lU0fBkIElR0ywkV
MD5:	A672557BA410F907D3855F7AC8FC2170
SHA1:	8A8A406AED928B349C8DC5A100752164CCF92B60
SHA-256:	1F5F27E759F521715196F5BDB9B527C615CCA6B34F97EAA96811DBD7EB6C5EC4
SHA-512:	3C558F86B8FACF10D3B536B922A49057014C2B492F820C16B9D7FCA7E7B553DA9581CE5A71ABE297E14053E1AAA7DD02E1D7679B2FFFEEF1045A6A679003B284
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G.0U...........!.................+... ...@....@.. ....................................@..................................+..O....@.. ....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................+......H........(..$...........P ..7...........................................3..............lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.....(E.x.p.i.r.a.t.i.o.n

C:\Program Files (x86)\CPU Guardian\hr-HR\Uninst000.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	4.182084893995854
Encrypted:	false
SSDEEP:	96:Q+I0Uk10zmZ70Uk0Br0/m0sq0WK02kF0WEVFYzQlzjkqvuTaDadYWeVbzQlEW1WD:lQmBZeTFOOzyPiTaDaSfzyEKNyw9sr
MD5:	D99C4A722153555ADAD9B8A99482EE80
SHA1:	9A87CB3CA5E55E978B8684A9CAC4E61F2A7AF8C6
SHA-256:	669CED0F9D382B4CFF64E030AC08A39A39FF4076B8E1326F3EF6F4BA7A7AB5A7
SHA-512:	D9E6F4FC45855518E53BBC97A78A636499BC852BAD4D9B4F93C42CD34CDF50FD1461274F5B4743D2AE65E83D8737860B499E0419CCFD6E5B4BF5345BB01B9B06
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...N.0U...........!.................3... ...@....@.. ....................................@..................................3..W....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................3......H.......L0..8...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Program Files (x86)\CPU Guardian\it\CPUGuardian.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	3.9691724802214194
Encrypted:	false
SSDEEP:	768:/BOdg4OVo3w7T+N9OyR+BKIu7D/hW5c60MklN5jRtJx1D5g1XoZ:/BOai3qT+2Xu7rhWDGlN5jRDxBuXM
MD5:	812B5D1EB56D6D94945ED814059A444B
SHA1:	D54140C811ED84BB91706811D88AB40C85385FB9
SHA-256:	3F045423F29DA3BCF3F5A388B8B2EFA67A8AA9D5D1A253BEC50B9BF6F2D21778
SHA-512:	DA6FF1A989730B7A9CEF6E0DA8A0FC9423A14ABFD645CF848796969E84B4258E2F7E66AFC01722C48C70858114F6352BA7CDDACC9E8169DD318B332F9E909681
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...W.0U...........!......... ........... ... ....@.. .......................`............@.................................8...S.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPU Guardian\it\Splash.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.739847864662882
Encrypted:	false
SSDEEP:	48:6i4CDGMl84mAkP4kGkYk0kSkyBk+LkckwNk38lAu0AgcnRLXdWPl25mnRLXcOlRI:tKAh79J/PXLJJ3gTkRJWd+mRFlRBPkV
MD5:	7D9800DC4070C98011B366CC8678909A
SHA1:	D67416E875B59A953347CE727E255D5A195677CB
SHA-256:	33B7C869131D4526928485DE4D35583CA2C1E3E6ECC4884C8E53CE36172135DA
SHA-512:	DD60A119B59301D4B0F192C8F8B474D272C9EC5347DE9F267B001351AC3092ECEEDCEC40D0EF1148441F576E8FF744FF1185CB04DC34C0039FC0B4A031F0A293
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G.0U...........!................>,... ...@....@.. ....................................@..................................+..S....@.. ....................`....................................................... ............... ..H............text...D.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B................ ,......H........(.. ...........P ..w...........................................s..............lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.....(E.x.p.i.r.a.t.i.o.n

C:\Program Files (x86)\CPU Guardian\it\Uninst000.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	4.041465111422236
Encrypted:	false
SSDEEP:	96:QtYI0Uk10zmZ70Uk0Bl0/E0sM0Wh602kP0WEVFSzQlfoovSTaP0YWiVNzQlEY1zr:CeQmBZwlXOczyITaPDdzyE+Nyz1E/P
MD5:	8BD86E748D92D6A4567F973539AAFA2B
SHA1:	E6C7702AC060D9BB34BFA4D541840E8379201B8D
SHA-256:	6590CC22AA637F73D2991D72B8869223689588914E0EB3B03D2E524E439B3DDF
SHA-512:	D02B72EF9136173A757836714745A23F40CDC4F27BE47BF1570B0E0F27BF9DEC359901BED6FC495317EBDD230BA311C09721C88B8614EB27434289C76639E1E4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...N.0U...........!.................3... ...@....@.. ....................................@.................................@3..K....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B................p3......H........0..4...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Program Files (x86)\CPU Guardian\ja\CPUGuardian.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	81920
Entropy (8bit):	4.4255106250707925
Encrypted:	false
SSDEEP:	768:hCxBOdVBxE1B3vcMYbc7drcXiz5to4bswwsYMIBu:haBOX6vcMAyz7o4bstspIg
MD5:	DEA74122A9A2EBC0D680DC157A16B39E
SHA1:	BACFD4A9FEF07EBB887D1147694123F98F076DA6
SHA-256:	C3616533785F0185198496AE4A2CD5754A9AF35ABAB025AFFEB437909B9A8A37
SHA-512:	B9430DFCB9C208D56FC7FEB04BFD9BB0F6513FCDE7DD0DD9EE079C0D1DF003F70D09D3431309AEA243561232D9B296ED8724DC11E29DDB2AD33AF1ECF0AA7910
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...W.0U...........!......... .......$... ...@....@.. ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......0..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPU Guardian\ja\Splash.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	4.176153372046629
Encrypted:	false
SSDEEP:	96:tY81g9J/qXq5gyzB43BGxXlzIBGxflR6fkV:y81g9J/qXq5gyzB43BGNlzIBG1G0
MD5:	F0D9B1401796CFC78F2E88281578B88E
SHA1:	8908B6C9B8AAA2087243F809D67174CECC061E8C
SHA-256:	C0C3D22DEC05AD462003F07BAC905C94A07BE450A84D84F319687B7A4C989B4D
SHA-512:	A1B4429607842918793A6CDDEF5B58CCC3DC5DAF05C2C3B5B329F7BF9654747A7915F5AAFA57BC3D756CEAF253F62DCFE2947F9CC76EC5CAF634B3B29ACD3CE7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G.0U...........!.................,... ...@....@.. ....................................@.................................x,..S....@.. ....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................,......H.......X).. ...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e./...(E.x.p.i.r.a.t.i.o.n

C:\Program Files (x86)\CPU Guardian\ja\Uninst000.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	4.082944201678249
Encrypted:	false
SSDEEP:	96:QmI0Uk10zmZ70Uk0Bz0/u0sS0WC02kt0WEVFQzQlcSv+TazoY2uVhzQlEo1juNsn:VQmBZGbNOmzyyTazPFzyELNycFgb
MD5:	EF09D718633829DD3FDF713F590DAA72
SHA1:	F657A19D4CD76D46AD7EEC270B45FBC90358E01D
SHA-256:	3434E0E6BC1A38115594A94F0FB3D4C321A2C16142358E76717AD307F9568AB7
SHA-512:	869019EA8C9791764FFDE633677E7DD4632FDE22CB555C825D3EFE06E3110E50BC6F206BBE3E9C061671299B45ACDC3D4B0E8BB48FC4E43946C6CC58FED77A3A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...N.0U...........!.................3... ...@....@.. ....................................@.................................T3..W....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................3......H....... 0..4...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Program Files (x86)\CPU Guardian\nl\CPUGuardian.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	3.8994526850766222
Encrypted:	false
SSDEEP:	768:0BOdVyG8F11n7TdUabqn5pOxMrJIiIkRaBwImPvv1nRsS:0BOL2n7TThGJpXRDzXv1nRD
MD5:	E6EB8D4F9151F57A6549120A019A1ABD
SHA1:	50B2C3B2F1A3AC26138E2E4FD993E18F17E53858
SHA-256:	12D96859BACB839E5F5AC21E86F32CE7B2F20F366AA76B8AF086011E2D9A82DA
SHA-512:	DD6D3523CF9B66D707D7F8117B23DE1655E771A199E57BD187F7C9181C06B2C19B16EF28CF9827A51CC44788DC6E0F2C8F9CD9B718F8F04BDC235147F692AB63
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...W.0U...........!......... ........... ... ....@.. .......................`............@.................................8...S.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPU Guardian\nl\Splash.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.687543440887069
Encrypted:	false
SSDEEP:	48:6iZxWQDGMlQA6kkwkikQkNk2kyLk+okskwm4kcA41D8sYsFODFuOlR4/N3o2rhI0:t6rkxnV4zdXoZC4j9YQoZXlR8wkV
MD5:	F11F42363600EC97A28F7CDA34CD3D17
SHA1:	43C67A53B13BA3E7BD48BC22D85C663F34B92A22
SHA-256:	6FD0D852A6C75881A9CB892B50108E40686787359733A8CE62E9CA70EEA1D76D
SHA-512:	9B1BA9A28D02B92F4A92F0DE980648A726196D62AD14642A5A9E15BB62D6A4B2756E563373516B586C47587429D7F19DFA9347267F4210489B19271EA83738F4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G.0U...........!.................+... ...@....@.. ....................................@..................................+..O....@.. ....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................+......H........(.. ...........P ..:...........................................6..............lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.....(E.x.p.i.r.a.t.i.o.n

C:\Program Files (x86)\CPU Guardian\nl\Uninst000.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7680
Entropy (8bit):	3.953164623912564
Encrypted:	false
SSDEEP:	192:OQmsIwEfOSzymTajI+zyEEescZnfMfQpo:OQmqNoyVVyEEesc9seo
MD5:	44477A6EB2BC155276D54FB662129262
SHA1:	309F889DEC5EAF99E6634872EC272F575611BAA3
SHA-256:	836579EAE6E8A26F6972DA21ED27742DEE86C995D8D3CA1C8FB01266A86A4DEB
SHA-512:	2F2F460F93E0CCEE6EEFDAAED9B4BC0A6E7A467167AE8D862738B51FEAC847B9647193360E0F35C270F07FB95DDA9B8E0CBDEF88E80B941314B81B8E81B60F73
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...N.0U...........!................>4... ...@....@.. ....................................@..................................3..W....@..@....................`....................................................... ............... ..H............text...D.... ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B................ 4......H........0..4...........P ..]...........................................Y..............lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Program Files (x86)\CPU Guardian\no\CPUGuardian.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	3.9181491538846354
Encrypted:	false
SSDEEP:	768:ZBOdPBZtO3Zt0c1RWnB95rpSWRGsEqEI9kcp7iHClfD3+EN9zokKuj+5nLuSnIZH:ZBO1Y3b0c1ReI6G9HqpnUeBIm
MD5:	26DA832F09D62923431676F0797688D8
SHA1:	5A05D0258306725E706BC7600024398C72813CFB
SHA-256:	F0A94BC58243A26316C47EEC2FACE2B8188B9CFFE1B71888C06E2BC698A51447
SHA-512:	5EDA4CC00D449DD4FB5EA31504118CBA8F39239417D67E021EDDBD33CB0D3FC118486355C6AAC8E4B168AE24662AF071F3B54C88C0064B377742B8210E031FE6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...W.0U...........!......... ........... ... ....@.. .......................`............@.................................l...O.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPU Guardian\no\Splash.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5120
Entropy (8bit):	3.9492607056179194
Encrypted:	false
SSDEEP:	48:6izRgbDGMlJ07Mk3k6kIkFkTkyKk+YkAkwgkwklAu0ArvdWqpRdW1OlR4/NpoHhD:t2iMu/tQWEXYtsjYgK1tp3LlRjkkV
MD5:	86DFED479DFC45B2823916145DCAA416
SHA1:	A5B1783185A3A28361216819AFB57F054632E005
SHA-256:	946EBF7E8616E593BFA935A54524411DFF3EDB6E7172A0223F85D013A9C3C6F0
SHA-512:	5BF61BFBA7D15A2ECE5CF856389A84F19BCEBF75B54948682EF8DE07B93C4ADC622B80E53AFEFEF19FF7A65CDE6BC6330AA69A720F3971DEEF4B11EDEFCD14E6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G.0U...........!.................+... ...@....@.. ....................................@..................................+..K....@.. ....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................+......H.......`(.. ...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.....(E.x.p.i.r.a.t.i.o.n

C:\Program Files (x86)\CPU Guardian\no\Uninst000.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	4.04991392298531
Encrypted:	false
SSDEEP:	96:QtUI0Uk10zmZ70Uk0Bo0/X0sXP0WB02ku0WEVFZzQliDfvzwTaxCY+oVzzQlEE1p:CSQmBZjcYOjzybTaxltzyE5Nyu18/P
MD5:	993AE0B85F6F53841CEB77ADA93BA46B
SHA1:	6EDCBC8BC1C96674B41733FC63FC768468A3CBB4
SHA-256:	DFD7A4B1BD072C7971520627667B66FBD8AF24DF4DD62DCA2770AC0B311F259D
SHA-512:	2F1B921260CA05271E6D8A37454D7188224C44F0BEEB7A1A01AF25E04317190BB42726EBFD24D3D46E61250B6C473C4F2930376A53BFA2F5D13721715661BDBE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...N.0U...........!.................3... ...@....@.. ....................................@.................................@3..K....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B................p3......H........0..4...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Program Files (x86)\CPU Guardian\pt\CPUGuardian.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	3.971721289254612
Encrypted:	false
SSDEEP:	768:1SmsP9uP0BHf5eoa5dDbc0RlPy9A3w4haK3Cxzo9/maU:1Sms17uoa5dpmAX3stv
MD5:	6CFC17B521F809CD5EE4A0E422644DD1
SHA1:	8151FEE8DFDCD05A169BB0FBCABCC9E5BAEE9249
SHA-256:	B87C4F1E76846F4F5FF8E9CCA767EA7A9298759DBAD9CB7EBD075511EB27E2E3
SHA-512:	04A8C30C0E475F16ADC3A5ED690DD4866B4FFD01E33F4E7FC16E541C5046680E2AEA3BD832DFCE99841C2032EFEBB75601903CB36D3B8718F6A2220E1C897108
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...W.0U...........!......... ......^.... ... ....@.. .......................`............@.....................................W.... .......................@....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........ ......................@..@.reloc.......@....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPU Guardian\pt\Splash.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.833571849211572
Encrypted:	false
SSDEEP:	48:6i4KDGMl3qleAkO4k0kfkjkskyVk+uxk5kwukh1NkjNxOlR4/NKDwhIHaqwGlBo3:tGdGBymhDXOMCSNkj6lRH3kV
MD5:	DEB4EB85B057AC5734C1B1167940306C
SHA1:	B8205028AFD65BB10F9E6975BD54CA699F50B5A9
SHA-256:	85ED2FCD17B87CD0A331E5097FF7B0FA2F2CE831458DB4977CF512B63C237F4B
SHA-512:	80E2EE351978D3D7F7120F3334765B2A3822B0051EB13124BC06E22907CC415E4AFB4B942525A2975333E9A315DDDDB83053EE350C2A25B7AE28A03C9012F432
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G.0U...........!................>,... ...@....@.. ....................................@..................................+..K....@.. ....................`....................................................... ............... ..H............text...D.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B................ ,......H........(.. ...........P ..}...........................................y..............lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.....(E.x.p.i.r.a.t.i.o.n

C:\Program Files (x86)\CPU Guardian\pt\Uninst000.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	4.065581190458283
Encrypted:	false
SSDEEP:	192:pQmlyNAAOgzypTazFIVzyEgw7JvN9rud7:pQmw2OyI0yETlTr87
MD5:	6AFADA9F452385D301123803443399AA
SHA1:	ED195CC59206F077BCE8186A2F1E4B37A43C5B89
SHA-256:	2060DB090D87894142C4556EC4914C6D4416CA5FB0DE8BF55A2F29A165BA321B
SHA-512:	C071FF19986CE74DE4D0341F3385A2ED7B32DD14D47E6D2547FDF555E3B7407A85B8B66C13FC5EE60B619BE17A0EDC65EB80716861540D0E5112013759DD56EF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...N.0U...........!................N3... ...@....@.. ....................................@..................................2..W....@..@....................`....................................................... ............... ..H............text...T.... ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B................03......H......../..4...........P ..o...........................................k..............lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......9..c..Y...Q....\|...b..c.0.}.B.0.S&.HTd{q.....J...!...y.......\...Y...R...G...............................e...T...................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s._.f.i.l.e.s._.a

C:\Program Files (x86)\CPU Guardian\ru\CPUGuardian.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	4.491247413221048
Encrypted:	false
SSDEEP:	1536:mTQUWl0G7k9WwyWl2ia6v3YbceFi4WXIBuYRbmiK8HLCoh33:IDNTJHhv30fWXI8LiK8HL5
MD5:	A763547105D323E47E6314F73AA7C974
SHA1:	C6300C01AED96E6DE9882EEC0805A4ED55313D3A
SHA-256:	203439DFC3D49595B2B86A139EFF247868B5ED16C255112F5F763A9D78BA7A5E
SHA-512:	B89C44D190F2361B1A6FE8FD24B7E3ADE5E3818CA0A4C54B3704FD1337B54EB935F342AB8200D8A283C66161D6E8F1FB3D4D17E7B26FFC29814DA9CE5D5F4B66
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X.0U...........!..... ... ......n?... ...@....@.. ....................................@..................................?..W....@.......................`....................................................... ............... ..H............text...t.... ... .................. ..`.rsrc........@.......0..............@..@.reloc.......`.......@..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPU Guardian\ru\Splash.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	4.2211282701766475
Encrypted:	false
SSDEEP:	48:6iXsf0MZrlGs+QklkRkek2NkfmkyWk+yk1kwDkCYK28Jsu0UgTGDIYKxOlR4/Nr5:tcVJkkDtNCmEXywHH28d0MlR696kV
MD5:	B45A96B29BBCC942991989C83B590046
SHA1:	B8040ADD80BB1BCD270F954252277F9880A11E04
SHA-256:	64083B3229DD74A47B7C3078454D8D5202161C7019DA43ADCD3B9402F1CF3AF6
SHA-512:	60CE08598C7B810ED7A2EEA266627D300A25512D72C9E3965DC984642E7D69CE1BD219C87F03253493B0E733AFB0FAAB5176A42159D3B48503326299B1FF2F40
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G.0U...........!................>-... ...@....@.. ....................................@..................................,..K....@.. ....................`....................................................... ............... ..H............text...D.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B................ -......H........).. ...........P ..~...........................................z..............lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...........q.....Aa..Ng.2Ml........Y.......?...{.......,.......j.......<...................J....E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.#....E.x.p.i.r.e.d.R.e.n.e.w.j....F.i.x.

C:\Program Files (x86)\CPU Guardian\ru\Uninst000.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	4.504808963956695
Encrypted:	false
SSDEEP:	192:9+Qmu8BQPOpzyaTa6J2kzyExyAOHu0K3:sQmtBtyg/yExylq3
MD5:	D7B8E775EAE5B85BB68E3DD92C532D49
SHA1:	5E91A7D8456BEDB3D602541BFBF0F0BCBFCF1607
SHA-256:	D11B433A442596EAD5D9D3E12DF6E00B827E57866CFF8BEFAA5A05A024516173
SHA-512:	8ECD845D6C74216CC5309787AA755305248DD429DF5696BB12625241FDF4FB0A54C796196AC0CE5E1D2FEA55B63A0CBE34DD04B9067652BDDAB2FAE782043F41
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...N.0U...........!................^7... ...@....@.. ....................................@..................................7..O....@..@....................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B................@7......H........3..4...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......9..c..Y...Q....\|...b..c.0.}.B.0.S&.HTd{q.....J...!...y.......\...Y...R...G...............................e...T...................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s._.f.i.l.e.s._.a

C:\Program Files (x86)\CPU Guardian\se-FI\CPUGuardian.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	3.9451674201385862
Encrypted:	false
SSDEEP:	1536:zBO0Hd8dK/yMPmcUst4lRJhSXtXxzD1hQpSXdXUihw9k:tOKdpdzUllRJodhzP4SNz
MD5:	FE8F698C654097EDAE0EBAB06CE93A67
SHA1:	7086FA465D1715643881E7D5A5002231F0D073CD
SHA-256:	BD79BC04C904C694F0E103DE2F864A27753684AFFBA29238762E7BC3E3ADFDE4
SHA-512:	C8FA3B48C4128A885552EE786BB53DF41202B505F8D8F63C1FF8A89986B3252E335A4E11982A2DCAA99F0C202A427E53119C789BCA79AB0F8CA10FFFAE89A1DD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X.0U...........!......... ......^.... ... ....@.. .......................`............@.....................................O.... .......................@....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........ ......................@..@.reloc.......@....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPU Guardian\se-FI\Splash.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.8528524103987323
Encrypted:	false
SSDEEP:	96:tLgNQ8ayDf4XkGDP9dKUpCKnURlRwTkV:FgNQ8ayDf4XkGDP9dUK4EI
MD5:	91A173B401ADB226D0D459AECB7185D6
SHA1:	28D8D8DD98B3F1BAF7C527A2D3D5D5CB8B70E77E
SHA-256:	A298B7E2D04B4B56F0EED8BA896F064CEA72D9D81B0D5DF3C6A7CAAA49403CFB
SHA-512:	59CD3607D6684B8278B29FC75CCBEAF7FEA35237FE187EDFF63171700425D8F999037414B4FD4F69A3232FD5F6A7EC231AE6D1492C50B3C029529C3B21FCBE7C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G.0U...........!................N,... ...@....@.. ....................................@..................................+..W....@.. ....................`....................................................... ............... ..H............text...T.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B................0,......H........(..$...........P ..}...........................................y..............lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.....(E.x.p.i.r.a.t.i.o.n

C:\Program Files (x86)\CPU Guardian\se-FI\Uninst000.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7680
Entropy (8bit):	4.0846400068915765
Encrypted:	false
SSDEEP:	192:VQmBZwlXOczyITaPDgzyEwNyzmyWhWoXs:VQmYU6yzayEwNyzZmds
MD5:	ED07C1AEDE2F42966952246E5849400C
SHA1:	184C827F6BAA7544474B6B5FB971BF331F0B338F
SHA-256:	CF9279BF0B716FD59DE5FC1F88B09E258DCE3ECCC69FEF64CB3E33C6A8C2EDEA
SHA-512:	419D0C43A870F92BFF9A769E8F20923E2CD0F731F82ECF69847F951D915B7E331DDE0F97877327C9D620862E3EE4A034A77179B55C6A8802D54C30983947A750
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...N.0U...........!................^4... ...@....@.. ....................................@..................................4..K....@..@....................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B................@4......H........0..8...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Program Files (x86)\CPU Guardian\sr-Cyrl-RS\CPUGuardian.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	4.379382974331268
Encrypted:	false
SSDEEP:	1536:HBOiGrPIxqYcDUfjEK+rFNvFjT4cR+nZ:hOiDgNw7EK+rFNvFjT4cR+Z
MD5:	F62A31D7978AD582B5940ADBD7532582
SHA1:	87363BC5C621072C87A80441788F89B6E6825AB0
SHA-256:	3994D737ED0B72BEDD358BFC57C10B4C5A6AA5137013D0019B00AD96EEE2DFD5
SHA-512:	F54408F6D96D44A239EEADCE95F0B482BF51E2305387F5F087BB250F4E89706D7414EF2861B57C0ACAEB3735A43DFF3C2A02FB66CE2DEB0D99629F150694AAFE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X.0U...........!..... ... .......8... ...@....@.. ....................................@..................................7..K....@.......................`....................................................... ............... ..H............text...$.... ... .................. ..`.rsrc........@.......0..............@..@.reloc.......`.......@..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPU Guardian\sr-Cyrl-RS\Splash.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	4.321459539979928
Encrypted:	false
SSDEEP:	48:6ZH/ADGMllR84kFkfk9kPk5kyxk+9k4kwgkeOrtDjNyoljNrOlR4X3NoqrlhIHaz:uL44C4S0zX9tscBtLKlRmprikV
MD5:	CD70D773593C270F0E513AEE9BB684D9
SHA1:	031C4D1E1971A9FDBC4A8AF8E289459FC863366B
SHA-256:	31B4E37303E012A4D3D44B175B27B910030845C2F138C952B5BADAAFE59789D4
SHA-512:	4A8718A89E19C26CD34A246745480769BDA42B46183B8F3FA84408025A826E019EB1071D417F27BB55DAF68E7700EE9B8DC4CEBD0026981075B23C598F27A9E4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H.0U...........!.................-... ...@....@.. ....................................@.................................x-..S....@.. ....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................-......H.......H*..0...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.%...(E.x.p.i.r.a.t.i.o.n

C:\Program Files (x86)\CPU Guardian\sr-Cyrl-RS\Uninst000.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	4.110367815320927
Encrypted:	false
SSDEEP:	96:QtdWI0Uk10zmZ70Uk0BO0/B0sV0Wz02kE0WEVFnzQlK5vwTaFGYuUV2zQlEn1OX2:6KQmBZBquOdzy1TaFBwzyEYNylVVjf
MD5:	4FB24C40602FF79E2DAFD6F1579436CA
SHA1:	4DFDD44AE0D33D27D043D91BF682B5C025539FEB
SHA-256:	F8CBF8BD6CEDCD79CBF62F4F3C81FC788DF3B42820D190F4B9FADB197E7EDAC6
SHA-512:	7D64F42171CB5A5AE710EA8B8704A8295C6BE040CECEE250D382AFD5F7C1A5D91E4F07A6D270AA935DDA997D0E9D4797F08B3C7532A5B5C8C2F302876262BD09
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...N.0U...........!.................3... ...@....@.. ....................................@.................................l3..O....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................3......H.......(0..D...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Program Files (x86)\CPU Guardian\sr-Latn-RS\CPUGuardian.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	3.9486263178080003
Encrypted:	false
SSDEEP:	768:dBOd56m5w9a1YMdNaJDWEPdtE4AgAdwrntEkihu:dBOn681YMLsC4pAdwryJA
MD5:	DA64FDCF62E86D27A2AEFE9A6A16CC01
SHA1:	15695B0C5A54BB769C257E6DD94EC861BD228A9E
SHA-256:	72FB8DBA2A4A7F3A521815702CA28FFDEFF00EEAEAAB92A94382D6915BB29658
SHA-512:	AD1373EECE3A3906D5A626927233867552507D4E88C5C90FD93E7FCBEDBF47CEDFD2C50215D0D38286F27820CE2AB1AADB22F141348C96B101EC591188B07D2C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X.0U...........!......... ......N.... ... ....@.. .......................`............@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPU Guardian\sr-Latn-RS\Splash.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.78375600624741
Encrypted:	false
SSDEEP:	48:6ZYKDGMljklMk3k1kEkGkukyzk+ZkJkwZkMpAzuY5rVkPuYUOlR4X3N1qghIHaq8:ugMuYpDbFXZcdzpxYDkWYRlRmunkV
MD5:	DBCF2704FB624DA8BED5E9F8F5411D7D
SHA1:	ADFCC4784E8392892AEB630147D01478779B9452
SHA-256:	48304509F026310A5DC7C78D334B0785FD08F3E2B9C314D179D642581C4AD70A
SHA-512:	2EB251C61E938521A6D28879C724CE13E329E2FD48ADE8F960F134AD48426177CDCD6DAC4E6EE6802969D4213D3E714665F1785AF202E6091377D7937C2732D6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H.0U...........!.................,... ...@....@.. ....................................@..................................+..K....@.. ....................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................,......H........(..0...........P .._...........................................[..............lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.....(E.x.p.i.r.a.t.i.o.n

C:\Program Files (x86)\CPU Guardian\sr-Latn-RS\Uninst000.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	4.080209394120206
Encrypted:	false
SSDEEP:	192:CKQmBZeTFOOzyPiTaDaSczyETNywf7Hv:CKQm2gky5SyETNy8Hv
MD5:	565514DB8F1053DE70BDE7D6EDAA68F7
SHA1:	A3F3FB7A52C6B1F6E74DD6FEF307340B56BDE584
SHA-256:	D82B05BF241CAA4820EFECF5C410C6398CAE3013A2B3FF0205B876396DA03814
SHA-512:	6BC4A18C49FE31C3DA9776A43B9E05D066BADCAC36AA33552C31345F32F6FA866C1F2BC3CA6CED7CAA96B10BF676DE69E350B0AE76252DA2A17E066ACED7AEB3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...N.0U...........!.................3... ...@....@.. ....................................@.................................h3..S....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................3......H.......$0..D...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Program Files (x86)\CPU Guardian\sv\CPUGuardian.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	3.945156930938208
Encrypted:	false
SSDEEP:	768:3BOdwM1hnv/NAZisOjUoenPXwJmF4gu/DAkIlSsHl/qa:3BOSM/1AZiC8mF4TsbzHl/B
MD5:	C6963BC4B4923925C341E2DF9581733D
SHA1:	291A1EDC05E005D74485E372E98D80C8FFF1CC4E
SHA-256:	398B649ADCE9C7E3AAECCA57C838DCD44F1AB07F863362C727EF76712571B74F
SHA-512:	B63D43B389AD736789DE5F1E10FA46AE8B7EBD8D1FB87336141DF981F7624F739B2E774C0998119E85D5D867D4C48EF45FDEBB7F9CD158517DD26CF4D0D06585
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X.0U...........!......... ........... ... ....@.. .......................`............@.................................`...K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPU Guardian\sv\Splash.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5120
Entropy (8bit):	3.9504912557880996
Encrypted:	false
SSDEEP:	48:6Zl0DGMljERQkBk+kRkHkpDkygk+ykHkwmkEGlAu0A7V+II1VOOlR4/NfU7wqAhD:uTQgTsqYmXyCCZigPIIrlRYUkV
MD5:	2971D47CAA85DF274B4133D111682F00
SHA1:	DEAA7A99DC17F4480423E41C4393B594BF66BC2A
SHA-256:	2BC2986503EFBCD0C74AD43109F3B60BF412C53A8C0E578AF0C4E585F991F916
SHA-512:	97F4E146C446EFDC110A9B626043CA48854A7C2F2BC59E071BC6C0E32723D3683FFEA083994F0B1A8B377991C0D1395EAC759F291C3E21A92695B00586BC9E03
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H.0U...........!.................+... ...@....@.. ....................................@..................................+..K....@.. ....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................+......H.......p(.. ...........P .. ..........................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.....(E.x.p.i.r.a.t.i.o.n

C:\Program Files (x86)\CPU Guardian\sv\Uninst000.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	4.175782760061513
Encrypted:	false
SSDEEP:	96:QyI0Uk10zmZ70Uk0Bo0/X0sXP0WB02ku0WEVFZzQliDfvzwTaxCY+oVOzQlEb1Ny:hQmBZjcYOjzybTaxlczyE6NyuXBH
MD5:	D6C13FA525441958209715CB05EDB0B5
SHA1:	1B13E49504861C74457FFF8310036393D503F744
SHA-256:	9083496FD71FBC09E63431354DF60DDFA83DD9E0839A2575849962688CEF2315
SHA-512:	1B52EA254DC0958A18F4721D7E822FF5483ECE3F29F093478D53A24E00E69141AE3E5DE17BA84CC5F3C40DE0E6D8D18D404FBC54B6847CFB743AE08AB3E04F52
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...N.0U...........!.................3... ...@....@.. ....................................@..................................3..K....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................3......H.......\0..4...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Program Files (x86)\CPU Guardian\th-TH\CPUGuardian.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	4.365412956920742
Encrypted:	false
SSDEEP:	768:ZBOda5CIXxCPz2bR8TPk0rLKRwhmjgSgh1Hh1xr6eLRSmDusAQli6YhfNjYhfNt3:ZBOgsPz2bI+R8EWnJD3UHYgR0xEkF7
MD5:	7A3577B2742256B20A74CD8D02F20672
SHA1:	C1CA4471F1E4CB7653D0E857E94E44837BB1811D
SHA-256:	6AA27257943D86865D162F55628EBC1E16957C220DB2DAE70380A755FCA61726
SHA-512:	2EDEC392959901B180F635E209E273040F4BDFD13A770CBF08525E169DDCBEA3437871D5A8638D1B5D00D992C0E0D452E6DCC250E8B6181A580BEDF0C82465FB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X.0U...........!.....P... ......Nb... ........@.. ....................................@..................................a..O.................................................................................... ............... ..H............text...TB... ...P.................. ..`.rsrc................`..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPU Guardian\th-TH\Splash.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.312306988769099
Encrypted:	false
SSDEEP:	96:uJwKzTE45wNXkWtmrL2Cgh2wlvYMi2s2wlvRlR3ckV:KwITE45wNXptmrqCghjlvYMfsjlvRrv
MD5:	4969D48F11E92C1AE109BFCB59D1590B
SHA1:	97914E3AA7E397B06EA4C4B3F5AC6CFA94047D13
SHA-256:	77B59617FDAB29CFA36D371AE3E11C2C014BC7751F78BFFA9CBFEDF5BEE34DC2
SHA-512:	134F1E2F0F36FA71017357E5BB6B697AE23E38601F839749C6CC1A05510FAB6C1FB256595D4E7A0F3B53903F66224D3001E0C405DF534D5CF995EB12DE3C51C0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H.0U...........!................>/... ...@....@.. ....................................@.....................................W....@.. ....................`....................................................... ............... ..H............text...D.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B................ /......H........+..$...........P ..n...........................................j..............lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.1...(E.x.p.i.r.a.t.i.o.n

C:\Program Files (x86)\CPU Guardian\th-TH\Uninst000.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	3.9286963323819766
Encrypted:	false
SSDEEP:	96:VLhv0Uk10zmZ70Uk0BN60/j0so60Wd02kC0WEVF1zQlS/fvsTapqYuAzQlEPWyyQ:SQmBZNucgEOfzysMTap9VzyEKNyqtHq
MD5:	9B183C25446CD228D6186EA28271F453
SHA1:	01A542FC5A4E5E1F858ADD959D5E008A07E689DB
SHA-256:	7430893D1163719DAF880429B8F8DCD73D89BBDD4B6219E6947012D2B4EA99BF
SHA-512:	F7900351C2B701613A8D1B867F832E9A0F34A3676BA967C83BF953B5DB105E6E52B4499337CF777DAEC8E6EF9FC92777A9FD4827CAE37E4F7EFD3BCD4B4513D5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O.0U...........!................~2... ...@....@.. ....................................@.................................$2..W....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B................`2......H...........8...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......9..c..Y...Q....\|...b..c.0.}.B.0.S&.HTd{q.....J...!...y.......\...Y...R...G...............................e...T...................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s._.f.i.l.e.s._.a

C:\Program Files (x86)\CPU Guardian\tr-TR\CPUGuardian.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	4.039988619807441
Encrypted:	false
SSDEEP:	768:MBOdP6rIg1ZFzz6fxHot0MTudACujzguZtqgkRFUHkIn8:MBOZ6PZFzqqu+C2suZtTk28
MD5:	837C1A02186D2D53D7C230F2D25CF0CD
SHA1:	5B810F63C65608FC23D0D9C63BD47A8CE86219A1
SHA-256:	AC9A78FDCF1B11618306E92DA60DF5830D64A13A512E9E3D1670291F32ACB83A
SHA-512:	2F7279B7E7D14C7DFC39A3629F21AF023B2FD5CC27A69F1091C13726BF1ACC2564E1D7B7CDD0D3BE0B4D0E09B665406B783D6334F7E1D2667D739A26EE5AFA6A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X.0U...........!......... ........... ... ....@.. .......................`............@.....................................O.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPU Guardian\tr-TR\Splash.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.746627833688834
Encrypted:	false
SSDEEP:	48:6ZQZ/DGMl8FXGk4mkOkUk8kakyNk+3kzkwAk+lAulPPi4zOG68sBxHBPi4zOG9uc:u5GcD5RX7X3eM9VxdHsDJxdolRXYYkV
MD5:	5435202B35683F86EB338A24018EDB07
SHA1:	71D87E1473765492987C70053A8A2400C9DB245F
SHA-256:	3E2FC5979EFF712345FD454EEC98E2F1C0B09A34A610F5C8E9C5983B42C65E3A
SHA-512:	CB76D3FEBD0DBD5D9870658438903A84BFC539B3DAA13CD2834C0A9AE5532675538A11F3CC7A6E48FC7502A9A8D5FA310FD162BF7E8B536C17C7DB422219A377
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H.0U...........!.................,... ...@....@.. ....................................@..................................+..W....@.. ....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................+......H........(..$...........P ..=...........................................9..............lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.....(E.x.p.i.r.a.t.i.o.n

C:\Program Files (x86)\CPU Guardian\tr-TR\Uninst000.resources.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	3.896516122737556
Encrypted:	false
SSDEEP:	96:VJv0Uk10zmZ70Uk0Bl0/E0sM0Wh602kP0WEVFSzQlfoovSTaP0YWQzQlE9FLNspN:eQmBZwlXOczyITaPDJzyE/NylN2m
MD5:	29BF2AFF2FD6CEB9234D8C1E776525FB
SHA1:	946ACD392E7F9E3637FDFE262F152128BA317DD9
SHA-256:	F73BEC1CD2230070EB891906FB581F7AEB5736C4789B1C64B612CD73A77D3050
SHA-512:	1F19BBA83E706CC1CF2D000372A89F435AC87B9989BE8028CA151977916A17AAB77FCAC9027E288012B586CA505FDC8F3EBD181DF28E50F0B90609BEFE0FB8D8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O.0U...........!................^2... ...@....@.. ....................................@..................................2..K....@..@....................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B................@2......H...........8...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......9..c..Y...Q....\|...b..c.0.}.B.0.S&.HTd{q.....J...!...y.......\...Y...R...G...............................e...T...................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s._.f.i.l.e.s._.a

C:\Program Files (x86)\CPU Guardian\updater.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	433640
Entropy (8bit):	6.125248413835682
Encrypted:	false
SSDEEP:	6144:YGDVPVmyTCYbbLe+Bz1iE1/M7xbQE9VP/A7mULxKEmgDx4Qygjq2Hvp:YGCyTCYbbfB1iEm7xME95A71L34QD
MD5:	55C585039516BE3AD631C2C4D7427699
SHA1:	31B0C9D42E7919C7801920005C71BF3BB0B8DBA5
SHA-256:	773C09B3DCBD38F08521228D3E0521182EE84E4D8BF22C33F28CC30A0D217F3D
SHA-512:	72F64F17FF5CDF51EE0116C8FC95C23C2ACA5DC360B7ABE49108741EEE11061320586DDDFD478CCE75E246C7E91A38419DB2B190EE4B0479C59EDA9F30BD85E9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 27%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........s..u ..u ..u ... .u ... .u ... ..u ... z.u ... .u ..t ..u ... ..u ... ..u ... ..u Rich..u ................PE..L...>.4T..........................................@.................................Nw....@..........................................`...........................,......................................@...................d........................text............................... ..`.rdata..dn.......p..................@..@.data...\L.......*..................@....rsrc........`.......,..............@..@.reloc...B.......D...B..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPU Guardian\updater.ini

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	410
Entropy (8bit):	5.448072035390801
Encrypted:	false
SSDEEP:	12:1CbmtHMd37f3MfC3MH4wlSmvDrHaMYCBYZJbJ:1GMHM97f3Ma3MH55LuMYCBW9
MD5:	A9E9B4C17A91FC4A11364C3CCEAA0AFC
SHA1:	C6F4BD9CF7AC832B9BC2D876B830D6AA74E30A2B
SHA-256:	8FC970959D3430C15B4E4C987216B33DDDCFCE89A78BB2FD0994ABEB91B57F4C
SHA-512:	99059887FB8FA733FF2CB008D949474D39EA3E51DFEA0877EF5760BBE341C28C058CC499BF159892FFD7A5804C88853927136930BAFEE4ED4BF542274C148940
Malicious:	false
Preview:	[General]..AppDir=C:\Program Files (x86)\CPU Guardian\..CheckFrequency=2..CompanyName=CPU Guardian..ApplicationName=CPU Guardian..Flags=PerMachine\|ShowConfigOptionsButton..ID={384B7686-1061-40F0-B564-42388708B63A}..ApplicationVersion=2.6.1..DefaultCommandLine=/checknow..DownloadsFolder=C:\Users\user\AppData\Roaming\\CPU Guardian\updates\..URL=http://setup.shieldapps.biz/registry/cpuguardian/s/updates.txt..

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CPU Guardian\CPU Guardian.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Fri Apr 17 04:34:14 2015, mtime=Wed Oct 30 15:36:05 2024, atime=Fri Apr 17 04:34:14 2015, length=5139432, window=hide
Category:	dropped
Size (bytes):	1067
Entropy (8bit):	4.691698080183554
Encrypted:	false
SSDEEP:	12:8mQ6b400Xilm9e/EXKdp8DCDU//Lc2++mV7znl5XTNtlZjA7amtHM9YbdpYm9X7E:8mZ8/OEadOErA+MHMGdcdOUUHGyfm
MD5:	F95E6622BE6BC576EFC98BCEBE3BC70D
SHA1:	3C8FF6E0874F198B4B98C8163E0E2A834930571D
SHA-256:	49124E5AA6DC9BD80ECABB9D58994970E2B964A5C861E6AC70DD2B2A40BCA8AC
SHA-512:	36174D484AD776B836510D64259BAD0AB14FC1DF644E0890821A632E1B5E1021058E6FF13C3936223C2A2F93727EC8004D954D68F3630E791F911637CC92BBBB
Malicious:	false
Preview:	L..................F.... ....R.#.x...w......R.#.x...kN..........................P.O. .:i.....+00.../C:\.....................1.....^Y....PROGRA~2.........O.I^Y......................V.....v...P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....b.1.....^Y....CPUGUA~1..J......^Y..^Y.............................4D.C.P.U. .G.u.a.r.d.i.a.n.....l.2..kN..FH, .CPUGUA~1.EXE..P......FH,^Y.......G.....................i..C.P.U.G.u.a.r.d.i.a.n...e.x.e.......b...............-.......a...........X3uk.....C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe..B.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.C.P.U. .G.u.a.r.d.i.a.n.\.C.P.U.G.u.a.r.d.i.a.n...e.x.e.$.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.C.P.U. .G.u.a.r.d.i.a.n.\.........................@Z\|...K.J.........`.......X.......835180...........hT..CrF.f4... .K.T..b...,.......hT..CrF.f4... .K.T..b...,..............A...1SPS.XF.L8C....&.m.%................S.-.1.-.5.-.1.8.......

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CPU Guardian\Uninstall.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Sat Dec 7 08:10:02 2019, mtime=Wed Oct 30 15:36:02 2024, atime=Sat Dec 7 08:10:02 2019, length=59904, window=hide
Category:	dropped
Size (bytes):	1931
Entropy (8bit):	3.6364159387273745
Encrypted:	false
SSDEEP:	24:8QR/J+D1U7b4dAkwB+sj+sgjc+MSjvSqq4WSjNcH2yfm:8QR/uEb4W5jr0c5OvSAWO6V
MD5:	CC6D6831A773286C77023259892B0E24
SHA1:	61CE7D77D293A8178EF5F9179D85CFC2A12F10BD
SHA-256:	59A94D3818562199DA0E858BBB78770A8FAEC5801FBE6DA7B4E27D0D4D01768D
SHA-512:	4E8D8BE543B4633CA3A6DA82FC39E8129D0D665C449E1DD0C86B899B6469D6E725A88BF593A9DDB48977A47961B41EB3558459DE2D8279A1D9D442CED4D69497
Malicious:	false
Preview:	L..................F.@.. ...25..........*..25.............................A....P.O. .:i.....+00.../C:\...................V.1.....DWP`..Windows.@......OwH^Y}.....3.....................y..W.i.n.d.o.w.s.....Z.1.....^Y{...SysWOW64..B......O.I^Y}.....Y.....................$...S.y.s.W.O.W.6.4.....b.2......OBI .msiexec.exe.H......OBI^Y..................\|.............m.s.i.e.x.e.c...e.x.e.......N...............-.......M...........X3uk.....C:\Windows\SysWOW64\msiexec.exe........\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.m.s.i.e.x.e.c...e.x.e...C.:.\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.)./.x. .{.8.7.D.8.C.F.C.2.-.0.E.3.5.-.4.B.F.0.-.8.1.B.C.-.C.5.B.3.D.1.6.5.2.F.6.D.}.S.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.8.7.D.8.C.F.C.2.-.0.E.3.5.-.4.B.F.0.-.8.1.B.C.-.C.5.B.3.D.1.6.5.2.F.6.D.}.\.S.y.s.t.e.m.F.o.l.d.e.r.m.s.i.e.x.e.c...e.x.e.........%SystemRoot%\Installer\{87D8CFC2-0E35-4BF0-81BC-C5B3D1652F6D}\SystemFoldermsiexec.exe..........................................

C:\Users\Public\Desktop\CPU Guardian.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Fri Apr 17 04:34:14 2015, mtime=Wed Oct 30 15:36:05 2024, atime=Fri Apr 17 04:34:14 2015, length=5139432, window=hide
Category:	dropped
Size (bytes):	1049
Entropy (8bit):	4.69893564303814
Encrypted:	false
SSDEEP:	12:8miKGn400Xilm9e/EXKdp8DCDU//Lc2++mV7znl5XTNtlZjA7amtHM9nbdpYm9Xo:8mp9/OEadOErA+MHMhdcdOUUHGyfm
MD5:	692858E4F4658F422CEA0FAEAB9BC1D9
SHA1:	A52A62CB8755D25F3381A97832A658B5B1B4C9E3
SHA-256:	8208B379D7632688003CF0E3BDA6ECB9FCF7B2D1D8D4F69DE869096B77F6148D
SHA-512:	F9D640A45DE8FE627781972B191D3820DE3501D88F96E679AAD3A8E8A749046BA8B951BE5752D6F79152E8CCD8107BAA4D444A72B7D4DAF7B942A39692D40B14
Malicious:	false
Preview:	L..................F.... ....R.#.x..rY......R.#.x...kN..........................P.O. .:i.....+00.../C:\.....................1.....^Y....PROGRA~2.........O.I^Y......................V.....v...P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....b.1.....^Y....CPUGUA~1..J......^Y..^Y.............................4D.C.P.U. .G.u.a.r.d.i.a.n.....l.2..kN..FH, .CPUGUA~1.EXE..P......FH,^Y.......G.....................i..C.P.U.G.u.a.r.d.i.a.n...e.x.e.......b...............-.......a...........X3uk.....C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe..9.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.C.P.U. .G.u.a.r.d.i.a.n.\.C.P.U.G.u.a.r.d.i.a.n...e.x.e.$.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.C.P.U. .G.u.a.r.d.i.a.n.\.........................@Z\|...K.J.........`.......X.......835180...........hT..CrF.f4... .K.T..b...,.......hT..CrF.f4... .K.T..b...,..............A...1SPS.XF.L8C....&.m.%................S.-.1.-.5.-.1.8.........9...1SPS..mD..pH

C:\Users\user\AppData\Local\CPU_Guardian\CPUGuardian.exe_Url_iwid41inmr3ot3ooc1a1q3rf4b4cgitj\2.6.1.0\4dijbbh5.newcfg

Download File

Process:	C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	319
Entropy (8bit):	4.42981273039719
Encrypted:	false
SSDEEP:	6:TMVBd1IGnOGAOYYQCI0RXKRF/+uKpvvvXfxAONI3QIT:TMHdGGnOXOBEN+uKpvvvXaONI3xT
MD5:	C3712A40A97B4CA4D23D92E582C3AB19
SHA1:	3129333C2C32A7238570E57C348B3E9E9963CA2C
SHA-256:	E39C48E501F99CF9C50FBA3D74C105D55C42FC7666F590532D1BFBB1DFC958DD
SHA-512:	DF184A90728C0F251C10D5DB10CDC4F675DCD8E4A67E0D8559E3972084FCEB9EB94136427D81BA93F68731BA36CF61EEDCD1CBA5B2772F6F4F537FC464EF017F
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <userSettings>.. <RegCleaner.Properties.Settings>.. <setting name="Regged" serializeAs="String">.. <value>False</value>.. </setting>.. </RegCleaner.Properties.Settings>.. </userSettings>..</configuration>

C:\Users\user\AppData\Local\CPU_Guardian\CPUGuardian.exe_Url_iwid41inmr3ot3ooc1a1q3rf4b4cgitj\2.6.1.0\j2je5pbx.newcfg

Download File

Process:	C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	455
Entropy (8bit):	4.433671409464578
Encrypted:	false
SSDEEP:	12:TMHdGGnOXOfqEN+6RTw/mvvXBEN+uKpvvvXaONI3xT:2dexkvREKpnvQ
MD5:	23F9963829B0427D6D9F8D56F78C0F85
SHA1:	C6D661DD9878480425542299C81AA694153356BE
SHA-256:	6ADD558B730A34BA10D413FF0E0C36A289455678C2765F5959C9C098E31C4225
SHA-512:	421EF0651B92F1AF4F4E04BCE1B1051E7B15307E39AB2380B6F7DC3B4E9C16F7A3AA488ECB03ED6A6C742988A7E7BEF2A8D8EBA21AFD0EEAACB596F0458CDBAD
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <userSettings>.. <RegCleaner.Properties.Settings>.. <setting name="LastScan" serializeAs="String">.. <value>11/01/2024 11:21:20</value>.. </setting>.. <setting name="Regged" serializeAs="String">.. <value>False</value>.. </setting>.. </RegCleaner.Properties.Settings>.. </userSettings>..</configuration>

C:\Users\user\AppData\Local\CPU_Guardian\CPUGuardian.exe_Url_iwid41inmr3ot3ooc1a1q3rf4b4cgitj\2.6.1.0\user.config (copy)

Download File

Process:	C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	319
Entropy (8bit):	4.42981273039719
Encrypted:	false
SSDEEP:	6:TMVBd1IGnOGAOYYQCI0RXKRF/+uKpvvvXfxAONI3QIT:TMHdGGnOXOBEN+uKpvvvXaONI3xT
MD5:	C3712A40A97B4CA4D23D92E582C3AB19
SHA1:	3129333C2C32A7238570E57C348B3E9E9963CA2C
SHA-256:	E39C48E501F99CF9C50FBA3D74C105D55C42FC7666F590532D1BFBB1DFC958DD
SHA-512:	DF184A90728C0F251C10D5DB10CDC4F675DCD8E4A67E0D8559E3972084FCEB9EB94136427D81BA93F68731BA36CF61EEDCD1CBA5B2772F6F4F537FC464EF017F
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <userSettings>.. <RegCleaner.Properties.Settings>.. <setting name="Regged" serializeAs="String">.. <value>False</value>.. </setting>.. </RegCleaner.Properties.Settings>.. </userSettings>..</configuration>

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CPUGuardian.exe.log

Download File

Process:	C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1119
Entropy (8bit):	5.345080863654519
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
MD5:	88593431AEF401417595E7A00FE86E5F
SHA1:	1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
SHA-256:	ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
SHA-512:	1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstAct.exe.log

Download File

Process:	C:\Program Files (x86)\CPU Guardian\InstAct.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1248
Entropy (8bit):	5.347863460191528
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qpsXE4qdKtKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MIHK5HKH1qHpH7YHKh3oPtHo6hAHKzeR
MD5:	479D9CB1F22479ECD109A4A9DAF58EEE
SHA1:	5D0D82D0D3927C90858063D77F18613D32E7EF18
SHA-256:	538E5F5780382E75CF32B93688D25A660C5CCE95DA7E6A380F5EEACC9639CE9A
SHA-512:	BB485614AF4C62E9AA441ED53DC36CA48439A938546D2312FE3F378641B4029BBB2B009E8915D354DEA292774ED33D47DBBBBEFC741E566E72DA2356459BC4E7
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\96012833bebd5f21714fc508603cda97\System.Management.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa

C:\Users\user\AppData\Local\Temp\AIBB_7964.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	554
Entropy (8bit):	3.413733649469819
Encrypted:	false
SSDEEP:	12:j1RhcGtdArX/ds1vRKQ19ncGtsTHb3mq+16rRNEEtcGt9S4DLYKXjp:fhckiX/K9XncdTrFrrEUcO/DLYO
MD5:	2D8A4C9E5CE4A4A256EF72A77E1A7E34
SHA1:	30C3557443D807F216854EF0E4CCC7BBD61D49CE
SHA-256:	1471EB0253310A24893D31EC6325AE3560D7829BE5D9CD56DE7EF50D0BAB37E8
SHA-512:	F3F35FB3BB18D0C50D5EAEDAAF26092BE169069E3F10AABFC1A145B4B2D741C5790F75D2600080DE79ADDE2434F2D118F22C12BEB3C2AFE55672E7B75097477B
Malicious:	false
Preview:	........C.:.\.....................7...C.:.\.A.I._.R.e.c.y.c.l.e.B.i.n.\.{.D.9.0.2.B.8.1.6.-.9.7.A.7.-.4.F.E.D.-.B.2.B.1.-.8.A.5.6.B.A.0.1.0.9.2.5.}.....D.:.\.....................V...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.A.I._.R.e.c.y.c.l.e.B.i.n.\.{.E.3.C.A.B.6.0.D.-.7.1.A.4.-.4.3.9.0.-.8.1.3.9.-.8.6.8.4.1.9.B.6.F.1.D.6.}.........H.K.C.U.....................O...H.K.E.Y._.C.U.R.R.E.N.T._.U.S.E.R.\.S.o.f.t.w.a.r.e.\.A.I._.R.e.c.y.c.l.e.B.i.n.\.{.1.C.A.6.C.8.5.3.-.6.8.2.F.-.4.5.0.D.-.B.F.9.6.-.8.E.C.6.2.D.A.B.3.D.B.B.}...

C:\Users\user\AppData\Local\Temp\AI_ResourceCleanerLog.txt

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6824
Entropy (8bit):	3.231354205953975
Encrypted:	false
SSDEEP:	96:tadwpkcO73/KzrJvzrXzrhJTLadwpf/lrlh2s4Q6adwp0CBN:taFf7vK/Jv/X/hNLauNRgLPaK7
MD5:	3217FA41A7AC1B3A60ECAE68FE18F915
SHA1:	5BE71DE98544255428FF95751969201CE0D1ACE1
SHA-256:	EF04F9A467E96BCCB23ABA8CA412550B7FBF5E87787FBFAB85661614B606C663
SHA-512:	CAF21FCC86434530AB57E29FF94E2A3540327F565357FB247219190E31EECF737FAF32C1881DBD7BFE111093CAD12B4959ACD5E016EFD183D3483963417D9DD6
Malicious:	false
Preview:	......<.<. .A.d.v.a.n.c.e.d. .I.n.s.t.a.l.l.e.r. .(.x.8.6.). .L.o.g. .>.>.....<.<. .O.S. .V.e.r.s.i.o.n.:. . .M.a.j.o.r.V.e.r.s.i.o.n.:. .6.;. .M.i.n.o.r.V.e.r.s.i.o.n.:. .0.;. .B.u.i.l.d.N.u.m.b.e.r.:. .6.0.0.0.;. .P.l.a.t.f.o.r.m.I.d.:. .2.;. .C.S.D.V.e.r.s.i.o.n.:. .;. .S.e.r.v.i.c.e.P.a.c.k.M.a.j.o.r.:. .0.;. .S.e.r.v.i.c.e.P.a.c.k.M.i.n.o.r.:. .0.;. .S.u.i.t.e.M.a.s.k.:. .2.5.6.;. .P.r.o.d.u.c.t.T.y.p.e.:. .1.;. .>.>. .........#. .2.0.2.4.-.1.0.-.3.0. .@.1.2.:.3.6.:.0.1. .[.P.I.D.=.7.8.4.0.\|.T.h.r.e.a.d.=.7.9.1.2.]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .\|. .O.n.A.i.R.e.m.o.v.e.F.i.l.e.I.m.m.e.d.i.a.t.e. .s.t.a.r.t.......#. .2.0.2.4.-.1.0.-.3.0. .@.1.2.:.3.6.:.0.1. .[.P.I.D.=.7.8.4.0.\|.T.h.r.e.a.d.=.7.9.1.2.]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .\|. .M.s.i.T.a.b.

C:\Users\user\AppData\Local\Temp\{C7F8B9FC-A653-4074-A59A-3A17D9B805FE}.bat

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	90
Entropy (8bit):	5.220701674175138
Encrypted:	false
SSDEEP:	3:GOt+kiE2J5xAIudnVZTIVwQcgdShcXHwEhFK0w2:Fwkn23fSVtIVwNc3XFK03
MD5:	D826F2CEDB00713B8A1767A9F4356D53
SHA1:	AE587D6DB1223573F2901DA30395FA8F97E5CBB8
SHA-256:	926C667A65F122020F33E7E433472841E12AAE9E27F38F16CAF74C865970DAA6
SHA-512:	71EB2A535BCBDB00498DE09F7CEF81FEAA93BDC85A5CC8305472FEE38ADD10294C909F07C602B0EF794AF243DA174066DBCED064099ED3CFE9DC0C1C39650305
Malicious:	false
Preview:	del "C:\Users\user\AppData\Local\Temp\{C7F8B9FC-A653-4074-A59A-3A17D9B805FE}.bat" /Q /F..

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\CPUGuardian.exe

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5139432
Entropy (8bit):	6.361730150038723
Encrypted:	false
SSDEEP:	98304:1j71i71W71A71f71v71v71J71v71v71J71v71v71v71Z+y+pcemEIl02Tsp6bwK6:1jQsCdddTddTdddv+y0cemEIl02K6bwV
MD5:	E6401E23BAC056176D4A2497DA0F9767
SHA1:	0CC148FDA90567EB03080647AF914C702FC7266F
SHA-256:	D36125C54BA2DF1822F95597323573A8028CD259B1D11C457D538744FB9476EF
SHA-512:	73E2EFE47CAD7F19B64E5787FC7770B1E4089A1709F3F6CB1FC19DA14C755C591A86001C17694B9ADEC69580D1622DD4F366B64ED477AD1137200B2EF70DB232
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 33%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...U.0U..................L...........L.. ....L...@.. ........................N.......N...@.................................T.L.W.....L.8............TN.......N.......L.............................................. ............... ..H............text.....L.. ....L................. ..`.rsrc...8.....L.......L.............@..@.reloc........N......RN.............@..B..................L.....H.........H.\\..............0.D..........................................0...........(.....(.....{....(/...o.....{....r...p(....(....-.(q...+.(p...(....(....o.....{....(+...(....-.(-...+.(,...(....(....o.....{....()...(....(....o....(....r...p(....,=.{....r#..p.........((......(.......(.......(......(....o....(....rC..p(....,<.{....(..........(....rI..p(..........(....rQ..p( ...o....+..{....(*...(....(....(....o.....{.....o!....{.....o!....{.....("......(#....[.{....o$......(

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\CPUGuardian.exe.config

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5510
Entropy (8bit):	4.20288350069814
Encrypted:	false
SSDEEP:	96:YrDNI7+nXn+hnQn/nTnkncnInCn0VnAn9nonanL0ntnyAnincn6nFnUznenuAnrD:Yr5Tku
MD5:	9A2B1FC6B00891288A905A7788D45E95
SHA1:	090EF58AE8284126D46D715CF61F4336432CF944
SHA-256:	5FD381FD5E214938A7E541C1423D291C98E815796F066ECD3CCDBBA9F9B4C19A
SHA-512:	43F398D7FE232C0568552EE7A1AA5C825EF523087B9D02016AC746867268A8C5D1ABBABC0E7A62E7D21C58D55F1FDEBE218A7F4F4348A972531BF35076489486
Malicious:	false
Preview:	<?xml version="1.0"?>..<configuration>.. <configSections>.. <sectionGroup name="userSettings" type="System.Configuration.UserSettingsGroup, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">.. <section name="RegCleaner.Properties.Settings" type="System.Configuration.ClientSettingsSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" allowExeDefinition="MachineToLocalUser" requirePermission="false"/>.. </sectionGroup>.. </configSections>.. <userSettings>.. <RegCleaner.Properties.Settings>.. <setting name="LastScan" serializeAs="String">.. <value/>.. </setting>.. <setting name="CreateRestore" serializeAs="String">.. <value>True</value>.. </setting>.. <setting name="WriteLog" serializeAs="String">.. <value>True</value>.. </setting>.. <setting name="VirtualDevices" serializeA

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\CPUGuardian.msi

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Title: Installation Database, Keywords: Installer, MSI, Database, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Number of Pages: 200, Security: 0, Code page: 1252, Revision Number: {19B047E6-8562-4C6B-BBED-1F83ED1824A4}, Number of Words: 0, Subject: CPU Guardian, Author: CPU Guardian, Name of Creating Application: Advanced Installer 11.5.1 build 60347, Template: ;1033, Comments: This installer database contains the logic and data required to install CPU Guardian.
Category:	dropped
Size (bytes):	1278464
Entropy (8bit):	6.453906709405942
Encrypted:	false
SSDEEP:	24576:zLdjk711wY5APXQr0Q1e+P48AFO3qn1Mp3WqagKxmqR7f:zhjk711wY5APXQgp+P48II/Zza9xmqR7
MD5:	955E3A6F8138F5CFFFF24AB48109BF5E
SHA1:	6BB76D4244D92533A92BD2FFCC3071629408CAE8
SHA-256:	3BA7793A75B91956F9BF347512B16ED79968FB47F4AD18CF0F6AA1EFACC50E33
SHA-512:	D40D85A5719417CBEEE2066E0702EFF9B7480BA890C56F892A7675764F26063A0CDC061695E6A4F5044E5F2CA2F79F5B52BA97FFB13230CB6E8C86764FD5D78C
Malicious:	false
Preview:	......................>...............................................................}...............~.......................^...........................................................................................................................................................................................................................................................................................................................................................................................................K...............D...&........................................................................................... ...!..."...#...$...%...1...9...(...)...*...+...,...-......./...0.......2...3...4...5...6...7...8...<...:...;...@...=...>...?...E...A...B...C...J...Z...F...G...H...I...P...L...\|...M...N...O...W...Q...R...S...T...U...V...[...X...Y...\.......^...]...w..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...c...t...u...v...w...x...y...z...

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\ComponentFactory.Krypton.Toolkit.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2667520
Entropy (8bit):	6.021972030667934
Encrypted:	false
SSDEEP:	24576:lNnJox6yr8nN03BI9abUCAqS8yLzdnOKaWw//emX17WLwlt6t9fnjNiBqUb:lNnM8nyI9lzdnOKaWw//BWMlt6tLiH
MD5:	4AA46ECABD3073852F3A778D28D9EDAE
SHA1:	0011708B8549BFBCBE0596C7A9459D61B072D16F
SHA-256:	956AD7E5C070EE129E70A3E7F5D44038D5BB43ADE2D24B5119A0F0E763E6A8A9
SHA-512:	08C025D77FC5E1936B2DD695DEA1D4533E3F98E84861CCF5A72DA1F63152CC3B10A603C5D8490FC29FF76C79B46D399AC6E443FAA52036BD05A130D287A10A45
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...nO.O...........!.....$'..........C'.. ...`'...@.. ....................... ).....D.(...@.................................pC'.K....`'.......................)......B'.............................................. ............... ..H............text....#'.. ...$'................. ..`.rsrc........`'......&'.............@..@.reloc........).......(.............@..B.................C'.....H.......$.......................P .........................................Z-...[t..<C....8..f...........(..;.m)..4.7..3.I....Fz..7.. .+..U.aV..X..B..{..{.<.\|<.I.7L.t]..}.<....9.`m..U^v....hJ.("....(.+..}......{......0...........-.r...ps&...z.-.r...ps&...z.-.r...ps&...z.o'...-.(#?..s(..... .@..o).....3...o).........E................+'......+..o...+...o...+.......+..o.........E..../.......&...............+4..o+...++..o+...+"..o+...+...o+...+...o+...+...o+......

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Helper.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	59904
Entropy (8bit):	6.084840805171319
Encrypted:	false
SSDEEP:	768:e+o0nKWkPuH93+yB+BrKGLi06y/MEPDdl2Kbs3AY5O:eEAPuAnTLi9oMSbswgO
MD5:	2880C4ECCDBCE5491AC23D9AC5B45C79
SHA1:	CE9376A66620E9E55B2B45B1DFE439B4989A3362
SHA-256:	23D1CFBB1B628CFB8EAD4C452CEF6135B1C3053EE6E41F5CFBB66AB49A6D783B
SHA-512:	887531D74311FB83FBE82AF1FD4BC0281F1B5A5D29A2BCCFE77A3E855AD2539F61BBD2DAFDEA14DD44C317B00CB569A2A9DDAC1C4F9A9F1367377F100FB35313
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B.0U...........!..................... ... ....@.. .......................`..................................................W....@....................... ....................................................... ............... ..H............text........ ...................... ..`.reloc....... ......................@..B.rsrc........@......................@..@........................H.......D...l\.............x............................................0.._....... ..... ..k...Y. }ib...a.as...............s........Y.....o..... ...J..Y.Yfeffefefefe.. ...8X.Xfefeffefefea..,..o....+.....,.. ......Y.Yfefeffeefa...,...o....+.......w...(....3!.~....`...... .y.K..X.X..Xa.8......-$... 6..\a.afefeffeefa.~.....`.....+Y..o.........(....o....... ..H...Y.Xa.~.....`.....+&..~....`........ h.\a.afefeffeef..Ya..~....X.....*..0.............. .......i.8x.....b%. ....3..

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Helper.dll.config

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	227
Entropy (8bit):	4.937998208562116
Encrypted:	false
SSDEEP:	6:JiMVBdTtdcIjkfVymRMT4/0xvFM7VEk7VNQA5DuACQIT:MMHdRd9ofVymhsvFfSz5D9CxT
MD5:	2B501716C1274B0B35543316B410D60C
SHA1:	69E370E1522EAB2F66FF11238984A3F288EB7A9E
SHA-256:	B4DAA280754F634F0C289EB06538AD00D6F6BFF81D48450BFC5D56463B04D382
SHA-512:	E38523EABE64E4B17CB6D45DF7726BDD5B40EFC341EF765B56C0B82197581819EDEC105204D3785BF0F5865CFAA81A23AB03E54B0C2242D1EAA25575254DA936
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8" ?>.<configuration>. <startup useLegacyV2RuntimeActivationPolicy="true">. <supportedRuntime version="v4.0" />. <supportedRuntime version="v2.0.50727"/>. </startup>.</configuration>

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\InstAct.exe

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	16360
Entropy (8bit):	6.129129659339863
Encrypted:	false
SSDEEP:	384:5HzQTDmvAX9CD6eMTxpAxGnYPLRTX9/eM4:6Tl+MTxpAxG+TX9b4
MD5:	B0586EE5DB1B3B171D28F48AF4B5F4CD
SHA1:	DB47565CEC4BE55A78AA678E3238EF425ACFFD50
SHA-256:	1B8B753DFA929DDD700B3939B1FCF1D53B94E7D8D97C81083AEC11EE970D239B
SHA-512:	9F960C81A953869E78291243690976319B2F72313B0A9DEC0341E21E878F7A05E3326D1AEDDED9B17A8F3E55A6138665EDEBCA671D75A0F418D2FA9615609E60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...E.0U.............................=... ...@....@.. ...............................R....@.................................\=..O....@...............(.......`......$<............................................... ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B.................=......H........&...............%...............................................0..l.........i-.r...p(.........r...p(....,...(....+1.r!..p(....,...(....+..r5..p(....,..(....+..(........o....(..............I].......0..f.........i.3".....(....s.......(....s....(......i.3......(....s.............(........................(.......0...........(.......(......0..........(.....(....(......,"(....rK..p.(.........(....o.....+ (....r...p.(.........(....o......r...po.....r...po.......ijo .

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\InstAct.exe.config

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	230
Entropy (8bit):	4.927182710614965
Encrypted:	false
SSDEEP:	6:TMVBdTMkIffVymRMT4/0xC/C7VrfC7VNQAopuAW4QIT:TMHd413VymhsS+Qzop93xT
MD5:	CC5216762E808C8A13B799001FB14D7F
SHA1:	D3E0F084903317BD8FA6F2E62746BCE3452C5E32
SHA-256:	A057532608B629756DAA45BF136212E2BCC39608213791D5E0DBAF33686EB83A
SHA-512:	4B4CC1932938762B4E1BD6B8B80C6C4AFBF88B37581A92259E570557A33FF001C3A240E89BBDF992338D3C157D0684F346456212567A784055AF40CA0070D21D
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727"/>.. </startup>..</configuration>

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Interop.IWshRuntimeLibrary.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	4.584750598195
Encrypted:	false
SSDEEP:	768:gx3LY+sPhWVJPsedLVDUYlkXrSXVteUdzttJ2z9IkCBsQtcNg:4L9nVJEetVDUxSpvJ2z9IDs3g
MD5:	EF615EA13EDA0F6DBE335989CFF2B0AF
SHA1:	B0965C7F3ABC13A938614387553F93402A571F04
SHA-256:	8C30EA6D36E6E4FD1933803E3A492F39ADF85CA86211E9B00328341517380773
SHA-512:	44A6BA39F574E6C4F6B979204CBE9186130BDEBB8909C604B7B5837ACB05DF54A30F0BAD4BFF15786596F77A9239CFB34C40A9C5A09F653EB6605C7283BB1244
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O.0U...........!......... ......>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Interop.Shell32.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	4.476592511891861
Encrypted:	false
SSDEEP:	768:Mexl81nX6ZxlvUAa7KoBv7epginbCe7AXjuw9tL0Duxj7tr+BrkFS:Mexl81nK34PJepgqcVz6
MD5:	A364F2BBDEA952E1479899F32A57AD34
SHA1:	1D3603D15DBFFD35665253F54BECF872AACB84F1
SHA-256:	9E6CE2EBD72E3BAD36710C9B208A658BD8E25C83FA57EBE159152F8E0F774D8E
SHA-512:	0C755630C22EE7A4AB76070AC568E3B70FD742DBFFB3CC8C68CD89F3D6D31C04A18EED6DB16785E0D0AC32137862A5D81940888EA64FDE3A8364C10228D6CDC5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P.0U...........!......... ........... ........@.. ....................................@....................................O.......h............................................................................ ............... ..H............text...$.... ...................... ..`.rsrc...h...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Logging.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	8704
Entropy (8bit):	4.520606029097103
Encrypted:	false
SSDEEP:	96:i7uoR4mr0Zz+YOhmrnVvv2rYjyf/NF7b7xe1pZXLzbYHXvs:MR4mIZvO85XqNVJe1pZX7YHf
MD5:	28B7EB67A7889A46ECE863EE6EC6C3BC
SHA1:	BA12371BE8CE73CF52C3270CA46941B71FF90025
SHA-256:	B71BED56159A16652075CA90F6C5191B47102C653A2FACAC7F1823985B141FF6
SHA-512:	B767676DA12D1D8915C956071F81D107C2795ADD2F8318D7FBE2EFE12096612C3D4904F6A4991E1EB1E3170412260226FFBCC4BCAEEBC59CDC2ACE4F313A15B4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...<.0U...........!.................8... ...@....... ....................................@..................................7..S....@.......................`.......6............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................7......H........%..............................................................:.(......(......{...."..}....&...(.......0..<........(....(......-..r...p.o....+..r...p..o.....o.....o......&..........88......B(....r%..p(....B(....rA..p(.......0..<........(....rO..p(....(......(....,...(....&.(....,..*rS..ps....z.0..........(.....s.......3=.r{..po.....r$..p( ......(!...( ......("...o.....rB..po....+a..3>.r...po.....r...p( ......(!...( .......("...o.....r{..po....+..r...p( .....

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Logging.dll.config

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	227
Entropy (8bit):	4.937998208562116
Encrypted:	false
SSDEEP:	6:JiMVBdTtdcIjkfVymRMT4/0xvFM7VEk7VNQA5DuACQIT:MMHdRd9ofVymhsvFfSz5D9CxT
MD5:	2B501716C1274B0B35543316B410D60C
SHA1:	69E370E1522EAB2F66FF11238984A3F288EB7A9E
SHA-256:	B4DAA280754F634F0C289EB06538AD00D6F6BFF81D48450BFC5D56463B04D382
SHA-512:	E38523EABE64E4B17CB6D45DF7726BDD5B40EFC341EF765B56C0B82197581819EDEC105204D3785BF0F5865CFAA81A23AB03E54B0C2242D1EAA25575254DA936
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8" ?>.<configuration>. <startup useLegacyV2RuntimeActivationPolicy="true">. <supportedRuntime version="v4.0" />. <supportedRuntime version="v2.0.50727"/>. </startup>.</configuration>

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Microsoft.Deployment.WindowsInstaller.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	184320
Entropy (8bit):	5.7399324609598485
Encrypted:	false
SSDEEP:	3072:LjyY5UlEOitKOYwEvCnfKlRUjW01KykgBJ22R3k1Xn0YIEbTZOCZ4C7KjmQjpRQ:LndrHH22Y1Xn0YXVamQtR
MD5:	7D625FE73AB5F25390D5B663B0760BB8
SHA1:	5DCCF0B59215E47BD477AE563DB9FB53FD1970A0
SHA-256:	20AF4EA25C5BFB6CF5AE236D2F213402C6040EBCA2E7AB5C0983267D34CA1673
SHA-512:	A7A12744AFB89FF52D7CC5785EDC9C42DA0C796D3389CD39E7815623D9BDD4735F2410885714BC25E8FDF74E5CBA8A1E3E691C0E47B775A2DCE05BD0A5662A93
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...e).T...........!......... ........... ........... ..............................H.....@.................................\...O...................................$................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Microsoft.Win32.TaskScheduler.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	5.911239698708562
Encrypted:	false
SSDEEP:	3072:kzUX+8YpYBTZUhF4SYK/G1JyMQ4FZSES6N0:kMI2s
MD5:	B351FDD6CA2B71C9E2310A6E5521D690
SHA1:	491538F4F77AFFA2DBBD8CC5474338ABBB895E6D
SHA-256:	9E21648FBD3E281FF2924904B80F7B9C65B440AEF9FECD87D0CA6AABF50E5DF4
SHA-512:	2E3947AD63141B6B92CBD141F889F3A5D104776A93E379EC294B879B510F338641B12E66C3280580DB16A945CD5AE57D84649DA61947E5572C6C27526DC1DCAD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\..O...........!..................... ... ....@.. .......................`............@.................................L...O.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......d...DN.................P ..........................................P8.,'C...<.a........j....L..Q.k.A...E...K..b4.y{.=b._....[X,i....\.op..V......~.Z.oGO.,)...R..S..Is.<s3...O.iWY.y..N.($....(.....(......($....(......(......(......(.......(.......}.....(.....(......{....,..{....or...-..{............0..B........{....,..{....os....{....o......J.......\..o%......i.3....~&......0..@........{....,..{....ot....{....o......J.......\..o%......i.3.........{.

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Setup.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	8704
Entropy (8bit):	4.570733033305149
Encrypted:	false
SSDEEP:	96:iqXshmkp7pjpWvuJDHRgcs9eomMmXDxXnKc7ScPnPPbRxkxvVRSQc3MDm7M6aqm0:t6DScs/mMStXK6xx4SQl1qSjTPJw
MD5:	A774435D2C0A7768F4BE70B469390B55
SHA1:	E0F7CE4E38C5895686CFEFF58B4DEA58E10233AD
SHA-256:	3CB9187A144148DC61DD50007DC1E49A4158F01DB2557A7E3792B95054DA3082
SHA-512:	11FB6A6262BA6334615BB4C2F0BC5BB455CD03B8354E3F2DEDD25AEA655CBE8FFA6B7DF5B0129B751108D9287BE47B3A27B8B421C141D71A3144197121CA1B82
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...<.0U...........!................~8... ...@....... ....................................@.................................$8..W....@.......................`.......6............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B................`8......H.......,%...............................................................0..k........(.......(....k}.......(....k}......(....,+..(.......(....k.......(.......(....k....."..HD....."...D......r...p.r...p.(....(.....(....(........0..J.......s.........+...o......(....-..(....-..._....-3...o....&..X...o....2..o......(%..."..2DZ(.....(&..."....Z(....s......(%..."..;DZ(.....(&..."...AZ(....s......(%..."..;DZ(.....(&..."....Z(....s......(%..."..FDZ(.....(&..."...AZ(....s...

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Setup.dll.config

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	227
Entropy (8bit):	4.937998208562116
Encrypted:	false
SSDEEP:	6:JiMVBdTtdcIjkfVymRMT4/0xvFM7VEk7VNQA5DuACQIT:MMHdRd9ofVymhsvFfSz5D9CxT
MD5:	2B501716C1274B0B35543316B410D60C
SHA1:	69E370E1522EAB2F66FF11238984A3F288EB7A9E
SHA-256:	B4DAA280754F634F0C289EB06538AD00D6F6BFF81D48450BFC5D56463B04D382
SHA-512:	E38523EABE64E4B17CB6D45DF7726BDD5B40EFC341EF765B56C0B82197581819EDEC105204D3785BF0F5865CFAA81A23AB03E54B0C2242D1EAA25575254DA936
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8" ?>.<configuration>. <startup useLegacyV2RuntimeActivationPolicy="true">. <supportedRuntime version="v4.0" />. <supportedRuntime version="v2.0.50727"/>. </startup>.</configuration>

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Splash.exe

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	255976
Entropy (8bit):	4.612209206661168
Encrypted:	false
SSDEEP:	3072:gsmj7mtiLfJKEmjZ+MX0stopP7mtiLfJKEmjqNP:67mULxKEmd+e0Z7mULxKEmC
MD5:	8DF371D6C8439AA6225D87AD741C6333
SHA1:	230AFADB5F2DC84AA7962FA808905EFD28B1C21D
SHA-256:	D8731FA86067EA429244378F81F9DC7E24377F7EF378044D5F46C378424392AE
SHA-512:	9DE82F68CD7430A3CA6CBBD1933E6303ED1497137C08A240E8F6579D4D7DCD56967319525B638CC70F81CE05EF8A3ED4D1A207D4908C17DC5290B19D43479193
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...F.0U.................@..........>^... ...`....@.. ....................... ............@..................................]..K....`..............................\............................................... ............... ..H............text...D>... ...@.................. ..`.rsrc.......`.......B..............@..@.reloc..............................@..B................ ^......H........+...0...........9...............................................0...........(.....(....(....s....(.......X.X..X}.......}.....{....(!....{.....#...(....o.....{....("...o.....{....(....o.....{.....o.....{....(....o.....{....(....o.....{....(#...o.....{....(%...o.....{....( ...o.....{....(&...o.....{....($...o.....(....o....(....(....(....(....(....(....(....(......1.{......(....o.....{.....o ....{.....o .....1.{......(....o.....{.....o ....{.....o .....1*.{......(...

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Splash.exe.config

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	230
Entropy (8bit):	4.927182710614965
Encrypted:	false
SSDEEP:	6:TMVBdTMkIffVymRMT4/0xC/C7VrfC7VNQAopuAW4QIT:TMHd413VymhsS+Qzop93xT
MD5:	CC5216762E808C8A13B799001FB14D7F
SHA1:	D3E0F084903317BD8FA6F2E62746BCE3452C5E32
SHA-256:	A057532608B629756DAA45BF136212E2BCC39608213791D5E0DBAF33686EB83A
SHA-512:	4B4CC1932938762B4E1BD6B8B80C6C4AFBF88B37581A92259E570557A33FF001C3A240E89BBDF992338D3C157D0684F346456212567A784055AF40CA0070D21D
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.. <supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727"/>.. </startup>..</configuration>

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Uninst000.CA.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
Category:	dropped
Size (bytes):	1081295
Entropy (8bit):	7.774773660389089
Encrypted:	false
SSDEEP:	12288:lGA6ILTvHWo5JKmE6/Ys8cNYcgJ07N5tObk2lTD57pkrpDS98OqORpS2kg3lltyJ:fvv2macQ7Llf57pkrpUKgSsxQyww8
MD5:	0BCC088A002518322E1ECBCE9FDF796B
SHA1:	57B9C096A8EB3636CF3815AFD4C0C5D08BFFEC53
SHA-256:	A51751F54889932E87DCC1C73F4165F0C99B8224416F9200E77D02EAB688EEA1
SHA-512:	555B61ED74F16ADB168084809F703E26B7BFBBB979174CAF2AE79A25D5F45AD719FB2D837C53F4D00B135450CE0872753DC1777EC0F90B7A9EF6FC224398D489
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^h..............\XC.0...\X}.....\XB.`....q1..............[C......[~......[y.......5......[\|.....Rich....................PE..L...p).T...........!.........n.......m.......0............................................@......................... 6...*...`..x.......`............................2..8...........................(0..@............0..d............................text............................... ..`.rdata..v:...0...<... ..............@..@.data...$1...p.......\..............@....rsrc...`............p..............@..@.reloc...............z..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Uninst000.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	276480
Entropy (8bit):	6.441854728182318
Encrypted:	false
SSDEEP:	3072:fK7mtiLfJKEmjvY4e3+XPBp+E1+eJohq9AYHdj0iVrDobtjP5T4XW/r6VijH:i7mULxKEmjYJUPJHRbHt7ZoNv/rz
MD5:	CBD338291F40C848724E289E1C89B5ED
SHA1:	95FF61F915EAD00C64B7C71BF084CE9B67C20391
SHA-256:	983225D7ABB49456DAB5DC9842ECCE4065B4A8C3B4A9E980857BCA6CBA66EC59
SHA-512:	BD11299B6FD9DA3D8BFB0E46B8B4F0DB088655DEF666F692920DA854F467F7B6A0191930678C0096C735ECA0C0FCF45C4361CD2033114710BBB9DD651572D4FE
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...J.0U...........!................H... ...`....... ....................................@.................................`H..K....`..H...........................(G............................................... ............... ..H............text....(... ..................... ..`.rsrc...H....`.......,..............@..@.reloc...............6..............@..B.................H......H.......\....B...........@...............................................0..O.......(....s.....(....(....(....(....(....(....(....(.....r...p...........(........(........(........(.......(....o....( ....(!...("...o#.....s.......o$....(%....o....,.(..............(&...('...o(...().....-.....\|.(.......o+...r9..p(,...(-...(......s/........o0.....rI..po1.......o2.........(3...& B..........r]..p..o4...(-...o............A...........#................0..;.......r...p(,...(-...(5...

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\ar\CPUGuardian.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	81920
Entropy (8bit):	4.351471842158252
Encrypted:	false
SSDEEP:	768:T7BOdNxk5q+mZ5s2BMPqCX9diHUXtehsnE4YOhZ3A0opesLZBdQ6qhXLwnq3:nBO395s2eAH2eP4YOhW0cesLzdQ6tnc
MD5:	B08F4DC229CD738E564B8D4CCB00D073
SHA1:	805C97EF45CEC4B4610BA9AB8F781C05A555B3A9
SHA-256:	0E33DB40420297721419EF8329011AA32531754DCE99B988D7C34F8125746371
SHA-512:	45FB4EE3AEEDAD1955220B034E9FF3FB33B913970A251266EDD9C9313FF73C1629721B189C2954F7247202270BB6FAE4E4A14EC2CC71CA9C61764B288205A54F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V.0U...........!......... ......>*... ...@....@.. ....................................@..................................)..S....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......0..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\ar\Splash.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	4.184393622111684
Encrypted:	false
SSDEEP:	96:oz/3H/LB+FXNDkTglLXD0U2JARXD03lRtbqkV:+fH/LB+FXNDkTgkJH9t
MD5:	25B52BF55505B189FFA5ED6DD93CF715
SHA1:	CFB36A89678A7C2964E13789B8206D5C8EF1A180
SHA-256:	955D7172504B8E2A3CEE1B6415BEF8FDCC144D380A5CCF966CEFA3CE6446D937
SHA-512:	C5B2C6141B8CE3EE349EC843FC3042696D1849882604578AD422E3F9A4990BC94DD3C59805184C2C03128EDB0D5339C3F676DE950B8478FD0DE34781855B2B0A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...F.0U...........!.................-... ...@....@.. ....................................@..................................,..K....@.. ....................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................-......H........).. ...........P ..p...........................................l..............lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.)...(E.x.p.i.r.a.t.i.o.n

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\ar\Uninst000.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	4.137106681343619
Encrypted:	false
SSDEEP:	192:9GQmBZfY8OnzyPTa5t8zyEAYNy2RYkaHv:9GQmHCzyssyEdNy8YdHv
MD5:	F6AA66D2F100F44661BA06A27296DCB1
SHA1:	B2C0322662CF9EBE90AC4D9E3AF538C93E737496
SHA-256:	64E59C3E98C7E1C596D8FA7FBA799C971A51C9697E6103CA8EECF5304EAE6C3A
SHA-512:	EE3857AD4B38F09C4F95D06F4A6159B6A38C805FB0326CA9DAF5742675C9021BF7B2DFB1353494F022EF9FF9B5D4E72DC61A430FD9D70FE04BEEBD0C35697E8D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M.0U...........!.................3... ...@....@.. ....................................@.................................h3..S....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................3......H.......40..4...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\bo.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	4.6401835801650595
Encrypted:	false
SSDEEP:	96:pBmrqY2ZPtrPEg2XzVzu9+viWn1DvCwqlQxwN16HZGe/ycbGfwiNoPBnp:DC2ZPtrPJ2ZzuIhDvCwcvwyI6wiNs/
MD5:	C57D5679E6A2E2E4B4DEB278A1EAF8F4
SHA1:	A67DE39528104B271531195643FA7CB5243831F3
SHA-256:	29C716B81AE2B875B772CA6892E3917436D7AAB30BB8C8FCC3CD38EB10E42603
SHA-512:	F1C5AFCD424B810D6BDD123B635D976EB4C73FAB683B44171D70A87D43E2EA3965C9737F4073E8EEAB381F521B3F501E734C84700D2ECD9CA21498225E86DECF
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C.0U...........!................n7... ...@....... ....................................@..................................7..O....@.......................`.......5............................................... ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P7......H.......l%..x............................................................0..i........(....(......(..........(....(.....(....(.....,..%(....r...p.(....(....(.....%(....r...p.(....(....(........0..........(.....(.......(....-...(....-.r'..p(.........(......(....,..(....,!rc..p(.....................(......(....-.r...p(...............(....r...p(...............(........0............(....%-.&.(.................rg..p....o.....s......(....,...}......8&.........-....}....8......

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\bo.dll.config

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	227
Entropy (8bit):	4.937998208562116
Encrypted:	false
SSDEEP:	6:JiMVBdTtdcIjkfVymRMT4/0xvFM7VEk7VNQA5DuACQIT:MMHdRd9ofVymhsvFfSz5D9CxT
MD5:	2B501716C1274B0B35543316B410D60C
SHA1:	69E370E1522EAB2F66FF11238984A3F288EB7A9E
SHA-256:	B4DAA280754F634F0C289EB06538AD00D6F6BFF81D48450BFC5D56463B04D382
SHA-512:	E38523EABE64E4B17CB6D45DF7726BDD5B40EFC341EF765B56C0B82197581819EDEC105204D3785BF0F5865CFAA81A23AB03E54B0C2242D1EAA25575254DA936
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8" ?>.<configuration>. <startup useLegacyV2RuntimeActivationPolicy="true">. <supportedRuntime version="v4.0" />. <supportedRuntime version="v2.0.50727"/>. </startup>.</configuration>

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\bs-Cyrl-BA\CPUGuardian.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	4.390730381820147
Encrypted:	false
SSDEEP:	1536:rBO2Pe5oBpxqJ8+T+TKU/q42slkTCAQN:VO2PeUIJpqTKU/q42slkTCz
MD5:	E88771DA626EA5D32D453B43E8576154
SHA1:	9DE32419309DC0C814AEBE535ADC573D2548E56B
SHA-256:	C1DC149A5D923F4DA70E13793DBED729F3B3B4331DE5E02F6E6680AE2DA4D563
SHA-512:	8C62C4A9EFC175356EDA3DC3329DC1C05118C868433E120B40935AAFDCCB0042E019DDD2D983617E21E00570D61A60BCF36504F05F6E981D3278D12392FA72A5
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V.0U...........!..... ... .......8... ...@....@.. ....................................@..................................8..O....@.......................`....................................................... ............... ..H............text........ ... .................. ..`.rsrc........@.......0..............@..@.reloc.......`.......@..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\bs-Cyrl-BA\Splash.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	4.347343292574456
Encrypted:	false
SSDEEP:	48:6HfcDGMll8XJkGkYkAkKkEkyKk+Ck8mkwwkWOhytO9NKyP219NKdOlR4X3NkQ9hD:oBJ71lnJYXCU8chcweFLlRmdqkV
MD5:	4388D01327E9D1E4B24F083DFEEC4CE3
SHA1:	977E876838F6960D8D86728A1A61BF1DA8629FE8
SHA-256:	86B1D43F54BF52308F9EC1E636974453E2E1DE18DCE49FDC2F86180CAD5938D1
SHA-512:	6B166ABC1ED290C3BC94268FBE384C5E69C911915CC9CDC3D58AA5739A3E8A9DAE09C39F70E14F8FC91FA202BCC69DB619AF2140D487FE8D008138BDA5AC3386
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...F.0U...........!.................-... ...@....@.. ....................................@..................................-..K....@.. ....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................-......H.......p*..0...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.%...(E.x.p.i.r.a.t.i.o.n

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\bs-Cyrl-BA\Uninst000.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	4.073443121920409
Encrypted:	false
SSDEEP:	96:X+I0Uk10zmZ70Uk0BO0/B0sV0Wz02kE0WEVFnzQlK5vwTaFGYuUV9zQlEa19XNsh:wQmBZBquOdzy1TaFB/zyE0Nyl93Hz
MD5:	7780E00A60CF36671E45AF19984CC9E8
SHA1:	629B97953C4480A43AF1C99A92E250BC8B91842C
SHA-256:	5C2F555EAD13303430DBEACB02DCD77C5A83FB9AA8EEFB895490D2810741CA26
SHA-512:	7AE0D2345F8F27B6779535AE402CF4546893A455561E9CB2BCD3FE7C362DE592973485C15FBFEDCCEAF46F34786239752AC95E519698681BCE6DDB9835393116
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M.0U...........!.................3... ...@....@.. ....................................@.................................P3..K....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................3......H........0..D...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\bs-Latn-BA\CPUGuardian.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	3.9553473800090524
Encrypted:	false
SSDEEP:	768:hBOdvSNSOIGJ1JDo4wESimTskX4gvA1IU4PsZJFG80y:hBOhSNFJ1JDoxiiogvA1IU4PMrb
MD5:	FC837A680559AB483B0A24D15569C5B2
SHA1:	C029B87F974EF4EB803F23EDE8C2F8FCFE7BE9B0
SHA-256:	242CE11E629A29D55A3B0F0540DEEA4534B2EBC204D44F366F3D3B81CCBFA9DE
SHA-512:	FCDDB5E2C6355C6BF6826D91D45AC93E998CBC237144239B2699E84F0B483C448F3D6886F8F2C6F31804193074003DAFD55B1B416FACBC1F5E34E4FBD77DE8A6
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V.0U...........!......... ........... ... ....@.. .......................`............@.................................X...S.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\bs-Latn-BA\Splash.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.7911815973520455
Encrypted:	false
SSDEEP:	48:6HA2DGMljjH2Pktk6hktk3k3kyqk+4k6kw4k2y+gvr7p+gvqOlR4X3Nh5cMhIHaz:o54snhI66kX4vkjy5x5LlRmtcbkV
MD5:	5BA46B916E39E8C2ED12D24370BE7177
SHA1:	A9D3589B76F1B8AF1EF60A23A8E653F9C81AEF0C
SHA-256:	6685A16C00A4B11107ADBE0D2AA79B3298ECF3D100D7577DA748DA55E0D732B0
SHA-512:	9E158EA1B787AD373322B50929076CE46E8E9E0EF70E1CE34065DCA0A31401CEABB074C84D6FC4CBC742A35607053DB73608F89D96E0A63AB426E0B451D8BE6D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...F.0U...........!.................,... ...@....@.. ....................................@..................................+..O....@.. ....................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................,......H........(..0...........P ..[...........................................W..............lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.....(E.x.p.i.r.a.t.i.o.n

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\bs-Latn-BA\Uninst000.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	4.051562867290683
Encrypted:	false
SSDEEP:	96:X2I0Uk10zmZ70Uk0Br0/m0sq0WK02kF0WEVFYzQlzjkqvuTaDadYWeVZzQlEw1bL:YQmBZeTFOOzyPiTaDaSNzyEHNywdkrz
MD5:	91E411AA51BCAFCF2AD2318475F21636
SHA1:	3F533BCF80EFEB0B1F4F630134E8093A51AEA0C0
SHA-256:	4A8797251DD3E3A3E9C2E5C3D8F6C65585F6FE8D8B921B5940CDF36A17328C06
SHA-512:	2D154F59E7F1A7427723FA1B7A72DA27993CFF0E45FC12D7BB116AFB12D7CF8B25F3258FFDBD91452F1FA8AC8BDDC7E0CB64B33FC13BB68C58DFC220F1597838
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M.0U...........!.................3... ...@....@.. ....................................@.................................D3..W....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................3......H........0..D...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\da\CPUGuardian.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	3.8716554275523185
Encrypted:	false
SSDEEP:	768:IBOdqmhS9Yt3IneNuX52RQeRKkUfBkMrJZkpA5SIl:IBO4mpt3ImmeRKn9SpA5Sw
MD5:	41709EE56BF07EAF6F8CF84C78214D64
SHA1:	058847E12B2718FC3E92FFFAB20F72F753F24BC8
SHA-256:	116018CB0A23F5BF0819C691EF30BD4679B660AD92126464708057B6390D8DE2
SHA-512:	AABB95BE440F88B77AF01C7FD7F3AA06A43289F76FDC20D2768313F3D1724405A40A9DBBF0ABDF9241D449D03078DBF870E5670CE5DDFDAA41D5FCC76F4FB13F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V.0U...........!......... ........... ... ....@.. .......................`............@.....................................O.... .......................@....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........ ......................@..@.reloc.......@....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\da\Splash.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5120
Entropy (8bit):	3.918716894176816
Encrypted:	false
SSDEEP:	48:6Hl8DGMlfklakTkqktlkVkDky4k+qkSkw7NkTLlAu0AX4Wbc3Z4UOlR4/NBAzhI0:obaqPQlAGeXqX/NUpgAdlRbIkV
MD5:	68B79183233A6C2D19FB606AA49482D6
SHA1:	B41005D41BA6DDC888072661B410B23EE17E9233
SHA-256:	13BA0A16789D435E52DF303B1F03373A96C90A15CAA3C692B44F50C93FAD6529
SHA-512:	36E8754EBB5AB4E1D95B6154823A3C1B7DB55D5B184479C56004CC74C197D381FCBD690B6E72064A91155D959F4D57967023ED1B0493F1B23B9A2D9A262809A2
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...F.0U...........!.................+... ...@....@.. ....................................@.................................d+..W....@.. ....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................+......H.......D(.. ...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.....(E.x.p.i.r.a.t.i.o.n

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\da\Uninst000.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	4.048589783067445
Encrypted:	false
SSDEEP:	96:XWI0Uk10zmZ70Uk0Bl0/E0sM0Wh602kP0WEVFSzQlfoovSTaP0YWiVKzQlER17MC:4QmBZwlXOczyITaPD6zyEfWNy3NZZ9z
MD5:	E3D637DF0EC98C57FCF706132616E4EB
SHA1:	9FC71E5862B20DA5D75619AD15679AD394CB8A10
SHA-256:	F184CF931AB5AC898EF54A5C933F7265BECD28557868A0FFD3A5589927BB0901
SHA-512:	06F5588523209568A78BB73BEAB6C9C9A24231B2E1F798EDA1824879AD63AAD08BD44A0385D5BC98B822DF829233FEF11BD7EE74505F87A190A2A385F7695B16
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M.0U...........!.................3... ...@....@.. ....................................@.................................H3..S....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................3......H........0..4...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\de\CPUGuardian.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	4.041619677545147
Encrypted:	false
SSDEEP:	768:CBOd0NDwOVo3uVCz7xCcxbqAzLoVUXUWv3Y306cmVaNQxseaIGTb:CBOW1e3sCVqG0qv3Y3ubeaHn
MD5:	77E503E84EBBFAA5E074DCE709604DE7
SHA1:	4C6B29C825411726448F17D2DF12EFCBFAA2BD3D
SHA-256:	3D727943961DBD02D259319FB4A28051AD6DD90A3E1C9445E92E9590DE5C8A7D
SHA-512:	8D62BD3E3D20D9E8D4772F52E5676AFE40BE96C8387C5CFC3A163E3622F437AB5EE96AD4E8DC43776855DA1B30AD509C84C7C5B26106B7E65728A2C32BA2307F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V.0U...........!......... ........... ... ....@.. .......................`............@.....................................O.... .......................@....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........ ......................@..@.reloc.......@....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\de\Splash.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.7234027852509146
Encrypted:	false
SSDEEP:	48:6HQVDGMlQPe8k0ksklkekrkyqk+ak8kwOkzuxOoubw7/0u8Gw7/uOlR4/N1C5Wwl:oy8V5g7+kXapqZxOo/IvzlRbYkV
MD5:	D58E83F563E2E3DAB4EA7E3836ED3B48
SHA1:	2E0C5678B1C1A9B2FC156E051B91A0CFCBF07BA1
SHA-256:	08EBF070F7766323AADEDDDFF748585A9B5BED1B57F109FBFAAAB75FF9FEE4E1
SHA-512:	A95206087EADEDA4DB1108E2A21EC90CBBB1A745503052F3D9C2715E1FF592C7A6BDA8433245D8F1C95C770DEC948BF7CCFA51208F5C897C7B75838842C169B6
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...F.0U...........!.................,... ...@....@.. ....................................@..................................+..W....@.. ....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................+......H........(.. ...........P ..D...........................................@..............lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.....(E.x.p.i.r.a.t.i.o.n

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\de\Uninst000.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7680
Entropy (8bit):	4.022899439217561
Encrypted:	false
SSDEEP:	192:pQma5jH7OQzykTa8BezyEm/cXiZs0l04:pQmAi+ykKyEssH4
MD5:	842454216446DB6C907513F8E60A8338
SHA1:	B60E47FC8C361D2274AA02C0BF72136469E777F1
SHA-256:	8F13E43DDF364EFA5A3E6FE515DCC76EFBDFDFB16EFB210580B16201E242B366
SHA-512:	4B75D4B2206A1E08EFC391B0D629B4FE2F647EE6127DBBA1C39AF63AFA69BE8AF4D7B3E57E32B69CEB805E48EC12F8353B15703BC3A514830E1D6A4D800081E1
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M.0U...........!.................4... ...@....@.. ....................................@.................................44..W....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B................p4......H........1..4...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\es\CPUGuardian.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	4.0192389069270344
Encrypted:	false
SSDEEP:	768:KBOdZPy3+cks6Y8DDedNsTndQz8/px4bwUSioPUgVT2lz+G7RBvo:KBOfPcks6Y3ad287fUSnUgVTW6G7RBg
MD5:	23A214851F7697FC813BF78AFFF714ED
SHA1:	FC3C592B24B696662C09BD35CAF6A1FAC4F16634
SHA-256:	4F0A1255E4B69B376CA3D114544064B674DBC3BB54389FE20DB5E7AB0B536850
SHA-512:	BC2B4F5D2712E424195E99EC742D927928E06B246A096BA458B41EAF10778CF58B89E9F148F59149342DE9BB2D9052E1A3C131AAE810851A88DFBDE64FDCA247
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V.0U...........!......... ........... ... ....@.. .......................`............@.....................................W.... .......................@....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........ ......................@..@.reloc.......@....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\es\Splash.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.7345347426798576
Encrypted:	false
SSDEEP:	48:6iQuDGMl3G2lkGkbkykykqkyAk+RkODkwSkglAuRtMv23FFuOlR4/NoxPxzhIHaz:tllvmfvnGXRX251G23FFXlR9jIkV
MD5:	92DFFCA7DA68BDDA785B8ED473418C98
SHA1:	6EBA96893A5EC949640AAFCE1433A428165A5F3E
SHA-256:	B555EB57F4905EFA8C41DCCE27B9B275632EC264BF312EF89D85BC36C3E2D13E
SHA-512:	5AAF886EAB7C763F64C5D92E60B2EEA66741F020516372A795C9B1F4F6CC3FD02181A49A2DB75FACA5AD0126D1A253F07463FECD3A1AE3E4D2A7B1F368CF9654
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G.0U...........!.................,... ...@....@.. ....................................@..................................+..W....@.. ....................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................,......H........(.. ...........P ..b...........................................^..............lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.....(E.x.p.i.r.a.t.i.o.n

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\es\Uninst000.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7680
Entropy (8bit):	4.000848952911671
Encrypted:	false
SSDEEP:	96:XxI0Uk10zmZx0UJ0BX0/k0sj0Wx602ko0WEVF2zQlP3vzTa2VYi7VIzQlEV1Cujr:xQmjuXxDaOgzyTTa2aNzyEqWY3VFL4
MD5:	9DD2AA44CB3CE41E4177A2309039F333
SHA1:	857BC820BA4BD159FE561F64684A1F83C9B620C5
SHA-256:	E91E6A08F75DA9C00558EB234A91F5B87F48F759BB673138E9312A18EAD2F969
SHA-512:	3E24FEBF5A4CD923792168471EC13A100C451D580C4DF274A5E8F260A09CF243C77BFDF637D2224F97973C1E68F4A575E093888E25CB92A2FBC2C3CF66484EFA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M.0U...........!.................4... ...@....@.. ....................................@.................................44..W....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B................p4......H........1..4...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\fil-PH\CPUGuardian.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	3.9732068230305058
Encrypted:	false
SSDEEP:	768:1BOdSSmjxQ1lAvHjLH6dwPbcc7QWek5RQi3RbuZXZhg3DN9:1BO8PgAvHY2QyQeRbap8D/
MD5:	AEC66B38C2FCC7825D214018F296BBF5
SHA1:	EB731083E50EDC4A1FE10CC409CE30B50B90608E
SHA-256:	17F1A61D11CB84C322936C1F8FEDF8CF62355DBBF5EE5C0967D465DD74F02B0A
SHA-512:	28CE6C69CEA25C06A20DC9A9EFF3AA123ECCCB7C0B43DCE1047A090A47C733F2C263F52D36EBA94EC61B4D6AFAB965E11675876ADF513905CB15CEC95EDFAD39
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...W.0U...........!......... ......>.... ... ....@.. .......................`............@.....................................O.... .......................@....................................................... ............... ..H............text...D.... ...................... ..`.rsrc........ ......................@..@.reloc.......@....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\fil-PH\Splash.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.756666177601189
Encrypted:	false
SSDEEP:	48:6iQeDGMljEZ+x3kekpk1lkzk5kyOk+ckvkwMktlAuC+kglAuOqqs4klnqqsVulR5:tYW3H8KWUoXc6ACfHD6DIlRWDkV
MD5:	B2590E6421128A931BFB1C8FE4490E27
SHA1:	A9E649894B1C905C625D3E729CA3C5D06374FD2F
SHA-256:	44672B7AE4EAA9826384ECCCC2BBA501ADF3FE3C0C4B893C18D5D48B09B71A9D
SHA-512:	B18CBE937527258BB2E490C102796238FD72037D1CA1F888E0D5185EB980F69FE4C2FA6415F8ECB63E443A5E78018C67B1FECBEEBAEE4A3A7A73F3B35555B864
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G.0U...........!................>,... ...@....@.. ....................................@..................................+..W....@.. ....................`....................................................... ............... ..H............text...D.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B................ ,......H........(..(...........P ..i...........................................e..............lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.....(E.x.p.i.r.a.t.i.o.n

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\fil-PH\Uninst000.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	4.059456711666594
Encrypted:	false
SSDEEP:	96:XWI0Uk10zmZ70Uk0Bo0/X0sXP0WB02ku0WEVFZzQliDfvzwTaxCY+oVczQlER17+:YQmBZjcYOjzybTaxlOzyEfpNyCXH2b
MD5:	473E378DBB8178CC87CF5AAF5806428E
SHA1:	43F383B4EC68FB5B076786F14110900B72A150DB
SHA-256:	ECB7411B6EC421F3D1A249011848F8B186FF4C65940D4FF746F6D0AC66DE7826
SHA-512:	B7AB65AC03084E1D538B530411711B972918A86888A7C2D2994E49DC414A640CBEE78C555433A4912220CD34A918351048819453C7F245B330FF80330EA41DB8
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M.0U...........!.................3... ...@....@.. ....................................@.................................T3..W....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................3......H........0..<...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\fr\CPUGuardian.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	4.079319572470228
Encrypted:	false
SSDEEP:	768:kBOdvSJR83MvHNioJd56UXyXIRxXtVTE25ACwxxIxLMlLJARQc7cLcxxI:kBORSJJvHNXD4cxkWAwxW
MD5:	027A8A78CA213637211D5200AF1B042D
SHA1:	AC51B2C2F8D27CF09AFB7E6057FB86B5CEE511A5
SHA-256:	15077FC3760B94B82484A83174AF6A867A5930D5163C673BCA6BA66E5BF3D767
SHA-512:	E3E56459A7AE288DA19347B7AD194F3F97538168086CC10EBBBFBB9B9D4EDA1DAADD13EB8053FF3B6D016F6891F9FA9E4BC31CAD98AFFCA47B77E22FA492EE37
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...W.0U...........!......... ......N.... ... ....@.. .......................`............@.....................................S.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\fr\Splash.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.7770642638300065
Encrypted:	false
SSDEEP:	96:tntzHIb1NcLXKA/Odqkr20RqkLlReMHkV:JtzHIb1N6XKA/Odqkr2cqkLKMc
MD5:	7CFA0647BFF0D5C32B46351DE6A5429E
SHA1:	4AD7B3A7028F718595535F97D2E1761FBA7EB5CE
SHA-256:	E3773CE96662882C1601072E72090A4E80976F356C01F1E763BC0FF90C523AF5
SHA-512:	C995B37B5BB8121C06F93F8FFD8532C17CF2FFA1280E48CD3B8586C0C99CCA8CB57E50942CB732209B10D78CFB63563E4DCE69B90888FA804E9E22782927D39C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G.0U...........!................N,... ...@....@.. ....................................@..................................,..K....@.. ....................`....................................................... ............... ..H............text...T.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B................0,......H........(.. ...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.....(E.x.p.i.r.a.t.i.o.n

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\fr\Uninst000.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7680
Entropy (8bit):	4.081738950123952
Encrypted:	false
SSDEEP:	192:ZQml2renO8zyBTaNICzyEKwI0GZneWhHPLA:ZQm2PaymRyEKyGZeWhA
MD5:	B8C42E3E55BF1BB7AD13FC90116A58C1
SHA1:	2B51C83B12F3F4AEECE0BEA75254A21EAD062E1C
SHA-256:	83DFE90514D8D07A524887E73B2F5B4B0EE43B75B5DA4611A57D135CDB6E2777
SHA-512:	82CF15CA227BE56BD6F6C2090E3D9A2E52BE827991B17F6AB6C4579D97930EF50A605E8E4462717BEBD7B0A2A71032EC6C7E235EB7FCD76B5C4794F962A87077
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M.0U...........!.................4... ...@....@.. ....................................@..................................4..O....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................4......H.......X1..4...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\he\CPUGuardian.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	4.032004620717601
Encrypted:	false
SSDEEP:	768:rBOdfHOEAKn/hwpxUEADJOXUnYfKREUSlPw8vkPQ:rBOROihixUEJkyUSRlvkY
MD5:	10516BB4D2825A16526D237DC9CFA72C
SHA1:	98D3CA0E3F223509477116176EB0B6415E8E2DF8
SHA-256:	BDE16F1BDB11B1683DA0F926EC0FF02921C10C78E59AB9BC666BD0289C0A0B9D
SHA-512:	889EC461BC452EECFF40DB5459C6BA652CA3216F489D215006884EB84C263EA94F0408F901115AEF957373F82F9FFC34F292519A87BC1A7189320FAC9852BC5F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...W.0U...........!......... ........... ... ....@.. .......................`............@.....................................S.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\he\Splash.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5120
Entropy (8bit):	3.900169167057354
Encrypted:	false
SSDEEP:	48:6ilgDGMlm9eRkbkYkb/kvkVky1k+fkfkw1kgJlAumvAdP8nhOlR4/NgGGzhIHaq8:t2Ry1OyQjXfqxlXaodP8n8lRdfIkV
MD5:	5D92C1B07EC32C9A80B0FD560CB1D677
SHA1:	BCB3AC48B5CC79B96FABB607392DB843611E9F03
SHA-256:	B24E4D131832B43A165E7408E13A462FCE61445EA52ADF457DCE635B25FBB34F
SHA-512:	8015AB05FE3D91DFBEC83468FAA245461237B6E823CCD8D35404F695F2C6256B5DB66BD83C71A6CD93BCC7C6C77ACB185DB2AA47719D479413B0C67FA4CE9109
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G.0U...........!.................+... ...@....@.. ....................................@.................................d+..W....@.. ....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................+......H.......D(.. ...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.....(E.x.p.i.r.a.t.i.o.n

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\he\Uninst000.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	4.039017071227604
Encrypted:	false
SSDEEP:	96:XuFI0Uk10zmZ70Uk0Bo0/X0sXP0WB02ku0WEVFZzQliDfvzwTaxCY+oVYzQlEN1x:+dQmBZjcYOjzybTaxlyzyE1nNy6Frrz
MD5:	2FF404DF3A45BF9F18BB613950C3650B
SHA1:	EA7E767E249F8E4CC44597755FA26ED98587E27A
SHA-256:	AD59502FBB5848AF48DD5AC38C274A6801E2035F5D16183F8FA9946918DE7E29
SHA-512:	C0C9A6FFAA97ABFFDBD572FF3C7851BF1DCC70594791D05F757976DE3460B9CB3D8D0E52E0CF78A78E4382B31731604C2F30D29800BCD51CC545F71B23016973
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M.0U...........!.................3... ...@....@.. ....................................@.................................D3..W....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................3......H........0..4...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\hr-HR\CPUGuardian.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	3.9659510119567094
Encrypted:	false
SSDEEP:	768:7BOdvFQQVV2WkWORp/yDWMosYnp1E5yhMB7fqt:7BOJZV2Wk43osYnp1E5yqh+
MD5:	FDD4BFB5A4E817C14CD16FA5E039D7E4
SHA1:	1D0414194B1FB74067159E2C4B5C3100DB9356E1
SHA-256:	C91DAB72DD5F016D85D9854ED023F7A3BE6AC27280D0603526D80B15B91ADF17
SHA-512:	59DF6020BA49C8875A857C746AA8CC25B495DC46D2A79B4EB498E080821A63EA30F8DFB3FE25D7B8B3C9A4A0A90E8FA57B19203BE70B6D749F65BADC8A86FF77
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...W.0U...........!......... ........... ... ....@.. .......................`............@.................................@...K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\hr-HR\Splash.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.7413954254986312
Encrypted:	false
SSDEEP:	48:6iZxH9DGMljklMk3kEkTkNkpDky2Lk+2kokwokxAz0J7P/kL0hulR4SNgUvrhIHU:tkMuxm4YcLX2lU0fBkIElR0ywkV
MD5:	A672557BA410F907D3855F7AC8FC2170
SHA1:	8A8A406AED928B349C8DC5A100752164CCF92B60
SHA-256:	1F5F27E759F521715196F5BDB9B527C615CCA6B34F97EAA96811DBD7EB6C5EC4
SHA-512:	3C558F86B8FACF10D3B536B922A49057014C2B492F820C16B9D7FCA7E7B553DA9581CE5A71ABE297E14053E1AAA7DD02E1D7679B2FFFEEF1045A6A679003B284
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G.0U...........!.................+... ...@....@.. ....................................@..................................+..O....@.. ....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................+......H........(..$...........P ..7...........................................3..............lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.....(E.x.p.i.r.a.t.i.o.n

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\hr-HR\Uninst000.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	4.182084893995854
Encrypted:	false
SSDEEP:	96:Q+I0Uk10zmZ70Uk0Br0/m0sq0WK02kF0WEVFYzQlzjkqvuTaDadYWeVbzQlEW1WD:lQmBZeTFOOzyPiTaDaSfzyEKNyw9sr
MD5:	D99C4A722153555ADAD9B8A99482EE80
SHA1:	9A87CB3CA5E55E978B8684A9CAC4E61F2A7AF8C6
SHA-256:	669CED0F9D382B4CFF64E030AC08A39A39FF4076B8E1326F3EF6F4BA7A7AB5A7
SHA-512:	D9E6F4FC45855518E53BBC97A78A636499BC852BAD4D9B4F93C42CD34CDF50FD1461274F5B4743D2AE65E83D8737860B499E0419CCFD6E5B4BF5345BB01B9B06
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...N.0U...........!.................3... ...@....@.. ....................................@..................................3..W....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................3......H.......L0..8...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\it\CPUGuardian.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	3.9691724802214194
Encrypted:	false
SSDEEP:	768:/BOdg4OVo3w7T+N9OyR+BKIu7D/hW5c60MklN5jRtJx1D5g1XoZ:/BOai3qT+2Xu7rhWDGlN5jRDxBuXM
MD5:	812B5D1EB56D6D94945ED814059A444B
SHA1:	D54140C811ED84BB91706811D88AB40C85385FB9
SHA-256:	3F045423F29DA3BCF3F5A388B8B2EFA67A8AA9D5D1A253BEC50B9BF6F2D21778
SHA-512:	DA6FF1A989730B7A9CEF6E0DA8A0FC9423A14ABFD645CF848796969E84B4258E2F7E66AFC01722C48C70858114F6352BA7CDDACC9E8169DD318B332F9E909681
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...W.0U...........!......... ........... ... ....@.. .......................`............@.................................8...S.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\it\Splash.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.739847864662882
Encrypted:	false
SSDEEP:	48:6i4CDGMl84mAkP4kGkYk0kSkyBk+LkckwNk38lAu0AgcnRLXdWPl25mnRLXcOlRI:tKAh79J/PXLJJ3gTkRJWd+mRFlRBPkV
MD5:	7D9800DC4070C98011B366CC8678909A
SHA1:	D67416E875B59A953347CE727E255D5A195677CB
SHA-256:	33B7C869131D4526928485DE4D35583CA2C1E3E6ECC4884C8E53CE36172135DA
SHA-512:	DD60A119B59301D4B0F192C8F8B474D272C9EC5347DE9F267B001351AC3092ECEEDCEC40D0EF1148441F576E8FF744FF1185CB04DC34C0039FC0B4A031F0A293
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G.0U...........!................>,... ...@....@.. ....................................@..................................+..S....@.. ....................`....................................................... ............... ..H............text...D.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B................ ,......H........(.. ...........P ..w...........................................s..............lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.....(E.x.p.i.r.a.t.i.o.n

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\it\Uninst000.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	4.041465111422236
Encrypted:	false
SSDEEP:	96:QtYI0Uk10zmZ70Uk0Bl0/E0sM0Wh602kP0WEVFSzQlfoovSTaP0YWiVNzQlEY1zr:CeQmBZwlXOczyITaPDdzyE+Nyz1E/P
MD5:	8BD86E748D92D6A4567F973539AAFA2B
SHA1:	E6C7702AC060D9BB34BFA4D541840E8379201B8D
SHA-256:	6590CC22AA637F73D2991D72B8869223689588914E0EB3B03D2E524E439B3DDF
SHA-512:	D02B72EF9136173A757836714745A23F40CDC4F27BE47BF1570B0E0F27BF9DEC359901BED6FC495317EBDD230BA311C09721C88B8614EB27434289C76639E1E4
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...N.0U...........!.................3... ...@....@.. ....................................@.................................@3..K....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B................p3......H........0..4...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\ja\CPUGuardian.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	81920
Entropy (8bit):	4.4255106250707925
Encrypted:	false
SSDEEP:	768:hCxBOdVBxE1B3vcMYbc7drcXiz5to4bswwsYMIBu:haBOX6vcMAyz7o4bstspIg
MD5:	DEA74122A9A2EBC0D680DC157A16B39E
SHA1:	BACFD4A9FEF07EBB887D1147694123F98F076DA6
SHA-256:	C3616533785F0185198496AE4A2CD5754A9AF35ABAB025AFFEB437909B9A8A37
SHA-512:	B9430DFCB9C208D56FC7FEB04BFD9BB0F6513FCDE7DD0DD9EE079C0D1DF003F70D09D3431309AEA243561232D9B296ED8724DC11E29DDB2AD33AF1ECF0AA7910
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...W.0U...........!......... .......$... ...@....@.. ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......0..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\ja\Splash.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	4.176153372046629
Encrypted:	false
SSDEEP:	96:tY81g9J/qXq5gyzB43BGxXlzIBGxflR6fkV:y81g9J/qXq5gyzB43BGNlzIBG1G0
MD5:	F0D9B1401796CFC78F2E88281578B88E
SHA1:	8908B6C9B8AAA2087243F809D67174CECC061E8C
SHA-256:	C0C3D22DEC05AD462003F07BAC905C94A07BE450A84D84F319687B7A4C989B4D
SHA-512:	A1B4429607842918793A6CDDEF5B58CCC3DC5DAF05C2C3B5B329F7BF9654747A7915F5AAFA57BC3D756CEAF253F62DCFE2947F9CC76EC5CAF634B3B29ACD3CE7
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G.0U...........!.................,... ...@....@.. ....................................@.................................x,..S....@.. ....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................,......H.......X).. ...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e./...(E.x.p.i.r.a.t.i.o.n

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\ja\Uninst000.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	4.082944201678249
Encrypted:	false
SSDEEP:	96:QmI0Uk10zmZ70Uk0Bz0/u0sS0WC02kt0WEVFQzQlcSv+TazoY2uVhzQlEo1juNsn:VQmBZGbNOmzyyTazPFzyELNycFgb
MD5:	EF09D718633829DD3FDF713F590DAA72
SHA1:	F657A19D4CD76D46AD7EEC270B45FBC90358E01D
SHA-256:	3434E0E6BC1A38115594A94F0FB3D4C321A2C16142358E76717AD307F9568AB7
SHA-512:	869019EA8C9791764FFDE633677E7DD4632FDE22CB555C825D3EFE06E3110E50BC6F206BBE3E9C061671299B45ACDC3D4B0E8BB48FC4E43946C6CC58FED77A3A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...N.0U...........!.................3... ...@....@.. ....................................@.................................T3..W....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................3......H....... 0..4...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\nl\CPUGuardian.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	3.8994526850766222
Encrypted:	false
SSDEEP:	768:0BOdVyG8F11n7TdUabqn5pOxMrJIiIkRaBwImPvv1nRsS:0BOL2n7TThGJpXRDzXv1nRD
MD5:	E6EB8D4F9151F57A6549120A019A1ABD
SHA1:	50B2C3B2F1A3AC26138E2E4FD993E18F17E53858
SHA-256:	12D96859BACB839E5F5AC21E86F32CE7B2F20F366AA76B8AF086011E2D9A82DA
SHA-512:	DD6D3523CF9B66D707D7F8117B23DE1655E771A199E57BD187F7C9181C06B2C19B16EF28CF9827A51CC44788DC6E0F2C8F9CD9B718F8F04BDC235147F692AB63
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...W.0U...........!......... ........... ... ....@.. .......................`............@.................................8...S.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\nl\Splash.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.687543440887069
Encrypted:	false
SSDEEP:	48:6iZxWQDGMlQA6kkwkikQkNk2kyLk+okskwm4kcA41D8sYsFODFuOlR4/N3o2rhI0:t6rkxnV4zdXoZC4j9YQoZXlR8wkV
MD5:	F11F42363600EC97A28F7CDA34CD3D17
SHA1:	43C67A53B13BA3E7BD48BC22D85C663F34B92A22
SHA-256:	6FD0D852A6C75881A9CB892B50108E40686787359733A8CE62E9CA70EEA1D76D
SHA-512:	9B1BA9A28D02B92F4A92F0DE980648A726196D62AD14642A5A9E15BB62D6A4B2756E563373516B586C47587429D7F19DFA9347267F4210489B19271EA83738F4
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G.0U...........!.................+... ...@....@.. ....................................@..................................+..O....@.. ....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................+......H........(.. ...........P ..:...........................................6..............lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.....(E.x.p.i.r.a.t.i.o.n

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\nl\Uninst000.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7680
Entropy (8bit):	3.953164623912564
Encrypted:	false
SSDEEP:	192:OQmsIwEfOSzymTajI+zyEEescZnfMfQpo:OQmqNoyVVyEEesc9seo
MD5:	44477A6EB2BC155276D54FB662129262
SHA1:	309F889DEC5EAF99E6634872EC272F575611BAA3
SHA-256:	836579EAE6E8A26F6972DA21ED27742DEE86C995D8D3CA1C8FB01266A86A4DEB
SHA-512:	2F2F460F93E0CCEE6EEFDAAED9B4BC0A6E7A467167AE8D862738B51FEAC847B9647193360E0F35C270F07FB95DDA9B8E0CBDEF88E80B941314B81B8E81B60F73
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...N.0U...........!................>4... ...@....@.. ....................................@..................................3..W....@..@....................`....................................................... ............... ..H............text...D.... ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B................ 4......H........0..4...........P ..]...........................................Y..............lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\no\CPUGuardian.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	3.9181491538846354
Encrypted:	false
SSDEEP:	768:ZBOdPBZtO3Zt0c1RWnB95rpSWRGsEqEI9kcp7iHClfD3+EN9zokKuj+5nLuSnIZH:ZBO1Y3b0c1ReI6G9HqpnUeBIm
MD5:	26DA832F09D62923431676F0797688D8
SHA1:	5A05D0258306725E706BC7600024398C72813CFB
SHA-256:	F0A94BC58243A26316C47EEC2FACE2B8188B9CFFE1B71888C06E2BC698A51447
SHA-512:	5EDA4CC00D449DD4FB5EA31504118CBA8F39239417D67E021EDDBD33CB0D3FC118486355C6AAC8E4B168AE24662AF071F3B54C88C0064B377742B8210E031FE6
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...W.0U...........!......... ........... ... ....@.. .......................`............@.................................l...O.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\no\Splash.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5120
Entropy (8bit):	3.9492607056179194
Encrypted:	false
SSDEEP:	48:6izRgbDGMlJ07Mk3k6kIkFkTkyKk+YkAkwgkwklAu0ArvdWqpRdW1OlR4/NpoHhD:t2iMu/tQWEXYtsjYgK1tp3LlRjkkV
MD5:	86DFED479DFC45B2823916145DCAA416
SHA1:	A5B1783185A3A28361216819AFB57F054632E005
SHA-256:	946EBF7E8616E593BFA935A54524411DFF3EDB6E7172A0223F85D013A9C3C6F0
SHA-512:	5BF61BFBA7D15A2ECE5CF856389A84F19BCEBF75B54948682EF8DE07B93C4ADC622B80E53AFEFEF19FF7A65CDE6BC6330AA69A720F3971DEEF4B11EDEFCD14E6
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G.0U...........!.................+... ...@....@.. ....................................@..................................+..K....@.. ....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................+......H.......`(.. ...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.....(E.x.p.i.r.a.t.i.o.n

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\no\Uninst000.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	4.04991392298531
Encrypted:	false
SSDEEP:	96:QtUI0Uk10zmZ70Uk0Bo0/X0sXP0WB02ku0WEVFZzQliDfvzwTaxCY+oVzzQlEE1p:CSQmBZjcYOjzybTaxltzyE5Nyu18/P
MD5:	993AE0B85F6F53841CEB77ADA93BA46B
SHA1:	6EDCBC8BC1C96674B41733FC63FC768468A3CBB4
SHA-256:	DFD7A4B1BD072C7971520627667B66FBD8AF24DF4DD62DCA2770AC0B311F259D
SHA-512:	2F1B921260CA05271E6D8A37454D7188224C44F0BEEB7A1A01AF25E04317190BB42726EBFD24D3D46E61250B6C473C4F2930376A53BFA2F5D13721715661BDBE
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...N.0U...........!.................3... ...@....@.. ....................................@.................................@3..K....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B................p3......H........0..4...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\pt\CPUGuardian.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	3.971721289254612
Encrypted:	false
SSDEEP:	768:1SmsP9uP0BHf5eoa5dDbc0RlPy9A3w4haK3Cxzo9/maU:1Sms17uoa5dpmAX3stv
MD5:	6CFC17B521F809CD5EE4A0E422644DD1
SHA1:	8151FEE8DFDCD05A169BB0FBCABCC9E5BAEE9249
SHA-256:	B87C4F1E76846F4F5FF8E9CCA767EA7A9298759DBAD9CB7EBD075511EB27E2E3
SHA-512:	04A8C30C0E475F16ADC3A5ED690DD4866B4FFD01E33F4E7FC16E541C5046680E2AEA3BD832DFCE99841C2032EFEBB75601903CB36D3B8718F6A2220E1C897108
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...W.0U...........!......... ......^.... ... ....@.. .......................`............@.....................................W.... .......................@....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........ ......................@..@.reloc.......@....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\pt\Splash.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.833571849211572
Encrypted:	false
SSDEEP:	48:6i4KDGMl3qleAkO4k0kfkjkskyVk+uxk5kwukh1NkjNxOlR4/NKDwhIHaqwGlBo3:tGdGBymhDXOMCSNkj6lRH3kV
MD5:	DEB4EB85B057AC5734C1B1167940306C
SHA1:	B8205028AFD65BB10F9E6975BD54CA699F50B5A9
SHA-256:	85ED2FCD17B87CD0A331E5097FF7B0FA2F2CE831458DB4977CF512B63C237F4B
SHA-512:	80E2EE351978D3D7F7120F3334765B2A3822B0051EB13124BC06E22907CC415E4AFB4B942525A2975333E9A315DDDDB83053EE350C2A25B7AE28A03C9012F432
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G.0U...........!................>,... ...@....@.. ....................................@..................................+..K....@.. ....................`....................................................... ............... ..H............text...D.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B................ ,......H........(.. ...........P ..}...........................................y..............lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.....(E.x.p.i.r.a.t.i.o.n

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\pt\Uninst000.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	4.065581190458283
Encrypted:	false
SSDEEP:	192:pQmlyNAAOgzypTazFIVzyEgw7JvN9rud7:pQmw2OyI0yETlTr87
MD5:	6AFADA9F452385D301123803443399AA
SHA1:	ED195CC59206F077BCE8186A2F1E4B37A43C5B89
SHA-256:	2060DB090D87894142C4556EC4914C6D4416CA5FB0DE8BF55A2F29A165BA321B
SHA-512:	C071FF19986CE74DE4D0341F3385A2ED7B32DD14D47E6D2547FDF555E3B7407A85B8B66C13FC5EE60B619BE17A0EDC65EB80716861540D0E5112013759DD56EF
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...N.0U...........!................N3... ...@....@.. ....................................@..................................2..W....@..@....................`....................................................... ............... ..H............text...T.... ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B................03......H......../..4...........P ..o...........................................k..............lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......9..c..Y...Q....\|...b..c.0.}.B.0.S&.HTd{q.....J...!...y.......\...Y...R...G...............................e...T...................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s._.f.i.l.e.s._.a

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\ru\CPUGuardian.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	4.491247413221048
Encrypted:	false
SSDEEP:	1536:mTQUWl0G7k9WwyWl2ia6v3YbceFi4WXIBuYRbmiK8HLCoh33:IDNTJHhv30fWXI8LiK8HL5
MD5:	A763547105D323E47E6314F73AA7C974
SHA1:	C6300C01AED96E6DE9882EEC0805A4ED55313D3A
SHA-256:	203439DFC3D49595B2B86A139EFF247868B5ED16C255112F5F763A9D78BA7A5E
SHA-512:	B89C44D190F2361B1A6FE8FD24B7E3ADE5E3818CA0A4C54B3704FD1337B54EB935F342AB8200D8A283C66161D6E8F1FB3D4D17E7B26FFC29814DA9CE5D5F4B66
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X.0U...........!..... ... ......n?... ...@....@.. ....................................@..................................?..W....@.......................`....................................................... ............... ..H............text...t.... ... .................. ..`.rsrc........@.......0..............@..@.reloc.......`.......@..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\ru\Splash.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	4.2211282701766475
Encrypted:	false
SSDEEP:	48:6iXsf0MZrlGs+QklkRkek2NkfmkyWk+yk1kwDkCYK28Jsu0UgTGDIYKxOlR4/Nr5:tcVJkkDtNCmEXywHH28d0MlR696kV
MD5:	B45A96B29BBCC942991989C83B590046
SHA1:	B8040ADD80BB1BCD270F954252277F9880A11E04
SHA-256:	64083B3229DD74A47B7C3078454D8D5202161C7019DA43ADCD3B9402F1CF3AF6
SHA-512:	60CE08598C7B810ED7A2EEA266627D300A25512D72C9E3965DC984642E7D69CE1BD219C87F03253493B0E733AFB0FAAB5176A42159D3B48503326299B1FF2F40
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G.0U...........!................>-... ...@....@.. ....................................@..................................,..K....@.. ....................`....................................................... ............... ..H............text...D.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B................ -......H........).. ...........P ..~...........................................z..............lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...........q.....Aa..Ng.2Ml........Y.......?...{.......,.......j.......<...................J....E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.#....E.x.p.i.r.e.d.R.e.n.e.w.j....F.i.x.

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\ru\Uninst000.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	4.504808963956695
Encrypted:	false
SSDEEP:	192:9+Qmu8BQPOpzyaTa6J2kzyExyAOHu0K3:sQmtBtyg/yExylq3
MD5:	D7B8E775EAE5B85BB68E3DD92C532D49
SHA1:	5E91A7D8456BEDB3D602541BFBF0F0BCBFCF1607
SHA-256:	D11B433A442596EAD5D9D3E12DF6E00B827E57866CFF8BEFAA5A05A024516173
SHA-512:	8ECD845D6C74216CC5309787AA755305248DD429DF5696BB12625241FDF4FB0A54C796196AC0CE5E1D2FEA55B63A0CBE34DD04B9067652BDDAB2FAE782043F41
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...N.0U...........!................^7... ...@....@.. ....................................@..................................7..O....@..@....................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B................@7......H........3..4...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......9..c..Y...Q....\|...b..c.0.}.B.0.S&.HTd{q.....J...!...y.......\...Y...R...G...............................e...T...................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s._.f.i.l.e.s._.a

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\se-FI\CPUGuardian.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	3.9451674201385862
Encrypted:	false
SSDEEP:	1536:zBO0Hd8dK/yMPmcUst4lRJhSXtXxzD1hQpSXdXUihw9k:tOKdpdzUllRJodhzP4SNz
MD5:	FE8F698C654097EDAE0EBAB06CE93A67
SHA1:	7086FA465D1715643881E7D5A5002231F0D073CD
SHA-256:	BD79BC04C904C694F0E103DE2F864A27753684AFFBA29238762E7BC3E3ADFDE4
SHA-512:	C8FA3B48C4128A885552EE786BB53DF41202B505F8D8F63C1FF8A89986B3252E335A4E11982A2DCAA99F0C202A427E53119C789BCA79AB0F8CA10FFFAE89A1DD
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X.0U...........!......... ......^.... ... ....@.. .......................`............@.....................................O.... .......................@....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........ ......................@..@.reloc.......@....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\se-FI\Splash.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.8528524103987323
Encrypted:	false
SSDEEP:	96:tLgNQ8ayDf4XkGDP9dKUpCKnURlRwTkV:FgNQ8ayDf4XkGDP9dUK4EI
MD5:	91A173B401ADB226D0D459AECB7185D6
SHA1:	28D8D8DD98B3F1BAF7C527A2D3D5D5CB8B70E77E
SHA-256:	A298B7E2D04B4B56F0EED8BA896F064CEA72D9D81B0D5DF3C6A7CAAA49403CFB
SHA-512:	59CD3607D6684B8278B29FC75CCBEAF7FEA35237FE187EDFF63171700425D8F999037414B4FD4F69A3232FD5F6A7EC231AE6D1492C50B3C029529C3B21FCBE7C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G.0U...........!................N,... ...@....@.. ....................................@..................................+..W....@.. ....................`....................................................... ............... ..H............text...T.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B................0,......H........(..$...........P ..}...........................................y..............lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.....(E.x.p.i.r.a.t.i.o.n

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\se-FI\Uninst000.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7680
Entropy (8bit):	4.0846400068915765
Encrypted:	false
SSDEEP:	192:VQmBZwlXOczyITaPDgzyEwNyzmyWhWoXs:VQmYU6yzayEwNyzZmds
MD5:	ED07C1AEDE2F42966952246E5849400C
SHA1:	184C827F6BAA7544474B6B5FB971BF331F0B338F
SHA-256:	CF9279BF0B716FD59DE5FC1F88B09E258DCE3ECCC69FEF64CB3E33C6A8C2EDEA
SHA-512:	419D0C43A870F92BFF9A769E8F20923E2CD0F731F82ECF69847F951D915B7E331DDE0F97877327C9D620862E3EE4A034A77179B55C6A8802D54C30983947A750
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...N.0U...........!................^4... ...@....@.. ....................................@..................................4..K....@..@....................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B................@4......H........0..8...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\sr-Cyrl-RS\CPUGuardian.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	4.379382974331268
Encrypted:	false
SSDEEP:	1536:HBOiGrPIxqYcDUfjEK+rFNvFjT4cR+nZ:hOiDgNw7EK+rFNvFjT4cR+Z
MD5:	F62A31D7978AD582B5940ADBD7532582
SHA1:	87363BC5C621072C87A80441788F89B6E6825AB0
SHA-256:	3994D737ED0B72BEDD358BFC57C10B4C5A6AA5137013D0019B00AD96EEE2DFD5
SHA-512:	F54408F6D96D44A239EEADCE95F0B482BF51E2305387F5F087BB250F4E89706D7414EF2861B57C0ACAEB3735A43DFF3C2A02FB66CE2DEB0D99629F150694AAFE
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X.0U...........!..... ... .......8... ...@....@.. ....................................@..................................7..K....@.......................`....................................................... ............... ..H............text...$.... ... .................. ..`.rsrc........@.......0..............@..@.reloc.......`.......@..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\sr-Cyrl-RS\Splash.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	4.321459539979928
Encrypted:	false
SSDEEP:	48:6ZH/ADGMllR84kFkfk9kPk5kyxk+9k4kwgkeOrtDjNyoljNrOlR4X3NoqrlhIHaz:uL44C4S0zX9tscBtLKlRmprikV
MD5:	CD70D773593C270F0E513AEE9BB684D9
SHA1:	031C4D1E1971A9FDBC4A8AF8E289459FC863366B
SHA-256:	31B4E37303E012A4D3D44B175B27B910030845C2F138C952B5BADAAFE59789D4
SHA-512:	4A8718A89E19C26CD34A246745480769BDA42B46183B8F3FA84408025A826E019EB1071D417F27BB55DAF68E7700EE9B8DC4CEBD0026981075B23C598F27A9E4
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H.0U...........!.................-... ...@....@.. ....................................@.................................x-..S....@.. ....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................-......H.......H*..0...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.%...(E.x.p.i.r.a.t.i.o.n

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\sr-Cyrl-RS\Uninst000.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	4.110367815320927
Encrypted:	false
SSDEEP:	96:QtdWI0Uk10zmZ70Uk0BO0/B0sV0Wz02kE0WEVFnzQlK5vwTaFGYuUV2zQlEn1OX2:6KQmBZBquOdzy1TaFBwzyEYNylVVjf
MD5:	4FB24C40602FF79E2DAFD6F1579436CA
SHA1:	4DFDD44AE0D33D27D043D91BF682B5C025539FEB
SHA-256:	F8CBF8BD6CEDCD79CBF62F4F3C81FC788DF3B42820D190F4B9FADB197E7EDAC6
SHA-512:	7D64F42171CB5A5AE710EA8B8704A8295C6BE040CECEE250D382AFD5F7C1A5D91E4F07A6D270AA935DDA997D0E9D4797F08B3C7532A5B5C8C2F302876262BD09
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...N.0U...........!.................3... ...@....@.. ....................................@.................................l3..O....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................3......H.......(0..D...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\sr-Latn-RS\CPUGuardian.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	3.9486263178080003
Encrypted:	false
SSDEEP:	768:dBOd56m5w9a1YMdNaJDWEPdtE4AgAdwrntEkihu:dBOn681YMLsC4pAdwryJA
MD5:	DA64FDCF62E86D27A2AEFE9A6A16CC01
SHA1:	15695B0C5A54BB769C257E6DD94EC861BD228A9E
SHA-256:	72FB8DBA2A4A7F3A521815702CA28FFDEFF00EEAEAAB92A94382D6915BB29658
SHA-512:	AD1373EECE3A3906D5A626927233867552507D4E88C5C90FD93E7FCBEDBF47CEDFD2C50215D0D38286F27820CE2AB1AADB22F141348C96B101EC591188B07D2C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X.0U...........!......... ......N.... ... ....@.. .......................`............@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\sr-Latn-RS\Splash.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.78375600624741
Encrypted:	false
SSDEEP:	48:6ZYKDGMljklMk3k1kEkGkukyzk+ZkJkwZkMpAzuY5rVkPuYUOlR4X3N1qghIHaq8:ugMuYpDbFXZcdzpxYDkWYRlRmunkV
MD5:	DBCF2704FB624DA8BED5E9F8F5411D7D
SHA1:	ADFCC4784E8392892AEB630147D01478779B9452
SHA-256:	48304509F026310A5DC7C78D334B0785FD08F3E2B9C314D179D642581C4AD70A
SHA-512:	2EB251C61E938521A6D28879C724CE13E329E2FD48ADE8F960F134AD48426177CDCD6DAC4E6EE6802969D4213D3E714665F1785AF202E6091377D7937C2732D6
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H.0U...........!.................,... ...@....@.. ....................................@..................................+..K....@.. ....................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................,......H........(..0...........P .._...........................................[..............lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.....(E.x.p.i.r.a.t.i.o.n

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\sr-Latn-RS\Uninst000.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	4.080209394120206
Encrypted:	false
SSDEEP:	192:CKQmBZeTFOOzyPiTaDaSczyETNywf7Hv:CKQm2gky5SyETNy8Hv
MD5:	565514DB8F1053DE70BDE7D6EDAA68F7
SHA1:	A3F3FB7A52C6B1F6E74DD6FEF307340B56BDE584
SHA-256:	D82B05BF241CAA4820EFECF5C410C6398CAE3013A2B3FF0205B876396DA03814
SHA-512:	6BC4A18C49FE31C3DA9776A43B9E05D066BADCAC36AA33552C31345F32F6FA866C1F2BC3CA6CED7CAA96B10BF676DE69E350B0AE76252DA2A17E066ACED7AEB3
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...N.0U...........!.................3... ...@....@.. ....................................@.................................h3..S....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................3......H.......$0..D...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\sv\CPUGuardian.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	3.945156930938208
Encrypted:	false
SSDEEP:	768:3BOdwM1hnv/NAZisOjUoenPXwJmF4gu/DAkIlSsHl/qa:3BOSM/1AZiC8mF4TsbzHl/B
MD5:	C6963BC4B4923925C341E2DF9581733D
SHA1:	291A1EDC05E005D74485E372E98D80C8FFF1CC4E
SHA-256:	398B649ADCE9C7E3AAECCA57C838DCD44F1AB07F863362C727EF76712571B74F
SHA-512:	B63D43B389AD736789DE5F1E10FA46AE8B7EBD8D1FB87336141DF981F7624F739B2E774C0998119E85D5D867D4C48EF45FDEBB7F9CD158517DD26CF4D0D06585
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X.0U...........!......... ........... ... ....@.. .......................`............@.................................`...K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\sv\Splash.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5120
Entropy (8bit):	3.9504912557880996
Encrypted:	false
SSDEEP:	48:6Zl0DGMljERQkBk+kRkHkpDkygk+ykHkwmkEGlAu0A7V+II1VOOlR4/NfU7wqAhD:uTQgTsqYmXyCCZigPIIrlRYUkV
MD5:	2971D47CAA85DF274B4133D111682F00
SHA1:	DEAA7A99DC17F4480423E41C4393B594BF66BC2A
SHA-256:	2BC2986503EFBCD0C74AD43109F3B60BF412C53A8C0E578AF0C4E585F991F916
SHA-512:	97F4E146C446EFDC110A9B626043CA48854A7C2F2BC59E071BC6C0E32723D3683FFEA083994F0B1A8B377991C0D1395EAC759F291C3E21A92695B00586BC9E03
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H.0U...........!.................+... ...@....@.. ....................................@..................................+..K....@.. ....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................+......H.......p(.. ...........P .. ..........................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.....(E.x.p.i.r.a.t.i.o.n

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\sv\Uninst000.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	4.175782760061513
Encrypted:	false
SSDEEP:	96:QyI0Uk10zmZ70Uk0Bo0/X0sXP0WB02ku0WEVFZzQliDfvzwTaxCY+oVOzQlEb1Ny:hQmBZjcYOjzybTaxlczyE6NyuXBH
MD5:	D6C13FA525441958209715CB05EDB0B5
SHA1:	1B13E49504861C74457FFF8310036393D503F744
SHA-256:	9083496FD71FBC09E63431354DF60DDFA83DD9E0839A2575849962688CEF2315
SHA-512:	1B52EA254DC0958A18F4721D7E822FF5483ECE3F29F093478D53A24E00E69141AE3E5DE17BA84CC5F3C40DE0E6D8D18D404FBC54B6847CFB743AE08AB3E04F52
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...N.0U...........!.................3... ...@....@.. ....................................@..................................3..K....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................3......H.......\0..4...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......I`,.9..c..Y...Q....\|...b..c.0.}.B.0.S&.HT.d.sd{q.....J...!...y.......\...Y...R...G.......T...........................e...........................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\th-TH\CPUGuardian.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	4.365412956920742
Encrypted:	false
SSDEEP:	768:ZBOda5CIXxCPz2bR8TPk0rLKRwhmjgSgh1Hh1xr6eLRSmDusAQli6YhfNjYhfNt3:ZBOgsPz2bI+R8EWnJD3UHYgR0xEkF7
MD5:	7A3577B2742256B20A74CD8D02F20672
SHA1:	C1CA4471F1E4CB7653D0E857E94E44837BB1811D
SHA-256:	6AA27257943D86865D162F55628EBC1E16957C220DB2DAE70380A755FCA61726
SHA-512:	2EDEC392959901B180F635E209E273040F4BDFD13A770CBF08525E169DDCBEA3437871D5A8638D1B5D00D992C0E0D452E6DCC250E8B6181A580BEDF0C82465FB
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X.0U...........!.....P... ......Nb... ........@.. ....................................@..................................a..O.................................................................................... ............... ..H............text...TB... ...P.................. ..`.rsrc................`..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\th-TH\Splash.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.312306988769099
Encrypted:	false
SSDEEP:	96:uJwKzTE45wNXkWtmrL2Cgh2wlvYMi2s2wlvRlR3ckV:KwITE45wNXptmrqCghjlvYMfsjlvRrv
MD5:	4969D48F11E92C1AE109BFCB59D1590B
SHA1:	97914E3AA7E397B06EA4C4B3F5AC6CFA94047D13
SHA-256:	77B59617FDAB29CFA36D371AE3E11C2C014BC7751F78BFFA9CBFEDF5BEE34DC2
SHA-512:	134F1E2F0F36FA71017357E5BB6B697AE23E38601F839749C6CC1A05510FAB6C1FB256595D4E7A0F3B53903F66224D3001E0C405DF534D5CF995EB12DE3C51C0
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H.0U...........!................>/... ...@....@.. ....................................@.....................................W....@.. ....................`....................................................... ............... ..H............text...D.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B................ /......H........+..$...........P ..n...........................................j..............lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.1...(E.x.p.i.r.a.t.i.o.n

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\th-TH\Uninst000.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	3.9286963323819766
Encrypted:	false
SSDEEP:	96:VLhv0Uk10zmZ70Uk0BN60/j0so60Wd02kC0WEVF1zQlS/fvsTapqYuAzQlEPWyyQ:SQmBZNucgEOfzysMTap9VzyEKNyqtHq
MD5:	9B183C25446CD228D6186EA28271F453
SHA1:	01A542FC5A4E5E1F858ADD959D5E008A07E689DB
SHA-256:	7430893D1163719DAF880429B8F8DCD73D89BBDD4B6219E6947012D2B4EA99BF
SHA-512:	F7900351C2B701613A8D1B867F832E9A0F34A3676BA967C83BF953B5DB105E6E52B4499337CF777DAEC8E6EF9FC92777A9FD4827CAE37E4F7EFD3BCD4B4513D5
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O.0U...........!................~2... ...@....@.. ....................................@.................................$2..W....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B................`2......H...........8...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......9..c..Y...Q....\|...b..c.0.}.B.0.S&.HTd{q.....J...!...y.......\...Y...R...G...............................e...T...................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s._.f.i.l.e.s._.a

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\tr-TR\CPUGuardian.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	4.039988619807441
Encrypted:	false
SSDEEP:	768:MBOdP6rIg1ZFzz6fxHot0MTudACujzguZtqgkRFUHkIn8:MBOZ6PZFzqqu+C2suZtTk28
MD5:	837C1A02186D2D53D7C230F2D25CF0CD
SHA1:	5B810F63C65608FC23D0D9C63BD47A8CE86219A1
SHA-256:	AC9A78FDCF1B11618306E92DA60DF5830D64A13A512E9E3D1670291F32ACB83A
SHA-512:	2F7279B7E7D14C7DFC39A3629F21AF023B2FD5CC27A69F1091C13726BF1ACC2564E1D7B7CDD0D3BE0B4D0E09B665406B783D6334F7E1D2667D739A26EE5AFA6A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X.0U...........!......... ........... ... ....@.. .......................`............@.....................................O.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\tr-TR\Splash.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.746627833688834
Encrypted:	false
SSDEEP:	48:6ZQZ/DGMl8FXGk4mkOkUk8kakyNk+3kzkwAk+lAulPPi4zOG68sBxHBPi4zOG9uc:u5GcD5RX7X3eM9VxdHsDJxdolRXYYkV
MD5:	5435202B35683F86EB338A24018EDB07
SHA1:	71D87E1473765492987C70053A8A2400C9DB245F
SHA-256:	3E2FC5979EFF712345FD454EEC98E2F1C0B09A34A610F5C8E9C5983B42C65E3A
SHA-512:	CB76D3FEBD0DBD5D9870658438903A84BFC539B3DAA13CD2834C0A9AE5532675538A11F3CC7A6E48FC7502A9A8D5FA310FD162BF7E8B536C17C7DB422219A377
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H.0U...........!.................,... ...@....@.. ....................................@..................................+..W....@.. ....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................+......H........(..$...........P ..=...........................................9..............lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADPA...H]C.$[....x..e..1R:.x...K...C...............q....H.;..Aa..Ng.2Ml............................t...........K...<...........i.......#...a........E.r.r.o.r.s.F.o.u.n.d......E.x.p.i.r.a.t.i.o.n.D.a.t.e.....(E.x.p.i.r.a.t.i.o.n

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\tr-TR\Uninst000.resources.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	3.896516122737556
Encrypted:	false
SSDEEP:	96:VJv0Uk10zmZ70Uk0Bl0/E0sM0Wh602kP0WEVFSzQlfoovSTaP0YWQzQlE9FLNspN:eQmBZwlXOczyITaPDJzyE/NylN2m
MD5:	29BF2AFF2FD6CEB9234D8C1E776525FB
SHA1:	946ACD392E7F9E3637FDFE262F152128BA317DD9
SHA-256:	F73BEC1CD2230070EB891906FB581F7AEB5736C4789B1C64B612CD73A77D3050
SHA-512:	1F19BBA83E706CC1CF2D000372A89F435AC87B9989BE8028CA151977916A17AAB77FCAC9027E288012B586CA505FDC8F3EBD181DF28E50F0B90609BEFE0FB8D8
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O.0U...........!................^2... ...@....@.. ....................................@..................................2..K....@..@....................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B................@2......H...........8...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............PADPADP..l..2..........C:...~......2B..(......9..c..Y...Q....\|...b..c.0.}.B.0.S&.HTd{q.....J...!...y.......\...Y...R...G...............................e...T...................TB.a.c.k.u.p._.B.a.c.k.u.p._.A.c.c.e.s.s._.f.i.l.e.s._.a

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\updater.exe

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	433640
Entropy (8bit):	6.125248413835682
Encrypted:	false
SSDEEP:	6144:YGDVPVmyTCYbbLe+Bz1iE1/M7xbQE9VP/A7mULxKEmgDx4Qygjq2Hvp:YGCyTCYbbfB1iEm7xME95A71L34QD
MD5:	55C585039516BE3AD631C2C4D7427699
SHA1:	31B0C9D42E7919C7801920005C71BF3BB0B8DBA5
SHA-256:	773C09B3DCBD38F08521228D3E0521182EE84E4D8BF22C33F28CC30A0D217F3D
SHA-512:	72F64F17FF5CDF51EE0116C8FC95C23C2ACA5DC360B7ABE49108741EEE11061320586DDDFD478CCE75E246C7E91A38419DB2B190EE4B0479C59EDA9F30BD85E9
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........s..u ..u ..u ... .u ... .u ... ..u ... z.u ... .u ..t ..u ... ..u ... ..u ... ..u Rich..u ................PE..L...>.4T..........................................@.................................Nw....@..........................................`...........................,......................................@...................d........................text............................... ..`.rdata..dn.......p..................@..@.data...\L.......*..................@....rsrc........`.......,..............@..@.reloc...B.......D...B..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\decoder.dll

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	128640
Entropy (8bit):	6.538088740462681
Encrypted:	false
SSDEEP:	3072:+HLohTAI0NkxvLIe9R7Lw1UDm+qnWFGm+UZm:So+5yxzIebLX98
MD5:	E14324092DE7DF785684C2FC677F0DDF
SHA1:	947A50E2D8237DF137C78CB329AD2C594A422F94
SHA-256:	CACB69CC777B1CA7D97E47579F72AA986B2BD307862A722563A9BCCFFA4DC492
SHA-512:	2C101DE3D99DB06911F4CEAE588AF43CABE8131D0085F9C661987236F210827D1BE0DBEA0122EEC8211B6B79FF793EC94A0346A64949E25CCD8A37DEE7474F71
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........w...............nA......nP......nF......nV.........x....nO......nW......DQ......nT.....Rich............................PE..L...,.4T...........!.....d...\|...............................................p......}m....@.........................P.......0...<....0.......................@..........................................@...............D............................text....b.......d.................. ..`.rdata...<.......>...h..............@..@.data...L`..........................@....rsrc........0......................@..@.reloc...%...@...&..................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\holder0.aiph

Download File

Process:	C:\Users\user\Desktop\074kFuPFv8.exe
File Type:	data
Category:	dropped
Size (bytes):	12421709
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D34488155BB58116C9B8BA7615D672CC
SHA1:	076D61792EAE1FEE699C1EF1A4FC7970BE534F80
SHA-256:	1216B76235EEB4E14CD5A39B2D29EDA7F33FD4B9283996BA26F43CD0BBC48BE2
SHA-512:	BA2AECEEBA02DF776D7384E18E859A8D4090C95A3C65F138B608A70FD5CFBCFD5EBF3779D45FBE7D20E6C54C85063904DAF307983A0F76086D02D4424FCFF839
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\CPUGuardian\errors

Download File

Process:	C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	261
Entropy (8bit):	4.8931980654353175
Encrypted:	false
SSDEEP:	6:TMVBjzArRAEcvXoEmSxNBMo5/dmfzGYS9N6mKNZuAtRAKwnFv0h6Rb:TMb8RN+ZmSh5lmfaYS9NeNZ9jAVW6Rb
MD5:	EDAF63E7837F03516914536FB0022C70
SHA1:	9599A463702827096BE12C1020B66DFD7CD485D9
SHA-256:	DCBB055CBC2A83D828CCEB7DBC0B7C2A740EE3FE8354E9962EADF1BADBE9E7F9
SHA-512:	EE131FE3E21D54938880324B6457544F85F2E940EF4F10F08853D6E5A6A001E95859FFC02165FF432D147E8B29E80C2C90BC3F8267DED0A55753EA370A16581F
Malicious:	false
Preview:	<?xml version="1.0" standalone="yes"?>..<DocumentElement>.. <regerrors>.. <_date>2024-11-01T11:30:37.9802001-04:00</_date>.. <_system>7</_system>.. <_com>194</_com>.. <_user>27</_user>.. <_startup>0</_startup>.. </regerrors>..</DocumentElement>

C:\Users\user\Documents\CPUGuardian\errors_data

Download File

Process:	C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	64134
Entropy (8bit):	5.3361160408643915
Encrypted:	false
SSDEEP:	96:WUHD05een/VsBHsNHssHsxpHsj4HsWiHsoBLxsdDpsdDXsdDesdDWesdDZsdDcpQ:Wr+Ol4xvzyR9K7uD/utNWfavLuH1c
MD5:	A63D0FC4FF7510F6A55CC7E60C9FE715
SHA1:	F24C551D18DFCCBD1ED8769174B8F032CDAF8F4B
SHA-256:	56C57BCDE83E92431BB4CF811EC565A1D126640C7F4CAC85A03A3E27329185A7
SHA-512:	E7F6EBFEEB4D08D0BE28AA7231EA22B5512FD57DF098A9AB1DF48533596959F1B631B0A222824AEDBAEDFD552EE5FA5A0634949FAC5047E4177091673E4DD6F5
Malicious:	false
Preview:	<?xml version="1.0" standalone="yes"?>..<NewDataSet>.. <xs:schema id="NewDataSet" xmlns="" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata">.. <xs:element name="NewDataSet" msdata:IsDataSet="true" msdata:MainDataTable="regerrorsdata" msdata:UseCurrentLocale="true">.. <xs:complexType>.. <xs:choice minOccurs="0" maxOccurs="unbounded">.. <xs:element name="regerrorsdata">.. <xs:complexType>.. <xs:sequence>.. <xs:element name="scanner" type="xs:string" minOccurs="0" />.. <xs:element name="problem" type="xs:string" minOccurs="0" />.. <xs:element name="basekey" type="xs:string" minOccurs="0" />.. <xs:element name="subkey" type="xs:string" minOccurs="0" />.. <xs:element name="value" type="xs:string" minOccurs="0" />.. </xs:sequence>.. </xs:complexType>.. </xs:element>.. </xs:choice>..

C:\Users\user\Documents\CPUGuardian\fileerrors

Download File

Process:	C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	251
Entropy (8bit):	4.957590959023538
Encrypted:	false
SSDEEP:	6:TMVBjzArRUbvXoEmSxN5FRRAdmf+jENXgSnGaxGSh5k0Mv0h6Rb:TMb8RUZmSBFwdmf+gNwSnnzk0z6Rb
MD5:	7EF91279B2B8E2B669C24DB74D626AF4
SHA1:	4BD2D2B9E22F69E9B6AD50D47E1DA76BC8974518
SHA-256:	656C8C1C3AB50F7D6BBEAD498C4DDA85712F3410EBE7D40E5CD40B9B3500CB3C
SHA-512:	A61CA0C11D2623B8ADC87FC02D5FB483C368B129B2560D72C0191D7ABFFE33738F14A940EA8D456D0EF4E823488E0A6C39D03CBC07E4D78D6F85B831FCED6645
Malicious:	false
Preview:	<?xml version="1.0" standalone="yes"?>..<DocumentElement>.. <fileerrors>.. <_date>2024-11-01T11:30:38.0114448-04:00</_date>.. <_recycle>0</_recycle>.. <_wintemp>167</_wintemp>.. <_inttemp>80</_inttemp>.. </fileerrors>..</DocumentElement>

C:\Users\user\Documents\CPUGuardian\fileerrors_data

Download File

Process:	C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	50401
Entropy (8bit):	5.106198699852427
Encrypted:	false
SSDEEP:	192:WmyE8ETsEsEVEwEJEPEQEgEzEYExE0EnEEErEpE4EaERE1EtEKE+EjEHE9ERXEgH:ErdWX3yMZUv51cEhyxp
MD5:	73DB6089F66E70AC4EAF46AA888C3AB3
SHA1:	5E67C80B62FC0CE9FAF985237049B9AD025796B6
SHA-256:	C0A607647AD7A3F5BF8E069A4FEECEBEA05FA774BEFD0CC93DA911598E7E47BC
SHA-512:	D8F3430FEA7C53A446D5E4AC2025DC4709359444217FB73D7A9EAEAFC3E7C157F0971044C95B69AE4C4EEAFFE114629B41CD1B1818930DC33B17509FDFC91373
Malicious:	false
Preview:	<?xml version="1.0" standalone="yes"?>..<NewDataSet>.. <xs:schema id="NewDataSet" xmlns="" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata">.. <xs:element name="NewDataSet" msdata:IsDataSet="true" msdata:MainDataTable="fileerrorsdata" msdata:UseCurrentLocale="true">.. <xs:complexType>.. <xs:choice minOccurs="0" maxOccurs="unbounded">.. <xs:element name="fileerrorsdata">.. <xs:complexType>.. <xs:sequence>.. <xs:element name="section" type="xs:string" minOccurs="0" />.. <xs:element name="filename" type="xs:string" minOccurs="0" />.. <xs:element name="filesize" type="xs:long" minOccurs="0" />.. </xs:sequence>.. </xs:complexType>.. </xs:element>.. </xs:choice>.. </xs:complexType>.. </xs:element>.. </xs:schema>.. <fileerrorsdata>.. <section>wintemp</section>.. <filename>C:\Users\user\AppData\Loca

C:\Users\user\Documents\CPUGuardian\log.txt

Download File

Process:	C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	41436
Entropy (8bit):	5.630709401105368
Encrypted:	false
SSDEEP:	192:IwEHxtmWlo9ykT6tz0VegX+hfARjyLtKFnqT:rO6RmY+irQT
MD5:	805E612A0BCE663645D3311C3EF7152F
SHA1:	B3C29B363ED8BC5DB9EE4CB156345D07071E657D
SHA-256:	0B704BF5113C2BF9F6C62BE7A86CB4A77750AD2CE8E7A82CB976011D24003CBB
SHA-512:	3A0E333AAF284A264551E28141F955345E1E29B9B831765A6E13024DC34A518639C08E1FCF4E6047CD2186415174966BE3026A1C776571C7EA2456CFA3BD9237
Malicious:	false
Preview:	..Log Entry : 13:56:06 Wednesday, 30 October 2024.. :.. :Delete task: The system cannot find the file specified. (Exception from HRESULT: 0x80070002)..-------------------------------..:Startup :Already running....Log Entry : 19:04:40 Wednesday, 30 October 2024.. :.. :Started scan at30/10/2024 19:04:40..-------------------------------.. :Starting scanning: Application paths.. :Application paths.. :Checking for invalid installer folders.. :Checking for invalid application paths.. :Bad Registry Key Found! Problem: "Invalid registry key" Path: "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe".. :Bad Registry Key Found! Problem: "Invalid registry key" Path: "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\dfshim.dll".. :Bad Registry Key Found! Problem: "Invalid registry key" Path: "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\fsquirt.exe".. :Bad Registry Key Found! Problem: "Invalid registry key

C:\Users\user\Documents\CPUGuardian\logerror.txt

Download File

Process:	C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe
File Type:	Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	771
Entropy (8bit):	2.9494219251607547
Encrypted:	false
SSDEEP:	3:c66pkMMzFTof1tz5z5z5z5z5z5z5z5z5z5z5z5z5z5z5z5z5z5z5z5z5z5z5z5zH:L6pkMklcpkMk7IM70Ia
MD5:	4C5DF2E78238E3BCBEFA8B9784FD8894
SHA1:	8C21A0FD19B3013D1679F57B4C4E7CE3D800D343
SHA-256:	1D35A1DD351F90468E5588AC69860EBA2B86F5229E220E4E0EAF24AC0346CAA9
SHA-512:	CBE1A7F99A89556C8B211E04BBF012251E84D50712BA9B83BC9611E165DD4DC4001967885E66A468969AA3A9E2501C37184BC24FB46B359BB63FBD369F85337F
Malicious:	false
Preview:	___________________________________________________________________________________..START: 30/10/2024 12:36.......................................................................................___________________________________________________________________________________..START: 30/10/2024 12:36.......................................................................................22:51 - ActiveCom: No more data is available.....

C:\Windows\Installer\5d5e38.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Title: Installation Database, Keywords: Installer, MSI, Database, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Number of Pages: 200, Security: 0, Code page: 1252, Revision Number: {19B047E6-8562-4C6B-BBED-1F83ED1824A4}, Number of Words: 0, Subject: CPU Guardian, Author: CPU Guardian, Name of Creating Application: Advanced Installer 11.5.1 build 60347, Template: ;1033, Comments: This installer database contains the logic and data required to install CPU Guardian.
Category:	dropped
Size (bytes):	1278464
Entropy (8bit):	6.453906709405942
Encrypted:	false
SSDEEP:	24576:zLdjk711wY5APXQr0Q1e+P48AFO3qn1Mp3WqagKxmqR7f:zhjk711wY5APXQgp+P48II/Zza9xmqR7
MD5:	955E3A6F8138F5CFFFF24AB48109BF5E
SHA1:	6BB76D4244D92533A92BD2FFCC3071629408CAE8
SHA-256:	3BA7793A75B91956F9BF347512B16ED79968FB47F4AD18CF0F6AA1EFACC50E33
SHA-512:	D40D85A5719417CBEEE2066E0702EFF9B7480BA890C56F892A7675764F26063A0CDC061695E6A4F5044E5F2CA2F79F5B52BA97FFB13230CB6E8C86764FD5D78C
Malicious:	false
Preview:	......................>...............................................................}...............~.......................^...........................................................................................................................................................................................................................................................................................................................................................................................................K...............D...&........................................................................................... ...!..."...#...$...%...1...9...(...)...*...+...,...-......./...0.......2...3...4...5...6...7...8...<...:...;...@...=...>...?...E...A...B...C...J...Z...F...G...H...I...P...L...\|...M...N...O...W...Q...R...S...T...U...V...[...X...Y...\.......^...]...w..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...c...t...u...v...w...x...y...z...

C:\Windows\Installer\5d5e3b.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Title: Installation Database, Keywords: Installer, MSI, Database, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Number of Pages: 200, Security: 0, Code page: 1252, Revision Number: {19B047E6-8562-4C6B-BBED-1F83ED1824A4}, Number of Words: 0, Subject: CPU Guardian, Author: CPU Guardian, Name of Creating Application: Advanced Installer 11.5.1 build 60347, Template: ;1033, Comments: This installer database contains the logic and data required to install CPU Guardian.
Category:	dropped
Size (bytes):	1278464
Entropy (8bit):	6.453906709405942
Encrypted:	false
SSDEEP:	24576:zLdjk711wY5APXQr0Q1e+P48AFO3qn1Mp3WqagKxmqR7f:zhjk711wY5APXQgp+P48II/Zza9xmqR7
MD5:	955E3A6F8138F5CFFFF24AB48109BF5E
SHA1:	6BB76D4244D92533A92BD2FFCC3071629408CAE8
SHA-256:	3BA7793A75B91956F9BF347512B16ED79968FB47F4AD18CF0F6AA1EFACC50E33
SHA-512:	D40D85A5719417CBEEE2066E0702EFF9B7480BA890C56F892A7675764F26063A0CDC061695E6A4F5044E5F2CA2F79F5B52BA97FFB13230CB6E8C86764FD5D78C
Malicious:	false
Preview:	......................>...............................................................}...............~.......................^...........................................................................................................................................................................................................................................................................................................................................................................................................K...............D...&........................................................................................... ...!..."...#...$...%...1...9...(...)...*...+...,...-......./...0.......2...3...4...5...6...7...8...<...:...;...@...=...>...?...E...A...B...C...J...Z...F...G...H...I...P...L...\|...M...N...O...W...Q...R...S...T...U...V...[...X...Y...\.......^...]...w..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...c...t...u...v...w...x...y...z...

C:\Windows\Installer\MSI5FAF.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	92288
Entropy (8bit):	6.168843169819038
Encrypted:	false
SSDEEP:	1536:8R1jQVHH8pgKeDFX/0p3QTW+PB6y3rui6o84hiviuHw8f7sZzES2:Y1jqcpgKeDla+JXuGjkf7tH
MD5:	61E0D69413E1D3F975D6910FE04CADD8
SHA1:	382DC5AB38F75C40430C28AFFE9146DC583A5909
SHA-256:	A4D9154276DEF89A52CFBA94AA872C0284A01780D5728A4F57B8B562EAA4A5E0
SHA-512:	518D04C87818A66825F25D0FD9D79AAF1A6C030B917FB59CAED5F7341CFC912B1F635D2544A92DFFEF04054EF98EBA65031978804458CA777D6CC8A6DF62E930
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............^...^...^..j^...^..m^...^..}^...^...^...^..d^...^..\|^...^..z^...^...^...^Rich...^........................PE..L...S.4T...........!................U................................................A....@..........................@.......8.......`...............V.......p...............................................................2.......................text............................... ..`.rdata..wh.......j..................@..@.data...m....P.......>..............@....rsrc........`.......B..............@..@.reloc..l....p.......H..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI5FFE.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	301184
Entropy (8bit):	6.3403871925680635
Encrypted:	false
SSDEEP:	6144:v4a3qM8iEvSsiyPJ8OGZ0B9tEascMNKxmsCURqgQ:vOM8iaLiAJYutEaNmKxmsxR7Q
MD5:	36885842C1E86AC026470D3931C1FB16
SHA1:	C9264EE7D297D8873651D1B780F2EE40430539C7
SHA-256:	E760209574843BD3879FF1F631C377DF8F4BE0A5E2C6C09FFE60C9E52C9A4308
SHA-512:	C5B831BB08DC9E70E462E6B747FD7BE6200A55E51FF4060BC9C4E8F9C0544206194466F9C1E0C3B5A6963B6AEE5C9E27F4B968A804FAE7339A8334B6F62839C8
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3.?.R.l.R.l.R.l.Ql.R.l..@l.R.l.Gl?R.l.@l.R.l.Wl.R.l.R.l.S.l.Nl.R.l.Vl.R.l..Pl.R.l.*Ul.R.lRich.R.l........................PE..L.....4T...........!.....4...N......4).......P......................................U.....@......................... ...;............p..D........................+......................................@............P..T...d...@....................text...K2.......4.................. ..`.rdata..[....P.......8..............@..@.data....@... ... ..................@....rsrc...D....p.......&..............@..@.reloc...X.......Z...,..............@..B........................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI601F.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	92288
Entropy (8bit):	6.168843169819038
Encrypted:	false
SSDEEP:	1536:8R1jQVHH8pgKeDFX/0p3QTW+PB6y3rui6o84hiviuHw8f7sZzES2:Y1jqcpgKeDla+JXuGjkf7tH
MD5:	61E0D69413E1D3F975D6910FE04CADD8
SHA1:	382DC5AB38F75C40430C28AFFE9146DC583A5909
SHA-256:	A4D9154276DEF89A52CFBA94AA872C0284A01780D5728A4F57B8B562EAA4A5E0
SHA-512:	518D04C87818A66825F25D0FD9D79AAF1A6C030B917FB59CAED5F7341CFC912B1F635D2544A92DFFEF04054EF98EBA65031978804458CA777D6CC8A6DF62E930
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............^...^...^..j^...^..m^...^..}^...^...^...^..d^...^..\|^...^..z^...^...^...^Rich...^........................PE..L...S.4T...........!................U................................................A....@..........................@.......8.......`...............V.......p...............................................................2.......................text............................... ..`.rdata..wh.......j..................@..@.data...m....P.......>..............@....rsrc........`.......B..............@..@.reloc..l....p.......H..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI607D.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	1648584
Entropy (8bit):	6.332396309861831
Encrypted:	false
SSDEEP:	49152:U+P48IIO+P48IIC+P48IIzZza9xmqR7d71Jf:Ua48ea48ya48jZzaPB71x
MD5:	C01B1BE569DB3B046F88933C0E1EA01A
SHA1:	0138222992922D77BB47F32B30ACCE3BC8B50C7F
SHA-256:	2EAC9F98E0D115913592A89653E02CCF338E146716BA2DE7C176D821C165AEBD
SHA-512:	C5EE79FA053EEF5D9632D0945A357D4DCFD5764887301A7F9D37425AD73EE448B0AD71FB8C36C47C0F5AA4CACA67116556D76B12E694536B7836DA6235BBF90E
Malicious:	false
Preview:	...@IXOS.@.....@.d^Y.@.....@.....@.....@.....@.....@......&.{87D8CFC2-0E35-4BF0-81BC-C5B3D1652F6D}..CPU Guardian..CPUGuardian.msi.@.....@.....@.....@......icon.exe..&.{19B047E6-8562-4C6B-BBED-1F83ED1824A4}.....@.....@.....@.....@.......@.....@.....@.......@......CPU Guardian......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@X....@.....@.]....&.{31AB0EED-1171-4593-AD2E-1D31853E0B71}B.C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CPU Guardian\.@.......@.....@.....@......&.{DAB8DBA0-9416-436D-B2ED-548B19EF9B44}3.C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe.@.......@.....@.....@......&.{17FC9C22-6536-47E6-8A6F-DD16BDEC0D43}..02:\Software\CPU Guardian\CPU Guardian\Version.@.......@.....@.....@......&.{C585207B-9A0F-4AFF-A563-71089EE2354B}@.C:\Program Files (x86)\CPU Guardian\ru\CPUGuardian.resources.dll.@.......@.....@.....@......&.{63FF3E86-9EC6-4432-9949-B57EE8A72C

C:\Windows\Installer\MSI608E.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	360576
Entropy (8bit):	6.403857404373277
Encrypted:	false
SSDEEP:	6144:Vx1TBp0jB90G25pAVyEKfRUAXlKiJGzFKyC4WZALBpiQMPaKNg:Vx1TbeXSAPKfRFjJGzfC48AF9M9Ng
MD5:	ACCC5E05C4009B2A44CADF1D093CD07A
SHA1:	6B9167B1C61F8DCC9D8EE4DC880F1DB90331E89D
SHA-256:	28D23DFCD76F4B50D5E847B1415A4B193C843BF52B2522A8BE83840D77E59D97
SHA-512:	6CFC01B9ABBE4DE4CC3AFE64AEC3BF4ED12F8304CBD6009E39C3301357B26A93AD5A845EEF7DBA184A3BAFF3DC8EBA664F7EF2D2E8B7F8F0B5F70A5EA54B5B51
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x.e.<...<...<...5...%...5.......5...r..."...?...5.../...<.......5.......5...=..."...=...5...=...Rich<...................PE..L.....4T...........!.........p......................................................k.....@.........................@...k...8...x....P..`............n.......`...0..................................(...@...................\........................text............................... ..`.rdata..............................@..@.data....B....... ..................@....rsrc...`....P......................@..@.reloc...Z...`...\..................@..B................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI60DD.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	301184
Entropy (8bit):	6.3403871925680635
Encrypted:	false
SSDEEP:	6144:v4a3qM8iEvSsiyPJ8OGZ0B9tEascMNKxmsCURqgQ:vOM8iaLiAJYutEaNmKxmsxR7Q
MD5:	36885842C1E86AC026470D3931C1FB16
SHA1:	C9264EE7D297D8873651D1B780F2EE40430539C7
SHA-256:	E760209574843BD3879FF1F631C377DF8F4BE0A5E2C6C09FFE60C9E52C9A4308
SHA-512:	C5B831BB08DC9E70E462E6B747FD7BE6200A55E51FF4060BC9C4E8F9C0544206194466F9C1E0C3B5A6963B6AEE5C9E27F4B968A804FAE7339A8334B6F62839C8
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3.?.R.l.R.l.R.l.Ql.R.l..@l.R.l.Gl?R.l.@l.R.l.Wl.R.l.R.l.S.l.Nl.R.l.Vl.R.l..Pl.R.l.*Ul.R.lRich.R.l........................PE..L.....4T...........!.....4...N......4).......P......................................U.....@......................... ...;............p..D........................+......................................@............P..T...d...@....................text...K2.......4.................. ..`.rdata..[....P.......8..............@..@.data....@... ... ..................@....rsrc...D....p.......&..............@..@.reloc...X.......Z...,..............@..B........................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI612C.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	117376
Entropy (8bit):	6.150451245687014
Encrypted:	false
SSDEEP:	1536:MNwfjahC2EDwJZF83ZAHe4fnt3GiDPvvKH5rIDSdpLd:fWhC2EOF8354RVfKH5rIDSdT
MD5:	DF2F203F4D7B1444F7C2A5BD256735D9
SHA1:	604DCBF7EE612F2E3AF5F78E1F34B45C6B1AE898
SHA-256:	A4C5B94E72D5B8BD288D3C12AFA8FF513565E7043168A5B447D688B0B693FB17
SHA-512:	252DEF110C893F22EF52A152E7E1DB63B2342158DD34FDFC12C96D21600716DA005448E857BF5E5DC295E215017DA53F79A1649D2A3ACA6A6CBDB34A0372E4EA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V.u...&...&...&. W&...&. c&...&. b&U..&..J&...&..Z&...&...&...&. f&...&. R&...&. S&...&. T&...&Rich...&................PE..L.....4T...........!.................Y.......0.......................................@....@.........................Pz..t...ds..P.......P.......................D....1...............................[..@............0..h............................text............................... ..`.rdata...J...0...L..................@..@.data....8...........b..............@....rsrc...P............z..............@..@.reloc...7.......8..................@..B................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI63DD.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	360576
Entropy (8bit):	6.403857404373277
Encrypted:	false
SSDEEP:	6144:Vx1TBp0jB90G25pAVyEKfRUAXlKiJGzFKyC4WZALBpiQMPaKNg:Vx1TbeXSAPKfRFjJGzfC48AF9M9Ng
MD5:	ACCC5E05C4009B2A44CADF1D093CD07A
SHA1:	6B9167B1C61F8DCC9D8EE4DC880F1DB90331E89D
SHA-256:	28D23DFCD76F4B50D5E847B1415A4B193C843BF52B2522A8BE83840D77E59D97
SHA-512:	6CFC01B9ABBE4DE4CC3AFE64AEC3BF4ED12F8304CBD6009E39C3301357B26A93AD5A845EEF7DBA184A3BAFF3DC8EBA664F7EF2D2E8B7F8F0B5F70A5EA54B5B51
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x.e.<...<...<...5...%...5.......5...r..."...?...5.../...<.......5.......5...=..."...=...5...=...Rich<...................PE..L.....4T...........!.........p......................................................k.....@.........................@...k...8...x....P..`............n.......`...0..................................(...@...................\........................text............................... ..`.rdata..............................@..@.data....B....... ..................@....rsrc...`....P......................@..@.reloc...Z...`...\..................@..B................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI65C2.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	301184
Entropy (8bit):	6.3403871925680635
Encrypted:	false
SSDEEP:	6144:v4a3qM8iEvSsiyPJ8OGZ0B9tEascMNKxmsCURqgQ:vOM8iaLiAJYutEaNmKxmsxR7Q
MD5:	36885842C1E86AC026470D3931C1FB16
SHA1:	C9264EE7D297D8873651D1B780F2EE40430539C7
SHA-256:	E760209574843BD3879FF1F631C377DF8F4BE0A5E2C6C09FFE60C9E52C9A4308
SHA-512:	C5B831BB08DC9E70E462E6B747FD7BE6200A55E51FF4060BC9C4E8F9C0544206194466F9C1E0C3B5A6963B6AEE5C9E27F4B968A804FAE7339A8334B6F62839C8
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3.?.R.l.R.l.R.l.Ql.R.l..@l.R.l.Gl?R.l.@l.R.l.Wl.R.l.R.l.S.l.Nl.R.l.Vl.R.l..Pl.R.l.*Ul.R.lRich.R.l........................PE..L.....4T...........!.....4...N......4).......P......................................U.....@......................... ...;............p..D........................+......................................@............P..T...d...@....................text...K2.......4.................. ..`.rdata..[....P.......8..............@..@.data....@... ... ..................@....rsrc...D....p.......&..............@..@.reloc...X.......Z...,..............@..B........................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI70B0.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	117376
Entropy (8bit):	6.150451245687014
Encrypted:	false
SSDEEP:	1536:MNwfjahC2EDwJZF83ZAHe4fnt3GiDPvvKH5rIDSdpLd:fWhC2EOF8354RVfKH5rIDSdT
MD5:	DF2F203F4D7B1444F7C2A5BD256735D9
SHA1:	604DCBF7EE612F2E3AF5F78E1F34B45C6B1AE898
SHA-256:	A4C5B94E72D5B8BD288D3C12AFA8FF513565E7043168A5B447D688B0B693FB17
SHA-512:	252DEF110C893F22EF52A152E7E1DB63B2342158DD34FDFC12C96D21600716DA005448E857BF5E5DC295E215017DA53F79A1649D2A3ACA6A6CBDB34A0372E4EA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V.u...&...&...&. W&...&. c&...&. b&U..&..J&...&..Z&...&...&...&. f&...&. R&...&. S&...&. T&...&Rich...&................PE..L.....4T...........!.................Y.......0.......................................@....@.........................Pz..t...ds..P.......P.......................D....1...............................[..@............0..h............................text............................... ..`.rdata...J...0...L..................@..@.data....8...........b..............@....rsrc...P............z..............@..@.reloc...7.......8..................@..B................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI7247.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	360576
Entropy (8bit):	6.403857404373277
Encrypted:	false
SSDEEP:	6144:Vx1TBp0jB90G25pAVyEKfRUAXlKiJGzFKyC4WZALBpiQMPaKNg:Vx1TbeXSAPKfRFjJGzfC48AF9M9Ng
MD5:	ACCC5E05C4009B2A44CADF1D093CD07A
SHA1:	6B9167B1C61F8DCC9D8EE4DC880F1DB90331E89D
SHA-256:	28D23DFCD76F4B50D5E847B1415A4B193C843BF52B2522A8BE83840D77E59D97
SHA-512:	6CFC01B9ABBE4DE4CC3AFE64AEC3BF4ED12F8304CBD6009E39C3301357B26A93AD5A845EEF7DBA184A3BAFF3DC8EBA664F7EF2D2E8B7F8F0B5F70A5EA54B5B51
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x.e.<...<...<...5...%...5.......5...r..."...?...5.../...<.......5.......5...=..."...=...5...=...Rich<...................PE..L.....4T...........!.........p......................................................k.....@.........................@...k...8...x....P..`............n.......`...0..................................(...@...................\........................text............................... ..`.rdata..............................@..@.data....B....... ..................@....rsrc...`....P......................@..@.reloc...Z...`...\..................@..B................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{87D8CFC2-0E35-4BF0-81BC-C5B3D1652F6D}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	2.3209111169389516
Encrypted:	false
SSDEEP:	48:p/4BHUv++wfGT/kd779/DOVAGqEk7BlVSS4xwSW0zvH:p/QJfLl2AXFlF0W0zP
MD5:	5DB1B8637A198C6FDA76BAF42951CA75
SHA1:	0902F802AD1865AA6B3127EAD8EE46430089E65C
SHA-256:	82BDE511A2716562EF522C0B63FA4661439E618A8D6DE21CD5A57CBCFE8777B8
SHA-512:	19337A850497AB0FCE0B868AFE966F221D7B9FA288910D96507FC8FB13F117D2A0C9880C5C8C7B894621DE930695496CB8CCCCA1D8DCC332D2FCA517564E90B1
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.6295217862218376
Encrypted:	false
SSDEEP:	48:98PhZuRc06WX4GFT5Tldi05PlUSkdkAEkrCyjdLg8DF7joHSkdBAEkrCyjd1TT:ghZ12FTPg0zURRCeG8RCk
MD5:	031C76C5E43FE22FFDD196AA580453FC
SHA1:	8A24DD57D311D5972C878DD2D7415EC1ACE626A6
SHA-256:	E9A1101388C90F53A437C98A4082AF762A2355B7830F3DAF35C064027C108E19
SHA-512:	56284636A46D3CB276F4DC230BDFD797DCC2129E3F05D9622549435BE6759E58691A732A51D854CEE0CF2009C574122E9D8338057074165B4299E8C9B0EBB13B
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{87D8CFC2-0E35-4BF0-81BC-C5B3D1652F6D}\SystemFoldermsiexec.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 8 icons, 32x32, 16 colors, 4 bits/pixel, 24x24, 16 colors, 4 bits/pixel
Category:	dropped
Size (bytes):	14534
Entropy (8bit):	5.08612958031438
Encrypted:	false
SSDEEP:	192:gWiXwlNwH5AxLV1th7743rsl0rMeaJ/1Nc6keo0/waIkllDh2syOqniTJ8Q:gWd7wqRGYlEMe6/3NkmIkR2syOqi1X
MD5:	C2649AD15118FD46780D6FCBC38447D0
SHA1:	F32EFACB590F5028A9F5DA7236CC74086A3C87EC
SHA-256:	F0F4D5BF1DE9D2463031520AFF51FEB1E7D432ECEA447534A91CBBD79832AC89
SHA-512:	322EA628ED541713457248341B2CD0A95B6DD3661C9E1E4A22285368872A1B2A89808E272E2A6195B34FD47BD02C33AA893D0C324FBE35E4D65C5E5F401A81AE
Malicious:	false
Preview:	...... ..........................n... ..........V...........................h....... .... ............... ......*........ .h...^4..(... ...@.....................................................................................................................................................................................................................................ww.w............fg.fh...........fg.fg..........x.x.............f....v..........fx...fo.........fo...f..........w....f...........................w..w............wx.w.....................................................................................................................................................................................................................................?...?...?...?...?...?...?...?...?...?...?...?...............................................................?....(.......0........... .....................................................................................................

C:\Windows\Installer\{87D8CFC2-0E35-4BF0-81BC-C5B3D1652F6D}\icon.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 5 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	99678
Entropy (8bit):	3.404971460977392
Encrypted:	false
SSDEEP:	384:s8/CuKGgbJwgmimf1jxdiLqorSYZvCPEm2mmO883:sMQJfzmf1NdiLfJZqPEm2mmS
MD5:	5360D06828E1AC92D77322F97F1AEE32
SHA1:	A2B2ADA4DE79FBFA8DD4EC9A14C78D78E3D24405
SHA-256:	8E952863CE54E4E62E5585253F0368EB3824C5B34D27DED6D60D203BC84A6D3A
SHA-512:	A32EF05C10521C5A3CCA8ABC79A6F77F6076A0720FC86602A52554E4D493A032A4042B259E171324E7AFA2CD3CC07140089E8371793D2DE43DAE7DAD36F86B04
Malicious:	false
Preview:	............ .h...V... .... .........00.... ..%..f...@@.... .(B...;........ .(...6}..(....... ..... .....@..............................................!.........K...............................................m....................................................................B.W.............................................................8.......n.................................=...................8...........x..........}........................................8....................................%......r.................8...............L..........M...........i......#.................8.............................................................f...<...<...<...<..........................H...H...H...H...T..D....n...n...n...n........................P...H...H...H...S..B....n...n...n...m......................./i...H...H...H...R..A....n...n...n...t........{...........]............N....L...Q..?....n.O.................M................................i...~........

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	432221
Entropy (8bit):	5.375168331641753
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauX:zTtbmkExhMJCIpErq
MD5:	40E7D521408933B38F6FF224B877CE37
SHA1:	64396A34BFCF3A2788922CB46E47D10E5D0F2DF9
SHA-256:	53F9AAEF6CEE8B61BAFC6CC37F34830DEF72DCE5A3E8F8A9252BC47F2E69F869
SHA-512:	A007A886E1E3688E115CAD71A893CACAA05960CE61EC826CC7F4C9AD42F67E3C2E14D1EFA95CE39A3BD9B12633ACC0EA26DCC07CC7CF1E49EF4F1CB3B2758694
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF0069EE55F1D0BB5B.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.6295217862218376
Encrypted:	false
SSDEEP:	48:98PhZuRc06WX4GFT5Tldi05PlUSkdkAEkrCyjdLg8DF7joHSkdBAEkrCyjd1TT:ghZ12FTPg0zURRCeG8RCk
MD5:	031C76C5E43FE22FFDD196AA580453FC
SHA1:	8A24DD57D311D5972C878DD2D7415EC1ACE626A6
SHA-256:	E9A1101388C90F53A437C98A4082AF762A2355B7830F3DAF35C064027C108E19
SHA-512:	56284636A46D3CB276F4DC230BDFD797DCC2129E3F05D9622549435BE6759E58691A732A51D854CEE0CF2009C574122E9D8338057074165B4299E8C9B0EBB13B
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF3BD4D7D1E6482870.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF454C9B42DBCEE293.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.6295217862218376
Encrypted:	false
SSDEEP:	48:98PhZuRc06WX4GFT5Tldi05PlUSkdkAEkrCyjdLg8DF7joHSkdBAEkrCyjd1TT:ghZ12FTPg0zURRCeG8RCk
MD5:	031C76C5E43FE22FFDD196AA580453FC
SHA1:	8A24DD57D311D5972C878DD2D7415EC1ACE626A6
SHA-256:	E9A1101388C90F53A437C98A4082AF762A2355B7830F3DAF35C064027C108E19
SHA-512:	56284636A46D3CB276F4DC230BDFD797DCC2129E3F05D9622549435BE6759E58691A732A51D854CEE0CF2009C574122E9D8338057074165B4299E8C9B0EBB13B
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5579851029B889B0.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.16108400551908045
Encrypted:	false
SSDEEP:	48:DETmSkdBAEkrCyjdmSkdkAEkrCyjdLg8DF7jo5lh5Ei5l:DH8RCbRRCeKhl7
MD5:	F1D62D5BB21EDE21CCD5DA3D7BBBAEDB
SHA1:	6AF023F1495674BD2B6E62965B669D5451D9604F
SHA-256:	14777F549015560350277294635C5B27D41E9208B4DE1392270DEC13B217BB85
SHA-512:	B1D76883F187F664BA4AC2632CC579A4D13E264E6A58CE24464F5F83A50752E545328DA05885CD277E0ED391B8A2165DED47C4976CD17E215C78BB5C543D8728
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5C35BE9A740F4393.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.300001454548136
Encrypted:	false
SSDEEP:	48:wMQhuyBthPIFX4HT5mjldi05PlUSkdkAEkrCyjdLg8DF7joHSkdBAEkrCyjd1TT:0h7tIET8Zg0zURRCeG8RCk
MD5:	3E5D4167BCC025EDB154CE9B4FE7A698
SHA1:	6A055543DB47FA2C9F3B4C75CBA6206EDEE6E2AE
SHA-256:	28FDC1EF8A086D2EB374D68D4F25D6B91075AC517438A8DF0042C71004D10D84
SHA-512:	869CC12C62FC1B8D9D0FE1CCC8206CCBC3ECBD5D35A8A5881FBC298AB917B28095296D931ADED6EC336092EEA37E9ACD68BC450AE055C57FD74C62F0F803B7E7
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF85CD5FF8267D805A.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.300001454548136
Encrypted:	false
SSDEEP:	48:wMQhuyBthPIFX4HT5mjldi05PlUSkdkAEkrCyjdLg8DF7joHSkdBAEkrCyjd1TT:0h7tIET8Zg0zURRCeG8RCk
MD5:	3E5D4167BCC025EDB154CE9B4FE7A698
SHA1:	6A055543DB47FA2C9F3B4C75CBA6206EDEE6E2AE
SHA-256:	28FDC1EF8A086D2EB374D68D4F25D6B91075AC517438A8DF0042C71004D10D84
SHA-512:	869CC12C62FC1B8D9D0FE1CCC8206CCBC3ECBD5D35A8A5881FBC298AB917B28095296D931ADED6EC336092EEA37E9ACD68BC450AE055C57FD74C62F0F803B7E7
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF969A2937E765D5E8.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.925969821037474
Encrypted:	false
SSDEEP:	48:/HTaml+wfGT/kd779/DOVAGqEk7BlVSS4xwSW0:fTaCfLl2AXFlF0W0
MD5:	DFF0A8A95C7BD849949DEB555CFACF9D
SHA1:	1358D9B1FD6DC68720C2203E318F2531F8E02457
SHA-256:	52823CBCC10E7BAEB88D7A48216F4E506EDD5FAA931B7285FD55289F06C38F0E
SHA-512:	3C18BB056EADA533FACB7C957D74265DB8D209723E4D67DF8A701BAD9BDDC54014936685B3071C06AB133B5A06BEC1B72B2056AA44B3C571F3AD39C0D6C08358
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF99AE2353FA8378E8.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF9B0768747831CAE4.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.300001454548136
Encrypted:	false
SSDEEP:	48:wMQhuyBthPIFX4HT5mjldi05PlUSkdkAEkrCyjdLg8DF7joHSkdBAEkrCyjd1TT:0h7tIET8Zg0zURRCeG8RCk
MD5:	3E5D4167BCC025EDB154CE9B4FE7A698
SHA1:	6A055543DB47FA2C9F3B4C75CBA6206EDEE6E2AE
SHA-256:	28FDC1EF8A086D2EB374D68D4F25D6B91075AC517438A8DF0042C71004D10D84
SHA-512:	869CC12C62FC1B8D9D0FE1CCC8206CCBC3ECBD5D35A8A5881FBC298AB917B28095296D931ADED6EC336092EEA37E9ACD68BC450AE055C57FD74C62F0F803B7E7
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF9F1F63144348FFA9.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE2BCD8FBFED7B386.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE2E45FC4C4068BE2.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.72631447322548
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	074kFuPFv8.exe
File size:	5'644'176 bytes
MD5:	fc5134ba4711406149556e32d47773aa
SHA1:	24e23d1ce7273410b778a36aaa8191c3abeedf3e
SHA256:	9c1129a7ffa519f670ca67fdec455f2b39a54b00745d06012cccef6e4b5f2ce1
SHA512:	c457b37709914362717b867b88becda3751f2c79ee11a9f6d67a1780308e123a2e2a65ffb5af9431d99f7881a36ae16899d01cfcb8f52a569e3ca69ec78ac965
SSDEEP:	98304:wG7cl1155MF19r71Gw5/91TK1IyHZnVD8jSTzpRcUOeCNx1w8vlXWUlCaHKMDqwK:xuQ3j51RK1IyvlvpcestRKMD4
TLSH:	9746F12277E2C037D52739F08529A27991B97D606A21818F73783B1DBB30993DC39A5F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......j..%...v...v...v'.Tv5..v0.Ev)..v'.Bv...v'.Evx..v'.Rv...v...v...v'.Kv:..v0.Uv/..v'.Pv/..vRich...v........PE..L...V.4T...........

File Icon


Icon Hash:	0d872323a307051e

Static PE Info

General

Entrypoint:	0x4c87ec
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x54340156 [Tue Oct 7 15:05:58 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	08121d2e08520cab5e5c4384900e0af4

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	14/04/2015 20:00:00 14/04/2016 19:59:59
Subject Chain	CN=Secure Software Center, O=Secure Software Center, L=Cheyenne, S=Wyoming, C=US
Version:	3
Thumbprint MD5:	180D137EEA76E3BEF90F55706A3C7CA0
Thumbprint SHA-1:	D8408740573550EE6B33CE7E5CB8755583CF5423
Thumbprint SHA-256:	D419BB2698A617C23532AE37AFE368EF9DA958ED25A77B8A4643BD5432FCE4B4
Serial:	2EB40AF51637CD04F50F9096EE698C62

Entrypoint Preview

Instruction
call 00007FDEF0E92B3Fh
jmp 00007FDEF0E85D6Eh
mov edi, edi
push ebp
mov ebp, esp
push ecx
push ebx
push esi
mov esi, eax
xor ebx, ebx
cmp esi, ebx
jne 00007FDEF0E85F10h
call 00007FDEF0E8AC52h
push 00000016h
pop esi
push ebx
push ebx
push ebx
push ebx
push ebx
mov dword ptr [eax], esi
call 00007FDEF0E834BAh
add esp, 14h
mov eax, esi
jmp 00007FDEF0E85FB7h
push edi
cmp dword ptr [ebp+0Ch], ebx
jnbe 00007FDEF0E85F10h
call 00007FDEF0E8AC2Eh
push 00000016h
pop esi
push ebx
push ebx
push ebx
push ebx
push ebx
mov dword ptr [eax], esi
call 00007FDEF0E83496h
add esp, 14h
mov eax, esi
jmp 00007FDEF0E85F92h
xor eax, eax
cmp dword ptr [ebp+14h], ebx
mov word ptr [esi], ax
setne al
inc eax
cmp dword ptr [ebp+0Ch], eax
jnbe 00007FDEF0E85EFBh
call 00007FDEF0E8ABFFh
push 00000022h
jmp 00007FDEF0E85EC1h
mov eax, dword ptr [ebp+10h]
add eax, FFFFFFFEh
cmp eax, 22h
jnbe 00007FDEF0E85EAFh
mov dword ptr [ebp-04h], ebx
mov ecx, esi
cmp dword ptr [ebp+14h], ebx
je 00007FDEF0E85F05h
neg dword ptr [ebp+08h]
push 0000002Dh
pop eax
mov word ptr [esi], ax
lea ecx, dword ptr [esi+02h]
mov dword ptr [ebp-04h], 00000001h
mov edi, ecx
mov eax, dword ptr [ebp+08h]
xor edx, edx
div dword ptr [ebp+10h]
mov dword ptr [ebp+08h], eax
cmp edx, 09h
jbe 00007FDEF0E85EF7h
add edx, 57h
jmp 00007FDEF0E85EF5h
add edx, 30h
mov eax, dword ptr [ebp-04h]
mov word ptr [ecx], dx
inc ecx
inc ecx
inc eax
xor ebx, ebx
mov dword ptr [ebp-04h], eax
cmp dword ptr [ebp+00h], ebx

Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729
[C++] VS2008 build 21022
[ C ] VS2008 SP1 build 30729
[C++] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[RES] VS2008 build 21022
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x13ce08	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14a000	0x3c55c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x5607a8	0x17e8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x187000	0x10530	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x101870	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x11cd20	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x101000	0x768	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x13c0d4	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xff5d2	0xff600	9db1dfcdcdff708f96b0aa401c287f5c	False	0.5442421530837004	data	6.6088068883312445	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x101000	0x3e65a	0x3e800	0a8e2d5022e80b1b7cd8d523fcbe5c8b	False	0.2891640625	data	4.41500188644796	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x140000	0x9dc8	0x3400	3cd351664389d308a82e9b28fab93376	False	0.3538161057692308	data	4.344082372670926	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x14a000	0x3c55c	0x3c600	aef1f11e595fa74a9c12e717238e03aa	False	0.33644701086956524	data	5.646446798244028	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x187000	0x1824e	0x18400	4ee8054f0d3d7d70df4dd4f06815c053	False	0.3893766108247423	data	5.240741362634274	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
IMAGE_FILE	0x14ab18	0xc928	JPEG image data, JFIF standard 1.02, resolution (DPI), density 300x300, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS3 Windows, datetime=2015:04:15 08:30:49], baseline, precision 8, 495x310, components 3	English	United States	0.6490601211744601
IMAGE_FILE	0x157440	0x4b9e	JPEG image data, JFIF standard 1.02, resolution (DPI), density 300x300, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS3 Windows, datetime=2015:04:15 08:24:05], baseline, precision 8, 495x60, components 3	English	United States	0.5044942659365637
RTF_FILE	0x15bfe0	0x2e9	Rich Text Format data, version 1, ANSI, code page 1252	English	United States	0.5503355704697986
RTF_FILE	0x15c2cc	0xa1	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033	English	United States	0.906832298136646
RT_BITMAP	0x15c370	0x13e	Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 5 important colors	English	United States	0.25471698113207547
RT_BITMAP	0x15c4b0	0x828	Device independent bitmap graphic, 32 x 16 x 32, image size 0	English	United States	0.03017241379310345
RT_BITMAP	0x15ccd8	0x48a8	Device independent bitmap graphic, 290 x 16 x 32, image size 0	English	United States	0.11881720430107527
RT_BITMAP	0x161580	0xa6a	Device independent bitmap graphic, 320 x 16 x 4, image size 2562, resolution 2834 x 2834 px/m	English	United States	0.21680420105026257
RT_BITMAP	0x161fec	0x152	Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 10 important colors	English	United States	0.5295857988165681
RT_BITMAP	0x162140	0x828	Device independent bitmap graphic, 32 x 16 x 32, image size 0	English	United States	0.4875478927203065
RT_ICON	0x162968	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.500886524822695
RT_ICON	0x162dd0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.31308630393996245
RT_ICON	0x163e78	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.2465767634854772
RT_ICON	0x166420	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.17713745866792632
RT_ICON	0x16a648	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.11259316219093812
RT_ICON	0x17ae70	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.7026173285198556
RT_ICON	0x17b718	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States	0.7644009216589862
RT_ICON	0x17bde0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.6047687861271677
RT_ICON	0x17c348	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.4612033195020747
RT_ICON	0x17e8f0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.7181050656660413
RT_ICON	0x17f998	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.780327868852459
RT_ICON	0x180320	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.775709219858156
RT_MENU	0x180788	0x5c	data	English	United States	0.8478260869565217
RT_MENU	0x1807e4	0x2a	data	English	United States	1.0714285714285714
RT_DIALOG	0x180810	0xac	data	English	United States	0.7151162790697675
RT_DIALOG	0x1808bc	0x2a6	data	English	United States	0.5132743362831859
RT_DIALOG	0x180b64	0x3b4	data	English	United States	0.43248945147679324
RT_DIALOG	0x180f18	0xbc	data	English	United States	0.7180851063829787
RT_DIALOG	0x180fd4	0x204	data	English	United States	0.560077519379845
RT_DIALOG	0x1811d8	0x282	data	English	United States	0.48598130841121495
RT_DIALOG	0x18145c	0xcc	data	English	United States	0.6911764705882353
RT_DIALOG	0x181528	0x146	data	English	United States	0.5736196319018405
RT_DIALOG	0x181670	0x226	data	English	United States	0.4690909090909091
RT_DIALOG	0x181898	0x388	data	English	United States	0.45464601769911506
RT_DIALOG	0x181c20	0x1b4	data	English	United States	0.5458715596330275
RT_DIALOG	0x181dd4	0x136	data	English	United States	0.6064516129032258
RT_DIALOG	0x181f0c	0x4c	data	English	United States	0.8289473684210527
RT_STRING	0x181f58	0x45c	data	English	United States	0.3844086021505376
RT_STRING	0x1823b4	0x760	data	English	United States	0.3225635593220339
RT_STRING	0x182b14	0x2f8	data	English	United States	0.4039473684210526
RT_STRING	0x182e0c	0x598	data	English	United States	0.2807262569832402
RT_STRING	0x1833a4	0x3e4	StarOffice Gallery theme i, 1627418368 objects, 1st n	English	United States	0.39558232931726905
RT_STRING	0x183788	0x7a6	data	English	United States	0.2763023493360572
RT_STRING	0x183f30	0x744	data	English	United States	0.26344086021505375
RT_STRING	0x184674	0x7ba	data	English	United States	0.2269969666329626
RT_STRING	0x184e30	0x598	data	English	United States	0.3952513966480447
RT_STRING	0x1853c8	0x82	data	English	United States	0.6307692307692307
RT_STRING	0x18544c	0x226	data	English	United States	0.4709090909090909
RT_STRING	0x185674	0x216	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States	0.46254681647940077
RT_STRING	0x18588c	0x21a	data	English	United States	0.41821561338289964
RT_GROUP_ICON	0x185aa8	0x4c	data	English	United States	0.75
RT_VERSION	0x185af4	0x380	data	English	United States	0.4419642857142857
RT_MANIFEST	0x185e74	0x6e8	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4117647058823529

Imports

DLL	Import
KERNEL32.dll	GlobalUnlock, GetModuleFileNameW, InterlockedIncrement, InterlockedDecrement, CompareStringW, GetDriveTypeW, lstrcmpiW, GetVersionExW, lstrlenW, FreeLibrary, LoadLibraryW, CreateDirectoryW, GetCurrentProcessId, GetExitCodeThread, SetEvent, CreateEventW, GlobalLock, GlobalAlloc, lstrcmpW, GetFileSize, SetStdHandle, WriteConsoleW, WriteConsoleA, GetModuleHandleA, InitializeCriticalSectionAndSpinCount, GetStringTypeA, IsValidLocale, EnumSystemLocalesA, GetUserDefaultLCID, GetConsoleMode, GetConsoleCP, GetTickCount, QueryPerformanceCounter, GetStartupInfoA, SetLastError, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, IsValidCodePage, GetOEMCP, GetACP, HeapCreate, ReadFile, LCMapStringA, GetCPInfo, RtlUnwind, ExitProcess, TlsFree, TlsSetValue, LoadLibraryA, TlsGetValue, GetStartupInfoW, GetSystemTimeAsFileTime, IsDebuggerPresent, UnhandledExceptionFilter, TerminateProcess, HeapSize, HeapReAlloc, HeapDestroy, VirtualAlloc, VirtualFree, IsProcessorFeaturePresent, HeapAlloc, GetProcessHeap, HeapFree, InterlockedCompareExchange, PeekNamedPipe, OpenEventW, SearchPathW, GetLocaleInfoA, GetStringTypeW, ConnectNamedPipe, CreateNamedPipeW, ResetEvent, MoveFileW, TerminateThread, GetSystemDirectoryW, GetLocalTime, OutputDebugStringW, GlobalMemoryStatus, GetVersion, Process32NextW, Process32FirstW, CreateToolhelp32Snapshot, GetWindowsDirectoryW, GetUserDefaultLangID, GetSystemDefaultLangID, GetLocaleInfoW, GlobalFree, GetTempPathW, GetTempPathA, GetSystemTime, GetTempFileNameW, DeleteFileW, GetTempFileNameA, DeleteFileA, FindFirstFileW, RemoveDirectoryW, FindNextFileW, GetLogicalDriveStringsW, GetFileAttributesW, CreateFileA, SetFileAttributesW, WaitForMultipleObjects, GetSystemInfo, InterlockedExchange, WideCharToMultiByte, LoadLibraryExW, MultiByteToWideChar, FindClose, CopyFileW, LCMapStringW, GetDiskFreeSpaceExW, Sleep, GetLastError, GetCurrentThreadId, WaitForSingleObject, MulDiv, lstrcpynW, FindResourceExW, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceLanguagesW, SetEndOfFile, SetCurrentDirectoryW, GetCommandLineW, UnlockFile, LockFile, GetExitCodeProcess, CreateProcessA, CreateProcessW, DuplicateHandle, LeaveCriticalSection, GetModuleFileNameA, FlushFileBuffers, SetFilePointer, GetConsoleOutputCP, GetConsoleScreenBufferInfo, GetStdHandle, SetConsoleTextAttribute, GetFullPathNameW, GetCurrentThread, GetEnvironmentVariableW, InitializeCriticalSection, EnterCriticalSection, DeleteCriticalSection, GetModuleHandleW, GetProcAddress, RaiseException, FlushInstructionCache, GetCurrentProcess, CloseHandle, WriteFile, CreateFileW, GetFileType, TlsAlloc, GetShortPathNameW, LocalAlloc, FormatMessageW, CreateThread, SetUnhandledExceptionFilter, LocalFree
USER32.dll	GetWindow, GetClientRect, GetWindowTextW, GetWindowTextLengthW, FillRect, IsWindow, ShowWindow, GetWindowRect, UnionRect, GetParent, BeginPaint, EndPaint, ScreenToClient, SetWindowPos, GetWindowDC, LookupIconIdFromDirectoryEx, CallWindowProcW, DefWindowProcW, GetWindowLongW, IsWindowVisible, MapWindowPoints, SetWindowLongW, SendMessageW, DrawFrameControl, RegisterWindowMessageW, InvalidateRgn, GetDesktopWindow, GetKeyState, DrawStateW, DrawTextExW, DrawFocusRect, ValidateRect, DestroyMenu, AppendMenuW, CreatePopupMenu, TrackPopupMenu, InflateRect, LoadBitmapW, MessageBeep, CharNextW, GetClassNameW, ReleaseCapture, SetCapture, UpdateWindow, DestroyIcon, GetDlgCtrlID, GetCapture, SetScrollInfo, GetScrollPos, GetClassInfoExW, RegisterClassExW, DrawEdge, SetScrollPos, SetRect, MoveWindow, GetScrollInfo, GetMessagePos, SystemParametersInfoW, GetActiveWindow, TrackMouseEvent, GetAsyncKeyState, DestroyCursor, GetWindowRgn, IsZoomed, SetWindowRgn, GetComboBoxInfo, DestroyAcceleratorTable, CreateAcceleratorTableW, TranslateAcceleratorW, CreateDialogParamW, EndDialog, DialogBoxParamW, InvalidateRect, GetNextDlgTabItem, SetCursor, MonitorFromWindow, GetMonitorInfoW, LoadImageW, IsDialogMessageW, IsChild, PostQuitMessage, PostMessageW, SetForegroundWindow, SetCursorPos, GetCursorPos, PeekMessageW, GetMessageW, TranslateMessage, DispatchMessageW, LoadCursorW, LoadStringW, MessageBoxW, GetFocus, EnableWindow, DestroyWindow, LoadIconW, DialogBoxIndirectParamW, GetForegroundWindow, MsgWaitForMultipleObjects, EnumWindows, GetWindowThreadProcessId, GetPropW, GetSystemMenu, EnableMenuItem, ModifyMenuW, FindWindowW, ExitWindowsEx, GetScrollRange, SetPropW, RemovePropW, LoadMenuW, GetSubMenu, OpenClipboard, CloseClipboard, EmptyClipboard, SetClipboardData, GetIconInfo, SendMessageTimeoutW, UnregisterClassA, DrawTextW, DrawIconEx, GetSystemMetrics, ClientToScreen, OffsetRect, SetRectEmpty, PtInRect, GetSysColorBrush, IntersectRect, IsRectEmpty, SendMessageA, IsWindowEnabled, CopyRect, RedrawWindow, SetFocus, GetSysColor, CreateWindowExW, GetDlgItem, SetWindowTextW, EqualRect, SetTimer, KillTimer, GetDC, ReleaseDC, CreateIconFromResourceEx
GDI32.dll	GetLayout, GetBrushOrgEx, CreateFontIndirectW, CreateSolidBrush, GetRgnBox, EqualRgn, CreatePolygonRgn, CreateRectRgnIndirect, GetStockObject, CreateFontW, SetBkMode, SetTextColor, SetBrushOrgEx, CreatePatternBrush, FillRgn, SelectClipRgn, GetBitmapBits, CreateRectRgn, GetObjectW, GetDeviceCaps, Rectangle, ExcludeClipRect, CreatePen, ExtTextOutW, SetBkColor, BitBlt, SetViewportOrgEx, CreateCompatibleBitmap, CreateCompatibleDC, DeleteObject, SelectObject, DeleteDC, CreateDIBSection, CreateBitmapIndirect, CombineRgn
ADVAPI32.dll	RegOpenKeyW, LookupPrivilegeValueW, LookupAccountSidW, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, SetEntriesInAclW, GetSecurityDescriptorDacl, StartServiceW, QueryServiceStatus, OpenServiceW, RegDeleteValueA, RegQueryValueExA, RegOpenKeyA, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegEnumKeyExW, RegQueryInfoKeyW, RegDeleteKeyW, RegQueryValueExW, RegOpenKeyExW, RegCloseKey, RegSetValueExA, OpenSCManagerW, LockServiceDatabase, UnlockServiceDatabase, CloseServiceHandle, RegOpenKeyExA, RegEnumValueA, AdjustTokenPrivileges, RegCreateKeyW, OpenProcessToken, GetTokenInformation, AllocateAndInitializeSid, EqualSid, FreeSid, GetUserNameW, RegDeleteKeyA, RegCreateKeyA
SHELL32.dll	ShellExecuteW, ShellExecuteExW, SHGetFolderPathW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetMalloc, SHGetFileInfoW, SHGetSpecialFolderLocation
ole32.dll	CoTaskMemRealloc, CoTaskMemFree, CoInitialize, OleInitialize, CLSIDFromString, CLSIDFromProgID, CoGetClassObject, CoCreateInstance, CreateStreamOnHGlobal, OleLockRunning, StringFromGUID2, OleUninitialize, CoUninitialize, CoCreateGuid, CreateILockBytesOnHGlobal, StgCreateDocfileOnILockBytes, CoInitializeEx, CoTaskMemAlloc
OLEAUT32.dll	VarUI4FromStr, VarDateFromStr, OleLoadPicture, SysStringByteLen, SysAllocStringByteLen, SysAllocStringLen, LoadTypeLib, LoadRegTypeLib, SysStringLen, OleCreateFontIndirect, VariantCopy, VariantInit, VariantClear, SysAllocString, SysFreeString
dbghelp.dll	SymGetLineFromAddr, SymSetSearchPath, SymCleanup, SymInitialize, SymSetOptions, SymFunctionTableAccess, StackWalk, SymGetModuleBase
SHLWAPI.dll	PathAddBackslashW, PathIsUNCW, PathIsDirectoryW, PathFileExistsW
COMCTL32.dll	ImageList_Create, PropertySheetW, DestroyPropertySheetPage, InitCommonControlsEx, ImageList_LoadImageW, ImageList_GetIcon, ImageList_AddMasked, ImageList_SetBkColor, _TrackMouseEvent, ImageList_Add, ImageList_ReplaceIcon, ImageList_Destroy, CreatePropertySheetPageW
MSIMG32.dll	TransparentBlt, AlphaBlend
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
NETAPI32.dll	NetUserGetLocalGroups, NetApiBufferFree, NetLocalGroupGetMembers
Secur32.dll	GetUserNameExW
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-30T17:36:14.787474+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49744	52.216.184.133	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 17:36:10.396625042 CET	49738	80	192.168.2.4	149.210.147.77
Oct 30, 2024 17:36:10.402225018 CET	80	49738	149.210.147.77	192.168.2.4
Oct 30, 2024 17:36:10.402302980 CET	49738	80	192.168.2.4	149.210.147.77
Oct 30, 2024 17:36:10.402601004 CET	49738	80	192.168.2.4	149.210.147.77
Oct 30, 2024 17:36:10.408016920 CET	80	49738	149.210.147.77	192.168.2.4
Oct 30, 2024 17:36:10.612953901 CET	49741	80	192.168.2.4	149.210.147.77
Oct 30, 2024 17:36:10.614008904 CET	49742	80	192.168.2.4	149.210.147.77
Oct 30, 2024 17:36:10.618416071 CET	80	49741	149.210.147.77	192.168.2.4
Oct 30, 2024 17:36:10.618499041 CET	49741	80	192.168.2.4	149.210.147.77
Oct 30, 2024 17:36:10.618694067 CET	49741	80	192.168.2.4	149.210.147.77
Oct 30, 2024 17:36:10.619391918 CET	80	49742	149.210.147.77	192.168.2.4
Oct 30, 2024 17:36:10.619471073 CET	49742	80	192.168.2.4	149.210.147.77
Oct 30, 2024 17:36:10.619599104 CET	49742	80	192.168.2.4	149.210.147.77
Oct 30, 2024 17:36:10.624017954 CET	80	49741	149.210.147.77	192.168.2.4
Oct 30, 2024 17:36:10.624906063 CET	80	49742	149.210.147.77	192.168.2.4
Oct 30, 2024 17:36:10.757019997 CET	49738	80	192.168.2.4	149.210.147.77
Oct 30, 2024 17:36:10.762547016 CET	80	49738	149.210.147.77	192.168.2.4
Oct 30, 2024 17:36:10.975332022 CET	49741	80	192.168.2.4	149.210.147.77
Oct 30, 2024 17:36:10.975333929 CET	49742	80	192.168.2.4	149.210.147.77
Oct 30, 2024 17:36:10.980714083 CET	80	49741	149.210.147.77	192.168.2.4
Oct 30, 2024 17:36:10.980837107 CET	80	49742	149.210.147.77	192.168.2.4
Oct 30, 2024 17:36:11.242310047 CET	80	49738	149.210.147.77	192.168.2.4
Oct 30, 2024 17:36:11.365591049 CET	49738	80	192.168.2.4	149.210.147.77
Oct 30, 2024 17:36:11.443293095 CET	80	49742	149.210.147.77	192.168.2.4
Oct 30, 2024 17:36:11.445590973 CET	80	49742	149.210.147.77	192.168.2.4
Oct 30, 2024 17:36:11.445687056 CET	49742	80	192.168.2.4	149.210.147.77
Oct 30, 2024 17:36:11.449906111 CET	49742	80	192.168.2.4	149.210.147.77
Oct 30, 2024 17:36:11.455846071 CET	80	49742	149.210.147.77	192.168.2.4
Oct 30, 2024 17:36:11.455924034 CET	49742	80	192.168.2.4	149.210.147.77
Oct 30, 2024 17:36:11.473993063 CET	80	49741	149.210.147.77	192.168.2.4
Oct 30, 2024 17:36:11.526654005 CET	49741	80	192.168.2.4	149.210.147.77
Oct 30, 2024 17:36:11.532432079 CET	80	49741	149.210.147.77	192.168.2.4
Oct 30, 2024 17:36:11.533953905 CET	49741	80	192.168.2.4	149.210.147.77
Oct 30, 2024 17:36:13.745299101 CET	49744	80	192.168.2.4	52.216.184.133
Oct 30, 2024 17:36:13.765399933 CET	80	49744	52.216.184.133	192.168.2.4
Oct 30, 2024 17:36:13.765505075 CET	49744	80	192.168.2.4	52.216.184.133
Oct 30, 2024 17:36:13.765577078 CET	49744	80	192.168.2.4	52.216.184.133
Oct 30, 2024 17:36:13.788568020 CET	80	49744	52.216.184.133	192.168.2.4
Oct 30, 2024 17:36:14.469935894 CET	80	49744	52.216.184.133	192.168.2.4
Oct 30, 2024 17:36:14.477682114 CET	49744	80	192.168.2.4	52.216.184.133
Oct 30, 2024 17:36:14.494242907 CET	80	49744	52.216.184.133	192.168.2.4
Oct 30, 2024 17:36:14.645659924 CET	80	49744	52.216.184.133	192.168.2.4
Oct 30, 2024 17:36:14.787473917 CET	49744	80	192.168.2.4	52.216.184.133
Oct 30, 2024 17:36:37.697989941 CET	80	49744	52.216.184.133	192.168.2.4
Oct 30, 2024 17:36:37.698071003 CET	49744	80	192.168.2.4	52.216.184.133
Oct 30, 2024 17:37:14.407579899 CET	80	49738	149.210.147.77	192.168.2.4
Oct 30, 2024 17:37:14.409974098 CET	49738	80	192.168.2.4	149.210.147.77
Oct 30, 2024 17:37:14.416482925 CET	80	49738	149.210.147.77	192.168.2.4
Oct 30, 2024 17:37:14.418190002 CET	49738	80	192.168.2.4	149.210.147.77
Oct 30, 2024 17:37:15.132271051 CET	49834	80	192.168.2.4	149.210.147.77
Oct 30, 2024 17:37:15.138443947 CET	80	49834	149.210.147.77	192.168.2.4
Oct 30, 2024 17:37:15.138566017 CET	49834	80	192.168.2.4	149.210.147.77
Oct 30, 2024 17:37:15.139311075 CET	49834	80	192.168.2.4	149.210.147.77
Oct 30, 2024 17:37:15.144982100 CET	80	49834	149.210.147.77	192.168.2.4
Oct 30, 2024 17:37:15.484932899 CET	49834	80	192.168.2.4	149.210.147.77
Oct 30, 2024 17:37:15.490488052 CET	80	49834	149.210.147.77	192.168.2.4
Oct 30, 2024 17:37:15.970360041 CET	80	49834	149.210.147.77	192.168.2.4
Oct 30, 2024 17:37:15.971719027 CET	80	49834	149.210.147.77	192.168.2.4
Oct 30, 2024 17:37:15.971863031 CET	49834	80	192.168.2.4	149.210.147.77
Oct 30, 2024 17:37:15.972080946 CET	49834	80	192.168.2.4	149.210.147.77
Oct 30, 2024 17:37:15.977814913 CET	80	49834	149.210.147.77	192.168.2.4
Oct 30, 2024 17:37:15.977937937 CET	49834	80	192.168.2.4	149.210.147.77
Oct 30, 2024 17:37:54.688267946 CET	49744	80	192.168.2.4	52.216.184.133
Oct 30, 2024 17:37:55.016005993 CET	49744	80	192.168.2.4	52.216.184.133
Oct 30, 2024 17:37:55.625387907 CET	49744	80	192.168.2.4	52.216.184.133
Oct 30, 2024 17:37:56.911334991 CET	49744	80	192.168.2.4	52.216.184.133
Oct 30, 2024 17:37:59.371844053 CET	49744	80	192.168.2.4	52.216.184.133
Oct 30, 2024 17:38:04.312897921 CET	49744	80	192.168.2.4	52.216.184.133
Oct 30, 2024 17:38:13.922274113 CET	49744	80	192.168.2.4	52.216.184.133

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 30, 2024 17:36:10.319961071 CET	54615	53	192.168.2.4	1.1.1.1
Oct 30, 2024 17:36:10.347660065 CET	53	54615	1.1.1.1	192.168.2.4
Oct 30, 2024 17:36:13.698694944 CET	57699	53	192.168.2.4	1.1.1.1
Oct 30, 2024 17:36:13.742994070 CET	53	57699	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 30, 2024 17:36:10.319961071 CET	192.168.2.4	1.1.1.1	0x95be	Standard query (0)	label.shieldapps.biz	A (IP address)	IN (0x0001)	false
Oct 30, 2024 17:36:13.698694944 CET	192.168.2.4	1.1.1.1	0x938c	Standard query (0)	s3.amazonaws.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 30, 2024 17:36:10.347660065 CET	1.1.1.1	192.168.2.4	0x95be	No error (0)	label.shieldapps.biz	149.210.147.77	A (IP address)	IN (0x0001)	false
Oct 30, 2024 17:36:13.742994070 CET	1.1.1.1	192.168.2.4	0x938c	No error (0)	s3.amazonaws.com	52.216.184.133	A (IP address)	IN (0x0001)	false
Oct 30, 2024 17:36:13.742994070 CET	1.1.1.1	192.168.2.4	0x938c	No error (0)	s3.amazonaws.com	16.182.72.16	A (IP address)	IN (0x0001)	false
Oct 30, 2024 17:36:13.742994070 CET	1.1.1.1	192.168.2.4	0x938c	No error (0)	s3.amazonaws.com	3.5.16.219	A (IP address)	IN (0x0001)	false
Oct 30, 2024 17:36:13.742994070 CET	1.1.1.1	192.168.2.4	0x938c	No error (0)	s3.amazonaws.com	52.217.201.208	A (IP address)	IN (0x0001)	false
Oct 30, 2024 17:36:13.742994070 CET	1.1.1.1	192.168.2.4	0x938c	No error (0)	s3.amazonaws.com	16.15.176.47	A (IP address)	IN (0x0001)	false
Oct 30, 2024 17:36:13.742994070 CET	1.1.1.1	192.168.2.4	0x938c	No error (0)	s3.amazonaws.com	54.231.161.176	A (IP address)	IN (0x0001)	false
Oct 30, 2024 17:36:13.742994070 CET	1.1.1.1	192.168.2.4	0x938c	No error (0)	s3.amazonaws.com	54.231.137.64	A (IP address)	IN (0x0001)	false
Oct 30, 2024 17:36:13.742994070 CET	1.1.1.1	192.168.2.4	0x938c	No error (0)	s3.amazonaws.com	16.15.176.207	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

label.shieldapps.biz

s3.amazonaws.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49738	149.210.147.77	80	7344	C:\Program Files (x86)\CPU Guardian\InstAct.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 17:36:10.402601004 CET	178	OUT	POST /callback/bo.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: label.shieldapps.biz Content-Length: 309 Expect: 100-continue Connection: Keep-Alive
Oct 30, 2024 17:36:10.757019997 CET	309	OUT	Data Raw: 6c 61 62 65 6c 69 64 3d 35 31 31 26 69 6e 73 74 61 6c 6c 73 74 61 74 73 3d 31 26 6d 61 63 3d 45 43 46 34 42 42 45 41 31 35 38 38 26 69 73 6f 6c 61 6e 67 3d 65 6e 2d 43 48 26 69 73 69 6e 73 74 61 6c 6c 3d 31 26 6c 61 6e 67 73 74 72 3d 45 6e 67 6c Data Ascii: labelid=511&installstats=1&mac=ECF4BBEA1588&isolang=en-CH&isinstall=1&langstr=English (United Kingdom)&appver=2.6.1.0&machineid=02D2C6B774_del_VLM74VNU5GZDRY7UCCOK20221121000000.000000+0004G7FL_del_U5ZGUOHO SCSI Disk Device(Standard disk drive
Oct 30, 2024 17:36:11.242310047 CET	25	IN	HTTP/1.1 100 Continue
Oct 30, 2024 17:37:14.407579899 CET	210	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 16:36:11 GMT Server: Apache/2.2.22 (Debian) X-Powered-By: PHP/5.4.45-0+deb7u14 Vary: Accept-Encoding Content-Length: 0 Connection: close Content-Type: text/html

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49741	149.210.147.77	80	7352	C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 17:36:10.618694067 CET	178	OUT	POST /callback/bo.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: label.shieldapps.biz Content-Length: 453 Expect: 100-continue Connection: Keep-Alive
Oct 30, 2024 17:36:10.975332022 CET	453	OUT	Data Raw: 73 74 61 72 74 75 70 73 74 61 74 73 3d 31 26 6b 65 79 3d 75 6e 6b 6e 6f 77 6e 26 72 65 67 68 61 73 68 3d 75 6e 6b 6e 6f 77 6e 26 67 65 6e 68 61 73 68 3d 32 34 31 32 31 37 31 39 31 34 35 31 38 32 31 31 32 32 31 34 32 34 37 32 32 37 33 37 31 31 34 Data Ascii: startupstats=1&key=unknown&reghash=unknown&genhash=24121719145182112214247227371141711511624221218561452619335158&mac=ECF4BBEA1588&language=en&encoding=Western European (Windows)&labelid=511&osver=Microsoft Windows NT 6.2.9200.0&sixfour=1&appv
Oct 30, 2024 17:36:11.473993063 CET	235	IN	HTTP/1.1 100 Continue Data Raw: 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 44 61 74 65 3a 20 57 65 64 2c 20 33 30 20 4f 63 74 20 32 30 32 34 20 31 36 3a 33 36 3a 31 31 20 47 4d 54 0d 0a 53 65 72 76 65 72 3a 20 41 70 61 63 68 65 2f 32 2e 32 2e 32 32 20 28 44 65 62 69 61 6e 29 0d 0a 58 2d 50 6f 77 65 72 65 64 2d 42 79 3a 20 50 48 50 2f 35 2e 34 2e 34 35 2d 30 2b 64 65 62 37 75 31 34 0d 0a 56 61 72 79 3a 20 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d 0a 0d 0a Data Ascii: HTTP/1.1 200 OKDate: Wed, 30 Oct 2024 16:36:11 GMTServer: Apache/2.2.22 (Debian)X-Powered-By: PHP/5.4.45-0+deb7u14Vary: Accept-EncodingContent-Length: 0Connection: closeContent-Type: text/html

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49742	149.210.147.77	80	7352	C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 17:36:10.619599104 CET	177	OUT	POST /callback/bo.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: label.shieldapps.biz Content-Length: 58 Expect: 100-continue Connection: Keep-Alive
Oct 30, 2024 17:36:10.975333929 CET	58	OUT	Data Raw: 61 6c 6c 3d 31 26 6e 65 77 64 65 73 69 67 6e 3d 31 26 6c 61 62 65 6c 69 64 3d 35 31 31 26 6d 61 72 6b 31 3d 31 26 6d 61 72 6b 32 3d 30 26 6c 61 6e 67 3d 65 6e 26 6b 65 79 3d Data Ascii: all=1&newdesign=1&labelid=511&mark1=1&mark2=0&lang=en&key=
Oct 30, 2024 17:36:11.443293095 CET	25	IN	HTTP/1.1 100 Continue
Oct 30, 2024 17:36:11.445590973 CET	587	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 16:36:11 GMT Server: Apache/2.2.22 (Debian) X-Powered-By: PHP/5.4.45-0+deb7u14 Vary: Accept-Encoding Content-Length: 375 Connection: close Content-Type: text/html Data Raw: 68 74 74 70 73 3a 2f 2f 73 61 66 65 63 61 72 74 2e 63 6f 6d 2f 63 70 75 67 75 61 72 64 69 61 6e 2f 2e 63 70 75 2d 67 75 61 72 64 69 61 6e 2d 33 35 5f 5f 64 65 6c 5f 5f 5f 5f 64 65 6c 5f 5f 5f 5f 64 65 6c 5f 5f 5f 5f 64 65 6c 5f 5f 5f 5f 64 65 6c 5f 5f 5f 5f 64 65 6c 5f 5f 5f 5f 64 65 6c 5f 5f 5f 5f 64 65 6c 5f 5f 5f 5f 64 65 6c 5f 5f 5f 5f 64 65 6c 5f 5f 5f 5f 64 65 6c 5f 5f 5f 5f 64 65 6c 5f 5f 31 35 3a 30 30 3a 30 30 5f 5f 64 65 6c 5f 5f 30 5f 5f 64 65 6c 5f 5f 5f 5f 64 65 6c 5f 5f 30 5f 5f 64 65 6c 5f 5f 68 74 74 70 3a 2f 2f 73 33 2e 61 6d 61 7a 6f 6e 61 77 73 2e 63 6f 6d 2f 67 75 61 72 64 69 61 6e 2d 63 64 6e 2f 74 69 70 2e 6a 70 67 5f 5f 64 65 6c 5f 5f 5f 5f 64 65 6c 5f 5f 68 74 74 70 3a 2f 2f 73 33 2e 61 6d 61 7a 6f 6e 61 77 73 2e 63 6f 6d 2f 67 75 61 72 64 69 61 6e 2d 63 64 6e 2f 74 69 70 2e 6a 70 67 5f 5f 64 65 6c 5f 5f 5f 5f 64 65 6c 5f 5f 68 74 74 70 3a 2f 2f 73 33 2e 61 6d 61 7a 6f 6e 61 77 73 2e 63 6f 6d 2f 67 75 61 72 64 69 61 6e 2d 63 64 6e 2f 74 69 70 32 2e 6a 70 67 5f 5f 64 65 6c 5f [TRUNCATED] Data Ascii: https://safecart.com/cpuguardian/.cpu-guardian-35__del____del____del____del____del____del____del____del____del____del____del____del__15:00:00__del__0__del____del__0__del__http://s3.amazonaws.com/guardian-cdn/tip.jpg__del____del__http://s3.amazonaws.com/guardian-cdn/tip.jpg__del____del__http://s3.amazonaws.com/guardian-cdn/tip2.jpg__del____del__09 77 55 47 31__del__NOEXPIRE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49744	52.216.184.133	80	7352	C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 17:36:13.765577078 CET	86	OUT	GET /guardian-cdn/tip.jpg HTTP/1.1 Host: s3.amazonaws.com Connection: Keep-Alive
Oct 30, 2024 17:36:14.469935894 CET	580	IN	HTTP/1.1 404 Not Found x-amz-request-id: NH12YT2K0FJB4JNS x-amz-id-2: 9tEegas5ryN5neUcZxprdjrtqVjnSTYYAo0EcWe0XChiINV7UvBJOQXCK07MbSLvOEQowGdMwBg= Content-Type: application/xml Transfer-Encoding: chunked Date: Wed, 30 Oct 2024 16:36:14 GMT Server: AmazonS3 Data Raw: 31 32 65 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 3c 4d 65 73 73 61 67 65 3e 54 68 65 20 73 70 65 63 69 66 69 65 64 20 62 75 63 6b 65 74 20 64 6f 65 73 20 6e 6f 74 20 65 78 69 73 74 3c 2f 4d 65 73 73 61 67 65 3e 3c 42 75 63 6b 65 74 4e 61 6d 65 3e 67 75 61 72 64 69 61 6e 2d 63 64 6e 3c 2f 42 75 63 6b 65 74 4e 61 6d 65 3e 3c 52 65 71 75 65 73 74 49 64 3e 4e 48 31 32 59 54 32 4b 30 46 4a 42 34 4a 4e 53 3c 2f 52 65 71 75 65 73 74 49 64 3e 3c 48 6f 73 74 49 64 3e 39 74 45 65 67 61 73 35 72 79 4e 35 6e 65 55 63 5a 78 70 72 64 6a 72 74 71 56 6a 6e 53 54 59 59 41 6f 30 45 63 57 65 30 58 43 68 69 49 4e 56 37 55 76 42 4a 4f 51 58 43 4b 30 37 4d 62 53 4c 76 4f 45 51 6f 77 47 64 4d 77 42 67 3d 3c 2f 48 6f 73 74 49 64 3e 3c 2f 45 72 72 6f 72 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 12e<?xml version="1.0" encoding="UTF-8"?><Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message><BucketName>guardian-cdn</BucketName><RequestId>NH12YT2K0FJB4JNS</RequestId><HostId>9tEegas5ryN5neUcZxprdjrtqVjnSTYYAo0EcWe0XChiINV7UvBJOQXCK07MbSLvOEQowGdMwBg=</HostId></Error>0
Oct 30, 2024 17:36:14.477682114 CET	63	OUT	GET /guardian-cdn/tip2.jpg HTTP/1.1 Host: s3.amazonaws.com
Oct 30, 2024 17:36:14.645659924 CET	580	IN	HTTP/1.1 404 Not Found x-amz-request-id: NH1D185GCN6C5GWC x-amz-id-2: F38DHJNfP00qdRYtSArS6Gw43PBctKx80kqfDY7dOLp7Gn64hVIn7vCUq+NPVwH6UruOfW0DUmY= Content-Type: application/xml Transfer-Encoding: chunked Date: Wed, 30 Oct 2024 16:36:14 GMT Server: AmazonS3 Data Raw: 31 32 65 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 3c 43 6f 64 65 3e 4e 6f 53 75 63 68 42 75 63 6b 65 74 3c 2f 43 6f 64 65 3e 3c 4d 65 73 73 61 67 65 3e 54 68 65 20 73 70 65 63 69 66 69 65 64 20 62 75 63 6b 65 74 20 64 6f 65 73 20 6e 6f 74 20 65 78 69 73 74 3c 2f 4d 65 73 73 61 67 65 3e 3c 42 75 63 6b 65 74 4e 61 6d 65 3e 67 75 61 72 64 69 61 6e 2d 63 64 6e 3c 2f 42 75 63 6b 65 74 4e 61 6d 65 3e 3c 52 65 71 75 65 73 74 49 64 3e 4e 48 31 44 31 38 35 47 43 4e 36 43 35 47 57 43 3c 2f 52 65 71 75 65 73 74 49 64 3e 3c 48 6f 73 74 49 64 3e 46 33 38 44 48 4a 4e 66 50 30 30 71 64 52 59 74 53 41 72 53 36 47 77 34 33 50 42 63 74 4b 78 38 30 6b 71 66 44 59 37 64 4f 4c 70 37 47 6e 36 34 68 56 49 6e 37 76 43 55 71 2b 4e 50 56 77 48 36 55 72 75 4f 66 57 30 44 55 6d 59 3d 3c 2f 48 6f 73 74 49 64 3e 3c 2f 45 72 72 6f 72 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 12e<?xml version="1.0" encoding="UTF-8"?><Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message><BucketName>guardian-cdn</BucketName><RequestId>NH1D185GCN6C5GWC</RequestId><HostId>F38DHJNfP00qdRYtSArS6Gw43PBctKx80kqfDY7dOLp7Gn64hVIn7vCUq+NPVwH6UruOfW0DUmY=</HostId></Error>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49834	149.210.147.77	80	2088	C:\Program Files (x86)\CPU Guardian\InstAct.exe

Timestamp	Bytes transferred	Direction	Data
Oct 30, 2024 17:37:15.139311075 CET	177	OUT	POST /callback/bo.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: label.shieldapps.biz Content-Length: 29 Expect: 100-continue Connection: Keep-Alive
Oct 30, 2024 17:37:15.484932899 CET	29	OUT	Data Raw: 69 6e 73 74 61 6c 6c 3d 31 26 6c 61 62 65 6c 69 64 3d 35 31 31 26 6c 61 6e 67 3d 65 6e Data Ascii: install=1&labelid=511&lang=en
Oct 30, 2024 17:37:15.970360041 CET	25	IN	HTTP/1.1 100 Continue
Oct 30, 2024 17:37:15.971719027 CET	210	IN	HTTP/1.1 200 OK Date: Wed, 30 Oct 2024 16:37:15 GMT Server: Apache/2.2.22 (Debian) X-Powered-By: PHP/5.4.45-0+deb7u14 Vary: Accept-Encoding Content-Length: 0 Connection: close Content-Type: text/html

Target ID:	0
Start time:	12:36:00
Start date:	30/10/2024
Path:	C:\Users\user\Desktop\074kFuPFv8.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\074kFuPFv8.exe"
Imagebase:	0x230000
File size:	5'644'176 bytes
MD5 hash:	FC5134BA4711406149556E32D47773AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:36:00
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\CPUGuardian.msi" /qn AI_SETUPEXEPATH=C:\Users\user\Desktop\074kFuPFv8.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
Imagebase:	0x4a0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:36:01
Start date:	30/10/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff768740000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	12:36:01
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 6861D10B1BBFC1725672A78A114343A0
Imagebase:	0x4a0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:36:02
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 51546B5E421AAA8415620B734ACBBF40 E Global\MSI0000
Imagebase:	0x4a0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:36:02
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/C "C:\Users\user\AppData\Local\Temp\{C7F8B9FC-A653-4074-A59A-3A17D9B805FE}.bat"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:36:02
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:36:02
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/C "C:\Users\user\AppData\Local\Temp\{C7F8B9FC-A653-4074-A59A-3A17D9B805FE}.bat"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 8056, Parent PID: 8048

General

Target ID:	8
Start time:	12:36:02
Start date:	30/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:36:06
Start date:	30/10/2024
Path:	C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe" true
Imagebase:	0x270000
File size:	5'139'432 bytes
MD5 hash:	E6401E23BAC056176D4A2497DA0F9767
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 33%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	12:36:06
Start date:	30/10/2024
Path:	C:\Program Files (x86)\CPU Guardian\InstAct.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\CPU Guardian\InstAct.exe" install 1 0
Imagebase:	0xab0000
File size:	16'360 bytes
MD5 hash:	B0586EE5DB1B3B171D28F48AF4B5F4CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 17%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:36:11
Start date:	30/10/2024
Path:	C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe" true
Imagebase:	0xf40000
File size:	5'139'432 bytes
MD5 hash:	E6401E23BAC056176D4A2497DA0F9767
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	12:37:13
Start date:	30/10/2024
Path:	C:\Program Files (x86)\CPU Guardian\InstAct.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\CPU Guardian\InstAct.exe" installurl
Imagebase:	0xb70000
File size:	16'360 bytes
MD5 hash:	B0586EE5DB1B3B171D28F48AF4B5F4CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	46

Executed Functions

Function 002BFF6F Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 115
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?,00335CA4,?), ref: 002BFF97
FindWindowW.USER32(SAGEWINDOWCLASS,SYSTEM AGENT COM WINDOW), ref: 002BFFB1
_memset.LIBCMT ref: 002BFFCD
SearchPathW.KERNEL32(00000000,mstask.exe,00000000,00000104,?,?), ref: 002BFFEF
GetLastError.KERNEL32 ref: 002BFFF9
OpenSCManagerW.SECHOST(00000000,00000000,00000001), ref: 002C0040
OpenServiceW.ADVAPI32(00000000,Schedule,00000014,00000000), ref: 002C0055
CloseServiceHandle.ADVAPI32(00000000), ref: 002C0064
QueryServiceStatus.ADVAPI32(00000000,?), ref: 002C006F
StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 002C0082
CloseServiceHandle.ADVAPI32(00000000), ref: 002C008D
GetLastError.KERNEL32 ref: 002C008F

Strings

SYSTEM AGENT COM WINDOW, xrefs: 002BFFA7
Schedule, xrefs: 002C004F
mstask.exe, xrefs: 002BFFE6
SAGEWINDOWCLASS, xrefs: 002BFFAC

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Service$CloseErrorHandleLastOpen$FindManagerPathQuerySearchStartStatusVersionWindow_memset
String ID: SAGEWINDOWCLASS$SYSTEM AGENT COM WINDOW$Schedule$mstask.exe
API String ID: 944598716-610972839
Opcode ID: f96c70fdbe38596442ab12de1b4bfa598f43b06dd8637d7035ce17ec274e61a9
Instruction ID: 4ccb104c3ac74bcbbddd49924725e7b47ac804bf0a16105825e0fe500efe919c
Opcode Fuzzy Hash: f96c70fdbe38596442ab12de1b4bfa598f43b06dd8637d7035ce17ec274e61a9
Instruction Fuzzy Hash: 64318F71A10259EBDB329FB5AC88FEF7BBCEB85B41F040529F506E2050EB749548CB60

Function 002ABAD2 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 112
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000008,Lx*,00000000,?,?,?,?,?,002A784C,00000000,?,?,?,00000029), ref: 002ABAF3
OpenProcessToken.ADVAPI32(00000000,?,?,?,002A784C,00000000,?,?,?,00000029), ref: 002ABAFA
GetLastError.KERNEL32(?,?,?,002A784C,00000000,?,?,?,00000029), ref: 002ABB04
GetTokenInformation.KERNELBASE(Lx*,00000001(TokenIntegrityLevel),00000000,00000000,?,?,?,?,002A784C,00000000,?,?,?,00000029), ref: 002ABB26
GetLastError.KERNEL32(?,?,?,002A784C,00000000,?,?,?,00000029), ref: 002ABB32
GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),?,?,?,?,?,?,?,?,002A784C,00000000,?,?,?,00000029), ref: 002ABB58
AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,002A784C,00000000), ref: 002ABB8E
EqualSid.ADVAPI32(?,?,?,?,?,002A784C,00000000,?,?,?,00000029), ref: 002ABBA0
FreeSid.ADVAPI32(?,?,?,?,002A784C,00000000,?,?,?,00000029), ref: 002ABBB2
CloseHandle.KERNELBASE(?,?,?,?,002A784C,00000000,?,?,?,00000029), ref: 002ABBC9
CloseHandle.KERNEL32(?,?,?,?,002A784C,00000000,?,?,?,00000029), ref: 002ABBE6

Strings

Lx*, xrefs: 002ABAE5, 002ABB1D, 002ABBE3, 002ABAE8

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Token$CloseErrorHandleInformationLastProcess$AllocateCurrentEqualFreeInitializeOpen
String ID: Lx*
API String ID: 2194704513-3130824606
Opcode ID: 44d627550bc8a3f09a41e1a0397ee00d364ae7c781029421988a206184aa96ac
Instruction ID: dcf74487187debf252de50c2cd337c387523576b6557c1a6cb032f4cd19e5785
Opcode Fuzzy Hash: 44d627550bc8a3f09a41e1a0397ee00d364ae7c781029421988a206184aa96ac
Instruction Fuzzy Hash: F631773591024EAFCF129FA1CC89AFEBFB9FF49704F00045AE600A2161DB794995DBA0

Function 0027DC66 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 237
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_catch.LIBCMT ref: 0027DC88

Part of subcall function 00293880: SetUnhandledExceptionFilter.KERNEL32(Function_00064290,00000128), ref: 0029389B

Part of subcall function 0027C2A3: __EH_prolog3.LIBCMT ref: 0027C2AA

CoInitializeEx.COMBASE(00000000,00000002,00000128), ref: 0027DCAE
DefWindowProcW.USER32(00000000,00000000,00000000,00000000), ref: 0027DCCF
InitCommonControlsEx.COMCTL32(00000008), ref: 0027DCE7
LoadLibraryW.KERNELBASE(RICHED20.DLL), ref: 0027DCF2

Part of subcall function 0027EB6B: __EH_prolog3_catch.LIBCMT ref: 0027EB72
Part of subcall function 0027EB6B: GetCurrentThreadId.KERNEL32 ref: 0027EB9D

Part of subcall function 00233634: __EH_prolog3.LIBCMT ref: 0023363B

FreeLibrary.KERNEL32(?,?,?,?,00000001,00000000,?,?,?,00000000,00000F04,?,?), ref: 0027DE02
CoUninitialize.OLE32 ref: 0027DE15
FreeLibrary.KERNELBASE(?,?,?,00000000,?,?,?,00000001,00000000,?,?,?,00000000,00000F04,?,?), ref: 0027DF97
CoUninitialize.COMBASE ref: 0027DFAA

Strings

RICHED20.DLL, xrefs: 0027DCED

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Library$FreeH_prolog3H_prolog3_catchUninitialize$CommonControlsCurrentExceptionFilterInitInitializeLoadProcThreadUnhandledWindow
String ID: RICHED20.DLL
API String ID: 2919774176-992299850
Opcode ID: b94722c4145d7666485bcffe6716e3fca960949cf2205924dcc5aa63294a400c
Instruction ID: cf1cc7082e3b1fb4c0de6c2eb2fc9414594a7cf39e6c9708a1445f0bc64b25b2
Opcode Fuzzy Hash: b94722c4145d7666485bcffe6716e3fca960949cf2205924dcc5aa63294a400c
Instruction Fuzzy Hash: 06A1E47181128CEBCF22EFA4CD45BDDBBB8AF19304F148099E549BB142CB745B19CB61

Function 002A9090 Relevance: 15.6, APIs: 10, Instructions: 566
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00233634: __EH_prolog3.LIBCMT ref: 0023363B

__recalloc.LIBCMT ref: 002A9228

Part of subcall function 002335DE: __EH_prolog3.LIBCMT ref: 002335E5

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$__recalloc
String ID:
API String ID: 1900422986-0
Opcode ID: fd78a597599627fa9e4dc1e2bd828cd6b41123549577b17428ed4d2b73bafd7b
Instruction ID: c7595d51bff45c096d5009ab00c9ec66686f6f7a7f4f5f62534a489a6b8a5f3e
Opcode Fuzzy Hash: fd78a597599627fa9e4dc1e2bd828cd6b41123549577b17428ed4d2b73bafd7b
Instruction Fuzzy Hash: CF2238715283419FC710EF29C881A9EF7E4BF89700F44492EF59597261DB70EA69CF42

Function 002DA642 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 315
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002DA14F: __EH_prolog3.LIBCMT ref: 002DA156

Part of subcall function 002DB575: __EH_prolog3_GS.LIBCMT ref: 002DB57C

Part of subcall function 002DD77B: __EH_prolog3.LIBCMT ref: 002DD782

Part of subcall function 00233634: __EH_prolog3.LIBCMT ref: 0023363B

_wcslen.LIBCMT ref: 002DA73F

Part of subcall function 0024258A: __EH_prolog3.LIBCMT ref: 00242591

Strings

Property, xrefs: 002DAA1A, 002DAA1F, 002DAA34
B4, xrefs: 002DA971
ALLUSERS, xrefs: 002DA93B, 002DA9EB
CLIENTPROCESSID, xrefs: 002DA818
Value, xrefs: 002DAA04
LIMITUI, xrefs: 002DA8EC

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$H_prolog3__wcslen
String ID: B4$ALLUSERS$CLIENTPROCESSID$LIMITUI$Property$Value
API String ID: 1263074910-3200270137
Opcode ID: 9594987a9474058625fce2a858112d5a9bd18dc693505d6efd71d22f873cb20c
Instruction ID: 69516955ca69b7b4e776053f89d855ad6c02bef3988397465b0fa72ebda48569
Opcode Fuzzy Hash: 9594987a9474058625fce2a858112d5a9bd18dc693505d6efd71d22f873cb20c
Instruction Fuzzy Hash: 9FC19371429380DBD721EF24CC95FDBB7A8BF41314F04066DF9899B292DB709918CB62

Function 002F2E50 Relevance: 10.6, APIs: 7, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0000000D,00000000,00233692,00000000,00000000,0034F82C,?,0023360F,80004005,00235A87,00000000,002BE292,?,?,00000000), ref: 002F2DD1
HeapAlloc.KERNEL32(00000000,?,0023360F,80004005,00235A87,00000000,002BE292,?,?,00000000,?,?,?,?,002BE220), ref: 002F2DD8

Part of subcall function 002F2CE9: IsProcessorFeaturePresent.KERNEL32(0000000C,002F2DBF,00000000,00233692,00000000,00000000,0034F82C,?,0023360F,80004005,00235A87,00000000,002BE292,?,?,00000000), ref: 002F2CEB

RtlInterlockedPopEntrySList.NTDLL(00F84B18), ref: 002F2DE5
VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000040,?,0023360F,80004005,00235A87,00000000,002BE292,?,?,00000000,?), ref: 002F2DFA
RtlInterlockedPopEntrySList.NTDLL(?), ref: 002F2E13
VirtualFree.KERNEL32(00000000,00000000,00008000,?,0023360F,80004005,00235A87,00000000,002BE292,?,?,00000000,?), ref: 002F2E27
RtlInterlockedPushEntrySList.NTDLL(00000000), ref: 002F2E3E

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: EntryInterlockedList$AllocHeapVirtual$FeatureFreePresentProcessProcessorPush
String ID:
API String ID: 2304957937-0
Opcode ID: 71d1ad8f1483b8ab682ca243a95a26742abb241eef31bd170101796868e0d1ab
Instruction ID: 84cc3534e98cfaa303148bb0f35c521e531cc73dbfec8275ff7de80d7519530e
Opcode Fuzzy Hash: 71d1ad8f1483b8ab682ca243a95a26742abb241eef31bd170101796868e0d1ab
Instruction Fuzzy Hash: C601D631215267E7D7335B24FD08B7BB61DAB86B81F250830FB04D62A1CB60DC559661

Function 002ACFAA Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00233634: __EH_prolog3.LIBCMT ref: 0023363B

Part of subcall function 0024D307: __EH_prolog3.LIBCMT ref: 0024D30E

Part of subcall function 002AD1CC: FindFirstFileW.KERNELBASE(00000000,?,00000000,?,?,?,00000001), ref: 002AD20C
Part of subcall function 002AD1CC: FindClose.KERNELBASE(00000000), ref: 002AD281

FindFirstFileW.KERNEL32(00000000,?,?,0033DAA0,?,00000000,?,00000000,?,?,00000000,00000000,00000001), ref: 002AD0B6
FindNextFileW.KERNEL32(?,?,?,00000000,?,?,00000000,00000000,00000001), ref: 002AD0D5
FindNextFileW.KERNEL32(000000FF,?,?,00000000,?,?,00000000,00000000,00000001), ref: 002AD14A
FindClose.KERNEL32(00000000,?,00000000,?,?,00000000,00000000,00000001), ref: 002AD160

Part of subcall function 00297260: __recalloc.LIBCMT ref: 0029729E

Part of subcall function 002335DE: __EH_prolog3.LIBCMT ref: 002335E5

FindClose.KERNEL32(000000FF,?,?,?,00000000,?,?,00000000,00000000,00000001), ref: 002AD18E

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Find$File$CloseH_prolog3$FirstNext$__recalloc
String ID:
API String ID: 1388204262-0
Opcode ID: 9b8c957018842b255648d711ea8a10e7954a784c0a294192ce2c8b1452d35429
Instruction ID: 343d0dd23196fa2487a046c5245f215d8512f173ce820d6299be41804cc73daf
Opcode Fuzzy Hash: 9b8c957018842b255648d711ea8a10e7954a784c0a294192ce2c8b1452d35429
Instruction Fuzzy Hash: 8151EA7192512D9BCF25EF60DC89AEEB378AF05300F5041E6B50AA3161DE31AF95CF50

Function 002BC8F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57filepipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeW.KERNELBASE(?,00000003,00000006,000000FF,00007F90,00007F90,00001388,00000000,?,?,\\.\pipe\ToServer,00000000,?,?,002A3CC5,00000001), ref: 002BC955
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000,?,?,\\.\pipe\ToServer,00000000,?,?,002A3CC5,00000001,00000000), ref: 002BC971

Strings

\\.\pipe\ToServer, xrefs: 002BC91A

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Create$FileNamedPipe
String ID: \\.\pipe\ToServer
API String ID: 1328467360-63420281
Opcode ID: efe33e728c524a90d02a7c39d9c73f973fcb14612561d340e91ae38b845a5f18
Instruction ID: e418c127044f72045201ef7401fd91730823cb63f5a89613f6f715ccfc067003
Opcode Fuzzy Hash: efe33e728c524a90d02a7c39d9c73f973fcb14612561d340e91ae38b845a5f18
Instruction Fuzzy Hash: C011297114474ABEE721DF20CC80EFABB9CAF01380F14C429F4995B191D631AA95DB60

Function 002A9A11 Relevance: 4.7, APIs: 3, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 33d9aa93dc97c460af8f36180d4374a23b1479f39e35c9007feda07187fb1864
Instruction ID: 2a341ecac1eff5ec671dadfaabe6d181d99b269e37bba3f67b2b92dc8c327eb2
Opcode Fuzzy Hash: 33d9aa93dc97c460af8f36180d4374a23b1479f39e35c9007feda07187fb1864
Instruction Fuzzy Hash: C8714EB1A1112A9FCB60DF25CC81AEDB7B9AF05354F4441EAE609A3151EF30AF98CF54

Function 002AD1CC Relevance: 4.6, APIs: 3, Instructions: 64fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0027D894: _wcsnlen.LIBCMT ref: 0027D8C5

FindFirstFileW.KERNELBASE(00000000,?,00000000,?,?,?,00000001), ref: 002AD20C
FindClose.KERNEL32(000000FF), ref: 002AD2A6

Part of subcall function 002AAE39: GetFileVersionInfoSizeW.VERSION(00000000,002AAE1F,?,00000000,?,002AAE1F,00000000,?,?,002C464F,000000FF,00000000), ref: 002AAE50

Part of subcall function 002335DE: __EH_prolog3.LIBCMT ref: 002335E5

FindClose.KERNELBASE(00000000), ref: 002AD281

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Find$CloseFile$FirstH_prolog3InfoSizeVersion_wcsnlen
String ID:
API String ID: 378036534-0
Opcode ID: 50e35357856f4433b911663aad620aa7d650ace70981abb920a363e162fb071d
Instruction ID: 4492d1e42f57ef39e73bb05f97c30c156255c3def45a773405635e9a40b0743f
Opcode Fuzzy Hash: 50e35357856f4433b911663aad620aa7d650ace70981abb920a363e162fb071d
Instruction Fuzzy Hash: 8C21817181411C9BCB20FF64DC89AEEB7B8AF05320F4001A6B459E2061DB319A99CF60

Function 00299410 Relevance: 4.6, APIs: 3, Instructions: 63fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,?,D7557A70,?,?), ref: 00299469
FindClose.KERNELBASE(00000000), ref: 0029949E
FindClose.KERNEL32 ref: 002994B4

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Find$Close$FileFirst
String ID:
API String ID: 3046750681-0
Opcode ID: 5438f1f05bbd6506cb61ac0621e9d4fe6b7f6895f1da3e405969d393133a7181
Instruction ID: c7fec0c167db2b0d371bf8624ae37d1dcb6c232071cd33b63a9cb1744961db04
Opcode Fuzzy Hash: 5438f1f05bbd6506cb61ac0621e9d4fe6b7f6895f1da3e405969d393133a7181
Instruction Fuzzy Hash: F0212975518781DFCB25DF28C88969AB7E4FF88320F504A2EE459C3750DB359845CF82

Function 002BC77B Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNELBASE(?,00000000,?,?,00000000,?,00000000), ref: 002BC853

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: 43148bfc744309ea8463f43d0d5b345f51ca0c0bc23204261c9804d78a9b811d
Instruction ID: 1fd98bc2bcda48b36a3d5e74ac0c45e580f46acd3d43c7e98b1e3424f57d981f
Opcode Fuzzy Hash: 43148bfc744309ea8463f43d0d5b345f51ca0c0bc23204261c9804d78a9b811d
Instruction Fuzzy Hash: 0F41B6B5D302699ACF319F2488407E9B3B8AF40394F3045AED799E3140E7B04ED59B99

Function 00293900 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 002F914E: __getptd.LIBCMT ref: 002F9154
Part of subcall function 002F914E: __getptd.LIBCMT ref: 002F915F

SetUnhandledExceptionFilter.KERNEL32(00294290), ref: 0029394D

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: __getptd$ExceptionFilterUnhandled
String ID:
API String ID: 2662456848-0
Opcode ID: 500d612933e5c9ac2d5cf3f97857a6f75316992ef21d050087dee55b62b197d9
Instruction ID: 091f89166acef1cdaf1f0098dc99f55f94cf82bf30995f4140873cb3f6db458e
Opcode Fuzzy Hash: 500d612933e5c9ac2d5cf3f97857a6f75316992ef21d050087dee55b62b197d9
Instruction Fuzzy Hash: 39018FB65086419FD721CF18EC05B4AFBE8EB56B20F04492EF85983390D674A9448F52

Function 002C118A Relevance: 1.5, APIs: 1, Instructions: 29comCOMMON

Download Yara Rule

APIs

Part of subcall function 002936B0: _memset.LIBCMT ref: 0029370E

CoCreateInstance.OLE32(0033418C,00000000,00000001,003481C8,000000B0,00000000,00000000,002BF59B,00000094,00000018,00000040,0000003C,00000038,00000000,?,?), ref: 002C11C4

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CreateInstance_memset
String ID:
API String ID: 1524378431-0
Opcode ID: 931bea904be0f7d13da54873474bedd996bf4c6f140f18a47dcd47ae3bd00fa6
Instruction ID: b1d6236a545093b87d1a0670d1844365dc2c2edea04e871c859ce05053850401
Opcode Fuzzy Hash: 931bea904be0f7d13da54873474bedd996bf4c6f140f18a47dcd47ae3bd00fa6
Instruction Fuzzy Hash: 2CF030B12007029FD7218F9ACCC5A96FBF9FF55701B14492DE18A87641C7B5A855CB50

Function 002B200E Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 002B20B8

Part of subcall function 0024D307: __EH_prolog3.LIBCMT ref: 0024D30E

Part of subcall function 0029A5A0: GetEnvironmentVariableW.KERNEL32(00000001,00000000,00000000,?,?,?,00000000,002B1EAB,?,?,?,?,?,0025005D,?,?), ref: 0029A5AF

GetWindowsDirectoryW.KERNEL32(?,00000104,?,00000000,?,WindowsFolder,?,00000000,?,SystemFolder,?,00000000,?,ProgramFiles64Folder,?), ref: 002B20F6
GetWindowsDirectoryW.KERNEL32(?,00000104,?,00000000,?,WindowsVolume,?,00000000,?,WindowsFolder,?,00000000,?,SystemFolder,?,00000000), ref: 002B214B
GetModuleFileNameW.KERNEL32(00000000,?,00000105,?,SETUPEXEDIR,?,TempFolder,?,00000000,?,WindowsVolume,?,00000000,?,WindowsFolder,?), ref: 002B21C3

Part of subcall function 002335DE: __EH_prolog3.LIBCMT ref: 002335E5

Strings

SETUPEXEDIR, xrefs: 002B2199
SystemFolder, xrefs: 002B207E
WindowsFolder, xrefs: 002B20C0
WindowsVolume, xrefs: 002B2115
TempFolder, xrefs: 002B215C
ProgramW6432, xrefs: 002B2045
d27, xrefs: 002B21A8, 002B21B1, 002B21E1
ProgramFiles64Folder, xrefs: 002B202C

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Directory$H_prolog3Windows$EnvironmentFileModuleNameSystemVariable
String ID: ProgramFiles64Folder$ProgramW6432$SETUPEXEDIR$SystemFolder$TempFolder$WindowsFolder$WindowsVolume$d27
API String ID: 49938133-3271979304
Opcode ID: d5244b09b442318fb439edd2b35978e299cf3456138f85115e5816686646eb39
Instruction ID: 4b201ee5a6f48eb9aa370180b8693205d56675563e9fdbc1cee97ae771930bf2
Opcode Fuzzy Hash: d5244b09b442318fb439edd2b35978e299cf3456138f85115e5816686646eb39
Instruction Fuzzy Hash: B961B271630208DBCB25EFB4DC86AEE77BCAF06740F100129FA59DB152DB7499199F11

Function 002DCB6C Relevance: 24.9, APIs: 7, Strings: 7, Instructions: 354
registryprocesssynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002DDF03: __EH_prolog3_GS.LIBCMT ref: 002DDF0D
Part of subcall function 002DDF03: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 002DDF2F

Part of subcall function 0028DD10: _wcslen.LIBCMT ref: 0028DD9F
Part of subcall function 0028DD10: _wcslen.LIBCMT ref: 0028DE54

Part of subcall function 0023A7E6: std::_String_base::_Xlen.LIBCPMT ref: 0023A823
Part of subcall function 0023A7E6: char_traits.LIBCPMT ref: 0023A874

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

_wcslen.LIBCMT ref: 002DCC23
_memset.LIBCMT ref: 002DCCF7
CreateProcessW.KERNELBASE(00000004,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 002DCD54
GetLastError.KERNEL32(00000001,00000000), ref: 002DCD79
WaitForSingleObject.KERNEL32(?,000000FF,00000001,00000000), ref: 002DCD94
GetExitCodeProcess.KERNELBASE(?,?), ref: 002DCDA3

Part of subcall function 002DA0DA: __EH_prolog3.LIBCMT ref: 002DA0E1

RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004,EstimatedSize,00000001,00000000,?,80000002,00000001,?), ref: 002DD03E

Strings

ARPSIZE, xrefs: 002DCF2E
AiProductCode, xrefs: 002DCE72
D, xrefs: 002DCCEC
EstimatedSize, xrefs: 002DCFE3
FASTOEM, xrefs: 002DCDB5
Software\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 002DCF95
AiProductCode64, xrefs: 002DCEC0

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: _wcslen$Processchar_traits$CodeCreateDirectoryErrorExitH_prolog3H_prolog3_LastObjectSingleString_base::_SystemValueWaitXlen_memsetstd::_
String ID: ARPSIZE$AiProductCode$AiProductCode64$D$EstimatedSize$FASTOEM$Software\Microsoft\Windows\CurrentVersion\Uninstall\
API String ID: 1497790680-1690049508
Opcode ID: f02bdb56955863ff3be8e60ee60140ba7c76702592e4b3684c0496da0992e90e
Instruction ID: 98d966fa5dfdfc2f45ca5ffccf6790d096b2e9c6f8cf410dcd36254a64e8d18e
Opcode Fuzzy Hash: f02bdb56955863ff3be8e60ee60140ba7c76702592e4b3684c0496da0992e90e
Instruction Fuzzy Hash: CCE1A1B1018381AED731DB24C885FEBBBE8AF95304F544A1DF58957291DB30AA58CB63

Function 002A8728 Relevance: 24.8, APIs: 11, Strings: 3, Instructions: 348
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,00000000,?,?), ref: 002A87C6
CreateFileW.KERNELBASE(00000080,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00000000,?,?), ref: 002A8929
GetLastError.KERNEL32 ref: 002A8942
GetLastError.KERNEL32(00000000,00000104,?), ref: 002A895F
CloseHandle.KERNEL32(00000000), ref: 002A89BF
SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 002A8A09
GetLastError.KERNEL32 ref: 002A8A14
ReadFile.KERNELBASE(?,00000000,?,?,00000000), ref: 002A8AB2
WriteFile.KERNELBASE(?,00000000,00000000,?,00000000), ref: 002A8AEA
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,002BE1E8), ref: 002A8B4B
CloseHandle.KERNEL32(?,?,?,?), ref: 002A8B6B

Strings

Not enough disk space to extract file:, xrefs: 002A884B
Failed to extract file:, xrefs: 002A897D
Error:, xrefs: 002A8974

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ErrorFileLast$CloseHandle$CreatePointerReadWrite
String ID: Error:$Failed to extract file:$Not enough disk space to extract file:
API String ID: 261060256-4103669389
Opcode ID: 021ec176164aa51a3c6263b07063f23d6dea7b35f0d569e702d23b0fcdb46f87
Instruction ID: ef26ea1dba4f3788d222a0c79a931f0568b9e8954e815ceb1d6960888d71bfef
Opcode Fuzzy Hash: 021ec176164aa51a3c6263b07063f23d6dea7b35f0d569e702d23b0fcdb46f87
Instruction Fuzzy Hash: BDC18B71224302AFCB04EF64C885AAAB7E8BF89754F00491DF585972A1DF70EA64CF52

Function 002A2FA6 Relevance: 24.8, APIs: 3, Strings: 11, Instructions: 326
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0027E5ED: __EH_prolog3.LIBCMT ref: 0027E5F4

RegDeleteKeyA.ADVAPI32(80000001,?), ref: 002A301A
RegDeleteKeyA.ADVAPI32(80000001,?), ref: 002A30F2

Strings

No prerequisite must be installed., xrefs: 002A30A3
Starting installing prerequisites in silent mode., xrefs: 002A3150
After running prerequisites we have:, xrefs: 002A32FE
Xx4, xrefs: 002A3003, 002A3006
Xx4, xrefs: 002A2FC9
InterbootContext, xrefs: 002A2FB8
Starting installing prerequisites in full UI mode., xrefs: 002A328D
Reboot in Progress=, xrefs: 002A3378
Starting installing prerequisites in basic UI mode., xrefs: 002A3203
Reboot was refused=, xrefs: 002A333E
Reboot was required=, xrefs: 002A32F9

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Delete$H_prolog3
String ID: Reboot in Progress=$ Reboot was refused=$ Reboot was required=$After running prerequisites we have:$InterbootContext$No prerequisite must be installed.$Starting installing prerequisites in basic UI mode.$Starting installing prerequisites in full UI mode.$Starting installing prerequisites in silent mode.$Xx4$Xx4
API String ID: 1836833418-2654866553
Opcode ID: e5db399f2bef87e9acab6e6ef3745f59ffedd26f376ecd15975e564a4bd4793b
Instruction ID: d176acb3082ed9db1b6ffc948f083ce7a8ec64ff2e81c3e63574626199d5b1a1
Opcode Fuzzy Hash: e5db399f2bef87e9acab6e6ef3745f59ffedd26f376ecd15975e564a4bd4793b
Instruction Fuzzy Hash: 04C1ACB1D2024AABDF11EFA0C846BDDBB78AF05340F448495F504A7152CF749BA9CFA1

Function 00282951 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 128
threadsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00282958

Part of subcall function 002D2173: __EH_prolog3.LIBCMT ref: 002D217A

CreateEventW.KERNEL32(00000000,00000001,00000000,-00000004,_uigo_evt,00000048,00280EE6,?,D7557A70), ref: 00282992
CreateEventW.KERNEL32(00000000,00000001,00000000,-00000004,_uidone_evt,00000001,00000000,00000001,00000000,?,D7557A70), ref: 00282A00
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,00000001,00000000,00000001,00000000,?,D7557A70), ref: 00282A6A
SetEvent.KERNEL32(?,?,D7557A70), ref: 00282A93
GetExitCodeThread.KERNELBASE(00000000,00000000,?,D7557A70), ref: 00282AAA
WaitForSingleObject.KERNEL32(00000000,000000FF,?,D7557A70), ref: 00282ABE
GetExitCodeThread.KERNEL32(?,00000103,?,D7557A70), ref: 00282AD3

Strings

_uigo_evt, xrefs: 0028295D
_uidone_evt, xrefs: 002829C8

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Event$CodeCreateExitH_prolog3ThreadWait$MultipleObjectObjectsSingle
String ID: _uidone_evt$_uigo_evt
API String ID: 559468189-3641534511
Opcode ID: b86c472793a2b76e90aebef911809b86d8bab30bb41047b82c98f768264e3830
Instruction ID: 3dc01b68cac86acecf9d3262838bc90ce0cf67867839be1a0fb0bf6f29130cda
Opcode Fuzzy Hash: b86c472793a2b76e90aebef911809b86d8bab30bb41047b82c98f768264e3830
Instruction Fuzzy Hash: 0D415A75910209EFEB14EFA4CC86BEDB778AF10314F244529F911AB2D1CBB0AE59CB50

Function 002BD4E5 Relevance: 17.5, APIs: 6, Strings: 4, Instructions: 39
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(?,?,002A9ABC,?,00000000,00000000,?,?,?,00000000,00000000,00000001), ref: 002BD4E8
FreeLibrary.KERNEL32(00000000,?,00000000,00000000,?,?,?,00000000,00000000,00000001), ref: 002BD4FE
GetProcAddress.KERNEL32(00000000,InitExtraction), ref: 002BD51F
GetProcAddress.KERNEL32(GetTotalFilesSize), ref: 002BD531
GetProcAddress.KERNEL32(ExtractAllFiles), ref: 002BD543
GetProcAddress.KERNEL32(EndExtraction), ref: 002BD555

Strings

EndExtraction, xrefs: 002BD545
ExtractAllFiles, xrefs: 002BD533
InitExtraction, xrefs: 002BD519
GetTotalFilesSize, xrefs: 002BD521

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: EndExtraction$ExtractAllFiles$GetTotalFilesSize$InitExtraction
API String ID: 2449869053-3462492388
Opcode ID: 9b9f38f1821f0f16a2351971ca3c2d90c5462feee8c9104474387e01c8d65ec5
Instruction ID: e85f637e0b591fc449eadedfe358b7389806bc65c7f41b08d0b1b49c1f10d1c2
Opcode Fuzzy Hash: 9b9f38f1821f0f16a2351971ca3c2d90c5462feee8c9104474387e01c8d65ec5
Instruction Fuzzy Hash: 68F019749842119ACF335F75FE895D63FE8E7467A4B000816E91893271EB30A8A1CBA1

Function 002BF656 Relevance: 16.6, APIs: 11, Instructions: 120
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,0000040B), ref: 002BF672

Part of subcall function 002BEC1B: SendMessageW.USER32(?,00000406,00000000,00000000), ref: 002BEC28

Part of subcall function 002C11EC: GetWindowLongW.USER32(00000000,000000F0), ref: 002C11F5
Part of subcall function 002C11EC: GetParent.USER32(00000000), ref: 002C1203

GetDlgItem.USER32(?,0000040A), ref: 002BF6A1

Part of subcall function 0024D38B: GetWindowLongW.USER32(-00000004,000000F0), ref: 0024D395

IsWindow.USER32(?), ref: 002BF6D7
SendMessageW.USER32(?,00000401,00000001,00000000), ref: 002BF6EB

Part of subcall function 002616C4: SendMessageW.USER32(?,00000432,00000000,?), ref: 002616EB

SetWindowTextW.USER32(?,00000000), ref: 002BF71F
GetDlgItem.USER32(?,00000002), ref: 002BF762
EnableWindow.USER32(00000000,00000000), ref: 002BF76A
GetSystemMenu.USER32(?,00000000,?,?,00000100,?,?,?,00000000,002BF465), ref: 002BF773
ModifyMenuW.USER32(00000000,0000F060,00000001,00000000,00000000), ref: 002BF785
DestroyMenu.USER32(00000000,?,?,00000100,?,?,?,00000000,002BF465), ref: 002BF790
SetEvent.KERNEL32(?,?,000000DA,?,?,00000100,?,?,?,00000000,002BF465), ref: 002BF7A1

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Window$ItemMenuMessageSend$Long$DestroyEnableEventModifyParentSystemText
String ID:
API String ID: 4141562097-0
Opcode ID: 78c6e24b439c5df6aa913989453335ac0372d8b0b4e557619f88d806f7c3b876
Instruction ID: c5cc352c30419f38ef9dbdbdf5a93007fc86a9dd7b9608b43015bf8e7f1dd301
Opcode Fuzzy Hash: 78c6e24b439c5df6aa913989453335ac0372d8b0b4e557619f88d806f7c3b876
Instruction Fuzzy Hash: 24418276210209FFEB22AFA4CC86EDA7BADEF05350F008424FA45A7161CB719D619F64

Function 002A22EB Relevance: 12.7, APIs: 2, Strings: 5, Instructions: 461
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32(00000000,?), ref: 002A23DF
SetCurrentDirectoryW.KERNEL32(00000000,00000001,00000000,?), ref: 002A247E

Part of subcall function 002A55FF: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000001), ref: 002A562F

Part of subcall function 002A484C: GetFileAttributesW.KERNEL32(?,?,00000000,00000000,?,0000005C,?,000000DC,?,00000003), ref: 002A4893
Part of subcall function 002A484C: SetFileAttributesW.KERNEL32(?,00000080), ref: 002A48A6
Part of subcall function 002A484C: CopyFileW.KERNEL32(00000000,?,00000000), ref: 002A48B4

Strings

Full command line:, xrefs: 002A23E6
Command line to pass to MSI:, xrefs: 002A2426
Advinst_, xrefs: 002A2624
\m4, xrefs: 002A24F2, 002A24F6
d27, xrefs: 002A2356

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: File$Attributes$CommandCopyCurrentDirectoryLineModuleName
String ID: Advinst_$Command line to pass to MSI:$Full command line:$\m4$d27
API String ID: 587823951-3732278980
Opcode ID: 566bd3f77078f8a7a9438c63161f72ea5962865058d4703cfb4410a18aaec322
Instruction ID: cd8f9c28fee31e608f53629fea6ceeaa3b358a71cdda80262e20a0ca85dcf344
Opcode Fuzzy Hash: 566bd3f77078f8a7a9438c63161f72ea5962865058d4703cfb4410a18aaec322
Instruction Fuzzy Hash: 2F027E71528381DFC711EF64C882B9EB7E8AF8A304F444929F88897152DF74DA69CF52

Function 00281B7C Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 244
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00283072: __EH_prolog3.LIBCMT ref: 00283079

Part of subcall function 00283125: __EH_prolog3.LIBCMT ref: 0028312C

Part of subcall function 002D3316: __EH_prolog3_GS.LIBCMT ref: 002D331D

Part of subcall function 002D49A5: __EH_prolog3.LIBCMT ref: 002D49AC

Part of subcall function 002D4B6A: __EH_prolog3.LIBCMT ref: 002D4B71
Part of subcall function 002D4B6A: CloseHandle.KERNEL32(00000000,?,?,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000001), ref: 002D4C8E
Part of subcall function 002D4B6A: CloseHandle.KERNEL32(00282091,?,?,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000001), ref: 002D4C9F

CloseHandle.KERNEL32(?,?,?,006F0043), ref: 00281E4E
CloseHandle.KERNEL32(?,?,?,006F0043), ref: 00281E66
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00281F05
CloseHandle.KERNEL32(?), ref: 00281F23
CloseHandle.KERNEL32(?), ref: 00281F3B

Part of subcall function 00233634: __EH_prolog3.LIBCMT ref: 0023363B

Part of subcall function 002335DE: __EH_prolog3.LIBCMT ref: 002335E5

Strings

Unable to start installation error code: %u, xrefs: 00281ED8
tX3, xrefs: 00281D69

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CloseH_prolog3Handle$H_prolog3_ObjectSingleWait
String ID: Unable to start installation error code: %u$tX3
API String ID: 2953185580-2632149491
Opcode ID: 02736104e4e6e3cba621843227465aac73cff55a70d566bf9fc96917ba751527
Instruction ID: 08a825e94c8fa9f060b81685bf1ce104655346f5b786b9368e5945868aba135f
Opcode Fuzzy Hash: 02736104e4e6e3cba621843227465aac73cff55a70d566bf9fc96917ba751527
Instruction Fuzzy Hash: 82B15B714183858FC761DF68C884B8FBBE8AF99704F14092EF5888B291DB74A659CF53

Function 002BD68B Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 138
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(00000001,?,00000001,00000002,00000000,?,00000029,?,?,00000029,?,002A46B9,00000001,00000000), ref: 002BD6FC
GetLastError.KERNEL32(?,00000029,?,002A46B9,00000001,00000000), ref: 002BD706
ReadFile.KERNELBASE(00000001,?,00000400,00000000,00000000,?,00000029,?,002A46B9,00000001,00000000), ref: 002BD722
SetFilePointer.KERNELBASE(00000001,?,00000029,00000000,?,00000029,?,002A46B9,00000001,00000000), ref: 002BD75C
ReadFile.KERNELBASE(00000001,?,0000004A,00000000,00000000,?,00000029,?,002A46B9,00000001,00000000), ref: 002BD771
_memcmp.LIBCMT ref: 002BD78B

Strings

ADVINSTSFX, xrefs: 002BD785

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: File$PointerRead$ErrorLast_memcmp
String ID: ADVINSTSFX
API String ID: 2567624970-4038163286
Opcode ID: e8aec08efbc905293aec66604cbed111980be5199a5b537ba788d463224ebe40
Instruction ID: 5f9bf99b2416c80e15c751d5ff18abec53163a7783fd0fc61a1e5634719bbf12
Opcode Fuzzy Hash: e8aec08efbc905293aec66604cbed111980be5199a5b537ba788d463224ebe40
Instruction Fuzzy Hash: 8C416471A10209AFDB15DFB4DC85AEEFBB8EF08360F10452AF605E6190EB709E519B51

Function 002AAECE Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 103COMMON

Download Yara Rule

APIs

Part of subcall function 0024D307: __EH_prolog3.LIBCMT ref: 0024D30E

GetFileVersionInfoSizeW.VERSION(00000000,0000004E,?,000000FF,FFFFFF38,?,00000000,?,00000000,?), ref: 002AAEEF
GetFileVersionInfoW.VERSION(00000000,0000004E,00000000,00000000,00000000,0000004E,?,000000FF,FFFFFF38,?,00000000,?,00000000,?), ref: 002AAF27
VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,00000000,?,000000FF,00000000,0000004E,00000000,00000000,00000000,0000004E,?,000000FF,FFFFFF38,?,00000000), ref: 002AAF47
VerQueryValueW.VERSION(00000000,00000000,00000000,?,0000004E,?,000000FF,FFFFFF38,?,00000000,?,00000000,?), ref: 002AAF9B

Part of subcall function 002335DE: __EH_prolog3.LIBCMT ref: 002335E5

Strings

\StringFileInfo\%04x%04x\%s, xrefs: 002AAF7B
\VarFileInfo\Translation, xrefs: 002AAF41
ProductName, xrefs: 002AAF60, 002AAF69

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: FileH_prolog3InfoQueryValueVersion$Size
String ID: ProductName$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation
API String ID: 1674470118-2149928195
Opcode ID: e689c4b80e3c6cd2911342904acf47733fd5835f07da8374e9c1a9d7707614b8
Instruction ID: ae4aa24eb535bff41fa9327c5b58d666f4bc82b503af9c6d5b41e912775fda7f
Opcode Fuzzy Hash: e689c4b80e3c6cd2911342904acf47733fd5835f07da8374e9c1a9d7707614b8
Instruction Fuzzy Hash: 8E316CB1964119BBCB16EBA0CC42EFFB7BC9F05700F500066F501E2492EF759B29DAA1

Function 002999F0 Relevance: 12.3, APIs: 8, Instructions: 273COMMON

Download Yara Rule

APIs

Part of subcall function 00299410: FindFirstFileW.KERNELBASE(?,?,D7557A70,?,?), ref: 00299469
Part of subcall function 00299410: FindClose.KERNELBASE(00000000), ref: 0029949E

RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?), ref: 00299A79
_wcslen.LIBCMT ref: 00299B33
CreateDirectoryW.KERNELBASE(?,00000000,00000000,?,0033DBF8,00000000,?,?,?,?,?,?), ref: 00299B78
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00299B86
RemoveDirectoryW.KERNEL32(00000010), ref: 00299BAC

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: DirectoryFind$CloseCreateErrorExceptionFileFirstLastRaiseRemove_wcslen
String ID:
API String ID: 3936095028-0
Opcode ID: 949dc307d8117fc8862c17c51196d69a5ad09e16a22e855bff37bad93b614839
Instruction ID: 836d902c9d5b0fcebcbe94a486df84a0bc99745ab9e2075e061292fb642a7caf
Opcode Fuzzy Hash: 949dc307d8117fc8862c17c51196d69a5ad09e16a22e855bff37bad93b614839
Instruction Fuzzy Hash: B2A1BA716143419FD710DF2CC885A1AF7E8FF88324F048A6EF4A987291E731E956CB92

Function 002AD897 Relevance: 12.1, APIs: 8, Instructions: 54windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000C), ref: 002AD8AD
GetSystemMetrics.USER32(0000000B), ref: 002AD8B2
LoadImageW.USER32(00230000,00000080,00000001,00000000,?,?), ref: 002AD8C4
SendMessageW.USER32(000000FF,00000080,00000001,00000000), ref: 002AD8D8
GetSystemMetrics.USER32(00000032), ref: 002AD8E7
GetSystemMetrics.USER32(00000031), ref: 002AD8EC
LoadImageW.USER32(?,00000080,00000001,00000000,?,?), ref: 002AD8F6
SendMessageW.USER32(000000FF,00000080,00000000,00000000), ref: 002AD900

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: MetricsSystem$ImageLoadMessageSend
String ID:
API String ID: 530543073-0
Opcode ID: 05a039f7f5065fe97b2e53571c7dbb7afd842561e0d5aaa5d21d9083a5a25aff
Instruction ID: 6b284f54fb1fdf8843d5eb60040cc28a7573037f29e1238cbea73e84e440f792
Opcode Fuzzy Hash: 05a039f7f5065fe97b2e53571c7dbb7afd842561e0d5aaa5d21d9083a5a25aff
Instruction Fuzzy Hash: 5C01A2716403047EF6215B66DC86F2B7FACFB88B60F000519F648961E0C9A2AD40CB75

Function 002A9D8A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 132fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,002A7DCB,?), ref: 002A9E86
SetFilePointer.KERNELBASE(80000001,7FFFFFFF,00000000,00000000), ref: 002A9ECE
SetEndOfFile.KERNELBASE(80000001), ref: 002A9ED5
CloseHandle.KERNELBASE(80000001), ref: 002A9EE0

Strings

Not enough disk space to extract file:, xrefs: 002A9DE3
%sholder%d.aiph, xrefs: 002A9E65

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: File$CloseCreateHandlePointer
String ID: %sholder%d.aiph$Not enough disk space to extract file:
API String ID: 22866420-929304071
Opcode ID: ade8bd63d65ae42303ad83a887bf16226cf66d53fe8ddfde2781886f659f930d
Instruction ID: 670fffca785fbcc4933ef590ca16a4c70cd216654010ab6b90ae28c0e361e62b
Opcode Fuzzy Hash: ade8bd63d65ae42303ad83a887bf16226cf66d53fe8ddfde2781886f659f930d
Instruction Fuzzy Hash: E7417F75A1030AABCF11EF65C885ADE7BA8EF05760F008516FD189B152DB719AA0CFA0

Function 002A8E59 Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,00000000,00000029,00000029,?,00000029,?,002A46B9,00000001,00000000,00000001,00000000,?), ref: 002A8E96
GetLastError.KERNEL32(?,00000029,?,002A46B9,00000001,00000000,00000001,00000000,?), ref: 002A8EA1

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: cbaa979699a312a54b634c04aaf0b131b2ab44e4d4d8a9585eb82ae0edf07566
Instruction ID: 06067ce1ca9cd7e7f5a76d65dcc3e82ee9f1ec3d54135f8726258a5c46fbff44
Opcode Fuzzy Hash: cbaa979699a312a54b634c04aaf0b131b2ab44e4d4d8a9585eb82ae0edf07566
Instruction Fuzzy Hash: FE416E71628306AFC704DF65D88596AF7E8FF89310F404A2EB295C2551DF70EA64CF62

Function 002A37CD Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 369synchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00233634: __EH_prolog3.LIBCMT ref: 0023363B

Part of subcall function 0025A4DF: __EH_prolog3.LIBCMT ref: 0025A4E6

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00000000,?,?,00000013,00000003,00000003,00000000,?,?), ref: 002A3A95
CreateThread.KERNELBASE(00000000,00000000,Function_00073C41,?,00000000,?), ref: 002A3AB7
WaitForSingleObject.KERNEL32(?,000000FF), ref: 002A3AD2

Part of subcall function 0024D75F: _memmove_s.LIBCMT ref: 0024D76F

Part of subcall function 00272790: __EH_prolog3.LIBCMT ref: 00272797

Part of subcall function 002335DE: __EH_prolog3.LIBCMT ref: 002335E5

Part of subcall function 0029A420: _memmove_s.LIBCMT ref: 0029A489

Strings

\m4, xrefs: 002A39C7, 002A3A06, 002A39CA
\\?\, xrefs: 002A3B57

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$Create_memmove_s$EventObjectSingleThreadWait
String ID: \\?\$\m4
API String ID: 3444011372-805315443
Opcode ID: c9967271de7753a6367d8a72ba7c4c7695d1d581166c300503949b3b44ec09c6
Instruction ID: d85fe3c174df9c4d84453f68b083ab02b361ae30489aee2f646d789f01f9829b
Opcode Fuzzy Hash: c9967271de7753a6367d8a72ba7c4c7695d1d581166c300503949b3b44ec09c6
Instruction Fuzzy Hash: 84D1717192024AAFCF11EFA4C881AEEB779AF05310F444466F815AB192DF709B69CF60

Function 002BE095 Relevance: 9.1, APIs: 6, Instructions: 85threadsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 002BE0B1

Part of subcall function 0024EF01: CloseHandle.KERNEL32(00000000,002B19F6), ref: 0024EF0C

CreateThread.KERNELBASE(00000000,00000000,Function_0008E2F0,?,00000000,00000000), ref: 002BE0D9
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 002BE125
GetExitCodeThread.KERNELBASE(00000000,?), ref: 002BE130
CloseHandle.KERNEL32(00000000), ref: 002BE142
CloseHandle.KERNEL32(00000000), ref: 002BE151

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CloseHandle$CreateThread$CodeEventExitObjectSingleWait
String ID:
API String ID: 3973034109-0
Opcode ID: d353e371a1aae928312ea17c64bed43a60a8535c7f56ff92cf3e0faf6b1501fd
Instruction ID: f245b5809f02a1aff4d09a02e5c1654d48a6ebe7ecbacd01384b4614f435e233
Opcode Fuzzy Hash: d353e371a1aae928312ea17c64bed43a60a8535c7f56ff92cf3e0faf6b1501fd
Instruction Fuzzy Hash: 4B214D75910211AFCB11DF69CC88CDABBB8FF8A75171605A4F91597321DB30AD10CFA0

Function 002B3F0E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,002A55A0,?,002A55A0,00374704,?,[SystemFolder]msiexec.exe,00000004,00000000,?,?,?,?), ref: 002B3F29
RegQueryValueExW.KERNELBASE(002A55A0,003746CC,00000000,00000000,00374704,?,?,003746CC), ref: 002B3F64
RegDeleteValueW.ADVAPI32(002A55A0,003746CC), ref: 002B3F7C
RegCloseKey.ADVAPI32(002A55A0), ref: 002B3F87

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 002B3F1F

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Value$CloseDeleteOpenQuery
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 647993726-1428018034
Opcode ID: a8921703b1f39604c05ef3bbb2a065f7466fc2c77f40e8dfbc0255f57eed8f98
Instruction ID: 084c1ddbbf15e070481cbe1cd19358bf4c58c824f97fa698b890c11f78f2f854
Opcode Fuzzy Hash: a8921703b1f39604c05ef3bbb2a065f7466fc2c77f40e8dfbc0255f57eed8f98
Instruction Fuzzy Hash: 3E01B136A00205BBDF128B54CC45FEE7BBCEF44790F104051FA04E7194DB70EA94CA50

Function 002AA1B9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49registryCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 002AA1C6
RegOpenKeyW.ADVAPI32(80000001,Software\Caphyon\Setups,00000000), ref: 002AA1EC
RegDeleteValueW.ADVAPI32(00000000,?), ref: 002AA1FD
RegCloseKey.ADVAPI32(00000000), ref: 002AA206

Strings

Software\Caphyon\Setups, xrefs: 002AA1E1, 002AA1E6, 002AA20C

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CloseDeleteFreeLibraryOpenValue
String ID: Software\Caphyon\Setups
API String ID: 2275780903-2348175745
Opcode ID: f8acdd5cf085712bd88cffb96353f1a7ec71aa387f7ddc820fb70713e328c632
Instruction ID: 64b3df7a19be0fe8760028dee02142cae1279eef40cf4ce2475d6d682485554b
Opcode Fuzzy Hash: f8acdd5cf085712bd88cffb96353f1a7ec71aa387f7ddc820fb70713e328c632
Instruction Fuzzy Hash: B50169B2910104EBCB05EFA4EC89ADEBBBCEF09301F500059F906A6066DB349BA4DF50

Function 002A8CC4 Relevance: 7.6, APIs: 5, Instructions: 136fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,00000000,00000000,00000029,00000029,002A7A30,00000031,?,?,00000029,?,002A46B9,00000001,00000000), ref: 002A8CFF
GetLastError.KERNEL32(?,00000029,?,002A46B9,00000001,00000000,00000001,00000000,?), ref: 002A8D0A

Part of subcall function 00233634: __EH_prolog3.LIBCMT ref: 0023363B

ReadFile.KERNEL32(?,?,00000018,?,00000000,?,?,00000029,?,002A46B9,00000001,00000000,00000001,00000000,?), ref: 002A8D77
ReadFile.KERNEL32(?,?,?,?,00000000,?,?,00000029,?,002A46B9,00000001,00000000,00000001,00000000,?), ref: 002A8DCA
GetLastError.KERNEL32(?,00000029,?,002A46B9,00000001,00000000,00000001,00000000,?), ref: 002A8E28

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: File$ErrorLastRead$H_prolog3Pointer
String ID:
API String ID: 848458487-0
Opcode ID: 84fb2c94bf9295eacb15bc3be6e6bff40bf5436f2364fd95615b477e62274534
Instruction ID: a369c1274ccbeec18709575feb510ea7dbc5f5e51ffdf3b15a7affae0e00cd84
Opcode Fuzzy Hash: 84fb2c94bf9295eacb15bc3be6e6bff40bf5436f2364fd95615b477e62274534
Instruction Fuzzy Hash: C4415AB1528305AFC714DF65C88196BB7E8BF89310F404E2EF1AA82251EF70E965CF12

Function 002B4540 Relevance: 7.6, APIs: 5, Instructions: 84fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,-00000004,00000000), ref: 002B456A
CloseHandle.KERNEL32(00000000), ref: 002B4603

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: 715463673d445892a7b615a77fc2f46ad20eb624c55c49c2e8211baf3cc21e7c
Instruction ID: 937603eecff3f42d52b62a3788524df571165fa3fb71d103c6ba56b6deef667f
Opcode Fuzzy Hash: 715463673d445892a7b615a77fc2f46ad20eb624c55c49c2e8211baf3cc21e7c
Instruction Fuzzy Hash: F921D3B1610205BFCB21AF69DCC5EEF777CEB407A0F504615F911E2192DB709A64CB60

Function 002BB0F8 Relevance: 7.6, APIs: 5, Instructions: 63COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 002BB10F
GetWindowLongW.USER32(?,000000FC), ref: 002BB126
CallWindowProcW.USER32(?,?,00000082,?,?), ref: 002BB138
GetWindowLongW.USER32(?,000000FC), ref: 002BB152
SetWindowLongW.USER32(?,000000FC,?), ref: 002BB161

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Window$Long$CallProc
String ID:
API String ID: 513923721-0
Opcode ID: 0c197461e177d092e7a0cff9ac8fa907be1ff88fe23eddd489e6b356f7aa745e
Instruction ID: 70e861371d7d2bd51627e0015128c6a43ab64f60c48321ed2f4dbcfa209a5bf0
Opcode Fuzzy Hash: 0c197461e177d092e7a0cff9ac8fa907be1ff88fe23eddd489e6b356f7aa745e
Instruction Fuzzy Hash: 88211875520605EFCB32CF69DD8489ABBF5FF48360B108A19F5AA86660C731E960DF50

Function 002AAC5A Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000002), ref: 002AAC6D
GetWindowRect.USER32(00000000,?), ref: 002AAC85
ShowWindow.USER32(?,?,?,?,?,?,?,?,00000003), ref: 002AAC9A
GetDlgItem.USER32(?,000003E9), ref: 002AACA8
GetWindowRect.USER32(00000000,?), ref: 002AACBE

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Window$ItemRect$Show
String ID:
API String ID: 4292884745-0
Opcode ID: aa29c8d365e0743b73e6d30c8b3ffa5b611c6fe89b7148c5875ccea495f389ef
Instruction ID: de7d0595bb43a762aadbeb5f4a7a060f892addec36b0d07d1242ebbb56c02995
Opcode Fuzzy Hash: aa29c8d365e0743b73e6d30c8b3ffa5b611c6fe89b7148c5875ccea495f389ef
Instruction Fuzzy Hash: 8911F6B5D10209AFDB11DFAAC9859AEBBF8FF08300F50856EE546E2250E734AA00DF50

Function 002B1157 Relevance: 7.6, APIs: 5, Instructions: 53windowthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_0008F343,?,00000000,?), ref: 002B117E
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002B119D
TranslateMessage.USER32(?), ref: 002B11AB
DispatchMessageW.USER32(?), ref: 002B11B5
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000001FF), ref: 002B11C5

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Message$CreateDispatchMultipleObjectsPeekThreadTranslateWait
String ID:
API String ID: 2255091658-0
Opcode ID: 58ffec01192797580bef3750b671390b3caa68437fe66fb8fddc0ada958f94a6
Instruction ID: 94216d5bb28c112e4473cd15d109b94d6ca084e92b92264073b481c9f2a37d58
Opcode Fuzzy Hash: 58ffec01192797580bef3750b671390b3caa68437fe66fb8fddc0ada958f94a6
Instruction Fuzzy Hash: B20140B2D10229BBDB119FE99C88DEF7BBCEF497A0F044526FA11E2140D6749610CBA0

Function 002F5723 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 002F5741

Part of subcall function 002FF38A: __mtinitlocknum.LIBCMT ref: 002FF3A0
Part of subcall function 002FF38A: __amsg_exit.LIBCMT ref: 002FF3AC
Part of subcall function 002FF38A: EnterCriticalSection.KERNEL32(?,?,?,00305931,00000004,0034F570,0000000C,002FC457,?,?,00000000,00000000,00000000,?,002F93EB,00000001), ref: 002FF3B4

___sbh_find_block.LIBCMT ref: 002F574C
___sbh_free_block.LIBCMT ref: 002F575B
RtlFreeHeap.NTDLL(00000000,?,0034EF70,0000000C,002FF36B,00000000,0034F470,0000000C,002FF3A5,?,?,?,00305931,00000004,0034F570,0000000C), ref: 002F578B
GetLastError.KERNEL32(?,00305931,00000004,0034F570,0000000C,002FC457,?,?,00000000,00000000,00000000,?,002F93EB,00000001,00000214), ref: 002F579C

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 21bd5c79aa16d75658d54d14c690041341a194ce1b69bb6ea66fb6c58b8a48f4
Instruction ID: 60a6c34fd7d7399711b6f478d6a1fe9ca22722c78a9688309bc3c172ec04c4d2
Opcode Fuzzy Hash: 21bd5c79aa16d75658d54d14c690041341a194ce1b69bb6ea66fb6c58b8a48f4
Instruction Fuzzy Hash: 9901A73192161EEADB317F709C06F7EF6A49F007E1F204575F704A6091DB3489608F94

Function 002A3C41 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 184COMMON

Download Yara Rule

APIs

Part of subcall function 00235A6E: __EH_prolog3.LIBCMT ref: 00235A75

Part of subcall function 00233634: __EH_prolog3.LIBCMT ref: 0023363B

Part of subcall function 00297450: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?), ref: 0029748A
Part of subcall function 00297450: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 002974AD

Part of subcall function 002335DE: __EH_prolog3.LIBCMT ref: 002335E5

Part of subcall function 0027E5ED: __EH_prolog3.LIBCMT ref: 0027E5F4

Part of subcall function 002BC8F4: CreateNamedPipeW.KERNELBASE(?,00000003,00000006,000000FF,00007F90,00007F90,00001388,00000000,?,?,\\.\pipe\ToServer,00000000,?,?,002A3CC5,00000001), ref: 002BC955
Part of subcall function 002BC8F4: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000,?,?,\\.\pipe\ToServer,00000000,?,?,002A3CC5,00000001,00000000), ref: 002BC971

SetEvent.KERNEL32(?,?,?,00000000,00000000,00000001,?,?,00000001,00000000,?,?,Advinst_Extract_,?,00000001,00000000), ref: 002A3DDA
SetEvent.KERNEL32(?,?,00000001,00000000,?,?,Advinst_Extract_,?,00000001,00000000), ref: 002A3E15

Part of subcall function 002A9F06: DeleteFileW.KERNELBASE(00000000,?,?,002A3E6F,000000FF,00000000,?,?,000000FF), ref: 002A9F23

Strings

Advinst_Extract_, xrefs: 002A3CFE
Advinst_Estimate_, xrefs: 002A3C59

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$ByteCharCreateEventFileMultiWide$DeleteNamedPipe
String ID: Advinst_Estimate_$Advinst_Extract_
API String ID: 2528542574-4085305062
Opcode ID: 165d7daa13c2fbe1cd21884c2b6033f4be097239ad9a496743893a19a6ab4026
Instruction ID: ea41172727961f7bc133f60e2d1e9657735e0d2f7463ef16a4551ebd7f0e8533
Opcode Fuzzy Hash: 165d7daa13c2fbe1cd21884c2b6033f4be097239ad9a496743893a19a6ab4026
Instruction Fuzzy Hash: C471FB724283059FC601EF60C8829DFB7E8AF99754F400A2AF595A7161DF30EB59CF92

Function 002AA2C4 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 002AA8CD: EnumResourceLanguagesW.KERNEL32(?,00000010,00000001,002AA913,?), ref: 002AA8E7

RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,002A40DD,?,00000000), ref: 002AA376
GetActiveWindow.USER32 ref: 002AA3D2

Strings

Suggested language for UI, xrefs: 002AA334
Language selected by user for UI:, xrefs: 002AA427

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ActiveEnumExceptionLanguagesRaiseResourceWindow
String ID: Language selected by user for UI:$Suggested language for UI
API String ID: 3491832942-2966586800
Opcode ID: 7713345c2a853a4b1c2721aa8bbf0b4e15cdcfd4730048701278eddf7368df72
Instruction ID: 88394bed02e3b1bdb9980fb2099fbc5695be7d81ad2a8f69a937cb4482dc6484
Opcode Fuzzy Hash: 7713345c2a853a4b1c2721aa8bbf0b4e15cdcfd4730048701278eddf7368df72
Instruction Fuzzy Hash: 6151E471924216AFCB01EFB4C845AED7BB8BF0A300F444156F44197592DFB4AAA5CFA1

Function 00282053 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002820A1
__EH_prolog3_GS.LIBCMT ref: 0028210E

Strings

InstallUISequence, xrefs: 002820B3

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3_
String ID: InstallUISequence
API String ID: 2427045233-1326666714
Opcode ID: c3986bb1727d54fecf8c0caa4231e722988e84359a16e581c146606a30ee8749
Instruction ID: a2aa0782066c506abd5adf1ca9ea009dd42143908e3adf8b4a5ff85026a7be2b
Opcode Fuzzy Hash: c3986bb1727d54fecf8c0caa4231e722988e84359a16e581c146606a30ee8749
Instruction Fuzzy Hash: DD31273A931619DBCB60FBB4C845AEEB3689B40360F6007A5F01A971D1EF709EA5CB41

Function 002A3709 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(msi.dll), ref: 002A3716
FreeLibrary.KERNEL32(00000000), ref: 002A378A

Strings

Maintenance mode:, xrefs: 002A3758
msi.dll, xrefs: 002A370F

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Library$FreeLoad
String ID: Maintenance mode:$msi.dll
API String ID: 534179979-1212335440
Opcode ID: 162710c722e86d6bc624e35655b8834144432e7f569b4dd2646473d007c1df55
Instruction ID: 004a877430a28f8ff3ba87a6d6270eaf922643ad0be6318739c8c089d4598b80
Opcode Fuzzy Hash: 162710c722e86d6bc624e35655b8834144432e7f569b4dd2646473d007c1df55
Instruction Fuzzy Hash: 80012BF1960345BBD311EBF18C85EE777AC9B06340F004825F15582002EFA4EA148B60

Function 0029CD30 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 0029CD53
CLSIDFromString.COMBASE(00000000,?,?,00000000,D7557A70), ref: 0029CD65
SysFreeString.OLEAUT32(00000000), ref: 0029CD6E

Strings

`<u, xrefs: 0029CD6E

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: String$AllocFreeFrom
String ID: `<u
API String ID: 3643976068-3367579956
Opcode ID: 5cf0def36750c34baf5b8c57bb823f7e1e0488627c5e69ae28a584f933a5779c
Instruction ID: 9cba9629619fc18440e61961e4b6932a6b3b4184323eee20d8866db6a967ac26
Opcode Fuzzy Hash: 5cf0def36750c34baf5b8c57bb823f7e1e0488627c5e69ae28a584f933a5779c
Instruction Fuzzy Hash: 9CF0F4329106119B8B05EF3CDC45A5E77E8AF89310F854469E505C7211DA30D8098BE2

Function 002A75FE Relevance: 6.1, APIs: 4, Instructions: 117fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 002A768D
GetLastError.KERNEL32 ref: 002A7695
RemoveDirectoryW.KERNELBASE(00000000), ref: 002A76DF
GetLastError.KERNEL32 ref: 002A76E8

Part of subcall function 002A7E05: RemoveDirectoryW.KERNEL32(?), ref: 002A7ED8

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: DirectoryErrorLastRemove$DeleteFile
String ID:
API String ID: 925978201-0
Opcode ID: 37f25fdc3636d73ecf4f49eafc6464a2f1e399be6a5e5fbf782192f9249e3b78
Instruction ID: 4483d63970bf5d41fd58e05d6de177794110aedceedffffacfa022cb2fdda538
Opcode Fuzzy Hash: 37f25fdc3636d73ecf4f49eafc6464a2f1e399be6a5e5fbf782192f9249e3b78
Instruction Fuzzy Hash: B6415675E24219DFCF01EFA8C98179DBBB4AF09300F1544B6D909AB206DB306E65CFA4

Function 002AAE39 Relevance: 6.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,002AAE1F,?,00000000,?,002AAE1F,00000000,?,?,002C464F,000000FF,00000000), ref: 002AAE50
GetFileVersionInfoW.VERSION(00000000,002AAE1F,00000000,00000000,00000000,002AAE1F,?,00000000,?,002AAE1F,00000000,?,?,002C464F,000000FF,00000000), ref: 002AAE80
VerQueryValueW.VERSION(00000000,0033DBF8,00000000,?,00000000,002AAE1F,00000000,00000000,00000000,002AAE1F,?,00000000,?,002AAE1F,00000000,?), ref: 002AAE97
GetLastError.KERNEL32(00000000,002AAE1F,?,00000000,?,002AAE1F,00000000,?,?,002C464F,000000FF,00000000), ref: 002AAEC0

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: FileInfoVersion$ErrorLastQuerySizeValue
String ID:
API String ID: 867375363-0
Opcode ID: ba800669622e74f746abc4a163dd56207e77b0bf17ec73a0ad98794d21a8e141
Instruction ID: 095af68f94c93d0cc2f1bf64874000ed6a1430e4050ceaf94f4debb5c84dd9b7
Opcode Fuzzy Hash: ba800669622e74f746abc4a163dd56207e77b0bf17ec73a0ad98794d21a8e141
Instruction Fuzzy Hash: 9A11C136911209ABCB229F99C940ABFBBFCEF45760F14407AE8009B251DF309E10CB91

Function 002AABED Relevance: 6.0, APIs: 4, Instructions: 23threadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 002AABF5
DestroyWindow.USER32(?), ref: 002AAC03
PostMessageW.USER32(?,00000401,00000000,00000000), ref: 002AAC15
IsWindow.USER32(?), ref: 002AAC1E

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Window$CurrentDestroyMessagePostThread
String ID:
API String ID: 3186974096-0
Opcode ID: 5b17d6b83fb0a60360d2297c720898e489abd45dc6c67570bf962d92efd46465
Instruction ID: 7c162bcd98887197c99f8ab17f0052252236a41832ff36894d2a5e03ee0d1d11
Opcode Fuzzy Hash: 5b17d6b83fb0a60360d2297c720898e489abd45dc6c67570bf962d92efd46465
Instruction Fuzzy Hash: 06E012701527419FE7325F61DEC5857FBEABF15B11B04491DF18782821CB21A854DB19

Function 002E4A9B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002E4AA5
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 002E4AB6

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Part of subcall function 0024FE5B: __EH_prolog3.LIBCMT ref: 0024FE62

Part of subcall function 002CCE48: __EH_prolog3.LIBCMT ref: 002CCE4F

Part of subcall function 0028DD10: _wcslen.LIBCMT ref: 0028DD9F
Part of subcall function 0028DD10: _wcslen.LIBCMT ref: 0028DE54

Strings

msi.dll, xrefs: 002E4B07

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3_wcslen$DirectoryH_prolog3_Systemchar_traits
String ID: msi.dll
API String ID: 1246425549-3974507041
Opcode ID: d20fafa87e83b60327b0cb8d8a2855ffdd6349867f682c05549e9c93ffab08c4
Instruction ID: 5f069d1269cefc7b270ee830d27a0a5e07226c744b32fe3974cc1640a0ba31e5
Opcode Fuzzy Hash: d20fafa87e83b60327b0cb8d8a2855ffdd6349867f682c05549e9c93ffab08c4
Instruction Fuzzy Hash: FC518B71821268DACF24EBA4CD89BDDB7B8AF51304F5041E9E109A70A1DB746F99CF50

Function 002A5BDF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 77threadCOMMON

Download Yara Rule

APIs

GetExitCodeThread.KERNELBASE(?,00000003,?,?,?), ref: 002A5C06

Part of subcall function 00235A6E: __EH_prolog3.LIBCMT ref: 00235A75

Part of subcall function 00233634: __EH_prolog3.LIBCMT ref: 0023363B

Part of subcall function 002A55FF: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000001), ref: 002A562F

Part of subcall function 00297450: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?), ref: 0029748A
Part of subcall function 00297450: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 002974AD

Part of subcall function 002335DE: __EH_prolog3.LIBCMT ref: 002335E5

Part of subcall function 002BCC2A: WriteFile.KERNEL32(?,?,?,?,00000000,?,002A5CA6,?,CLOSE,00000000,00000000,?,?,?,Advinst_Estimate_), ref: 002BCC3E
Part of subcall function 002BCC2A: FlushFileBuffers.KERNEL32(?,?,002A5CA6,?,CLOSE,00000000,00000000,?,?,?,Advinst_Estimate_), ref: 002BCC47

Part of subcall function 0027E5ED: __EH_prolog3.LIBCMT ref: 0027E5F4

Part of subcall function 002BC990: CloseHandle.KERNELBASE(?,002A3EC3,000000FF), ref: 002BC999

Strings

Advinst_Estimate_, xrefs: 002A5C21
CLOSE, xrefs: 002A5C90

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$File$ByteCharMultiWide$BuffersCloseCodeExitFlushHandleModuleNameThreadWrite
String ID: Advinst_Estimate_$CLOSE
API String ID: 152627384-755230127
Opcode ID: 5b27ba72ea36258630fb22e22ba4f7ad5d6f2600fd7b627059f3906709342ae5
Instruction ID: e6a5a75b9441d52197f050fc1075c12cf23f10d5af50d6ef98c94eefca4217e2
Opcode Fuzzy Hash: 5b27ba72ea36258630fb22e22ba4f7ad5d6f2600fd7b627059f3906709342ae5
Instruction Fuzzy Hash: 6A210A72D20619ABDB00EBA0DC869EEB378AF05310F500566F115B31A1DF74AB598F90

Function 00282406 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0027E6AD: __EH_prolog3.LIBCMT ref: 0027E6B4

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

InterlockedExchange.KERNEL32(00373270,?), ref: 0028249D
InterlockedExchange.KERNEL32(00373270,?), ref: 002824AB

Part of subcall function 0027E6EB: __EH_prolog3.LIBCMT ref: 0027E6F2

Strings

p27, xrefs: 00282493

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ExchangeH_prolog3Interlocked$char_traits
String ID: p27
API String ID: 2850239866-4269621308
Opcode ID: 086e7e4a742b3d421c066956fc2a66d77d6e4af22b5745553f9ef3f49692b44b
Instruction ID: 699bda7dff8005954700c4385e3987722de67a93602ce73b5e5f8454e474bbf4
Opcode Fuzzy Hash: 086e7e4a742b3d421c066956fc2a66d77d6e4af22b5745553f9ef3f49692b44b
Instruction Fuzzy Hash: 06216F76518344AFC701EF69DC81A5BB7ECFB88720F004A2EF955832A1DB34D914CBA2

Function 002F58C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 002F58E2

Part of subcall function 002F5659: __FF_MSGBANNER.LIBCMT ref: 002F567C
Part of subcall function 002F5659: __NMSG_WRITE.LIBCMT ref: 002F5683
Part of subcall function 002F5659: RtlAllocateHeap.NTDLL(00000000,?,00000001,00000000,00000000,?,002FC40D,?,00000001,?,?,002FF314,00000018,0034F470,0000000C,002FF3A5), ref: 002F56D0

std::bad_alloc::bad_alloc.LIBCMT ref: 002F5905

Part of subcall function 002F36F4: std::exception::exception.LIBCMT ref: 002F3700

Strings

Pd, xrefs: 002F5926

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: AllocateHeap_mallocstd::bad_alloc::bad_allocstd::exception::exception
String ID: Pd
API String ID: 3447465555-2643266211
Opcode ID: d586fcfea53d280b7cae055124dbc21f8a2117ef0f39a17522c68fbb723e24b1
Instruction ID: 4d3bf7900e7162ddb1398d456a42a5a3a0179a91e1d7b1ce560907113ea7557d
Opcode Fuzzy Hash: d586fcfea53d280b7cae055124dbc21f8a2117ef0f39a17522c68fbb723e24b1
Instruction Fuzzy Hash: 05F0273052062D37DB1B7B20DC13AB8BBE84F427D8F140034FB16A51D1DFA4DAA5AA84

Function 002D45CD Relevance: 4.6, APIs: 3, Instructions: 102COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002D45E6
CloseHandle.KERNELBASE(?,00000038,?,?,?,?,?,?,?,?,?,?,?,?,?,002D41FE), ref: 002D46D1

Part of subcall function 002341AD: InitializeCriticalSection.KERNEL32(003746CC,002B188E,00000000,74DEE010,Failed to extract file:,?, Error:,00000000), ref: 002341BB
Part of subcall function 002341AD: EnterCriticalSection.KERNEL32(?,002B188E,00000000,74DEE010,Failed to extract file:,?, Error:,00000000), ref: 002341C7

Part of subcall function 002D423C: __EH_prolog3_GS.LIBCMT ref: 002D4243

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Part of subcall function 002D42A7: __EH_prolog3.LIBCMT ref: 002D42AE

LeaveCriticalSection.KERNEL32(?,00000001,00000000,00000001,00000000,00000001,00000000,?,00000001,00000000,?,00000001,00000000,?,00000000,00000000), ref: 002D46BE

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CriticalSection$H_prolog3$CloseEnterH_prolog3_HandleInitializeLeavechar_traits
String ID:
API String ID: 240650557-0
Opcode ID: d4d0a1becaa6689660cf39b8f2def22c1f1d3098b08de8702e199c8ce7782b34
Instruction ID: a6d5dfe35ec5f4f74f5313b2a6fe52b1809c123198627faa741dc98f5ce4aa3d
Opcode Fuzzy Hash: d4d0a1becaa6689660cf39b8f2def22c1f1d3098b08de8702e199c8ce7782b34
Instruction Fuzzy Hash: 263191711102489FEB14EF64DC86BED7768EF14318F400559F992672D2CBB1AE19CB50

Function 002314CF Relevance: 4.6, APIs: 3, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00231509
__EH_prolog3_catch.LIBCMT ref: 00231516
char_traits.LIBCPMT ref: 002315C2

Part of subcall function 002F58C8: _malloc.LIBCMT ref: 002F58E2

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Exception@8H_prolog3_catchThrow_mallocchar_traits
String ID:
API String ID: 1921451040-0
Opcode ID: 23ac1acc9f2574a12bbfb0568588ecc1312211968d218efb22a819243b121998
Instruction ID: 4d400f6ed38fc3b885f2a237c6b2a787e5071fb8deeb740ffacf7eb79f34af22
Opcode Fuzzy Hash: 23ac1acc9f2574a12bbfb0568588ecc1312211968d218efb22a819243b121998
Instruction Fuzzy Hash: A721AAF1D20209ABCF14EFA4C4419EDB7B9AF44350F54862AF52697581DB70EA71CF90

Function 002A798B Relevance: 4.6, APIs: 3, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000099,80000000,00000001,00000000,00000003,00000080,00000000,0000016D,00000001,?,00000029,?,002A46B9,00000001,00000000,00000001), ref: 002A79C8
GetLastError.KERNEL32(?,00000029,?,002A46B9,00000001,00000000,00000001,00000000,?), ref: 002A79DC
GetLastError.KERNEL32(00000031,?,?,00000029,?,002A46B9,00000001,00000000,00000001,00000000,?), ref: 002A7A0A

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ErrorLast$CreateFile
String ID:
API String ID: 1722934493-0
Opcode ID: 92fbe19eaaeb399a4e8e9fcddf8424b1a1527466c076cf630aa7dd6c0180e36b
Instruction ID: 2a923f986706fd4cdcd578e88217ec21dd8e05c4b3954096f220c361a5a2a8b4
Opcode Fuzzy Hash: 92fbe19eaaeb399a4e8e9fcddf8424b1a1527466c076cf630aa7dd6c0180e36b
Instruction Fuzzy Hash: 9F11C636A20200ABDB20AF65DC85F9A739CEB47750F150265FE11DB182DE606D50CBB4

Function 002BCB55 Relevance: 4.6, APIs: 3, Instructions: 57filepipeCOMMON

Download Yara Rule

APIs

ConnectNamedPipe.KERNELBASE(?,00000000,?,?,?,?,002BCB0A,?,000000FF,00000000,?,00000000,?,?), ref: 002BCB66
GetLastError.KERNEL32(?,?,?,002BCB0A,?,000000FF,00000000,?,00000000,?,?,?,?,?,002A3E2E,000000FF), ref: 002BCB70
ReadFile.KERNELBASE(?,?,00007F90,?,00000000,00000000,?,?,?,?,002BCB0A,?,000000FF,00000000,?,00000000), ref: 002BCB99

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ConnectErrorFileLastNamedPipeRead
String ID:
API String ID: 2929664045-0
Opcode ID: a11070b25149736998871c26cca149e140a2b839cc483f5fd6fff027b3256c2f
Instruction ID: 7911638d76d8bfdd6abf628f063c24c607d1be4aeaf401636dd0dbd3f7e96107
Opcode Fuzzy Hash: a11070b25149736998871c26cca149e140a2b839cc483f5fd6fff027b3256c2f
Instruction Fuzzy Hash: EF117CB556424ABFDB11DFA4CC86CAF7B6CEF14398B108929F51686150EB30EA24DB50

Function 0027E0F4 Relevance: 4.6, APIs: 3, Instructions: 50COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0027E0FB
CloseHandle.KERNEL32(00000000,00000000,0027DF58,00000000,?,?,?,00000001,00000000,?,?,?,00000000,00000F04,?,?), ref: 0027E11D
CloseHandle.KERNEL32(00000000,00000000,0027DF58,00000000,?,?,?,00000001,00000000,?,?,?,00000000,00000F04,?,?), ref: 0027E133

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CloseHandle$H_prolog3
String ID:
API String ID: 604870763-0
Opcode ID: c26093fd7f0e70f1a05cccb28ec864129974e0361a090faeb5e650a927bc5273
Instruction ID: e357bb7f4781c7b062cd4ec5804ed1a745f2b0fa5997ba9151e43203360faea7
Opcode Fuzzy Hash: c26093fd7f0e70f1a05cccb28ec864129974e0361a090faeb5e650a927bc5273
Instruction Fuzzy Hash: F2119370415349DBEB10EBB4C945BCEBBF89F15300F508498D595A7192DB78AB18CFA1

Function 002B10E1 Relevance: 4.5, APIs: 3, Instructions: 35threadCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 002B10EE
GetCurrentThreadId.KERNEL32 ref: 002B1118
SetWindowTextW.USER32(?,00000000), ref: 002B1133

Part of subcall function 002AAC5A: GetDlgItem.USER32(?,00000002), ref: 002AAC6D
Part of subcall function 002AAC5A: GetWindowRect.USER32(00000000,?), ref: 002AAC85
Part of subcall function 002AAC5A: ShowWindow.USER32(?,?,?,?,?,?,?,?,00000003), ref: 002AAC9A
Part of subcall function 002AAC5A: GetDlgItem.USER32(?,000003E9), ref: 002AACA8
Part of subcall function 002AAC5A: GetWindowRect.USER32(00000000,?), ref: 002AACBE

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Window$ItemRect$ActiveCurrentShowTextThread
String ID:
API String ID: 140715053-0
Opcode ID: 8445c1ccfca134399d163e4554e2b0fe4e7cf4b7085e241d7c3838acbd6ac441
Instruction ID: 911ea75cccbe60485950197103e40083861ae69d6b71f272c28a1bcf6f9ebd1e
Opcode Fuzzy Hash: 8445c1ccfca134399d163e4554e2b0fe4e7cf4b7085e241d7c3838acbd6ac441
Instruction Fuzzy Hash: 26F028312257C19FD322AB749855586FFD8BF0A300F04490EF5C683A11C7209474CF62

Function 002BF96C Relevance: 4.5, APIs: 3, Instructions: 31COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 002BF972

Part of subcall function 00233684: GetCurrentProcess.KERNEL32(00000000,0000000D,00000000,00000000,0034F82C,?,0023360F,80004005,00235A87,00000000,002BE292,?,?,00000000,?), ref: 002336B8
Part of subcall function 00233684: FlushInstructionCache.KERNEL32(00000000,?,0023360F,80004005,00235A87,00000000,002BE292,?,?,00000000,?,?,?,?,002BE220), ref: 002336BF

SetLastError.KERNEL32(0000000E,00000000), ref: 002BF991
DialogBoxParamW.USER32(000000D8,00000000,Function_0001D1F7,00000000,?), ref: 002BF9B2

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ActiveCacheCurrentDialogErrorFlushInstructionLastParamProcessWindow
String ID:
API String ID: 2755743814-0
Opcode ID: 20dbb185e53f30d6451f1aa9db2e85c4b964f2683f9569004f0036411bf4231d
Instruction ID: c7d2437c3986a39fa26e67698ad01281909e4226bace9aeb565d157775c743da
Opcode Fuzzy Hash: 20dbb185e53f30d6451f1aa9db2e85c4b964f2683f9569004f0036411bf4231d
Instruction Fuzzy Hash: 97E022362902087BE7112B30DC8AF8677ACEB46792F014422FB06E6092DEE188158AA0

Function 0028285E Relevance: 4.5, APIs: 3, Instructions: 23COMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00282865
CoInitialize.OLE32(00000000), ref: 00282873

Part of subcall function 00282053: __EH_prolog3_GS.LIBCMT ref: 002820A1

CoUninitialize.COMBASE ref: 00282898

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3_H_prolog3_catch_InitializeUninitialize
String ID:
API String ID: 1180239551-0
Opcode ID: 19771a70ad20444dd9955e92e6ecf5dfbdc254e1e5fa90a1a5fa5ca209a66a4c
Instruction ID: a9203f24ad394fa7f660ffbc82aef128da5cf6908166800080e6788d174d237c
Opcode Fuzzy Hash: 19771a70ad20444dd9955e92e6ecf5dfbdc254e1e5fa90a1a5fa5ca209a66a4c
Instruction Fuzzy Hash: 65E0D839A66358DBDB12F7F486093DCBA904F14381F5880A5E944BB2C1CAB01E1CD765

Function 0026A1ED Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0026A1F4

Part of subcall function 002F58C8: _malloc.LIBCMT ref: 002F58E2

Strings

xD7, xrefs: 0026A1FE

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3_malloc
String ID: xD7
API String ID: 2346879263-2299252724
Opcode ID: bf7422808ca286e7a200843d6c1aff50e9ba1524bb4dfccd0fde84241b876290
Instruction ID: cd1529503a9fd587c2b7016a7ed1e0e48d369a5cfba617f0d8c6d9a0ab38c918
Opcode Fuzzy Hash: bf7422808ca286e7a200843d6c1aff50e9ba1524bb4dfccd0fde84241b876290
Instruction Fuzzy Hash: DF21DEB0965349DEDB62DFA8E9453AE7FF4BB05310F20806DE24CAB291C7744A80EF11

Function 002AD34C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 002335DE: __EH_prolog3.LIBCMT ref: 002335E5

RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,?,00000000,?,000000DC), ref: 002AD3AB

Strings

[SystemFolder]msi.dll, xrefs: 002AD363

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ExceptionH_prolog3Raise
String ID: [SystemFolder]msi.dll
API String ID: 741760457-3188911305
Opcode ID: f8167cd31f8d9dbbf70f257829e4f1532d8a13ecb8a205c654dafee973ea71b0
Instruction ID: efb9777934d9c9f9360d5e9bd838c4fa82e3792ead7f2ff003928339eecd7e54
Opcode Fuzzy Hash: f8167cd31f8d9dbbf70f257829e4f1532d8a13ecb8a205c654dafee973ea71b0
Instruction Fuzzy Hash: 1A0148B292022AEBCF10EB95CC468DEBB7CEF05710B404166B202A3101DB70AA25CFE1

Function 00280D96 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00280D9D

Part of subcall function 002D9E83: __EH_prolog3.LIBCMT ref: 002D9E8A

Part of subcall function 002D40D6: __EH_prolog3.LIBCMT ref: 002D40DD

Strings

tX3, xrefs: 00280DB9

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3
String ID: tX3
API String ID: 431132790-1628155860
Opcode ID: ff376408c56041e4f0892055419d3518a2c51b9e5338d67a139eb66b5f4ec82d
Instruction ID: 8ed7bc442c6f555db374ff12dbfbf07dd12a97f2fe2389925d4e28b0bbe61a5f
Opcode Fuzzy Hash: ff376408c56041e4f0892055419d3518a2c51b9e5338d67a139eb66b5f4ec82d
Instruction Fuzzy Hash: D1011AB4401748DFC711DFA9C2046CAFBF8AF51304F15C99BD9999B3A1C3B1AA04CB51

Function 00239A7E Relevance: 3.2, APIs: 2, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00239A85
std::_String_base::_Xlen.LIBCPMT ref: 00239AC5

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3_catchString_base::_Xlenstd::_
String ID:
API String ID: 2420811286-0
Opcode ID: 5a2e7def17b9a1caba79076d47e3fa7e8bff8e9f9d0ee797d149f73fc5a4d1b0
Instruction ID: 90a9134220d8d178aeb92c17a783e1fd152293ad62a341609b9d1ab6d5c1de41
Opcode Fuzzy Hash: 5a2e7def17b9a1caba79076d47e3fa7e8bff8e9f9d0ee797d149f73fc5a4d1b0
Instruction Fuzzy Hash: 676132B1A1020A9FCF09CF68C9815AEBBB1FF49310F148669E9059B355D770EE61CFA1

Function 002A8B78 Relevance: 3.1, APIs: 2, Instructions: 108fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000,?,?,?,00000000,?,?), ref: 002A8C49
GetLastError.KERNEL32 ref: 002A8C53

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: 5b2f8627a36dd5f5ad1efff516b9c18f88bd94c27e007caed1c95918209e3bff
Instruction ID: 0609f5045d5e544e36b931f8d825b920c045816a82bc003e57734c95bef54447
Opcode Fuzzy Hash: 5b2f8627a36dd5f5ad1efff516b9c18f88bd94c27e007caed1c95918209e3bff
Instruction Fuzzy Hash: 4731077192110AABCF29DFA4C8859EDB7BAAF06314F140817E541E3161CF30EEA4CF65

Function 0023150F Relevance: 3.1, APIs: 2, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00231516
char_traits.LIBCPMT ref: 002315C2

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3_catchchar_traits
String ID:
API String ID: 1964944973-0
Opcode ID: 38cc8e30f8eb15965d1f5e99066ca11dc811b64261f06f658f41587756fb2e8f
Instruction ID: b8329cfed22ac4efeced52aa641297a9300ab79c205550bdbff6eaae0616e471
Opcode Fuzzy Hash: 38cc8e30f8eb15965d1f5e99066ca11dc811b64261f06f658f41587756fb2e8f
Instruction Fuzzy Hash: 241160B1D1010AABCF14DF6484815AEB7B6BB94310F64861AE526A7280C771AEB0DFD0

Function 002873C0 Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

std::_String_base::_Xlen.LIBCPMT ref: 002873CD

Part of subcall function 002F34E0: __EH_prolog3.LIBCMT ref: 002F34E7
Part of subcall function 002F34E0: __CxxThrowException@8.LIBCMT ref: 002F3512

std::_String_base::_Xlen.LIBCPMT ref: 002873DC

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: String_base::_Xlenstd::_$Exception@8H_prolog3Throw
String ID:
API String ID: 1336181293-0
Opcode ID: ac03250cf413f510f4f340bf756517e92ff6ee17eb07fd06586a4f37c7a8f7df
Instruction ID: 9b8bf04a27ce2cbb48d9385ad1a50858893eb6f7cf750e6079d3052cdbaf5a5d
Opcode Fuzzy Hash: ac03250cf413f510f4f340bf756517e92ff6ee17eb07fd06586a4f37c7a8f7df
Instruction Fuzzy Hash: F311943232D6108A8621FB1DE44095BF3F5EFE4760721492FF4A6C7690DB60E855C7D6

Function 002BF851 Relevance: 3.1, APIs: 2, Instructions: 58COMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,?), ref: 002BF883

Part of subcall function 002335DE: __EH_prolog3.LIBCMT ref: 002335E5

SetWindowTextW.USER32(?,?), ref: 002BF8D6

Part of subcall function 00235A6E: __EH_prolog3.LIBCMT ref: 00235A75

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3TextWindow
String ID:
API String ID: 1221465820-0
Opcode ID: d39d6bb07ba448679ed31668c669f71cbfbefe686b6196010e7fcea373dfe57f
Instruction ID: 8189fb80e73801635d8d818cd0c590d72d6161bc3467cb2cb0dbd18c31ebaab8
Opcode Fuzzy Hash: d39d6bb07ba448679ed31668c669f71cbfbefe686b6196010e7fcea373dfe57f
Instruction Fuzzy Hash: 6711F8B6520119ABCF15EF94CD86CCE7BACAF04380B044061F9099B126EB31EFA5DB90

Function 002B82F0 Relevance: 3.1, APIs: 2, Instructions: 55registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000001,?,00000000,00020019,?), ref: 002B8311
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000,00020019,?), ref: 002B8335

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: InfoOpenQuery
String ID:
API String ID: 165108877-0
Opcode ID: 208bc013f60948a38a0ada204fff2899213c19d4d6374c323d9be1f628d1dd77
Instruction ID: 7cf7f99158fac80204130b0e282dfec546005de81dd6c52679002a1bb3cd70b3
Opcode Fuzzy Hash: 208bc013f60948a38a0ada204fff2899213c19d4d6374c323d9be1f628d1dd77
Instruction Fuzzy Hash: CF018172220108BFEB149BA4AC85DFB77ECEB04BD4F1008A9F605E2101EAA09D54DA71

Function 002AAB32 Relevance: 3.0, APIs: 2, Instructions: 49COMMON

Download Yara Rule

APIs

EnableWindow.USER32 ref: 002AAB88

Part of subcall function 002AD897: GetSystemMetrics.USER32(0000000C), ref: 002AD8AD
Part of subcall function 002AD897: GetSystemMetrics.USER32(0000000B), ref: 002AD8B2
Part of subcall function 002AD897: LoadImageW.USER32(00230000,00000080,00000001,00000000,?,?), ref: 002AD8C4
Part of subcall function 002AD897: SendMessageW.USER32(000000FF,00000080,00000001,00000000), ref: 002AD8D8
Part of subcall function 002AD897: GetSystemMetrics.USER32(00000032), ref: 002AD8E7
Part of subcall function 002AD897: GetSystemMetrics.USER32(00000031), ref: 002AD8EC
Part of subcall function 002AD897: LoadImageW.USER32(?,00000080,00000001,00000000,?,?), ref: 002AD8F6
Part of subcall function 002AD897: SendMessageW.USER32(000000FF,00000080,00000000,00000000), ref: 002AD900

Part of subcall function 002AAC5A: GetDlgItem.USER32(?,00000002), ref: 002AAC6D
Part of subcall function 002AAC5A: GetWindowRect.USER32(00000000,?), ref: 002AAC85
Part of subcall function 002AAC5A: ShowWindow.USER32(?,?,?,?,?,?,?,?,00000003), ref: 002AAC9A
Part of subcall function 002AAC5A: GetDlgItem.USER32(?,000003E9), ref: 002AACA8
Part of subcall function 002AAC5A: GetWindowRect.USER32(00000000,?), ref: 002AACBE

Part of subcall function 0024D493: GetWindowLongW.USER32(000000FF,000000F0), ref: 0024D4A9
Part of subcall function 0024D493: GetParent.USER32(000000FF), ref: 0024D4BF
Part of subcall function 0024D493: GetWindowRect.USER32(000000FF,00000000), ref: 0024D4D6
Part of subcall function 0024D493: GetWindowLongW.USER32(00000000,000000F0), ref: 0024D4F1
Part of subcall function 0024D493: MonitorFromWindow.USER32(000000FF,00000002), ref: 0024D516

DestroyWindow.USER32(?), ref: 002AAB9C

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Window$MetricsSystem$Rect$ImageItemLoadLongMessageSend$DestroyEnableFromMonitorParentShow
String ID:
API String ID: 1028870786-0
Opcode ID: e3c54bc93def90b13b75f4c9d7e5818ec4c09cd31b0e4f7185ef8c575c73d75c
Instruction ID: 104f39291b1b8efe5a4487ebcb8827caac616da47a976779ef001d51be2ffc6d
Opcode Fuzzy Hash: e3c54bc93def90b13b75f4c9d7e5818ec4c09cd31b0e4f7185ef8c575c73d75c
Instruction Fuzzy Hash: 2C01F5714243099FDB216F24C8069A677A9EF22329F008D29F95291050DBB59860DF76

Function 002BF7CD Relevance: 3.0, APIs: 2, Instructions: 36COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002BF7ED
EndDialog.USER32(?,00000001), ref: 002BF80B

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: DialogUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 179010667-0
Opcode ID: 3314ad65afcc35b55eafb5df074dc1d341d185568064859493d0c53af932868d
Instruction ID: 1f146a3b08e4df6fd7d1bea745e8a56910b8d5def5d20077b65cc70b4133100a
Opcode Fuzzy Hash: 3314ad65afcc35b55eafb5df074dc1d341d185568064859493d0c53af932868d
Instruction Fuzzy Hash: 4EF03C75020714ABD234AB25EC45FD7B7F9AF95B10F044A2DF0C293151DBA0B868CBA1

Function 002AD7F6 Relevance: 3.0, APIs: 2, Instructions: 33threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00277D22: CreateEventW.KERNEL32(00000000,00000000,00000000,?,?,?,002719B0,Caphyon.AI.ExtUI.IEClickSoundRemover,?,?,?,?), ref: 00277D30
Part of subcall function 00277D22: GetLastError.KERNEL32(?,?), ref: 00277D42

SetEvent.KERNEL32(003746AC,?,?,00000000,?,002A2675,00000003,?,00000000,?,?,Advinst_,?,?,00000008,00000007), ref: 002AD813
CreateThread.KERNELBASE(00000000,00000000,Function_0007D863,003746A8,00000000,?), ref: 002AD82F

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CreateEvent$ErrorLastThread
String ID:
API String ID: 387812677-0
Opcode ID: 0f7df1ea62513cced4506bb38e7892912a2832c9dd5762124cf0a6cf43deb6cd
Instruction ID: 1d962e43e4868f39c676984af6d4bd2bf0dc6a2f4c9a7b9ddf6abf261fe688f0
Opcode Fuzzy Hash: 0f7df1ea62513cced4506bb38e7892912a2832c9dd5762124cf0a6cf43deb6cd
Instruction Fuzzy Hash: 94F0A075520205BFAB109F65DC48CB77FACDE423A07058435F90AD7511EA35AC66CBA0

Function 002BD484 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

Part of subcall function 002BD624: CloseHandle.KERNELBASE(-00000003,?,002BE2D3,?,?,?,002BE220,?,?,?,?,?,002BE2FA), ref: 002BD632

FreeLibrary.KERNELBASE(00000000,00000000,00000078,00000000,002AA0DD,00000000,?), ref: 002BD4A8
CloseHandle.KERNEL32(00000000,00000000,00000078,00000000,002AA0DD,00000000,?), ref: 002BD4D9

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CloseHandle$FreeLibrary
String ID:
API String ID: 736098846-0
Opcode ID: 018d8311101a88a7e29695bc2768e7a9615491c75a9b9fa5e1b0b59a3ce5ebb7
Instruction ID: 184d25f6d972241e8aea3e6211c66ca340b2d3b07ae9356504ea90653f814393
Opcode Fuzzy Hash: 018d8311101a88a7e29695bc2768e7a9615491c75a9b9fa5e1b0b59a3ce5ebb7
Instruction Fuzzy Hash: F2F0DAB59012429BDB229FA9EDC4585B7BCF744355B51093EE64CC3222D73078E4CB50

Function 002AACF5 Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

Part of subcall function 00233684: GetCurrentProcess.KERNEL32(00000000,0000000D,00000000,00000000,0034F82C,?,0023360F,80004005,00235A87,00000000,002BE292,?,?,00000000,?), ref: 002336B8
Part of subcall function 00233684: FlushInstructionCache.KERNEL32(00000000,?,0023360F,80004005,00235A87,00000000,002BE292,?,?,00000000,?,?,?,?,002BE220), ref: 002336BF

SetLastError.KERNEL32(0000000E,00000000,?,00000000,002B1118,00000000,?,002B10D5,?,?,?,?,?,?,?,002A26C4), ref: 002AAD0B
CreateDialogParamW.USER32(000000C9,?,0024D1F7,00000000,00000000), ref: 002AAD31

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CacheCreateCurrentDialogErrorFlushInstructionLastParamProcess
String ID:
API String ID: 2579392824-0
Opcode ID: 8a17d9a78e2f83bc55f05cffc0f6080c7e8405b19384fb5648981107af2c7802
Instruction ID: 5ade449c9d51bc8e8c5776ecdeecf37364cbe152ba43210158ac730b30807258
Opcode Fuzzy Hash: 8a17d9a78e2f83bc55f05cffc0f6080c7e8405b19384fb5648981107af2c7802
Instruction Fuzzy Hash: 13E026362202017BD7115B30AC0AF8626689F99B01F004D15FB06E9092CBA08465CA61

Function 002AAC30 Relevance: 3.0, APIs: 2, Instructions: 8COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 002AAC38
SetWindowTextW.USER32(00000000,?), ref: 002AAC45

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ItemTextWindow
String ID:
API String ID: 2478532303-0
Opcode ID: 7b07859c147282f6a42258b44fce1b5407d5a58595facb8e1549189b6f2a7d5d
Instruction ID: 2b70d1329d7b7246e60e0a2b0c9efdb0267c9cf2b6dedd7317a940ae931e3627
Opcode Fuzzy Hash: 7b07859c147282f6a42258b44fce1b5407d5a58595facb8e1549189b6f2a7d5d
Instruction Fuzzy Hash: 3EC04C79500200EFCB029BA0DE8ED097BBDAB64701F058455F506C61F0C7318410DB10

Function 002FB676 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCorExitProcess.LIBCMT ref: 002FB67E

Part of subcall function 002FB64B: GetModuleHandleW.KERNEL32(mscoree.dll,?,002FB683,?,?,002F5692,000000FF,0000001E,?,002FC40D,?,00000001,?,?,002FF314,00000018), ref: 002FB655
Part of subcall function 002FB64B: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 002FB665

ExitProcess.KERNEL32 ref: 002FB687

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 9e30f9b33e2c253d4086dda683bfd65ec1a6775343c6b7d53ea25f3ef1d8e9c3
Instruction ID: f80a64cdd35e4c4d1d5562eb34a38adcf6aeb97f349dfb8db3665e787ecba7b5
Opcode Fuzzy Hash: 9e30f9b33e2c253d4086dda683bfd65ec1a6775343c6b7d53ea25f3ef1d8e9c3
Instruction Fuzzy Hash: 9FB0923500010CBBCB022F22ED0A85EBF2EEB857A0F148020F90889031DF72ADA39A84

Function 0024D126 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,00000000,?), ref: 0024D1B3

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 61df7c6ec67b69057c08ac7fedfe614186ff9c021dc1599f1211e64a79b72983
Instruction ID: b127454fb85203bef381afd86089c400283c2fc0b4efe8aa5a72f01df008de95
Opcode Fuzzy Hash: 61df7c6ec67b69057c08ac7fedfe614186ff9c021dc1599f1211e64a79b72983
Instruction Fuzzy Hash: 04218B35520706AFCB39CF55C8C499EBBF5EF48710F10481AEC8E82660C371EAA0DBA1

Function 002BD566 Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,?,002A9C4F,00000000,00000000,00000000,?,00000000), ref: 002BD586

Part of subcall function 0024EF01: CloseHandle.KERNEL32(00000000,002B19F6), ref: 0024EF0C

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID:
API String ID: 3498533004-0
Opcode ID: db7ab044dc2f5ff21b9efe255b7cce892df312c6e8c30a97274a332984a79c33
Instruction ID: 6340df532a27db9b278b0d9d934b3cd44e878b9f48ed47c05ad40e5721964293
Opcode Fuzzy Hash: db7ab044dc2f5ff21b9efe255b7cce892df312c6e8c30a97274a332984a79c33
Instruction Fuzzy Hash: 7B210E75610208DFCB20DF68D885B8A7BE8EF48350F10406AFD09EB356E730E9618BE4

Function 002BE1A6 Relevance: 1.6, APIs: 1, Instructions: 64synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,002BE2FA), ref: 002BE1BA

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ObjectSingleWait
String ID:
API String ID: 24740636-0
Opcode ID: 23df99cdb3f2de3c556d260dce6111c345e215b5dde352bf1bc112040ce24df2
Instruction ID: 607f2003695d65b461309e3bb2f7be44037d388335ded59380b7b1be8035e4cd
Opcode Fuzzy Hash: 23df99cdb3f2de3c556d260dce6111c345e215b5dde352bf1bc112040ce24df2
Instruction Fuzzy Hash: 57214D351242029FCB11DF18C884A9AB7E9FF853A1F1A8558FC998B3A1DB30EC60CF51

Function 00299E00 Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00299E90: _wcschr.LIBCMT ref: 00299F5A
Part of subcall function 00299E90: _wcschr.LIBCMT ref: 00299F86

PathFileExistsW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,002BE1E8,00000000,?), ref: 00299E3A

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: _wcschr$ExistsFilePath
String ID:
API String ID: 1536353879-0
Opcode ID: 971bf53903ec5dabdbcac9d6f592604451ad3ac61977a8e2c4ba2e14aa4dd4f6
Instruction ID: cd842247fd97c3fc36fce58af4e8305fae6699ab031e7dde905cfe2bbef33c38
Opcode Fuzzy Hash: 971bf53903ec5dabdbcac9d6f592604451ad3ac61977a8e2c4ba2e14aa4dd4f6
Instruction Fuzzy Hash: 7C0156B6108A419FD305CF28CC85B56B7A9FB89730F548B2AF469CB2E0D735A805CA91

Function 00231604 Relevance: 1.5, APIs: 1, Instructions: 39COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_String_base::_Xlen.LIBCPMT ref: 00231614

Part of subcall function 002F34E0: __EH_prolog3.LIBCMT ref: 002F34E7
Part of subcall function 002F34E0: __CxxThrowException@8.LIBCMT ref: 002F3512

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Exception@8H_prolog3String_base::_ThrowXlenstd::_
String ID:
API String ID: 1675473389-0
Opcode ID: 2d0944450403dcb617543df6c90203fb68f9b87baa3850c983f6a6cd8aafa441
Instruction ID: 47a44ddef85a7daf257b428cc1683cfd1e2d5e97d4db0113dc60444fc5d68f89
Opcode Fuzzy Hash: 2d0944450403dcb617543df6c90203fb68f9b87baa3850c983f6a6cd8aafa441
Instruction Fuzzy Hash: 57F0E9F17345105ACB31A9A9880363FA6EE8FE0760F1D0E1FF45383280CE7098758D56

Function 002BFF19 Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0033414C,00000000,00000001,0033412C,00000000,?,?,002B3ACA,00000000,002A55A0,00000000,?,?,002A55A0), ref: 002BFF33

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 9957338ea2692f262772e85db37a6df566ed7e770e2a9126444256eb7da17d67
Instruction ID: 9406a048605d2537f33b13d7edf1d57d195f118ab530467d00940eaedbe8807a
Opcode Fuzzy Hash: 9957338ea2692f262772e85db37a6df566ed7e770e2a9126444256eb7da17d67
Instruction Fuzzy Hash: 4AF01D70650205BFDF00CFA5CD89FAA77ADEF4A745F1444A4F405DB181DA75E942DB20

Function 00234F65 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,5400001C,-00000004,?,?,?,?,?,00000000,002BA60C,00000000,-00000004), ref: 00234FA5

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 3b206ef6a4d999e6c208ebe1f8eb6ff9a6ec4ee3ae2e87e7c7e622de5e0a9140
Instruction ID: 552b8df2ba8863ef1e3cce51e49ec753006615179dffb10020b7b2e83db16970
Opcode Fuzzy Hash: 3b206ef6a4d999e6c208ebe1f8eb6ff9a6ec4ee3ae2e87e7c7e622de5e0a9140
Instruction Fuzzy Hash: 47F0F436210209AFDB16CF98DD05EAA3BBAEB48350F058155FD0897231D631EC20DB90

Function 002BCBE9 Relevance: 1.5, APIs: 1, Instructions: 27fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(000000FF,?,?,?,00000000,?,002BCAD1,?,?,?,CLOSE,00000000,?,?,?,002BCE90), ref: 002BCC0F

Part of subcall function 00233634: __EH_prolog3.LIBCMT ref: 0023363B

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: FileH_prolog3Write
String ID:
API String ID: 3581554285-0
Opcode ID: faab342ccd3df09a3f737632eb36ea355f9db2dbf77492bbad0e7694ddba7d39
Instruction ID: 6e7dd1380bf572372f8ff331dc103ba4c6256a9f95fb966b9e1398d38ebaae11
Opcode Fuzzy Hash: faab342ccd3df09a3f737632eb36ea355f9db2dbf77492bbad0e7694ddba7d39
Instruction Fuzzy Hash: A4E06D34220205BFDB01DE10CC86EFD776DAB547A1F10C118FA298A2A0CBB0D961DB61

Function 00231774 Relevance: 1.5, APIs: 1, Instructions: 27COMMONLIBRARYCODE

Download Yara Rule

APIs

char_traits.LIBCPMT ref: 00231799

Part of subcall function 0023173A: _wmemcpy_s.LIBCPMT ref: 00231749

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: _wmemcpy_schar_traits
String ID:
API String ID: 2735312651-0
Opcode ID: 3477b1569e704e2b031c4a605815bfb2a7058ade1a68c155c5beeeccb18d451e
Instruction ID: 24c4fba1be3ec67f0f4aa30ce46146080a244c3e5a080a382529b6912691fcd2
Opcode Fuzzy Hash: 3477b1569e704e2b031c4a605815bfb2a7058ade1a68c155c5beeeccb18d451e
Instruction Fuzzy Hash: 24E06571924340AED730AA15CC45B1BF7EDAF91714F188D1EF09452291C774E478CF92

Function 002938B0 Relevance: 1.5, APIs: 1, Instructions: 27threadCOMMON

Download Yara Rule

APIs

Part of subcall function 002F58C8: _malloc.LIBCMT ref: 002F58E2

CreateThread.KERNELBASE(00000000,00000000,Function_00063900,00000000,00000000,00000000), ref: 002938D9

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CreateThread_malloc
String ID:
API String ID: 3334740953-0
Opcode ID: 8b63dfc479ef4fa9424f69dd2259b6e45cef588e1b20a4e0df926c4ed77654b2
Instruction ID: 698a9dcf71870688a7328ab4e15aabb109a178b0671845e7bf422dcd4a2a2244
Opcode Fuzzy Hash: 8b63dfc479ef4fa9424f69dd2259b6e45cef588e1b20a4e0df926c4ed77654b2
Instruction Fuzzy Hash: 54E0D87178071167D720DF186C06F077A90DFC1B60F150438F348DB3C0D960E8248B96

Function 0027881F Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 00278858

Part of subcall function 002F58C8: _malloc.LIBCMT ref: 002F58E2

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Exception@8Throw_malloc
String ID:
API String ID: 3476970888-0
Opcode ID: ec7e3fa09e77ccbc1c9d48b713aa7c8365d075438f4b3fa0cb5ed25259805dad
Instruction ID: 1227e2ee2d005b51a9d2a966b929f9db736b10f3214ae8ed90e2d8c8e8a56ecd
Opcode Fuzzy Hash: ec7e3fa09e77ccbc1c9d48b713aa7c8365d075438f4b3fa0cb5ed25259805dad
Instruction Fuzzy Hash: 9FE0CD70B6021C25DB0CB574AC1AB5D735C4B44790F504A39F731E10C1DF74D5354495

Function 002AA8CD Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

EnumResourceLanguagesW.KERNEL32(?,00000010,00000001,002AA913,?), ref: 002AA8E7

Part of subcall function 002AAA2D: _calloc.LIBCMT ref: 002AAA4A

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: EnumLanguagesResource_calloc
String ID:
API String ID: 2028956777-0
Opcode ID: c0b581ff65386170301ac4e209f6f38b10ef90415c207e8fb310f3dcbc961739
Instruction ID: d07947c7fde6409d638ba9e18849c0370615bf76f37a3529e607d51fe1307fb6
Opcode Fuzzy Hash: c0b581ff65386170301ac4e209f6f38b10ef90415c207e8fb310f3dcbc961739
Instruction Fuzzy Hash: 3AE09230A207456BCB70A724DD86B8BBBF4AF42714F50046DB493529A2DFB0F669CA51

Function 002FFE81 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 002FFE96

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 90258acf1930bfb605aa84ef51c725acb0aec5b4f44334d267e04fbb9ab9ddff
Instruction ID: cc427eda2fcb7e31d9538b0d7e341fdc1390b6062d7a3aa660c14942a1cc04ca
Opcode Fuzzy Hash: 90258acf1930bfb605aa84ef51c725acb0aec5b4f44334d267e04fbb9ab9ddff
Instruction Fuzzy Hash: 35D0A772A943495EDB219F717C087333BDCD7843E5F004436B90CC61A0F674C590DA80

Function 002A9F06 Relevance: 1.5, APIs: 1, Instructions: 19fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000,?,?,002A3E6F,000000FF,00000000,?,?,000000FF), ref: 002A9F23

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: f3c88c0d87580cf0ee3fcc654c46b7da520ffa9e481b59e6bd1bcb751f32d2fa
Instruction ID: 47bf2fb8050a4c0b5f636a439aa059505bf8d9bb3e16b00f1b1fe34b0155e82d
Opcode Fuzzy Hash: f3c88c0d87580cf0ee3fcc654c46b7da520ffa9e481b59e6bd1bcb751f32d2fa
Instruction Fuzzy Hash: E1E08C32220425ABCB06AA28ED817CDF324BB05300F024A22E827F30208A3028A98BD0

Function 0027C2A3 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0027C2AA

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: a377b42481097ba1c46005719542a70be423c48474eef60c1a3e39edde533cea
Instruction ID: 59657bd14b2cf6ee9a9f06fab69735c314f723207dfa60462f158185fe091c98
Opcode Fuzzy Hash: a377b42481097ba1c46005719542a70be423c48474eef60c1a3e39edde533cea
Instruction Fuzzy Hash: B8E086317E57088BD726BFF4DA5F35876945701726F308A64EA15D10E3CF7845D08A00

Function 002B835E Relevance: 1.5, APIs: 1, Instructions: 16registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000001,?,00000000,00020019,0000000C,00000004,?,002B8355,?,?,00000000,00020019,?), ref: 002B8387

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 7da08693ddde21f4081df1863707163755e2e24ccfc2e1c8f58621398922126c
Instruction ID: acfa571e62012b741e60663a959b51a096b2656f73245db396f507557dfb6fbd
Opcode Fuzzy Hash: 7da08693ddde21f4081df1863707163755e2e24ccfc2e1c8f58621398922126c
Instruction Fuzzy Hash: 2DD017B9100301AFD3218F54DC85F87F7E8EB08B00F10881EBA8AD6201E770A890CBA0

Function 0027BD59 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0027BD60

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3_catch
String ID:
API String ID: 3886170330-0
Opcode ID: 9a70a9ba6d9fb4b9aab7056129458dd9ad5477942f87214746974b866359ce57
Instruction ID: e846f1c143bebc8db1d25f8b0b47580317a934a9090f5ce179d3de309e1f09f6
Opcode Fuzzy Hash: 9a70a9ba6d9fb4b9aab7056129458dd9ad5477942f87214746974b866359ce57
Instruction Fuzzy Hash: 0FE0177651124CEBDB05EF68D90279CB7A1AF043A0F7082A8F6245B2E0C7759FA4DF24

Function 00249693 Relevance: 1.5, APIs: 1, Instructions: 14COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0024969A

Part of subcall function 002D07CA: __EH_prolog3.LIBCMT ref: 002D07D1

Part of subcall function 0024AF59: __EH_prolog3.LIBCMT ref: 0024AF60

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: b5ca1ee69766e464df8dc53049b9a77acbe5873021418cb7fe2e504ea44a6edf
Instruction ID: 9bbe1e0375f0c5d00a10b60c240074e6541d92c3f119719184996ceb88b40eaa
Opcode Fuzzy Hash: b5ca1ee69766e464df8dc53049b9a77acbe5873021418cb7fe2e504ea44a6edf
Instruction Fuzzy Hash: 79D05E7292121CA6DB04E7E48A4678DB264AF10761F184260BA146B181C730AB209FA5

Function 00234F03 Relevance: 1.5, APIs: 1, Instructions: 11COMMONLIBRARYCODE

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00234F0A

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: b4d55bc8f1c94daf3cada8066d14704434df6365b60056fbbf7cf0031e583e6d
Instruction ID: 8f0f94d365ddf06ad0d38b6f44a5674d4d54e3d901800510a2eafa204e1a524e
Opcode Fuzzy Hash: b4d55bc8f1c94daf3cada8066d14704434df6365b60056fbbf7cf0031e583e6d
Instruction Fuzzy Hash: D2C08C720082202A49153210980187FAA49DB84270F00881AB848012108A718CA08891

Function 002FB892 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

_doexit.LIBCMT ref: 002FB89E

Part of subcall function 002FB766: __lock.LIBCMT ref: 002FB774
Part of subcall function 002FB766: __decode_pointer.LIBCMT ref: 002FB7AB
Part of subcall function 002FB766: __decode_pointer.LIBCMT ref: 002FB7C0
Part of subcall function 002FB766: __decode_pointer.LIBCMT ref: 002FB7EA
Part of subcall function 002FB766: __decode_pointer.LIBCMT ref: 002FB800
Part of subcall function 002FB766: __decode_pointer.LIBCMT ref: 002FB80D
Part of subcall function 002FB766: __initterm.LIBCMT ref: 002FB83C
Part of subcall function 002FB766: __initterm.LIBCMT ref: 002FB84C

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: e5b6d48fc4bcd6c73f9190603badbdeebea3ec1b4a34324f14f61f4840931fe9
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: 3FB0923358020C73DA212552EC03F56BB0A87C0BA0E640020BA0C191A2AAA2AA61888A

Function 002F27F4 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002F2801

Part of subcall function 002F2A80: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002F2AF9

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 466410340234b1b8cac9f0f01574f3c9a4a5232480c497420dce6710b590ead9
Instruction ID: ee056ac6cfde56c739c4e76d422d7a88e77bd5bb9f6452ae369627675a58afc2
Opcode Fuzzy Hash: 466410340234b1b8cac9f0f01574f3c9a4a5232480c497420dce6710b590ead9
Instruction Fuzzy Hash: A2A00295179107FC3115A2515D46C76911CC5C1B513309529FA5194085588058A914B5

Function 002F2825 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002F2801

Part of subcall function 002F2A80: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002F2AF9

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: d003cb28e79b55da8efd5a719c2bc073d3293e20001757094118e7c7e51c5153
Instruction ID: 74d684925958e059724120c4f621f8c24de9e04ae3e7fcca0e0e7f879925bbdb
Opcode Fuzzy Hash: d003cb28e79b55da8efd5a719c2bc073d3293e20001757094118e7c7e51c5153
Instruction Fuzzy Hash: 2CA0029517D107FC3115A2515D06C76911CC5C5B913309529FA5294085548058A91475

Function 002F2835 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002F2801

Part of subcall function 002F2A80: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002F2AF9

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: be2121193e7884b7a64cfb6b7a731c6261c5e5cb2fc61b07cd378b6c07106341
Instruction ID: 74d684925958e059724120c4f621f8c24de9e04ae3e7fcca0e0e7f879925bbdb
Opcode Fuzzy Hash: be2121193e7884b7a64cfb6b7a731c6261c5e5cb2fc61b07cd378b6c07106341
Instruction Fuzzy Hash: 2CA0029517D107FC3115A2515D06C76911CC5C5B913309529FA5294085548058A91475

Function 002F2815 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002F2801

Part of subcall function 002F2A80: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002F2AF9

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 51a4a0e65dddf0c5dfba6c0b243e7731e72366f1d60efc4ed4d614717f34d555
Instruction ID: 74d684925958e059724120c4f621f8c24de9e04ae3e7fcca0e0e7f879925bbdb
Opcode Fuzzy Hash: 51a4a0e65dddf0c5dfba6c0b243e7731e72366f1d60efc4ed4d614717f34d555
Instruction Fuzzy Hash: 2CA0029517D107FC3115A2515D06C76911CC5C5B913309529FA5294085548058A91475

Function 002F2865 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002F2801

Part of subcall function 002F2A80: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002F2AF9

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: eb0dd9b838fe162db6735f990a92028ca23d42573207bc32e491db31058b8367
Instruction ID: 74d684925958e059724120c4f621f8c24de9e04ae3e7fcca0e0e7f879925bbdb
Opcode Fuzzy Hash: eb0dd9b838fe162db6735f990a92028ca23d42573207bc32e491db31058b8367
Instruction Fuzzy Hash: 2CA0029517D107FC3115A2515D06C76911CC5C5B913309529FA5294085548058A91475

Function 002F2875 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002F2801

Part of subcall function 002F2A80: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002F2AF9

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: cd9f73b9945b1721a86dcdaf84735e0e6752553ffc33207d50883bed65952d29
Instruction ID: 74d684925958e059724120c4f621f8c24de9e04ae3e7fcca0e0e7f879925bbdb
Opcode Fuzzy Hash: cd9f73b9945b1721a86dcdaf84735e0e6752553ffc33207d50883bed65952d29
Instruction Fuzzy Hash: 2CA0029517D107FC3115A2515D06C76911CC5C5B913309529FA5294085548058A91475

Function 002F2845 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002F2801

Part of subcall function 002F2A80: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002F2AF9

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 20007f2b492d517b3b19ab0e6114ba3f1228fb540072f56bd3d631155151fa51
Instruction ID: 74d684925958e059724120c4f621f8c24de9e04ae3e7fcca0e0e7f879925bbdb
Opcode Fuzzy Hash: 20007f2b492d517b3b19ab0e6114ba3f1228fb540072f56bd3d631155151fa51
Instruction Fuzzy Hash: 2CA0029517D107FC3115A2515D06C76911CC5C5B913309529FA5294085548058A91475

Function 002F2855 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002F2801

Part of subcall function 002F2A80: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002F2AF9

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 5547aa83dd7a36324a22d27ed9a4722894f609527a5563571d3b0e6132de2e92
Instruction ID: 74d684925958e059724120c4f621f8c24de9e04ae3e7fcca0e0e7f879925bbdb
Opcode Fuzzy Hash: 5547aa83dd7a36324a22d27ed9a4722894f609527a5563571d3b0e6132de2e92
Instruction Fuzzy Hash: 2CA0029517D107FC3115A2515D06C76911CC5C5B913309529FA5294085548058A91475

Function 002F28A5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002F2801

Part of subcall function 002F2A80: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002F2AF9

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 92f907e4307b797a50aaad1471b9571625b0ab1501d0966f7e579fc7748eee07
Instruction ID: 74d684925958e059724120c4f621f8c24de9e04ae3e7fcca0e0e7f879925bbdb
Opcode Fuzzy Hash: 92f907e4307b797a50aaad1471b9571625b0ab1501d0966f7e579fc7748eee07
Instruction Fuzzy Hash: 2CA0029517D107FC3115A2515D06C76911CC5C5B913309529FA5294085548058A91475

Function 002F28B5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002F2801

Part of subcall function 002F2A80: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002F2AF9

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: f4609bf7e26251f14e84026fa8740a4f4439802b678a0d6198b42873b1e7ff58
Instruction ID: 74d684925958e059724120c4f621f8c24de9e04ae3e7fcca0e0e7f879925bbdb
Opcode Fuzzy Hash: f4609bf7e26251f14e84026fa8740a4f4439802b678a0d6198b42873b1e7ff58
Instruction Fuzzy Hash: 2CA0029517D107FC3115A2515D06C76911CC5C5B913309529FA5294085548058A91475

Function 002F2885 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002F2801

Part of subcall function 002F2A80: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002F2AF9

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: bbbdd4d5b6575b07205ee2b03be35a510a5c588143004a2ff4e8125e5d12e2bc
Instruction ID: 74d684925958e059724120c4f621f8c24de9e04ae3e7fcca0e0e7f879925bbdb
Opcode Fuzzy Hash: bbbdd4d5b6575b07205ee2b03be35a510a5c588143004a2ff4e8125e5d12e2bc
Instruction Fuzzy Hash: 2CA0029517D107FC3115A2515D06C76911CC5C5B913309529FA5294085548058A91475

Function 002F2895 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002F2801

Part of subcall function 002F2A80: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002F2AF9

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 779cf1ffe4394e5c2215d13042f320a416ed5bc19025304e54e744869bb5308f
Instruction ID: 74d684925958e059724120c4f621f8c24de9e04ae3e7fcca0e0e7f879925bbdb
Opcode Fuzzy Hash: 779cf1ffe4394e5c2215d13042f320a416ed5bc19025304e54e744869bb5308f
Instruction Fuzzy Hash: 2CA0029517D107FC3115A2515D06C76911CC5C5B913309529FA5294085548058A91475

Function 002F28E5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002F2801

Part of subcall function 002F2A80: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002F2AF9

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 442ba09fceec8755993ff7a94414ba40589bb1842778eb90e87e7363cd5f0bdb
Instruction ID: 74d684925958e059724120c4f621f8c24de9e04ae3e7fcca0e0e7f879925bbdb
Opcode Fuzzy Hash: 442ba09fceec8755993ff7a94414ba40589bb1842778eb90e87e7363cd5f0bdb
Instruction Fuzzy Hash: 2CA0029517D107FC3115A2515D06C76911CC5C5B913309529FA5294085548058A91475

Function 002F28F5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002F2801

Part of subcall function 002F2A80: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002F2AF9

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: dce44b1c8ac534526c898113fe7f5d478ba22695525fc13b4727ab6224cdcb2e
Instruction ID: 74d684925958e059724120c4f621f8c24de9e04ae3e7fcca0e0e7f879925bbdb
Opcode Fuzzy Hash: dce44b1c8ac534526c898113fe7f5d478ba22695525fc13b4727ab6224cdcb2e
Instruction Fuzzy Hash: 2CA0029517D107FC3115A2515D06C76911CC5C5B913309529FA5294085548058A91475

Function 002F28C5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002F2801

Part of subcall function 002F2A80: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002F2AF9

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: 70c601b570fda85b4495a8daf2dc3b76f64a4da46a19d779de3cf9fddb7a4cb1
Instruction ID: 74d684925958e059724120c4f621f8c24de9e04ae3e7fcca0e0e7f879925bbdb
Opcode Fuzzy Hash: 70c601b570fda85b4495a8daf2dc3b76f64a4da46a19d779de3cf9fddb7a4cb1
Instruction Fuzzy Hash: 2CA0029517D107FC3115A2515D06C76911CC5C5B913309529FA5294085548058A91475

Function 002F28D5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 002F2801

Part of subcall function 002F2A80: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 002F2AF9

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID:
API String ID: 123106877-0
Opcode ID: f4442b8ef1a5397fcabe6ff65e82187ff4b0c7267651b1eaa4731fd56921bc4c
Instruction ID: 74d684925958e059724120c4f621f8c24de9e04ae3e7fcca0e0e7f879925bbdb
Opcode Fuzzy Hash: f4442b8ef1a5397fcabe6ff65e82187ff4b0c7267651b1eaa4731fd56921bc4c
Instruction Fuzzy Hash: 2CA0029517D107FC3115A2515D06C76911CC5C5B913309529FA5294085548058A91475

Function 002F2E70 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 002F2E7D

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 792fa663716d2f3e1023c0e24db57fb27546fd2387619519decfb5a877afa5d4
Instruction ID: 31fd46e816812a7951a28273cd01eaddcc12cacd8085b6b45e3b2335ef810570
Opcode Fuzzy Hash: 792fa663716d2f3e1023c0e24db57fb27546fd2387619519decfb5a877afa5d4
Instruction Fuzzy Hash: 40C09B36044108B7C7111B41DC05F46BF1DD795750F14C011F608450618773D431D694

Function 002495D5 Relevance: 1.5, APIs: 1, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002495DC

Part of subcall function 00249693: __EH_prolog3.LIBCMT ref: 0024969A

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 93ae32313f086ee5837f288d52491bba106ac553a8f2f02b83572ac860fe1a80
Instruction ID: 77ff33a2b732a46f5383f27491085ee4370af8cb5530eeb23edb9f43e00f0cea
Opcode Fuzzy Hash: 93ae32313f086ee5837f288d52491bba106ac553a8f2f02b83572ac860fe1a80
Instruction Fuzzy Hash: 9CC08C3812010DA9C609B6A48A03A4DB920AB103A0F208230B230280E1CB2006A18E10

Function 002A752F Relevance: 1.3, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 002A9F06: DeleteFileW.KERNELBASE(00000000,?,?,002A3E6F,000000FF,00000000,?,?,000000FF), ref: 002A9F23

Part of subcall function 002A75FE: DeleteFileW.KERNELBASE(00000000), ref: 002A768D
Part of subcall function 002A75FE: GetLastError.KERNEL32 ref: 002A7695
Part of subcall function 002A75FE: RemoveDirectoryW.KERNELBASE(00000000), ref: 002A76DF
Part of subcall function 002A75FE: GetLastError.KERNEL32 ref: 002A76E8

Part of subcall function 002335DE: __EH_prolog3.LIBCMT ref: 002335E5

CloseHandle.KERNEL32(00000000,?,?,0027E182,?,?,00000000,0027DF58,00000000,?,?,?,00000001,00000000,?,?), ref: 002A75BB

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: DeleteErrorFileLast$CloseDirectoryH_prolog3HandleRemove
String ID:
API String ID: 3098370020-0
Opcode ID: 87d0d1764ad72518d25cf35c70b5a84b9bf757801847d01b5a82667fff46c775
Instruction ID: 2964a1c0ffbbce34b50d2f58b6cb2c4f1983eabc412397221fb924def6a55048
Opcode Fuzzy Hash: 87d0d1764ad72518d25cf35c70b5a84b9bf757801847d01b5a82667fff46c775
Instruction Fuzzy Hash: AD11A271660902ABC609FF36CC52A98F764BF19300F81416AE51A53472EF307B39CFA0

Function 002BD624 Relevance: 1.3, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(-00000003,?,002BE2D3,?,?,?,002BE220,?,?,?,?,?,002BE2FA), ref: 002BD632

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: efd2a7bd8ead8c196bc861ee75551a33df3971569338188efc10faa0d0b81127
Instruction ID: 491903bcce0e1a97175c728101a037a81692722b655c293f7788a53518b46ae7
Opcode Fuzzy Hash: efd2a7bd8ead8c196bc861ee75551a33df3971569338188efc10faa0d0b81127
Instruction Fuzzy Hash: 80D05E7121120287DB214F38EC44AD273ACAF807A2F040848F854D2018EB24E990DAA0

Function 002BC990 Relevance: 1.3, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,002A3EC3,000000FF), ref: 002BC999

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 2ce00ed8c00bfc7cd76a745761e63c14e1a4cd7160e82cd8d8d8e2e7de4e8002
Instruction ID: af2984919ca50803dea88e71ee528ef860368683e623d929c995659a2807d2b6
Opcode Fuzzy Hash: 2ce00ed8c00bfc7cd76a745761e63c14e1a4cd7160e82cd8d8d8e2e7de4e8002
Instruction Fuzzy Hash: 4BD0C971020B009BC3299B65D848A66B7A4AB00371F208A09E17B818F0CB74B9658F00

Non-executed Functions

Function 0030645F Relevance: 66.4, APIs: 44, Instructions: 432COMMONLIBRARYCODE

Download Yara Rule

APIs

___getlocaleinfo.LIBCMT ref: 00306496
___getlocaleinfo.LIBCMT ref: 003064AB
___getlocaleinfo.LIBCMT ref: 003064C0
___getlocaleinfo.LIBCMT ref: 003064D5
___getlocaleinfo.LIBCMT ref: 003064ED
___getlocaleinfo.LIBCMT ref: 00306502
___getlocaleinfo.LIBCMT ref: 00306514
___getlocaleinfo.LIBCMT ref: 00306529
___getlocaleinfo.LIBCMT ref: 00306541
___getlocaleinfo.LIBCMT ref: 00306556

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ___getlocaleinfo
String ID:
API String ID: 1937885557-0
Opcode ID: 299729c7ea34d376af11e9129b6676d28c2e35ee94692d47b9de4bf62cb6efa5
Instruction ID: 356ab8734a0a18aa3d6a390ba85e2f4280a2fd957934a367aa25b43fee2d1f56
Opcode Fuzzy Hash: 299729c7ea34d376af11e9129b6676d28c2e35ee94692d47b9de4bf62cb6efa5
Instruction Fuzzy Hash: 42E1DFB390024EBEEB16DAF1CC51EFF77BEEB04744F04091AB255D6081EA75AA059B60

Function 002E18F3 Relevance: 42.7, APIs: 5, Strings: 19, Instructions: 710COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 002E1960

Strings

DATABASE, xrefs: 002E2256
`Sequence` > 0, xrefs: 002E204A
AI_RemoveTempFiles, xrefs: 002E2138
CLIENTPROCESSID, xrefs: 002E1966
`Sequence` < 0, xrefs: 002E1A14
ALLUSERS, xrefs: 002E1C61, 002E1FC1
#, xrefs: 002E23AE
ExecuteAction, xrefs: 002E1CB9
AiClearTemp, xrefs: 002E21D6
YES, xrefs: 002E1ABE
AI_TEMP_FILE_ROLLBACK_INFO, xrefs: 002E1B41, 002E1E21, 002E1E86
AITEMPFILESEXTRACTED, xrefs: 002E1DA1
Environment, xrefs: 002E2327
MSIINSTALLPERUSER, xrefs: 002E1B9B, 002E1EFA
AI_FIRSTTEMPFILES, xrefs: 002E1A50, 002E1D36
AiCloseAllHandles, xrefs: 002E2173
AITEMPFILESREMOVED, xrefs: 002E1AD7
AI_ExtractTempFiles, xrefs: 002E1E11
SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\TempPackages, xrefs: 002E2356

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CurrentProcess
String ID: #$AITEMPFILESEXTRACTED$AITEMPFILESREMOVED$AI_ExtractTempFiles$AI_FIRSTTEMPFILES$AI_RemoveTempFiles$AI_TEMP_FILE_ROLLBACK_INFO$ALLUSERS$AiClearTemp$AiCloseAllHandles$CLIENTPROCESSID$DATABASE$Environment$ExecuteAction$MSIINSTALLPERUSER$SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\TempPackages$YES$`Sequence` < 0$`Sequence` > 0
API String ID: 2050909247-2508400129
Opcode ID: 322be2da38b37fd4a73da2876dc1ea0c84fcc97dc329d92e38627e34defdcf6e
Instruction ID: e58d0f12dee5929059256ff003cbf5d46b85f6cd85737b799982b56626b9b45c
Opcode Fuzzy Hash: 322be2da38b37fd4a73da2876dc1ea0c84fcc97dc329d92e38627e34defdcf6e
Instruction Fuzzy Hash: 3862B1710583829FD731DF24C889FEBBBE4AF85304F044A6CF4AA4A196DB74955CCB62

Function 0029E320 Relevance: 30.1, APIs: 14, Strings: 3, Instructions: 398fileCOMMON

Download Yara Rule

APIs

FindClose.KERNEL32(?,D7557A70,?,-00000004,?,?,?,00000000,00322EE0,000000FF,002946D8,0000002A,-00000004), ref: 0029E367

Part of subcall function 0023366C: __CxxThrowException@8.LIBCMT ref: 0023367E

FindResourceW.KERNEL32(00000000,?,00000006,?,?,00000000), ref: 0029E442
_wcslen.LIBCMT ref: 0029E493
_memcpy_s.LIBCMT ref: 0029E4A9
FindFirstFileW.KERNEL32(?,?,?,00000000,?,-00000004,?,?,?,00000000,00322EE0,000000FF,002946D8,0000002A,-00000004), ref: 0029E57C
_wcslen.LIBCMT ref: 0029E5AE
GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000,?,-00000004,?,?,?,00000000,00322EE0,000000FF,002946D8,0000002A,-00000004), ref: 0029E609
GetFullPathNameW.KERNEL32(?,00000000,?,00000000,?,-00000004,?,?,?,00000000,00322EE0,000000FF,002946D8,0000002A,-00000004), ref: 0029E633
_wcsnlen.LIBCMT ref: 0029E64B
FindClose.KERNEL32(?,?,00000000), ref: 0029E68F
SetLastError.KERNEL32(0000007B,?,00000000), ref: 0029E69D
_wcsrchr.LIBCMT ref: 0029E6E2
_wcsrchr.LIBCMT ref: 0029E705
_wcsnlen.LIBCMT ref: 0029E762

Strings

\\?\, xrefs: 0029E525, 0029E561
*.*, xrefs: 0029E3E9, 0029E5AD, 0029E5B7
L27, xrefs: 0029E3F7

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Find$CloseFullNamePath_wcslen_wcsnlen_wcsrchr$ErrorException@8FileFirstLastResourceThrow_memcpy_s
String ID: *.*$L27$\\?\
API String ID: 1725437708-1758829748
Opcode ID: 13b131667bd00087fe2119dc8f015fb27c458115b2362919b42be56e41ad2d10
Instruction ID: f09e5219b36ee0206d55303aec558f6da98754c6842a3fad5b54a26066278c6e
Opcode Fuzzy Hash: 13b131667bd00087fe2119dc8f015fb27c458115b2362919b42be56e41ad2d10
Instruction Fuzzy Hash: 91E1AE702206019FDB14DF68C885B2AF3E9FF88324F158A6CE559CB292EB35E911CF55

Function 0029DF50 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 246threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00374670), ref: 0029DFCC
EnterCriticalSection.KERNEL32(00374670), ref: 0029DFDE
GetCurrentProcess.KERNEL32 ref: 0029DFEB
GetCurrentThread.KERNEL32 ref: 0029DFF7
SymSetOptions.DBGHELP(80000016,00000007), ref: 0029E01D
_wcslen.LIBCMT ref: 0029E043
SymInitialize.DBGHELP(00000000,00000000,00000001), ref: 0029E081
SymCleanup.DBGHELP(?,?,?), ref: 0029E0E9
_memset.LIBCMT ref: 0029E120
_wcslen.LIBCMT ref: 0029E171
StackWalk.DBGHELP(0000014C,00000000,?,?,?,00000000,6D02C910,6D02CCF0,00000000,00000000,?,?,00334684,00000000), ref: 0029E1BE
_wcslen.LIBCMT ref: 0029E23D
SymCleanup.DBGHELP(?,00000000,00000000,000000FF), ref: 0029E2C4
LeaveCriticalSection.KERNEL32(00374670), ref: 0029E2EF

Strings

pF7, xrefs: 0029DFB1
<--------------------MORE--FRAMES-------------------->, xrefs: 0029E238, 0029E246
*** Stack Trace (x86) ***, xrefs: 0029E149, 0029E17E

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CriticalSection_wcslen$CleanupCurrentInitialize$EnterLeaveOptionsProcessStackThreadWalk_memset
String ID: *** Stack Trace (x86) ***$<--------------------MORE--FRAMES-------------------->$pF7
API String ID: 3544003415-2931720118
Opcode ID: ea9dd55002f52611d264894947b10ad57f9efd643adcf58e482d139eea90ed31
Instruction ID: fc37f7bcfefeb1e48364499de82d77a94f21e692c106a58ad70209fb6da97b69
Opcode Fuzzy Hash: ea9dd55002f52611d264894947b10ad57f9efd643adcf58e482d139eea90ed31
Instruction Fuzzy Hash: 53A1A1B15183809FDB21DF24C885BAFBBE8BF89314F04492CF69993290DB749954CB93

Function 0025E013 Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 348COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0025E0AD

Strings

4, xrefs: 0025E234

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ClientRect
String ID: 4
API String ID: 846599473-4088798008
Opcode ID: 85a5f5f7a0ea17fa7108cca0ef166381fef715ec7750b43e719f4e565a3522b4
Instruction ID: 9e2e06e53147e97d3ecb5d83dcda09aab0e4d7e258d69d384278879b767a2ddc
Opcode Fuzzy Hash: 85a5f5f7a0ea17fa7108cca0ef166381fef715ec7750b43e719f4e565a3522b4
Instruction Fuzzy Hash: D1E168B1518341AFD725DF24C885BABBBE8FF89701F004A1DF5C5822A1CB74DA19CB92

Function 00298A30 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 309fileCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00298AC7
_memset.LIBCMT ref: 00298AF2
FindFirstFileW.KERNEL32(?,?,0000024C,0033DAA0,00000000), ref: 00298B04
FindClose.KERNEL32(00000000), ref: 00298B1D
FindNextFileW.KERNEL32(00000000,?), ref: 00298BAA

Strings

., xrefs: 00298B84

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Find$File$CloseFirstNext_memset_wcslen
String ID: .
API String ID: 3654547159-248832578
Opcode ID: 4c77a5bf4bff732f3a45c2083e5d1827d6c19639e6fa84dc4e039db59a21493d
Instruction ID: 30e80634037c89417ea95f6926a0fa223c5afc3c4aca21a8071c1f69905ef7ba
Opcode Fuzzy Hash: 4c77a5bf4bff732f3a45c2083e5d1827d6c19639e6fa84dc4e039db59a21493d
Instruction Fuzzy Hash: BFB1BFB12143029FCB14DF28C884E6AB3E8FF85714F188A2DF595C7291DB70E915CBA1

Function 00260B3C Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 235windowCOMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001), ref: 00260C3E
InvalidateRect.USER32(?,?,00000001), ref: 00260C9A
UpdateWindow.USER32(?), ref: 00260CA3
PtInRect.USER32(?,00000000,?), ref: 00260CC9
SetFocus.USER32(?), ref: 00260CDA
SetCapture.USER32(?), ref: 00260CE3
GetCapture.USER32 ref: 00260CF5
ReleaseCapture.USER32 ref: 00260D04
PtInRect.USER32(?,?,?), ref: 00260D1A
InvalidateRect.USER32(?,00000000,00000001), ref: 00260D99
UpdateWindow.USER32(?), ref: 00260DA2
InvalidateRect.USER32(?,00000000,00000001), ref: 00260DFE

Part of subcall function 002610A0: DeleteObject.GDI32(?), ref: 002610AD
Part of subcall function 002610A0: InvalidateRect.USER32(?,00000000,00000001), ref: 002610E8
Part of subcall function 002610A0: UpdateWindow.USER32(?), ref: 002610F1

Strings

, xrefs: 00260D45

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Rect$Invalidate$CaptureUpdateWindow$DeleteFocusObjectRelease
String ID:
API String ID: 726856145-3916222277
Opcode ID: 1ada5b3ac4023147376df49267d23f646e4299f6456272a52d2e41d78fd353df
Instruction ID: 17a0261dbaed519442ca928c8ed1229790b6a5817f18307f2d3460dc01f10771
Opcode Fuzzy Hash: 1ada5b3ac4023147376df49267d23f646e4299f6456272a52d2e41d78fd353df
Instruction Fuzzy Hash: AC81AB704243469FDB35CF54C8C4A6B7BE4FB95309F104A2AE892C6161DBB0EDE4EB52

Function 00298E90 Relevance: 21.4, APIs: 9, Strings: 3, Instructions: 428COMMON

Download Yara Rule

APIs

_wcsrchr.LIBCMT ref: 00299024
RemoveDirectoryW.KERNEL32(?), ref: 00299057
GetLogicalDriveStringsW.KERNEL32 ref: 00299132
GetDriveTypeW.KERNEL32(?), ref: 00299147
FindResourceW.KERNEL32(00000000,?,00000006,00000004), ref: 002991AF
_wcslen.LIBCMT ref: 002991FE
_memcpy_s.LIBCMT ref: 00299210

Part of subcall function 002725B9: __EH_prolog3.LIBCMT ref: 002725C0

_wcslen.LIBCMT ref: 002992A1
__recalloc.LIBCMT ref: 002992CD

Strings

L27, xrefs: 00298EBF
L27, xrefs: 0029915F
]%!, xrefs: 002990E5

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Drive_wcslen$DirectoryFindH_prolog3LogicalRemoveResourceStringsType__recalloc_memcpy_s_wcsrchr
String ID: L27$L27$]%!
API String ID: 2735937488-3658035576
Opcode ID: c36bcbddd7cef6a8fbb20d58839952d6b93772963d45acdb612dd0709361acc9
Instruction ID: 285b4efbaf6174a6a784da691d05017a3cfe5b5657ab869b88694b324fe9fe6f
Opcode Fuzzy Hash: c36bcbddd7cef6a8fbb20d58839952d6b93772963d45acdb612dd0709361acc9
Instruction Fuzzy Hash: 5AF1EF71514702DFDB10DF18C880A6AF3E9FF85324F148A6DE8599B291D730E955CFA2

Function 002BD9FD Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 214fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0024D307: __EH_prolog3.LIBCMT ref: 0024D30E

Part of subcall function 0027D894: _wcsnlen.LIBCMT ref: 0027D8C5

FindFirstFileW.KERNEL32(?,?,00000000,?,?,?,?,?,00000000,?,?), ref: 002BDA77
FindNextFileW.KERNEL32(00000000,?), ref: 002BDA8B
FindNextFileW.KERNEL32(?,?,?,.pack,?,?,0000002E,?,?), ref: 002BDBC4

Part of subcall function 002725B9: __EH_prolog3.LIBCMT ref: 002725C0

Part of subcall function 002335DE: __EH_prolog3.LIBCMT ref: 002335E5

Part of subcall function 0027CF7A: __EH_prolog3.LIBCMT ref: 0027CF81

Part of subcall function 002BE021: __recalloc.LIBCMT ref: 002BE05F

FindClose.KERNEL32(?), ref: 002BDC53
FindFirstFileW.KERNEL32(?,?), ref: 002BDC6C
FindClose.KERNEL32(?), ref: 002BDC8A
FindNextFileW.KERNEL32(?,?), ref: 002BDCF6
FindClose.KERNEL32(00000000), ref: 002BDD0C

Part of subcall function 00235A6E: __EH_prolog3.LIBCMT ref: 00235A75

Part of subcall function 0027D853: _wcsrchr.LIBCMT ref: 0027D85A

Part of subcall function 0027255D: __EH_prolog3.LIBCMT ref: 00272564

Part of subcall function 0027D803: __wcsicoll.LIBCMT ref: 0027D81F

Strings

.jar, xrefs: 002BDB52
.pack, xrefs: 002BDAD6

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Find$H_prolog3$File$CloseNext$First$__recalloc__wcsicoll_wcsnlen_wcsrchr
String ID: .jar$.pack
API String ID: 2367335455-1219716722
Opcode ID: 6d19688cc02f80e37e68a2474a8510286f17d6d23c806ae11baaf0775b47773c
Instruction ID: ce9f413e0d676f614b468215a4ef719c9c1cb78490d630b7d0e7de6c92f8e9b9
Opcode Fuzzy Hash: 6d19688cc02f80e37e68a2474a8510286f17d6d23c806ae11baaf0775b47773c
Instruction Fuzzy Hash: 3681F7719151299BCF25EF64DC89AEEB7B8AF08300F5041E6E50DA3161EE31AF99CF50

Function 002C08EA Relevance: 16.6, APIs: 11, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(00000000,00000000,00000000), ref: 002C08FE
LocalFree.KERNEL32(?,00000000,00000000), ref: 002C090E
GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?,00000000,00000000), ref: 002C0940
GetLastError.KERNEL32 ref: 002C094A
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,00000000,00000000), ref: 002C096B
SetEntriesInAclW.ADVAPI32(?,?,?,?,00000000,00000000), ref: 002C097D
LocalAlloc.KERNEL32(00000040,00000014), ref: 002C098B
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 002C099B
GetLastError.KERNEL32 ref: 002C09A5
LocalFree.KERNEL32(?), ref: 002C09BA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 002C09D0

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Local$DescriptorFreeSecurity$DaclErrorLast$AllocEntriesExceptionInitializeRaise
String ID:
API String ID: 265855796-0
Opcode ID: db845d54c6d83ffb04f01a4387ac85b159bedf21f30d946461f294ad096e453f
Instruction ID: 10da012929ee297f9bd02066e251b8fe3873b5e1bc9debb7d156b9a71f1999ed
Opcode Fuzzy Hash: db845d54c6d83ffb04f01a4387ac85b159bedf21f30d946461f294ad096e453f
Instruction Fuzzy Hash: 8E312FB9610706EFEB309FA5DCC4F5ABBB8FB08745F104A2DE542D2552D770A954CB10

Function 002C1032 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 54shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 002AC05F: GetVersion.KERNEL32(002AD3DF,?,?,00000001,?,?,002ACD09,00000000,?,00000000,00000000), ref: 002AC05F

GetCurrentProcess.KERNEL32(00000028,00000000,?,?,?,?,00000001,?), ref: 002C1050
OpenProcessToken.ADVAPI32(00000000), ref: 002C1057
CloseHandle.KERNEL32(00000000), ref: 002C1069
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 002C107D
AdjustTokenPrivileges.ADVAPI32(00000000,00000000), ref: 002C109C
GetLastError.KERNEL32 ref: 002C10A2
CloseHandle.KERNEL32(00000000), ref: 002C10B4
ExitWindowsEx.USER32(00000006,80040002), ref: 002C10C1

Strings

SeShutdownPrivilege, xrefs: 002C1077

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueVersionWindows
String ID: SeShutdownPrivilege
API String ID: 463828723-3733053543
Opcode ID: a7e2e27ec0665e0b036bb3e99a9a4cd1f810a325f31ba6d7044c5f84c516125b
Instruction ID: dc5514e9e913c6f7dac6b062ef436ee3c59ceb2989f6a8dd1d5c6bd9341b0b6a
Opcode Fuzzy Hash: a7e2e27ec0665e0b036bb3e99a9a4cd1f810a325f31ba6d7044c5f84c516125b
Instruction Fuzzy Hash: 88117975900229FBDB12AFA1DC4AEDEBFBCEF06711F004159F901E1122DB7446A0CBA1

Function 0029D420 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 414COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0029D4F0
_wcslen.LIBCMT ref: 0029D64C
GetStdHandle.KERNEL32(000000F5,?,00000007), ref: 0029D7BF
SetConsoleTextAttribute.KERNEL32(00000000), ref: 0029D7C6
_wcslen.LIBCMT ref: 0029D8B3
_wcslen.LIBCMT ref: 0029D99F
IsWindow.USER32(?), ref: 0029D9E2

Strings

Error, xrefs: 0029D984, 0029D9A8

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: _wcslen$AttributeConsoleHandleTextWindow
String ID: Error
API String ID: 4204222558-2619118453
Opcode ID: 8ee05459f8e89fbeaaa9f8235aba171947304e91552744b854a554162a24a248
Instruction ID: 6bdf5b3cc238b0e62818e65a11658a0ed246aad10d110c9ba8e859e7effad88c
Opcode Fuzzy Hash: 8ee05459f8e89fbeaaa9f8235aba171947304e91552744b854a554162a24a248
Instruction Fuzzy Hash: F7024BB1928380CED730DF25D885B9BF7E5AF95310F148A1DE199832A1DB70A855CF53

Function 00298750 Relevance: 12.1, APIs: 8, Instructions: 142fileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002987C0
FindFirstFileW.KERNEL32(00000000,?), ref: 002987D0
FindClose.KERNEL32 ref: 0029883C
FindFirstFileW.KERNEL32(?,?,0000002A), ref: 00298887
FindClose.KERNEL32(00000000,?), ref: 002988B8
FindClose.KERNEL32(000000FF,?), ref: 002988DB
FindClose.KERNEL32(00000000), ref: 00298908
FindClose.KERNEL32(00000000), ref: 00298922

Part of subcall function 0023366C: __CxxThrowException@8.LIBCMT ref: 0023367E

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Find$Close$FileFirst$Exception@8Throw_memset
String ID:
API String ID: 1440204717-0
Opcode ID: 4ca57494360c42fc203ec8226cde540116b9c50a8ea06c7a1488eb51f127c2ef
Instruction ID: 34889ef5b208dfdb5aa46f63e3c4eced4309284a11fb668e14a60eaf2dd488c1
Opcode Fuzzy Hash: 4ca57494360c42fc203ec8226cde540116b9c50a8ea06c7a1488eb51f127c2ef
Instruction Fuzzy Hash: A351A2754183859FCB20DF24C8C9A6ABBE8FB8A320F540A2DF499C3291DB309555CF53

Function 00280854 Relevance: 10.6, APIs: 7, Instructions: 120libraryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00280873
LoadLibraryExW.KERNEL32(?,00000000,00000002,0000001C), ref: 0028089F
FindResourceW.KERNEL32(00000000,?,?), ref: 002808BB
FreeLibrary.KERNEL32(00000001,?,?), ref: 002809BF

Part of subcall function 00276874: GetLastError.KERNEL32 ref: 00276874

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Library$ErrorFindFreeH_prolog3_catchLastLoadResource
String ID:
API String ID: 1376058422-0
Opcode ID: 5c79666d75bd07f629e7b6ad05a87305e6bef0c8b0a085740c1b9e764e4ec762
Instruction ID: 19fed43422f975e39601447dcb5777a02f964d9f896a1e1579ed14a15e899a01
Opcode Fuzzy Hash: 5c79666d75bd07f629e7b6ad05a87305e6bef0c8b0a085740c1b9e764e4ec762
Instruction Fuzzy Hash: 8141B17591124DEFDF20EF64C985AEDBBB4FF08310F508529EA09AB291D7309E58CB90

Function 002C8645 Relevance: 10.6, APIs: 7, Instructions: 52clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(?), ref: 002C864D
EmptyClipboard.USER32 ref: 002C865D
GlobalAlloc.KERNEL32(00000042,?,?,?,?,?,?,002C6763,?,?), ref: 002C8674
GlobalLock.KERNEL32(00000000), ref: 002C8683

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ClipboardGlobal$AllocEmptyLockOpen
String ID:
API String ID: 3590494090-0
Opcode ID: 650495aa277892be836f6a5eee470a77364a1778ae0fa0a38d94040ee1a29c4c
Instruction ID: f92a04371ce5543b1104e83584cbb719a6b46b6dc3c16f37c1862becb69b62df
Opcode Fuzzy Hash: 650495aa277892be836f6a5eee470a77364a1778ae0fa0a38d94040ee1a29c4c
Instruction Fuzzy Hash: 4A119275620706FFCB019FA4DC89DABBBACFF05340B108528FA06C3220EB71A921DB54

Function 0028D270 Relevance: 9.4, APIs: 6, Instructions: 374fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0028CF50: GetTempPathW.KERNEL32(00000000,?), ref: 0028CFB1
Part of subcall function 0028CF50: GetTempPathW.KERNEL32(?,?), ref: 0028CFE0

Part of subcall function 0028DD10: _wcslen.LIBCMT ref: 0028DD9F
Part of subcall function 0028DD10: _wcslen.LIBCMT ref: 0028DE54

GetTempFileNameW.KERNEL32(-00000004,?,00000000,?), ref: 0028D326
DeleteFileW.KERNEL32(?), ref: 0028D372
_wcslen.LIBCMT ref: 0028D398

Part of subcall function 0028CA50: std::_String_base::_Xlen.LIBCPMT ref: 0028CB60
Part of subcall function 0028CA50: std::_String_base::_Xlen.LIBCPMT ref: 0028CB71

PathFileExistsW.SHLWAPI(-00000004,?,?), ref: 0028D4E7

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: FilePathTemp_wcslen$String_base::_Xlenstd::_$DeleteExistsName
String ID:
API String ID: 2019026614-0
Opcode ID: 12c3513b7eba13cc44e67485b4d38fc33b6b5950b5ecf3a84a3979d28e153d39
Instruction ID: 3fc24e0f584e51176d684e82b3a4114fbe16a696cdaa269f2989ffa62cd0eec0
Opcode Fuzzy Hash: 12c3513b7eba13cc44e67485b4d38fc33b6b5950b5ecf3a84a3979d28e153d39
Instruction Fuzzy Hash: EAF1F9B59283808BD735DF25C881B9BF7E9BF99300F04892EE18D97291D6709658CF53

Function 00271496 Relevance: 9.1, APIs: 6, Instructions: 112keyboardCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 0027149D
GetKeyState.USER32(00000010), ref: 002714D0
GetKeyState.USER32(00000011), ref: 002714E0
GetKeyState.USER32(00000012), ref: 002714EB
GetKeyState.USER32(00000011), ref: 00271529
GetKeyState.USER32(00000012), ref: 00271546

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: State$H_prolog3_catch_
String ID:
API String ID: 3994001762-0
Opcode ID: f14cf3e7dc20f26d2bafaed6e85ea121eb982e8e75f15270c857cad16d79ccbc
Instruction ID: f2aa49ab1ad4568e4582c19b022f0fc4fa240c80558e82ce46996950376d7307
Opcode Fuzzy Hash: f14cf3e7dc20f26d2bafaed6e85ea121eb982e8e75f15270c857cad16d79ccbc
Instruction Fuzzy Hash: E831C67062060A9BDF28DEADC4D4BEDB7A5BF45340FA4C479D45AD7282CB709DB08B50

Function 002C09E1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Advapi32.dll,00000000,?,002C080A,?,?,?,?,00000000), ref: 002C09E8
GetProcAddress.KERNEL32(00000000,ConvertStringSidToSidW), ref: 002C09FF
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 002C0A0C

Strings

Advapi32.dll, xrefs: 002C09E3
ConvertStringSidToSidW, xrefs: 002C09F9

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Advapi32.dll$ConvertStringSidToSidW
API String ID: 145871493-1129428314
Opcode ID: e6fb2302de1c7d6ac97cafaeae827e91fa91376a9ad03284c008cbb5a92937a4
Instruction ID: 1f172dd1e00bea2a6ae18ea0ff6eb6b51942b3c78280c85fb06f3bf1bd794b30
Opcode Fuzzy Hash: e6fb2302de1c7d6ac97cafaeae827e91fa91376a9ad03284c008cbb5a92937a4
Instruction Fuzzy Hash: DFE020362B4312EB53235F145CC8F7F6E68EBD5F65F00051CF516D2150CB7088159790

Function 002F5574 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 002FF01E
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 002FF033
UnhandledExceptionFilter.KERNEL32(00332854), ref: 002FF03E
GetCurrentProcess.KERNEL32(C0000409), ref: 002FF05A
TerminateProcess.KERNEL32(00000000), ref: 002FF061

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 3d92450d1e4669b720e50e96385b604e0b38c109471e96ea98ca6fafa80ae966
Instruction ID: babff7aa17eb192dfe69b86ceef97ea6f53b80f754a7561f57755caca90ec321
Opcode Fuzzy Hash: 3d92450d1e4669b720e50e96385b604e0b38c109471e96ea98ca6fafa80ae966
Instruction Fuzzy Hash: D421CDF8811389EFC76ADF28E88A6557BBCFB08711F505119E50C87360E7B19AC4AF45

Function 00311429 Relevance: 4.6, APIs: 3, Instructions: 89keyboardCOMMON

Download Yara Rule

APIs

PtInRect.USER32(?,?,?), ref: 0031146E
GetAsyncKeyState.USER32(00000001), ref: 003114C3
TrackMouseEvent.USER32(?,?,00000001), ref: 00311507

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: AsyncEventMouseRectStateTrack
String ID:
API String ID: 2019282715-0
Opcode ID: 3ab926f89ee677119e4fb698e990ba147bb9055e1fa079764d81b0645cd8cd0c
Instruction ID: 0a0abe5e3817c0bf4dd0c137208322a6eeb39c5afe6553859e749be96fd5fcc3
Opcode Fuzzy Hash: 3ab926f89ee677119e4fb698e990ba147bb9055e1fa079764d81b0645cd8cd0c
Instruction Fuzzy Hash: 18313374A012089FCB59CFA6C584AEEBBF9FF48B11F11146DE546EB611DB30A984CF50

Function 002B886D Relevance: 4.6, APIs: 3, Instructions: 69fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00000000,?,?), ref: 002B88ED
FindClose.KERNEL32(00000000), ref: 002B88F9
FindClose.KERNEL32(00000000), ref: 002B8924

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Find$Close$FileFirst
String ID:
API String ID: 3046750681-0
Opcode ID: e6f855e441eb108dc1b7871e7ddc9098f30360d29c0f9abf8cb3faad478568b5
Instruction ID: d578cea5e89b11c4157d4c15cd2993ec6539f9d1b06af659da2f439a386729ec
Opcode Fuzzy Hash: e6f855e441eb108dc1b7871e7ddc9098f30360d29c0f9abf8cb3faad478568b5
Instruction Fuzzy Hash: 0921C3715292059BCB14EF24DC859FBB3ECEF94360F54491AF499C32A0DB309A68CF52

Function 002D5393 Relevance: 4.5, APIs: 3, Instructions: 23synchronizationCOMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 002D539A

Part of subcall function 002F8CB9: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,002D589D,00000000,?,00000154,002D55C2,?,D7557A70,?), ref: 002F8CC4
Part of subcall function 002F8CB9: __aulldiv.LIBCMT ref: 002F8CE4

WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,D7557A70,?), ref: 002D53A9
__time64.LIBCMT ref: 002D53B1

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Time__time64$FileObjectSingleSystemWait__aulldiv
String ID:
API String ID: 2194526215-0
Opcode ID: eedd369890bb1f050a18e3b7d7a98946c8f6eef06353d1269b0bc693244934c3
Instruction ID: e045ab640cc4c7ca4e1128ad316dbae39a8c1526e1c686786c129de7367b6c5b
Opcode Fuzzy Hash: eedd369890bb1f050a18e3b7d7a98946c8f6eef06353d1269b0bc693244934c3
Instruction Fuzzy Hash: F6E026396043005FC248AB39A985B56B7D0DBC4731F10423EFA18816C0ED34A40C4B31

Function 00298050 Relevance: 3.0, APIs: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32 ref: 00298096
GetLastError.KERNEL32 ref: 002980A0

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: cb0027ed10f843fca315ee8230bcf41906d4e84f3b3fd846d7b6165784785fea
Instruction ID: 68601f1ae30ed1aed8f562c952c16e67b26154198b8fa64a859295e0c84b71e0
Opcode Fuzzy Hash: cb0027ed10f843fca315ee8230bcf41906d4e84f3b3fd846d7b6165784785fea
Instruction Fuzzy Hash: 7D01ADB1218741ABEB10CF14CC85B6B77ECFB04B54F04092DF504D66C0D778E9088BA6

Function 002F20A0 Relevance: .6, Instructions: 583COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a96658aefed841e4bd1c4b03aa5248894c2a3c5282d08f0adfd1d647e6ad7330
Instruction ID: 08fb784974de6411c22aa4653c455f70c10eb87b729b66219d79ea2f7242617e
Opcode Fuzzy Hash: a96658aefed841e4bd1c4b03aa5248894c2a3c5282d08f0adfd1d647e6ad7330
Instruction Fuzzy Hash: EB12C5BBB983194FDB48CEE5DCC169573E1FB98304F09A43C9A55C7306F6E8AA094790

Function 00294FB0 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: 7103fdcc1eb350ff6eee3c1cd06c67f716a49babfe959f44fb08b116273f9583
Instruction ID: 8db2d3ff2616fbff8a784fc5d6fea47e302502bb2e517b66fa5c7fc8b55f2bd7
Opcode Fuzzy Hash: 7103fdcc1eb350ff6eee3c1cd06c67f716a49babfe959f44fb08b116273f9583
Instruction Fuzzy Hash: E2919071F106199FCF09DF6CD980AAEB7B6FB88310F148669E8059B355EA70E911CB90

Function 0025CD87 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3_catch_TextWindow
String ID:
API String ID: 1289709583-0
Opcode ID: b75d7dee6a8ae6dd5031042eb0c525f463a9ce3a3fb5654fd94416b3942d8676
Instruction ID: 162b65167926affa2e20ee32808e2790f2409ffe02ec5dde2508b1cf28286865
Opcode Fuzzy Hash: b75d7dee6a8ae6dd5031042eb0c525f463a9ce3a3fb5654fd94416b3942d8676
Instruction Fuzzy Hash: 3951A2B1920229EFCF25DF54C9416AEB6B6EF54711F310456EC02E7140EB744F29EB89

Function 002F8D50 Relevance: .1, Instructions: 76COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: b283f53afa5501a562ba84b6d0205c70a952a19d3313f1782080bb13e3123e5d
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 94115B7722108B43D6548E3DD8B46B6E795EFF53A073C437AD3418B7C8CA32E8659500

Function 002AC079 Relevance: 96.5, APIs: 3, Strings: 52, Instructions: 281COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002AC09E
GetVersionExW.KERNEL32(?,?,00378BB8,00000000), ref: 002AC0BD
GetVersionExW.KERNEL32(0000011C,?,00378BB8,00000000), ref: 002AC0D6

Strings

Windows Vista x64 Service Pack 1, xrefs: 002AC22A
OsNotIdentified, xrefs: 002AC0DC
Windows 98 SE, xrefs: 002AC457
Windows 8 x64, xrefs: 002AC161
Windows 8.1 x86, xrefs: 002AC132
Windows XP x86, xrefs: 002AC311
Windows XP x86 Service Pack 3, xrefs: 002AC328
Windows Server 2003 x86, xrefs: 002AC2E6
Windows NT 4.0 Service Pack 6, xrefs: 002AC3C5
Windows XP x86 Service Pack 1, xrefs: 002AC33C
Windows 7 x86 Service Pack 1, xrefs: 002AC1C5
Windows XP x86 Service Pack 2, xrefs: 002AC332
Windows 2000 Service Pack 4, xrefs: 002AC370
Windows 2000 Service Pack 2, xrefs: 002AC384
Windows Server 2008 x86, xrefs: 002AC26A
Windows Server 2003 x64 Service Pack 1, xrefs: 002AC2D6
Windows 98, xrefs: 002AC450
Windows XP x64 Service Pack 1, xrefs: 002AC2AA
Windows Vista x64, xrefs: 002AC216
Windows 7 x64 Service Pack 1, xrefs: 002AC1AE
Windows 7 x86, xrefs: 002AC1BB
Windows XP x64 Service Pack 2, xrefs: 002AC2A0
Windows Server 2008 R2 x64 Service Pack 1, xrefs: 002AC1EC
Windows Server 2003 x64, xrefs: 002AC2C2
Windows Vista x64 Service Pack 2, xrefs: 002AC220
Windows 2000 Service Pack 3, xrefs: 002AC37A
Windows NT 4.0, xrefs: 002AC3A5
Windows 95, xrefs: 002AC472
Windows 95 OSR, xrefs: 002AC41B
Windows 95 OSR2.5, xrefs: 002AC42C
Windows Vista x86 Service Pack 1, xrefs: 002AC24E
Windows 2000, xrefs: 002AC356
Windows NT 4.0 Service Pack 4, xrefs: 002AC3D9
Windows 7 x64, xrefs: 002AC1A4
Windows NT 4.0 Service Pack 5, xrefs: 002AC3CF
Windows XP x64, xrefs: 002AC296
Windows 2000 Service Pack 1, xrefs: 002AC38E
Windows Vista x86 Service Pack 2, xrefs: 002AC244
Windows Millennium, xrefs: 002AC46B
Windows NT 4.0 Service Pack 1, xrefs: 002AC3F7
Windows Server 2003 x64 Service Pack 2, xrefs: 002AC2CC
Windows Vista x86, xrefs: 002AC23A
Windows Server 2008 R2 x64, xrefs: 002AC1E2
Windows Server 2003 x86 Service Pack 1, xrefs: 002AC2FA
Windows Server 2012 x64, xrefs: 002AC181
Windows 8.1 x64, xrefs: 002AC128
Windows Server 2012 R2 x64, xrefs: 002AC144
Windows 8 x86, xrefs: 002AC16B
Windows NT 4.0 Service Pack 3, xrefs: 002AC3E3
Windows Server 2003 x86 Service Pack 2, xrefs: 002AC2F0
Windows Server 2008 x64, xrefs: 002AC260
Windows NT 4.0 Service Pack 2, xrefs: 002AC3ED

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Version$_memset
String ID: OsNotIdentified$Windows 2000$Windows 2000 Service Pack 1$Windows 2000 Service Pack 2$Windows 2000 Service Pack 3$Windows 2000 Service Pack 4$Windows 7 x64$Windows 7 x64 Service Pack 1$Windows 7 x86$Windows 7 x86 Service Pack 1$Windows 8 x64$Windows 8 x86$Windows 8.1 x64$Windows 8.1 x86$Windows 95$Windows 95 OSR$Windows 95 OSR2.5$Windows 98$Windows 98 SE$Windows Millennium$Windows NT 4.0$Windows NT 4.0 Service Pack 1$Windows NT 4.0 Service Pack 2$Windows NT 4.0 Service Pack 3$Windows NT 4.0 Service Pack 4$Windows NT 4.0 Service Pack 5$Windows NT 4.0 Service Pack 6$Windows Server 2003 x64$Windows Server 2003 x64 Service Pack 1$Windows Server 2003 x64 Service Pack 2$Windows Server 2003 x86$Windows Server 2003 x86 Service Pack 1$Windows Server 2003 x86 Service Pack 2$Windows Server 2008 R2 x64$Windows Server 2008 R2 x64 Service Pack 1$Windows Server 2008 x64$Windows Server 2008 x86$Windows Server 2012 R2 x64$Windows Server 2012 x64$Windows Vista x64$Windows Vista x64 Service Pack 1$Windows Vista x64 Service Pack 2$Windows Vista x86$Windows Vista x86 Service Pack 1$Windows Vista x86 Service Pack 2$Windows XP x64$Windows XP x64 Service Pack 1$Windows XP x64 Service Pack 2$Windows XP x86$Windows XP x86 Service Pack 1$Windows XP x86 Service Pack 2$Windows XP x86 Service Pack 3
API String ID: 4167444357-3488492181
Opcode ID: 5dcc8b298d4e4cafff32c0d4fd29e22761631a0c856f372ac5d12eb9072afa77
Instruction ID: b5b0dc4af04d2802fe73744af39674d49203e91a617fae05d554a0ce504a17a6
Opcode Fuzzy Hash: 5dcc8b298d4e4cafff32c0d4fd29e22761631a0c856f372ac5d12eb9072afa77
Instruction Fuzzy Hash: 9191C9607B830AD7CF374FA04852AB425B09717744FF485A3E6C669081DEF5ACB4DA0A

Function 002A1165 Relevance: 61.6, APIs: 33, Strings: 2, Instructions: 362fileprocesssynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 002974F0: GetVersionExW.KERNEL32 ref: 00297519

GetTempPathW.KERNEL32(00000104,?), ref: 002A1232
GetTempFileNameW.KERNEL32(?,tmp,00000000,?), ref: 002A1252
CreateFileW.KERNEL32(?,10000000,00000003,00000000,00000002,00000080,00000000), ref: 002A1277
GetTempPathA.KERNEL32(00000104,?), ref: 002A1286
GetTempFileNameA.KERNEL32(?,tmp,00000000,?), ref: 002A12A6
CreateFileA.KERNEL32(?,10000000,00000003,00000000,00000002,00000080,00000000), ref: 002A12CA
GetCurrentProcess.KERNEL32(?,00000002,00000001,00000000), ref: 002A1309
GetCurrentProcess.KERNEL32(?,00000000), ref: 002A1312
DuplicateHandle.KERNEL32(00000000), ref: 002A1315
GetStdHandle.KERNEL32(000000F6), ref: 002A131D
GetCurrentProcess.KERNEL32(?,00000002,00000001,00000000), ref: 002A1348
GetCurrentProcess.KERNEL32(?,00000000), ref: 002A1351
DuplicateHandle.KERNEL32(00000000), ref: 002A1354
GetStdHandle.KERNEL32(000000F6), ref: 002A135C

Part of subcall function 00297450: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?), ref: 0029748A
Part of subcall function 00297450: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 002974AD

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000001,08000020,00000000,00000000,?,?), ref: 002A13A3
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,08000020,00000000,?,?,?), ref: 002A143F
WaitForSingleObject.KERNEL32(?,000000FF), ref: 002A14BD
CloseHandle.KERNEL32(?), ref: 002A14CA
CloseHandle.KERNEL32(?), ref: 002A14D2
GetExitCodeProcess.KERNEL32(?,?), ref: 002A14E1
CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 002A1508
CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 002A1516
CreateFileW.KERNEL32(?,10000004,00000003,00000000,00000004,00000080,00000000), ref: 002A154B
CreateFileA.KERNEL32(?,10000004,00000003,00000000,00000004,00000080,00000000), ref: 002A159B
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 002A15D4
LockFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 002A15EA
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 002A1606
UnlockFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 002A161B
ReadFile.KERNEL32(?,?,000003FF,?,00000000), ref: 002A163B
CloseHandle.KERNEL32(00000000), ref: 002A164E
CloseHandle.KERNEL32(?), ref: 002A165A
DeleteFileW.KERNEL32(?), ref: 002A166F
DeleteFileA.KERNEL32(?), ref: 002A167D

Strings

tmp, xrefs: 002A129B
tmp, xrefs: 002A1247

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: File$CreateHandle$Process$CloseCurrentTemp$ByteCharDeleteDuplicateMultiNamePathWide$CodeExitLockObjectPointerReadSingleUnlockVersionWaitWrite
String ID: tmp$tmp
API String ID: 568214152-873286462
Opcode ID: 853e0a3b54e3ca32b2e4eaef26ab66827b23958610bf5a1d1d57fc6b794e666e
Instruction ID: 6928283a9f2b39f915aec1e40bf59e915393b549fe9c84df2affc59a402a51a2
Opcode Fuzzy Hash: 853e0a3b54e3ca32b2e4eaef26ab66827b23958610bf5a1d1d57fc6b794e666e
Instruction Fuzzy Hash: 87E15EB1920228ABDF219F648C85BDEBB7CEF49364F4001E5F709B2161DB705E958F68

Function 00241769 Relevance: 47.5, APIs: 1, Strings: 26, Instructions: 225COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00241770

Part of subcall function 0023DF4F: _wcslen.LIBCMT ref: 0023DF54

Strings

FrameBottomLeftInactive, xrefs: 002419EC
FrameTopRight, xrefs: 00241921
FrameBottomLeft, xrefs: 002419CF
SysMinHot, xrefs: 00241822
FrameLeftInactive, xrefs: 00241978
SysCloseDown, xrefs: 00241785
FrameTopMid, xrefs: 002418AD
FrameBottomRightInactive, xrefs: 00241A60
FrameTopLeft, xrefs: 00241879
SysMinNormal, xrefs: 0024183F
FrameTopRightInactive, xrefs: 0024193E
SysMinInactive, xrefs: 0024185C
FrameRight, xrefs: 00241995
FrameLeft, xrefs: 0024195B
SysCloseHot, xrefs: 002417B7
FrameBottomMidInactive, xrefs: 00241A26
SysMinDown, xrefs: 00241805
FrameCaptionInactive, xrefs: 00241904
FrameCaption, xrefs: 002418E7
SysCloseNormal, xrefs: 002417D1
FrameTopMidInactive, xrefs: 002418CA
FrameBottomMid, xrefs: 00241A09
FrameRightInactive, xrefs: 002419B2
FrameBottomRight, xrefs: 00241A43
FrameTopLeftInactive, xrefs: 00241893
SysCloseInactive, xrefs: 002417EB

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3__wcslen
String ID: FrameBottomLeft$FrameBottomLeftInactive$FrameBottomMid$FrameBottomMidInactive$FrameBottomRight$FrameBottomRightInactive$FrameCaption$FrameCaptionInactive$FrameLeft$FrameLeftInactive$FrameRight$FrameRightInactive$FrameTopLeft$FrameTopLeftInactive$FrameTopMid$FrameTopMidInactive$FrameTopRight$FrameTopRightInactive$SysCloseDown$SysCloseHot$SysCloseInactive$SysCloseNormal$SysMinDown$SysMinHot$SysMinInactive$SysMinNormal
API String ID: 3251556500-1920592073
Opcode ID: 6a3646d1ec78756687081cfab40c2fe9a818d4338acb28d70df19f6f68499808
Instruction ID: e3c0a7342d6a4bb43ee8aa623a0f4778c862640752ed4f9101933a68174d1777
Opcode Fuzzy Hash: 6a3646d1ec78756687081cfab40c2fe9a818d4338acb28d70df19f6f68499808
Instruction Fuzzy Hash: 69714C36E34616AADF0CDB64EC926F8F3307F06710F61C150E9293759187A17EBE8A90

Function 0027D1A9 Relevance: 38.7, APIs: 15, Strings: 7, Instructions: 238libraryloaderwindowCOMMON

Download Yara Rule

APIs

CreateCompatibleBitmap.GDI32(?,000000D0,00000010), ref: 0027D1F5
DeleteObject.GDI32(?), ref: 0027D4B5

Part of subcall function 0023A766: ImageList_Create.COMCTL32(?,D7557A70,00000021,?,?,?,00236C46,?,?,?,00000000,?), ref: 0023A777

CreateCompatibleDC.GDI32(?), ref: 0027D22A
GetProcAddress.KERNEL32(?,IsThemeActive), ref: 0027D258
GetProcAddress.KERNEL32(?,IsAppThemed), ref: 0027D286
GetProcAddress.KERNEL32(?,OpenThemeData), ref: 0027D2B4
SelectObject.GDI32(00000010,00000010), ref: 0027D2DD
GetLayout.GDI32(?,?,00000000), ref: 0027D312
OffsetRect.USER32(?,000000C0,00000000), ref: 0027D33D
GetProcAddress.KERNEL32(?,DrawThemeBackground), ref: 0027D39C
GetProcAddress.KERNEL32(?,DrawThemeEdge), ref: 0027D3E0
DrawFrameControl.USER32(?,?,00000004,00000000), ref: 0027D417
SelectObject.GDI32(00000010,?), ref: 0027D460
ImageList_AddMasked.COMCTL32(?,00000004,00FF00FF), ref: 0027D474
DeleteDC.GDI32(00000010), ref: 0027D4A0

Strings

DrawThemeBackground, xrefs: 0027D396
DrawThemeEdge, xrefs: 0027D3DA
IsAppThemed, xrefs: 0027D280
BUTTON, xrefs: 0027D2BF
unused, xrefs: 0027D35A
IsThemeActive, xrefs: 0027D252
OpenThemeData, xrefs: 0027D2AE

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: AddressProc$CreateObject$CompatibleDeleteImageList_Select$BitmapControlDrawFrameLayoutMaskedOffsetRect
String ID: BUTTON$DrawThemeBackground$DrawThemeEdge$IsAppThemed$IsThemeActive$OpenThemeData$unused
API String ID: 3393069973-356269395
Opcode ID: 0f457bc621a44290583ac6d8c6905e67ac2e90eafe3767f5da6f6301d764e4fd
Instruction ID: febfb6266c747afd5fcaef82b83fb93a05b186e16afbe0d67950c617f8bf9133
Opcode Fuzzy Hash: 0f457bc621a44290583ac6d8c6905e67ac2e90eafe3767f5da6f6301d764e4fd
Instruction Fuzzy Hash: B0919171518342EFCB229F61DC88A5ABBF9FF48711F04492EF589922A1CB70D954CF52

Function 002C031E Relevance: 35.3, APIs: 19, Strings: 1, Instructions: 268windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(-00000004,000000F0), ref: 002C0340
GetWindowLongW.USER32(-00000004,000000EC), ref: 002C0376
SetWindowLongW.USER32(-00000004,000000EC,00000000), ref: 002C038A
SendMessageW.USER32(-00000004,0000007F,00000000,00000000), ref: 002C0396
SendMessageW.USER32(-00000004,00000080,00000000,00000000), ref: 002C03A9
GetDlgItem.USER32(-00000004,0000E801), ref: 002C03B6
IsWindow.USER32(00000000), ref: 002C03C1
DestroyWindow.USER32(?,?,75C0A510), ref: 002C03E1
GetClientRect.USER32(-00000004,?), ref: 002C041E
GetDlgItem.USER32(-00000004,0000E801), ref: 002C043D
IsWindow.USER32(00000000), ref: 002C044A

Part of subcall function 00234F65: CreateWindowExW.USER32(00000000,5400001C,-00000004,?,?,?,?,?,00000000,002BA60C,00000000,-00000004), ref: 00234FA5

IsWindow.USER32(00000000), ref: 002C0488
GetWindowRect.USER32(?,00000000), ref: 002C04A9
GetWindowRect.USER32(-00000004,?), ref: 002C0528
GetDlgItem.USER32(-00000004,0000042B), ref: 002C05BD
GetWindowRect.USER32(00000000,00000000), ref: 002C05D9
MapWindowPoints.USER32(00000000,-00000004,?,00000002), ref: 002C05EA
MapWindowPoints.USER32(00000000,-00000004,?,00000002), ref: 002C04BA

Part of subcall function 002C2D02: __recalloc.LIBCMT ref: 002C2D48

GetClientRect.USER32(-00000004,?), ref: 002C0514

Strings

SCROLLBAR, xrefs: 002C0479

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Window$Rect$ItemLong$ClientMessagePointsSend$CreateDestroy__recalloc
String ID: SCROLLBAR
API String ID: 3544432297-324577739
Opcode ID: 6ca7463d364b2eb9601eee0e291768df99f70c5e50ffd6cacd36dc6238898a6a
Instruction ID: 04dbed3412bed5ecddfe6f7632e73c09f4c58c3eeb2c1f32c943c2a78fe9c09d
Opcode Fuzzy Hash: 6ca7463d364b2eb9601eee0e291768df99f70c5e50ffd6cacd36dc6238898a6a
Instruction Fuzzy Hash: 13A14371518341EFD751CF69C889A1ABBE8FB88350F108A2EF999C72A0D731D814CF62

Function 0026D6AF Relevance: 33.3, APIs: 22, Instructions: 293windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00233634: __EH_prolog3.LIBCMT ref: 0023363B

Part of subcall function 002335AF: GetWindowTextLengthW.USER32(00000000), ref: 002335B8
Part of subcall function 002335AF: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 002335CB

GetClientRect.USER32(0000000F,?), ref: 0026D718
GetDC.USER32(0000000F), ref: 0026D733
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0026D738
IsRectEmpty.USER32(?), ref: 0026D775
ValidateRect.USER32(0000000F,?,?,?), ref: 0026D78B
GetDC.USER32(0000000F), ref: 0026D794
GetParent.USER32(0000000F), ref: 0026D7B1
SendMessageW.USER32(00000000,00000135,?,0000000F), ref: 0026D7CA
SetTextColor.GDI32(?,00000000), ref: 0026D7DE
GetBrushOrgEx.GDI32(?,?), ref: 0026D7ED
SetBrushOrgEx.GDI32(?,?,?,00000000), ref: 0026D803
FillRect.USER32(?,?,?), ref: 0026D816
SendMessageW.USER32(0000000F,00000031,00000000,00000000), ref: 0026D823
SelectObject.GDI32(?,00000000), ref: 0026D82A
IsWindowEnabled.USER32(0000000F), ref: 0026D83B
GetSysColor.USER32(00000011), ref: 0026D847
SetTextColor.GDI32(?,00000000), ref: 0026D852
DrawTextExW.USER32(?,00000000,000000FF,?,00000010,00000000), ref: 0026D8AC
DrawTextExW.USER32(?,00000000,000000FF,?,?,00000000), ref: 0026D915
SetTextColor.GDI32(?,?), ref: 0026D925
GetFocus.USER32 ref: 0026D989
DrawFocusRect.USER32(?,?), ref: 0026DA16

Part of subcall function 0023325B: __EH_prolog3.LIBCMT ref: 00233262
Part of subcall function 0023325B: BitBlt.GDI32(00000001,?,?,?,?,?,?,?,00CC0020), ref: 00233291
Part of subcall function 0023325B: SelectObject.GDI32(?,?), ref: 0023329C
Part of subcall function 0023325B: DeleteDC.GDI32(00000000), ref: 002332BC

Part of subcall function 002335DE: __EH_prolog3.LIBCMT ref: 002335E5

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Text$Rect$Color$DrawH_prolog3Window$BrushFocusMessageObjectSelectSend$CapsClientDeleteDeviceEmptyEnabledFillLengthParentValidate
String ID:
API String ID: 3776431036-0
Opcode ID: c4eb74a701679bb32edc4db25d3ac2e4f289a511f0728c8d2217616f22963a0a
Instruction ID: fb6b3fc1d640268031af8a14fa5d29aaa8f71777b95c074768d9ad0819421efb
Opcode Fuzzy Hash: c4eb74a701679bb32edc4db25d3ac2e4f289a511f0728c8d2217616f22963a0a
Instruction Fuzzy Hash: 30B19971A18385AFCB11DF64C884A5BBBE9FF85300F04892DF9A5972A0D731D955CB42

Function 00249C18 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 174COMMON

Download Yara Rule

APIs

SetWindowRgn.USER32(?,00000000,00000001), ref: 00249C65
GetWindowRect.USER32(?,?), ref: 00249C88
IsZoomed.USER32(?), ref: 00249C99
MonitorFromWindow.USER32(?,00000002), ref: 00249CA8
GetMonitorInfoW.USER32 ref: 00249CBC
CopyRect.USER32(?,?), ref: 00249CCC
OffsetRect.USER32(?,?,?), ref: 00249CE5
CreateRectRgnIndirect.GDI32(?), ref: 00249CF0

Part of subcall function 002492F4: __EH_prolog3.LIBCMT ref: 002492FB

OffsetRect.USER32(?,?,?), ref: 00249D0B
CreateRectRgn.GDI32(?,?,?,?), ref: 00249D26
CreatePolygonRgn.GDI32(?,?,00000001), ref: 00249D6B
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00249DB1
GetWindowRgn.USER32(?,00000000), ref: 00249DC1
EqualRgn.GDI32(?,00000000), ref: 00249DD0
SetWindowRgn.USER32(?,?,00000001), ref: 00249DE3
DeleteObject.GDI32(00000000), ref: 00249DFC
DeleteObject.GDI32(?), ref: 00249E15

Strings

(, xrefs: 00249CB4

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Rect$Window$Create$DeleteMonitorObjectOffset$CopyEqualFromH_prolog3IndirectInfoPolygonZoomed
String ID: (
API String ID: 2066328393-3887548279
Opcode ID: 770c584f937c8ba163047dcca69988574050986e91cdb8ce36abc7d7de5bde0e
Instruction ID: 77f41644b6fa0bd03af8a513c30deea3ccd7bf17521626f61aa94fcd30d55a33
Opcode Fuzzy Hash: 770c584f937c8ba163047dcca69988574050986e91cdb8ce36abc7d7de5bde0e
Instruction Fuzzy Hash: 90615771818342EFD715DF65C88995BBBE8FF88350F000A2EF59692260D730D994CF52

Function 00280048 Relevance: 30.2, APIs: 13, Strings: 4, Instructions: 420registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?), ref: 00280696

Strings

Delete, xrefs: 002800DD
Val, xrefs: 00280206
ForceRemove, xrefs: 002800F9
NoRemove, xrefs: 002801D9

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Close
String ID: Delete$ForceRemove$NoRemove$Val
API String ID: 3535843008-1781481701
Opcode ID: bd589e84b88bf1a4f0a74ec9654e4918bc097b6bef4b61cabdac35028c846af6
Instruction ID: 1141aed624457dff6bdc6664e3dff05f2cd2dc809d49c50fbb2c31d7c192ae22
Opcode Fuzzy Hash: bd589e84b88bf1a4f0a74ec9654e4918bc097b6bef4b61cabdac35028c846af6
Instruction Fuzzy Hash: 1A025975C2226AFBCF71BFA49DC959CB7B4AB58300F0441EAE509A3290D7354EA8CF51

Function 002B1AD7 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 181stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002B1AFD
GetVersionExW.KERNEL32(?,?,?,?), ref: 002B1B1A
_memset.LIBCMT ref: 002B1B32
GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 002B1B47
lstrlenW.KERNEL32(?,?,?,?,?,?,?), ref: 002B1B80
lstrcpynW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?), ref: 002B1B9D

Strings

>> , xrefs: 002B1D46
MinorVersion: %u;, xrefs: 002B1BF3
SuiteMask: %u;, xrefs: 002B1CFD
MajorVersion: %u;, xrefs: 002B1BC8
PlatformId: %u;, xrefs: 002B1C49
CSDVersion: %s;, xrefs: 002B1C75
ServicePackMajor: %u;, xrefs: 002B1CA9
ServicePackMinor: %u;, xrefs: 002B1CD3
ProductType: %u;, xrefs: 002B1D27
BuildNumber: %u;, xrefs: 002B1C1E
<< OS Version: , xrefs: 002B1BA5

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Version_memset$lstrcpynlstrlen
String ID: >> $ BuildNumber: %u;$ CSDVersion: %s;$ MajorVersion: %u;$ MinorVersion: %u;$ PlatformId: %u;$ ProductType: %u;$ ServicePackMajor: %u;$ ServicePackMinor: %u;$ SuiteMask: %u;$<< OS Version:
API String ID: 2900174237-2992633168
Opcode ID: 63e1b71f166b2b4bccdcf1117b0be3c0d91bf752cbd82957f6eb94328b288028
Instruction ID: 3ea2ee73e2425b2f3f42fb7bdd48a7accbad47f8681437ebbcadc7bab76c0633
Opcode Fuzzy Hash: 63e1b71f166b2b4bccdcf1117b0be3c0d91bf752cbd82957f6eb94328b288028
Instruction Fuzzy Hash: 38615EB5A41228AFDB12EB68CC46FDEB7BCAF09704F044091F50CE6252D635EB648F51

Function 0023CAEC Relevance: 28.4, APIs: 3, Strings: 13, Instructions: 421COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0023CAF6

Part of subcall function 002CCA1E: __EH_prolog3_GS.LIBCMT ref: 002CCA28

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

_wcslen.LIBCMT ref: 0023CBE5
_wcslen.LIBCMT ref: 0023CC0A

Strings

"', ', xrefs: 0023CEBB
AND , xrefs: 0023CE41
XZ3, xrefs: 0023CC04
') TEMPORARY, xrefs: 0023CF69
EndDialog, xrefs: 0023CCE1
Dialog, xrefs: 0023CB39, 0023CB3E, 0023CB4E
= ", xrefs: 0023CE8B
Control_Default, xrefs: 0023CB25
`Dialog_`=', xrefs: 0023CBC0
INSERT INTO `ControlEvent` (`Dialog_`, `Control_`,`Event`,`Argument`, `Condition`, `Ordering`) VALUES (', xrefs: 0023CD03
ControlEvent, xrefs: 0023CC31
', ', xrefs: 0023CCB7, 0023CD1F, 0023CD5C, 0023CD92, 0023CDDB
' AND `Control_`=', xrefs: 0023CBDF, 0023CBE4

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3__wcslen$char_traits
String ID: = "$ AND $"', '$' AND `Control_`='$') TEMPORARY$', '$ControlEvent$Control_Default$Dialog$EndDialog$INSERT INTO `ControlEvent` (`Dialog_`, `Control_`,`Event`,`Argument`, `Condition`, `Ordering`) VALUES ('$XZ3$`Dialog_`='
API String ID: 3879366661-3024541762
Opcode ID: fa2f157a10da99b795e0157ff75c1793417256c87e076ed274ce9bb765634b58
Instruction ID: e10630219de7e48760191b1cff3b4149f8b8ea864b282dc5ae6b92c9e1024143
Opcode Fuzzy Hash: fa2f157a10da99b795e0157ff75c1793417256c87e076ed274ce9bb765634b58
Instruction Fuzzy Hash: 31F146B1C10258AADF21EBA4DC85FEEBB78AF11304F2441A9F145B7192DA701F68DF61

Function 002A4A93 Relevance: 26.7, APIs: 3, Strings: 12, Instructions: 409windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0024D307: __EH_prolog3.LIBCMT ref: 0024D30E

RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,?,0000005C,?,?,?,?,00000004,00000000,?,?,?), ref: 002A4C0D

Part of subcall function 002BD311: LoadLibraryW.KERNEL32(kernel32.dll,00000008,?,?,002BD3C0,002ACB83,0000005C,0000003F,0000000C,?,00000004,?,000000FF,00000000,?,002AC81B), ref: 002BD328
Part of subcall function 002BD311: FreeLibrary.KERNEL32(00000000,?,?,002BD3C0,002ACB83,0000005C,0000003F,0000000C,?,00000004,?,000000FF,00000000,?,002AC81B,?), ref: 002BD33E
Part of subcall function 002BD311: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 002BD35B
Part of subcall function 002BD311: GetProcAddress.KERNEL32(Wow64RevertWow64FsRedirection), ref: 002BD36D
Part of subcall function 002BD311: GetProcAddress.KERNEL32(IsWow64Process), ref: 002BD37F
Part of subcall function 002BD311: GetCurrentProcess.KERNEL32(00000000,?,?,002BD3C0,002ACB83,0000005C,0000003F,0000000C,?,00000004,?,000000FF), ref: 002BD38F

Part of subcall function 002989A0: _wcsrchr.LIBCMT ref: 002989D3

Part of subcall function 0027D094: __EH_prolog3.LIBCMT ref: 0027D09B

_wcslen.LIBCMT ref: 002A4AED

Part of subcall function 00298960: _wcsrchr.LIBCMT ref: 00298965

Part of subcall function 002335DE: __EH_prolog3.LIBCMT ref: 002335E5

MessageBoxW.USER32(00000000,?,00000002,00000044), ref: 002A4D9E

Part of subcall function 00235A6E: __EH_prolog3.LIBCMT ref: 00235A75

Part of subcall function 00299410: FindFirstFileW.KERNELBASE(?,?,D7557A70,?,?), ref: 00299469
Part of subcall function 00299410: FindClose.KERNELBASE(00000000), ref: 0029949E

Strings

%s AI_SETUPEXEPATH="%s" SETUPEXEDIR="%s", xrefs: 002A4EF0
/p //, xrefs: 002A4E16
TRANSFORMS="%s", xrefs: 002A4D4B
TRANSFORMS=":%d", xrefs: 002A4C44
.x64, xrefs: 002A4AE7, 002A4AEC, 002A4AF7
"%s" , xrefs: 002A4E8B
/i //, xrefs: 002A4E31, 002A4E36
TRANSFORMS="%s\%d", xrefs: 002A4CD9
TRANSFORMS="%s;%s\%d", xrefs: 002A4CC0
/fvomus //, xrefs: 002A4E2A
EXE_CMD_LINE="%s ", xrefs: 002A4F3C
.mst, xrefs: 002A4C63, 002A4D09

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$AddressProc$FindLibrary_wcsrchr$CloseCurrentExceptionFileFirstFreeLoadMessageProcessRaise_wcslen
String ID: "%s" $ /fvomus //$ /i //$ /p //$ EXE_CMD_LINE="%s "$ TRANSFORMS="%s"$ TRANSFORMS="%s;%s\%d"$ TRANSFORMS="%s\%d"$ TRANSFORMS=":%d"$%s AI_SETUPEXEPATH="%s" SETUPEXEDIR="%s"$.mst$.x64
API String ID: 3764074632-2225827678
Opcode ID: 05d3c0f23adf66603eeed8d7b39c9d4761210d2f27fb9d38e6b6543080911cd6
Instruction ID: 788dd74718e6c69968f836937ff87f83f42b6d415b5d124a94f74bf04bc7ad39
Opcode Fuzzy Hash: 05d3c0f23adf66603eeed8d7b39c9d4761210d2f27fb9d38e6b6543080911cd6
Instruction Fuzzy Hash: 34E1AE71920209ABCF05FFA0D886AEE7BB9AF55304F404065F905A71A2DF70DB65CFA1

Function 00268B31 Relevance: 26.6, APIs: 9, Strings: 6, Instructions: 351windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(-00000188,0000110A,00000004,?), ref: 00268C08
SendMessageW.USER32(-00000188,0000110A,00000001,?), ref: 00268C7F
_wcslen.LIBCMT ref: 00268C8F
_wcslen.LIBCMT ref: 00268CAA
_wcslen.LIBCMT ref: 00268CD2
_wcslen.LIBCMT ref: 00268CF8
_wcslen.LIBCMT ref: 00268E16
_wcslen.LIBCMT ref: 00268E31

Part of subcall function 0023DAAA: std::_String_base::_Xlen.LIBCPMT ref: 0023DAF3
Part of subcall function 0023DAAA: char_traits.LIBCPMT ref: 0023DB30

_wcslen.LIBCMT ref: 00268E59

Strings

Neg, xrefs: 00268CCC, 00268CD1, 00268CF2, 00268CF7, 00268E53, 00268E58
Sel, xrefs: 00268BA7
Pos, xrefs: 00268CC5, 00268CEB, 00268E4C
Child, xrefs: 00268E10, 00268E15
Cost, xrefs: 00268CA4, 00268CA9, 00268E2B, 00268E30
Parent, xrefs: 00268C89, 00268C8E

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: _wcslen$MessageSend$String_base::_Xlenchar_traitsstd::_
String ID: Child$Cost$Neg$Parent$Pos$Sel
API String ID: 2061956078-107250081
Opcode ID: 64c353fd943aebd1ea4e730ac52545303f9ac645bb8d3f8b8c0523d57deaecab
Instruction ID: c8a873bd0c4bd8cb60dabf7a41b35e1ec688df44c9a9e570e717d6780de3552b
Opcode Fuzzy Hash: 64c353fd943aebd1ea4e730ac52545303f9ac645bb8d3f8b8c0523d57deaecab
Instruction Fuzzy Hash: 95D19271118390DFD721EB24CC85F9BB7E8EF95314F004A2DF58997291CBB09995CBA2

Function 0024622E Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 224threadwindowCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0024624D
GetDC.USER32(?), ref: 0024625F
GetSystemMetrics.USER32(0000000C), ref: 002462A6
GetSystemMetrics.USER32(0000000B), ref: 002462AB
LoadImageW.USER32(?,00000080,00000001,00000000), ref: 002462B8
GetSystemMetrics.USER32(00000032), ref: 002462D4
GetSystemMetrics.USER32(00000031), ref: 002462D9
LoadImageW.USER32(?,00000080,00000001,00000000), ref: 002462E8

Part of subcall function 00253A08: __EH_prolog3.LIBCMT ref: 00253A0F

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

GetCurrentThreadId.KERNEL32 ref: 002463DE
GetDC.USER32(?), ref: 0024641F
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00246428
MulDiv.KERNEL32(00000010,00000000,00000060), ref: 00246433
SendMessageW.USER32(?,00000127,00030003,00000000), ref: 0024645E

Strings

AI_HIDE_CAPTION_ICON_AND_TEXT, xrefs: 00246377
AI_HIDE_CAPTION_ICON_AND_TEXT_ALL, xrefs: 002462F8

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: MetricsSystem$ImageLoad$CapsCurrentDeviceH_prolog3H_prolog3_catchMessageSendThreadchar_traits
String ID: AI_HIDE_CAPTION_ICON_AND_TEXT$AI_HIDE_CAPTION_ICON_AND_TEXT_ALL
API String ID: 2579799748-1831360935
Opcode ID: 05358d163160a0fe5f9396326fc8844ce15399b423e6e8a4da248c297fa254cb
Instruction ID: 945a1ad486e3f6187aadcf0f769f2c19e69ed73d12224d4df3fb59347ec65a72
Opcode Fuzzy Hash: 05358d163160a0fe5f9396326fc8844ce15399b423e6e8a4da248c297fa254cb
Instruction Fuzzy Hash: 53918B74900249EFDB15EF60DC89AEDBBA8FF05300F048198F9499B2A1CB706A58CF91

Function 002DC630 Relevance: 24.8, APIs: 3, Strings: 11, Instructions: 294COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002DC63A
GetCurrentProcessId.KERNEL32(CLIENTPROCESSID,000000F4,002DB88D,?,?,?,?,00000004,?,000002F4,002E2500,?,?,?,?,002E26B6), ref: 002DC65A

Part of subcall function 002DCB17: __EH_prolog3.LIBCMT ref: 002DCB1E

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

GetCurrentProcessId.KERNEL32(CHAINERUIPROCESSID,00000001,00000000,00000001,00000000,?,?,00000000,?,?,002E26B6,?,0000023C,002E2081,00000001,00000000), ref: 002DC6B7

Part of subcall function 0023DEAD: __EH_prolog3.LIBCMT ref: 0023DEB4

Part of subcall function 002F0E33: __EH_prolog3.LIBCMT ref: 002F0E3A

Strings

SECONDSEQUENCE, xrefs: 002DC7F3
ADDDEFAULT, xrefs: 002DC9F3
REMOVE, xrefs: 002DC94E
CLIENTUILEVEL, xrefs: 002DC854
EXECUTEACTION, xrefs: 002DC783
CLIENTPROCESSID, xrefs: 002DC63F
ACTION, xrefs: 002DC72A
ADDSOURCE, xrefs: 002DC9BD
CHAINERUIPROCESSID, xrefs: 002DC6A0
ADVERTISE, xrefs: 002DC987
ADDLOCAL, xrefs: 002DC912

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$CurrentProcess$H_prolog3_char_traits
String ID: ACTION$ADDDEFAULT$ADDLOCAL$ADDSOURCE$ADVERTISE$CHAINERUIPROCESSID$CLIENTPROCESSID$CLIENTUILEVEL$EXECUTEACTION$REMOVE$SECONDSEQUENCE
API String ID: 2400660014-3644203557
Opcode ID: 8714250ee473032991b6c3980a75f5fa86c9c6e57cb4bc4d22b716a8156e92a9
Instruction ID: 5ff66fcc197f86e8f02c530ee92ecb81eeb415e191e066d127d2752335bd7f15
Opcode Fuzzy Hash: 8714250ee473032991b6c3980a75f5fa86c9c6e57cb4bc4d22b716a8156e92a9
Instruction Fuzzy Hash: AFC148B1821158EAEB11EB60DD92FEEBB7CAF11348F1442D8B14667182DB701F58DF61

Function 002BE383 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 198windowCOMMON

Download Yara Rule

APIs

SetWindowTextW.USER32(?,?), ref: 002BE399

Part of subcall function 002AD897: GetSystemMetrics.USER32(0000000C), ref: 002AD8AD
Part of subcall function 002AD897: GetSystemMetrics.USER32(0000000B), ref: 002AD8B2
Part of subcall function 002AD897: LoadImageW.USER32(00230000,00000080,00000001,00000000,?,?), ref: 002AD8C4
Part of subcall function 002AD897: SendMessageW.USER32(000000FF,00000080,00000001,00000000), ref: 002AD8D8
Part of subcall function 002AD897: GetSystemMetrics.USER32(00000032), ref: 002AD8E7
Part of subcall function 002AD897: GetSystemMetrics.USER32(00000031), ref: 002AD8EC
Part of subcall function 002AD897: LoadImageW.USER32(?,00000080,00000001,00000000,?,?), ref: 002AD8F6
Part of subcall function 002AD897: SendMessageW.USER32(000000FF,00000080,00000000,00000000), ref: 002AD900

GetDlgItem.USER32(?,?), ref: 002BE3B1
SendMessageW.USER32(00000000,00000170,00000000,00000000), ref: 002BE3C6

Part of subcall function 0024D493: GetWindowLongW.USER32(000000FF,000000F0), ref: 0024D4A9
Part of subcall function 0024D493: GetParent.USER32(000000FF), ref: 0024D4BF
Part of subcall function 0024D493: GetWindowRect.USER32(000000FF,00000000), ref: 0024D4D6
Part of subcall function 0024D493: GetWindowLongW.USER32(00000000,000000F0), ref: 0024D4F1
Part of subcall function 0024D493: MonitorFromWindow.USER32(000000FF,00000002), ref: 0024D516

SetForegroundWindow.USER32(?), ref: 002BE3D0
GetDlgItem.USER32(?,00000412), ref: 002BE3DD
__wcsupr_s_l.LIBCMT ref: 002BE456

Part of subcall function 002FAF61: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 002FAF70
Part of subcall function 002FAF61: _wcsupr_s_l_stat.LIBCMT ref: 002FAF7F

GetStringTypeW.KERNEL32(00000002,?,00000000,00000000,?,00000008,?), ref: 002BE4A9
SendMessageW.USER32(?,00000143,00000000,?), ref: 002BE542
SendMessageW.USER32(?,00000151,00000000,?), ref: 002BE552
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 002BE58B
SendMessageW.USER32(?,0000014E,?,00000000), ref: 002BE5AB

Part of subcall function 002BE60A: GetLocaleInfoW.KERNEL32(?,?,00334684,00000000,?,75C05540,?,002BE417,?,00000004,00000000), ref: 002BE623
Part of subcall function 002BE60A: GetLocaleInfoW.KERNEL32(?,?,00000000,00000000,-00000001,?,002BE417,?,00000004,00000000), ref: 002BE644

Part of subcall function 002BE64E: GetLocaleInfoA.KERNEL32(?,00001001,003341BC,00000000,?,75C05540,?,002BE439,?,00000004,00000000), ref: 002BE663
Part of subcall function 002BE64E: _memset.LIBCMT ref: 002BE686
Part of subcall function 002BE64E: GetLocaleInfoA.KERNEL32(?,00001001,-00000010,00000000,?,002BE439,?,00000004,00000000), ref: 002BE6B5

Part of subcall function 002FAB6C: __calloc_crt.LIBCMT ref: 002FAB85

Part of subcall function 0027E5ED: __EH_prolog3.LIBCMT ref: 0027E5F4

Strings

(%s) %s, xrefs: 002BE504
(%s (%s, xrefs: 002BE4ED
%s (%s), xrefs: 002BE514

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: MessageSend$LocaleWindow$InfoMetricsSystem$ImageItemLoadLong$ForegroundFromH_prolog3MonitorParentRectStringTextTypeUpdateUpdate::___calloc_crt__wcsupr_s_l_memset_wcsupr_s_l_stat
String ID: %s (%s)$(%s (%s$(%s) %s
API String ID: 1021556110-2136248406
Opcode ID: b56bb2bf536838a4c1e9e4eb526652ad64d7c00a181e6ee947204bd8cc23c690
Instruction ID: 6e17b729dba2888b1085d109eb0bba03bf839ec4088921a5702851b8e054b29f
Opcode Fuzzy Hash: b56bb2bf536838a4c1e9e4eb526652ad64d7c00a181e6ee947204bd8cc23c690
Instruction Fuzzy Hash: 8A617E75910209EBDF01EFA4CC86EEEBBB9EF08340F114065F605AB1A1EB719A60DF50

Function 0024D493 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(000000FF,000000F0), ref: 0024D4A9
GetParent.USER32(000000FF), ref: 0024D4BF
GetWindow.USER32(000000FF,00000004), ref: 0024D4C7
GetWindowRect.USER32(000000FF,00000000), ref: 0024D4D6
GetWindowLongW.USER32(00000000,000000F0), ref: 0024D4F1
MonitorFromWindow.USER32(000000FF,00000002), ref: 0024D516
GetMonitorInfoW.USER32(00000000,?), ref: 0024D533
GetWindowRect.USER32(00000000,00000000), ref: 0024D560
SetWindowPos.USER32(000000FF,00000000,002C44BD,000000FF,000000FF,000000FF,00000015,?,?,002C5C7D,?,?,?,002C5BB3,000000FF,?), ref: 0024D60B

Strings

(, xrefs: 0024D52C

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Window$LongMonitorRect$FromInfoParent
String ID: (
API String ID: 1468510684-3887548279
Opcode ID: 88cf4bbdd46d8735ae85d363dbc077b5b09e21168594003e6645fcc7c0ab82e2
Instruction ID: 1f60117ad50b43ff304c7f7a7bacce6850db14ac865f243dc781d6491e86e43b
Opcode Fuzzy Hash: 88cf4bbdd46d8735ae85d363dbc077b5b09e21168594003e6645fcc7c0ab82e2
Instruction Fuzzy Hash: 85516C31A1010AAFDF16CFA9CC88AEDBBB9EF48314F558124E911B71A4DB70AD54CF50

Function 002DD96B Relevance: 24.6, APIs: 1, Strings: 13, Instructions: 104COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002DD972

Part of subcall function 002E4A9B: __EH_prolog3_GS.LIBCMT ref: 002E4AA5
Part of subcall function 002E4A9B: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 002E4AB6

Part of subcall function 002DDFB7: __EH_prolog3.LIBCMT ref: 002DDFBE

Strings

FASTOEM denied: Per User Installation, xrefs: 002DD9FA
FASTOEM denied: Not FirstTime Install, xrefs: 002DDA2F
AiPreferFastOem, xrefs: 002DD98A
FASTOEM denied: Some features are being removed, xrefs: 002DDA9E
REMOVE, xrefs: 002DDA89
FASTOEM denied: Some features are advertised, xrefs: 002DDA7F
FASTOEM denied: Some isolated components are being installed, xrefs: 002DDAB8
FASTOEM denied: Some features run from source, xrefs: 002DDA63
AI_INSTALL, xrefs: 002DDA0B
ADDSOURCE, xrefs: 002DDA4E
OLDPRODUCTS, xrefs: 002DDA1A
ADVERTISE, xrefs: 002DDA6A
FASTOEM denied: Install On other drive than extract drive, xrefs: 002DDA47

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$DirectoryH_prolog3_System
String ID: ADDSOURCE$ADVERTISE$AI_INSTALL$AiPreferFastOem$FASTOEM denied: Install On other drive than extract drive$FASTOEM denied: Not FirstTime Install$FASTOEM denied: Per User Installation$FASTOEM denied: Some features are advertised$FASTOEM denied: Some features are being removed$FASTOEM denied: Some features run from source$FASTOEM denied: Some isolated components are being installed$OLDPRODUCTS$REMOVE
API String ID: 4053871038-3511747737
Opcode ID: 4abd2a2581ea25270f5e77154a58565b3d5e1e5bc2ce44c4989e998ba0178748
Instruction ID: 671f2a4a566523bb4cb4cb0cd763b885ae62216c350cf23c1f97814ef37b8e07
Opcode Fuzzy Hash: 4abd2a2581ea25270f5e77154a58565b3d5e1e5bc2ce44c4989e998ba0178748
Instruction Fuzzy Hash: A031C3312F4F01BADF12AFA08952BFCB7656F12B10F144246F5453A3D28B922C79AB52

Function 00274165 Relevance: 24.3, APIs: 16, Instructions: 324COMMON

Download Yara Rule

APIs

RedrawWindow.USER32(?,00000000,00000000,00000507), ref: 002741DF
IsWindow.USER32(?), ref: 002741EF
GetSysColor.USER32(00000005), ref: 0027423D
GetWindowLongW.USER32(?,000000F0), ref: 002742D5

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Window$ColorLongRedraw
String ID:
API String ID: 4056730343-0
Opcode ID: 39e7808eb70a5a95f5313d67344b239a64dca20a60642c9556b2dc6c676aa5fc
Instruction ID: b0c20afccd2aefd955a9e606167e66008017a209a6ef2dec55a49fb93eaa5f5e
Opcode Fuzzy Hash: 39e7808eb70a5a95f5313d67344b239a64dca20a60642c9556b2dc6c676aa5fc
Instruction Fuzzy Hash: 22C1CF70518342DFDB10EF64C884B6BBBE8EF84714F50891DF898972A1C774E969CB62

Function 0024826A Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 217windowtimeCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000432,00000000,0000002C), ref: 002483C7
SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 002483D8
SendMessageW.USER32(?,00000421,?,?), ref: 002483EA
SendMessageW.USER32(?,00000418,00000000,0000012C), ref: 002483FB
GetWindowTextLengthW.USER32(?), ref: 002483FE
SendMessageW.USER32(?,000000D6,-00000001,00000000), ref: 0024840E
ClientToScreen.USER32(?,?), ref: 00248431
GetWindowRect.USER32(?,?), ref: 0024844F
PtInRect.USER32(?,0000000A,0000000A), ref: 00248462
SendMessageW.USER32(?,00000412,00000000,?), ref: 002484B8
SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 002484C9
SetTimer.USER32(?,?,00001388,00000000), ref: 002484E7

Strings

,, xrefs: 0024836E

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: MessageSend$RectWindow$ClientLengthScreenTextTimer
String ID: ,
API String ID: 1047467966-3772416878
Opcode ID: dc293cf3d43eb6078ad3f9a8fb9273fff9bf84420cf1a02ee7e40d31f73e3e78
Instruction ID: e74f1893972595709b32c2936d1d7090eaa787fe6e32ef00096f79c3b1c88eab
Opcode Fuzzy Hash: dc293cf3d43eb6078ad3f9a8fb9273fff9bf84420cf1a02ee7e40d31f73e3e78
Instruction Fuzzy Hash: C6816AB1624712AFC715CF64CC81A5ABBE8FB88B10F004A2EF995D7290D770E950CF92

Function 0026118B Relevance: 23.0, APIs: 9, Strings: 4, Instructions: 205stringCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00261192
GetClassNameW.USER32(?,?,00000008), ref: 002611B5
lstrcmpiW.KERNEL32(?,static), ref: 002611C8

Part of subcall function 0024D38B: GetWindowLongW.USER32(-00000004,000000F0), ref: 0024D395

GetWindowLongW.USER32(?,000000F0), ref: 002611E4
LoadCursorW.USER32(00000000,00007F89), ref: 0026122D
GetWindowTextLengthW.USER32(?), ref: 00261279
GetWindowTextW.USER32(000000FF,?,00000001), ref: 002612CB

Strings

Anchor Color Visited, xrefs: 002613A2
Anchor Color, xrefs: 00261374
static, xrefs: 002611BF
Software\Microsoft\Internet Explorer\Settings, xrefs: 00261347

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Window$LongText$ClassCursorH_prolog3_catch_LengthLoadNamelstrcmpi
String ID: Anchor Color$Anchor Color Visited$Software\Microsoft\Internet Explorer\Settings$static
API String ID: 462771911-2739629574
Opcode ID: e05675f5748083838494577c32fa33f2c96666fc5fb44bab8b994181196e95a8
Instruction ID: 801eab8e681fd64c2e84ad233be8c998f005d35a5f613b193c7a0cfee7eca0b4
Opcode Fuzzy Hash: e05675f5748083838494577c32fa33f2c96666fc5fb44bab8b994181196e95a8
Instruction Fuzzy Hash: CC718D709203159BDF26DFA8C8C5AADB7F9EF45300F28465AE902E61A5D770ACF5CB01

Function 0027D913 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 146fileCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0027D91A

Part of subcall function 00233634: __EH_prolog3.LIBCMT ref: 0023363B

Part of subcall function 00235A6E: __EH_prolog3.LIBCMT ref: 00235A75

Part of subcall function 00298DF0: GetTempPathW.KERNEL32(00000104,?,?), ref: 00298E14

Part of subcall function 002335DE: __EH_prolog3.LIBCMT ref: 002335E5

Part of subcall function 0027D871: _wcslen.LIBCMT ref: 0027D87D

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,.bat,?,EXE,?,00000058,002A8C8A,?,?), ref: 0027D98D
CloseHandle.KERNEL32(00000000), ref: 0027D9A9
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?), ref: 0027DA0A
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 0027DA33
ShellExecuteW.SHELL32(00000000,open,?,00000000,?,00000000), ref: 0027DA63

Strings

@echo off ATTRIB -r "%s" :try del "%s" if exist "%s" goto tryATTRIB -r "%s" del "%s" | cls, xrefs: 0027D9DF, 0027D9F0
open, xrefs: 0027DA5D
EXE, xrefs: 0027D945
@echo off ATTRIB -r "%s" :try rd "%s" if exist "%s" goto tryATTRIB -r "%s" del "%s" | cls, xrefs: 0027D9D8
.bat, xrefs: 0027D96E

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$CloseFileHandle$CreateExecutePathShellTempWrite_wcslen
String ID: .bat$@echo off ATTRIB -r "%s" :try del "%s" if exist "%s" goto tryATTRIB -r "%s" del "%s" | cls$@echo off ATTRIB -r "%s" :try rd "%s" if exist "%s" goto tryATTRIB -r "%s" del "%s" | cls$EXE$open
API String ID: 1354840372-3111465278
Opcode ID: c22f1c7cc00876138d4b9e1ce75490c3142aa9ba27bfb9b11b98dbbd22161ead
Instruction ID: d89ccdbd791f559347f4d994b3386e222bc1497a279dd74f7c68e45284d03a7d
Opcode Fuzzy Hash: c22f1c7cc00876138d4b9e1ce75490c3142aa9ba27bfb9b11b98dbbd22161ead
Instruction Fuzzy Hash: 39517DB0C10259EFCF01EBE4C889AEEBFB8AF09310F548095F504AB292D7748A15CB61

Function 00259C76 Relevance: 22.7, APIs: 15, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Rect$MetricsPaintSystem$BeginBrushClientColorCreateDeleteFillH_prolog3_ObjectSolid
String ID:
API String ID: 1740118643-0
Opcode ID: f7c9b8a913ae72fc4270460155b2cc6cdc1f141640ed3e88207f2c96976c18ea
Instruction ID: 45f6fcf942dee34a980313155582d17a6b334698e8892cd0f269d20c9ac26713
Opcode Fuzzy Hash: f7c9b8a913ae72fc4270460155b2cc6cdc1f141640ed3e88207f2c96976c18ea
Instruction Fuzzy Hash: B37166B152161AEFCB11AF14CD82AAA7BA8FB09325F000515FC0593651C771ECB8DFE9

Function 002C2135 Relevance: 21.3, APIs: 14, Instructions: 301COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000000), ref: 002C2166
GetWindowRect.USER32(00000000,00000000), ref: 002C2174
MapWindowPoints.USER32(00000000,?,00000000,00000002), ref: 002C2193
MulDiv.KERNEL32(?,?,?), ref: 002C21F5
MulDiv.KERNEL32(?,?,?), ref: 002C2224
GetDlgItem.USER32(?,?), ref: 002C223E
GetWindowRect.USER32(00000000,00000000), ref: 002C225A
MapWindowPoints.USER32(00000000,?,00000000,00000002), ref: 002C226E
MulDiv.KERNEL32(?,?,002BDD54), ref: 002C22F7
MulDiv.KERNEL32(?,?,002BDD54), ref: 002C2322
GetDlgItem.USER32(?,?), ref: 002C2341
GetWindowRect.USER32(00000000,00000000), ref: 002C235D
MapWindowPoints.USER32(00000000,?,00000000,00000002), ref: 002C2371

Part of subcall function 00233176: SetWindowPos.USER32(?,?,?,?,?,?,W$,,00000000,002C2457,?,00000000,00000014), ref: 00233198

InvalidateRect.USER32(?,00000000,00000001), ref: 002C243B

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Window$Rect$ItemPoints$Invalidate
String ID:
API String ID: 687973450-0
Opcode ID: 15aaf925c7dc1a1e83c8913ed36149df9e5cab624114c1debece1468cca8eecb
Instruction ID: 2fd58e17ea5fd722a92e9ab26ea2e39acae6d4b6be41bac2545b2e5adc6f7c48
Opcode Fuzzy Hash: 15aaf925c7dc1a1e83c8913ed36149df9e5cab624114c1debece1468cca8eecb
Instruction Fuzzy Hash: 6CC14F7661020ADFCB14CFACC989F9EBBF5AF48300F088618E955EB255CB30E955CB50

Function 00279B57 Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 162COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00279B5E

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Strings

MsiPublishEvents, xrefs: 00279C8C
MessageBox, xrefs: 00279CBE
MsiGetBinaryPathIndirect, xrefs: 00279C5A
MsiResolveFormatted, xrefs: 00279BF6
GetFontHeight, xrefs: 00279D54
MsiGetBytesCountText, xrefs: 00279CF0
MsiGetBinaryPath, xrefs: 00279C28
MsiSetProperty, xrefs: 00279B63
MsiGetFormattedError, xrefs: 00279D22
MsiGetProperty, xrefs: 00279B96
MsiEvaluateCondition, xrefs: 00279BC4

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3char_traits
String ID: GetFontHeight$MessageBox$MsiEvaluateCondition$MsiGetBinaryPath$MsiGetBinaryPathIndirect$MsiGetBytesCountText$MsiGetFormattedError$MsiGetProperty$MsiPublishEvents$MsiResolveFormatted$MsiSetProperty
API String ID: 2538163586-3153392536
Opcode ID: a97871f3d1a169b0199dbaf5171a268b47a58384af39f2b13834049de44c8102
Instruction ID: c8311a449ee4400a34f39a56a982c4b8a1d5571311885b57926a2ebd21988eba
Opcode Fuzzy Hash: a97871f3d1a169b0199dbaf5171a268b47a58384af39f2b13834049de44c8102
Instruction Fuzzy Hash: 915193B2A61208EEC714EBA4DD86DDEFB389F49720F145258F116B20D1DB305B69CF60

Function 002B8D51 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000000,00000000,?), ref: 002B8D7E
GetTempFileNameW.KERNEL32(?,URL,00000000,?), ref: 002B8DA8
DeleteFileW.KERNEL32(?), ref: 002B8DBD

Part of subcall function 00235A6E: __EH_prolog3.LIBCMT ref: 00235A75

Part of subcall function 0027D871: _wcslen.LIBCMT ref: 0027D87D

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,.url,?,?), ref: 002B8DFC
WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,0000000C,?), ref: 002B8E55
CloseHandle.KERNEL32(00000000), ref: 002B8E62
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000005), ref: 002B8E7E
CloseHandle.KERNEL32(00000000,?,?,?,0000005C,?), ref: 002B8EDC

Strings

URL, xrefs: 002B8D9C
open, xrefs: 002B8E78
[InternetShortcut]URL=%s, xrefs: 002B8E35
.url, xrefs: 002B8DD6

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: File$CloseHandleTemp$CreateDeleteExecuteH_prolog3NamePathShellWrite_wcslen
String ID: .url$URL$[InternetShortcut]URL=%s$open
API String ID: 3833555449-868183136
Opcode ID: 59946c9b4664cae6d2f99777d568ae6acd9893c2b0576eede535df33f6c8d429
Instruction ID: 86e68e0cf261fbb07041f7a6168d22b59902127272c8821d0c82dc0ce2044455
Opcode Fuzzy Hash: 59946c9b4664cae6d2f99777d568ae6acd9893c2b0576eede535df33f6c8d429
Instruction Fuzzy Hash: 244154B2A1011DAFDB21EB60DCC5EEE73BCEB48354F800599F209E7151DA709E948F64

Function 002C5309 Relevance: 19.6, APIs: 13, Instructions: 112windowtimeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,00000001,?,00000000,002C4496,?,?,?,000000FF), ref: 002C537E
GetDlgItem.USER32(?,000003F6), ref: 002C5399
SetWindowTextW.USER32(00000000,00334684), ref: 002C53A8
GetDlgItem.USER32(?,00000407), ref: 002C53B2
SetWindowTextW.USER32(00000000,00334684), ref: 002C53B6
GetDlgItem.USER32(?,000003F3), ref: 002C53C0
EnableWindow.USER32(00000000,00000000), ref: 002C53C6

Part of subcall function 002BA047: GetDlgItem.USER32(?,?), ref: 002BA04E
Part of subcall function 002BA047: EnableWindow.USER32(00000000,000000FF), ref: 002BA05B

GetDlgItem.USER32(?,00000402), ref: 002C541E
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 002C5428
GetParent.USER32(?), ref: 002C543C
GetDlgItem.USER32(00000000,00003024), ref: 002C5440
GetParent.USER32(?), ref: 002C5447
PostMessageW.USER32(00000000,00000111,00003024,00000000), ref: 002C5451

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Item$Window$EnableMessageParentText$KillPostSendTimer
String ID:
API String ID: 4211057547-0
Opcode ID: 1a4df41c140f1975435727eb6150b6d72cf4f4b08fedf4379c0f2be508a50810
Instruction ID: b2ffd113e77e27933ad49db9b6ba76e30f80711de3dd8ba65fe56d2f0d7442b5
Opcode Fuzzy Hash: 1a4df41c140f1975435727eb6150b6d72cf4f4b08fedf4379c0f2be508a50810
Instruction Fuzzy Hash: 7B315A70650B05AFE7219B60DD86F677BA9EB44744F004828F6AA965A1C7B2FC509A20

Function 002ADC80 Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 205fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,?,?,002A1F0D,?,?), ref: 002ADC9E
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,002A1F0D,?,?,?,?,?,?,?), ref: 002ADCB6
ReadFile.KERNEL32(00000000,?,?,?,00000000,00000000,?,?,?,?,?,002A1F0D,?,?,?,?), ref: 002ADCEA
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,002A1F0D,?,?,?,?,?,?,?), ref: 002ADEF1

Strings

\m4, xrefs: 002ADD14
ServerFileName, xrefs: 002ADE3E
URL, xrefs: 002ADD91
No newer version found., xrefs: 002ADDF9
Found a newer version on server. Version found:, xrefs: 002ADE8D
Size, xrefs: 002ADDBB

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: File$CloseCreateHandleReadSize
String ID: Found a newer version on server. Version found:$No newer version found.$ServerFileName$Size$URL$\m4
API String ID: 3919263394-671226971
Opcode ID: 0df208bc6540c151128eb1417f2ea541b0bce6c52d08aa42fca7f0d0539584c5
Instruction ID: 0d2b692bd1435eb8909d9db588f89c4b83fc24c0a479dcbda0977197532d7143
Opcode Fuzzy Hash: 0df208bc6540c151128eb1417f2ea541b0bce6c52d08aa42fca7f0d0539584c5
Instruction Fuzzy Hash: A57160B2D2020AABCF10EFE4C9869EEB7B8AF09304F544466F111B7511DF74AA65CF60

Function 002E8CB6 Relevance: 19.3, APIs: 1, Strings: 10, Instructions: 82COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002E8CBD

Part of subcall function 002EA49D: __EH_prolog3_GS.LIBCMT ref: 002EA4A4

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Part of subcall function 002E96EF: __EH_prolog3.LIBCMT ref: 002E96F6

Strings

SubActionPrefix, xrefs: 002E8D85
AiIgnoredDataFromActions, xrefs: 002E8CF7
ActionTextDoneSuffix, xrefs: 002E8D75
ActionText, xrefs: 002E8DAA
ActionDataPrefix, xrefs: 002E8D25
ActionTextSuffix, xrefs: 002E8D55
ActionDataDoneSuffix, xrefs: 002E8D65
ActionTextPrefix, xrefs: 002E8D35
ActionDataSuffix, xrefs: 002E8D45
AiIgnoredSummaryActions, xrefs: 002E8CC4

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$H_prolog3_char_traits
String ID: ActionDataDoneSuffix$ActionDataPrefix$ActionDataSuffix$ActionText$ActionTextDoneSuffix$ActionTextPrefix$ActionTextSuffix$AiIgnoredDataFromActions$AiIgnoredSummaryActions$SubActionPrefix
API String ID: 3359205163-1294812868
Opcode ID: 1c5f39a5991008a26272658a404f05ab6c17fe9c214fb4ea52df456e281609f4
Instruction ID: 0589fb8d6e33b38e9b6ce87667a074aef9704d5fef73fa6ad671bb92de44cde7
Opcode Fuzzy Hash: 1c5f39a5991008a26272658a404f05ab6c17fe9c214fb4ea52df456e281609f4
Instruction Fuzzy Hash: E8316A71471714ABC711EBA2DD46DEEB7B8BF40710F40591AB0563A195DBB03A15CE90

Function 002F92D9 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,0034F038,0000000C,002F9414,00000000,00000000,?,?,002F9441,?,002F9159,?,?,0029393C,00293990,D7557A70), ref: 002F92EB
__crt_waiting_on_module_handle.LIBCMT ref: 002F92F6

Part of subcall function 002FB5F2: Sleep.KERNEL32(000003E8,00000000,?,002F923C,KERNEL32.DLL,?,002F9288,?,?,002F9441,?,002F9159,?,?,0029393C,00293990), ref: 002FB5FE
Part of subcall function 002FB5F2: GetModuleHandleW.KERNEL32(?,?,002F923C,KERNEL32.DLL,?,002F9288,?,?,002F9441,?,002F9159,?,?,0029393C,00293990,D7557A70), ref: 002FB607

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 002F931F
GetProcAddress.KERNEL32(?,DecodePointer), ref: 002F932F
__lock.LIBCMT ref: 002F9351
InterlockedIncrement.KERNEL32(00370B10), ref: 002F935E
__lock.LIBCMT ref: 002F9372
___addlocaleref.LIBCMT ref: 002F9390

Strings

EncodePointer, xrefs: 002F9313
DecodePointer, xrefs: 002F9327
KERNEL32.DLL, xrefs: 002F92E5, 002F92EA, 002F92F5

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: 03b8c99c843b037981109d774e46e1f41a1bf8e1aa521ef3bc78a8e4d98d1f90
Instruction ID: 74ddfa685c648d74f443f720d11b38186a360ab0c0787222df449e25108fdb6c
Opcode Fuzzy Hash: 03b8c99c843b037981109d774e46e1f41a1bf8e1aa521ef3bc78a8e4d98d1f90
Instruction Fuzzy Hash: 1C11E472900709EED722AF79D841BAAFBE4AF04350F10456DE59997290CB74AA90CF10

Function 002C4195 Relevance: 18.2, APIs: 12, Instructions: 180windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(-00000004,000000F0), ref: 002C41B7
GetWindowLongW.USER32(-00000004,000000EC), ref: 002C41E8
SetWindowLongW.USER32(-00000004,000000EC,00000000), ref: 002C41FC
SendMessageW.USER32(-00000004,0000007F,00000000,00000000), ref: 002C4208
SendMessageW.USER32(-00000004,00000080,00000000,00000000), ref: 002C421B
GetDlgItem.USER32(-00000004,0000E801), ref: 002C4228
IsWindow.USER32(00000000), ref: 002C4233
DestroyWindow.USER32(40000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 002C4253
GetClientRect.USER32(-00000004,?), ref: 002C4290

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Window$Long$MessageSend$ClientDestroyItemRect
String ID:
API String ID: 2199592267-0
Opcode ID: a9566b2f02596fd7f679ecb860515a4c6a43ba71ace4bae2c4a4ee7de72f1c3b
Instruction ID: 35fc2f001910d28e213b3280f357828dbca52e270834f20c9188316153a120ea
Opcode Fuzzy Hash: a9566b2f02596fd7f679ecb860515a4c6a43ba71ace4bae2c4a4ee7de72f1c3b
Instruction Fuzzy Hash: 58615774118301DFD711DF69C889A1BBBE4FF84320F148A6EF9A9C72A1D770C8148B52

Function 002C1C73 Relevance: 18.2, APIs: 12, Instructions: 180windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(-00000004,000000F0), ref: 002C1C95
GetWindowLongW.USER32(-00000004,000000EC), ref: 002C1CC6
SetWindowLongW.USER32(-00000004,000000EC,00000000), ref: 002C1CDA
SendMessageW.USER32(-00000004,0000007F,00000000,00000000), ref: 002C1CE6
SendMessageW.USER32(-00000004,00000080,00000000,00000000), ref: 002C1CF9
GetDlgItem.USER32(-00000004,0000E801), ref: 002C1D06
IsWindow.USER32(00000000), ref: 002C1D11
DestroyWindow.USER32(40000000,?,?,?,?,?,?,00000006,?,?,?,00000000), ref: 002C1D31
GetClientRect.USER32(-00000004,?), ref: 002C1D6E

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Window$Long$MessageSend$ClientDestroyItemRect
String ID:
API String ID: 2199592267-0
Opcode ID: eed326300a640fbcb73d1a503d28b8918f2dc26eb58ba26f657c54e78cbf46bc
Instruction ID: 4c656ca18fbc3575cfc588f92e626cf75f05cc376a940159aac2dd8d1edc7772
Opcode Fuzzy Hash: eed326300a640fbcb73d1a503d28b8918f2dc26eb58ba26f657c54e78cbf46bc
Instruction Fuzzy Hash: 25616B745183019FD711CF29C886A1ABBF5EF89360F148A2EF8A5C72A1D730C924CF52

Function 002C6047 Relevance: 18.2, APIs: 12, Instructions: 180windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(-00000004,000000F0), ref: 002C6069
GetWindowLongW.USER32(-00000004,000000EC), ref: 002C609A
SetWindowLongW.USER32(-00000004,000000EC,00000000), ref: 002C60AE
SendMessageW.USER32(-00000004,0000007F,00000000,00000000), ref: 002C60BA
SendMessageW.USER32(-00000004,00000080,00000000,00000000), ref: 002C60CD
GetDlgItem.USER32(-00000004,0000E801), ref: 002C60DA
IsWindow.USER32(00000000), ref: 002C60E5
DestroyWindow.USER32(40000000), ref: 002C6105
GetClientRect.USER32(-00000004,?), ref: 002C6142

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Window$Long$MessageSend$ClientDestroyItemRect
String ID:
API String ID: 2199592267-0
Opcode ID: 2736b83ff5aaaa9e4281785f55bf71775c6b842c5ba9097bbd0b834c8dc8ccdb
Instruction ID: 4961e06d3580b53c4895012b1d8bbcd92a127956bee8a3aaa0ccf53c13806dcb
Opcode Fuzzy Hash: 2736b83ff5aaaa9e4281785f55bf71775c6b842c5ba9097bbd0b834c8dc8ccdb
Instruction Fuzzy Hash: 456159745183019FD721CF29C889A1ABBE5FF88320F148A6DF9A9D72A1D771C8148F52

Function 002BD311 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(kernel32.dll,00000008,?,?,002BD3C0,002ACB83,0000005C,0000003F,0000000C,?,00000004,?,000000FF,00000000,?,002AC81B), ref: 002BD328
FreeLibrary.KERNEL32(00000000,?,?,002BD3C0,002ACB83,0000005C,0000003F,0000000C,?,00000004,?,000000FF,00000000,?,002AC81B,?), ref: 002BD33E
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 002BD35B
GetProcAddress.KERNEL32(Wow64RevertWow64FsRedirection), ref: 002BD36D
GetProcAddress.KERNEL32(IsWow64Process), ref: 002BD37F
GetCurrentProcess.KERNEL32(00000000,?,?,002BD3C0,002ACB83,0000005C,0000003F,0000000C,?,00000004,?,000000FF), ref: 002BD38F

Strings

IsWow64Process, xrefs: 002BD36F
kernel32.dll, xrefs: 002BD323
Wow64RevertWow64FsRedirection, xrefs: 002BD35D
Wow64DisableWow64FsRedirection, xrefs: 002BD355

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: AddressProc$Library$CurrentFreeLoadProcess
String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 1085388015-2588563345
Opcode ID: a63aea98dceadba4175d2c51087f8bf6e4353762347abc5040e07846c981ef09
Instruction ID: f1fb2a9c78a8dc99e88d2f2239c482bcfa5e9e335fb42c475475162c46098e4d
Opcode Fuzzy Hash: a63aea98dceadba4175d2c51087f8bf6e4353762347abc5040e07846c981ef09
Instruction Fuzzy Hash: 1F01AD31D1536AAFCB229BB1AD48BCA7FECE741391F040491E904D3262E778E990CF91

Function 0026DDC0 Relevance: 16.6, APIs: 11, Instructions: 123windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0026DDC7
GetDC.USER32(?), ref: 0026DDF2

Part of subcall function 00231DA0: __EH_prolog3.LIBCMT ref: 00231DA7
Part of subcall function 00231DA0: CreateCompatibleDC.GDI32(?), ref: 00231DCF
Part of subcall function 00231DA0: SelectObject.GDI32(?,?), ref: 00231DF2

DrawStateW.USER32(?,00000000,00000000,?,00000000,00000000,00000000,?,?,00000023), ref: 0026DE2B

Part of subcall function 0027D66F: __EH_prolog3.LIBCMT ref: 0027D676
Part of subcall function 0027D66F: DeleteObject.GDI32(00000000), ref: 0027D684

Part of subcall function 0023A766: ImageList_Create.COMCTL32(?,D7557A70,00000021,?,?,?,00236C46,?,?,?,00000000,?), ref: 0023A777

ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,?,?,?,00000000,00000006), ref: 0026DE6F
ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 0026DE7B
ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 0026DE87
ImageList_AddMasked.COMCTL32(?,?,00000000), ref: 0026DE90
ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 0026DEA0
ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 0026DEAC
SendMessageW.USER32(?,00001602,00000000,?), ref: 0026DEF8
DeleteObject.GDI32(?), ref: 0026DF0A

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ImageList_$IconReplace$H_prolog3Object$CreateDelete$CompatibleDrawMaskedMessageSelectSendState
String ID:
API String ID: 865745488-0
Opcode ID: 5ce3149390cf34b3490c9f1d0f7beb7944d3996126fec2ce08db1f91a2c7709e
Instruction ID: c54fadd32803c180a67c7a724c96d1f8231230445eb9fdd4b09d178f377a331d
Opcode Fuzzy Hash: 5ce3149390cf34b3490c9f1d0f7beb7944d3996126fec2ce08db1f91a2c7709e
Instruction Fuzzy Hash: 6741D571900119AFCF12DFA4CC84ADEBBB6FF09350F144229F919AA2A4C7715A51DF50

Function 0025C1F5 Relevance: 16.6, APIs: 11, Instructions: 116COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0025C1FC
GetWindowDC.USER32(?,00000048,0025BF6A,?,?,?,?,?,00259E9D,?,D7557A70,?), ref: 0025C214
GetWindowRect.USER32(?,?), ref: 0025C236
IsWindowEnabled.USER32(?), ref: 0025C246
CreatePen.GDI32(00000000,?,?), ref: 0025C291
SelectObject.GDI32(?,00000000), ref: 0025C29E
ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,?,?,00259E9D,?,D7557A70,?), ref: 0025C2E9
Rectangle.GDI32(?,00000000,00000000,?,?), ref: 0025C2F8
SelectObject.GDI32(?,?), ref: 0025C302
DeleteObject.GDI32(?), ref: 0025C314
DeleteDC.GDI32(?), ref: 0025C32D

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ObjectWindow$DeleteRectSelect$ClipCreateEnabledExcludeH_prolog3Rectangle
String ID:
API String ID: 1666945881-0
Opcode ID: d4fb6628b520f1e28fec29157a266ad19bb6b0b1854bdc473ee76672da779454
Instruction ID: 26bda0e51b6e1eb06b7c471ea19e8e23e29c03bd1434d69260535b597cb3314a
Opcode Fuzzy Hash: d4fb6628b520f1e28fec29157a266ad19bb6b0b1854bdc473ee76672da779454
Instruction Fuzzy Hash: 0A412271C00219EFCF12CFA9C9889EEFBB8FF88301F20811AE915A7224D7745A45DB60

Function 002397AD Relevance: 16.6, APIs: 11, Instructions: 116COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002397B4
GetWindowDC.USER32(?,00000048,00238BBF,?,?,00236290,?,?,?,?,?,?,?,0023625F,?,?), ref: 002397CF
GetWindowRect.USER32(?,?), ref: 002397F1
IsWindowEnabled.USER32(?), ref: 00239801
CreatePen.GDI32(00000000,?,?), ref: 0023984C
SelectObject.GDI32(?,00000000), ref: 00239859
ExcludeClipRect.GDI32(?,?,?,?,?,?,?,00236290,?,?,?,?,?,?,?,0023625F), ref: 002398A4
Rectangle.GDI32(?,00000000,00000000,?,?), ref: 002398B3
SelectObject.GDI32(?,?), ref: 002398BD
DeleteObject.GDI32(?), ref: 002398CF
DeleteDC.GDI32(?), ref: 002398E8

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ObjectWindow$DeleteRectSelect$ClipCreateEnabledExcludeH_prolog3Rectangle
String ID:
API String ID: 1666945881-0
Opcode ID: 693ccd416f62f0563075f54a27d60606ade394fcf5839a2f959591428bb2a322
Instruction ID: ecb7db909f52cf52565999bb3f866a781447de767be59f81c9aa411319935c84
Opcode Fuzzy Hash: 693ccd416f62f0563075f54a27d60606ade394fcf5839a2f959591428bb2a322
Instruction Fuzzy Hash: 8941F3B1D00219EFDF11CFA9C9889EEFBB9FF89300F14811AE915A6254C7B55941DF60

Function 00265815 Relevance: 16.6, APIs: 11, Instructions: 116COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0026581C
GetWindowDC.USER32(?,00000048,00265531,?,?,00263B5F,?,?,?,?,?,?,?,00263B2E,?,?), ref: 00265837
GetWindowRect.USER32(?,?), ref: 00265859
IsWindowEnabled.USER32(?), ref: 00265869
CreatePen.GDI32(00000000,?,?), ref: 002658B4
SelectObject.GDI32(?,00000000), ref: 002658C1
ExcludeClipRect.GDI32(?,?,?,?,?,?,?,00263B5F,?,?,?,?,?,?,?,00263B2E), ref: 0026590C
Rectangle.GDI32(?,00000000,00000000,?,?), ref: 0026591B
SelectObject.GDI32(?,?), ref: 00265925
DeleteObject.GDI32(?), ref: 00265937
DeleteDC.GDI32(?), ref: 00265950

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ObjectWindow$DeleteRectSelect$ClipCreateEnabledExcludeH_prolog3Rectangle
String ID:
API String ID: 1666945881-0
Opcode ID: d6983570f322b8635ee0b84969ff9303e85b14370814da90bff9337118a899be
Instruction ID: 379d20d64e17a4951cdbd0a51946d6f98522229a8d286948aeb81e389321b036
Opcode Fuzzy Hash: d6983570f322b8635ee0b84969ff9303e85b14370814da90bff9337118a899be
Instruction Fuzzy Hash: 90410171C01619EFDB12CFA9C8889EEFBB9FF89310F14811AE915A7224C7759A41DB60

Function 002E98C4 Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 366COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002E98CE

Part of subcall function 002EAF31: __EH_prolog3.LIBCMT ref: 002EAF38

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Part of subcall function 002EAA2D: __EH_prolog3.LIBCMT ref: 002EAA34
Part of subcall function 002EAA2D: std::tr1::_Xbad.LIBCPMT ref: 002EAA52
Part of subcall function 002EAA2D: _wcslen.LIBCMT ref: 002EAA5C

Part of subcall function 00231665: char_traits.LIBCPMT ref: 002316DF

Part of subcall function 002EAA7B: __EH_prolog3.LIBCMT ref: 002EAA82

Strings

(.*)\[.\](.*), xrefs: 002E9B75
$1$2, xrefs: 002E9A01, 002E9B97, 002E9B9C, 002E9C29
(.*)(?:\{)?(.*)\[1\](.*)(?:\})?(.*), xrefs: 002E99E0
$1$4, xrefs: 002E9A7D, 002E9A82, 002E9B09
(.*)\{(.*)\[.\](.*)\}(.*), xrefs: 002E9A5A
, xrefs: 002E98E9, 002E98EE, 002E990A
1: , xrefs: 002E9921
$3$4, xrefs: 002E9A13

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$char_traits$H_prolog3_Xbad_wcslenstd::tr1::_
String ID: $$1$2$$1$4$$3$4$(.*)(?:\{)?(.*)\[1\](.*)(?:\})?(.*)$(.*)\[.\](.*)$(.*)\{(.*)\[.\](.*)\}(.*)$1:
API String ID: 1231339484-405284324
Opcode ID: b352d8d86222312de2f191214d59eb6269bcc89b583147fc080e5d986c59446f
Instruction ID: 004d118fb2b1e645add28b57a39d26374ee756bf837c79b2d826379498d2db07
Opcode Fuzzy Hash: b352d8d86222312de2f191214d59eb6269bcc89b583147fc080e5d986c59446f
Instruction Fuzzy Hash: E6E1BFB1815298EADB21EBA4CD45FDEBBB8AF51300F1441A9E146B7182DB702F58CF61

Function 002F02AC Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 172COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002F02B3

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Part of subcall function 002F0161: __EH_prolog3.LIBCMT ref: 002F0168

Strings

AI_XmlLocator, xrefs: 002F0496
Property, xrefs: 002F02C6, 002F02CB, 002F030B, 002F0352, 002F039E, 002F03EA, 002F0486
AppSearch, xrefs: 002F0317
AI_TempFile, xrefs: 002F03FA
AI_AppSearchEx, xrefs: 002F0362
Control, xrefs: 002F03AE
RetValPropName, xrefs: 002F0436
AI_PreRequisite, xrefs: 002F044A

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$char_traits
String ID: AI_AppSearchEx$AI_PreRequisite$AI_TempFile$AI_XmlLocator$AppSearch$Control$Property$RetValPropName
API String ID: 3598086826-1047536484
Opcode ID: 543fed42cd6ada22bcdee1d22f43f445fd35e032b171b74f1b7d8444988e133b
Instruction ID: 0292b203ead83ca13e23fcb4c360a271208ea237b4c4a7b791130466ec3e70da
Opcode Fuzzy Hash: 543fed42cd6ada22bcdee1d22f43f445fd35e032b171b74f1b7d8444988e133b
Instruction Fuzzy Hash: 92615AB182110CFECB05EBA4EC95DEEBB78EF51704F148198B552671A1EB702B19CFA0

Function 0025CA35 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 140registryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(003732A4), ref: 0025CA9A
GetClassInfoExW.USER32(00000000,?,?), ref: 0025CADD
GetClassInfoExW.USER32(?,?), ref: 0025CAF2

Part of subcall function 0024D9D2: LeaveCriticalSection.KERNEL32(?,?,00245B42,?,00000000,?,?,?,00000020), ref: 0024D9DD

LoadCursorW.USER32(?,?), ref: 0025CB55
swprintf.LIBCMT ref: 0025CB7F
GetClassInfoExW.USER32(?,00000000,?), ref: 0025CBA2
RegisterClassExW.USER32(?), ref: 0025CBB2

Strings

ATL:%p, xrefs: 0025CB74
0, xrefs: 0025CAD5

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Class$Info$CriticalSection$CursorEnterLeaveLoadRegisterswprintf
String ID: 0$ATL:%p
API String ID: 4219454028-2453800769
Opcode ID: ba4b4a0e5b4fd82c2b6dfcebdb8915e50729a9b0610f6ec9cdbbe707e828555c
Instruction ID: cf6749700d4ffeb2d83f1a44c64d73ded9e5597c79715d2212c1eb0386a2557d
Opcode Fuzzy Hash: ba4b4a0e5b4fd82c2b6dfcebdb8915e50729a9b0610f6ec9cdbbe707e828555c
Instruction Fuzzy Hash: 45517871514301DFCB25CF64C8C1AAABBE8FB48725F104A5AFC498B296E770D948CB95

Function 00260A89 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetDlgCtrlID.USER32(?), ref: 00260AAE
GetDlgCtrlID.USER32(?), ref: 00260ABD
GetParent.USER32(?), ref: 00260AC4
GetDlgCtrlID.USER32(?), ref: 00260ADD
GetParent.USER32(?), ref: 00260AE8
SendMessageW.USER32(00000000,00000111,?,?), ref: 00260AFB
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00260B13
InvalidateRect.USER32(?,00000000,00000001), ref: 00260B2F

Strings

open, xrefs: 00260B0D

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Ctrl$Parent$ExecuteInvalidateMessageRectSendShell
String ID: open
API String ID: 1200564152-2758837156
Opcode ID: 6e2a677a884508234e2574dcea406093dc1f6bc2e88c95577d8055b0b4290e29
Instruction ID: d80daa674b4c9eb46cc9b27f9c4ef15f3900fbba3f014e09ba462d053bd7b19e
Opcode Fuzzy Hash: 6e2a677a884508234e2574dcea406093dc1f6bc2e88c95577d8055b0b4290e29
Instruction Fuzzy Hash: 4211B171400348BFEB225BA5CC89EABBFF9EB44748F004408F157921A0C7B59C94DB10

Function 002E5D3F Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 175COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002E5D49

Part of subcall function 0023DF4F: _wcslen.LIBCMT ref: 0023DF54

Strings

InstallExecute, xrefs: 002E5DBB
InstallInitialize, xrefs: 002E5DA0
InstallExecuteAgain, xrefs: 002E5DE4
ExecuteAction, xrefs: 002E5D81
INSTALL, xrefs: 002E5D5F
RemoveExistingProducts, xrefs: 002E5E3C, 002E5E6C
InstallFinalize, xrefs: 002E5DFE

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3__wcslen
String ID: ExecuteAction$INSTALL$InstallExecute$InstallExecuteAgain$InstallFinalize$InstallInitialize$RemoveExistingProducts
API String ID: 3251556500-1309907375
Opcode ID: 63eb8de6b6eee44beb419065d9dab0b64c0890c1543fa48e6893fc6f54bf3394
Instruction ID: 0f223b41660435d956107f4290bac0f8dc47f4f244827489566bbd539b75cb74
Opcode Fuzzy Hash: 63eb8de6b6eee44beb419065d9dab0b64c0890c1543fa48e6893fc6f54bf3394
Instruction Fuzzy Hash: AA51E870AB5AA79ADF24DF25C881BA8B3747F01304F9401DAE9096BA81C770ADA4CF50

Function 002B1954 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000208,003746CC,?,00000000), ref: 002B199C

Part of subcall function 00235A4B: _wcslen.LIBCMT ref: 00235A57

Part of subcall function 0027D853: _wcsrchr.LIBCMT ref: 0027D85A

Part of subcall function 0029A420: _memmove_s.LIBCMT ref: 0029A489

Part of subcall function 0027D871: _wcslen.LIBCMT ref: 0027D87D

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000004,00000080,00000000,003746CC,?,00000000), ref: 002B19E7
GetLastError.KERNEL32 ref: 002B19FF
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 002B1A19
WriteFile.KERNEL32(00000000,?,00000002,?,00000000), ref: 002B1A44
FlushFileBuffers.KERNEL32(?), ref: 002B1A4C
CloseHandle.KERNEL32(00000000), ref: 002B1A8F

Strings

.log, xrefs: 002B19C9

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: File$_wcslen$BuffersCloseCreateErrorFlushHandleLastModuleNamePointerWrite_memmove_s_wcsrchr
String ID: .log
API String ID: 2884912886-299349702
Opcode ID: c160c3bf6f132b68360e3f6f50ef1bb54e25a4a1c110d0a7693762968cb57287
Instruction ID: 0f490aaa86ab5ae6c792836b8bf14c75c7632157834905bb1d70107c1ab30b8d
Opcode Fuzzy Hash: c160c3bf6f132b68360e3f6f50ef1bb54e25a4a1c110d0a7693762968cb57287
Instruction Fuzzy Hash: 8941CC71A102189FEB21DFA4CC99BED73E8EF45350FA00129F605EB191DB70A961CF51

Function 0028C070 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 76COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 0028C0B7

Part of subcall function 002FBE0C: RaiseException.KERNEL32(?,?,?,?), ref: 002FBE4E

_strlen.LIBCMT ref: 0028C0DB
__CxxThrowException@8.LIBCMT ref: 0028C112
__CxxThrowException@8.LIBCMT ref: 0028C14A
__CxxThrowException@8.LIBCMT ref: 0028C179

Strings

ios_base::badbit set, xrefs: 0028C0C1, 0028C0E4
ios_base::eofbit set, xrefs: 0028C14F
ios_base::failbit set, xrefs: 0028C120

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise_strlen
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3901800330-1866435925
Opcode ID: de9980d4c5275ac90772969357202a5afde518131e4b9a20923e883cffaa743f
Instruction ID: 658f5ab791823a70c1656546490d443b9e5079ff3790cb1d52a33f29a0103e1d
Opcode Fuzzy Hash: de9980d4c5275ac90772969357202a5afde518131e4b9a20923e883cffaa743f
Instruction Fuzzy Hash: 8221E375058344ABC301EB50CC42BDABBE4AF44794F044E2CF585561E2DBB4A654CF92

Function 00295700 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

SHGetFileInfoW.SHELL32(C:\,00000010,?,000002B4,00004011), ref: 00295731
SHGetFileInfoW.SHELL32(C:\FAKE_DIR\,00000010,?,000002B4,00004011), ref: 0029574B
SHGetFileInfoW.SHELL32(C:\FAKE_DIR\,00000010,?,000002B4,00004013), ref: 0029576A
SHGetSpecialFolderLocation.SHELL32(00000000,00000011,?), ref: 0029577C
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004009), ref: 0029579C
SHGetMalloc.SHELL32(?), ref: 002957AA

Strings

C:\FAKE_DIR\, xrefs: 00295744, 00295762
C:\, xrefs: 0029572C

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: FileInfo$FolderLocationMallocSpecial
String ID: C:\$C:\FAKE_DIR\
API String ID: 2377275491-2055520131
Opcode ID: 12ea30bd028580e0c36543922673a33a88387f1dc6706509547d27191f416683
Instruction ID: 3e7fe27717d2f12c66ad9e8923d03b9a1bebe3cc5d042b51c72ae4b2143bd782
Opcode Fuzzy Hash: 12ea30bd028580e0c36543922673a33a88387f1dc6706509547d27191f416683
Instruction Fuzzy Hash: F0212A71344305ABE724DF65DC86F6BB3E8ABC8B00F40891DF2959B2D1D7B4E8458B52

Function 0029DE50 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 65COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0029DEF7

Strings

SEH_AV_WRITE_BADPTR, xrefs: 0029DEB8
SEH_AV_WRITE_NULLPTR, xrefs: 0029DEAA
SEH_AV_DEP_BADPTR, xrefs: 0029DED4
SEH_AV_READ_NULLPTR, xrefs: 0029DE8E
SEH_AV_READ_BADPTR, xrefs: 0029DE9C
SEH_AV_DEP_NULLPTR, xrefs: 0029DEC6
SEH_GENERIC, xrefs: 0029DEEE, 0029DF00

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: _wcslen
String ID: SEH_AV_DEP_BADPTR$SEH_AV_DEP_NULLPTR$SEH_AV_READ_BADPTR$SEH_AV_READ_NULLPTR$SEH_AV_WRITE_BADPTR$SEH_AV_WRITE_NULLPTR$SEH_GENERIC
API String ID: 176396367-4199215282
Opcode ID: b25a993744a7957ee9c297c0ee19c794917dd1a66f40c05403b3a3e6d5460a47
Instruction ID: 741490c31f8b7fff18df1a026b026d2ee72a5ed8366b1ba21c816b3e6314812d
Opcode Fuzzy Hash: b25a993744a7957ee9c297c0ee19c794917dd1a66f40c05403b3a3e6d5460a47
Instruction Fuzzy Hash: 6F118EB63387509BCA16BB149843B6FB7D4FB94B10F54091AF44787AC1C7B869109BC6

Function 00270376 Relevance: 13.7, APIs: 9, Instructions: 166windowCOMMON

Download Yara Rule

APIs

IsWindowEnabled.USER32(?), ref: 002703C9

Part of subcall function 0023338B: __EH_prolog3.LIBCMT ref: 00233392
Part of subcall function 0023338B: BeginPaint.USER32(?,?,00000000,00232604,?,?), ref: 002333AC

GetClientRect.USER32(?,?), ref: 0027040C

Part of subcall function 0025F11A: SetBkColor.GDI32(?,0000204E), ref: 0025F128
Part of subcall function 0025F11A: ExtTextOutW.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0025F140
Part of subcall function 0025F11A: SetBkColor.GDI32(?,00000000), ref: 0025F149

Part of subcall function 00233634: __EH_prolog3.LIBCMT ref: 0023363B

Part of subcall function 002335AF: GetWindowTextLengthW.USER32(00000000), ref: 002335B8
Part of subcall function 002335AF: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 002335CB

SelectObject.GDI32(?,?), ref: 0027047E
SetBkMode.GDI32(?,00000001), ref: 0027048E
SetTextColor.GDI32(?,?), ref: 002704CF
GetWindowLongW.USER32(00000000), ref: 002704E2
SendMessageW.USER32(00000000), ref: 002704FD

Part of subcall function 00270F37: __EH_prolog3_GS.LIBCMT ref: 00270F3E
Part of subcall function 00270F37: _wcslen.LIBCMT ref: 00270F79
Part of subcall function 00270F37: _wmemcpy_s.LIBCPMT ref: 00270FB7

Part of subcall function 002335DE: __EH_prolog3.LIBCMT ref: 002335E5

DrawTextW.USER32(?,?,?,?,00000010), ref: 0027054C
SelectObject.GDI32(?,FF000000), ref: 0027055A

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Text$Window$ColorH_prolog3$ObjectSelect$BeginClientDrawEnabledH_prolog3_LengthLongMessageModePaintRectSend_wcslen_wmemcpy_s
String ID:
API String ID: 4041646843-0
Opcode ID: d06a6eaa015e9ba99942ec199709571b17217246bb3fd66151d3a17dcd7ebf5f
Instruction ID: 14de1291b76cadf66041c841652540b0d2800e4e418b623601943628da471c2b
Opcode Fuzzy Hash: d06a6eaa015e9ba99942ec199709571b17217246bb3fd66151d3a17dcd7ebf5f
Instruction Fuzzy Hash: 8051AD712183409FC714DF24C88ABAABBE8FF88701F404A1DF596872A1DB74D905CF52

Function 00274EE2 Relevance: 13.6, APIs: 9, Instructions: 74COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00274F07

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deafaba7c5b3a6a8723d9f155e33d6da4488ea3691747328efd7ca04aa38779d
Instruction ID: 0124a0e38ae7289238a74dd8f4d8098fe60564f0d8d3eb28e8c946a982b96004
Opcode Fuzzy Hash: deafaba7c5b3a6a8723d9f155e33d6da4488ea3691747328efd7ca04aa38779d
Instruction Fuzzy Hash: 77214871A1424BAFEB12EF69DC88BAABBFCBF04304F044419F985E2661D771D8608B51

Function 002DD0F6 Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 343COMMON

Download Yara Rule

Strings

AiAlwaysAdmin, xrefs: 002DD313
TARGETDIR, xrefs: 002DD40D
ALLUSERS, xrefs: 002DD14A
MSIINSTALLPERUSER, xrefs: 002DD1C2

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: _wcslenchar_traits
String ID: ALLUSERS$AiAlwaysAdmin$MSIINSTALLPERUSER$TARGETDIR
API String ID: 482843318-4190606541
Opcode ID: 2f331b30274f099591e5c06ab73c7cc4adc96b8ec1cc135cddfdceaff311e873
Instruction ID: aa2b73af0bad7ebaa282c8a767bc721191f012daa2a5a0f103dc5fd69ec5a256
Opcode Fuzzy Hash: 2f331b30274f099591e5c06ab73c7cc4adc96b8ec1cc135cddfdceaff311e873
Instruction Fuzzy Hash: 16E17D711183819FD721EB64C845BDABBE8BF89314F040A5DF1D987292CB74A928CB97

Function 002B8938 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 318fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,?,Starting download of:,00000000), ref: 002B8CDD

Part of subcall function 0027D853: _wcsrchr.LIBCMT ref: 0027D85A

Part of subcall function 002725B9: __EH_prolog3.LIBCMT ref: 002725C0

Part of subcall function 002335DE: __EH_prolog3.LIBCMT ref: 002335E5

Strings

Downloaded file was accepted., xrefs: 002B8BB6
Download failed. Error:, xrefs: 002B8C23
Downloaded file was rejected.(Invalid size or MD5)., xrefs: 002B8D17
Download completed succesfully., xrefs: 002B8B01
Download was canceled., xrefs: 002B8C94
Starting download of:, xrefs: 002B8AA0

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$DeleteFile_wcsrchr
String ID: Download completed succesfully.$Download failed. Error:$Download was canceled.$Downloaded file was accepted.$Downloaded file was rejected.(Invalid size or MD5).$Starting download of:
API String ID: 19927120-3851136047
Opcode ID: fa15b2eca3f7f50dd927d3ebe43d32aaae6e9c6ec5bbe3c52608d8c8c84ba97a
Instruction ID: 452a6ed1786643815a2ab8f355b3e961468a8ae0072384d5c80537c3706c9458
Opcode Fuzzy Hash: fa15b2eca3f7f50dd927d3ebe43d32aaae6e9c6ec5bbe3c52608d8c8c84ba97a
Instruction Fuzzy Hash: 92B1C2B15243019FCB04FF64C845E9EB7E8AF48340F448959F85997262CF30EA29CFA2

Function 00269001 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 253COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0026900B

Part of subcall function 00283570: __ltow_s.LIBCMT ref: 002835BD
Part of subcall function 00283570: _wcslen.LIBCMT ref: 002835DB

Part of subcall function 002C8CC0: __EH_prolog3.LIBCMT ref: 002C8CC7

Part of subcall function 00234BA5: __EH_prolog3.LIBCMT ref: 00234BAC

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Strings

MsiSelectionTreeSelectedFeature, xrefs: 00269031
MsiSelectionTreeChildrenCost, xrefs: 0026922A
MsiSelectionTreeSelectedCost, xrefs: 002692A8
MsiSelectonTreeChildrenCount, xrefs: 00269145
MsiSelectionTreeSelectedAction, xrefs: 002690B5
MsiSelectionTreeInstallingChildrenCount, xrefs: 002691B6

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$__ltow_s_wcslenchar_traits
String ID: MsiSelectionTreeChildrenCost$MsiSelectionTreeInstallingChildrenCount$MsiSelectionTreeSelectedAction$MsiSelectionTreeSelectedCost$MsiSelectionTreeSelectedFeature$MsiSelectonTreeChildrenCount
API String ID: 1804852809-306884365
Opcode ID: 80fdf2bba84cf8c3c76ceb36c5e931af35ecd1858e0805903059b52f7644180f
Instruction ID: f494be49344bfb30d00ed0796fe98b1e0009638fc17bc0012153b5774e353fca
Opcode Fuzzy Hash: 80fdf2bba84cf8c3c76ceb36c5e931af35ecd1858e0805903059b52f7644180f
Instruction Fuzzy Hash: F9A15C71910248EEDF10EBA0C985BDEBF78AF05314F144299F541AB292CBB4AB55CFA1

Function 002A1B46 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 216registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00235A6E: __EH_prolog3.LIBCMT ref: 00235A75

Part of subcall function 00297B90: _wcschr.LIBCMT ref: 00297BFD
Part of subcall function 00297B90: _wcschr.LIBCMT ref: 00297CAE

Part of subcall function 002335DE: __EH_prolog3.LIBCMT ref: 002335E5

Part of subcall function 0024D307: __EH_prolog3.LIBCMT ref: 0024D30E

Part of subcall function 0027D853: _wcsrchr.LIBCMT ref: 0027D85A

RegOpenKeyExW.ADVAPI32(?,?,00000000,000F003F,?,?,?,0000005C,?,?,?,?,?,0000005C,?,?), ref: 002A1C40
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,0000005C,?,?,?,/cmdloc,?,?,?,?), ref: 002A1C56

Part of subcall function 00272524: __EH_prolog3.LIBCMT ref: 0027252B

Part of subcall function 002ACF3B: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?,00000001,00000000,?,?), ref: 002ACF66
Part of subcall function 002ACF3B: RegQueryValueExW.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 002ACF90

RegDeleteValueW.ADVAPI32(?,?,?,?,?,?,?,?,0000005C,?,0000005C,?,?,?,/cmdloc,?), ref: 002A1D53
RegOpenKeyExW.ADVAPI32(?,?,00000000,000F003F,?,?,0000005C,?,?,?,/cmdloc,?,?,?,?), ref: 002A1D6D
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,0000005C,?,?), ref: 002A1D87
RegDeleteKeyW.ADVAPI32(?,?), ref: 002A1D9C

Strings

/cmdloc, xrefs: 002A1B9C

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$OpenQueryValue$Delete_wcschr$Info_wcsrchr
String ID: /cmdloc
API String ID: 2244513505-2282507673
Opcode ID: ba68aee8bf758fdf62f252383053958404a9621c223df0b496996672382b09a1
Instruction ID: 64f3116cde024e5aba3f97b00861a5236efcf0abadaa354b75da37b1314a8bc4
Opcode Fuzzy Hash: ba68aee8bf758fdf62f252383053958404a9621c223df0b496996672382b09a1
Instruction Fuzzy Hash: 1F710AB2D60119ABCF15EFA1DC828EEBB79AF09310F504066F515B2061DF34AB69DF60

Function 002AE1BB Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 214fileCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 002AE28E
DeleteFileW.KERNEL32(?,?,00000000,00000000), ref: 002AE30C
DeleteFileW.KERNEL32(?,?,.part,?,?), ref: 002AE329

Part of subcall function 002B187C: LeaveCriticalSection.KERNEL32(?,00000000,0033E304,003746CC,00000000,74DEE010,Failed to extract file:,?, Error:,00000000), ref: 002B18FB

Part of subcall function 002335DE: __EH_prolog3.LIBCMT ref: 002335E5

CoUninitialize.OLE32(00000000,00000000,00000000,?,Failed to download a newer version. Error:,00000000), ref: 002AE440

Part of subcall function 00298050: FormatMessageW.KERNEL32 ref: 00298096
Part of subcall function 00298050: GetLastError.KERNEL32 ref: 002980A0

Strings

.part, xrefs: 002AE318
Failed to download a newer version. Error:, xrefs: 002AE3F5
Newer version is at a local URL., xrefs: 002AE1F3

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: DeleteFile$CriticalErrorFormatH_prolog3InitializeLastLeaveMessageSectionUninitialize
String ID: .part$Failed to download a newer version. Error:$Newer version is at a local URL.
API String ID: 2766389586-3010721716
Opcode ID: 9a6d385aa43b96a89ce3268c3a5cab29c51df8dd6eb148177bedd7d80348eb07
Instruction ID: 766e8660ccbb09a4a15878b2b807d542c3d94f728bbf5e519a22effde4fe68e8
Opcode Fuzzy Hash: 9a6d385aa43b96a89ce3268c3a5cab29c51df8dd6eb148177bedd7d80348eb07
Instruction Fuzzy Hash: 08716EB1920109ABCF11FFA4C886AEEB7BCAF09300F454455F505A7162DF74AB6ACF61

Function 002809DF Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 156stringCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002809FE

Part of subcall function 0027F06A: __EH_prolog3.LIBCMT ref: 0027F071

Part of subcall function 00275307: InitializeCriticalSection.KERNEL32(?,0034FCF8,0000000C,00274BA6,0000000C,00274C70,?), ref: 00275318

GetModuleFileNameW.KERNEL32(00230000,?,00000104), ref: 00280AA9
GetModuleHandleW.KERNEL32(00000000), ref: 00280AE9
lstrlenW.KERNEL32(?), ref: 00280B32

Strings

Module, xrefs: 00280B56
Module_Raw, xrefs: 00280B70
REGISTRY, xrefs: 00280BAC

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3Module$CriticalFileHandleInitializeNameSectionlstrlen
String ID: Module$Module_Raw$REGISTRY
API String ID: 3104761286-549000027
Opcode ID: 2beac0708009e741282955c3f7686125b0dd2ff1a4d1c9c441e69f14cddc6ace
Instruction ID: 211e04a67fe9d09f67df09aa04c95493be67f280642405faab057658f5cf09e1
Opcode Fuzzy Hash: 2beac0708009e741282955c3f7686125b0dd2ff1a4d1c9c441e69f14cddc6ace
Instruction Fuzzy Hash: 8151E476926289DBCB65EFA4CCC0AED73A8AF04304F14447AEA09E7181D7B09F58CB51

Function 002C999D Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 153COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002C99A4

Part of subcall function 0023DF4F: _wcslen.LIBCMT ref: 0023DF54

Part of subcall function 002F58C8: _malloc.LIBCMT ref: 002F58E2

Part of subcall function 002F58C8: std::bad_alloc::bad_alloc.LIBCMT ref: 002F5905

Strings

Visible, xrefs: 002C9A34
PropertyValue, xrefs: 002C9B09
TimeRemaining, xrefs: 002C9ABB
Text, xrefs: 002C99D8
Progress, xrefs: 002C99AB
Enabled, xrefs: 002C9A76

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3_malloc_wcslenstd::bad_alloc::bad_alloc
String ID: Enabled$Progress$PropertyValue$Text$TimeRemaining$Visible
API String ID: 1272119295-2691827946
Opcode ID: af5d8adb8b5537ae56445a22dab09988e8561826fa660a016e6ec34946d0c5c3
Instruction ID: 93fdf888d5b754544de734f12c3ae953adce97e1233a7c4996c6d5cc2248df13
Opcode Fuzzy Hash: af5d8adb8b5537ae56445a22dab09988e8561826fa660a016e6ec34946d0c5c3
Instruction Fuzzy Hash: DD518470965309EEDB14DF68D949B987BE0AF017A4F20829EE5099F2D1D7B08A90DF50

Function 002C4FF0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002C5040
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002C5059
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002C507A
GetDlgItem.USER32(?,000003F6), ref: 002C513E
SetWindowTextW.USER32(00000000,?), ref: 002C5146

Part of subcall function 002BCE9A: LoadStringW.USER32(000000FF,?,00000514), ref: 002BCEC2

Strings

WD,, xrefs: 002C50F1
WD,, xrefs: 002C5060, 002C50B9, 002C506C

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$ItemLoadStringTextWindow
String ID: WD,$WD,
API String ID: 1109381321-193488006
Opcode ID: 8d2af0b8f5dbcc867f7481d5ca86345253ecaf909a06fa9c82580e496d58cad0
Instruction ID: 4f8682171aecbd8229fded531f15a29cce1aec62b69b14ad6a9e3c9c912cdb44
Opcode Fuzzy Hash: 8d2af0b8f5dbcc867f7481d5ca86345253ecaf909a06fa9c82580e496d58cad0
Instruction Fuzzy Hash: 60419F72D10219ABDB15EFA4CC46BEFBBB8AF04300F110126FA01B7191DB70AF558BA1

Function 002C83DD Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 95registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00235A6E: __EH_prolog3.LIBCMT ref: 00235A75

Part of subcall function 0027D894: _wcsnlen.LIBCMT ref: 0027D8C5

RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00020019,?,?,00000000,00000000,SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\,?,?,?,15.0,?,00000000,?), ref: 002C8417
RegQueryValueExW.ADVAPI32(?,Location,00000000,?,?,?,00000000,?), ref: 002C844F
RegQueryValueExW.ADVAPI32(?,Location,00000000,?,00000000,000000EA,000000EA), ref: 002C8485
PathFileExistsW.SHLWAPI(?,?,BIN\STSADM.EXE), ref: 002C84B4

Part of subcall function 00233634: __EH_prolog3.LIBCMT ref: 0023363B

Strings

Location, xrefs: 002C8443, 002C8448, 002C8481
SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\, xrefs: 002C83E4
BIN\STSADM.EXE, xrefs: 002C84A3

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3QueryValue$ExistsFileOpenPath_wcsnlen
String ID: BIN\STSADM.EXE$Location$SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\
API String ID: 1017321179-3242783072
Opcode ID: a13d9b6713a43afe52de05855e45d477670582194728b9f37b34df4d9774fc3d
Instruction ID: 9e7578c06f2d1ddabfc653e095afee26cb25df6fc6f3e4b169cc3cba3de397a1
Opcode Fuzzy Hash: a13d9b6713a43afe52de05855e45d477670582194728b9f37b34df4d9774fc3d
Instruction Fuzzy Hash: 743104B591011ABBCF11EFA5CC86DEEBBBCEF04310F008166F514A6161DB309B659FA0

Function 002C17D4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 92windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00296B50: FindResourceW.KERNEL32(00230000,?,?,00000000,?,002BA221,lA,,?,?), ref: 00296B6F
Part of subcall function 00296B50: LoadResource.KERNEL32(00230000,00000000,?,?,?,?,?,?,?,?,002BA1DE,000000DD,?,?,002C416C), ref: 00296B7D
Part of subcall function 00296B50: LockResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,002BA1DE,000000DD,?,?,002C416C,?,?), ref: 00296B88
Part of subcall function 00296B50: SizeofResource.KERNEL32(00230000,00000000,?,?,?,?,?,?,?,?,002BA1DE,000000DD,?,?,002C416C), ref: 00296B96

Part of subcall function 002335DE: __EH_prolog3.LIBCMT ref: 002335E5

GetDlgItem.USER32(?,000003FC), ref: 002C181D
SendMessageW.USER32(00000000,000000CF,00000001,00000000), ref: 002C1836
SendMessageW.USER32(?,00000435,00000000,?), ref: 002C1848

Part of subcall function 002F58C8: _malloc.LIBCMT ref: 002F58E2

SendMessageW.USER32(?,00000446,00000000,00000110), ref: 002C1875
SendMessageW.USER32(?,00000449,00000002,?), ref: 002C1894
SetWindowLongW.USER32(?,000000FC,?), ref: 002C18B6

Strings

RTF_FILE, xrefs: 002C17DF

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: MessageResourceSend$FindH_prolog3ItemLoadLockLongSizeofWindow_malloc
String ID: RTF_FILE
API String ID: 894780053-1572295589
Opcode ID: b475799eb1b7b767164c5403d1aeb7dd0be0268c29eb8cb0c5dfeb9598dbb6f0
Instruction ID: 78a74adca4d7206d380b35a244bae33abe62ba6aeaa7e4a04a5236483126c2c4
Opcode Fuzzy Hash: b475799eb1b7b767164c5403d1aeb7dd0be0268c29eb8cb0c5dfeb9598dbb6f0
Instruction Fuzzy Hash: A3316C71A5020AAFDB11DFA5DC46F9DBBF8EF04740F108169E609AB291DB70AA14CF60

Function 002A04B0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 002A051B
swprintf.LIBCMT ref: 002A0531

Part of subcall function 002F7C83: __vswprintf_s_l.LIBCMT ref: 002F7C97

_wcslen.LIBCMT ref: 002A053B
_wcslen.LIBCMT ref: 002A0552

Part of subcall function 0023DAAA: std::_String_base::_Xlen.LIBCPMT ref: 0023DAF3
Part of subcall function 0023DAAA: char_traits.LIBCPMT ref: 0023DB30

_wcslen.LIBCMT ref: 002A056A

Strings

[0x%.8Ix] , xrefs: 002A0522
MODULE_BASE_ADDRESS, xrefs: 002A054D, 002A055B

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: _wcslen$HandleModuleString_base::_Xlen__vswprintf_s_lchar_traitsstd::_swprintf
String ID: MODULE_BASE_ADDRESS$[0x%.8Ix]
API String ID: 1886256149-3408254016
Opcode ID: a58bc22b0036e335f47fa9c22ac6903baa0d9738ec1761adaf318f9b2b9bad8f
Instruction ID: 8e2bde68d665142cb1d5aef857ffe16e50b156cb3b7caa1ad9dc8709cc6ee3b5
Opcode Fuzzy Hash: a58bc22b0036e335f47fa9c22ac6903baa0d9738ec1761adaf318f9b2b9bad8f
Instruction Fuzzy Hash: 592160B5558744AFD721EF68E886B9BB7E8FB5C710F00493EF049C3281E67495148BA2

Function 002F5155 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002F515C
std::_Lockit::_Lockit.LIBCPMT ref: 002F5166

Part of subcall function 0028AE00: std::_Lockit::_Lockit.LIBCPMT ref: 0028AE2F

codecvt.LIBCPMT ref: 002F51A0
std::bad_exception::bad_exception.LIBCMT ref: 002F51B4
__CxxThrowException@8.LIBCMT ref: 002F51C2
std::locale::facet::facet_Register.LIBCPMT ref: 002F51D8

Strings

bad cast, xrefs: 002F51AC

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8H_prolog3RegisterThrowcodecvtstd::bad_exception::bad_exceptionstd::locale::facet::facet_
String ID: bad cast
API String ID: 1373396938-3145022300
Opcode ID: c553c3ce162c796ba2cd3d9dcae40c245b1ea6fcaa423ef678ca053a1bcacf48
Instruction ID: 6549befb20c40bbfc61358f54d1195853cf2e836b5147a58f78ef27df671ab53
Opcode Fuzzy Hash: c553c3ce162c796ba2cd3d9dcae40c245b1ea6fcaa423ef678ca053a1bcacf48
Instruction Fuzzy Hash: 6901A53592022DA7CB06FBA0C9426FEF329AF407A0F640528F7117B2D1DF34AA119F90

Function 0027117C Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 38libraryloaderwindowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00271183
LoadLibraryW.KERNEL32(UxTheme.dll,00000000,00271316,00000000,?,SysTreeView32,?,?,?,?,?), ref: 002711A1
GetProcAddress.KERNEL32(SetWindowTheme,00000000), ref: 002711E4
SendMessageW.USER32(?,0000112C,00000004,00000004), ref: 00271214

Strings

UxTheme.dll, xrefs: 0027119C
explorer, xrefs: 002711FE
SetWindowTheme, xrefs: 002711D9

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: AddressH_prolog3LibraryLoadMessageProcSend
String ID: SetWindowTheme$UxTheme.dll$explorer
API String ID: 1824031409-3123591815
Opcode ID: 74a2795943e033ba1d6fb8dddb690e6dbae12ebc68b72042717bbf31767a001b
Instruction ID: 1e1eb7f6e5d6c13a454dac9a98a8bb789f2038c87c726e544e5464568bfe63db
Opcode Fuzzy Hash: 74a2795943e033ba1d6fb8dddb690e6dbae12ebc68b72042717bbf31767a001b
Instruction Fuzzy Hash: 1A019230692344ABD7369F60DD4EBAA3BA4AB02728F108155F719B91F0CBB045949F15

Function 002ADA15 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(user32.dll,?,002AD9CE), ref: 002ADA22
FreeLibrary.KERNEL32(00000000,?,002AD9CE), ref: 002ADA38
GetProcAddress.KERNEL32(00000000,FlashWindowEx), ref: 002ADA55
GetProcAddress.KERNEL32(FlashWindow), ref: 002ADA6B

Strings

user32.dll, xrefs: 002ADA16
FlashWindowEx, xrefs: 002ADA4F
FlashWindow, xrefs: 002ADA60

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: AddressLibraryProc$FreeLoad
String ID: FlashWindow$FlashWindowEx$user32.dll
API String ID: 2256533930-1890803043
Opcode ID: c13ab717fbab02f12bc5e69fb6f76a2196fce2430007513e916ca2127d9306fc
Instruction ID: a75030908e6740b992d6e5196704d9c3a7e320489cd711cc8842aa32f2ac7b46
Opcode Fuzzy Hash: c13ab717fbab02f12bc5e69fb6f76a2196fce2430007513e916ca2127d9306fc
Instruction Fuzzy Hash: 97F0A774A543128BC7239F79AD845917BDDA716340F000191F919D3671EB70FC908FA0

Function 00232373 Relevance: 12.2, APIs: 8, Instructions: 157windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(00000000), ref: 00232403
SendMessageW.USER32(00000000,0000000B,00000000,00000000), ref: 0023241E
GetWindowRect.USER32(00000000,?), ref: 00232465
UnionRect.USER32(?,?,?), ref: 00232478
GetWindowRect.USER32(00000000,?), ref: 002324A5
UnionRect.USER32(?,?,?), ref: 002324B2
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 002324E5
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,D7557A70), ref: 00232531

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Rect$Window$MessageSendUnion$ExceptionRaiseVisible
String ID:
API String ID: 46580985-0
Opcode ID: 5a79b0123cb16d6a81e23418767668ff49f4cac775dc010f708a8e81ea8ffba5
Instruction ID: 31ed29adcb361b6d99a68e0050ee6ccf2b94709e71c2335c567d607a6d527f44
Opcode Fuzzy Hash: 5a79b0123cb16d6a81e23418767668ff49f4cac775dc010f708a8e81ea8ffba5
Instruction Fuzzy Hash: E7516A71118316EFC725DF25D88095ABBE8FF89B50F004A1EF58593261CB70E959CFA2

Function 002453BB Relevance: 12.1, APIs: 8, Instructions: 76threadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002453C2

Part of subcall function 0024D9A8: __EH_prolog3.LIBCMT ref: 0024D9AF

EnterCriticalSection.KERNEL32(?,?,0000004C,0024EC95,?,00000000), ref: 00245402
GetCurrentThreadId.KERNEL32 ref: 0024540C

Part of subcall function 0024DA51: __recalloc.LIBCMT ref: 0024DA5A

LeaveCriticalSection.KERNEL32(?,?,?), ref: 0024542B

Part of subcall function 0024D9E9: __EH_prolog3.LIBCMT ref: 0024D9F0

Part of subcall function 00233684: GetCurrentProcess.KERNEL32(00000000,0000000D,00000000,00000000,0034F82C,?,0023360F,80004005,00235A87,00000000,002BE292,?,?,00000000,?), ref: 002336B8
Part of subcall function 00233684: FlushInstructionCache.KERNEL32(00000000,?,0023360F,80004005,00235A87,00000000,002BE292,?,?,00000000,?,?,?,?,002BE220), ref: 002336BF

SetLastError.KERNEL32(0000000E,00000000,?), ref: 00245455
CreateDialogParamW.USER32(0000278B,?,0024D1F7,00000000,?), ref: 00245479
GetLastError.KERNEL32 ref: 00245483
ShowWindow.USER32(00000002,0000000A), ref: 002454AA

Part of subcall function 0024D81C: __EH_prolog3.LIBCMT ref: 0024D823
Part of subcall function 0024D81C: EnterCriticalSection.KERNEL32(?,?,0000000C,002454BF), ref: 0024D838
Part of subcall function 0024D81C: GetCurrentThreadId.KERNEL32 ref: 0024D842
Part of subcall function 0024D81C: LeaveCriticalSection.KERNEL32(?,?), ref: 0024D871

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CriticalH_prolog3Section$Current$EnterErrorLastLeaveThread$CacheCreateDialogFlushInstructionParamProcessShowWindow__recalloc
String ID:
API String ID: 750257728-0
Opcode ID: 806d562a57d7ad127f7dc21d859853a180d16b241ec60bb9f118eb0dd0639335
Instruction ID: 3ced0f3672b6e74c9c87e3c6619c24bf590b2ff4cf6e9f97879e5801fd94fb85
Opcode Fuzzy Hash: 806d562a57d7ad127f7dc21d859853a180d16b241ec60bb9f118eb0dd0639335
Instruction Fuzzy Hash: A7315679D10259EBCF12EFE4C8899DDBBB8BF08300F10852AE605BB252C7749A59DF51

Function 00299600 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 375COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00299796

Part of subcall function 00272524: __EH_prolog3.LIBCMT ref: 0027252B

_wcslen.LIBCMT ref: 00299708

Strings

\\?\, xrefs: 00299703, 00299711
L27, xrefs: 00299636
L27, xrefs: 00299654

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3_wcschr_wcslen
String ID: L27$L27$\\?\
API String ID: 2968583522-3641051400
Opcode ID: adbd21c0337525cff93850c6eeb9ef3b15e18cd38facaef7855276664f9bfa9b
Instruction ID: 0ea006c0c852bc2dc650bcf28f7bb98d5e6e0d26fb9e20cdf283a762fb90da4b
Opcode Fuzzy Hash: adbd21c0337525cff93850c6eeb9ef3b15e18cd38facaef7855276664f9bfa9b
Instruction Fuzzy Hash: F9D1BD712247428FD701CF2CC881A5AB7E5FF89334F148A2DF4A58B2A1DB71E955CB92

Function 002408A5 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 268COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002408AC

Part of subcall function 0027B6CB: __EH_prolog3.LIBCMT ref: 0027B6D2

Part of subcall function 0027C32B: __EH_prolog3.LIBCMT ref: 0027C332

Part of subcall function 0024163C: __EH_prolog3_GS.LIBCMT ref: 00241646
Part of subcall function 0024163C: _wcslen.LIBCMT ref: 00241677

Part of subcall function 0024147F: __EH_prolog3.LIBCMT ref: 00241486
Part of subcall function 0024147F: GetDC.USER32(00000000), ref: 002414EF
Part of subcall function 0024147F: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00241501
Part of subcall function 0024147F: DeleteDC.GDI32(00000000), ref: 0024155A

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Strings

AI_CF_SYS_BTNS_XPOS, xrefs: 00240C00
AI_CF_SYS_BTNS_YPOS, xrefs: 00240C0E
", xrefs: 00240C81
AI_CF_SYS_BTNS_SPACING, xrefs: 00240BB1
AI_CF_SYS_BTNS_YPOS_FROM_FRAME, xrefs: 00240B79

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$H_prolog3_$CapsDeleteDevice_wcslenchar_traits
String ID: "$AI_CF_SYS_BTNS_SPACING$AI_CF_SYS_BTNS_XPOS$AI_CF_SYS_BTNS_YPOS$AI_CF_SYS_BTNS_YPOS_FROM_FRAME
API String ID: 3315859388-222825858
Opcode ID: 556571270ab6e271a62e65fc5028b74c39495f805f9468166ecb38f2fa898d46
Instruction ID: 09648f5c5fbe88be649dbf6221439771ba3687cb270d3fe68e697453a2128f32
Opcode Fuzzy Hash: 556571270ab6e271a62e65fc5028b74c39495f805f9468166ecb38f2fa898d46
Instruction Fuzzy Hash: 39C1C070901A8AFEDB05EFB4C985BCDFBA8BF08304F548159E25897142C774A629DFA1

Function 002D8F71 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 266COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002D8F8A

Part of subcall function 0023DF4F: _wcslen.LIBCMT ref: 0023DF54

Part of subcall function 002C8D0D: __EH_prolog3.LIBCMT ref: 002C8D14

Part of subcall function 00234BA5: __EH_prolog3.LIBCMT ref: 00234BAC

Strings

AiDlgWeight, xrefs: 002D9045, 002D90D1
AiRefreshDlg, xrefs: 002D8F98
AiDlgHeight, xrefs: 002D9050
AiGifCommand, xrefs: 002D912D
AiRefreshCost, xrefs: 002D8FDE

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$_wcslen
String ID: AiDlgHeight$AiDlgWeight$AiGifCommand$AiRefreshCost$AiRefreshDlg
API String ID: 821321042-2845550424
Opcode ID: 4e52498895365905313334e2395926bfa72dc228536f586f1f1cfffc52e68546
Instruction ID: e902c3c22d9ef487f5bc45fe6658b6f6421756b70d502ca5d60b0b130efd84e1
Opcode Fuzzy Hash: 4e52498895365905313334e2395926bfa72dc228536f586f1f1cfffc52e68546
Instruction Fuzzy Hash: 90A19071510249EFDB00DFA0C885FDEBBB9AF49310F148199F9059B2C6DBB4EA59CB60

Function 00296360 Relevance: 10.7, APIs: 7, Instructions: 232COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 002964B0
__CxxThrowException@8.LIBCMT ref: 002964CF
__CxxThrowException@8.LIBCMT ref: 002964E4
_memmove_s.LIBCMT ref: 00296507
_memmove_s.LIBCMT ref: 0029657B
_memmove_s.LIBCMT ref: 0029659C
_memset.LIBCMT ref: 002965B6

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: _memmove_s$Exception@8Throw$_memsetstd::exception::exception
String ID:
API String ID: 3351781363-0
Opcode ID: 1ad9522ea9a0399b61a15f352d45b7243be59577b973ad8b315718714569e5ee
Instruction ID: e6b7c502e5ce816f2d8200039aa05fdc801afd3fb5a7d1870305390c33014f71
Opcode Fuzzy Hash: 1ad9522ea9a0399b61a15f352d45b7243be59577b973ad8b315718714569e5ee
Instruction Fuzzy Hash: A4819FB1A1061A9FCB14DF68C985AAEB7B5EF44710F10866DE815E7384E770ED14CB90

Function 002C462B Relevance: 10.7, APIs: 7, Instructions: 223windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003EF), ref: 002C463B

Part of subcall function 002AB5C2: SendMessageW.USER32(00000000,00001037,00000000,00000000), ref: 002AB5DD
Part of subcall function 002AB5C2: SendMessageW.USER32(00000000,00001036,00000000,000000FF), ref: 002AB648

Part of subcall function 00233634: __EH_prolog3.LIBCMT ref: 0023363B

Part of subcall function 002BCE9A: LoadStringW.USER32(000000FF,?,00000514), ref: 002BCEC2

Part of subcall function 002335DE: __EH_prolog3.LIBCMT ref: 002335E5

Part of subcall function 00237C3D: SendMessageW.USER32(?,00001061,00000000,00000005), ref: 00237C8E

GetClientRect.USER32(000000FF,?), ref: 002C4855
SendMessageW.USER32(000000FF,0000101D,00000001,00000000), ref: 002C486E
SendMessageW.USER32(000000FF,0000101D,00000002,00000000), ref: 002C487B

Part of subcall function 00237C1F: SendMessageW.USER32(00000000,0000101E,00000000,00000000), ref: 00237C34

GetDlgItem.USER32(?,000003F1), ref: 002C48A2
GetDlgItem.USER32(?,000003F0), ref: 002C48B2
SetTimer.USER32(?,00000001,000003E8,00000000), ref: 002C48F5

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: MessageSend$Item$H_prolog3$ClientLoadRectStringTimer
String ID:
API String ID: 474410861-0
Opcode ID: 532b1941e0d299fc4f7f50c69554bf280e6c413c6785082c9311c05838ba91ac
Instruction ID: 150bc389d48e33b36013f631ed2beff30e584a5754e9e4dbc3cb228a28e5600c
Opcode Fuzzy Hash: 532b1941e0d299fc4f7f50c69554bf280e6c413c6785082c9311c05838ba91ac
Instruction Fuzzy Hash: 8F714772A90214EBDB05EBA0DC83BDD7725AF04700F118066FA197F192CFB4AB658F91

Function 002F128D Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 221librarycomloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002F1297
CoCreateInstance.OLE32(0033419C,00000000,00000017,0034CBE4,?,00000090,002F1589,?,?,?,?,?,?,0000008C,002F127B,?), ref: 002F12D1
LoadLibraryW.KERNEL32(Shell32.dll,?,?), ref: 002F141F
GetProcAddress.KERNEL32(SHCreateItemFromParsingName,?), ref: 002F1466

Strings

Shell32.dll, xrefs: 002F1416
SHCreateItemFromParsingName, xrefs: 002F1457

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: AddressCreateH_prolog3_InstanceLibraryLoadProc
String ID: SHCreateItemFromParsingName$Shell32.dll
API String ID: 1454770395-214508289
Opcode ID: e7efe5340ea1e4901d4008afbfe5c2b5031032bbf148709e4d0283bfe52fd488
Instruction ID: 7505ebebd8fbb06e0915306ac4827c14e7e2e1c5da8ccd24c048d68ad37b8c15
Opcode Fuzzy Hash: e7efe5340ea1e4901d4008afbfe5c2b5031032bbf148709e4d0283bfe52fd488
Instruction Fuzzy Hash: 86918FB1910248DFCF05DFE4C889AADBBF8BF49304F5440A9E605EB291D770AA64DF60

Function 00248D95 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 208COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00248D9C

Part of subcall function 002DFFA9: __EH_prolog3.LIBCMT ref: 002DFFB0

Part of subcall function 00231F55: GetClientRect.USER32(?,?), ref: 00231F85
Part of subcall function 00231F55: GetParent.USER32(?), ref: 00231F94

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Strings

Cancel, xrefs: 00248E27
Finish, xrefs: 00248E45
Install, xrefs: 00248E36
Back, xrefs: 00248E18
Next, xrefs: 00248E09

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ClientH_prolog3H_prolog3_ParentRectchar_traits
String ID: Back$Cancel$Finish$Install$Next
API String ID: 234437041-735863087
Opcode ID: 0af4fb4571efca03f7aa4b73caa22f6c2240c624139f7d5df88c4aaba03bb593
Instruction ID: 7a740a286b47f9ba75316b8c42930bf442cbbfa7394494fc7cffea4232b015b0
Opcode Fuzzy Hash: 0af4fb4571efca03f7aa4b73caa22f6c2240c624139f7d5df88c4aaba03bb593
Instruction Fuzzy Hash: BA818A70A30209DFCB28DFA4D985AADB7F5BF08700F644169F505AB692CB30AD19CF51

Function 00294290 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 180COMMON

Download Yara Rule

APIs

Part of subcall function 0023A293: __EH_prolog3.LIBCMT ref: 0023A29A

Part of subcall function 0023DEAD: __EH_prolog3.LIBCMT ref: 0023DEB4

_memset.LIBCMT ref: 0029438C
swprintf.LIBCMT ref: 002943AD
_wcslen.LIBCMT ref: 002943BA
_wcslen.LIBCMT ref: 00294410

Strings

(0x%.8x) at address [0x%.8Ix], xrefs: 0029439B
..\core\ExceptionHandling.cpp, xrefs: 002943FE, 00294419

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3_wcslen$_memsetswprintf
String ID: (0x%.8x) at address [0x%.8Ix]$..\core\ExceptionHandling.cpp
API String ID: 1094693061-3451490166
Opcode ID: 2a6b94a260bc050c117b6844ea3e7a5bb646bbb5b3836f8e0289f89839bbf1c8
Instruction ID: 97ba5dc9ca20687c18360a35951163d2caf6caee19c7c3f7f83f6663389f17d2
Opcode Fuzzy Hash: 2a6b94a260bc050c117b6844ea3e7a5bb646bbb5b3836f8e0289f89839bbf1c8
Instruction Fuzzy Hash: 62716BB19183809AC720EB25C882BABF7E9BFD8740F448D2EF18987251DB759515CF93

Function 0026DBD0 Relevance: 10.7, APIs: 7, Instructions: 159windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 0026DC0D
DeleteObject.GDI32(00000000), ref: 0026DC22

Part of subcall function 0027BC59: GetClientRect.USER32(?,?), ref: 0027BC76

Part of subcall function 00261734: DestroyIcon.USER32(00000000,?,?,00000000,?,?,00080000,00000000), ref: 0026174C
Part of subcall function 00261734: LoadImageW.USER32(00000000,0007FFFC,00000001,00000000,?,00000010), ref: 00261828

Part of subcall function 002934D0: _memset.LIBCMT ref: 00293537
Part of subcall function 002934D0: _memset.LIBCMT ref: 0029358C

DestroyIcon.USER32(?), ref: 0026DC36
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0026DC64
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0026DD94
SendMessageW.USER32(?,000000F7,00000001,?), ref: 0026DDA5

Part of subcall function 0027D501: __EH_prolog3.LIBCMT ref: 0027D508

Part of subcall function 0026DDC0: __EH_prolog3.LIBCMT ref: 0026DDC7
Part of subcall function 0026DDC0: GetDC.USER32(?), ref: 0026DDF2
Part of subcall function 0026DDC0: DrawStateW.USER32(?,00000000,00000000,?,00000000,00000000,00000000,?,?,00000023), ref: 0026DE2B
Part of subcall function 0026DDC0: ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,?,?,?,00000000,00000006), ref: 0026DE6F
Part of subcall function 0026DDC0: ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 0026DE7B
Part of subcall function 0026DDC0: ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 0026DE87
Part of subcall function 0026DDC0: ImageList_AddMasked.COMCTL32(?,?,00000000), ref: 0026DE90
Part of subcall function 0026DDC0: ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 0026DEA0
Part of subcall function 0026DDC0: ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 0026DEAC

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: IconImage$List_$Replace$LongWindow$DestroyH_prolog3_memset$ClientDeleteDrawLoadMaskedMessageObjectRectSendState
String ID:
API String ID: 2174148635-0
Opcode ID: ae1e81e82181d03832a8a5185159a4d03c3a83924727e0864c791bdd3d2a8e6d
Instruction ID: 1916608cb0e3dd2e6b95d66ec082fd2f3989d120e3f3872da6b0e56061fc9f12
Opcode Fuzzy Hash: ae1e81e82181d03832a8a5185159a4d03c3a83924727e0864c791bdd3d2a8e6d
Instruction Fuzzy Hash: D2519E7261430A9FC711EF64C884F9AB7E8AF48314F104A19F995D72A0DB70E968CF51

Function 0024850A Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00248511

Part of subcall function 002F58C8: _malloc.LIBCMT ref: 002F58E2

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Part of subcall function 00249B20: __EH_prolog3.LIBCMT ref: 00249B27

Strings

AI_CF_SHARP_CORNERS, xrefs: 00248623
,e3, xrefs: 00248527
AI_CF_ROUND_BOTTOM_CORNERS, xrefs: 002485D8
AI_CF_DRAG_FROM_ANY_POINT, xrefs: 00248678
AI_CF_TYPE, xrefs: 00248582

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$_mallocchar_traits
String ID: ,e3$AI_CF_DRAG_FROM_ANY_POINT$AI_CF_ROUND_BOTTOM_CORNERS$AI_CF_SHARP_CORNERS$AI_CF_TYPE
API String ID: 1899720555-1759479766
Opcode ID: 3d88d9e85d8f1e3d79abbd31f404f43fbc49bddf32ff1bd597e22d6dc596c3db
Instruction ID: d4e88a37c043c5cfaa1975f9df44b050d072724fe7cce6a2188d2821d82d1db2
Opcode Fuzzy Hash: 3d88d9e85d8f1e3d79abbd31f404f43fbc49bddf32ff1bd597e22d6dc596c3db
Instruction Fuzzy Hash: 95516EB5811788EECB21DFA8D480ADEFFB0AF56704F14869CE1866B241C7746B18CF61

Function 002DE38A Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 155COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002DE3A6

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Strings

FASTOEM=1 /qn, xrefs: 002DE48D
AiProductCode, xrefs: 002DE3C1, 002DE3CD
ARPSIZE=, xrefs: 002DE42F
ProductCode, xrefs: 002DE3E6
AiProductCode64, xrefs: 002DE3C8

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3char_traits
String ID: ARPSIZE=$ FASTOEM=1 /qn$AiProductCode$AiProductCode64$ProductCode
API String ID: 2538163586-3789270168
Opcode ID: f2662efb0fabcc47bd06cece490e2a3afeee4a1124d76dfeae4e87d58021c6b5
Instruction ID: c4bb3105210f48ba166260e90f60786977859a854b7424a9cceaddc81a5169e6
Opcode Fuzzy Hash: f2662efb0fabcc47bd06cece490e2a3afeee4a1124d76dfeae4e87d58021c6b5
Instruction Fuzzy Hash: 035191B1811288EEDB15EBA4CC85FEEBBBCAF15304F144198F546A7292DA345F18CF61

Function 002C4DD0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003EF), ref: 002C4DE3

Part of subcall function 00233634: __EH_prolog3.LIBCMT ref: 0023363B

Part of subcall function 002335DE: __EH_prolog3.LIBCMT ref: 002335E5

GetDlgItem.USER32(?,000003F5), ref: 002C4E77
SetWindowTextW.USER32(00000000,00000000), ref: 002C4E8A
GetDlgItem.USER32(?,000003F4), ref: 002C4F9E
SetWindowTextW.USER32(00000000,00000000), ref: 002C4FB1

Strings

%d%%, xrefs: 002C4F88

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Item$H_prolog3TextWindow
String ID: %d%%
API String ID: 3561201444-1518462796
Opcode ID: dad803774f07df4a052e9f28d051e9b2b2671be48cc6a251f08d8c5a844f3a5a
Instruction ID: 2b209d727fbdd3db95e0faff26593d4c71f7ea7e3bdd7cd9f15e6a211d0c145c
Opcode Fuzzy Hash: dad803774f07df4a052e9f28d051e9b2b2671be48cc6a251f08d8c5a844f3a5a
Instruction Fuzzy Hash: B65184715142469FCB01FF60CC46A9E77A9FF48704F054969FC98AB162DB30EA25CF62

Function 00240F5C Relevance: 10.6, APIs: 7, Instructions: 137windowCOMMON

Download Yara Rule

APIs

PtInRect.USER32(?,?,?), ref: 00240FAE
PtInRect.USER32(?,?,?), ref: 0024100E
SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 00241023
PtInRect.USER32(?,?,?), ref: 00241045
PtInRect.USER32(?,?,?), ref: 00240FE3

Part of subcall function 00241C54: GetWindowLongW.USER32(?,000000EC), ref: 00241C6C

PtInRect.USER32(?,?,?), ref: 0024106A
PtInRect.USER32(00000000,?,?), ref: 0024109E

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Rect$LongMessageSendWindow
String ID:
API String ID: 1517528214-0
Opcode ID: 3c15a4372b6d980a6e36d6703a551e31520837c88ebd8cefe39d2ffe6c5ce00e
Instruction ID: 906179450e39f3fcd7c86ecb3612e29fcdbc39b6a75f1c5cb678b5fc2aca22e9
Opcode Fuzzy Hash: 3c15a4372b6d980a6e36d6703a551e31520837c88ebd8cefe39d2ffe6c5ce00e
Instruction Fuzzy Hash: A841D171214746AFEB25DF64CC81F67BBE8AF44700F044829FA44CA191D771E9A8CF62

Function 002A0000 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 129COMMON

Download Yara Rule

APIs

SymGetLineFromAddr.DBGHELP ref: 002A00A1
_strlen.LIBCMT ref: 002A00C6
swprintf.LIBCMT ref: 002A0175
_wcslen.LIBCMT ref: 002A0182

Strings

%hs:%ld, xrefs: 002A0166
\, xrefs: 002A00ED

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: AddrFromLine_strlen_wcslenswprintf
String ID: %hs:%ld$\
API String ID: 2604491226-4047171963
Opcode ID: ab97bf3807bc82ecb53fc92db9abe3ae6fab4c52b9bb6a2b1ca395e0b64b73f6
Instruction ID: 353390afb1519c553fc1a2caaebe5dc46f6ce44a8eba9a9db16472071771b33c
Opcode Fuzzy Hash: ab97bf3807bc82ecb53fc92db9abe3ae6fab4c52b9bb6a2b1ca395e0b64b73f6
Instruction Fuzzy Hash: 0C5179B1418380DFD320DF68C884A9BFBE9BF89754F404A2DF19987291EB75A548CF52

Function 002C515B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,?,00000000,?,000000FF), ref: 002C5302

Part of subcall function 002BEC1B: SendMessageW.USER32(?,00000406,00000000,00000000), ref: 002BEC28

Part of subcall function 002B9D08: SendMessageW.USER32(?,00000402,?,00000000), ref: 002B9D15

GetDlgItem.USER32(?,000003EF), ref: 002C51C0

Part of subcall function 002BB9D3: GetWindowLongW.USER32(000000FF,000000F0), ref: 002BB9D7
Part of subcall function 002BB9D3: SendMessageW.USER32(000000FF,00001013,?,00000000), ref: 002BBA0C

Part of subcall function 002335DE: __EH_prolog3.LIBCMT ref: 002335E5

GetDlgItem.USER32(?,00000407), ref: 002C525E
SetWindowTextW.USER32(00000000,00000000), ref: 002C526D

Part of subcall function 002C4DD0: GetDlgItem.USER32(?,000003EF), ref: 002C4DE3
Part of subcall function 002C4DD0: GetDlgItem.USER32(?,000003F5), ref: 002C4E77
Part of subcall function 002C4DD0: SetWindowTextW.USER32(00000000,00000000), ref: 002C4E8A
Part of subcall function 002C4DD0: GetDlgItem.USER32(?,000003F4), ref: 002C4F9E
Part of subcall function 002C4DD0: SetWindowTextW.USER32(00000000,00000000), ref: 002C4FB1

Part of subcall function 002C5B4F: GetDlgItem.USER32(?,000003F3), ref: 002C5B77
Part of subcall function 002C5B4F: EnableWindow.USER32(00000000,?), ref: 002C5B84

Part of subcall function 002B187C: LeaveCriticalSection.KERNEL32(?,00000000,0033E304,003746CC,00000000,74DEE010,Failed to extract file:,?, Error:,00000000), ref: 002B18FB

Strings

Started download from:, xrefs: 002C52A9
. Saving file to:, xrefs: 002C52A3

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Item$Window$MessageSendText$CriticalEnableExceptionH_prolog3LeaveLongRaiseSection
String ID: . Saving file to:$Started download from:
API String ID: 3204911701-3348440721
Opcode ID: f33d418ecbc932e121261547ab68f359b72928834965c4f88570d6ac867c0c97
Instruction ID: 61b0a3ca0fca4ed0f2cd4cb833966cf7ce9a094253992496a5339b2dd94e651c
Opcode Fuzzy Hash: f33d418ecbc932e121261547ab68f359b72928834965c4f88570d6ac867c0c97
Instruction Fuzzy Hash: 5D416D75910205EFDB01EFA4C885FE97BB8AF44304F1884B8FD49AB256DB71AA158F60

Function 002320D6 Relevance: 10.6, APIs: 7, Instructions: 123COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000EB), ref: 0023214F
ShowWindow.USER32(00000000,00000000), ref: 0023216A
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00232175
GetWindowRect.USER32(00000000,?), ref: 00232193
UnionRect.USER32(?,?,?), ref: 002321A4
ShowWindow.USER32(00000000,00000000), ref: 002321AE
SetWindowLongW.USER32(00000000,000000EB,?), ref: 002321C2

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Window$Long$RectShow$Union
String ID:
API String ID: 216332576-0
Opcode ID: 8ee2c967eaeb76fcd68304a0c2820d418b6158e5dc617a0a524773c455cc7214
Instruction ID: 163f13c050aec1c085c9b0f6ea42b772344340fb2e06ed8e0084fde7a5834d6d
Opcode Fuzzy Hash: 8ee2c967eaeb76fcd68304a0c2820d418b6158e5dc617a0a524773c455cc7214
Instruction Fuzzy Hash: F3416DB0514351AFCB01CF24C988A6B7BE8BF89315F044A5DF995CB192D734D908CBA2

Function 002D4359 Relevance: 10.6, APIs: 7, Instructions: 119pipefileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002D4360
ConnectNamedPipe.KERNEL32(000000FF,00000000,0000003C,002D4506,?,?,000000FF,00000001,?,00000028,002826CC,?,more data,00000001,00000001,00000000), ref: 002D4385
GetLastError.KERNEL32(?,00000028,002826CC,?,more data,00000001,00000001,00000000,?,?,AI_MORE_CMD_LINE,00000001,00000000,?,?,CLIENTPROCESSID), ref: 002D4396
ReadFile.KERNEL32(000000AC,00000000,00000000,00000400,?,00000000,00000000,0000003C,002D4506,?,?,000000FF,00000001,?,00000028,002826CC), ref: 002D43FF
GetLastError.KERNEL32(?,00000028,002826CC,?,more data,00000001,00000001,00000000,?,?,AI_MORE_CMD_LINE,00000001,00000000,?,?,CLIENTPROCESSID), ref: 002D440C
_wcslen.LIBCMT ref: 002D443D
PeekNamedPipe.KERNEL32(000000AC,00000000,00000000,00000000,00000000,?,00000000,?,?,00000028,002826CC,?,more data,00000001,00000001,00000000), ref: 002D4459

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ErrorLastNamedPipe$ConnectFileH_prolog3_PeekRead_wcslen
String ID:
API String ID: 3740790596-0
Opcode ID: 2eea846c5642b87f4f7c05067caabd06bf81247f182e6ef85c6ea373f9bbf6c5
Instruction ID: b3963b64cc59a1420376554d3eebb878bdf8bedf4931fece9d85a3e26ec894cd
Opcode Fuzzy Hash: 2eea846c5642b87f4f7c05067caabd06bf81247f182e6ef85c6ea373f9bbf6c5
Instruction Fuzzy Hash: 3C4128B1D21159EFDF11EFA8E984AAEB7B8AF44344F24402AF515E3250D7309D61CB60

Function 00294630 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 118fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?), ref: 00294690
DeleteFileW.KERNEL32(-00000004), ref: 0029469F
DeleteFileW.KERNEL32(D7557A70,D7557A70,0000002A,-00000004), ref: 00294742
FindNextFileW.KERNEL32(?,0000002A), ref: 00294788

Strings

*, xrefs: 00294674
., xrefs: 00294703

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: File$Delete$FindNext
String ID: *$.
API String ID: 1410743141-3886413389
Opcode ID: b0c6bf839ef26ff35f1fe4dda29cc32c5742ab1168d78253682e6b6b3f68228f
Instruction ID: c886972f18555babbe198a70d4785c6aef9823f5dd92ce926dc8ab9da785f7e4
Opcode Fuzzy Hash: b0c6bf839ef26ff35f1fe4dda29cc32c5742ab1168d78253682e6b6b3f68228f
Instruction Fuzzy Hash: 804183B1528741CBDB34EF64C844FABB3E8EF86724F004A1DE59587290DB70E856CB96

Function 002A0300 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 110COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 002A0383

Part of subcall function 002F7C83: __vswprintf_s_l.LIBCMT ref: 002F7C97

_wcslen.LIBCMT ref: 002A038D

Part of subcall function 002A01F0: swprintf.LIBCMT ref: 002A029E
Part of subcall function 002A01F0: _wcslen.LIBCMT ref: 002A02A8

Part of subcall function 0023A7E6: std::_String_base::_Xlen.LIBCPMT ref: 0023A823
Part of subcall function 0023A7E6: char_traits.LIBCPMT ref: 0023A874

_wcslen.LIBCMT ref: 002A0410
_wcslen.LIBCMT ref: 002A0437

Strings

[0x%.8Ix] , xrefs: 002A036C
-> , xrefs: 002A040B, 002A0419

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: _wcslen$swprintf$String_base::_Xlen__vswprintf_s_lchar_traitsstd::_
String ID: -> $[0x%.8Ix]
API String ID: 3089523178-3364347800
Opcode ID: 13b3bfddc0bf1f0015a38569bc26e9e4af7a9bd73ab33bba9663157ad6fd171e
Instruction ID: c9fa4629f8023e0b163bf455346745ee34e5ba12ef818ad66d0a9c778b557665
Opcode Fuzzy Hash: 13b3bfddc0bf1f0015a38569bc26e9e4af7a9bd73ab33bba9663157ad6fd171e
Instruction Fuzzy Hash: 96416CB151C3809BD720EF69D889A5BF7E8BF89704F404A2DF19983281DAB595148F93

Function 0025DB72 Relevance: 10.6, APIs: 7, Instructions: 104windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0025DB79
SetTextColor.GDI32(?,00000000), ref: 0025DBC2
SetBkColor.GDI32(?,?), ref: 0025DBEA
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,?,?,0025CD7A,?,?,?), ref: 0025DC30
RedrawWindow.USER32(?,00000000,00000000,00000541,?,?,?,?,?,0025CD7A,?,?,?,?), ref: 0025DC43
SendMessageW.USER32(?,00000030,?,00000001), ref: 0025DC6C
CreateSolidBrush.GDI32(?), ref: 0025DC9A

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ColorWindow$BrushCreateH_prolog3MessageRedrawSendSolidText
String ID:
API String ID: 3810788690-0
Opcode ID: e4634a9a19c998069a1d3589f07229d44b7253295484d25769fdec33d8ef6d3f
Instruction ID: 1576e77da9d3b7969807caeed73d64e43470d5ab491374cb9ef30aefbb45b09d
Opcode Fuzzy Hash: e4634a9a19c998069a1d3589f07229d44b7253295484d25769fdec33d8ef6d3f
Instruction Fuzzy Hash: CE31A070610526EFDB18DF64CC88AE9BBA4FF58342F008259F91A972A0C770A955CBA0

Function 002C1A3E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 76windowCOMMON

Download Yara Rule

APIs

SetPropW.USER32(?,IsExterior,00000001), ref: 002C1A5F
RemovePropW.USER32(?,IsExterior), ref: 002C1A96
GetParent.USER32(?), ref: 002C1AB6
SendMessageW.USER32(00000000,0000004E,?,?), ref: 002C1AC3

Strings

IsExterior, xrefs: 002C1A57, 002C1A87
$, xrefs: 002C1AF7

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Prop$MessageParentRemoveSend
String ID: $$IsExterior
API String ID: 1666963903-1491276584
Opcode ID: ef0605435084ea7c025e5e029d426092f1ec9b7ac8d078d63424e61bb9eda0a2
Instruction ID: 0460dfe3f769213bf6125347055d1481a7ba04a23ed60c038cfbf3903a91194d
Opcode Fuzzy Hash: ef0605435084ea7c025e5e029d426092f1ec9b7ac8d078d63424e61bb9eda0a2
Instruction Fuzzy Hash: BC314A70520B06EFCB218F61CC4AF667BE8FB06324F008A2DE466855A2D770D9B1CF91

Function 002C5CEE Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 76windowCOMMON

Download Yara Rule

APIs

SetPropW.USER32(?,IsExterior,00000001), ref: 002C5D0F
RemovePropW.USER32(?,IsExterior), ref: 002C5D46
GetParent.USER32(?), ref: 002C5D66
SendMessageW.USER32(00000000,0000004E,?,00000000), ref: 002C5D73

Strings

$, xrefs: 002C5DA7
IsExterior, xrefs: 002C5D07, 002C5D37

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Prop$MessageParentRemoveSend
String ID: $$IsExterior
API String ID: 1666963903-1491276584
Opcode ID: ad7477e445b2888fcbae8e37fb7269f93f40714ebc2a92b61858226a10e8bfea
Instruction ID: 64679942cdbf756c28f9e68a19eefec6752855f488032bd304cad97267fb7f32
Opcode Fuzzy Hash: ad7477e445b2888fcbae8e37fb7269f93f40714ebc2a92b61858226a10e8bfea
Instruction Fuzzy Hash: 1B310570920F5AEFCB219F21CC4CE667BE4FB05325F008A2DE466865A1D774E8A1CF51

Function 002C5F80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 002C5F9F
GetDesktopWindow.USER32 ref: 002C5FA7
GetDC.USER32(00000000), ref: 002C5FAE
GetDeviceCaps.GDI32(00000000), ref: 002C5FB5
GetDlgItem.USER32(?,0000041B), ref: 002C6003

Strings

HeaderBitmap, xrefs: 002C5FDC

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CapsClientDesktopDeviceItemRectWindow
String ID: HeaderBitmap
API String ID: 3446444355-4000061209
Opcode ID: e6a6a5d6af9d23595839a3423089ec99c7d1dd98089ad6b60e157761dc5826b7
Instruction ID: 1a8159a5facf5bd7abce4a4e842c98ee3de02b0a3367e49a982e843875c72fda
Opcode Fuzzy Hash: e6a6a5d6af9d23595839a3423089ec99c7d1dd98089ad6b60e157761dc5826b7
Instruction Fuzzy Hash: 67213EB1910209AFDB01DFA5DD869EEBBBDEB08301F10446AF606E7191D6B1AA508F90

Function 00260F7E Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

PtInRect.USER32(?,00000000,?), ref: 00260FA3
SetCursor.USER32(?), ref: 00260FB0
InvalidateRect.USER32(?,?,00000001), ref: 00260FD1
UpdateWindow.USER32(?), ref: 00260FDA
_TrackMouseEvent.COMCTL32(00260C6D), ref: 00261000
InvalidateRect.USER32(?,?,00000001), ref: 00261026
UpdateWindow.USER32(?), ref: 0026102F

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Rect$InvalidateUpdateWindow$CursorEventMouseTrack
String ID:
API String ID: 1598129390-0
Opcode ID: a95472577545568e47e449d88fd2514b0a86f3a70806d7be82f384535ec8adc5
Instruction ID: 31ff200b5f7656822d122e3f9eec475a09e4535687e1c3facf5e53ec923ba655
Opcode Fuzzy Hash: a95472577545568e47e449d88fd2514b0a86f3a70806d7be82f384535ec8adc5
Instruction Fuzzy Hash: 8021C531010B859FEB228F58C989BABBBF8EF45745F044819E8C396660C771F895DB10

Function 00275D6C Relevance: 10.6, APIs: 7, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00275D73
SysFreeString.OLEAUT32(00000001), ref: 00275DDE
SysStringLen.OLEAUT32(?), ref: 00275DEE
SysStringLen.OLEAUT32(?), ref: 00275DF7
CoTaskMemAlloc.OLE32(00000002,?,?,?,?,00000004), ref: 00275DFE
SysFreeString.OLEAUT32(?), ref: 00275E14

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: String$Free$AllocH_prolog3Task
String ID:
API String ID: 3758553694-0
Opcode ID: 84a0b5b803097cff89fe568d37852657b7acc85018e3ab9ffca9164c0f262198
Instruction ID: fa590770558f53cb99445984f9def6a1a98ab224cec9642ec855b161e7f9b259
Opcode Fuzzy Hash: 84a0b5b803097cff89fe568d37852657b7acc85018e3ab9ffca9164c0f262198
Instruction Fuzzy Hash: 67218EB551021AEFCF01DF64CD849AEBBB5FF48340F108569F919AB260C7B19A61DF50

Function 002B237B Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 72COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(APPDATA,?,00000104,?,AppDataFolder,?,ProgramFilesFolder,00000000), ref: 002B23FE

Strings

AppDataFolder, xrefs: 002B23AF, 002B23C9, 002B23D4
APPDATA, xrefs: 002B23E8
ProgramFiles, xrefs: 002B23B8
PROGRAMFILES, xrefs: 002B23EF, 002B23FD
ProgramFilesFolder, xrefs: 002B23A4

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: EnvironmentVariable
String ID: APPDATA$AppDataFolder$PROGRAMFILES$ProgramFiles$ProgramFilesFolder
API String ID: 1431749950-2484927405
Opcode ID: c3a0df89500c5bf816dc4ba780a31585bff88822c784b2eb6c3e0b6bc574952e
Instruction ID: 45d9489d718dca675266ed5dbc3c55b2d659f6078bc83dac59a9bf381d1e9b43
Opcode Fuzzy Hash: c3a0df89500c5bf816dc4ba780a31585bff88822c784b2eb6c3e0b6bc574952e
Instruction Fuzzy Hash: 40112621930719A6DB35AF70AD42BFE23A89F06780F00846CE815DB181EA2499598FA1

Function 0024616D Relevance: 10.6, APIs: 7, Instructions: 71windowCOMMON

Download Yara Rule

APIs

TranslateAcceleratorW.USER32(?,?,?), ref: 002461AC
GetFocus.USER32 ref: 002461BB
IsChild.USER32(?,00000000), ref: 002461C7
GetParent.USER32(00000000), ref: 002461DB
GetParent.USER32(00000000), ref: 002461E7
SendMessageW.USER32(00000000,0000037F,00000000,?), ref: 002461F9
IsDialogMessageW.USER32(?,?), ref: 00246208

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: MessageParent$AcceleratorChildDialogFocusSendTranslate
String ID:
API String ID: 3031028519-0
Opcode ID: 091c51f31d8558ea00e07a0b53f3cf13a9c42d073de3f29de03d4152454bdcf8
Instruction ID: 0e896cfaee9d99288aded3d1f3c88b36d83a89820e1456bf4ae119605cba3aa0
Opcode Fuzzy Hash: 091c51f31d8558ea00e07a0b53f3cf13a9c42d073de3f29de03d4152454bdcf8
Instruction Fuzzy Hash: 7D1198316201016FE7299F69DC8CE6ABAECEB87750F144935F84DD2261D660DC548636

Function 00298530 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 65COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,D7557A70,?), ref: 0029857F
GetTempFileNameW.KERNEL32(?,log,00000000,?), ref: 002985B3

Strings

L27, xrefs: 00298592
L27, xrefs: 002985C5
log, xrefs: 002985A6

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: L27$L27$log
API String ID: 3285503233-1787428341
Opcode ID: a0f4275b93cb437e0c909b56909707894b47fea066f17a990c13135fd4c27a3a
Instruction ID: 215351a842cfa6fda685c16dd96b220d16302881efc130451132069557ad8756
Opcode Fuzzy Hash: a0f4275b93cb437e0c909b56909707894b47fea066f17a990c13135fd4c27a3a
Instruction Fuzzy Hash: B7214FB1214241ABD325CF24DC85BABB7E8FB88700F454D1DE585C7261EB74E5488B95

Function 002C1705 Relevance: 10.6, APIs: 7, Instructions: 56COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FC), ref: 002C171E
GetWindowLongW.USER32(00000000,000000F0), ref: 002C1728
GetDlgItem.USER32(?,00000419), ref: 002C173D
GetClientRect.USER32(00000000,?), ref: 002C1754
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 002C1762
RedrawWindow.USER32(00000000,?,00000000,00000105,?,00000001), ref: 002C177A
RedrawWindow.USER32(?,00000000,00000000,00000105,?,00000001), ref: 002C1782

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Window$ItemRedraw$ClientLongPointsRect
String ID:
API String ID: 4163971341-0
Opcode ID: 120c6a406de9b310a2a10a81f5677c1990f2a0f3a9d40fe3caf6ac56c7e318e7
Instruction ID: 7b0d317955208c17d114595349fab237ef89b388a9f3c632a881ce30d83cef98
Opcode Fuzzy Hash: 120c6a406de9b310a2a10a81f5677c1990f2a0f3a9d40fe3caf6ac56c7e318e7
Instruction Fuzzy Hash: 5E012D71900119BFEB019FAA9D85EFFBBBCEF45750F14416AB501E2161D6B09E008BB0

Function 002ED34B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002ED352
std::_Lockit::_Lockit.LIBCPMT ref: 002ED35C

Part of subcall function 0028AE00: std::_Lockit::_Lockit.LIBCPMT ref: 0028AE2F

std::bad_exception::bad_exception.LIBCMT ref: 002ED3AA
__CxxThrowException@8.LIBCMT ref: 002ED3B8
std::locale::facet::facet_Register.LIBCPMT ref: 002ED3CE

Strings

bad cast, xrefs: 002ED3A2

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8H_prolog3RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::facet_
String ID: bad cast
API String ID: 4062345122-3145022300
Opcode ID: 4e17569d66d2656894e58af74b85a7275fb03f61241609a6ca18bc4592d0f259
Instruction ID: 2ebfa845015cdd392c1039d768506c7e756cbab016c78d8aa4b1bad463c29838
Opcode Fuzzy Hash: 4e17569d66d2656894e58af74b85a7275fb03f61241609a6ca18bc4592d0f259
Instruction Fuzzy Hash: 3F01C83596121DABCB06FBA0C8426FDB335AF44760F640528F610771E1DF349A518F91

Function 0029DBB0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 45libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,D7557A70,00000040,?,003146EE,000000FF,00293862), ref: 0029DBF3
GetProcAddress.KERNEL32(00000000), ref: 0029DBFA
GetCurrentProcess.KERNEL32(?,D7557A70,00000040,?,003146EE,000000FF,00293862), ref: 0029DC23
IsWow64Process.KERNEL32(00000000), ref: 0029DC2A

Strings

IsWow64Process, xrefs: 0029DBE9
kernel32, xrefs: 0029DBEE

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Process$AddressCurrentHandleModuleProcWow64
String ID: IsWow64Process$kernel32
API String ID: 1745181078-3789238822
Opcode ID: a17a82ed33fe5b6aec6c90ce8f58c8b87bed6f74554c6804d123b8cb8b736e70
Instruction ID: 9bc0f55c3d6b74b3e82af0ed58edee0e089e0a7b14b28d4681bb52d8f5f4ca9a
Opcode Fuzzy Hash: a17a82ed33fe5b6aec6c90ce8f58c8b87bed6f74554c6804d123b8cb8b736e70
Instruction Fuzzy Hash: 39118B75148B81EFD72ACF60DC4CB467BECFB48721F004A1DE059826E0CB789184CB05

Function 0024808C Relevance: 9.2, APIs: 6, Instructions: 152windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00248096
GetDlgItem.USER32(?,?), ref: 00248178
GetClientRect.USER32(00000000,?), ref: 00248185
GetComboBoxInfo.USER32(00000000,?,?,?,?,?,?,?,0000005C,00247024,?), ref: 002481A3
SendMessageW.USER32(?,00000418,00000000,0000012C), ref: 00248226
SendMessageW.USER32(?,00000432,00000000,0000002C), ref: 00248236

Part of subcall function 00249813: CreateWindowExW.USER32(-00000001,tooltips_class32,00000000,00000000,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00249874
Part of subcall function 00249813: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,002480F9,00000088,00247448,?,?,?,?,?), ref: 0024988A

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: MessageSendWindow$ClientComboCreateH_prolog3InfoItemRect
String ID:
API String ID: 3268066477-0
Opcode ID: 102795d5b1c0e477257c73d85f84a7752118bd11fe5fa45ed61222874d202ace
Instruction ID: fd94195f8efa37efb670f5858584e59d3cb1fb2d2ad83125a26739212a4ca775
Opcode Fuzzy Hash: 102795d5b1c0e477257c73d85f84a7752118bd11fe5fa45ed61222874d202ace
Instruction Fuzzy Hash: 8A518071D2061ADFCF18DFA4C885BADBBB0FF05320F148269D919AB291DB709955CF90

Function 00241D41 Relevance: 9.1, APIs: 6, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00241D48
GetClientRect.USER32(?,?), ref: 00241D64
OffsetRect.USER32(?,?,?), ref: 00241D8D
ExcludeClipRect.GDI32(?,?,?,00000000,?), ref: 00241DA1
GetWindowRect.USER32(?,?), ref: 00241DBC
OffsetRect.USER32(?,?,?), ref: 00241DD2

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Rect$Offset$ClientClipExcludeH_prolog3Window
String ID:
API String ID: 602654454-0
Opcode ID: 0cafe0213c01c43ce4f1d42a95f2846ff77452cdd7e9c0524941007f7c608ac3
Instruction ID: 6f83adba41a32ffbec5dd90c6dfac0cfac052602b78dff84b15d1d1a435d7f16
Opcode Fuzzy Hash: 0cafe0213c01c43ce4f1d42a95f2846ff77452cdd7e9c0524941007f7c608ac3
Instruction Fuzzy Hash: 21419BB5E1064AAFDF09DFA5C8809EEFF74BF08300F44811AE924A3251C73169A4DF50

Function 00245A55 Relevance: 9.1, APIs: 6, Instructions: 93threadwindowCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00245A74

Part of subcall function 00244F2A: __EH_prolog3.LIBCMT ref: 00244F31

Part of subcall function 00251C2C: __EH_prolog3_GS.LIBCMT ref: 00251C33

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Part of subcall function 00233684: GetCurrentProcess.KERNEL32(00000000,0000000D,00000000,00000000,0034F82C,?,0023360F,80004005,00235A87,00000000,002BE292,?,?,00000000,?), ref: 002336B8
Part of subcall function 00233684: FlushInstructionCache.KERNEL32(00000000,?,0023360F,80004005,00235A87,00000000,002BE292,?,?,00000000,?,?,?,?,002BE220), ref: 002336BF

SetLastError.KERNEL32(0000000E,00000000,00000001,00000000,?,00000000,?,?,?,00000020), ref: 00245AF4
GetCurrentThreadId.KERNEL32 ref: 00245B02
EnterCriticalSection.KERNEL32(003732A4,?,00000000,?,?,?,00000020), ref: 00245B1C
DialogBoxParamW.USER32(0000278B,?,0024D1F7,00000000), ref: 00245B54
PostMessageW.USER32(?,000005F8,00000000,00000000), ref: 00245B65

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Current$CacheCriticalDialogEnterErrorFlushH_prolog3H_prolog3_H_prolog3_catchInstructionLastMessageParamPostProcessSectionThreadchar_traits
String ID:
API String ID: 2478496670-0
Opcode ID: 5ec71737362e506cb75612b1e2cc5f36e7200dce25262a83bf416a995381be07
Instruction ID: 6cbbc5cfcba6788e085e58ddc0a27549c18da92c8fb83083a35be4570e0c0759
Opcode Fuzzy Hash: 5ec71737362e506cb75612b1e2cc5f36e7200dce25262a83bf416a995381be07
Instruction Fuzzy Hash: 44416B75915288EBDF25DF64DC89BDE7BB8BB44300F00806AE9499B292DB749748CF60

Function 00259B62 Relevance: 9.1, APIs: 6, Instructions: 86windowCOMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F00), ref: 00259B8F
SetCursor.USER32(00000000), ref: 00259B96
GetParent.USER32(?), ref: 00259BEB
SendMessageW.USER32(00000000,0000004E,00000000,?), ref: 00259BF9
GetParent.USER32(?), ref: 00259C25
SendMessageW.USER32(00000000,0000004E,00000000,?), ref: 00259C33

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CursorMessageParentSend$Load
String ID:
API String ID: 2491973872-0
Opcode ID: adc0a89161c5611b3ff51edd6426f9745f04c12b278bb21d26a2ed66abf84f3a
Instruction ID: ea7e3a65d07c0ba663c7eec05000906e78b61cf48db575053579cdc2489812c7
Opcode Fuzzy Hash: adc0a89161c5611b3ff51edd6426f9745f04c12b278bb21d26a2ed66abf84f3a
Instruction Fuzzy Hash: 2F2180B0A1020ADFDB25CF55C884D7AB7F9FF98316F00011AE94A87251C7B4DDA9CB54

Function 0027D66F Relevance: 9.1, APIs: 6, Instructions: 78windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0027D676
DeleteObject.GDI32(00000000), ref: 0027D684
_memset.LIBCMT ref: 0027D6A4
GetObjectW.GDI32(?,00000018,?), ref: 0027D6B5
GetBitmapBits.GDI32(?,?,?), ref: 0027D70E
CreateBitmapIndirect.GDI32(?), ref: 0027D743

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: BitmapObject$BitsCreateDeleteH_prolog3Indirect_memset
String ID:
API String ID: 1269731461-0
Opcode ID: 604f6643d2f6c5b0c0d2b5d3d1ad96fec8cbef29e2ee9f5115d04daf112e3d2c
Instruction ID: bd8c88d1297efba9b21e8dc1be396b3fb3ff3440ef231a2419fcf38599fd297a
Opcode Fuzzy Hash: 604f6643d2f6c5b0c0d2b5d3d1ad96fec8cbef29e2ee9f5115d04daf112e3d2c
Instruction Fuzzy Hash: BB21D771D1021EABCF15DFE8D9859EEFBBCAF08340F50802AE619E7151D7349A259BA0

Function 002BD842 Relevance: 9.1, APIs: 6, Instructions: 69threadsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,002A9771,?,?,?,?,?), ref: 002BD864

Part of subcall function 0024EF01: CloseHandle.KERNEL32(00000000,002B19F6), ref: 0024EF0C

CreateThread.KERNEL32(00000000,00000000,002BD8DD,?,00000000,00000000), ref: 002BD88C
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,002A9771,?,?,?,?,?,?,?,?,00000000), ref: 002BD8A2
GetExitCodeThread.KERNEL32(00000000,00000000,?,?,?,002A9771,?,?,?,?,?,?,?,?,00000000), ref: 002BD8AD
CloseHandle.KERNEL32(00000000,?,?,?,002A9771,?,?,?,?,?,?,?,?,00000000), ref: 002BD8BF
CloseHandle.KERNEL32(00000000,?,?,?,002A9771,?,?,?,?,?,?,?,?,00000000), ref: 002BD8CE

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CloseHandle$CreateThread$CodeEventExitObjectSingleWait
String ID:
API String ID: 3973034109-0
Opcode ID: 15b362603ff579f030405758bb931aaee74041c62e358e347b353e650643ec5f
Instruction ID: 962b2233a67f386521251481fc618dda80a3c4ea4cc2e3a275a03d4a16fce773
Opcode Fuzzy Hash: 15b362603ff579f030405758bb931aaee74041c62e358e347b353e650643ec5f
Instruction Fuzzy Hash: 52119D75610211AFCB119F69DCCCCEB7BADEF89B927150268F506D3250EA709D02CB60

Function 002C0655 Relevance: 9.1, APIs: 6, Instructions: 60windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 002C067E
GetWindowTextLengthW.USER32(00000000), ref: 002C0683
GetWindowTextW.USER32(00000000,00000000,?), ref: 002C06A4
MessageBeep.USER32(000000FF), ref: 002C06C9
GetDlgItem.USER32(?,000000FF), ref: 002C06E0
SetFocus.USER32(00000000,?,?), ref: 002C06E3

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ItemTextWindow$BeepFocusLengthMessage
String ID:
API String ID: 2221317226-0
Opcode ID: 4b1bdd34752f02ce935ce30a8d388a9e6fcf6b3911d610ab381144abb4af9453
Instruction ID: 6ec6e333e9a96942812369093442e5eecb57f3f0c8365775c78a26d824fdf6bd
Opcode Fuzzy Hash: 4b1bdd34752f02ce935ce30a8d388a9e6fcf6b3911d610ab381144abb4af9453
Instruction Fuzzy Hash: BA118275910608EFDB019FA5DC89EAEBBBDEF84361F248355F82593290D7709E218B60

Function 002B5DBC Relevance: 9.1, APIs: 6, Instructions: 51threadsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000EA60,00000000,?,?,002ADC6E,?,?,00000001,Tv4,?,upd,?,?), ref: 002B5DDE
GetExitCodeThread.KERNEL32(?,?,?,?,002ADC6E,?,?,00000001,Tv4,?,upd,?,?), ref: 002B5DEB
TerminateThread.KERNEL32(?,00000000,?,?,002ADC6E,?,?,00000001,Tv4,?,upd,?,?), ref: 002B5E03
CloseHandle.KERNEL32(?,?,?,002ADC6E,?,?,00000001,Tv4,?,upd,?,?), ref: 002B5E0C
CloseHandle.KERNEL32(?,00000000,?,?,002ADC6E,?,?,00000001,Tv4,?,upd,?,?), ref: 002B5E1E
CloseHandle.KERNEL32(?,00000000,?,?,002ADC6E,?,?,00000001,Tv4,?,upd,?,?), ref: 002B5E2C

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CloseHandle$Thread$CodeExitObjectSingleTerminateWait
String ID:
API String ID: 3492862915-0
Opcode ID: 64ed07e141ece87700cb7ada06b1d21e802caa6461b4945782ece73b4a32f627
Instruction ID: 1bf372c5ede97cf9647b7e01c6f38d292de2efa641da1ebf9963c35d26729f42
Opcode Fuzzy Hash: 64ed07e141ece87700cb7ada06b1d21e802caa6461b4945782ece73b4a32f627
Instruction Fuzzy Hash: 6B114870210B059BD730EF22DC45B9BB3E8AF08741F44082CE482869A0EF70FA54CB20

Function 002FC986 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 002FC9AE

Part of subcall function 002FC1ED: __getptd.LIBCMT ref: 002FC1FB
Part of subcall function 002FC1ED: __getptd.LIBCMT ref: 002FC209

__getptd.LIBCMT ref: 002FC9B8

Part of subcall function 002F9439: __getptd_noexit.LIBCMT ref: 002F943C
Part of subcall function 002F9439: __amsg_exit.LIBCMT ref: 002F9449

__getptd.LIBCMT ref: 002FC9C6
__getptd.LIBCMT ref: 002FC9D4
__getptd.LIBCMT ref: 002FC9DF
_CallCatchBlock2.LIBCMT ref: 002FCA05

Part of subcall function 002FC292: __CallSettingFrame@12.LIBCMT ref: 002FC2DE

Part of subcall function 002FCAAC: __getptd.LIBCMT ref: 002FCABB
Part of subcall function 002FCAAC: __getptd.LIBCMT ref: 002FCAC9

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 65f57004cdf54c8c73fe54ccbd17c4d9972d354fb7d3d87afd51353f1d345779
Instruction ID: 21059955daad508bd0eb7047d36273ef68e880225e780215120b2dd23604d928
Opcode Fuzzy Hash: 65f57004cdf54c8c73fe54ccbd17c4d9972d354fb7d3d87afd51353f1d345779
Instruction Fuzzy Hash: 1911D7B1C1020DDFDB01EFA4D546BAEBBB0FF04354F50806AFA14AB251DB789A61AF50

Function 002610FE Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00261105
DeleteObject.GDI32(?), ref: 00261113
GetStockObject.GDI32(0000000D), ref: 00261126
_memset.LIBCMT ref: 0026113E
GetObjectW.GDI32(?,0000005C,?), ref: 0026114D
CreateFontIndirectW.GDI32(?), ref: 00261174

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Object$CreateDeleteFontH_prolog3_IndirectStock_memset
String ID:
API String ID: 380223295-0
Opcode ID: a6bcdf0b9240a74ca4a1f6f379cbd1ff4ea253f530ed47318167ae16309e0c5f
Instruction ID: b8e223f27dc54929fc86bc77762969bede59aa1d08523d427164c88798175d30
Opcode Fuzzy Hash: a6bcdf0b9240a74ca4a1f6f379cbd1ff4ea253f530ed47318167ae16309e0c5f
Instruction Fuzzy Hash: 8C1108309207C88BE7219BB0CD4A79ABBE8AF01319F544458E691DA5D1D3F9A494CF10

Function 002BC677 Relevance: 9.0, APIs: 6, Instructions: 40windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000007D1), ref: 002BC688
GetDlgItem.USER32(?,0000042D), ref: 002BC694
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 002BC6A6
SendMessageW.USER32(00000000,000000CC,?,00000000), ref: 002BC6BC
RedrawWindow.USER32(00000000,00000000,00000000,00000105,?,?,?,002BC59B), ref: 002BC6C6
SetFocus.USER32(00000000,?,?,?,002BC59B), ref: 002BC6CD

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ItemMessageSend$FocusRedrawWindow
String ID:
API String ID: 3063293149-0
Opcode ID: d95a0008da6661fad4ed53b1e4091808512298f525c0b28cc4f4bca116baa5b0
Instruction ID: 82f4f32d527acfa2f0c39fc6d994f1c46d6de13781a79a0f30d173826265b174
Opcode Fuzzy Hash: d95a0008da6661fad4ed53b1e4091808512298f525c0b28cc4f4bca116baa5b0
Instruction Fuzzy Hash: 8EF0A77124030C7BD62027B3DD8AE677B9CDBC5755F134401F60296491DAB6F4109930

Function 002D59A0 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 258threadCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002D59AA

Part of subcall function 002D1E8D: __EH_prolog3_GS.LIBCMT ref: 002D1E97

GetCurrentThreadId.KERNEL32 ref: 002D5AC4

Strings

UnInstallingPackage, xrefs: 002D5AFC
InstallingPackage, xrefs: 002D5AF1
ConfigurePackage, xrefs: 002D5B03, 002D5B08

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3_$CurrentThread
String ID: ConfigurePackage$InstallingPackage$UnInstallingPackage
API String ID: 3929242399-3279804734
Opcode ID: 97811e97e8f89b0130b9479c5b15d529df394bcdc497361204f3bbe9ad41343b
Instruction ID: 3376c5352577de77a6a34a47b20b673cc0dfaae0aad87bbb0676db82a0281f0c
Opcode Fuzzy Hash: 97811e97e8f89b0130b9479c5b15d529df394bcdc497361204f3bbe9ad41343b
Instruction Fuzzy Hash: CCB14E71820258DEDB20DBA8CD85FEDB7B8AF05304F5441DAE54AA7281DBB06F94CF61

Function 0023D0A1 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 240COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0023D0AB

Part of subcall function 0024F563: __EH_prolog3.LIBCMT ref: 0024F56A

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Part of subcall function 0023DEAD: __EH_prolog3.LIBCMT ref: 0023DEB4

Part of subcall function 0023DEFC: __EH_prolog3.LIBCMT ref: 0023DF03

Strings

Show, xrefs: 0023D210
Hide, xrefs: 0023D0F6
= ", xrefs: 0023D24B
<> ", xrefs: 0023D139

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$char_traits
String ID: <> "$ = "$Hide$Show
API String ID: 3598086826-289022205
Opcode ID: 9d925c13325e926617d6b2ff04022c5a6de6893ebdd2786699e6fc188b506671
Instruction ID: ff07a1021024b2c7a9648c9f04950ad3d796ac9c684a6d65993d15024b8ef482
Opcode Fuzzy Hash: 9d925c13325e926617d6b2ff04022c5a6de6893ebdd2786699e6fc188b506671
Instruction Fuzzy Hash: 44916AB1811248EEDF01EBA0DD86BDEBB78AF11308F148195F145AB192DB746F29CF61

Function 002F09FC Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 220COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002F0A06
_wcslen.LIBCMT ref: 002F0B8F
_wcslen.LIBCMT ref: 002F0C32

Strings

p3, xrefs: 002F0B89
="", xrefs: 002F0B7F, 002F0C31

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: _wcslen$H_prolog3_
String ID: =""$p3
API String ID: 2000020936-290226426
Opcode ID: da5e8c381cf80ee1731c7d27fa36f444b7a48053b01381d18f373d16e693bf85
Instruction ID: 92f8188af84f91944bf9becaee695e8c9a75e943bae3c5e52e5efb836c5ad09b
Opcode Fuzzy Hash: da5e8c381cf80ee1731c7d27fa36f444b7a48053b01381d18f373d16e693bf85
Instruction Fuzzy Hash: 7D818A71821268AECF11EBA4DD95FEEBB78BF11314F144259F54667192CB702A28CF90

Function 0025630C Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 215COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00256313

Part of subcall function 0026F197: __EH_prolog3.LIBCMT ref: 0026F19E

Part of subcall function 00259F18: __EH_prolog3.LIBCMT ref: 00259F1F
Part of subcall function 00259F18: GetSysColor.USER32(00000011), ref: 0025A013

Part of subcall function 002F58C8: _malloc.LIBCMT ref: 002F58E2

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Part of subcall function 00231665: char_traits.LIBCPMT ref: 002316DF

Strings

PrereqMandatoryInstallAction, xrefs: 0025652F
PrereqInstallAction, xrefs: 002564DC
PrereqInstalled, xrefs: 00256486
PrereqSkipAction, xrefs: 00256582

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$char_traits$Color_malloc
String ID: PrereqInstallAction$PrereqInstalled$PrereqMandatoryInstallAction$PrereqSkipAction
API String ID: 955435578-2596446688
Opcode ID: 0057df8bdd1ef1ce5d69865a911aaae733407f3bd7abcbd79ed7f980b1d5609f
Instruction ID: 199e6a5cc800443981f811059c9b9437777abf9328747a467be4eb43659e293f
Opcode Fuzzy Hash: 0057df8bdd1ef1ce5d69865a911aaae733407f3bd7abcbd79ed7f980b1d5609f
Instruction Fuzzy Hash: DFA1D2B0815288EFCB05DFA4C984ADDFBB4BF15304F14829DE455A7292CB702B18DFA1

Function 002444D2 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 206windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002444DC

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Part of subcall function 002C8CC0: __EH_prolog3.LIBCMT ref: 002C8CC7

Part of subcall function 00234BA5: __EH_prolog3.LIBCMT ref: 00234BAC

SetWindowTextW.USER32(00000000,?), ref: 002445D7
GetFocus.USER32 ref: 002445DD
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 002445F5

Part of subcall function 002CB5D7: __EH_prolog3.LIBCMT ref: 002CB5DE

Strings

ProductName, xrefs: 0024467E

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$FocusH_prolog3_MessageSendTextWindowchar_traits
String ID: ProductName
API String ID: 1977205419-3586724618
Opcode ID: dcd28bc70866c4e372f049bf57510c2269c1d6476437ba9a99ac049f2e00f6bf
Instruction ID: 4b0f4dc3d4828b93ddb22925f48fd19d1646dd64640b49147937659721bf26d3
Opcode Fuzzy Hash: dcd28bc70866c4e372f049bf57510c2269c1d6476437ba9a99ac049f2e00f6bf
Instruction Fuzzy Hash: FA818170910258EFDB15EBA4CC89FEDBBB8AF1A304F144199E146A7291CB706F58CF61

Function 002DA30D Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 158COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002DA314

Part of subcall function 0024F563: __EH_prolog3.LIBCMT ref: 0024F56A

Part of subcall function 002D0276: __EH_prolog3.LIBCMT ref: 002D027D

Part of subcall function 0026A056: __EH_prolog3.LIBCMT ref: 0026A05D

Part of subcall function 002492F4: __EH_prolog3.LIBCMT ref: 002492FB

Strings

REBOOTPROMPT, xrefs: 002DA43D, 002DA526
REBOOT, xrefs: 002DA4A8, 002DA4E7
ReallySuppress, xrefs: 002DA497
Force, xrefs: 002DA4D6

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3
String ID: Force$REBOOT$REBOOTPROMPT$ReallySuppress
API String ID: 431132790-3866756026
Opcode ID: e8d8a73412fd1966ada52d3fb68dee49d93551b050d14646a0c1d1178e532ebf
Instruction ID: 16d9e5db326ff4d3ed4e3b28506c0b24c0d7d55013af7f436534b935b022cc31
Opcode Fuzzy Hash: e8d8a73412fd1966ada52d3fb68dee49d93551b050d14646a0c1d1178e532ebf
Instruction Fuzzy Hash: 7871ABB1811788DFDB11EFA4C981BDEBBF0AF10300F14859EE1966B292D7B06A59CF51

Function 002761EF Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 002761F6
SysFreeString.OLEAUT32(00000000), ref: 00276310
SysStringLen.OLEAUT32(?), ref: 00276316
SysFreeString.OLEAUT32(?), ref: 0027633A

Strings

`<u, xrefs: 002762C6

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: String$Free$H_prolog3_catch
String ID: `<u
API String ID: 1415682657-3367579956
Opcode ID: 4a8ea6a9c1718068fab53207573d9fce0c5a9b56b98c6568ef1a7e4a0b26ed03
Instruction ID: 61e6c8434fcc5c5705eb5a91af1f189f8ea0348a8fdde7abfbb34959261e1611
Opcode Fuzzy Hash: 4a8ea6a9c1718068fab53207573d9fce0c5a9b56b98c6568ef1a7e4a0b26ed03
Instruction Fuzzy Hash: 17415E7191020ADFDB15CFA4C989AAEBBF8FF08310F208159E909EB261D734E950CF60

Function 002A1896 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 126registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,00000001,80000002,?,80000002,?,?,?,?,?,?,002A17C4,80000002,?), ref: 002A18BC
GetLastError.KERNEL32(?,80000002,?,?,?,?,?,?,002A17C4,80000002,?), ref: 002A18C2
RegEnumValueA.ADVAPI32(80000002,00000000,?,?,00000000,?,?,?,?,80000002), ref: 002A193F
RegEnumValueA.ADVAPI32(80000002,00000000,?,?,00000000,?,00000000,?,?,80000002), ref: 002A1993

Strings

InstallLanguage, xrefs: 002A191A

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: EnumValue$ErrorLastOpen
String ID: InstallLanguage
API String ID: 3004463046-2755071137
Opcode ID: 720b2c09daf2a9b16b0fb7872dfdcb7b187e52e183a88a708afe4845ce89d91e
Instruction ID: 71f91d27bdd5b4ae9f9efde8ad8045e9905f2d20fd49fc4308d811887ccf4579
Opcode Fuzzy Hash: 720b2c09daf2a9b16b0fb7872dfdcb7b187e52e183a88a708afe4845ce89d91e
Instruction Fuzzy Hash: 16410C72D1421A9FDF01DFA8CC456EEBBB8EF49320F140226E661B31A0DB715A65CF64

Function 00278B78 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00278B7F
VariantClear.OLEAUT32(?), ref: 00278BBE

Part of subcall function 00235A6E: __EH_prolog3.LIBCMT ref: 00235A75

VariantClear.OLEAUT32(?), ref: 00278C7A
SysFreeString.OLEAUT32(?), ref: 00278C87

Strings

`<u, xrefs: 00278C87

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ClearH_prolog3Variant$FreeString
String ID: `<u
API String ID: 2282774976-3367579956
Opcode ID: 3a6035fed422efb032ede11b2ecd4a0bdf591a13b04950f6d6d5dfb35de25f78
Instruction ID: b0a5fe268cf14d5a586bd3a113274c3d0a907e87321d154335754cb614a5a0f4
Opcode Fuzzy Hash: 3a6035fed422efb032ede11b2ecd4a0bdf591a13b04950f6d6d5dfb35de25f78
Instruction Fuzzy Hash: 53317A71811248EECF12EFA8D909ADEBBB4AF04754F24C199F109AB1A1CB745F18DF61

Function 00278DA0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00278DA7
VariantClear.OLEAUT32(?), ref: 00278DE6

Part of subcall function 00235A6E: __EH_prolog3.LIBCMT ref: 00235A75

VariantClear.OLEAUT32(?), ref: 00278EA3
SysFreeString.OLEAUT32(?), ref: 00278EB0

Strings

`<u, xrefs: 00278EB0

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ClearH_prolog3Variant$FreeString
String ID: `<u
API String ID: 2282774976-3367579956
Opcode ID: 114d0668bd6d4652d3e9f3ddb0df34d2aedc97e57bf3017175f794285cb0f1d1
Instruction ID: eb7b655a970df70dbe285a89dce86d046e7f52e457cbbaad1c1990fc9c2b0071
Opcode Fuzzy Hash: 114d0668bd6d4652d3e9f3ddb0df34d2aedc97e57bf3017175f794285cb0f1d1
Instruction Fuzzy Hash: 53317871911248EBCF12EFA8C909ADEBBB4AF04714F24C158F409AB1A1DB749F18DF60

Function 00251C2C Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 90COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00251C33

Part of subcall function 0023A7E6: std::_String_base::_Xlen.LIBCPMT ref: 0023A823
Part of subcall function 0023A7E6: char_traits.LIBCPMT ref: 0023A874

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Part of subcall function 0023A293: __EH_prolog3.LIBCMT ref: 0023A29A

Part of subcall function 0023DEAD: __EH_prolog3.LIBCMT ref: 0023DEB4

Strings

AI_FRAME_NO_CAPTION_, xrefs: 00251C3A
Z3, xrefs: 00251CF0
Dialog, xrefs: 00251CCB
`Dialog` = ', xrefs: 00251C99

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3char_traits$H_prolog3_String_base::_Xlenstd::_
String ID: AI_FRAME_NO_CAPTION_$Dialog$`Dialog` = '$Z3
API String ID: 3935908814-4063770133
Opcode ID: 6551fc04ce6d6b0e23bc573c9a42391274dfcb88f6f3ac96025e9a40a1979f7d
Instruction ID: 3c31b1ec8ccf383ac117ec5acc1a2fb6f3827663ec23e591753665106bb1eb25
Opcode Fuzzy Hash: 6551fc04ce6d6b0e23bc573c9a42391274dfcb88f6f3ac96025e9a40a1979f7d
Instruction Fuzzy Hash: 6231C1B580038CEEDB11EBE4CC85DEEBFB8AF52304F184298F15667181CA705E19CB61

Function 002612B6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 86registryCOMMON

Download Yara Rule

APIs

GetWindowTextW.USER32(000000FF,?,00000001), ref: 002612CB
RegCloseKey.ADVAPI32(?,80000001,Software\Microsoft\Internet Explorer\Settings,0002001F,?,?,?,00000001), ref: 002613D7

Strings

Anchor Color Visited, xrefs: 002613A2
Anchor Color, xrefs: 00261374
Software\Microsoft\Internet Explorer\Settings, xrefs: 00261347

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CloseTextWindow
String ID: Anchor Color$Anchor Color Visited$Software\Microsoft\Internet Explorer\Settings
API String ID: 230337406-3433146436
Opcode ID: 70a8588a76f8343f6c7bbe8b13a9dcf19a5e9628c26d343c46ebda06fde27ef2
Instruction ID: a56f60aed8be7748e5e328c691cbb04d80739b56267107096cc6a83ed692b147
Opcode Fuzzy Hash: 70a8588a76f8343f6c7bbe8b13a9dcf19a5e9628c26d343c46ebda06fde27ef2
Instruction Fuzzy Hash: 86315870920209DBDB21DFA8C981AEDB7B9AF44314F294656E811F7265D770BDBA8B00

Function 0025D668 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00234F42: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00234F5D

GetComboBoxInfo.USER32(00000000,?), ref: 0025D6CC
SendMessageW.USER32(?,000000C5,?,00000000), ref: 0025D6F1
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 0025D72C
RedrawWindow.USER32(?,00000000,00000000,00000541), ref: 0025D73C

Part of subcall function 0027D62C: GetWindowLongW.USER32(?,000000F0), ref: 0027D632

Strings

4, xrefs: 0025D6C5

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Window$MessageSend$ComboInfoLongRedraw
String ID: 4
API String ID: 2250787898-4088798008
Opcode ID: f8894840c6d6e5c69eb9484d08101ba09ca6de166011c3fbbdd1d9b984dff423
Instruction ID: c831918077629b8162cc005191da0f172f6e4b3eb254474e34c8f622c30ad21f
Opcode Fuzzy Hash: f8894840c6d6e5c69eb9484d08101ba09ca6de166011c3fbbdd1d9b984dff423
Instruction Fuzzy Hash: 53217F31A102119FDF209FB8DC89EEABBBCEF09301F0441A4ED0ADB165DB70A915CB60

Function 0028A1B0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0028A1DC

Part of subcall function 0028AE00: std::_Lockit::_Lockit.LIBCPMT ref: 0028AE2F

std::bad_exception::bad_exception.LIBCMT ref: 0028A25A
__CxxThrowException@8.LIBCMT ref: 0028A269
std::locale::facet::facet_Register.LIBCPMT ref: 0028A280

Strings

bad cast, xrefs: 0028A251

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::facet_
String ID: bad cast
API String ID: 2820251361-3145022300
Opcode ID: 08a39bb8b364321cff97f3dcd0bbe01c12eedc63057dcf1f6671467ecd44738a
Instruction ID: c06f16819734281a4dd66a97ba4b1248ffa4ab909aff4db09703cf5908538da4
Opcode Fuzzy Hash: 08a39bb8b364321cff97f3dcd0bbe01c12eedc63057dcf1f6671467ecd44738a
Instruction Fuzzy Hash: D92154795252019FD725EF24C881AAAB3E8EB84760F440A2EF851573D1DB35AC15CF93

Function 00298260 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32 ref: 002982AE

Strings

L27, xrefs: 002982F1
\, xrefs: 002982CF
L27, xrefs: 002982C1

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: PathTemp
String ID: L27$L27$\
API String ID: 2920410445-2643387983
Opcode ID: 39c023175ead9495877c166f29cc617c0c9a5229ee1bc97a085f91c48c36e148
Instruction ID: d11d56c9b06ff2ca9fc76698611c7ad2a0c3cf26a10c4365c3cc6cdbb9f551e0
Opcode Fuzzy Hash: 39c023175ead9495877c166f29cc617c0c9a5229ee1bc97a085f91c48c36e148
Instruction Fuzzy Hash: BF318EB1214751DBD321DF28D845B6BB7E8FB88B00F04492DE88AC7351EBB4D9548B92

Function 0027C8BD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 0027C8D8
SendMessageW.USER32(?,0000120C,?,00000004), ref: 0027C922
SendMessageW.USER32(?,0000120C,?,00000024), ref: 0027C96B
SendMessageW.USER32(00000000,00001051,?,0027C992), ref: 0027C97C

Strings

$, xrefs: 0027C927

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: MessageSend
String ID: $
API String ID: 3850602802-3993045852
Opcode ID: afe03deed8331c7070ab25b236aa13c67918cec03b5816cd6ac01046949e11b3
Instruction ID: e82a6af4cc507ca88add836155175908315645857997d803ad92d5c2e53bc857
Opcode Fuzzy Hash: afe03deed8331c7070ab25b236aa13c67918cec03b5816cd6ac01046949e11b3
Instruction Fuzzy Hash: BB212A70510609EFDF60DF65CC85AAEB7F9FF09304F20841AE649A72A0D3B59954DF50

Function 002A01F0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 0029FDC0: LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr,D7557A70,00000000,003146BE,000000FF,0029E067), ref: 0029FE05
Part of subcall function 0029FDC0: GetProcAddress.KERNEL32(00000000), ref: 0029FE0C

swprintf.LIBCMT ref: 002A029E

Part of subcall function 002F7C83: __vswprintf_s_l.LIBCMT ref: 002F7C97

_wcslen.LIBCMT ref: 002A02A8
_wcslen.LIBCMT ref: 002A02BC

Strings

%hs(), xrefs: 002A028F
-----, xrefs: 002A02B7, 002A02C5

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: _wcslen$AddressLibraryLoadProc__vswprintf_s_lswprintf
String ID: %hs()$-----
API String ID: 3806047636-1169171486
Opcode ID: 29e48850ae94727e73125b72b47abac1335053eec737d259ed571cd7698b6b53
Instruction ID: b638c0a0c10b3315ae2f2d58308604da9b12e3996b9900c943d0f2e3fb1cfda9
Opcode Fuzzy Hash: 29e48850ae94727e73125b72b47abac1335053eec737d259ed571cd7698b6b53
Instruction Fuzzy Hash: BF212BB1618781AFD338DF15D845B6BB7E8FF98750F00463EE04993680DB74A5158B92

Function 002B22A7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(shfolder.dll,?,00000000), ref: 002B22F6
FreeLibrary.KERNEL32(00000000), ref: 002B230C
GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 002B2327

Strings

shfolder.dll, xrefs: 002B22F1
SHGetFolderPathW, xrefs: 002B2321

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: SHGetFolderPathW$shfolder.dll
API String ID: 145871493-3387970553
Opcode ID: c73f259c1f09ab2aa718bc294c1a22de976b337cdf79d39d5c8177b4521d44f4
Instruction ID: 4795b64bed22956525b4993d6ee111174ab6e07a60ebc1cce751bb1c10c55174
Opcode Fuzzy Hash: c73f259c1f09ab2aa718bc294c1a22de976b337cdf79d39d5c8177b4521d44f4
Instruction Fuzzy Hash: D91103B0B60324DBCB23AF349D89CED7BEDAB05B90F000455F40AC7151DA388A958B91

Function 002C9093 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002C909A

Part of subcall function 0023A7E6: std::_String_base::_Xlen.LIBCPMT ref: 0023A823
Part of subcall function 0023A7E6: char_traits.LIBCPMT ref: 0023A874

_wcslen.LIBCMT ref: 002C90C5

Part of subcall function 002D2173: __EH_prolog3.LIBCMT ref: 002D217A

OpenEventW.KERNEL32(00000000,00000000,?,00000000,?,00000000,000000FF,0033EB08,0000003C,002C8E04,00000004,00235DEA,00000000,?,00000001), ref: 002C90F5
CreateEventW.KERNEL32(00000000,00000001,00000001,?,?,00000000,000000FF,0033EB08,0000003C,002C8E04,00000004,00235DEA,00000000,?,00000001), ref: 002C9113

Strings

_pbl_evt, xrefs: 002C90BF, 002C90C4

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Event$CreateH_prolog3H_prolog3_OpenString_base::_Xlen_wcslenchar_traitsstd::_
String ID: _pbl_evt
API String ID: 1265201892-4023232351
Opcode ID: c03efdd2d5bd8f1a18e975bbc0d64e79472336d34e7f0597e444214d30c9c1d6
Instruction ID: 565c1ff16f040aae6d78ced92ab55f937f5ddd03e0057f95977c0c0cf63881f6
Opcode Fuzzy Hash: c03efdd2d5bd8f1a18e975bbc0d64e79472336d34e7f0597e444214d30c9c1d6
Instruction Fuzzy Hash: 9F119071924218AFDB01EBA4CC86FEDB678AF04350F584264F602B72D1C6A01F56CBA1

Function 002B9C58 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

Part of subcall function 002AD897: GetSystemMetrics.USER32(0000000C), ref: 002AD8AD
Part of subcall function 002AD897: GetSystemMetrics.USER32(0000000B), ref: 002AD8B2
Part of subcall function 002AD897: LoadImageW.USER32(00230000,00000080,00000001,00000000,?,?), ref: 002AD8C4
Part of subcall function 002AD897: SendMessageW.USER32(000000FF,00000080,00000001,00000000), ref: 002AD8D8
Part of subcall function 002AD897: GetSystemMetrics.USER32(00000032), ref: 002AD8E7
Part of subcall function 002AD897: GetSystemMetrics.USER32(00000031), ref: 002AD8EC
Part of subcall function 002AD897: LoadImageW.USER32(?,00000080,00000001,00000000,?,?), ref: 002AD8F6
Part of subcall function 002AD897: SendMessageW.USER32(000000FF,00000080,00000000,00000000), ref: 002AD900

Part of subcall function 0024D493: GetWindowLongW.USER32(000000FF,000000F0), ref: 0024D4A9
Part of subcall function 0024D493: GetParent.USER32(000000FF), ref: 0024D4BF
Part of subcall function 0024D493: GetWindowRect.USER32(000000FF,00000000), ref: 0024D4D6
Part of subcall function 0024D493: GetWindowLongW.USER32(00000000,000000F0), ref: 0024D4F1
Part of subcall function 0024D493: MonitorFromWindow.USER32(000000FF,00000002), ref: 0024D516

SetWindowTextW.USER32(?,?), ref: 002B9C7D

Part of subcall function 00233634: __EH_prolog3.LIBCMT ref: 0023363B

GetDlgItem.USER32(?,0000040A), ref: 002B9C9D
SetWindowTextW.USER32(00000000,?), ref: 002B9CA7

Part of subcall function 002C11EC: GetWindowLongW.USER32(00000000,000000F0), ref: 002C11F5
Part of subcall function 002C11EC: GetParent.USER32(00000000), ref: 002C1203

CreateThread.KERNEL32(00000000,00000000,VWj,?,00000000,?), ref: 002B9CC6

Part of subcall function 002335DE: __EH_prolog3.LIBCMT ref: 002335E5

Strings

VWj, xrefs: 002B9CBF

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Window$MetricsSystem$Long$H_prolog3ImageLoadMessageParentSendText$CreateFromItemMonitorRectThread
String ID: VWj
API String ID: 2642684354-3488467141
Opcode ID: 578823b820fc8849d3dc9556b1949c45f8dc78a886aa951a810e6a31975d9792
Instruction ID: 9ccb558065abc0d8b8999fcad7b32d4a5ee3e46b21b19551ff1e431c380e9c70
Opcode Fuzzy Hash: 578823b820fc8849d3dc9556b1949c45f8dc78a886aa951a810e6a31975d9792
Instruction Fuzzy Hash: 0E01E9B6510205FFEB05EFE4DD8AD9AB7ACFF09310B100555F24192461EB75EA609BA0

Function 00265735 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0026573C

Strings

Network, xrefs: 00265770
Advertise, xrefs: 00265783
Absent, xrefs: 0026578A
Local, xrefs: 00265777

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3
String ID: Absent$Advertise$Local$Network
API String ID: 431132790-2783015521
Opcode ID: 4cb293031a57687a85980d132c96dac6b5dbe88dd71c9c94288c93848d3ccd93
Instruction ID: 7660111f1f63ba29a8427b764c3a1411d9453bbff4d12688fc008a593a4df915
Opcode Fuzzy Hash: 4cb293031a57687a85980d132c96dac6b5dbe88dd71c9c94288c93848d3ccd93
Instruction Fuzzy Hash: B8F0B475630639CACB27EEE858C257CE150BB44710F280227F912D61C1C7F089F29AD2

Function 002FC6C2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 002FC6DC

Part of subcall function 002F9439: __getptd_noexit.LIBCMT ref: 002F943C
Part of subcall function 002F9439: __amsg_exit.LIBCMT ref: 002F9449

__getptd.LIBCMT ref: 002FC6ED
__getptd.LIBCMT ref: 002FC6FB

Strings

MOC, xrefs: 002FC6CE
csm, xrefs: 002FC6D5

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$csm
API String ID: 803148776-1389381023
Opcode ID: 536c6dbb97de8ecf56f2930af6310e668012e98a17c9c97c307c3e8fa210a0d9
Instruction ID: 261aa2b895f3fc3556968219253088a067973d5e469bef0ec03345ffb2de0ca1
Opcode Fuzzy Hash: 536c6dbb97de8ecf56f2930af6310e668012e98a17c9c97c307c3e8fa210a0d9
Instruction Fuzzy Hash: A5E04F3112020CCFD710AF78D546B38B798FB54754F6510B1E64CCB262C774DCA1AE42

Function 00285720 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

std::_String_base::_Xlen.LIBCPMT ref: 00285774

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: String_base::_Xlenstd::_
String ID:
API String ID: 1541887531-0
Opcode ID: 96f61d3f3463634785d28605bdc13cd0d76b5d842fccfc06254ab4681ecc3c70
Instruction ID: 60f460d2acf7b3fb0735a815f5dbffba0bc2a3df61b606de1ecd7456940a4c09
Opcode Fuzzy Hash: 96f61d3f3463634785d28605bdc13cd0d76b5d842fccfc06254ab4681ecc3c70
Instruction Fuzzy Hash: E961C276A1161A9FCB14DF68C984AAEBBB5EF44310F10866DE815D7381EB30EE15CB90

Function 002C1EFD Relevance: 7.7, APIs: 5, Instructions: 190windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 002C1F22
IsWindowVisible.USER32(?), ref: 002C1F52
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 002C1F67
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 002C2117
RedrawWindow.USER32(?,00000000,00000000,00000185,?,?,002C44BD,000000FF,?,?,00000000,?,00000000,?), ref: 002C2127

Part of subcall function 002C43B9: RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,002AC720,?,?,000000FF), ref: 002C43D3

Part of subcall function 002C2135: GetDlgItem.USER32(?,00000000), ref: 002C2166
Part of subcall function 002C2135: GetWindowRect.USER32(00000000,00000000), ref: 002C2174

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Window$MessageSend$ExceptionItemLongRaiseRectRedrawVisible
String ID:
API String ID: 3933933581-0
Opcode ID: 4bb5eede317a8ecccb5e46fd5d8bd51df3b202b7122e5b7f2e77eb8b22cd90d2
Instruction ID: 9eeed19db3fb277bd278e1f78a96e612c4444d025d5cdeba301a2c9cfb3505ef
Opcode Fuzzy Hash: 4bb5eede317a8ecccb5e46fd5d8bd51df3b202b7122e5b7f2e77eb8b22cd90d2
Instruction Fuzzy Hash: D3614A312143419BC715EF29C896E1AB7E6AFC4710F148A6EF8599B262DB71DC28CF81

Function 0027636F Relevance: 7.7, APIs: 5, Instructions: 183COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0027638E
EnterCriticalSection.KERNEL32(003744E8,0000001C), ref: 002763BE
GetModuleFileNameW.KERNEL32(0000FFFF,00000104), ref: 00276422
LoadTypeLib.OLEAUT32(?,?), ref: 00276447
LoadRegTypeLib.OLEAUT32(00378238,?,?,?,?), ref: 00276468

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: LoadType$CriticalEnterFileH_prolog3ModuleNameSection
String ID:
API String ID: 3289395776-0
Opcode ID: 45fe33914734c0b22a555fa4bd106c748fd91d6eee4c5a2c6268824fa27b652e
Instruction ID: 545983bcf557c9f405bb7b0e679ee0deeb15fe8a0efe741ada39987efc21e83c
Opcode Fuzzy Hash: 45fe33914734c0b22a555fa4bd106c748fd91d6eee4c5a2c6268824fa27b652e
Instruction Fuzzy Hash: DA7179B1D1065ADFCF21DFA4C888AAEBBB8FF08300F548469E519E7211D7749A54DF60

Function 00284460 Relevance: 7.7, APIs: 5, Instructions: 154COMMON

Download Yara Rule

APIs

std::_String_base::_Xlen.LIBCPMT ref: 00284495
std::_String_base::_Xlen.LIBCPMT ref: 002844B3
_memmove_s.LIBCMT ref: 00284531
_memmove_s.LIBCMT ref: 00284581

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: String_base::_Xlen_memmove_sstd::_
String ID:
API String ID: 2295234635-0
Opcode ID: b3f4b2a07b997dca5bef98b5192f646fdaaeeed13ca059f963086a4bd511685a
Instruction ID: d59463e20ad56784f54c19efc7ec34a29e67723fba0788db7d1e3382ad2c3447
Opcode Fuzzy Hash: b3f4b2a07b997dca5bef98b5192f646fdaaeeed13ca059f963086a4bd511685a
Instruction Fuzzy Hash: D251EC7422570A8F8724FF58D9C096EB3E5FF947047904A2DE052C7691E734F968CB91

Function 002C0D3C Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 134sleepCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,?,?,00000001,?,003746CC,00000000,?,?), ref: 002C0DD3

Part of subcall function 002B187C: LeaveCriticalSection.KERNEL32(?,00000000,0033E304,003746CC,00000000,74DEE010,Failed to extract file:,?, Error:,00000000), ref: 002B18FB

Part of subcall function 002335DE: __EH_prolog3.LIBCMT ref: 002335E5

Sleep.KERNEL32(000007D0,?,00000000,?,?,00000001,?,003746CC,00000000,?,?), ref: 002C0EB7

Part of subcall function 0027E5ED: __EH_prolog3.LIBCMT ref: 0027E5F4

Strings

Launching file:, xrefs: 002C0D62
Return code of launched file:, xrefs: 002C0E34
Launch failed. Error:, xrefs: 002C0DF6

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$CriticalErrorLastLeaveSectionSleep
String ID: Launch failed. Error:$Launching file:$Return code of launched file:
API String ID: 1660949086-1780239047
Opcode ID: 05aef13f0f0a02fc20ef4c0a47c2d7056341b9e273b121bf51cd25ac84669d9d
Instruction ID: 8b2ee61d4cc77062b931a25a947756da44ae2413ab31489adb5b8a86dd1ccbf2
Opcode Fuzzy Hash: 05aef13f0f0a02fc20ef4c0a47c2d7056341b9e273b121bf51cd25ac84669d9d
Instruction Fuzzy Hash: 734192B5910309ABDF05FBB4C896EAE7BB9AF09304F044859F041E3152DF74A669CF61

Function 002C8E7D Relevance: 7.6, APIs: 5, Instructions: 119COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 002C8E9C
CoInitialize.OLE32(00000000), ref: 002C8EAD

Part of subcall function 002C8D0D: __EH_prolog3.LIBCMT ref: 002C8D14

Part of subcall function 00234BA5: __EH_prolog3.LIBCMT ref: 00234BAC

SetEvent.KERNEL32(?,?), ref: 002C8F84
CloseHandle.KERNEL32(?,00000000), ref: 002C8FA3
CoUninitialize.OLE32(?,00000000), ref: 002C8FBE

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$CloseEventH_prolog3_catchHandleInitializeUninitialize
String ID:
API String ID: 182575154-0
Opcode ID: 959c94a26922a95e2599b1e8307a6789bbec4c70bdd5389332878cdf5e13d621
Instruction ID: 40f4b8ee4efdc8df615b4f55f11c157c3c6715e6a0e8029d4425f3876faf0bcb
Opcode Fuzzy Hash: 959c94a26922a95e2599b1e8307a6789bbec4c70bdd5389332878cdf5e13d621
Instruction Fuzzy Hash: 04419071900288EFDB11DFA4C989BDEBBB9BF08304F14859DE58597281DB75AB04CF61

Function 002D4B6A Relevance: 7.6, APIs: 5, Instructions: 118COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002D4B71

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Part of subcall function 002495D5: __EH_prolog3.LIBCMT ref: 002495DC

Part of subcall function 00282EFF: __EH_prolog3.LIBCMT ref: 00282F06

CloseHandle.KERNEL32(00000000,?,?,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000001), ref: 002D4C8E
CloseHandle.KERNEL32(00282091,?,?,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000001), ref: 002D4C9F
CloseHandle.KERNEL32(00280EDE,?,?,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000001), ref: 002D4CB0
CloseHandle.KERNEL32(?,?,?,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000001), ref: 002D4CC0

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CloseHandle$H_prolog3$char_traits
String ID:
API String ID: 1585547468-0
Opcode ID: e9efa0e6d34ba563b932a199fde021afc0eec335ea66f5798d8cfbdde6e4fcec
Instruction ID: 68aa6790f9d9a47e84af704945fe38abdd92e1efeef5b7c8aeb5778cb1b17c43
Opcode Fuzzy Hash: e9efa0e6d34ba563b932a199fde021afc0eec335ea66f5798d8cfbdde6e4fcec
Instruction Fuzzy Hash: 55417EB4411688EEDB21EB68C985BEBFBF8AF12344F14455DE0C2575A2CB706E14CF20

Function 00232232 Relevance: 7.6, APIs: 5, Instructions: 115COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 002322A5
GetWindowLongW.USER32(?,000000EB), ref: 002322CB
ShowWindow.USER32(00000000,?), ref: 002322E4
GetWindowRect.USER32(00000000,?), ref: 00232312
UnionRect.USER32(?,?,?), ref: 00232323

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Window$RectShow$LongUnion
String ID:
API String ID: 3764436756-0
Opcode ID: 2e0b0ac589ebea297dcfd54b21be16eff078bd7633f355be7ef5acf54df806a1
Instruction ID: f59c261b1a9e185d98cf76290ab3ede8a3eef8d29844141faa90f8afdf7474e8
Opcode Fuzzy Hash: 2e0b0ac589ebea297dcfd54b21be16eff078bd7633f355be7ef5acf54df806a1
Instruction Fuzzy Hash: F0415BB1514206EFC710DF25C88486ABBF9FF89314F048A5EF89987261D730E969CF92

Function 002BD154 Relevance: 7.6, APIs: 5, Instructions: 109fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,?), ref: 002BD188
GetFileSize.KERNEL32(00000000,00000000,?,?), ref: 002BD1A0
CloseHandle.KERNEL32(00000000,?,?), ref: 002BD1DC
ReadFile.KERNEL32(00000000,?,00010000,?,00000000,?,00010000,?,?), ref: 002BD21F
CloseHandle.KERNEL32(00000000,?,?), ref: 002BD29D

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: File$CloseHandle$CreateReadSize
String ID:
API String ID: 3664964396-0
Opcode ID: e4b07b92729b92cf4b0cedff1f1bca3d5f0cd0176be29ee9ee35d0e680c0d642
Instruction ID: 82bf3d2109db81df2e4dcaabbcdbb36a31179e22893b934f719a5e5d50ea130d
Opcode Fuzzy Hash: e4b07b92729b92cf4b0cedff1f1bca3d5f0cd0176be29ee9ee35d0e680c0d642
Instruction Fuzzy Hash: 60417F75D202299FCB219F68CC80BEDBBB9BB05394F5041A9E959A3252DB305E94CF50

Function 0025D95F Relevance: 7.6, APIs: 5, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0025D966

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

SendMessageW.USER32(?,00000146,00000000,00000000), ref: 0025D9D2
SendMessageW.USER32(?,00000150,?,00000000), ref: 0025D9FB
SendMessageW.USER32(?,0000014E,?,00000000), ref: 0025DA6A
SetWindowTextW.USER32(00000000), ref: 0025DA87

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: MessageSend$H_prolog3_TextWindowchar_traits
String ID:
API String ID: 3616564468-0
Opcode ID: 6a5746184695b362bba2974b507322a5303266c5e19e53611b5faa34edf4f3ce
Instruction ID: e964d4224ae73150c835d925771ef5fe180cf2c45a47a08614c918f167b8f701
Opcode Fuzzy Hash: 6a5746184695b362bba2974b507322a5303266c5e19e53611b5faa34edf4f3ce
Instruction Fuzzy Hash: CE415B70A10209EFDB15DFA4C985FEEBBB5BF08301F244159F546AB291C770AD58CB54

Function 00244E4B Relevance: 7.6, APIs: 5, Instructions: 76windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,000005FB,00000000,00000000), ref: 00244E9F
IsWindow.USER32 ref: 00244EC4
GetCursorPos.USER32 ref: 00244EF7
SetCursorPos.USER32(?,?), ref: 00244F0F
SetCursorPos.USER32(?,?), ref: 00244F17

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Cursor$MessagePostWindow
String ID:
API String ID: 3246667796-0
Opcode ID: d70160cd1903255512998c13e12a403b6355a475884c7d30f927812b876bc535
Instruction ID: 15328572ad2107da76a68461f93ffc8597224e37a113cd9c153f114dca12d68e
Opcode Fuzzy Hash: d70160cd1903255512998c13e12a403b6355a475884c7d30f927812b876bc535
Instruction Fuzzy Hash: AC216B31534102EFEB29AFB8CC49BD9BBE8FB05301F150054E8829B1A0C7B29D24DB90

Function 00299D20 Relevance: 7.6, APIs: 5, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,D7557A70,00000000,00000000,?,?,?), ref: 00299D5E
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00299D7C
GetFileSize.KERNEL32(00000000,00000000,?,?,?), ref: 00299D9C
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00299DB0

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CloseFileHandle$CreateSize
String ID:
API String ID: 4148174661-0
Opcode ID: f3454a95493d7c0d3f37fb3e9457408eb38f644f3279695d7d65d31937e27cd9
Instruction ID: 966d840efb839b682bfb184b76f5f6437c99d984693a2f39af2a66288d1430aa
Opcode Fuzzy Hash: f3454a95493d7c0d3f37fb3e9457408eb38f644f3279695d7d65d31937e27cd9
Instruction Fuzzy Hash: 53214F755087409FC725DF2AD845B8BBBE8FBC5B30F404A5EF46593290D73495058F62

Function 002340C7 Relevance: 7.6, APIs: 5, Instructions: 67timeCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002340CE

Part of subcall function 002341AD: InitializeCriticalSection.KERNEL32(003746CC,002B188E,00000000,74DEE010,Failed to extract file:,?, Error:,00000000), ref: 002341BB
Part of subcall function 002341AD: EnterCriticalSection.KERNEL32(?,002B188E,00000000,74DEE010,Failed to extract file:,?, Error:,00000000), ref: 002341C7

_clock.LIBCMT ref: 002340E5

Part of subcall function 002F78D9: GetSystemTimeAsFileTime.KERNEL32(D7557A70,00000000,?,?,?,002340EA,0000000C,00233AC5,D7557A70), ref: 002F78E5
Part of subcall function 002F78D9: __aulldiv.LIBCMT ref: 002F7916

KillTimer.USER32(?,00000001,0000000C,00233AC5,D7557A70), ref: 0023411E
SetTimer.USER32(?,00000001,00000000,00000000), ref: 00234173

Part of subcall function 00233F3E: __EH_prolog3.LIBCMT ref: 00233F45
Part of subcall function 00233F3E: LeaveCriticalSection.KERNEL32(?), ref: 00233F7C

LeaveCriticalSection.KERNEL32(?), ref: 00234187

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CriticalSection$H_prolog3LeaveTimeTimer$EnterFileInitializeKillSystem__aulldiv_clock
String ID:
API String ID: 287207125-0
Opcode ID: 5d0a40ebcbbe326981b083124fe123dd01a86477f62242066b0f75f2ac741f7b
Instruction ID: e8f7fb2d6262d2f2bb279ca1ce68dd2f101519d6c7c042990320a4816685dbf7
Opcode Fuzzy Hash: 5d0a40ebcbbe326981b083124fe123dd01a86477f62242066b0f75f2ac741f7b
Instruction Fuzzy Hash: ED2190B1A205098FDF11BF7889C67A97B75AF50340F1440E0ED99AF257C770ADA2DBA0

Function 0025DAA5 Relevance: 7.6, APIs: 5, Instructions: 64windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0025DAAC
SetTextColor.GDI32(?,00000000), ref: 0025DAEB
SetBkColor.GDI32(?,00000001), ref: 0025DB16
SendMessageW.USER32(?,00000030,?,00000001), ref: 0025DB47
CreateSolidBrush.GDI32(00000001), ref: 0025DB5A

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Color$BrushCreateH_prolog3MessageSendSolidText
String ID:
API String ID: 574452768-0
Opcode ID: fb873f00b8a8c900e4d9d206225bc44dd1350e55eb860b9d0aaae82b54bd77f9
Instruction ID: 832c62c2a4550cb3de479058359d65268902a38a327616cfd0bea3aabd4f5998
Opcode Fuzzy Hash: fb873f00b8a8c900e4d9d206225bc44dd1350e55eb860b9d0aaae82b54bd77f9
Instruction Fuzzy Hash: 60219F71A10119EFDB15DF64C988AEDBBF4FF08345F004269F91597260C7709A59CF90

Function 00311783 Relevance: 7.6, APIs: 5, Instructions: 58windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0031178A

Part of subcall function 0023338B: __EH_prolog3.LIBCMT ref: 00233392
Part of subcall function 0023338B: BeginPaint.USER32(?,?,00000000,00232604,?,?), ref: 002333AC

GetClientRect.USER32(?,?), ref: 003117B5

Part of subcall function 002332CA: __EH_prolog3.LIBCMT ref: 002332D1
Part of subcall function 002332CA: CreateCompatibleDC.GDI32(00000001), ref: 002332F9
Part of subcall function 002332CA: SelectObject.GDI32(?,?), ref: 0023331F
Part of subcall function 002332CA: SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 00233338

GetParent.USER32(00000001), ref: 003117D9
SendMessageW.USER32(00000000,00000135,?,00000001), ref: 003117EE
FillRect.USER32(?,?,00000000), ref: 003117FF

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3Rect$BeginClientCompatibleCreateFillH_prolog3_MessageObjectPaintParentSelectSendViewport
String ID:
API String ID: 3093121641-0
Opcode ID: 130ea2d52000b86efc323e33c1fd6b237506530d9ed8dc717b2d4220318d8943
Instruction ID: 219ca90ba555313f2e63f61de12d8af5b87a245bd28b1aa39e867b3aa946edc3
Opcode Fuzzy Hash: 130ea2d52000b86efc323e33c1fd6b237506530d9ed8dc717b2d4220318d8943
Instruction Fuzzy Hash: 0221C871C00209EFCF11DFE4C9859DDBBB9BF08300F5185A9E55AAB150DB31AA95DF50

Function 002F19C0 Relevance: 7.6, APIs: 5, Instructions: 56windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002F19C7
GetParent.USER32(?), ref: 002F19CF
GetDlgItem.USER32(00000000,00000461), ref: 002F19E3
GetDlgItem.USER32(00000000), ref: 002F19E6
SendMessageW.USER32(00000000,0000100C,000000FF,00000002), ref: 002F19F9

Part of subcall function 00233634: __EH_prolog3.LIBCMT ref: 0023363B

Part of subcall function 0027D016: _memset.LIBCMT ref: 0027D02D

Part of subcall function 002F1D2C: GetParent.USER32(?), ref: 002F1D2F
Part of subcall function 002F1D2C: SendMessageW.USER32(00000000,00000468,FFFFFDA5,FFFFFDA5), ref: 002F1D43

Part of subcall function 002335DE: __EH_prolog3.LIBCMT ref: 002335E5

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$ItemMessageParentSend$_memset
String ID:
API String ID: 871626909-0
Opcode ID: fbcf29b86d0fd6b84568e1e74be971091b1d510a3cdc9693c825eed6a2f56ca1
Instruction ID: b9a295e68db4bcaee643d8156989fc4c9bb4e85b3d575e69dfb0797423374a00
Opcode Fuzzy Hash: fbcf29b86d0fd6b84568e1e74be971091b1d510a3cdc9693c825eed6a2f56ca1
Instruction Fuzzy Hash: 2011467592121DEBDB11EB64CD4AF6EB678AB04390F504121F625A71E1D770DE20CA54

Function 002682ED Relevance: 7.5, APIs: 5, Instructions: 48windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002682F4

Part of subcall function 002587E5: SendMessageW.USER32(?,0000113E,00000000,?), ref: 00258813

CreatePopupMenu.USER32 ref: 0026831F

Part of subcall function 00267CC0: __EH_prolog3.LIBCMT ref: 00267CC7
Part of subcall function 00267CC0: AppendMenuW.USER32(00000000,00000020,00007531,-00000004), ref: 00267D66
Part of subcall function 00267CC0: AppendMenuW.USER32(00000000,00000000,00007532,-00000004), ref: 00267DC1

ClientToScreen.USER32(-00000168,00000000), ref: 00268345
TrackPopupMenu.USER32(00000000,00000000,00000000,?,00000000,-00000168,00000000), ref: 0026835B
DestroyMenu.USER32(00000000,?,?,?,00000090,0026744E,?,?,?,?,002673CE,?,?,?,?,?), ref: 0026836D

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Menu$AppendH_prolog3Popup$ClientCreateDestroyMessageScreenSendTrack
String ID:
API String ID: 411101008-0
Opcode ID: d84f0e4c26fdf4a152a0b4d816999092b35980eb477e0deddacca11d490a496b
Instruction ID: 1f27d384a4e55187d1d6dccfa97e4fdec4f862a9842d8ba40ae03b1ba613c811
Opcode Fuzzy Hash: d84f0e4c26fdf4a152a0b4d816999092b35980eb477e0deddacca11d490a496b
Instruction Fuzzy Hash: 1F114C36810109EFDF129FA1D849ADEBBB5EF85721F10C215F919AA260CB35CA61CF50

Function 00300B6E Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00300B7A

Part of subcall function 002F9439: __getptd_noexit.LIBCMT ref: 002F943C
Part of subcall function 002F9439: __amsg_exit.LIBCMT ref: 002F9449

__amsg_exit.LIBCMT ref: 00300B9A
__lock.LIBCMT ref: 00300BAA
InterlockedDecrement.KERNEL32(?), ref: 00300BC7
InterlockedIncrement.KERNEL32(02B72CE0), ref: 00300BF2

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 8f08eaca5c2858408dff14bf7756acc43bd6773700a0bd6720bae037ae77ae46
Instruction ID: e8f94ced5ee1b8c80a3e893d1d4fd9f8f4ab00608c0a4983d1e3f75fcdcd2aac
Opcode Fuzzy Hash: 8f08eaca5c2858408dff14bf7756acc43bd6773700a0bd6720bae037ae77ae46
Instruction Fuzzy Hash: F001C432D12715DBDB2BAB649426B6DB764BF047A4F114115E504BB2C0CB34ED91CFC1

Function 00311704 Relevance: 7.5, APIs: 5, Instructions: 41windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0031170B
GetClientRect.USER32(?,?), ref: 0031172A
GetParent.USER32(?), ref: 00311739
SendMessageW.USER32(00000000,00000135,?,?), ref: 0031174B
FillRect.USER32(?,?,00000000), ref: 00311759

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Rect$ClientFillH_prolog3MessageParentSend
String ID:
API String ID: 2219663710-0
Opcode ID: 0a39c39c9f0d73e60cc5e1620ea3ae6ea8de96ac513d6666898408f5a3feaead
Instruction ID: 2e60931530f175cbef7454660c84b5fadb8fa061d4c46c16a6c6451583ebe5e6
Opcode Fuzzy Hash: 0a39c39c9f0d73e60cc5e1620ea3ae6ea8de96ac513d6666898408f5a3feaead
Instruction Fuzzy Hash: EA012976800209EFCF169FA5C9488EEFBF9FF48310F158519EA96A7260C7349A50DF50

Function 002B9B10 Relevance: 7.5, APIs: 5, Instructions: 36synchronizationCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 002B9B13

Part of subcall function 00233684: GetCurrentProcess.KERNEL32(00000000,0000000D,00000000,00000000,0034F82C,?,0023360F,80004005,00235A87,00000000,002BE292,?,?,00000000,?), ref: 002336B8
Part of subcall function 00233684: FlushInstructionCache.KERNEL32(00000000,?,0023360F,80004005,00235A87,00000000,002BE292,?,?,00000000,?,?,?,?,002BE220), ref: 002336BF

SetLastError.KERNEL32(0000000E,00000000,?,002A3256,?,00000000,00000000,?,?,?,?,?,00000015,?,?,?), ref: 002B9B2F
DialogBoxParamW.USER32(000000D8,00000000,0024D1F7,00000000,?), ref: 002B9B53
WaitForSingleObject.KERNEL32(?,000000FF,?,002A3256,?,00000000,00000000,?,?,?,?,?,00000015,?,?,?), ref: 002B9B60
CloseHandle.KERNEL32(?,?,002A3256,?,00000000,00000000,?,?,?,?,?,00000015,?,?,?,?), ref: 002B9B69

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ActiveCacheCloseCurrentDialogErrorFlushHandleInstructionLastObjectParamProcessSingleWaitWindow
String ID:
API String ID: 3191049921-0
Opcode ID: 77d1001087d050186eba591abd39e9cfaf18cde953414f73f9a198d571e25c5a
Instruction ID: e100dfcacfad049b35844e7d5cf85e7694c87c828f58874b068eb74500e36465
Opcode Fuzzy Hash: 77d1001087d050186eba591abd39e9cfaf18cde953414f73f9a198d571e25c5a
Instruction Fuzzy Hash: 83F0B4362102106FDB125B74EC89F557A6CEB117B6F114261FE16EA1F2DBA08891DB90

Function 002613E9 Relevance: 7.5, APIs: 5, Instructions: 32windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002613F0
GetParent.USER32(?), ref: 002613FC
SendMessageW.USER32(00000000,00000138,?,?), ref: 0026140E
GetClientRect.USER32(?,00000000), ref: 0026142D
FillRect.USER32(?,00000000,00000000), ref: 0026143B

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Rect$ClientFillH_prolog3MessageParentSend
String ID:
API String ID: 2219663710-0
Opcode ID: c9ff2464a1b4e6c97e2276c505ff26179e99c0b3e53373b9f14e13f9059d84ef
Instruction ID: 85802d0060e4431a2e0670ba7aeedcbe9320164389d4fbd2535717f1e13aa937
Opcode Fuzzy Hash: c9ff2464a1b4e6c97e2276c505ff26179e99c0b3e53373b9f14e13f9059d84ef
Instruction Fuzzy Hash: 2EF06D7690060ABFDB029FE0CD4AAEEBBB8EF18301F008524F75292060CB749954DF10

Function 002E606B Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 281COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002E6075

Part of subcall function 002CB459: __EH_prolog3.LIBCMT ref: 002CB460

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Part of subcall function 002E5270: __EH_prolog3.LIBCMT ref: 002E5277

Part of subcall function 002CB24B: __EH_prolog3.LIBCMT ref: 002CB252

Part of subcall function 00231665: char_traits.LIBCPMT ref: 002316DF

Part of subcall function 002E7A2D: __EH_prolog3.LIBCMT ref: 002E7A34

Part of subcall function 002E64DC: __EH_prolog3.LIBCMT ref: 002E64E3

Part of subcall function 00282E8B: __EH_prolog3.LIBCMT ref: 00282E92

Strings

AiGlobalProgress, xrefs: 002E6099
AI_CountRowAction, xrefs: 002E63E9
AI_DefaultActionCost, xrefs: 002E6454

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$char_traits$H_prolog3_
String ID: AI_CountRowAction$AI_DefaultActionCost$AiGlobalProgress
API String ID: 2353304083-1740901879
Opcode ID: 59da5956ff0529f111d61da5720b0aad87c4c5f6da898fee65cfc655c9d9daa2
Instruction ID: 0cd25e4d000d7df297a7c96141804fa2c37708dde8dc04384268a41678d23248
Opcode Fuzzy Hash: 59da5956ff0529f111d61da5720b0aad87c4c5f6da898fee65cfc655c9d9daa2
Instruction Fuzzy Hash: 9EC13B7181125CAADB21EBA0CC9AFDDBB78AF11304F5441D8B24977092DB702F99CF61

Function 0027987A Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 182COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 002798F8
VariantClear.OLEAUT32(?), ref: 00279A75
SysFreeString.OLEAUT32(?), ref: 00279A84

Strings

`<u, xrefs: 00279A84

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ClearVariant$FreeString
String ID: `<u
API String ID: 3697210081-3367579956
Opcode ID: 514c4108951c9760243ad2e7b7c3dc831fe1097b3857120c4e7c6acc58eadc9f
Instruction ID: fddcfe11e91789bc55b308c819bb5b9d9c9c8277fa10f75af994d9621c729499
Opcode Fuzzy Hash: 514c4108951c9760243ad2e7b7c3dc831fe1097b3857120c4e7c6acc58eadc9f
Instruction Fuzzy Hash: C8617971128740CFE320DF68C885B5ABBE4EF88754F20891DF699972A1D770E998CF52

Function 0025849F Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 171COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002584A9

Part of subcall function 00231665: char_traits.LIBCPMT ref: 002316DF

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Part of subcall function 0023DEAD: __EH_prolog3.LIBCMT ref: 0023DEB4

Strings

Exact, xrefs: 0025861F
MinOnly, xrefs: 00258557
MaxOnly, xrefs: 002585BB

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: char_traits$H_prolog3H_prolog3_
String ID: Exact$MaxOnly$MinOnly
API String ID: 3208253003-799421204
Opcode ID: 3f17a63e429e4afea88beab4a820bac3fc7751d7fe7416246d3a978a4283dc67
Instruction ID: 0fbd0bc10313b12bcb190df52075741fb442eff664cab267eb720e1253c3e551
Opcode Fuzzy Hash: 3f17a63e429e4afea88beab4a820bac3fc7751d7fe7416246d3a978a4283dc67
Instruction Fuzzy Hash: B76129B1810248EEDB11EBA0CD95FEEBBB8AF51304F088199F1466B191EB701B18CF61

Function 002F4DC9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 171COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002F4DD0
_Fputc.LIBCPMT ref: 002F4F81

Strings

, xrefs: 002F4EF4

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: FputcH_prolog3_
String ID:
API String ID: 4013897487-3916222277
Opcode ID: 2f624c2c2f167cffed98fcd8959243c8798ba1d204c6232a1f933816e3859de5
Instruction ID: 977732abdbf1c4a01808d95c11d30075946e28050e11614bd159df10d630597b
Opcode Fuzzy Hash: 2f624c2c2f167cffed98fcd8959243c8798ba1d204c6232a1f933816e3859de5
Instruction Fuzzy Hash: 535165729202199FDB14EFA4C891AFFB3B5BF54740F104539F606A7681EBB0A964CF50

Function 002D972B Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 169COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002D9735

Strings

`.7, xrefs: 002D974C
Feature, xrefs: 002D97C4
ALL, xrefs: 002D976B

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3
String ID: ALL$Feature$`.7
API String ID: 431132790-3841716093
Opcode ID: b2f512f96afebbedd56ebfa3afc1f296f0678f0d8c68e1b06537280e6d2206f6
Instruction ID: 4cc6a8bd1074f9032503f23747ce11be8c2b1870ba8464e6cd5b85a713c97dd0
Opcode Fuzzy Hash: b2f512f96afebbedd56ebfa3afc1f296f0678f0d8c68e1b06537280e6d2206f6
Instruction Fuzzy Hash: B16136B5C10249EFCF11EFE4C8859EEBBB9AF05300F10816AF515A7251D730AAA5DF60

Function 00260300 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0024258A: __EH_prolog3.LIBCMT ref: 00242591

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

_wcslen.LIBCMT ref: 002604B4

Strings

<a>, xrefs: 002604AE, 002604B3
</a>, xrefs: 00260431
<a href=", xrefs: 00260366

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3_wcslenchar_traits
String ID: </a>$<a href="$<a>
API String ID: 1851516346-4210067781
Opcode ID: 8a445297557e22a93be3200294fcad0482ea6b8d6af9ee5c9e41a519ad74154d
Instruction ID: 60806d75730133527250d629bf8eb51819320e0ae6cf04bc9a40b39c115d00de
Opcode Fuzzy Hash: 8a445297557e22a93be3200294fcad0482ea6b8d6af9ee5c9e41a519ad74154d
Instruction Fuzzy Hash: 1F518BB1514385AFCB25AF10CC95EAB7BA8FF84754F000A1CF9858B1A1CB719EA4CB91

Function 00244F2A Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 157COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00244F31

Part of subcall function 0024DABE: __EH_prolog3.LIBCMT ref: 0024DAC5

Part of subcall function 002437E8: __EH_prolog3.LIBCMT ref: 002437EF

Part of subcall function 0024386D: __EH_prolog3.LIBCMT ref: 00243874

Part of subcall function 0024850A: __EH_prolog3.LIBCMT ref: 00248511

Part of subcall function 0024886B: __EH_prolog3.LIBCMT ref: 00248872

Part of subcall function 00248A33: __EH_prolog3.LIBCMT ref: 00248A3A

Part of subcall function 00251B9C: __EH_prolog3.LIBCMT ref: 00251BA3

Part of subcall function 002492F4: __EH_prolog3.LIBCMT ref: 002492FB

Part of subcall function 00250F40: __EH_prolog3.LIBCMT ref: 00250F47

Part of subcall function 002F58C8: _malloc.LIBCMT ref: 002F58E2

Strings

po3, xrefs: 00245004
to3, xrefs: 0024500B
o3, xrefs: 00244FBF

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$_malloc
String ID: o3$po3$to3
API String ID: 1683881009-1965142036
Opcode ID: 74d1e233957f0a6fb6ca73e784ea2a7c75b8dab116fc3dbeb84e70b8f827289e
Instruction ID: 990a5383c78db07142dad747beae30b522262b3473e55d48220d80b3226430ed
Opcode Fuzzy Hash: 74d1e233957f0a6fb6ca73e784ea2a7c75b8dab116fc3dbeb84e70b8f827289e
Instruction Fuzzy Hash: F8713CB0815B89EFCB12DF68C5843CABBF4BF09304F50895DE5999B242C3B4A654DFA1

Function 00288710 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 156COMMON

Download Yara Rule

APIs

_localeconv.LIBCMT ref: 00288740

Part of subcall function 002F8D28: __getptd.LIBCMT ref: 002F8D28

Part of subcall function 002F3D44: ____lc_handle_func.LIBCMT ref: 002F3D47
Part of subcall function 002F3D44: ____lc_codepage_func.LIBCMT ref: 002F3D4F

Part of subcall function 002F3B49: ____lc_handle_func.LIBCMT ref: 002F3B7D
Part of subcall function 002F3B49: ____lc_codepage_func.LIBCMT ref: 002F3B85
Part of subcall function 002F3B49: __GetLocaleForCP.LIBCPMT ref: 002F3BAE
Part of subcall function 002F3B49: ____mb_cur_max_l_func.LIBCMT ref: 002F3BC4
Part of subcall function 002F3B49: MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000002,?,00000000,00000000,00000001,?,00000000,0028AA58,00000000,?,?,?,?), ref: 002F3BE3
Part of subcall function 002F3B49: ____mb_cur_max_l_func.LIBCMT ref: 002F3BF1
Part of subcall function 002F3B49: ___pctype_func.LIBCMT ref: 002F3C16
Part of subcall function 002F3B49: ____mb_cur_max_l_func.LIBCMT ref: 002F3C3C
Part of subcall function 002F3B49: ____mb_cur_max_l_func.LIBCMT ref: 002F3C54
Part of subcall function 002F3B49: ____mb_cur_max_l_func.LIBCMT ref: 002F3C6C
Part of subcall function 002F3B49: MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,?,00000000,00000000,00000001,?,00000000,0028AA58,00000000,?,?,?,?), ref: 002F3C79

Part of subcall function 002F3B49: MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000,00000000,00000001,?,00000000,0028AA58,00000000,?,?,?,?), ref: 002F3CAA

Strings

true, xrefs: 002887A4
false, xrefs: 00288784
,, xrefs: 00288895

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ____mb_cur_max_l_func$ByteCharMultiWide$____lc_codepage_func____lc_handle_func$Locale___pctype_func__getptd_localeconv
String ID: ,$false$true
API String ID: 2736391094-760133229
Opcode ID: 3fe8c8f5d9ed1a44d55dc995a61cb8855c72c41cdca2f54192945e3bd118de24
Instruction ID: adfd7cab3fa02b370f7b8b9f9fb892a16e203aeb819ed3a427d40ca4b6f9dd60
Opcode Fuzzy Hash: 3fe8c8f5d9ed1a44d55dc995a61cb8855c72c41cdca2f54192945e3bd118de24
Instruction Fuzzy Hash: 65513CB6C10249AECB04EFE5C8819EEFBB8FF58710F04852EE615A7241E7749644CFA5

Function 002796BC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00279734

Part of subcall function 00235A6E: __EH_prolog3.LIBCMT ref: 00235A75

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Part of subcall function 002D1891: __EH_prolog3_GS.LIBCMT ref: 002D1898

VariantClear.OLEAUT32(?), ref: 00279826
SysFreeString.OLEAUT32(?), ref: 00279835

Strings

`<u, xrefs: 00279835

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ClearVariant$FreeH_prolog3H_prolog3_Stringchar_traits
String ID: `<u
API String ID: 597698024-3367579956
Opcode ID: 751c3192fcba3808efd1b9891373af0ad1202ff2afbc429b178a2c3583b6301d
Instruction ID: 2fcb2ea43ebffc1e210467cadc446f4cca63cda0838bb0cc272fd215575f86d4
Opcode Fuzzy Hash: 751c3192fcba3808efd1b9891373af0ad1202ff2afbc429b178a2c3583b6301d
Instruction Fuzzy Hash: 0E519C72428780DFC325DF28C849A5BBBE8BF85714F108A1DF199972A1DB70E919CF52

Function 00279082 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00279103

Part of subcall function 00235A6E: __EH_prolog3.LIBCMT ref: 00235A75

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Part of subcall function 0024FBA0: __EH_prolog3.LIBCMT ref: 0024FBA7

Part of subcall function 0028DD10: _wcslen.LIBCMT ref: 0028DD9F
Part of subcall function 0028DD10: _wcslen.LIBCMT ref: 0028DE54

VariantClear.OLEAUT32(?), ref: 0027921E
SysFreeString.OLEAUT32(?), ref: 00279230

Strings

`<u, xrefs: 00279230

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ClearH_prolog3Variant_wcslen$FreeStringchar_traits
String ID: `<u
API String ID: 2256938867-3367579956
Opcode ID: 65ae9f12d01efcf02fc7d84a00c96bdfd92b54be651bcfa5426983def410e1a1
Instruction ID: 361769ceccffc70bb2121bdead256755d3f9f065cc2a65c57bc8b5a0ff6214d9
Opcode Fuzzy Hash: 65ae9f12d01efcf02fc7d84a00c96bdfd92b54be651bcfa5426983def410e1a1
Instruction Fuzzy Hash: 5E516A71118381DFC725EF24C889B9BBBE8BF84714F54891DF489972A1DB30A958CB92

Function 002649A8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 137windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,?), ref: 00264A6D
SendMessageW.USER32(?,0000110A,00000001,?), ref: 00264A94
SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 00264AB2

Strings

d, xrefs: 00264AC0

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: MessageSend
String ID: d
API String ID: 3850602802-2564639436
Opcode ID: dd53e2eb702bd01e6a4b96ee6b72cb61e4ac508f4c80ac4ebced28cbb84c7efd
Instruction ID: e596f041c623d9c74b953cec18b0dee281e2427d572c433a93558c052bcefbef
Opcode Fuzzy Hash: dd53e2eb702bd01e6a4b96ee6b72cb61e4ac508f4c80ac4ebced28cbb84c7efd
Instruction Fuzzy Hash: 9B41F131A64302ABCB20EF24C880A5AB7E6FFC4714F14492DF59597290CB70EDA5CB95

Function 0024DD6F Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0024DD79

Part of subcall function 00231665: char_traits.LIBCPMT ref: 002316DF

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

PostMessageW.USER32(?,000005F5,?,00000000), ref: 0024DEFB

Strings

_BrowseProperty, xrefs: 0024DDCE, 0024DDE7, 0024DE4C
AiPredefOpen, xrefs: 0024DDC3

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: char_traits$H_prolog3_MessagePost
String ID: AiPredefOpen$_BrowseProperty
API String ID: 1876461406-2866284378
Opcode ID: 654fa4fec53247b059bd38430e4d4d82a2c737fd508ac6fb9890cc494a081264
Instruction ID: dea2a924ae0d96ccda524efc7015d9dadcf243678a4db58d5ce49be037515233
Opcode Fuzzy Hash: 654fa4fec53247b059bd38430e4d4d82a2c737fd508ac6fb9890cc494a081264
Instruction Fuzzy Hash: 23515AB1914249EFDF05DBE4C981AEDBB78AF14304F244259F111AB291DB706F64CF61

Function 0026C2D4 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 132windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002934D0: _memset.LIBCMT ref: 00293537
Part of subcall function 002934D0: _memset.LIBCMT ref: 0029358C

SendMessageW.USER32(?,0000109D,00000001,00000000), ref: 0026C460

Strings

VolumeCostOthersGroup, xrefs: 0026C3E3
VolumeCostBadGroup, xrefs: 0026C30F
VolumeCostDrivesGroup, xrefs: 0026C378

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: _memset$MessageSend
String ID: VolumeCostBadGroup$VolumeCostDrivesGroup$VolumeCostOthersGroup
API String ID: 2497471678-3834040249
Opcode ID: a9146210e6544b325465b85398245da533416e13c68012604f04bb6c9b77b282
Instruction ID: cd521536254c33661b10d84f9efee76109a8faf056c6cfbad1b8ffdb024bf76a
Opcode Fuzzy Hash: a9146210e6544b325465b85398245da533416e13c68012604f04bb6c9b77b282
Instruction Fuzzy Hash: 4A418E71128380AFD314EB24C886FABB7E8EF91714F148A4CF595972E1DBF0A554CB52

Function 002C4965 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003EF), ref: 002C4982
SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 002C4994
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 002C4AE0

Part of subcall function 00235A6E: __EH_prolog3.LIBCMT ref: 00235A75

Strings

???, xrefs: 002C4A33

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: MessageSend$H_prolog3Item
String ID: ???
API String ID: 2559409407-1053719742
Opcode ID: 68b9e9449cec031d3e1a8324c2075e26d1de8de7d4ef8e8f91739e8278c8a7dd
Instruction ID: ceed7769d14ae25f510f57d68092cd011a81d1c289b01858844b31f5713fae9d
Opcode Fuzzy Hash: 68b9e9449cec031d3e1a8324c2075e26d1de8de7d4ef8e8f91739e8278c8a7dd
Instruction Fuzzy Hash: CA419F71614302AFC310EF25C855F5BBBE8AF88714F00861EF59997291D770DA65CF92

Function 00295880 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

PathAddBackslashW.SHLWAPI(?), ref: 002958F7
_wcsnlen.LIBCMT ref: 00295909
SHGetFileInfoW.SHELL32(?,00000010,?,000002B4,00004013), ref: 00295952

Part of subcall function 0023366C: __CxxThrowException@8.LIBCMT ref: 0023367E

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/, xrefs: 00295A12

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: BackslashException@8FileInfoPathThrow_wcsnlen
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
API String ID: 2039506491-1713319389
Opcode ID: 7afefeb986c1be3a28d108f86b38820565eee76ce76341e8467a006fec6e1c86
Instruction ID: 7c7aa19ccab71d9b4216f3c017ee6369573fab523d24a2cd7538a6f448e2e742
Opcode Fuzzy Hash: 7afefeb986c1be3a28d108f86b38820565eee76ce76341e8467a006fec6e1c86
Instruction Fuzzy Hash: 76516071218B819FD325DF28D889B6AF7E9FB88720F004A1EE559C7390D775A805CF91

Function 002C58CD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

Download failed. Error:, xrefs: 002C58F0

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Message$CriticalErrorFormatH_prolog3LastLeavePostSection
String ID: Download failed. Error:
API String ID: 2226085711-1306278414
Opcode ID: a954de8022e79c4368ca2d397f8f00d81f1532125f327e3490013cadd69f8590
Instruction ID: 1f7883e3763c2e66fc9be8b4df580922abe3b222d87a605114bf3ee4dc3bc679
Opcode Fuzzy Hash: a954de8022e79c4368ca2d397f8f00d81f1532125f327e3490013cadd69f8590
Instruction Fuzzy Hash: EE41C171620A06EBDF11EF61CC85FAE7768BF04310F50462AF515970A2DB74EAB48F90

Function 00278ECA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00278F39

Part of subcall function 00235A6E: __EH_prolog3.LIBCMT ref: 00235A75

Part of subcall function 0024FBA0: __EH_prolog3.LIBCMT ref: 0024FBA7

Part of subcall function 0028DD10: _wcslen.LIBCMT ref: 0028DD9F
Part of subcall function 0028DD10: _wcslen.LIBCMT ref: 0028DE54

VariantClear.OLEAUT32(?), ref: 00279044
SysFreeString.OLEAUT32(?), ref: 00279056

Strings

`<u, xrefs: 00279056

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ClearH_prolog3Variant_wcslen$FreeString
String ID: `<u
API String ID: 1189065343-3367579956
Opcode ID: 4a77507973c7111fc90447cedc68b3a941fdb8cdcbb16892956e4b2467198eb6
Instruction ID: dc125d283588e5a10e12c3a1e39585c86e067db659df7b5752563a801f7579d0
Opcode Fuzzy Hash: 4a77507973c7111fc90447cedc68b3a941fdb8cdcbb16892956e4b2467198eb6
Instruction Fuzzy Hash: A6417B32528381DEC721EF65C849B8BBBE8BF95714F008A1DF0D9971A1DB349958CB93

Function 00268617 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,?), ref: 002686DE
SendMessageW.USER32(?,0000110A,00000001,?), ref: 0026870E
SendMessageW.USER32(FFFFFCB5,0000110A,00000009,00000000), ref: 00268732

Strings

d, xrefs: 0026871A

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: MessageSend
String ID: d
API String ID: 3850602802-2564639436
Opcode ID: 9eefaa47e679b8ff81c672c938d4140afcdc958d59865a9ac8552f019a6e1032
Instruction ID: 4924af91e88c23b386105b60bb8f7502096f58783c4e436e662cb897217a8690
Opcode Fuzzy Hash: 9eefaa47e679b8ff81c672c938d4140afcdc958d59865a9ac8552f019a6e1032
Instruction Fuzzy Hash: F9416F755283029FC711DF24C880A5AF7E9FF88354F144A2DF984A7290DB70DEA5CBA2

Function 00299E90 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00299F5A
_wcschr.LIBCMT ref: 00299F86

Strings

L27, xrefs: 00299EDE

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: _wcschr
String ID: L27
API String ID: 2691759472-3540802760
Opcode ID: 6093d9fae1317888011226a108e6563a1d5931c30dac725bceb47203c7cc7495
Instruction ID: 32a2ebfb70580b3f80ced5f0b8544a6c21f024a2a45a20d270ee9d8e6f089d70
Opcode Fuzzy Hash: 6093d9fae1317888011226a108e6563a1d5931c30dac725bceb47203c7cc7495
Instruction Fuzzy Hash: A031BE716246129FDB10DF1DCC81B2BF7D8EF54324F14052DE908C7781EB66E8658EA2

Function 0029CE00 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(?), ref: 0029CE53
FormatMessageW.KERNEL32(000013FF,00000000,?,00000000,?,00000000,00000000), ref: 0029CE6C
_wcslen.LIBCMT ref: 0029CF2E

Strings

Failed to get Windows error message [win32 error 0x, xrefs: 0029CEBE

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: FormatFreeLocalMessage_wcslen
String ID: Failed to get Windows error message [win32 error 0x
API String ID: 2211890955-3373098694
Opcode ID: 585d2904b4f0924b5832b2351686b53ca1977a5cb23c3fe637b4cd34f2c3f319
Instruction ID: 19c061d25f5deb1626fe0ff6ef498a4c8b743e836a5f6a3f05353616a532369a
Opcode Fuzzy Hash: 585d2904b4f0924b5832b2351686b53ca1977a5cb23c3fe637b4cd34f2c3f319
Instruction Fuzzy Hash: B1416BB15183419FD321EF24D981F5BBBECEB84754F10492DF08586282D774E9088FA2

Function 00270F37 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00270F3E
_wcslen.LIBCMT ref: 00270F79
_wmemcpy_s.LIBCPMT ref: 00270FB7

Strings

L27, xrefs: 00270F48

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3__wcslen_wmemcpy_s
String ID: L27
API String ID: 3674138192-3540802760
Opcode ID: efaa7a48face09bce501a3c329ad4f2484123ba6fc38f3da35e05df64b40558b
Instruction ID: e7d2b86162c9b1c2812b1eaea224fa8f0c60fb96fcb9cd3334eb464aba65a794
Opcode Fuzzy Hash: efaa7a48face09bce501a3c329ad4f2484123ba6fc38f3da35e05df64b40558b
Instruction Fuzzy Hash: 1A310471E206499BCF14EFA8C5416EDB3B9AF48350F248029E509F7282EB31CE708B65

Function 002CC812 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002CC819

Part of subcall function 0023A293: __EH_prolog3.LIBCMT ref: 0023A29A

Part of subcall function 0023DEAD: __EH_prolog3.LIBCMT ref: 0023DEB4

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Strings

`Key` = ', xrefs: 002CC830
UIText, xrefs: 002CC866
Text, xrefs: 002CC8D6

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$H_prolog3_char_traits
String ID: Text$UIText$`Key` = '
API String ID: 3359205163-4152437424
Opcode ID: 536b732989a69c3caea2313661b8bbd8a4caa8b978f1d1d594a4ad38fd6df8a1
Instruction ID: b231d795bd38ad2767d1b41b459c8dace1470dd5393bd662e64c2ebf551cde0a
Opcode Fuzzy Hash: 536b732989a69c3caea2313661b8bbd8a4caa8b978f1d1d594a4ad38fd6df8a1
Instruction Fuzzy Hash: C13117B192025CAACB01EBE4DC86FDEB7B8AF15700F144169F545BB282DB706A19CF51

Function 002CC6E5 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002CC6EC

Part of subcall function 002CE2A3: __EH_prolog3.LIBCMT ref: 002CE2C2
Part of subcall function 002CE2A3: __itow_s.LIBCMT ref: 002CE2DC

Part of subcall function 0023A293: __EH_prolog3.LIBCMT ref: 0023A29A

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Strings

Error = , xrefs: 002CC717
Message, xrefs: 002CC7A8
Error, xrefs: 002CC735

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$H_prolog3___itow_schar_traits
String ID: Error$Error = $Message
API String ID: 273429427-1238453267
Opcode ID: 2be5a17b7c9ec82f824c5b2ed7e571deb2823c9e13c5843a4856f7e4eb0b9ea7
Instruction ID: 0e458c9add7d6d6f919f059b7ec2ca88999c59ae97c04dc547364a137c970eaa
Opcode Fuzzy Hash: 2be5a17b7c9ec82f824c5b2ed7e571deb2823c9e13c5843a4856f7e4eb0b9ea7
Instruction Fuzzy Hash: A83146B1D2021CAACF01EBE4DC86BEDB779AF15304F144169F5057B282CB706A29CF90

Function 0025D746 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0025D74D
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0025D765

Part of subcall function 002506BA: __EH_prolog3_GS.LIBCMT ref: 002506C1

SendMessageW.USER32(?,00000151,00000000,?), ref: 0025D82F

Strings

T, xrefs: 0025D85B

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3_MessageSend
String ID: T
API String ID: 591282594-3187964512
Opcode ID: 6bae169038bb8e3703ea0d3539ec6b506877bde644bd4c5cd1f48c74301c46c7
Instruction ID: 4c6853f7344df7c4fdfe207b8b6d181d18d63bd7bb269572a88d0e36f0438959
Opcode Fuzzy Hash: 6bae169038bb8e3703ea0d3539ec6b506877bde644bd4c5cd1f48c74301c46c7
Instruction Fuzzy Hash: 48414D35A10209EFDB14DFA4C889BDCF7B5FF04305F108119E515AB290CBB1AA59CF95

Function 002A484C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

Part of subcall function 002A55FF: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000001), ref: 002A562F

Part of subcall function 00298260: GetTempPathW.KERNEL32 ref: 002982AE

Part of subcall function 0027D853: _wcsrchr.LIBCMT ref: 0027D85A

Part of subcall function 00272524: __EH_prolog3.LIBCMT ref: 0027252B

Part of subcall function 0027D894: _wcsnlen.LIBCMT ref: 0027D8C5

Part of subcall function 002335DE: __EH_prolog3.LIBCMT ref: 002335E5

GetFileAttributesW.KERNEL32(?,?,00000000,00000000,?,0000005C,?,000000DC,?,00000003), ref: 002A4893
SetFileAttributesW.KERNEL32(?,00000080), ref: 002A48A6

Part of subcall function 00233634: __EH_prolog3.LIBCMT ref: 0023363B

Part of subcall function 002AB724: _memset.LIBCMT ref: 002AB73D
Part of subcall function 002AB724: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,0000000C,00000000,00000000,00000044,?,?,?,00000000), ref: 002AB791

CopyFileW.KERNEL32(00000000,?,00000000), ref: 002A48B4

Strings

"%s" %s, xrefs: 002A48F3

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: File$H_prolog3$Attributes$CopyCreateModuleNamePathProcessTemp_memset_wcsnlen_wcsrchr
String ID: "%s" %s
API String ID: 967803995-1070868581
Opcode ID: 24d95cd812892708c204e7204303f5f0832093b1def63c973546d73aeab9164b
Instruction ID: 03047074efd344f29c7b5fb886730be06f55b2da029df50b541a2f252c9dccbd
Opcode Fuzzy Hash: 24d95cd812892708c204e7204303f5f0832093b1def63c973546d73aeab9164b
Instruction Fuzzy Hash: 38314B75A10118BBCB01FFA4DC86EDEB7BCAF09700F5001A1F512A3062DB75AB258B90

Function 002ADB76 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00235A6E: __EH_prolog3.LIBCMT ref: 00235A75

Part of subcall function 00298DF0: GetTempPathW.KERNEL32(00000104,?,?), ref: 00298E14

Part of subcall function 002335DE: __EH_prolog3.LIBCMT ref: 002335E5

CopyFileW.KERNEL32(?,?,00000000,?,upd,?,?), ref: 002ADBC1

Part of subcall function 00298050: FormatMessageW.KERNEL32 ref: 00298096
Part of subcall function 00298050: GetLastError.KERNEL32 ref: 002980A0

Part of subcall function 002B187C: LeaveCriticalSection.KERNEL32(?,00000000,0033E304,003746CC,00000000,74DEE010,Failed to extract file:,?, Error:,00000000), ref: 002B18FB

Strings

upd, xrefs: 002ADB84
Downloading of updates failed. Error:, xrefs: 002ADC31
Tv4, xrefs: 002ADBDF

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$CopyCriticalErrorFileFormatLastLeaveMessagePathSectionTemp
String ID: Downloading of updates failed. Error:$Tv4$upd
API String ID: 21240099-2883466849
Opcode ID: 6bf378cd3707d1cfa88d3d9e1119cd8ab972444d9ab9d6cea8968ef741db3ca3
Instruction ID: f88fe40d929a99fe6a883805c3c4fae0e8fc564fb98d4995cd4ad714730a1508
Opcode Fuzzy Hash: 6bf378cd3707d1cfa88d3d9e1119cd8ab972444d9ab9d6cea8968ef741db3ca3
Instruction Fuzzy Hash: 7321C375A60605ABCB10FBA4C886BDD73B99F05300F844465F505AB0A2DF70AF69CF60

Function 002D9A68 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 80COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002D9A6F

Part of subcall function 0023DF4F: _wcslen.LIBCMT ref: 0023DF54

Part of subcall function 002F58C8: _malloc.LIBCMT ref: 002F58E2

Part of subcall function 002E50B1: __EH_prolog3_GS.LIBCMT ref: 002E50BB

Strings

AiGlobalProgress, xrefs: 002D9A79
AiInstallDataLog, xrefs: 002D9B32
AiInstallTextLog, xrefs: 002D9B13

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3H_prolog3__malloc_wcslen
String ID: AiGlobalProgress$AiInstallDataLog$AiInstallTextLog
API String ID: 1712041456-2145378038
Opcode ID: c570e47726e5763786e76843814ad0d21edd31ff06b9661f02586c19f221f4c0
Instruction ID: bdc4df3c9f74fcf3676803e50f84620432a2b0ac79c9180c069a3c22cd90fa5f
Opcode Fuzzy Hash: c570e47726e5763786e76843814ad0d21edd31ff06b9661f02586c19f221f4c0
Instruction Fuzzy Hash: EF21FB356246118BCB11EF28E485659B7E0AF06734F29819BFC495F386CB75DCA1CF50

Function 0027169C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 002716B5
VariantCopy.OLEAUT32(?), ref: 002716FC
SysFreeString.OLEAUT32(?), ref: 00271753

Strings

`<u, xrefs: 00271753

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CopyFreeH_prolog3_catchStringVariant
String ID: `<u
API String ID: 2410776249-3367579956
Opcode ID: dfe83a50631280fea7feb1ca97610999b41dc8b04e46320cc4adf526979d71c7
Instruction ID: 7e74fd58b97865f834973d0862169a15da0bf6d29fd65dcbbd2d0c1243649ff6
Opcode Fuzzy Hash: dfe83a50631280fea7feb1ca97610999b41dc8b04e46320cc4adf526979d71c7
Instruction Fuzzy Hash: 4F313C71D2524CEBDF10EFA8DD85ADEBBB9BB04300F10857AF609A7241DB749A14DB50

Function 002DD77B Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 72COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002DD782

Part of subcall function 0028F580: __wcsnicmp.LIBCMT ref: 0028F5DF

Strings

ftp://, xrefs: 002DD7DB
http://, xrefs: 002DD789
https://, xrefs: 002DD7B3

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3__wcsnicmp
String ID: ftp://$http://$https://
API String ID: 1790924198-2804853444
Opcode ID: 3a06b9eddb1700c9eefbf99ee680f368fa688e9e78ab1f721c9cf34918241b46
Instruction ID: 897a2fa24fad0912e5c74d180088004cd32ed948a54e9e72dc0c9b725b3860cc
Opcode Fuzzy Hash: 3a06b9eddb1700c9eefbf99ee680f368fa688e9e78ab1f721c9cf34918241b46
Instruction Fuzzy Hash: D521A0B581031EAACB05EF94D945AEEBB74AF15324F144259E865272C1CBB01F59CB90

Function 002C197F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 002C5F21: GetDlgItem.USER32(?,0000041C), ref: 002C5F46
Part of subcall function 002C5F21: SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 002C5F63

GetDlgCtrlID.USER32(?), ref: 002C19EB
SetBkMode.GDI32(?,00000001), ref: 002C1A07
GetStockObject.GDI32(00000005), ref: 002C1A0F

Strings

N, xrefs: 002C19AD

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CtrlItemMessageModeObjectSendStock
String ID: N
API String ID: 2923990603-1130791706
Opcode ID: f6e25608465d28ba1ebb6a526a3cfcf1b08e875533b5c5a4ad1dae2b40f213e8
Instruction ID: bb5a22e48d2a5fc4049312f0fb31f0c318edee97b305ca323aa92fb6685c8418
Opcode Fuzzy Hash: f6e25608465d28ba1ebb6a526a3cfcf1b08e875533b5c5a4ad1dae2b40f213e8
Instruction Fuzzy Hash: FB215E70520609EFEB229F26CC89FAA77E5EF46311F10452DE112961A1D374D8B1DF11

Function 002C5C2F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 002C5F21: GetDlgItem.USER32(?,0000041C), ref: 002C5F46
Part of subcall function 002C5F21: SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 002C5F63

GetDlgCtrlID.USER32(00000000), ref: 002C5C9B
SetBkMode.GDI32(?,00000001), ref: 002C5CB7
GetStockObject.GDI32(00000005), ref: 002C5CBF

Strings

N, xrefs: 002C5C5D

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CtrlItemMessageModeObjectSendStock
String ID: N
API String ID: 2923990603-1130791706
Opcode ID: 71db117671668951d2169e39f690d9697680bdc73aece2bf080bf3723cc64a47
Instruction ID: 165b3586a54cb620d5f812c8eab8f2543e315316b3dfcfaab1a8b9219e8a6376
Opcode Fuzzy Hash: 71db117671668951d2169e39f690d9697680bdc73aece2bf080bf3723cc64a47
Instruction Fuzzy Hash: AE216F70520F29EFEB228F66C884FAA7BE5EB45311F10462EE112C6160D774EAE0DF11

Function 002C8156 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

Strings

Solutions.list, xrefs: 002C81C4
-o enumsolutions, xrefs: 002C81A3

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CreateDirectoryH_prolog3PathTemp
String ID: -o enumsolutions$Solutions.list
API String ID: 2270001860-1495771650
Opcode ID: 904787e530b8a8cf1cc36c797b28340ad473c2b6702d21ba5abc1713bc388f3b
Instruction ID: ef1df856c8c9c5de83acefc1ff342da061969d1917faac7a5a33717a5236cbdb
Opcode Fuzzy Hash: 904787e530b8a8cf1cc36c797b28340ad473c2b6702d21ba5abc1713bc388f3b
Instruction Fuzzy Hash: 15113771960109FFCB02EBA0D886EDDBBB9AF10360F108165F408A6061DF719BA6AF50

Function 002E4620 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002E4627

Part of subcall function 002E16D2: __EH_prolog3.LIBCMT ref: 002E16D9

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Strings

REMOVE, xrefs: 002E469B
ALL, xrefs: 002E4669
InstallUISequence, xrefs: 002E4644

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$char_traits
String ID: ALL$InstallUISequence$REMOVE
API String ID: 3598086826-1347810215
Opcode ID: 220f57aabb2aae8a5d6952b2f68b5ccc76070456d3eddbe7cf9e5045e6f78847
Instruction ID: 9f70d917f3069666768607b9caa851d67be88d927c5a2f0005381d4f21c22f78
Opcode Fuzzy Hash: 220f57aabb2aae8a5d6952b2f68b5ccc76070456d3eddbe7cf9e5045e6f78847
Instruction Fuzzy Hash: 48218CB5410688EADB12EBA0C916FDEBBF4EF55310F54404CF5512B281CBB02B59CF61

Function 002580B6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 002580C0
GetMessagePos.USER32 ref: 002580DF
ScreenToClient.USER32(?,?), ref: 00258104

Part of subcall function 002588E7: SendMessageW.USER32(?,00001111,00000000,?), ref: 00258912

Strings

@, xrefs: 00258121

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Message$ClientH_prolog3_catch_ScreenSend
String ID: @
API String ID: 1750232797-2766056989
Opcode ID: 43981438d22e8347031c16a8f684f026c1157a06f9c59c54319109925582e13e
Instruction ID: 493182818b220d03bc459e9f03a11f317578c8ee34f3936692415e2907d6167a
Opcode Fuzzy Hash: 43981438d22e8347031c16a8f684f026c1157a06f9c59c54319109925582e13e
Instruction Fuzzy Hash: D8117F328206098BDB20DFB4C94479CBBB1BF04315F208629E855F7292CFB19D2A8F14

Function 002B610F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,002B5FDA,?,?,?,00000000,?,00000000,?), ref: 002B611F

Part of subcall function 0024EF01: CloseHandle.KERNEL32(00000000,002B19F6), ref: 0024EF0C

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,002B5FDA,?,?,?,00000000,?,00000000,?), ref: 002B6132
GetLastError.KERNEL32(?,?,00000000,?,00000000,?), ref: 002B6178

Strings

AdvancedInstaller, xrefs: 002B6160

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CreateEvent$CloseErrorHandleLast
String ID: AdvancedInstaller
API String ID: 503765110-1372594473
Opcode ID: 03efabfcf5503ab2ab4471e2455bc1187c6d444a1b37918b079bc13a2f258849
Instruction ID: 0afc7b50c56c6541d4422f6d00b9613d0bf35664d8892ff1644eb4d502d662f9
Opcode Fuzzy Hash: 03efabfcf5503ab2ab4471e2455bc1187c6d444a1b37918b079bc13a2f258849
Instruction Fuzzy Hash: 34014F71624304AEEB10AF759C4DFB777ADEB447A0F010821FE05D7241DB74AD558A60

Function 002AA243 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48registrylibraryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32(80000001,Software\Caphyon\Setups,?), ref: 002AA261

Part of subcall function 0024D307: __EH_prolog3.LIBCMT ref: 0024D30E

Part of subcall function 002AB18D: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,000000C8,?,00000000,?,00000000,00000000,?), ref: 002AB1D1

LoadLibraryExW.KERNEL32(?,00000000,00000001,?,?,?,?), ref: 002AA293

Part of subcall function 002AA56F: InterlockedExchange.KERNEL32(00373270,00000000), ref: 002AA588
Part of subcall function 002AA56F: FreeLibrary.KERNEL32(?,?,?,?,002AA691,?,?,?,?,?,?,002A4079,00000009,?,000000DC,?), ref: 002AA593
Part of subcall function 002AA56F: InterlockedExchange.KERNEL32(00373270,00000009), ref: 002AA5A2

RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 002AA2BA

Strings

Software\Caphyon\Setups, xrefs: 002AA24F

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ExchangeInterlockedLibrary$CloseFreeH_prolog3LoadOpenQueryValue
String ID: Software\Caphyon\Setups
API String ID: 2374180122-2348175745
Opcode ID: 3bde2a527ad29cbf5c13aba3e7d4c891c3cb60d4e1e584dbdae69a0cdfd17b50
Instruction ID: eafc080a9a2a8a8622bfc2a5d8c0c3fe44898b2f0878f481c4f4ed93e8a0f597
Opcode Fuzzy Hash: 3bde2a527ad29cbf5c13aba3e7d4c891c3cb60d4e1e584dbdae69a0cdfd17b50
Instruction Fuzzy Hash: 1001E5B2D10209BBDB01AFD4DC86AEDB77CEF05341F5040A5F912A2055DB355A24CE51

Function 0025142B Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 47COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00251432

Part of subcall function 00234F03: _wcslen.LIBCMT ref: 00234F0A

Part of subcall function 0023A293: __EH_prolog3.LIBCMT ref: 0023A29A

Part of subcall function 0023DEAD: __EH_prolog3.LIBCMT ref: 0023DEB4

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Strings

Control, xrefs: 0025143F
`Dialog_` = ', xrefs: 0025144F
Y3, xrefs: 00251494

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$H_prolog3__wcslenchar_traits
String ID: Control$`Dialog_` = '$Y3
API String ID: 1893968492-3700286900
Opcode ID: ee41c1d89e82b4ed893bf31cf5ec68130402a97a360d99850b25d40631763f1e
Instruction ID: ad1a8419a1d9c2d3727b1c9561d788733409bbbaf5d9a92505f71b8eaf3c9e1c
Opcode Fuzzy Hash: ee41c1d89e82b4ed893bf31cf5ec68130402a97a360d99850b25d40631763f1e
Instruction Fuzzy Hash: A90192B095020CAADB12EBE4CC82EEEBBB8AF14350F548569F155B7281C6705E14CBB1

Function 002514B8 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 47COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002514BF

Part of subcall function 00234F03: _wcslen.LIBCMT ref: 00234F0A

Part of subcall function 0023A293: __EH_prolog3.LIBCMT ref: 0023A29A

Part of subcall function 0023DEAD: __EH_prolog3.LIBCMT ref: 0023DEB4

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Strings

AI_ControlEx, xrefs: 002514CC
Y3, xrefs: 00251521
`Dialog_` = ', xrefs: 002514DC

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$H_prolog3__wcslenchar_traits
String ID: AI_ControlEx$`Dialog_` = '$Y3
API String ID: 1893968492-3857169976
Opcode ID: cda262072499f4fae75af12094cd02b27da0a775aa2eda04eecb6e9c75d28ef7
Instruction ID: ea4087e9453e07c955274acf83541d7d8ce9f36929fa39bce4e73ea4642b3690
Opcode Fuzzy Hash: cda262072499f4fae75af12094cd02b27da0a775aa2eda04eecb6e9c75d28ef7
Instruction Fuzzy Hash: 370192B095020CAADB12EBE4C882DEEBB7CAF14350F548569F156B7282CA705E14CBA1

Function 00279ACB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00279AD2

Part of subcall function 00283570: __ltow_s.LIBCMT ref: 002835BD
Part of subcall function 00283570: _wcslen.LIBCMT ref: 002835DB

VariantClear.OLEAUT32(?), ref: 00279B3C
SysFreeString.OLEAUT32(?), ref: 00279B49

Strings

`<u, xrefs: 00279B49

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ClearFreeH_prolog3StringVariant__ltow_s_wcslen
String ID: `<u
API String ID: 4059528181-3367579956
Opcode ID: e01520f46f1dbc0a399330d1b69f81f5dab7d52d731ae6e29dcbdd21269b0bf6
Instruction ID: 33e6fbedb3b3696980218f28cb721c8eb4f7b2cf740ad0d4bb08e3312c4b6414
Opcode Fuzzy Hash: e01520f46f1dbc0a399330d1b69f81f5dab7d52d731ae6e29dcbdd21269b0bf6
Instruction Fuzzy Hash: 1201D232920208DADF11EBA4ED4AA9CBBB8FF50300F208015F145AB1A2CB709E64DF10

Function 002FCD33 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 002FCD46

Part of subcall function 002FCCA1: ___BuildCatchObjectHelper.LIBCMT ref: 002FCCD7

_UnwindNestedFrames.LIBCMT ref: 002FCD5D
___FrameUnwindToState.LIBCMT ref: 002FCD6B

Strings

csm, xrefs: 002FCD42, 002FCD57, 002FCD6A, 002FCD88, 002FCD98

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm
API String ID: 2163707966-1018135373
Opcode ID: aae3f32ad8ccfe59daac0685551b08edf8197154abcb4eb8bbcde58ee6bce31d
Instruction ID: f8c25337e65e60ee09982ddf2d5d422e7d89bd3c7187cb40f0df71d5d4fe3888
Opcode Fuzzy Hash: aae3f32ad8ccfe59daac0685551b08edf8197154abcb4eb8bbcde58ee6bce31d
Instruction Fuzzy Hash: FD01EF7102010EBBDF166E51CE45EBEBF6AEF08390F244120FE1915561E77299B1EFA1

Function 002D5314 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002D531B

Part of subcall function 002D2173: __EH_prolog3.LIBCMT ref: 002D217A

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

CreateEventW.KERNEL32(00000000,00000001,00000001,?,00000001,00000000,_ddlg_evt,0000003C,002D4B5C,?,?,?,00000000,00281C41,?,0033E2B0), ref: 002D5361
SetEvent.KERNEL32(?), ref: 002D5378

Strings

_ddlg_evt, xrefs: 002D5322

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Event$CreateH_prolog3H_prolog3_char_traits
String ID: _ddlg_evt
API String ID: 260751409-3353429416
Opcode ID: c0bfe260bef2e63713fa593da070839149d55783dfd287bbb57028859d99e5b5
Instruction ID: a46ef49ed603a629cd817a2c4b219958a527d64fd1c6c25747a43f5eb44f4a90
Opcode Fuzzy Hash: c0bfe260bef2e63713fa593da070839149d55783dfd287bbb57028859d99e5b5
Instruction Fuzzy Hash: 8B017171C1011DDFEB01EBA4CC86BEDB778EF00394F144155E65177191CBB06E1A8BA0

Function 00309B41 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,002FBEC8), ref: 00309B46
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00309B56

Strings

IsProcessorFeaturePresent, xrefs: 00309B50
KERNEL32, xrefs: 00309B41

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: d622e7dfff7c140171b3722f478682c39fc7687db5b7e33b9236bec2ffb9c2b4
Instruction ID: a089e583415c654656d66dda7e3d74faeefa35358089100cc9bc879640064bf5
Opcode Fuzzy Hash: d622e7dfff7c140171b3722f478682c39fc7687db5b7e33b9236bec2ffb9c2b4
Instruction Fuzzy Hash: 45F03030A05A09E2DF021BA1BC5E7AE7B7CBB80752F824490E192E00C5DFB081B4D256

Function 002645FA Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00264604
GetMessagePos.USER32 ref: 00264612
ScreenToClient.USER32(?,?), ref: 00264637

Part of subcall function 002588E7: SendMessageW.USER32(?,00001111,00000000,?), ref: 00258912

Part of subcall function 00264588: SendMessageW.USER32(?,00000464,00000000,00000000), ref: 002645F0

Strings

@, xrefs: 00264654

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Message$Send$ClientH_prolog3_catch_Screen
String ID: @
API String ID: 1576738753-2766056989
Opcode ID: 85781615103fbeecf8ec2ac9109c07fa248432cb1516d0f93327345998b5361c
Instruction ID: 7638455e37b4b26724a0620054f37f4b4390e1b7f328f76a53e23d7d20aa08f7
Opcode Fuzzy Hash: 85781615103fbeecf8ec2ac9109c07fa248432cb1516d0f93327345998b5361c
Instruction Fuzzy Hash: B9014671D1421D9BEF25EFB4C9857ECBBB4AF08301F704269A990A3192CB714A548F41

Function 0027221F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00272226

Part of subcall function 002434C7: __EH_prolog3.LIBCMT ref: 002434CE

SendMessageW.USER32(00000000), ref: 00272268
VariantClear.OLEAUT32(?), ref: 00272275

Strings

MsiPropertyChanged, xrefs: 00272258

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$ClearMessageSendVariant
String ID: MsiPropertyChanged
API String ID: 2902236036-1228265352
Opcode ID: 0c4d0072f589be2ccb4609d5efe3244588bf46258812b8fd6fdd71d4a017bf9a
Instruction ID: f58a8c513c776a68082e9ed179b51601bf0a3bf69ae5d61367cf38b7df65d096
Opcode Fuzzy Hash: 0c4d0072f589be2ccb4609d5efe3244588bf46258812b8fd6fdd71d4a017bf9a
Instruction Fuzzy Hash: 3FF02B72E101149FCB109F94CD4969E7778AF01321F158010F949A7291C734DD19CBD0

Function 00254EBF Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

Part of subcall function 0024317D: __EH_prolog3.LIBCMT ref: 00243184

Part of subcall function 0027D7AA: __EH_prolog3.LIBCMT ref: 0027D7B1
Part of subcall function 0027D7AA: SystemParametersInfoW.USER32(00000042,0000000C,?,00000000), ref: 0027D7D9

__EH_prolog3.LIBCMT ref: 00254F1A

Part of subcall function 0024FBA0: __EH_prolog3.LIBCMT ref: 0024FBA7

Part of subcall function 0028DD10: _wcslen.LIBCMT ref: 0028DD9F
Part of subcall function 0028DD10: _wcslen.LIBCMT ref: 0028DE54

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Part of subcall function 0023459C: __EH_prolog3.LIBCMT ref: 002345A3

Part of subcall function 0027C32B: __EH_prolog3.LIBCMT ref: 0027C332

DeleteObject.GDI32(00000000), ref: 00255016
GetWindowLongW.USER32(?,000000EC), ref: 0025505E
GetClientRect.USER32(?,?), ref: 00255154

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$_wcslen$ClientDeleteInfoLongObjectParametersRectSystemWindowchar_traits
String ID:
API String ID: 1216546689-0
Opcode ID: 9919784ed43a0453c0b8b5fe4c6ab9b5eea83fd48c012bd5ca06e6c2dec7f685
Instruction ID: c52d5d0dff30e6063935a7b89eb4d7309756155a2149636943b2794b0a4c0828
Opcode Fuzzy Hash: 9919784ed43a0453c0b8b5fe4c6ab9b5eea83fd48c012bd5ca06e6c2dec7f685
Instruction Fuzzy Hash: 86A1FF31920658EFDF15EF64C894BDD7BA4AF09301F1480A8FD05AB292DB71EE58CB90

Function 0028CA50 Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

std::_String_base::_Xlen.LIBCPMT ref: 0028CAE0

Part of subcall function 002F34E0: __EH_prolog3.LIBCMT ref: 002F34E7
Part of subcall function 002F34E0: __CxxThrowException@8.LIBCMT ref: 002F3512

std::_String_base::_Xlen.LIBCPMT ref: 0028CAF6
std::_String_base::_Xlen.LIBCPMT ref: 0028CB60
std::_String_base::_Xlen.LIBCPMT ref: 0028CB71

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: String_base::_Xlenstd::_$Exception@8H_prolog3Throw
String ID:
API String ID: 1336181293-0
Opcode ID: e56998aefb5e2e2d72b8973aad0a06fc581f0643b7ca5b6230c206825c7c90ac
Instruction ID: 77f172c297b896d235114b9d7b80b58875ccf50918c2cb55c0647e1391fd9bb6
Opcode Fuzzy Hash: e56998aefb5e2e2d72b8973aad0a06fc581f0643b7ca5b6230c206825c7c90ac
Instruction Fuzzy Hash: 0E519134222E058AC734FF24D58162AB3F6EF947547310A2DE1A68B6D1DB30A96887B5

Function 002845F0 Relevance: 6.1, APIs: 4, Instructions: 143COMMON

Download Yara Rule

APIs

std::_String_base::_Xlen.LIBCPMT ref: 00284655
std::_String_base::_Xlen.LIBCPMT ref: 00284670
_memmove_s.LIBCMT ref: 002846FA
_memcpy_s.LIBCMT ref: 0028471A

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: String_base::_Xlenstd::_$_memcpy_s_memmove_s
String ID:
API String ID: 946766286-0
Opcode ID: d712d8c1daf59a5c8db1e857c9c0091a295b4bdec585f7c66882b582bfb7c19d
Instruction ID: fa048ad0a6929ffb903053d38e7776797de56601c4c88e4d7fa74abab31c3904
Opcode Fuzzy Hash: d712d8c1daf59a5c8db1e857c9c0091a295b4bdec585f7c66882b582bfb7c19d
Instruction Fuzzy Hash: 2C41BA357256164B8724FF18D8C096BF3EEFFD2311720462DE152C7695E730E8658BA1

Function 002EDFE7 Relevance: 6.1, APIs: 4, Instructions: 141COMMON

Download Yara Rule

APIs

std::tr1::_Xbad.LIBCPMT ref: 002EE026

Part of subcall function 002F52F9: __CxxThrowException@8.LIBCMT ref: 002F5315

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Exception@8ThrowXbadstd::tr1::_
String ID:
API String ID: 198843936-0
Opcode ID: 68a5ca6ae9381838a0e88be27136c76e6bfb4be9c0d9751f4ab0d5363a9bfd55
Instruction ID: c2cd5be246e35d3d1b13df6920d56527e2cc839638db3c8f13b7d55f4ca21989
Opcode Fuzzy Hash: 68a5ca6ae9381838a0e88be27136c76e6bfb4be9c0d9751f4ab0d5363a9bfd55
Instruction Fuzzy Hash: 9641F3707F0BD24ACD34AE17C89273A62945F12B40FE6041EF21B9E982C7B59CF18A47

Function 002410C7 Relevance: 6.1, APIs: 4, Instructions: 131COMMON

Download Yara Rule

APIs

IsRectEmpty.USER32(?), ref: 002411D8
CreateRectRgn.GDI32(?,?,?,?), ref: 0024120C
SelectClipRgn.GDI32(?,00000000), ref: 00241221
DeleteObject.GDI32(00000000), ref: 00241231

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Rect$ClipCreateDeleteEmptyObjectSelect
String ID:
API String ID: 2693651733-0
Opcode ID: 7d1fbadeea1021940fa7cfe074fdd727b13525809b69477282c12ca85851e5a2
Instruction ID: 2f2585db476fe48b1c87f870007395f39b6cade1b81d33dbb1aed6ebf23dd42a
Opcode Fuzzy Hash: 7d1fbadeea1021940fa7cfe074fdd727b13525809b69477282c12ca85851e5a2
Instruction Fuzzy Hash: 6A516F71614746AFD728CF24C880BAABBE9FF48350F040A2EF599D7150D771A9A4CF92

Function 003112E6 Relevance: 6.1, APIs: 4, Instructions: 126windowCOMMON

Download Yara Rule

APIs

SetCapture.USER32(?,?,00000000,00000001,?,?,?,002C8A02,00000204,?), ref: 003112F6
PtInRect.USER32(?,?,?), ref: 00311344
GetFocus.USER32 ref: 0031140F
SetFocus.USER32(?,?,00000000,00000001,?,?,?,002C8A02,00000204,?), ref: 0031141A

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Focus$CaptureRect
String ID:
API String ID: 2471391044-0
Opcode ID: 5c03153e85ebc9c6d52a27f3a00777ab6ae75d4dac6310935b2baeb54f603891
Instruction ID: a01bf47059d11eed116f620e1b20f54119cb1bc6f4ccdbf4441c7aebef46773a
Opcode Fuzzy Hash: 5c03153e85ebc9c6d52a27f3a00777ab6ae75d4dac6310935b2baeb54f603891
Instruction Fuzzy Hash: B0411834A002049FCB1ADF65D484AEDBBF5EF4C740F214459EA16EB655D771DD80CB90

Function 00295D00 Relevance: 6.1, APIs: 4, Instructions: 126COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000,D7557A70,00000000,?,?,00000000), ref: 00295D53
_strlen.LIBCMT ref: 00295D76
WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,00000000,00000000,00000000), ref: 00295DCD
_strlen.LIBCMT ref: 00295E62

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ByteCharMultiWide_strlen
String ID:
API String ID: 550581524-0
Opcode ID: 2805972a3bd3966877fe1a4419839b6d4d78ffd7ed86150a3e74a8bc1dec1390
Instruction ID: 6cedd51610b9df1595d5180220a6dfcc0eacb1eaa93239e1aed4596a0f93f1fa
Opcode Fuzzy Hash: 2805972a3bd3966877fe1a4419839b6d4d78ffd7ed86150a3e74a8bc1dec1390
Instruction Fuzzy Hash: C6419F71218B10ABD721EF65CC85B6BBBE8EBC9B58F00091CF58187341D7B5E9548BA2

Function 002F1B33 Relevance: 6.1, APIs: 4, Instructions: 121COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002F1B3D

Part of subcall function 0028D930: PathFileExistsW.SHLWAPI(-00000004,D7557A70,?,?,?,00000000), ref: 0028D9B8

Part of subcall function 0028DD10: _wcslen.LIBCMT ref: 0028DD9F
Part of subcall function 0028DD10: _wcslen.LIBCMT ref: 0028DE54

Part of subcall function 0023459C: __EH_prolog3.LIBCMT ref: 002345A3

Part of subcall function 002F17EF: __EH_prolog3.LIBCMT ref: 002F17F6

SetLastError.KERNEL32(0000000E,00000000,00000001,00000000,00000000,00000000,000000FF,?,?,?,?,?), ref: 002F1C41

Part of subcall function 0024D23E: __EH_prolog3.LIBCMT ref: 0024D245
Part of subcall function 0024D23E: GetCurrentThreadId.KERNEL32 ref: 0024D257
Part of subcall function 0024D23E: EnterCriticalSection.KERNEL32(003732A4), ref: 0024D271

GetOpenFileNameW.COMDLG32(?,?,00000000,00000001,00000000,00000000,00000000,000000FF,?,?,?,?,?), ref: 002F1CB1
GetSaveFileNameW.COMDLG32(?,?,00000000,00000001,00000000,00000000,00000000,000000FF,?,?,?,?,?), ref: 002F1CB9

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: FileH_prolog3$Name_wcslen$CriticalCurrentEnterErrorExistsH_prolog3_LastOpenPathSaveSectionThread
String ID:
API String ID: 1675285612-0
Opcode ID: 5a2bbc2c3f93f1f31122d5f403ce0b842991c4b5b4971119be4ef785cfe5a77d
Instruction ID: 75dd46923f8db76b63d02a78fbb657af8a09c3f849c362d26303ad62034873b7
Opcode Fuzzy Hash: 5a2bbc2c3f93f1f31122d5f403ce0b842991c4b5b4971119be4ef785cfe5a77d
Instruction Fuzzy Hash: 7B516B7181156CEECF21EBA4CD41BEEBBB8AF09305F5041EAE109A3141DB305BA8CF61

Function 002A2191 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00235A6E: __EH_prolog3.LIBCMT ref: 00235A75

Part of subcall function 002335DE: __EH_prolog3.LIBCMT ref: 002335E5

Part of subcall function 002A55FF: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000001), ref: 002A562F

Part of subcall function 0027D894: _wcsnlen.LIBCMT ref: 0027D8C5

Part of subcall function 0027D871: _wcslen.LIBCMT ref: 0027D87D

Part of subcall function 002341AD: InitializeCriticalSection.KERNEL32(003746CC,002B188E,00000000,74DEE010,Failed to extract file:,?, Error:,00000000), ref: 002341BB
Part of subcall function 002341AD: EnterCriticalSection.KERNEL32(?,002B188E,00000000,74DEE010,Failed to extract file:,?, Error:,00000000), ref: 002341C7

LeaveCriticalSection.KERNEL32(?,?," ====,?,?,?,?,====== Starting logging of ",0000000B,?,?,?), ref: 002A2229

Strings

" ====, xrefs: 002A21F7
d27, xrefs: 002A2215
====== Starting logging of ", xrefs: 002A21CE

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CriticalSection$H_prolog3$EnterFileInitializeLeaveModuleName_wcslen_wcsnlen
String ID: ====== Starting logging of "$" ====$d27
API String ID: 2828250662-3242255911
Opcode ID: 224a5fe2f11795752ec7222e2236bb2bf7dc1f949766ce3f0923108c25909e46
Instruction ID: 4911dd85c42919ca8f41ea0a58ea990d25cfc254afc944e68a3253e507087503
Opcode Fuzzy Hash: 224a5fe2f11795752ec7222e2236bb2bf7dc1f949766ce3f0923108c25909e46
Instruction Fuzzy Hash: DF316F71A34245EBEB00FFA8AD42BEE73699F42344F804065BD05A7152DFB0DE399E61

Function 00261734 Relevance: 6.1, APIs: 4, Instructions: 117windowCOMMON

Download Yara Rule

APIs

DestroyIcon.USER32(00000000,?,?,00000000,?,?,00080000,00000000), ref: 0026174C
GetWindowRect.USER32(?,?), ref: 002617B5
LoadImageW.USER32(00000000,0007FFFC,00000001,00000000,?,00000010), ref: 00261828
DestroyIcon.USER32(?), ref: 00261842

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: DestroyIcon$ImageLoadRectWindow
String ID:
API String ID: 1425567235-0
Opcode ID: 85de803b5a61b29a98e5279c91d63a6f704dcb79542c62c69f0d8ffc6839b089
Instruction ID: b5d5edd4d26baed402d605202b7c5198b0a6a89b5b9f7771bc1cea239289cbe9
Opcode Fuzzy Hash: 85de803b5a61b29a98e5279c91d63a6f704dcb79542c62c69f0d8ffc6839b089
Instruction Fuzzy Hash: 42419A746243069FDB12CF19D8C0A6AB7EAFB89310F288919F855D7290D770ECB4DB91

Function 00274BF5 Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00274CBB
GetClientRect.USER32(?,?), ref: 00274CC3
CreateAcceleratorTableW.USER32(?,00000001), ref: 00274CE2
GetParent.USER32(?), ref: 00274D06

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ClientRect$AcceleratorCreateParentTable
String ID:
API String ID: 2716292469-0
Opcode ID: 15b0e028f64eb3dbc11743d4805821f2b062370c9394d8e95b5fc40b7ccdffb8
Instruction ID: 9587cfd84272c53d7ebe792e34a7ab64f76ab967b54a42ac05e90ee75acac315
Opcode Fuzzy Hash: 15b0e028f64eb3dbc11743d4805821f2b062370c9394d8e95b5fc40b7ccdffb8
Instruction Fuzzy Hash: 0941527551060AEFCB12EF64C884A9ABBF5FF89351F248419E849C7310E731E991CF50

Function 00309FE0 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0030A014
__isleadbyte_l.LIBCMT ref: 0030A048
MultiByteToWideChar.KERNEL32(00000080,00000009,002F8545,?,00000000,00000000,?,?,?,?,002F8545,00000000,?), ref: 0030A079
MultiByteToWideChar.KERNEL32(00000080,00000009,002F8545,00000001,00000000,00000000,?,?,?,?,002F8545,00000000,?), ref: 0030A0E7

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 0f1699a627a407c50b7527a139b6a40accf4ad1d4933fd5152ad4a6dcd840cb9
Instruction ID: c78f8fd3db1ebc58f99fa76549568a88e0b1b758cebb74ea20cccfb96e45b352
Opcode Fuzzy Hash: 0f1699a627a407c50b7527a139b6a40accf4ad1d4933fd5152ad4a6dcd840cb9
Instruction Fuzzy Hash: 3231F031A0274AEFCB22DF64E8A0DBE7BA5BF01310F1685A8E4558B1D1D731DD40DB52

Function 0024487D Relevance: 6.1, APIs: 4, Instructions: 101windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00244884
LoadStringW.USER32(?,?,00000100,00000010), ref: 002448EA
LoadStringW.USER32(?,?,00000100,00000010), ref: 00244970
MessageBoxW.USER32(?,?,?,?), ref: 0024498C

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: LoadString$H_prolog3_catchMessage
String ID:
API String ID: 1190379205-0
Opcode ID: 0cea07c092ca8b364074f931b41f6347973bb4a83ad70170d2c0803caf1a3e06
Instruction ID: 7b34088d74d369220a342c9bb27493c6f04c4e7ae5c96e76c9e91a2f4b030bdf
Opcode Fuzzy Hash: 0cea07c092ca8b364074f931b41f6347973bb4a83ad70170d2c0803caf1a3e06
Instruction Fuzzy Hash: 5231E77282020EABDB19EF64DC067BFBBB4BF44361F20411EF915A6190D7744A61AF90

Function 002C4BCA Relevance: 6.1, APIs: 4, Instructions: 99windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003EF), ref: 002C4BDA

Part of subcall function 0026D12A: _memset.LIBCMT ref: 0026D138
Part of subcall function 0026D12A: SendMessageW.USER32(?,0000104B,00000000,?), ref: 0026D15D

Part of subcall function 002C4965: GetDlgItem.USER32(?,000003EF), ref: 002C4982
Part of subcall function 002C4965: SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 002C4994

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 002C4C0E
PostMessageW.USER32(?,00000465,00000000,00000000), ref: 002C4CBA
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 002C4CD2

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Message$Send$Item$Post_memset
String ID:
API String ID: 2796785858-0
Opcode ID: cd5f79c6cf9719a29c4718b3d39c728836f6f7f9bff03cc45c848cc3d0374777
Instruction ID: ac133e12d03f2d5b45cb2e481377e2520e2fe6245b51dbf6b8c40f62f8446766
Opcode Fuzzy Hash: cd5f79c6cf9719a29c4718b3d39c728836f6f7f9bff03cc45c848cc3d0374777
Instruction Fuzzy Hash: 5941A270A1064BBFEB15AF748C41FDAFA68BF04304F00836AE529A21A1D3716960DB90

Function 0026C04A Relevance: 6.1, APIs: 4, Instructions: 94windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0026C051
SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 0026C066
ImageList_LoadImageW.COMCTL32(000000FF,00000010,00000001,000000FF,00000000,00002040,?,?,00000001), ref: 0026C145
SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 0026C158

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ImageMessageSend$H_prolog3List_Load
String ID:
API String ID: 3615588349-0
Opcode ID: ab460c1eb431378f1b893a652114455cbad744c26680538f8fc84df7ad345d4f
Instruction ID: 61d37486a5676d8b24fe14f67c3e6cc6142be2e50732b692ff1c39c4278af84a
Opcode Fuzzy Hash: ab460c1eb431378f1b893a652114455cbad744c26680538f8fc84df7ad345d4f
Instruction Fuzzy Hash: 59317C71960215EBDF20EBA4CC86FEE7775BB00710F244664FA51BB1D2CBB06A54CB50

Function 002C0A74 Relevance: 6.1, APIs: 4, Instructions: 92COMMON

Download Yara Rule

APIs

LookupAccountSidW.ADVAPI32(00000000,00000005,?,?,?,00000005,?), ref: 002C0AC1
GetLastError.KERNEL32(?,?,00000000), ref: 002C0AD1
LookupAccountSidW.ADVAPI32(00000000,?,?,?,?,?,?), ref: 002C0B1D
GetLastError.KERNEL32(?,?,00000000), ref: 002C0B23

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: AccountErrorLastLookup
String ID:
API String ID: 3062591017-0
Opcode ID: 835d3d6b106fb7eaae5bfe4766b1550aa7a17d29c5043d8f694d2c737580390c
Instruction ID: 2e7febb7e5164ca0fc8924135fa82ba1f5062548108d386428c94c23752fc6dd
Opcode Fuzzy Hash: 835d3d6b106fb7eaae5bfe4766b1550aa7a17d29c5043d8f694d2c737580390c
Instruction Fuzzy Hash: D431087691410DFFCF01EFA4CD81DEEBBBDEF05354F1044AAEA04A2121DA319A65AF50

Function 00256102 Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00256109
IsWindowEnabled.USER32(?), ref: 00256156
ImageList_Add.COMCTL32(?,?,00000000,?,00000010,00000010,00000001,00000001,00000001,?,?,?,00000000,00000014,00255D39), ref: 002561B5
DeleteObject.GDI32(?), ref: 002561D9

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: DeleteEnabledH_prolog3ImageList_ObjectWindow
String ID:
API String ID: 3501115802-0
Opcode ID: 9a536f5eeab55191d779b7b3a0f605c61592f5b0679bfdafe9eaf4e4f09c8169
Instruction ID: 265d7785b26428752cac656418eb7aa7991dcd31448df3dde7e0fe9619da0eb4
Opcode Fuzzy Hash: 9a536f5eeab55191d779b7b3a0f605c61592f5b0679bfdafe9eaf4e4f09c8169
Instruction Fuzzy Hash: AF31CF71A1060AEFCF20DFA4CD85AFDBBB1BF05305F608128E655A72A2C7B14E55DB50

Function 00258BE9 Relevance: 6.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00258BF0
IsWindowEnabled.USER32(?), ref: 00258C3F
ImageList_Add.COMCTL32(?,00000000,00000000,?,00000010,00000010,00000001,00000001,?,00000000,FF000000), ref: 00258C98
DeleteObject.GDI32(00000000), ref: 00258CBF

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: DeleteEnabledH_prolog3ImageList_ObjectWindow
String ID:
API String ID: 3501115802-0
Opcode ID: c035cc0ca95a139a2515505068137a2285115b394eed75327830dc84ed5fb714
Instruction ID: c823d226436734a7dbf6daac934893c33421a68e73101a650da2fc725b4cbc46
Opcode Fuzzy Hash: c035cc0ca95a139a2515505068137a2285115b394eed75327830dc84ed5fb714
Instruction Fuzzy Hash: 6F31F431A1121AEBDF119FA0CD45BEEBB70BF04302F144254FA65BB2D0CBB05A14DBA4

Function 00241273 Relevance: 6.1, APIs: 4, Instructions: 77COMMON

Download Yara Rule

APIs

CreateRectRgn.GDI32(?,?,?,?), ref: 00241301
GetWindowDC.USER32(?,?,?,?,?,?,?,?,?,?,?,?,0031A38E,000000FF), ref: 00241312
SelectClipRgn.GDI32(00000000,00000000), ref: 00241321
DeleteObject.GDI32(00000000), ref: 00241337

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ClipCreateDeleteObjectRectSelectWindow
String ID:
API String ID: 4107537635-0
Opcode ID: b6c832e03b29f9d5e2f90fa52ef283c567c7c131a0bb22b8822c8433e7f9f3c1
Instruction ID: 9162d29f010bc55c4fbcf34ed950a375da7168545f3351a803505abaa1592efa
Opcode Fuzzy Hash: b6c832e03b29f9d5e2f90fa52ef283c567c7c131a0bb22b8822c8433e7f9f3c1
Instruction Fuzzy Hash: 8A219AB2518381EFC315CF54C880A6BFBE8FB88364F000A2EF995D2250D7749955CF92

Function 00241277 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

CreateRectRgn.GDI32(?,?,?,?), ref: 00241301
GetWindowDC.USER32(?,?,?,?,?,?,?,?,?,?,?,?,0031A38E,000000FF), ref: 00241312
SelectClipRgn.GDI32(00000000,00000000), ref: 00241321
DeleteObject.GDI32(00000000), ref: 00241337

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ClipCreateDeleteObjectRectSelectWindow
String ID:
API String ID: 4107537635-0
Opcode ID: f3257660e8a7ed4ec19d01768c48d49485a3c1307becc5483024b653a5db5b94
Instruction ID: 937504edda5a725318b0886fdfe807ebee1511fe5eab7e4f3f607609dcf5fb4d
Opcode Fuzzy Hash: f3257660e8a7ed4ec19d01768c48d49485a3c1307becc5483024b653a5db5b94
Instruction Fuzzy Hash: 88217AB2518341EFC316CF15D880A5BFBE8FB88364F000A2EF99592250D7749964CF92

Function 0024147F Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00241486
GetDC.USER32(00000000), ref: 002414EF
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00241501
DeleteDC.GDI32(00000000), ref: 0024155A

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CapsDeleteDeviceH_prolog3
String ID:
API String ID: 842384874-0
Opcode ID: 9ebf5110f233dd2f08b425206684207817dacf52f6fa9cee0377dbf088f39493
Instruction ID: c25835a4ac8f482468923dbb85cc3664990dd7dceadbe585a3148bd2f279b9f1
Opcode Fuzzy Hash: 9ebf5110f233dd2f08b425206684207817dacf52f6fa9cee0377dbf088f39493
Instruction Fuzzy Hash: 003125746017019FC769EF34C988AAABBF4FF48301F10196DE99797A62E730E9068F01

Function 00238238 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0023823F
GetSysColor.USER32(00000005), ref: 0023828E
ImageList_Add.COMCTL32(?,?,00000000,?,00000010,00000010,00000001,00000001,?,00001026,?,00001022,?,00000000,00000010,00236969), ref: 002382D1
DeleteObject.GDI32(?), ref: 002382EF

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ColorDeleteH_prolog3ImageList_Object
String ID:
API String ID: 2683517748-0
Opcode ID: 3e1ef8a5f47f45c9ee61b66a2da22bdc9588c241317ab5a53b988c781585a05d
Instruction ID: ba5f954bba48ca283cbb4871dc1963f16ad7c2a95a78e753b8a6ff2e49c2e632
Opcode Fuzzy Hash: 3e1ef8a5f47f45c9ee61b66a2da22bdc9588c241317ab5a53b988c781585a05d
Instruction Fuzzy Hash: 122171B191075BEFCF119FE48D856AEBBB5AF04300F244529F6516B291CBB10A61DF50

Function 00271CF3 Relevance: 6.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(D7557A70), ref: 00271D58
VariantClear.OLEAUT32(D7557A70), ref: 00271D99
VariantClear.OLEAUT32(?), ref: 00271DA5
VariantClear.OLEAUT32(?), ref: 00271DB1

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Variant$Clear$Init
String ID:
API String ID: 3740757921-0
Opcode ID: 6aecd6f3302419d01a811d62bd8b5c394826f17e0b366e7457658be206a7d58d
Instruction ID: a817b2825d27c0cdacba734b1a61cd4e6e34f60841ba424fe94a7b9d18796903
Opcode Fuzzy Hash: 6aecd6f3302419d01a811d62bd8b5c394826f17e0b366e7457658be206a7d58d
Instruction Fuzzy Hash: 15215A72518344AFD310CB68C888B96BBFCAB89724F148A1EF594C72A0D775E904CB92

Function 002B5BE5 Relevance: 6.1, APIs: 4, Instructions: 70threadCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 002B5C0E
GetForegroundWindow.USER32 ref: 002B5C1B
GetWindowThreadProcessId.USER32(?,00000000), ref: 002B5C2C
GetCurrentThreadId.KERNEL32 ref: 002B5C34

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Window$Thread$ActiveCurrentForegroundProcess
String ID:
API String ID: 1436835073-0
Opcode ID: 22d9173245e705cadfb8ea116f8f5760bf1f4de4047cdda87398b6e13ca32c24
Instruction ID: d1d6aaad3c45bcd04ec19be03f2988ac98c23b7b693eeb96c2a6b87024bff530
Opcode Fuzzy Hash: 22d9173245e705cadfb8ea116f8f5760bf1f4de4047cdda87398b6e13ca32c24
Instruction Fuzzy Hash: 8121CDB25207159BCB00EF64DCC64DABFA9AE50390F14493BF8468B151EA30DEA9CA91

Function 002C80A3 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,?), ref: 002C80BD
__wfopen_s.LIBCMT ref: 002C80DB
_feof.LIBCMT ref: 002C8117

Part of subcall function 00233634: __EH_prolog3.LIBCMT ref: 0023363B

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ExistsFileH_prolog3Path__wfopen_s_feof
String ID:
API String ID: 4121712542-0
Opcode ID: aa3e6a1a95021ffae71fd82064e4a1a3c5870840d769a0cc4063782da1e8ed68
Instruction ID: 291c72ff50e9c774382bad232967be0fc76850b22ee69e4e822935493200bc2f
Opcode Fuzzy Hash: aa3e6a1a95021ffae71fd82064e4a1a3c5870840d769a0cc4063782da1e8ed68
Instruction Fuzzy Hash: A2118E71A2010D9BDF12EFF5DC42EAEB7AC9F04340F10412AF901AA115EF21DA2A8E51

Function 00261984 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0026198B

Part of subcall function 0024FBA0: __EH_prolog3.LIBCMT ref: 0024FBA7

Part of subcall function 0028DD10: _wcslen.LIBCMT ref: 0028DD9F
Part of subcall function 0028DD10: _wcslen.LIBCMT ref: 0028DE54

Part of subcall function 00261734: DestroyIcon.USER32(00000000,?,?,00000000,?,?,00080000,00000000), ref: 0026174C
Part of subcall function 00261734: LoadImageW.USER32(00000000,0007FFFC,00000001,00000000,?,00000010), ref: 00261828

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Part of subcall function 002934D0: _memset.LIBCMT ref: 00293537
Part of subcall function 002934D0: _memset.LIBCMT ref: 0029358C

GetWindowLongW.USER32(?,000000F0), ref: 00261A07
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00261A2F
SendMessageW.USER32(?,00000170,?,00000000), ref: 00261A44

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: LongWindow_memset_wcslen$DestroyH_prolog3H_prolog3_IconImageLoadMessageSendchar_traits
String ID:
API String ID: 2037789679-0
Opcode ID: c1ee5d06078214a45eb1a7a56997856b764c7f912f28dd1942712e65f3d15726
Instruction ID: 3eaf95c58dfc91b67c5a903894a038f85ba02b645a6fb5e119c3d2cab1a8464d
Opcode Fuzzy Hash: c1ee5d06078214a45eb1a7a56997856b764c7f912f28dd1942712e65f3d15726
Instruction Fuzzy Hash: 35216D71820209ABDF01EFA4CD89FEDBB75AF49310F648154F911AB1D1CB746A65CF60

Function 002609BD Relevance: 6.1, APIs: 4, Instructions: 66stringwindowCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 002609C4
lstrlenW.KERNEL32(?,0000000C,002612FC,?,?,?,?), ref: 002609DC
IsWindow.USER32(?), ref: 00260A4A
SendMessageW.USER32(?,00000401,00000001,00000000), ref: 00260A5F

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3_catchMessageSendWindowlstrlen
String ID:
API String ID: 2687504486-0
Opcode ID: 4d3e2637415e407be3e5054a661daa49f8ee9913339426519e0e5f099fe32ebf
Instruction ID: 307bd305423a5c7ce308099fff17589c54443ff4e2600b0b1d1ebba430152e27
Opcode Fuzzy Hash: 4d3e2637415e407be3e5054a661daa49f8ee9913339426519e0e5f099fe32ebf
Instruction Fuzzy Hash: 7821A235520304ABDB20DF65CD86BAAB7F8AF48350F108529F246971B0CB71ADA09F10

Function 0026160E Relevance: 6.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0026162C
_memset.LIBCMT ref: 00261649
GetVersionExW.KERNEL32(00000114,?,?,?,?,00000000,?), ref: 00261658
GetParent.USER32(?), ref: 0026167C

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: _memset$ParentVersion
String ID:
API String ID: 1014152498-0
Opcode ID: 6d63ca62cad0c2eeeaf5e8467a0d6d4152c7d2cc5f85870372c3b14761dc9f71
Instruction ID: 53d9ee8cc661cd2727f7188a76e1edc1cfa0b320bd10f7bee9b28b995e0e5bcb
Opcode Fuzzy Hash: 6d63ca62cad0c2eeeaf5e8467a0d6d4152c7d2cc5f85870372c3b14761dc9f71
Instruction Fuzzy Hash: 7E218C70910318DBDB25DF25C886BDABBF8BF04750F588499EA089F145E7B0E994CFA4

Function 0025A0EF Relevance: 6.1, APIs: 4, Instructions: 64windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000120A,?,00000007), ref: 0025A15A
SendMessageW.USER32(?,00001200,00000000,00000000), ref: 0025A16B
GetSystemMetrics.USER32(00000002), ref: 0025A17A
SendMessageW.USER32(?,0000120A,00000000,00000007), ref: 0025A190

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: MessageSend$MetricsSystem
String ID:
API String ID: 3542082049-0
Opcode ID: ea92162ab1bf9607eca2525e2d76ab7c35f176a69e7b69683ae8d23018fe2384
Instruction ID: 5c0e808263f7e66301ec348183454c8bbd0bbe3c7360fcd344cb6bac7666905e
Opcode Fuzzy Hash: ea92162ab1bf9607eca2525e2d76ab7c35f176a69e7b69683ae8d23018fe2384
Instruction Fuzzy Hash: 36113D72910209ABDB11EFA9DC85F8EBBBDEF48311F108126F904E7151D774A9148FA4

Function 002C4B0D Relevance: 6.1, APIs: 4, Instructions: 63timewindowCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000003E8,00000000), ref: 002C4B2E

Part of subcall function 002BA047: GetDlgItem.USER32(?,?), ref: 002BA04E
Part of subcall function 002BA047: EnableWindow.USER32(00000000,000000FF), ref: 002BA05B

Part of subcall function 002C4965: GetDlgItem.USER32(?,000003EF), ref: 002C4982
Part of subcall function 002C4965: SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 002C4994

GetDlgItem.USER32(?,00000402), ref: 002C4B8A
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 002C4BAF
EnableWindow.USER32(00000000,00000000), ref: 002C4BBE

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Item$EnableMessageSendWindow$Timer
String ID:
API String ID: 234023021-0
Opcode ID: 2e16f8c92d2f52fc99b69d79da35f4db47e4de9f50dddeb8e7ec0cdd0024c620
Instruction ID: 97134221d21c429b417784cfc1a4314e78dee75070a31b68bb80de4d1252b68f
Opcode Fuzzy Hash: 2e16f8c92d2f52fc99b69d79da35f4db47e4de9f50dddeb8e7ec0cdd0024c620
Instruction Fuzzy Hash: A5110A70651A827FE303AB349C96FDBFBACFF06354F084124F65897191CB649C2497A1

Function 002C4D20 Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F3), ref: 002C4D38

Part of subcall function 00233634: __EH_prolog3.LIBCMT ref: 0023363B

SetWindowTextW.USER32(00000000,?), ref: 002C4D5E
SetWindowTextW.USER32(00000000,?), ref: 002C4D80
GetDlgItem.USER32(?,000003EF), ref: 002C4D9B

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ItemTextWindow$H_prolog3
String ID:
API String ID: 2851488854-0
Opcode ID: 4a7ece16162af6e6f861f44b121d284acfc793495eef8387c111f2899f969a8a
Instruction ID: 1c0711695a1644a45a59a1905ead4d4d25092c4484dabaa34858720ed3780693
Opcode Fuzzy Hash: 4a7ece16162af6e6f861f44b121d284acfc793495eef8387c111f2899f969a8a
Instruction Fuzzy Hash: B3111F76510204BFDB02AFA0DC86FAA7BADAB05300F0441B5FD059F1A6DB719A549F70

Function 0023C3DF Relevance: 6.1, APIs: 4, Instructions: 57windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 0023C3E6
SendMessageW.USER32(?,00001304,00000000,00000000), ref: 0023C411
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0023C423
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0023C46E

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: MessageSend$H_prolog3_catch_
String ID:
API String ID: 2406996401-0
Opcode ID: 96a623fc389f1fb55bef650e3d36534656032082e647390c4717b9c8d8b93231
Instruction ID: 211553496e4f1e7d50a393c3421940b1bded0190720c664ac4241c0aba7176f9
Opcode Fuzzy Hash: 96a623fc389f1fb55bef650e3d36534656032082e647390c4717b9c8d8b93231
Instruction Fuzzy Hash: 5E1173B0A24219AEDB149F78CC918BCBBB5FF48340F70412EA615F3292CB705D219F50

Function 00231F55 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00231F85
GetParent.USER32(?), ref: 00231F94
SetWindowLongW.USER32(?,000000EB), ref: 00231FB7
ShowWindow.USER32(?,00000000,?,?,?,?,?,D7557A70,?,?,00000000), ref: 00231FCD

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Window$ClientLongParentRectShow
String ID:
API String ID: 1812722836-0
Opcode ID: 801d422f1be27b2ac1e0918bc09508db7e389ea8239692556fd7d964bce4a8d0
Instruction ID: 17b6b9de21633862dcd9760038e03dfe5a23a616f57e73649baa39a35070b5b3
Opcode Fuzzy Hash: 801d422f1be27b2ac1e0918bc09508db7e389ea8239692556fd7d964bce4a8d0
Instruction Fuzzy Hash: 4C112AB4904705AFCB11DF66C88886ABBF8FF08314F50866DE55693A61D730E950CF50

Function 00309A2D Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00309A53

Part of subcall function 00309878: __fltout2.LIBCMT ref: 003098A4

__cftog_l.LIBCMT ref: 00309A79
__cftoe_l.LIBCMT ref: 00309AAB

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 2ffa5f7a9133869784291037da9cf51586faa4904a51ee3a5b4a2ff24323cb18
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: AC118C7210114ABBCF135E84CC21EEE3F26BB49350B59841AFE19581B2C332D9B2EB81

Function 002BA064 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00003026), ref: 002BA076
GetClientRect.USER32(?,?), ref: 002BA08B
GetWindowRect.USER32(?,?), ref: 002BA0A4

Part of subcall function 002331A2: ScreenToClient.USER32(?,?), ref: 002331AF
Part of subcall function 002331A2: ScreenToClient.USER32(?,?), ref: 002331BB

SetWindowPos.USER32(?,00000000,00000000,00000254,?,?,00000254), ref: 002BA0D5

Part of subcall function 002BA4AD: GetWindowLongW.USER32(-00000004,000000F0), ref: 002BA4CC
Part of subcall function 002BA4AD: GetWindowLongW.USER32(-00000004,000000EC), ref: 002BA4FE
Part of subcall function 002BA4AD: SetWindowLongW.USER32(-00000004,000000EC,00000000), ref: 002BA512
Part of subcall function 002BA4AD: SendMessageW.USER32(-00000004,0000007F,00000000,00000000), ref: 002BA524
Part of subcall function 002BA4AD: SendMessageW.USER32(-00000004,00000080,00000000,00000000), ref: 002BA533
Part of subcall function 002BA4AD: GetDlgItem.USER32(-00000004,0000E801), ref: 002BA53E
Part of subcall function 002BA4AD: IsWindow.USER32(00000000), ref: 002BA548
Part of subcall function 002BA4AD: DestroyWindow.USER32(?), ref: 002BA567
Part of subcall function 002BA4AD: GetClientRect.USER32(-00000004,?), ref: 002BA5A1

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Window$Client$LongRect$ItemMessageScreenSend$Destroy
String ID:
API String ID: 3319840898-0
Opcode ID: 82d4a3629ef064201f987e73d5ad236ee8e747e0d6479cd925df980ada831074
Instruction ID: e00e6adf5913910da5e3e5f255121c8796362ead567a10fcd6d8643febe8d5e0
Opcode Fuzzy Hash: 82d4a3629ef064201f987e73d5ad236ee8e747e0d6479cd925df980ada831074
Instruction Fuzzy Hash: 51111275D0012AAFDF01EF95CE898EEBBB9EF48700F104056E501A2260C7709A10CFA1

Function 00298DF0 Relevance: 6.0, APIs: 4, Instructions: 48fileCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,?), ref: 00298E14
GetTempFileNameW.KERNEL32(?,?,00000000,?), ref: 00298E48
DeleteFileW.KERNEL32(?,?,00000000,?), ref: 00298E57
_wcslen.LIBCMT ref: 00298E62

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: FileTemp$DeleteNamePath_wcslen
String ID:
API String ID: 308002304-0
Opcode ID: f3e8d16c6e66ee8125ca1d0052ec70c0ee8cf873b75fb1aac0a7159a626e9159
Instruction ID: b9e6e1045beccdb16cf88d3621d2650cf8747b500049e26745b0b6670748b65b
Opcode Fuzzy Hash: f3e8d16c6e66ee8125ca1d0052ec70c0ee8cf873b75fb1aac0a7159a626e9159
Instruction Fuzzy Hash: 9B01D6B1510308ABC734DB20DC45BEB73DCAF88700F404D2DB649C2161EA70A5548BA2

Function 00240141 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00240164
GetWindowRect.USER32(?,00000000), ref: 00240179
IntersectRect.USER32(?,00000000,?), ref: 00240193
EqualRect.USER32(?,00000000), ref: 002401A1

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Rect$Window$EqualIntersect
String ID:
API String ID: 1255885235-0
Opcode ID: 900fdb540e7acd774c00d97d4dabfe8b0df443e2b80b6349e4c5f76c81f19efa
Instruction ID: 87c8570e185cbbd33a095795fd82536c443612b6ea2ff4bcf43f4467f4eae890
Opcode Fuzzy Hash: 900fdb540e7acd774c00d97d4dabfe8b0df443e2b80b6349e4c5f76c81f19efa
Instruction Fuzzy Hash: 1B014BB6C1022DAA8B01DFD9D8848EEBBBCFA48B10F14411BE911E2210D7749605CFE4

Function 0024D69B Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0024D6A2

Part of subcall function 0024D9A8: __EH_prolog3.LIBCMT ref: 0024D9AF

EnterCriticalSection.KERNEL32(?,?,00000008,00244B53,00000000,?,?,?,?,00244AE3,?,?,?,?,?,?), ref: 0024D6B7
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00244AE3,?,?,?,?,?,?), ref: 0024D6EF
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000,?,?,?,?,?,00244AE3,?,?,?,?,?,?), ref: 0024D71B

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CriticalH_prolog3Section$EnterExceptionLeaveRaise
String ID:
API String ID: 2241115223-0
Opcode ID: eec64c73cba65b5d22515965150b5cf8da5da622372e3410be78ff38536035c8
Instruction ID: db61de4daf92fbaf5371d94cc079ffcaba80612155bc15f014ba841ba959d811
Opcode Fuzzy Hash: eec64c73cba65b5d22515965150b5cf8da5da622372e3410be78ff38536035c8
Instruction Fuzzy Hash: 3E01B134A1011A9BDF26DBF0CD45B9EB7B8AB05325F204615E651F32D1C7B0AA15CB61

Function 0027E075 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0027E07C
CloseHandle.KERNEL32(00000000,00000000,0027DF68,?,00000000,?,?,?,00000001,00000000,?,?,?,00000000,00000F04,?), ref: 0027E09E
CloseHandle.KERNEL32(00000000,00000000,0027DF68,?,00000000,?,?,?,00000001,00000000,?,?,?,00000000,00000F04,?), ref: 0027E0B4
CloseHandle.KERNEL32(00000000,00000000,0027DF68,?,00000000,?,?,?,00000001,00000000,?,?,?,00000000,00000F04,?), ref: 0027E0CA

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CloseHandle$H_prolog3
String ID:
API String ID: 604870763-0
Opcode ID: 2a8b22d27a88201d0146d6e6a9e45dd0117fd647399f9aef759a4d62cdd68725
Instruction ID: 95d543d80522b81308579c2ef7ed84662316cd222a3accb481f0667a8e3c9d29
Opcode Fuzzy Hash: 2a8b22d27a88201d0146d6e6a9e45dd0117fd647399f9aef759a4d62cdd68725
Instruction Fuzzy Hash: 590144355112499FDF20EFA4CD447CDB7E8AF04311F1544A8ED84AB282D7B4DA54CBB1

Function 00274FB3 Relevance: 6.0, APIs: 4, Instructions: 38windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00274FCE
BitBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00CC0020), ref: 00274FF7
DeleteDC.GDI32(?), ref: 00275000
ReleaseDC.USER32(?,?), ref: 00275012

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ClientDeleteRectRelease
String ID:
API String ID: 2015589292-0
Opcode ID: 0da22c8847e607fab97efff0b0b0aaafff7fdf16b1a218ae97b8f490cc31f74c
Instruction ID: edc52427a06697995acf2c65b66b14af9e7fb452e08a1af88e5e0a406bd03807
Opcode Fuzzy Hash: 0da22c8847e607fab97efff0b0b0aaafff7fdf16b1a218ae97b8f490cc31f74c
Instruction Fuzzy Hash: 5801E436900219FFDB12DFA8DC49FAEBBB9FF08310F008518FA55A6260C7B1A950DB50

Function 002653AF Relevance: 6.0, APIs: 4, Instructions: 36windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002653B6
LoadBitmapW.USER32(?,00000004), ref: 002653D8

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: BitmapH_prolog3Load
String ID:
API String ID: 1107220172-0
Opcode ID: cd42fc85097e8a907c4c2f536b9e1c458d010a26f5b7f77b3c7b8c47856a5249
Instruction ID: 01a6aa62e6f6d4d3da2420a6c8796828336bc5e43e8df64333e2628166477659
Opcode Fuzzy Hash: cd42fc85097e8a907c4c2f536b9e1c458d010a26f5b7f77b3c7b8c47856a5249
Instruction Fuzzy Hash: 76F03670920629DBCB119F65CC444BEBAB4FF45761F104766F565D72A0CBB089D0DB50

Function 003119E8 Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 003119EF
DestroyWindow.USER32(?,00000000,0027A544,?,?,?,?,?,?,?,?,00000000,0027A4BE), ref: 00311A32
IsWindow.USER32(00000000), ref: 00311A37
DestroyWindow.USER32(00000000,?,?,?,?,?,?,00000000,0027A4BE), ref: 00311A44

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Window$Destroy$H_prolog3
String ID:
API String ID: 2902806391-0
Opcode ID: e4a6b9031b13c1b6ad62c45cb7a437d13736b2d3cd58770aa73c037dde3fc78f
Instruction ID: 53d552f19a797bca3b823d2a6941cb756d3bdf67ed481397feae6c057de77774
Opcode Fuzzy Hash: e4a6b9031b13c1b6ad62c45cb7a437d13736b2d3cd58770aa73c037dde3fc78f
Instruction Fuzzy Hash: D801DC75101B059BCB22EFA0C90979AFBF5AF48360F258918E6969B690CB30E880CF50

Function 003115BC Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

MapWindowPoints.USER32(?,00000000,?,00000002), ref: 003115D1
GetParent.USER32(?), ref: 003115E6
GetWindowRect.USER32(00000000,?), ref: 003115F1
OffsetRect.USER32(?,?,?), ref: 00311606

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: RectWindow$OffsetParentPoints
String ID:
API String ID: 163569895-0
Opcode ID: 46e31c304646d7561d51db4e7709cc6b35d890cd373a399711ea2d31f86beda3
Instruction ID: b1a94b0636930fc363f58000c9f6ab3cb45368e3481c787b08dfbfe870ab6987
Opcode Fuzzy Hash: 46e31c304646d7561d51db4e7709cc6b35d890cd373a399711ea2d31f86beda3
Instruction Fuzzy Hash: C0F092B1900119BFDB119F9ADC49CAEFBBCFF99341F00455AE915A2260D6B05911DA60

Function 0024D81C Relevance: 6.0, APIs: 4, Instructions: 34threadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0024D823

Part of subcall function 0024D9A8: __EH_prolog3.LIBCMT ref: 0024D9AF

EnterCriticalSection.KERNEL32(?,?,0000000C,002454BF), ref: 0024D838
GetCurrentThreadId.KERNEL32 ref: 0024D842
LeaveCriticalSection.KERNEL32(?,?), ref: 0024D871

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CriticalH_prolog3Section$CurrentEnterLeaveThread
String ID:
API String ID: 4208023338-0
Opcode ID: 4caed7224e8506618cd7296bd5d4a647f5cb542376f477361dd9d161f6e6cb18
Instruction ID: 505e8eeaf3d3df345f4407a6f38d96ebbd89f1b38dbcd1c677c1d59e9535faef
Opcode Fuzzy Hash: 4caed7224e8506618cd7296bd5d4a647f5cb542376f477361dd9d161f6e6cb18
Instruction Fuzzy Hash: D7F0AF39D10119DBCF16EBF0C90A6EEFBB8AF04720F100265E611E3291DBB44A528F91

Function 00234007 Relevance: 6.0, APIs: 4, Instructions: 33timeCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0023400E

Part of subcall function 002341AD: InitializeCriticalSection.KERNEL32(003746CC,002B188E,00000000,74DEE010,Failed to extract file:,?, Error:,00000000), ref: 002341BB
Part of subcall function 002341AD: EnterCriticalSection.KERNEL32(?,002B188E,00000000,74DEE010,Failed to extract file:,?, Error:,00000000), ref: 002341C7

_clock.LIBCMT ref: 00234034

Part of subcall function 002F78D9: GetSystemTimeAsFileTime.KERNEL32(D7557A70,00000000,?,?,?,002340EA,0000000C,00233AC5,D7557A70), ref: 002F78E5
Part of subcall function 002F78D9: __aulldiv.LIBCMT ref: 002F7916

SetTimer.USER32(00000000,00000001,0000000A,00000000), ref: 00234050
LeaveCriticalSection.KERNEL32(?), ref: 00234064

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CriticalSection$Time$EnterFileH_prolog3InitializeLeaveSystemTimer__aulldiv_clock
String ID:
API String ID: 1824787798-0
Opcode ID: 7c0a3f28ffd6dc20f19678670df30359fe26340c1a4101b7158dec81571839ed
Instruction ID: 29477e5e5dd46f125aede930deb8bbe037d5add284d45998d816c723eb481e41
Opcode Fuzzy Hash: 7c0a3f28ffd6dc20f19678670df30359fe26340c1a4101b7158dec81571839ed
Instruction Fuzzy Hash: CAF0A97491022A8ADF00FFA4C9867DDBBB8FF05350F1041A5FA45BB182C7B09952CBA0

Function 002BC6D9 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000007D1), ref: 002BC6EB
GetWindowTextLengthW.USER32(00000000), ref: 002BC6F9
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 002BC70B

Part of subcall function 00233591: _wcsnlen.LIBCMT ref: 002335A1

EndDialog.USER32(?,00000001), ref: 002BC723

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: TextWindow$DialogItemLength_wcsnlen
String ID:
API String ID: 2310324983-0
Opcode ID: ebae3617ef311e342d5d485ac5f554605c57d7713c03672d21c149748060f4ce
Instruction ID: 9401b1dd4fa00ab70d92c2af1d98f9553d72e1143f5f99a6377a4c79a16fb22e
Opcode Fuzzy Hash: ebae3617ef311e342d5d485ac5f554605c57d7713c03672d21c149748060f4ce
Instruction Fuzzy Hash: F2F0A776114205BFDB016F619CCDD9B7B7CEF88755F108024B50566022CB749A11AF60

Function 0024D23E Relevance: 6.0, APIs: 4, Instructions: 32threadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0024D245
GetCurrentThreadId.KERNEL32 ref: 0024D257
EnterCriticalSection.KERNEL32(003732A4), ref: 0024D271

Part of subcall function 0024D9D2: LeaveCriticalSection.KERNEL32(?,?,00245B42,?,00000000,?,?,?,00000020), ref: 0024D9DD

RaiseException.KERNEL32(C0000005,00000001,00000000,00000000,00000008,002F1CA2,?,00000000,00000001,00000000,00000000,00000000,000000FF,?,?,?), ref: 0024D2A8

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CriticalSection$CurrentEnterExceptionH_prolog3LeaveRaiseThread
String ID:
API String ID: 3666527294-0
Opcode ID: 176fc9919a21dcf742c5fae28dc4a9aaf0daa3a1c8a59ba4dce3d11336001af1
Instruction ID: 1df870fb5312f01b84ab3e4ed1e4b24bdf06e8967c33dea05b69040bfcf3fb06
Opcode Fuzzy Hash: 176fc9919a21dcf742c5fae28dc4a9aaf0daa3a1c8a59ba4dce3d11336001af1
Instruction Fuzzy Hash: DEF0AF34A1031A9FD725DFE4CD4979DBBE8AF00711F10891CEA55E72A1D7B09640DF10

Function 002F9F40 Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 002F9F4C

Part of subcall function 002F9439: __getptd_noexit.LIBCMT ref: 002F943C
Part of subcall function 002F9439: __amsg_exit.LIBCMT ref: 002F9449

__getptd.LIBCMT ref: 002F9F63
__amsg_exit.LIBCMT ref: 002F9F71
__lock.LIBCMT ref: 002F9F81

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 16a88a22f4610946db66026423be35e07b3a5d79ae6e71374194f28f35f02822
Instruction ID: 70ff7a027d167b593d746c229bb7febbb4563062fe81dd7ae641c194352fa7a6
Opcode Fuzzy Hash: 16a88a22f4610946db66026423be35e07b3a5d79ae6e71374194f28f35f02822
Instruction Fuzzy Hash: 7DF0623293070CCAD761BB749403B79F3A06F007A0F504279E745DB591CB7458A29E52

Function 002BA395 Relevance: 6.0, APIs: 4, Instructions: 31windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000475,00000000,?), ref: 002BA3AD
IsWindow.USER32(?), ref: 002BA3B6
SendMessageW.USER32(?,00000476,00000000,00000000), ref: 002BA3CC
PostQuitMessage.USER32(00000000), ref: 002BA3D4

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Message$Send$PostQuitWindow
String ID:
API String ID: 1571817601-0
Opcode ID: a46f85e654bd2fa3632cb7486efbf4ae09701799510d3b046120f743a26466d9
Instruction ID: fd76ce85b08d883e9950e703de6f1f2efc4da6c5478ee44a186a0138e7ad71b5
Opcode Fuzzy Hash: a46f85e654bd2fa3632cb7486efbf4ae09701799510d3b046120f743a26466d9
Instruction Fuzzy Hash: 6AF06531764202BAF7211B229C49F9776E5EB90B91F018425F6C6D61E0D6A18C21A625

Function 0026DAF4 Relevance: 6.0, APIs: 4, Instructions: 29windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0026DAFB
IsWindow.USER32(00000003), ref: 0026DB21
EnableWindow.USER32(00000003,00000000), ref: 0026DB30
DestroyIcon.USER32(?,?,?,?,?,00000000,002555E3,?,?,?,00000004), ref: 0026DB45

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Window$DestroyEnableH_prolog3Icon
String ID:
API String ID: 122062217-0
Opcode ID: 8e001db5d361ea104d0e793fdc3a3024784d515ca91955b8342cdad1cc08ad05
Instruction ID: 8cca9b3d9b44dbe9cf2163e40a1f1ea981f708d5543ee52780f2f615cb42dba9
Opcode Fuzzy Hash: 8e001db5d361ea104d0e793fdc3a3024784d515ca91955b8342cdad1cc08ad05
Instruction Fuzzy Hash: A4F0F670610606FFCB12EFB5D94978CFBB4BF01300F108214E555A7290C771AA64DFA0

Function 0029D2E0 Relevance: 6.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,00000007,00000007,000000FF,D7557A70,00000000,00000008,?,00000007), ref: 0029D30C
GetConsoleScreenBufferInfo.KERNEL32(00000000), ref: 0029D30F
GetStdHandle.KERNEL32(000000F5,0000000C), ref: 0029D320
SetConsoleTextAttribute.KERNEL32(00000000), ref: 0029D323

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ConsoleHandle$AttributeBufferInfoScreenText
String ID:
API String ID: 154019741-0
Opcode ID: 0a448e8912fd0ded60acddec67d2231fe21329e1b36c32ba8d34c9d52afcb6cd
Instruction ID: 0247b44c8dc2bf578391be3db4ff926013d39c81980ef11ee2ba4d5c70f72b47
Opcode Fuzzy Hash: 0a448e8912fd0ded60acddec67d2231fe21329e1b36c32ba8d34c9d52afcb6cd
Instruction Fuzzy Hash: 47F01C74908341AFC350EF688C4495BBBE8EFC4B20F508A2EF5A8C32A0E734C544CB92

Function 002B9C0B Relevance: 6.0, APIs: 4, Instructions: 25windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,0000040A), ref: 002B9C1D
SetWindowTextW.USER32(00000000,?), ref: 002B9C24
GetDlgItem.USER32(00000000,0000040B), ref: 002B9C35
SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 002B9C42

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Item$MessageSendTextWindow
String ID:
API String ID: 2101643998-0
Opcode ID: 0fd3e7f314af3f0bba9adbb992de09192ebcb4d7c4ccd0b2010f21f04dc7cbba
Instruction ID: e3691cdbe973ac283e37370096fb6b69358c6a19e790b3c601578b3aee14b450
Opcode Fuzzy Hash: 0fd3e7f314af3f0bba9adbb992de09192ebcb4d7c4ccd0b2010f21f04dc7cbba
Instruction Fuzzy Hash: 59E06D76500300AFD7326B61EC4AE1ABBB9EF94310F05CA19F742610F086B06826CB14

Function 002C5819 Relevance: 6.0, APIs: 4, Instructions: 24COMMON

Download Yara Rule

APIs

Part of subcall function 002BA047: GetDlgItem.USER32(?,?), ref: 002BA04E
Part of subcall function 002BA047: EnableWindow.USER32(00000000,000000FF), ref: 002BA05B

GetDlgItem.USER32(?,000003F3), ref: 002C5836
EnableWindow.USER32(00000000), ref: 002C583D
GetDlgItem.USER32(?,000003F6), ref: 002C5855
SetWindowTextW.USER32(00000000,00334684), ref: 002C585D

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ItemWindow$Enable$Text
String ID:
API String ID: 894361193-0
Opcode ID: 09bfc7b39fe6852b1b0b5d882a037b7f70245dc22bb1e8e14027b1213273f10c
Instruction ID: 0c1616f348421362d57eca4b45b9bb43c22370f3379d0964805451e152d5d2c2
Opcode Fuzzy Hash: 09bfc7b39fe6852b1b0b5d882a037b7f70245dc22bb1e8e14027b1213273f10c
Instruction Fuzzy Hash: 87E04F70581741BFE7236BA5FC9BEA77BECEB95701F080528F692560A0CB65A9508B20

Function 00246062 Relevance: 6.0, APIs: 4, Instructions: 23windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00246069
IsWindow.USER32(00000000), ref: 00246089
DestroyWindow.USER32(00000000,?,?,?,?,00244AE3,?,?,?,?,?,?), ref: 00246096
PostQuitMessage.USER32(?), ref: 0024609F

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Window$DestroyH_prolog3_catch_MessagePostQuit
String ID:
API String ID: 4063796250-0
Opcode ID: 2831566c9cc04c1ca17c485c52505d8f6ede06e5e3dc114ffb92d57080cb52c7
Instruction ID: ad9060bb04ba70d59882815e2207c0eb4f56541f4c1d2e310a719dcaf8eb7f6f
Opcode Fuzzy Hash: 2831566c9cc04c1ca17c485c52505d8f6ede06e5e3dc114ffb92d57080cb52c7
Instruction Fuzzy Hash: 59F085309102088FDB269FB0C94EA89BBB0BF11391F108268A596A30B1CB31AA20DF50

Function 00291420 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 241COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00291472
__CxxThrowException@8.LIBCMT ref: 002914DB

Part of subcall function 002FBE0C: RaiseException.KERNEL32(?,?,?,?), ref: 002FBE4E

Strings

map/set<T> too long, xrefs: 00291461, 0029147B

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ExceptionException@8RaiseThrow_strlen
String ID: map/set<T> too long
API String ID: 3319886796-1285458680
Opcode ID: a70db8be91c5a844a560ba9cb525c6c63533f156abbff4c128dfdfa0ccddd611
Instruction ID: 5e7405e8cc49013752756dcef2cbd13ed633fb21e5b741848e68c4d3af612754
Opcode Fuzzy Hash: a70db8be91c5a844a560ba9cb525c6c63533f156abbff4c128dfdfa0ccddd611
Instruction Fuzzy Hash: 8FB168B1914742DFCB25CF16C180416FBA6BF99314B6A869DE49A5B751C332F862CBC0

Function 002D1E8D Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 229COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002D1E97

Part of subcall function 00231110: std::_String_base::_Xlen.LIBCPMT ref: 00231122

Strings

Message type, xrefs: 002D1F53
Argument, xrefs: 002D1F91

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3_String_base::_Xlenstd::_
String ID: Argument$Message type
API String ID: 4170987114-322207959
Opcode ID: f6ba973d60c24afd9ef85176067e1874b0da603199bec13031d236dae5d51299
Instruction ID: 76e8e6b4c587c85aa2984b9483a49fcec5da03a41637e9a8df48431913f40f2b
Opcode Fuzzy Hash: f6ba973d60c24afd9ef85176067e1874b0da603199bec13031d236dae5d51299
Instruction Fuzzy Hash: 6B81DCB1C24209DEDF11EFE4C991BECB775AF20300F14806AE1466B2D2DBB09DA9CB50

Function 002CDCC6 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 225COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002CDCCD

Part of subcall function 0023A6F5: __EH_prolog3.LIBCMT ref: 0023A6FC

__CxxThrowException@8.LIBCMT ref: 002CDD01

Part of subcall function 002FBE0C: RaiseException.KERNEL32(?,?,?,?), ref: 002FBE4E

Strings

invalid map/set<T> iterator, xrefs: 002CDCDB

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$ExceptionException@8RaiseThrow
String ID: invalid map/set<T> iterator
API String ID: 1412866469-152884079
Opcode ID: f37d4059c9628d45467bb4d27a74c3817e98250ab685245418c8da3b6b7dbc6a
Instruction ID: e4b2f92f16ef6c6d9cdd77b8e68a7ac536c947b4b538a02ae096fe1fb8170445
Opcode Fuzzy Hash: f37d4059c9628d45467bb4d27a74c3817e98250ab685245418c8da3b6b7dbc6a
Instruction Fuzzy Hash: 4CA16F71925282DFDB25DF24C184F64BFA1AF56308F1881ACD58A4F352D7B6EC92CB90

Function 00239D54 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 225COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00239D5B

Part of subcall function 0023A6F5: __EH_prolog3.LIBCMT ref: 0023A6FC

__CxxThrowException@8.LIBCMT ref: 00239D8F

Part of subcall function 002FBE0C: RaiseException.KERNEL32(?,?,?,?), ref: 002FBE4E

Strings

invalid map/set<T> iterator, xrefs: 00239D69

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$ExceptionException@8RaiseThrow
String ID: invalid map/set<T> iterator
API String ID: 1412866469-152884079
Opcode ID: b49e59f37fb8ca4a0bb41d61359a6e37f2f677b1a397d9b9c5f4d1eebf2c8491
Instruction ID: 877f92019d35f7040fc45d78db901e3bfc714edc95c220a45cc0225aec5b88ff
Opcode Fuzzy Hash: b49e59f37fb8ca4a0bb41d61359a6e37f2f677b1a397d9b9c5f4d1eebf2c8491
Instruction Fuzzy Hash: F0A14DB05282859FDB25DF24C084BA4BFA2BF56308F18809ED5854F752D7B2ECD5CB91

Function 002C94CE Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 191COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002C9556

Strings

hG7, xrefs: 002C959A
G7, xrefs: 002C957E

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: _wcslen
String ID: G7$hG7
API String ID: 176396367-1033660060
Opcode ID: a6be83e5802f4126e71139603a8f740c7a6d09031252c87bde76ea35211f23f9
Instruction ID: 82556f717739313688453bc0f36816792adf445231be20aca24715b715e091fb
Opcode Fuzzy Hash: a6be83e5802f4126e71139603a8f740c7a6d09031252c87bde76ea35211f23f9
Instruction Fuzzy Hash: 8C718A716287419FC715EF24C881A1EB7E8BF88750F510A2DF594A72A1CB30ED95CF92

Function 002F07D7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 183COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002F07E1

Part of subcall function 002F0D9F: __EH_prolog3.LIBCMT ref: 002F0DA6

_wcslen.LIBCMT ref: 002F0856

Strings

:, xrefs: 002F090E

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3H_prolog3__wcslen
String ID: :
API String ID: 1523997010-336475711
Opcode ID: 364c6df94d16c75b103fcd8de7a61687ea88013d40216da7a995434504790755
Instruction ID: 06d66bf2a992fe110857a18fd4d212b1da0f562c8c2963616d6c1575a6bf513d
Opcode Fuzzy Hash: 364c6df94d16c75b103fcd8de7a61687ea88013d40216da7a995434504790755
Instruction Fuzzy Hash: 07618C71D2122CDBDF14EBA4C880AEEFB78AF05380F148165E645A7182DB705F59CFA1

Function 002683C9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 171windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002683D3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002683EA

Part of subcall function 002587E5: SendMessageW.USER32(?,0000113E,00000000,?), ref: 00258813

Part of subcall function 002C8CC0: __EH_prolog3.LIBCMT ref: 002C8CC7

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Strings

AiRefreshCost, xrefs: 0026853A

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: MessageSend$H_prolog3H_prolog3_char_traits
String ID: AiRefreshCost
API String ID: 2167020979-1756256600
Opcode ID: a843d37363fabd29a765031cab1f3c4fd9d903ede21153921375552c79dd7e05
Instruction ID: eefa6e723249ef9e34cee854809ee0f9c70c2ff5082326bbeae5c816ee6ab894
Opcode Fuzzy Hash: a843d37363fabd29a765031cab1f3c4fd9d903ede21153921375552c79dd7e05
Instruction Fuzzy Hash: A4616C7491021AAFDB10EFA0CC95BEDB778AF04304F108299E655AB291DFB46B94CF91

Function 002D0032 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 169COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002D003C

Part of subcall function 0023DEAD: __EH_prolog3.LIBCMT ref: 0023DEB4

Part of subcall function 0023DEFC: __EH_prolog3.LIBCMT ref: 0023DF03

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Strings

) AND ( , xrefs: 002D0134
Show, xrefs: 002D00EF

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$H_prolog3_char_traits
String ID: ) AND ( $Show
API String ID: 3359205163-3000258348
Opcode ID: a30ca7ffd627c4cb3951ee61d5a67a5cd250e697ae0e50be1ab41cdb24a39cd8
Instruction ID: 9a7311e1e777ea1383f884dd6053ad7d168561ef433992f92b7c8f8656a88d7e
Opcode Fuzzy Hash: a30ca7ffd627c4cb3951ee61d5a67a5cd250e697ae0e50be1ab41cdb24a39cd8
Instruction Fuzzy Hash: AE5173B1C10258AADB21EBB4CC86FDEBBB8AF11710F14419AF508B7292DB705E64CF51

Function 00261CF8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00261CFF
SendMessageW.USER32(?,00001009,00000000,00000000), ref: 00261D42

Strings

AiIndirectListProperty, xrefs: 00261D55

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3_MessageSend
String ID: AiIndirectListProperty
API String ID: 591282594-2049087350
Opcode ID: 54fe543b7e93bd755f778cc60cd99525365a905204c37cd9bb014b67c0a314d3
Instruction ID: d9fceb9c7dca217989333b9427b038e223fcd6c1d4b92eb3422461f904554290
Opcode Fuzzy Hash: 54fe543b7e93bd755f778cc60cd99525365a905204c37cd9bb014b67c0a314d3
Instruction Fuzzy Hash: FB61BD71A10248EFDF09DFA4C885BDDFBB4BF09300F148159E556AB291CBB16A68CF51

Function 00284F80 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 167COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 0028510D

Strings

+, xrefs: 002850AB
%, xrefs: 0028509D

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: swprintf
String ID: %$+
API String ID: 233258989-2626897407
Opcode ID: 56ef91abec7bbaac6dc562e9c85231b7e92b5eceaed5c3563ddefefdc1cbaa87
Instruction ID: 38b2a3c3500dca8de1d4ff6b2d6bc523f7ba244e24f827c4bfe7b6e644747fc7
Opcode Fuzzy Hash: 56ef91abec7bbaac6dc562e9c85231b7e92b5eceaed5c3563ddefefdc1cbaa87
Instruction Fuzzy Hash: 8F51AD77A297119BD712FE18C8847DB7BE8EB49380F20494CE981872D2E7758C258FC2

Function 0025229B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 165COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002522A5

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Strings

{&^&}, xrefs: 00252313
MsiRMFilesInUse, xrefs: 002522F7

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3_char_traits
String ID: MsiRMFilesInUse${&^&}
API String ID: 2209240912-75527770
Opcode ID: cea634f38177b064aee35327bbe68b9f440e09c133dbfb3d5ea448a2ab758cb0
Instruction ID: 65f847f0034a72127f998d21a4f42b969ae601d9328f25cc4eb90d51ff5dad8f
Opcode Fuzzy Hash: cea634f38177b064aee35327bbe68b9f440e09c133dbfb3d5ea448a2ab758cb0
Instruction Fuzzy Hash: 13612871D10268DEDB21EBA4C881BDDB7B8AF05310F1481D6E649B7282DB306F98CF65

Function 00285160 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 002852DD

Strings

+, xrefs: 0028527B
%, xrefs: 0028526D

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: swprintf
String ID: %$+
API String ID: 233258989-2626897407
Opcode ID: 8cab57b8aaf2beb62fb5394a535dded1e2adcf443aa3e19aa0befb3070481ce1
Instruction ID: 7709a714cd6cf02bfdf4829b70f324041360ddd36c6f77c42d3b63d72ecaef13
Opcode Fuzzy Hash: 8cab57b8aaf2beb62fb5394a535dded1e2adcf443aa3e19aa0befb3070481ce1
Instruction Fuzzy Hash: 9651BC76A29B109FD716EE58C8847D77BE8EB46340F20494CFC85C72D6EA748C258BD2

Function 002D9B59 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 159COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002D9B60

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Part of subcall function 0024258A: __EH_prolog3.LIBCMT ref: 00242591

Strings

PIDTemplate, xrefs: 002D9B67
PIDKEY, xrefs: 002D9C18

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3H_prolog3_char_traits
String ID: PIDKEY$PIDTemplate
API String ID: 3685356560-3823902873
Opcode ID: eab4aa1765ec71269855742c6820c94fb922d5758aec50793ed436e4cfafdd68
Instruction ID: 5357b6643ddff93961b7ffd0491cc7d32bbf0d483b12cb78ff3801e2ab81acf3
Opcode Fuzzy Hash: eab4aa1765ec71269855742c6820c94fb922d5758aec50793ed436e4cfafdd68
Instruction Fuzzy Hash: 51517271C20149EACF15EBE4C885DEEBBB8AF55700F14855BF022A72A1EB705E65CF60

Function 0026C6FC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0026C71B

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Part of subcall function 0023DF4F: _wcslen.LIBCMT ref: 0023DF54

Part of subcall function 002C8D0D: __EH_prolog3.LIBCMT ref: 002C8D14

Part of subcall function 00234BA5: __EH_prolog3.LIBCMT ref: 00234BAC

Part of subcall function 002C8CC0: __EH_prolog3.LIBCMT ref: 002C8CC7

Strings

InstallValidate, xrefs: 0026C7AB
CostingComplete, xrefs: 0026C722

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$_wcslenchar_traits
String ID: CostingComplete$InstallValidate
API String ID: 1744582454-3487920639
Opcode ID: 083b79a4f5b97503a8473ee9047e681f27ff5e1ab8748f35a3b181295872631c
Instruction ID: dd3c78cc4f6ba29e7bf58fe51f6a9757218b09940752191046c151705e866940
Opcode Fuzzy Hash: 083b79a4f5b97503a8473ee9047e681f27ff5e1ab8748f35a3b181295872631c
Instruction Fuzzy Hash: AC41907191424CEFDB05EFA4C885FEDBBB8AF15304F148199F645A7182DB74AB08CB61

Function 002C567A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 126fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00233634: __EH_prolog3.LIBCMT ref: 0023363B

Part of subcall function 0024D307: __EH_prolog3.LIBCMT ref: 0024D30E

Part of subcall function 002C5819: GetDlgItem.USER32(?,000003F3), ref: 002C5836
Part of subcall function 002C5819: EnableWindow.USER32(00000000), ref: 002C583D
Part of subcall function 002C5819: GetDlgItem.USER32(?,000003F6), ref: 002C5855
Part of subcall function 002C5819: SetWindowTextW.USER32(00000000,00334684), ref: 002C585D

Part of subcall function 002BCE9A: LoadStringW.USER32(000000FF,?,00000514), ref: 002BCEC2

DeleteFileW.KERNEL32(?,00000000,?,00000002,?,?,-00000024,?,?,00000000,?), ref: 002C5735
RemoveDirectoryW.KERNEL32(00000000,?,00000000,0000005C,?,00000000,?), ref: 002C5750

Part of subcall function 002B187C: LeaveCriticalSection.KERNEL32(?,00000000,0033E304,003746CC,00000000,74DEE010,Failed to extract file:,?, Error:,00000000), ref: 002B18FB

Part of subcall function 002335DE: __EH_prolog3.LIBCMT ref: 002335E5

Strings

MD5 of downloaded file is invalid., xrefs: 002C570C

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$ItemWindow$CriticalDeleteDirectoryEnableFileLeaveLoadRemoveSectionStringText
String ID: MD5 of downloaded file is invalid.
API String ID: 2442286444-2340931374
Opcode ID: 667f1420b75444df7c7f8a44ce7ca90a1818f1656664613aaafa5a94f4fb2734
Instruction ID: 11cdaaf1df9c5b1b64ecc7683bb56d19d89d561398e72cb3bfa2739aaa431c09
Opcode Fuzzy Hash: 667f1420b75444df7c7f8a44ce7ca90a1818f1656664613aaafa5a94f4fb2734
Instruction Fuzzy Hash: 6F41A971A20209EBDB05EFA0C846FDCB775AF04310F448199F8156B2A2CF71AAA8DF50

Function 002BDDEE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 126fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0027D853: _wcsrchr.LIBCMT ref: 0027D85A

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,0000002E,?,00000000,?), ref: 002BDE82
DeleteFileW.KERNEL32(?,?,0000005C,?,?,?,?,?,?,?,?,0000002E,?,00000000,?), ref: 002BDF24

Strings

--verbose --log-file="%s" --remove-pack-file "%s" "%s", xrefs: 002BDE32

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: DeleteFile$_wcsrchr
String ID: --verbose --log-file="%s" --remove-pack-file "%s" "%s"
API String ID: 1262466089-3685554107
Opcode ID: 7a3ac7cf9a697bd23a1d3a11fa3279121ce54db47f58e12f9d5ff70a6093078c
Instruction ID: 2c51b9d3f97641588dd21fb7271938dec16c9fd3fa7a728cd3046837cc75d64a
Opcode Fuzzy Hash: 7a3ac7cf9a697bd23a1d3a11fa3279121ce54db47f58e12f9d5ff70a6093078c
Instruction Fuzzy Hash: 9E418172910208AFCF05EFE4C845AEEB779AF18310F404455F511AB162DB71EB69CFA1

Function 0024037D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00240384

Part of subcall function 00233A20: __EH_prolog3.LIBCMT ref: 00233A27

__CxxThrowException@8.LIBCMT ref: 002403C5

Part of subcall function 002FBE0C: RaiseException.KERNEL32(?,?,?,?), ref: 002FBE4E

Strings

deque<T> too long, xrefs: 0024039F

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$ExceptionException@8RaiseThrow
String ID: deque<T> too long
API String ID: 1412866469-309773918
Opcode ID: 266640e56f4c534967a071285ec89da3294126e1b6af380f824359664132c156
Instruction ID: b6aca65657bda23d00657e219f9bd5c4256b648eb00ca3ae945c57c0ba11171f
Opcode Fuzzy Hash: 266640e56f4c534967a071285ec89da3294126e1b6af380f824359664132c156
Instruction Fuzzy Hash: 32417671A206059BDB1CDEB8C8D19AEB7F5BF44310B200A3DE316D7681EB70E995CB50

Function 0029A150 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

Part of subcall function 0029A5A0: GetEnvironmentVariableW.KERNEL32(00000001,00000000,00000000,?,?,?,00000000,002B1EAB,?,?,?,?,?,0025005D,?,?), ref: 0029A5AF

__wcsicoll.LIBCMT ref: 0029A1F1

Strings

USERPROFILE, xrefs: 0029A194
L27, xrefs: 0029A17E

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: EnvironmentVariable__wcsicoll
String ID: L27$USERPROFILE
API String ID: 2193328707-2297048866
Opcode ID: 5ea9defc80861dd69146c586e7802582f41a4ddaea6d2f53aa81f9fd80d2f522
Instruction ID: da6fb5726199e4c5e20a40d2fc838355c57d8947fac12ab814a79362c0429d9b
Opcode Fuzzy Hash: 5ea9defc80861dd69146c586e7802582f41a4ddaea6d2f53aa81f9fd80d2f522
Instruction Fuzzy Hash: 0E4158706147428FD704CF2CC841A5AB7E5FF89334F158B69E8689B2E1E735E909CB92

Function 00271838 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0027183F

Part of subcall function 00242F88: __EH_prolog3.LIBCMT ref: 00242F8F

_memset.LIBCMT ref: 0027186C

Part of subcall function 00277522: EnterCriticalSection.KERNEL32(003732A4,D7557A70,?,00000000), ref: 00277562
Part of subcall function 00277522: RegisterWindowMessageW.USER32 ref: 00277578
Part of subcall function 00277522: RegisterWindowMessageW.USER32(WM_ATLGETCONTROL), ref: 00277584
Part of subcall function 00277522: GetClassInfoExW.USER32(AtlAxWin90,00000001), ref: 002775A3
Part of subcall function 00277522: LoadCursorW.USER32 ref: 002775DC
Part of subcall function 00277522: RegisterClassExW.USER32 ref: 002775FF
Part of subcall function 00277522: _memset.LIBCMT ref: 0027762C
Part of subcall function 00277522: GetClassInfoExW.USER32(AtlAxWinLic90,?), ref: 00277649
Part of subcall function 00277522: LoadCursorW.USER32 ref: 0027768A

Part of subcall function 002F58C8: _malloc.LIBCMT ref: 002F58E2

Part of subcall function 00279DD6: __EH_prolog3.LIBCMT ref: 00279DDD

Strings

Caphyon.AI.ExtUI.IEClickSoundRemover, xrefs: 002719A3

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ClassH_prolog3Register$CursorInfoLoadMessageWindow_memset$CriticalEnterSection_malloc
String ID: Caphyon.AI.ExtUI.IEClickSoundRemover
API String ID: 2977409614-1457952470
Opcode ID: eba2ed622eb64b275f72d9378b8c0c5437c81863a9fc4c5c8ee7a483ce1fcb8c
Instruction ID: c14696ad8109c5e1aed81a9d170eb94d378d42f65a02c23232630ca1c8e3214b
Opcode Fuzzy Hash: eba2ed622eb64b275f72d9378b8c0c5437c81863a9fc4c5c8ee7a483ce1fcb8c
Instruction Fuzzy Hash: 61518CB0911799EECB06DF68C4846DDFFF4BF0A300F14819AE1589B342D7B49618CB92

Function 002E420B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002E4212

Part of subcall function 00233A20: __EH_prolog3.LIBCMT ref: 00233A27

__CxxThrowException@8.LIBCMT ref: 002E4253

Part of subcall function 002FBE0C: RaiseException.KERNEL32(?,?,?,?), ref: 002FBE4E

Strings

deque<T> too long, xrefs: 002E422D

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$ExceptionException@8RaiseThrow
String ID: deque<T> too long
API String ID: 1412866469-309773918
Opcode ID: abeec11e4baee5d96ecdd30701692c7b1ad059b2c8f525b5ad30ee66aa57860f
Instruction ID: 737e333bc638c584a31a9c249e1b381082d292c94451e5d842d6bdb565c61b2f
Opcode Fuzzy Hash: abeec11e4baee5d96ecdd30701692c7b1ad059b2c8f525b5ad30ee66aa57860f
Instruction Fuzzy Hash: DB41C570B6034A8BCB28EEB5C4D19AEB3B5BF44300B60093DE616D7640DB70E965CF50

Function 002BCF0F Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002BCF22
GetLastError.KERNEL32 ref: 002BCF6C

Strings

L27, xrefs: 002BCF47

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ErrorLast_memset
String ID: L27
API String ID: 533350023-3540802760
Opcode ID: ef6e22783c8941a24ca24b059d81ac6a537562e9a1606e832eae2c3bd75f3a5e
Instruction ID: 17d3e78a620477c5d4256ac6bc4995ad9d2006b93584506bcd63e7fdcc9b86dd
Opcode Fuzzy Hash: ef6e22783c8941a24ca24b059d81ac6a537562e9a1606e832eae2c3bd75f3a5e
Instruction Fuzzy Hash: 8C413875A10119DBCF11AF98C8416DDBBB2AF48350F148026FD05B7361DB34AE66CF90

Function 002CD047 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002CD04E

Part of subcall function 00233A20: __EH_prolog3.LIBCMT ref: 00233A27

__CxxThrowException@8.LIBCMT ref: 002CD084

Part of subcall function 002FBE0C: RaiseException.KERNEL32(?,?,?,?), ref: 002FBE4E

Strings

map/set<T> too long, xrefs: 002CD05E

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$ExceptionException@8RaiseThrow
String ID: map/set<T> too long
API String ID: 1412866469-1285458680
Opcode ID: 2bbb086b2be6f32d6adadb0d6e61249ba4270d492f6798e45c0ab475afac08cd
Instruction ID: a725f18b97791eb72a96be93564b664ead484abd50e19ae54f30b9a5c57e0262
Opcode Fuzzy Hash: 2bbb086b2be6f32d6adadb0d6e61249ba4270d492f6798e45c0ab475afac08cd
Instruction Fuzzy Hash: 574146746106419FC321DF18C184FA9BBF1BF59304F5982ADE5494B262C7B6FC96CB90

Function 0023948A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00239491

Part of subcall function 00233A20: __EH_prolog3.LIBCMT ref: 00233A27

__CxxThrowException@8.LIBCMT ref: 002394C7

Part of subcall function 002FBE0C: RaiseException.KERNEL32(?,?,?,?), ref: 002FBE4E

Strings

map/set<T> too long, xrefs: 002394A1

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$ExceptionException@8RaiseThrow
String ID: map/set<T> too long
API String ID: 1412866469-1285458680
Opcode ID: 9800019f82a9246691b0f885e147b85faacd12f42ded5e89e306603a4f624a05
Instruction ID: 1e363968d69566d2a244fabde23e316fc8e746dfc5f86582e0584b8f46b71da4
Opcode Fuzzy Hash: 9800019f82a9246691b0f885e147b85faacd12f42ded5e89e306603a4f624a05
Instruction Fuzzy Hash: 954138B42106419FC722DF18C184EA9BBF1BF5A304F998598E5494B362C7B6FC95CF90

Function 00292260 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 002922A5
_wcslen.LIBCMT ref: 00292339

Strings

*** Stack Trace (x86) ***, xrefs: 00292324, 00292342

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: _strlen_wcslen
String ID: *** Stack Trace (x86) ***
API String ID: 2847511282-1035257212
Opcode ID: f5d211bcdc772c05b743da019d149de55e1d03089abf5cdeb233799d68aa4461
Instruction ID: e3fb9c4108cf99a64d9fd1df716cb97108afec108f9fb8782bf70b122ed30be1
Opcode Fuzzy Hash: f5d211bcdc772c05b743da019d149de55e1d03089abf5cdeb233799d68aa4461
Instruction Fuzzy Hash: 83415CB1518380EFD300EF65C885A6BFBE8BF99754F044A2DF58982291D7B9D8188B52

Function 0028DD10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0028DD9F
_wcslen.LIBCMT ref: 0028DE54

Strings

\\?\, xrefs: 0028DD89, 0028DDA8, 0028DE4F, 0028DE5D

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: _wcslen
String ID: \\?\
API String ID: 176396367-4282027825
Opcode ID: 0e45db0770eb056e96c52f419f9ffc7611ac2d423bdc5a08f985d7571d44fbda
Instruction ID: a7d7ecfdcdf16a581224950e9293d87967b74205c4c256c88df89ba70c5bafce
Opcode Fuzzy Hash: 0e45db0770eb056e96c52f419f9ffc7611ac2d423bdc5a08f985d7571d44fbda
Instruction Fuzzy Hash: 3E41BBB1529341AFD700EF25C881B2AB7E4BF94718F444A2DF895872C1D7B4E929CF82

Function 00248A33 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00248A3A

Part of subcall function 0024AC38: __EH_prolog3.LIBCMT ref: 0024AC3F

Part of subcall function 002492F4: __EH_prolog3.LIBCMT ref: 002492FB

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Strings

AI_COLLAPSIBLE_GROUP_ADJUST_HOST, xrefs: 00248B1E
AI_COLLAPSIBLE_GROUP_ANIMATE, xrefs: 00248AB6

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$char_traits
String ID: AI_COLLAPSIBLE_GROUP_ADJUST_HOST$AI_COLLAPSIBLE_GROUP_ANIMATE
API String ID: 3598086826-2952334163
Opcode ID: 08881b844b6d9501d49552b7b63e37daf7d5872856ac0fd155f288144f731268
Instruction ID: 6cd9d31463541dd397e848ebf058da2cbedbde79b780c2235bd627f0305b3f2e
Opcode Fuzzy Hash: 08881b844b6d9501d49552b7b63e37daf7d5872856ac0fd155f288144f731268
Instruction Fuzzy Hash: E4415BB5800748EEDB11DFB8C585ADEFBF4AF15704F14C99DE096AB292C7746A08CB21

Function 002D9947 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002D9960

Part of subcall function 002D9B59: __EH_prolog3_GS.LIBCMT ref: 002D9B60

Part of subcall function 002C8D0D: __EH_prolog3.LIBCMT ref: 002C8D14

Part of subcall function 00234BA5: __EH_prolog3.LIBCMT ref: 00234BAC

Strings

ProductID, xrefs: 002D99CC
ProductCode, xrefs: 002D99B9

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$H_prolog3_
String ID: ProductCode$ProductID
API String ID: 4240126716-35337189
Opcode ID: 8d6783ad47564eb017109f3ebb486d04cd0fd3bf87084f6512db32bfe18203b8
Instruction ID: 1ee94b6bc6a56d62960401d3f0534d2791ea0d9f63cae26f72cf4ce7640002b2
Opcode Fuzzy Hash: 8d6783ad47564eb017109f3ebb486d04cd0fd3bf87084f6512db32bfe18203b8
Instruction Fuzzy Hash: 3831B0B1910348EFDB01EFA0C886BDEB7B8AF05304F50859AF5529B2D1DB74AB19CB50

Function 0024163C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00241646
_wcslen.LIBCMT ref: 00241677

Part of subcall function 0024FBA0: __EH_prolog3.LIBCMT ref: 0024FBA7

Part of subcall function 00241769: __EH_prolog3_GS.LIBCMT ref: 00241770

Part of subcall function 0028DD10: _wcslen.LIBCMT ref: 0028DD9F
Part of subcall function 0028DD10: _wcslen.LIBCMT ref: 0028DE54

Strings

AI_CF_, xrefs: 00241664

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: _wcslen$H_prolog3_$H_prolog3
String ID: AI_CF_
API String ID: 2779543113-2623589081
Opcode ID: cf174f880882f7fb65f9fb2895044b9463d68bd3c133bd7869aeea01e1e32f7f
Instruction ID: af020375912f8cadec57abf42e372014b206c92dcfa762baa71d7bd01a3c4218
Opcode Fuzzy Hash: cf174f880882f7fb65f9fb2895044b9463d68bd3c133bd7869aeea01e1e32f7f
Instruction Fuzzy Hash: 4131B271910348DFCF15EBA4C945BDDFBB4AF55300F248099E105AB292CB70AB99CB51

Function 002B8398 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88registryCOMMON

Download Yara Rule

APIs

RegEnumValueA.ADVAPI32(?,?,?,?,00000000,?,00000000,?), ref: 002B83EF

Part of subcall function 0027BD59: __EH_prolog3_catch.LIBCMT ref: 0027BD60

RegEnumValueA.ADVAPI32(?,?,?,?,00000000,?,?,?,?,?), ref: 002B841B

Part of subcall function 0027E5ED: __EH_prolog3.LIBCMT ref: 0027E5F4

Strings

L27, xrefs: 002B8422

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: EnumValue$H_prolog3H_prolog3_catch
String ID: L27
API String ID: 3109124844-3540802760
Opcode ID: be5c45bde68e8aec8688dfd3b7a03dc69b9c8b615e3a4ec4242e832640fc8cca
Instruction ID: c4dffd93f36cd01782712e95c4b275317087a9baddbdd760afd2730b46809512
Opcode Fuzzy Hash: be5c45bde68e8aec8688dfd3b7a03dc69b9c8b615e3a4ec4242e832640fc8cca
Instruction Fuzzy Hash: 5F310A7291060DAFDB21DBA4DC85DEEB7BCEF08304F10412AE519E7152EB31AA14CF60

Function 002D1891 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002D1898

Strings

%d , xrefs: 002D1957
%0.2f , xrefs: 002D193E

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3_
String ID: %0.2f $%d
API String ID: 2427045233-2206881125
Opcode ID: f7543404d99ff093ee9b1c6852028626c130a7652227f1de5db89dee6aebdaec
Instruction ID: 006adf00249d8d71fb3bdfa9bc111e7633d5239538e8ed9317b5792087ba5942
Opcode Fuzzy Hash: f7543404d99ff093ee9b1c6852028626c130a7652227f1de5db89dee6aebdaec
Instruction Fuzzy Hash: 162133B1E2020972DB067F84ED1A7DD6B7CBB42780F21464BF180A2691EB766DB14F80

Function 00264874 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0026487E

Part of subcall function 002587E5: SendMessageW.USER32(?,0000113E,00000000,?), ref: 00258813

Part of subcall function 002587A6: SendMessageW.USER32(?,00001127,?,0000F000), ref: 002587B8

SendMessageW.USER32(?,0000110B,00000009,?), ref: 00264967

Strings

AiRefreshCost, xrefs: 002648E9

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: MessageSend$H_prolog3
String ID: AiRefreshCost
API String ID: 1885053084-1756256600
Opcode ID: 8caaf1841f35dcb751e3e487087747cbe82c97dac2e968dfe8bc53775fdd2baf
Instruction ID: c0c212935a93463e28782f386c3e3038a32d39fd76b6718bd324f23e61a824bd
Opcode Fuzzy Hash: 8caaf1841f35dcb751e3e487087747cbe82c97dac2e968dfe8bc53775fdd2baf
Instruction Fuzzy Hash: B031C371910209AEDF05EFB0CC46EEDBB34EF04300F108559F551A7191DBB15AA5DF90

Function 0028CC20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

Part of subcall function 0028DD10: _wcslen.LIBCMT ref: 0028DD9F
Part of subcall function 0028DD10: _wcslen.LIBCMT ref: 0028DE54

std::_String_base::_Xlen.LIBCPMT ref: 0028CC73

Part of subcall function 002F34E0: __EH_prolog3.LIBCMT ref: 002F34E7
Part of subcall function 002F34E0: __CxxThrowException@8.LIBCMT ref: 002F3512

std::_String_base::_Xlen.LIBCPMT ref: 0028CC84

Strings

SourceDir, xrefs: 0028CC33

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: String_base::_Xlen_wcslenstd::_$Exception@8H_prolog3Throw
String ID: SourceDir
API String ID: 3984208072-4083836674
Opcode ID: 26c520758f4c29007a719dce41defb6f464d018e9130300f86d10a7f22e7bc62
Instruction ID: e3f18aaf870d47edf938986899ea9936ab204de78ebd6d5b4210041891656222
Opcode Fuzzy Hash: 26c520758f4c29007a719dce41defb6f464d018e9130300f86d10a7f22e7bc62
Instruction Fuzzy Hash: 902191756257008FC324EF29D98061BB3E5FF99710F200A2FE05AC7690D730A955CBA6

Function 0028CD10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000400,D7557A70,INI,00000000), ref: 0028CD60
_wcslen.LIBCMT ref: 0028CD7E

Strings

INI, xrefs: 0028CD33

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: FileModuleName_wcslen
String ID: INI
API String ID: 2124597325-3790664930
Opcode ID: a51f8f4a6e12d76df6fccb7487adfb4488502366ca9f7f69432513f99659d7de
Instruction ID: 1256ea758e7968e99bee5d19cb63eb4bcc163e3866484c0fdfca4f89e82b4ed1
Opcode Fuzzy Hash: a51f8f4a6e12d76df6fccb7487adfb4488502366ca9f7f69432513f99659d7de
Instruction Fuzzy Hash: F8311BB1518780DFD314EF24C885B5BF7E8FF98708F50492DF18986290EB75A558CB92

Function 002B05ED Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

GetSystemDefaultLangID.KERNEL32(?,-00000048,00000000,?,?,002A6F8C,?,?,?), ref: 002B0607

Part of subcall function 002335DE: __EH_prolog3.LIBCMT ref: 002335E5

Part of subcall function 00272790: __EH_prolog3.LIBCMT ref: 00272797

Strings

<D3, xrefs: 002B0666
SystemDefault LangID=, xrefs: 002B0630

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$DefaultLangSystem
String ID: <D3$SystemDefault LangID=
API String ID: 2694642377-1407358539
Opcode ID: c263fda7ccd1d5ab84cbb4b2b614b90f97c9235995593717f03fe8397c7a533e
Instruction ID: ab758c57b1e3f065c61ac4f14414a396c0d7bafc2a05f6746e60e1188618820e
Opcode Fuzzy Hash: c263fda7ccd1d5ab84cbb4b2b614b90f97c9235995593717f03fe8397c7a533e
Instruction Fuzzy Hash: F7219F75A20205EBCB05FBA4C896AEE77BD9F84340F608469E04193251EF74AF259F60

Function 002E90CF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002E90D6

Part of subcall function 002492F4: __EH_prolog3.LIBCMT ref: 002492FB

Part of subcall function 0023A293: __EH_prolog3.LIBCMT ref: 0023A29A

Part of subcall function 0023DEAD: __EH_prolog3.LIBCMT ref: 0023DEB4

Strings

`Action` = ', xrefs: 002E9112
CustomAction, xrefs: 002E90FB

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3
String ID: CustomAction$`Action` = '
API String ID: 431132790-312430549
Opcode ID: c29ce40c2e00d2cfee22813418cab2a1520e6d21fb56196158b3f747efff67c3
Instruction ID: 5981f5e088a0a841d544a91694e215dfa3712705e53b47cca42dffad689b671f
Opcode Fuzzy Hash: c29ce40c2e00d2cfee22813418cab2a1520e6d21fb56196158b3f747efff67c3
Instruction Fuzzy Hash: 2321A0B1D1024DAEDF01EBE4C98AEDDBBB8AF01304F148059F105AB191DB70AB19CF60

Function 0024527D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00245284

Part of subcall function 00246A4E: _memmove_s.LIBCMT ref: 00246B00

Part of subcall function 002D07CA: __EH_prolog3.LIBCMT ref: 002D07D1

Part of subcall function 0024523D: __EH_prolog3.LIBCMT ref: 00245244

Part of subcall function 00249420: __EH_prolog3.LIBCMT ref: 00249427

Part of subcall function 00250FDC: __EH_prolog3.LIBCMT ref: 00250FE3

Part of subcall function 00249344: __EH_prolog3.LIBCMT ref: 0024934B

Part of subcall function 0023BC14: __EH_prolog3.LIBCMT ref: 0023BC1B

Part of subcall function 00248B7B: __EH_prolog3.LIBCMT ref: 00248B82

Part of subcall function 002451FC: __EH_prolog3.LIBCMT ref: 00245203

Part of subcall function 002451C7: __EH_prolog3.LIBCMT ref: 002451CE

Part of subcall function 0024379D: __EH_prolog3.LIBCMT ref: 002437A4

Part of subcall function 002451A7: __EH_prolog3.LIBCMT ref: 002451AE

Strings

po3, xrefs: 0024529E
to3, xrefs: 002452A5

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$_memmove_s
String ID: po3$to3
API String ID: 1135529145-1329241623
Opcode ID: a2878467b34f6a1159e3383399e003ea6bf385348c51b389d3f6d60aa99b2fdb
Instruction ID: ed6330fa38be075103fb6cdb2bc172e3b787c605d3b55450990c3203b16345ba
Opcode Fuzzy Hash: a2878467b34f6a1159e3383399e003ea6bf385348c51b389d3f6d60aa99b2fdb
Instruction Fuzzy Hash: 493152B0411B48EEDB12EBB0C5897CEBBE8AF06308F108858F1D597152D7746719DF66

Function 002689C1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002689CB

Strings

False, xrefs: 00268A22, 00268A27
True, xrefs: 00268A1B

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3
String ID: False$True
API String ID: 431132790-1895882422
Opcode ID: 2669d18fa584916554bd181f41897bb19b1907b99a6aa6da0f5bd122e1aa3620
Instruction ID: 309a8dfc0a132bbe0d4d6dff28a692e27071b69271050a3d3db3404f4172bd14
Opcode Fuzzy Hash: 2669d18fa584916554bd181f41897bb19b1907b99a6aa6da0f5bd122e1aa3620
Instruction Fuzzy Hash: B6216DB0910208EFDB10DFA8C995EEDBB74FF14304F648299F5559B291CB70AE94CBA0

Function 002DC4E2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002DC4E9

Part of subcall function 002DE755: __EH_prolog3.LIBCMT ref: 002DE75F

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Strings

Advanced Installer, xrefs: 002DC4EE
ProductName, xrefs: 002DC504

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3H_prolog3_char_traits
String ID: Advanced Installer$ProductName
API String ID: 3685356560-1032157122
Opcode ID: 7828d64a204b63b6a93509df40e4177c3b7f6622d80976e975a4e6c496b11604
Instruction ID: 666cea1a3230bd6d6c7330829d2763f2db263951188cb458d353b40f32d76988
Opcode Fuzzy Hash: 7828d64a204b63b6a93509df40e4177c3b7f6622d80976e975a4e6c496b11604
Instruction Fuzzy Hash: A221C371D64209EECB04EBA8EC92AEDFB74AF14704F648159F011772D1CB705E64CB61

Function 002D8762 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002D8769

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Part of subcall function 00231665: char_traits.LIBCPMT ref: 002316DF

Strings

REBOOTPROMPT, xrefs: 002D876E
REBOOT, xrefs: 002D87C2

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: char_traits$H_prolog3
String ID: REBOOT$REBOOTPROMPT
API String ID: 3541278812-3166031168
Opcode ID: 7897f1ad476074e838eefed1cd20e4d33557e89ed5a6802202c843cad31ff006
Instruction ID: 1c24bbf318f24ae865d1e775fd7c3ddc6da09d71a420dec425d9504ed7f6d503
Opcode Fuzzy Hash: 7897f1ad476074e838eefed1cd20e4d33557e89ed5a6802202c843cad31ff006
Instruction Fuzzy Hash: E32160B1500208EEDB04EBA4C992EEDB778AF05724F648258F152771D1CBB02F55DB60

Function 002506BA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002506C1

Part of subcall function 0023A293: __EH_prolog3.LIBCMT ref: 0023A29A

Part of subcall function 0023DEAD: __EH_prolog3.LIBCMT ref: 0023DEB4

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Strings

ComboBox, xrefs: 0025070C
`Property` = ', xrefs: 002506DB

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$H_prolog3_char_traits
String ID: ComboBox$`Property` = '
API String ID: 3359205163-2900511900
Opcode ID: dda38547c2c65452dff797525130737588474ff7aef510c5ddcf4256b320af5b
Instruction ID: a17e85d412887b8f10ccc562aee9c02806446eece0f93250a926d1593e384024
Opcode Fuzzy Hash: dda38547c2c65452dff797525130737588474ff7aef510c5ddcf4256b320af5b
Instruction Fuzzy Hash: D911C471950208AFCB11EBA0CC8AEDEFBB8EF55710F588159F111B7281CB709A59CF61

Function 00249813 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(-00000001,tooltips_class32,00000000,00000000,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00249874
SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,002480F9,00000088,00247448,?,?,?,?,?), ref: 0024988A

Strings

tooltips_class32, xrefs: 0024986A

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Window$Create
String ID: tooltips_class32
API String ID: 870168347-1918224756
Opcode ID: ae7e4baed82c84b223879619d9f8407f5e7aba086f26b313820b0df6013ca5d7
Instruction ID: 3d91906ce9e562662afd2202e28b9ccd4cab081d9ed75572d9b100167f6e7dfe
Opcode Fuzzy Hash: ae7e4baed82c84b223879619d9f8407f5e7aba086f26b313820b0df6013ca5d7
Instruction Fuzzy Hash: 760149E36682593FFB159AB89CC6FBB768CCF063A8F184674F502D7191E1058D914370

Function 002521F3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002521FA

Part of subcall function 0023A293: __EH_prolog3.LIBCMT ref: 0023A29A

Part of subcall function 0023DEAD: __EH_prolog3.LIBCMT ref: 0023DEB4

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Strings

`Property` = ', xrefs: 0025220D
ListBox, xrefs: 0025223E

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$H_prolog3_char_traits
String ID: ListBox$`Property` = '
API String ID: 3359205163-2588865096
Opcode ID: 64654c82bbb1305e1de51a887424f063a96f2b3880f842d4fcc0d037984c4bb9
Instruction ID: 73f00ae42b0924a5d7f47015ad12419cf68385582c8740fdbeeef18d1bcd9504
Opcode Fuzzy Hash: 64654c82bbb1305e1de51a887424f063a96f2b3880f842d4fcc0d037984c4bb9
Instruction Fuzzy Hash: 6111E370950208EECB11EBA0C846EDEBBB8EF56710F588159F101B72C1CB709A59CF60

Function 002712CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00234F65: CreateWindowExW.USER32(00000000,5400001C,-00000004,?,?,?,?,?,00000000,002BA60C,00000000,-00000004), ref: 00234FA5

SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00271324
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 0027132F

Part of subcall function 00293620: _memset.LIBCMT ref: 0029367D

Part of subcall function 0027117C: __EH_prolog3.LIBCMT ref: 00271183
Part of subcall function 0027117C: LoadLibraryW.KERNEL32(UxTheme.dll,00000000,00271316,00000000,?,SysTreeView32,?,?,?,?,?), ref: 002711A1
Part of subcall function 0027117C: GetProcAddress.KERNEL32(SetWindowTheme,00000000), ref: 002711E4
Part of subcall function 0027117C: SendMessageW.USER32(?,0000112C,00000004,00000004), ref: 00271214

Strings

SysTreeView32, xrefs: 002712F0

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: MessageSend$AddressCreateH_prolog3LibraryLoadProcWindow_memset
String ID: SysTreeView32
API String ID: 3723601117-1698111956
Opcode ID: f0df28dd21b4a584c2b8fa95ab8b6982c9ac4e3c63c78d1a342f86b36d4de5a8
Instruction ID: 56b597300eccc4b4699e9dec8bd3308e52681c701620db0fd4f332919e111564
Opcode Fuzzy Hash: f0df28dd21b4a584c2b8fa95ab8b6982c9ac4e3c63c78d1a342f86b36d4de5a8
Instruction Fuzzy Hash: 9E01A7B1210208BFDB15AF59DCC1EAFBBBDEF89750F104059F5049B351CAB19D21DA60

Function 002505E4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002505EB

Part of subcall function 0023A293: __EH_prolog3.LIBCMT ref: 0023A29A

Part of subcall function 0023DEAD: __EH_prolog3.LIBCMT ref: 0023DEB4

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Strings

CheckBox, xrefs: 00250628
`Property` = ', xrefs: 002505F7

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$H_prolog3_char_traits
String ID: CheckBox$`Property` = '
API String ID: 3359205163-1623608590
Opcode ID: 85075a029abf5383833feae2d0b1fb96e5b1af25c95bebe8b269f17df4ece61d
Instruction ID: 8117d4f1c5032bc1fc2f3f11bab9056b86bd97b9cb16476aa29579fc6ad85a9a
Opcode Fuzzy Hash: 85075a029abf5383833feae2d0b1fb96e5b1af25c95bebe8b269f17df4ece61d
Instruction Fuzzy Hash: 0A11ACB1950208AECB11EBA4CC8AEDEBF78EF15350F588155F105B7281CBB05A69CBA1

Function 00311612 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000418,00000000,0000012C), ref: 00311686
SendMessageW.USER32(?,00000432,00000000,0000002C), ref: 00311696

Part of subcall function 00310D4F: CreateWindowExW.USER32(00000008,tooltips_class32,00000000,80000003,80000000,80000000,80000000,80000000,?,00000000,00000000,00000000), ref: 00310D6E
Part of subcall function 00310D4F: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013), ref: 00310D80

Strings

,, xrefs: 0031163B

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: MessageSendWindow$Create
String ID: ,
API String ID: 2522754981-3772416878
Opcode ID: 571477414009edfff21b23e9fe0e246ffbcb1c4ab7f0d0f8fd85d6faaf028f93
Instruction ID: 1d1ad7dcd4c599b5c52ca87a7f6647ae72e7317057e71dcc66213a72840b3f3e
Opcode Fuzzy Hash: 571477414009edfff21b23e9fe0e246ffbcb1c4ab7f0d0f8fd85d6faaf028f93
Instruction Fuzzy Hash: C111E6B1D00219ABDF05DF99D884ADEFBB5FF44300F10805AEA00AB261C3B5A945CF94

Function 0025214E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00252155

Part of subcall function 0023A293: __EH_prolog3.LIBCMT ref: 0023A29A

Part of subcall function 0023DEAD: __EH_prolog3.LIBCMT ref: 0023DEB4

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Strings

`Property` = ', xrefs: 00252163
ListBox, xrefs: 00252194

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$H_prolog3_char_traits
String ID: ListBox$`Property` = '
API String ID: 3359205163-2588865096
Opcode ID: 2b794493d52ae6d5b133673f76d4266f48e3260ae959fecf05a404281e1cf510
Instruction ID: 2e514c2abc8fb8efd741314aa6ca05f4b7c34ff63522c203be9ef43253d2e4b0
Opcode Fuzzy Hash: 2b794493d52ae6d5b133673f76d4266f48e3260ae959fecf05a404281e1cf510
Instruction Fuzzy Hash: 4711E370A50208EFDB01EBA0CC46FDDBBB8AF11711F588154F201BB1D1C7B05A59CB50

Function 00290390 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 002903CB
__CxxThrowException@8.LIBCMT ref: 00290438

Part of subcall function 002FBE0C: RaiseException.KERNEL32(?,?,?,?), ref: 002FBE4E

Strings

vector<T> too long, xrefs: 002903B6, 002903D4

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ExceptionException@8RaiseThrow_strlen
String ID: vector<T> too long
API String ID: 3319886796-3788999226
Opcode ID: 3349083cc1dced90bdc824e85789431fcc455536cc94a75814780a1c08d0cab8
Instruction ID: 735ecdf8459d87af2a329847d5d1212703844d504956e715cc361ab1c97273c6
Opcode Fuzzy Hash: 3349083cc1dced90bdc824e85789431fcc455536cc94a75814780a1c08d0cab8
Instruction Fuzzy Hash: 231157B50583C09AC306DFA4D891A9BFFE8AB89B98F140E2CF19057291D7B495488B63

Function 0026DB6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00234F65: CreateWindowExW.USER32(00000000,5400001C,-00000004,?,?,?,?,?,00000000,002BA60C,00000000,-00000004), ref: 00234FA5

SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0026DBAF
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 0026DBBA

Strings

BUTTON, xrefs: 0026DB91

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: MessageSend$CreateWindow
String ID: BUTTON
API String ID: 2286652126-3405671355
Opcode ID: 8b96f1cf724964ec6b134c410ccd815ed2a20f4383f92505fd79011c3ce8b118
Instruction ID: 205f0fd9c33862a055314e029e9278efb31c56ab9be952ae2fc1fa6ebcbe7e81
Opcode Fuzzy Hash: 8b96f1cf724964ec6b134c410ccd815ed2a20f4383f92505fd79011c3ce8b118
Instruction Fuzzy Hash: F6014FB1214208BFDB169F5ADC85EAFBFBDEFD9750F01405AF904A7250C6B19E10DA60

Function 0026E074 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00234F65: CreateWindowExW.USER32(00000000,5400001C,-00000004,?,?,?,?,?,00000000,002BA60C,00000000,-00000004), ref: 00234FA5

SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0026E0B6
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 0026E0C1

Strings

COMBOBOX, xrefs: 0026E098

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: MessageSend$CreateWindow
String ID: COMBOBOX
API String ID: 2286652126-1136563877
Opcode ID: 19301df203d3002c49f430a872ebe482f09592b6d4c17f2e4fd91f317eb1ae93
Instruction ID: 80b5c8972128d026d81f279d98ac4c81ddee2e2dba7359b5d74279824d3ee6dc
Opcode Fuzzy Hash: 19301df203d3002c49f430a872ebe482f09592b6d4c17f2e4fd91f317eb1ae93
Instruction Fuzzy Hash: 0B018CB1214208BFDB169F5ADC81EAFBBBDEF89350F00401AF804A7250C6B19E10DA60

Function 0026E13C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00234F65: CreateWindowExW.USER32(00000000,5400001C,-00000004,?,?,?,?,?,00000000,002BA60C,00000000,-00000004), ref: 00234FA5

SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0026E17E
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 0026E189

Strings

EDIT, xrefs: 0026E160

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: MessageSend$CreateWindow
String ID: EDIT
API String ID: 2286652126-3080729518
Opcode ID: f0d880a28cb6f127f8c5ce755d2408c2f4287d4f2c122ae5196c7f47a1b2fe61
Instruction ID: 7fc4a143efdce3f34a3ff81e86f42466adebc5f5704234a82d49f57270347f07
Opcode Fuzzy Hash: f0d880a28cb6f127f8c5ce755d2408c2f4287d4f2c122ae5196c7f47a1b2fe61
Instruction Fuzzy Hash: BE018CB1204208BFEB169F4ADC81EAFBBBDEF89350F00401AF904A7250C6B19D10DA60

Function 002DDF03 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002DDF0D
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 002DDF2F

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Part of subcall function 0024FE5B: __EH_prolog3.LIBCMT ref: 0024FE62

Strings

msiexec.exe, xrefs: 002DDF79

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: DirectoryH_prolog3H_prolog3_Systemchar_traits
String ID: msiexec.exe
API String ID: 3046447001-143751103
Opcode ID: 220b0d0163cb549ec98cca8174e0aaabceb56f1fa3d30dd5f50c09f334e87428
Instruction ID: 9890b64942905197a2adaf18faf6d369c9b1b4f07353d6b7068572b85f5fd11f
Opcode Fuzzy Hash: 220b0d0163cb549ec98cca8174e0aaabceb56f1fa3d30dd5f50c09f334e87428
Instruction Fuzzy Hash: F8115EB496112CAACB24EFA4DDC9BEDB678EF14700F1040E9E20AA7191CB701F94CF40

Function 0026050D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00260514

Part of subcall function 00250F21: _wcslen.LIBCMT ref: 00250F25

Part of subcall function 0023A293: __EH_prolog3.LIBCMT ref: 0023A29A

Part of subcall function 0023DEAD: __EH_prolog3.LIBCMT ref: 0023DEB4

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

Strings

<a>, xrefs: 0026051C, 00260521, 00260535
</a>, xrefs: 0026053F

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$_wcslenchar_traits
String ID: </a>$<a>
API String ID: 1744582454-3970591206
Opcode ID: 3f0fde1110a9662bb8a45fc0b35c27a3cc83a341b18e6ec12d57bdc8ed7e5a76
Instruction ID: 8fb9662bfcbf7750db340fa1c8c6de72b87fd8f94200360582b0ef0f7724053c
Opcode Fuzzy Hash: 3f0fde1110a9662bb8a45fc0b35c27a3cc83a341b18e6ec12d57bdc8ed7e5a76
Instruction Fuzzy Hash: 29016DB085020DBADB01EBE4CD82DDEBA2CAF013A4FA44264F5256A1D1CA715F64DBA1

Function 002760E9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 002760F0

Strings

+7, xrefs: 00276141

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3_catch
String ID: +7
API String ID: 3886170330-721210618
Opcode ID: df56b9f8928daeef7f8a895ae6e26af5324e2a06dcaf535c810b4c7991971c76
Instruction ID: 97ee6ac9c0b768ce0ff00a85d9822252d3afde45f41b6199e84d1a35189c293b
Opcode Fuzzy Hash: df56b9f8928daeef7f8a895ae6e26af5324e2a06dcaf535c810b4c7991971c76
Instruction Fuzzy Hash: ED01AD74810B0ADFCB10CF54C44D7ADFBB0AB00364F60C269D16DA7282C3B49A608B80

Function 002D88BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002D88C6

Part of subcall function 0023A6F5: __EH_prolog3.LIBCMT ref: 0023A6FC

__CxxThrowException@8.LIBCMT ref: 002D88FC

Part of subcall function 002FBE0C: RaiseException.KERNEL32(?,?,?,?), ref: 002FBE4E

Strings

invalid deque <T> subscript, xrefs: 002D88D6

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$ExceptionException@8RaiseThrow
String ID: invalid deque <T> subscript
API String ID: 1412866469-408164647
Opcode ID: 54b2dda34d2d93774f0616d56e0d09d8cf4d845fc4eee2f0f3e87868fe74d6e6
Instruction ID: 326f3683d1728ffc7a68340886be44780e56f29bd4d3de1d7d1cb17cc78586f3
Opcode Fuzzy Hash: 54b2dda34d2d93774f0616d56e0d09d8cf4d845fc4eee2f0f3e87868fe74d6e6
Instruction Fuzzy Hash: E00128B592061E9BCB04EFA4C9829EDF7B4BF44740F540026E611B7341DB74AEA5CF91

Function 002AD90D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000010,?,00000000,002B2668), ref: 002AD918
SetForegroundWindow.USER32(00000000), ref: 002AD955

Strings

h&+, xrefs: 002AD92B, 002AD940

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ForegroundWindow
String ID: h&+
API String ID: 2020703349-3605477870
Opcode ID: f82f86db659d9e4183d025d35daa4b6d5b72ed564fe16e5a82ca62c0d522ee92
Instruction ID: 859a1e7a83c489905e0953f90f5408eae6cb7aa729cedddf32bc833ae3100c24
Opcode Fuzzy Hash: f82f86db659d9e4183d025d35daa4b6d5b72ed564fe16e5a82ca62c0d522ee92
Instruction Fuzzy Hash: 7FF0BE76BA12125B8701DF7CDC55D9A77ECEB8B3A5B040569F802C7320D622CC158AA1

Function 002FCAAC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 002FC240: __getptd.LIBCMT ref: 002FC246
Part of subcall function 002FC240: __getptd.LIBCMT ref: 002FC256

__getptd.LIBCMT ref: 002FCABB

Part of subcall function 002F9439: __getptd_noexit.LIBCMT ref: 002F943C
Part of subcall function 002F9439: __amsg_exit.LIBCMT ref: 002F9449

__getptd.LIBCMT ref: 002FCAC9

Strings

csm, xrefs: 002FCAD7

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: b681416de770369c349330041d2f705509cbfeb558787ee71267c3e538c29e0a
Instruction ID: 47562abc923852f74c8a35d49f0bc96dbe342d0cec0c200906c3d40f3df80551
Opcode Fuzzy Hash: b681416de770369c349330041d2f705509cbfeb558787ee71267c3e538c29e0a
Instruction Fuzzy Hash: 1C01283982020E8ACF2A9FA5D642ABCF7B5AF14395F74443AE64096661CB309DA1DF41

Function 002D51BE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002D51C5

Part of subcall function 002D2173: __EH_prolog3.LIBCMT ref: 002D217A

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

CreateEventW.KERNEL32(00000000,00000001,00000001,?,00000001,00000000,_mdl_evt,0000003C,002D4B47,?,?,?,00000000,00281C41,?,0033E2B0), ref: 002D520B

Strings

_mdl_evt, xrefs: 002D51CC

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CreateEventH_prolog3H_prolog3_char_traits
String ID: _mdl_evt
API String ID: 2960566760-1067301196
Opcode ID: e62fe289da317b5f2b2ae9fdba7b397aff894abb517b294d7187d2092c3bd65a
Instruction ID: 6216a79b3d5010c1d60c51c65a2bebb6ddcd2275d5b0e7275afee1f428613a24
Opcode Fuzzy Hash: e62fe289da317b5f2b2ae9fdba7b397aff894abb517b294d7187d2092c3bd65a
Instruction Fuzzy Hash: 43016D7185020DDEEF04EBA4CC86BEDB778AF00395F644125E21277191DBB06E2A8B60

Function 002D5230 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002D5237

Part of subcall function 002D2173: __EH_prolog3.LIBCMT ref: 002D217A

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

CreateEventW.KERNEL32(00000000,00000001,00000001,?,00000001,00000000,_sho_evt,0000003C,002D4B4E,?,?,?,00000000,00281C41,?,0033E2B0), ref: 002D527D

Strings

_sho_evt, xrefs: 002D523E

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CreateEventH_prolog3H_prolog3_char_traits
String ID: _sho_evt
API String ID: 2960566760-941548660
Opcode ID: 267502d6d030649167aa5f9f387b04b7f31c0b3b37ae42b7bd3bb1a0a7aadee2
Instruction ID: 5d6894a29a1e47a33230987081b9a6247e3398c92801507c13aebb03af6ae819
Opcode Fuzzy Hash: 267502d6d030649167aa5f9f387b04b7f31c0b3b37ae42b7bd3bb1a0a7aadee2
Instruction Fuzzy Hash: D6016D7185020DDEEB00EBA4CC86BEDB738AF00395F648515E21277191DBB06E2A8B60

Function 002D52A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002D52A9

Part of subcall function 002D2173: __EH_prolog3.LIBCMT ref: 002D217A

Part of subcall function 00231774: char_traits.LIBCPMT ref: 00231799

CreateEventW.KERNEL32(00000000,00000001,00000001,?,00000001,00000000,_edlg_evt,0000003C,002D4B55,?,?,?,00000000,00281C41,?,0033E2B0), ref: 002D52EF

Strings

_edlg_evt, xrefs: 002D52B0

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: CreateEventH_prolog3H_prolog3_char_traits
String ID: _edlg_evt
API String ID: 2960566760-189482294
Opcode ID: 4b615307e4e62ae6356660990663e73ffb2f530852d6cb10a2947e3be34a80f9
Instruction ID: ac1da8203cec33f5e370a147b532aa5b263311edd67b4711a5aabb91193b96d8
Opcode Fuzzy Hash: 4b615307e4e62ae6356660990663e73ffb2f530852d6cb10a2947e3be34a80f9
Instruction Fuzzy Hash: B6016D7185020DDEEB00EBA4CC8ABEDB778AF10394F248115E21277291DB706E1A8B60

Function 0026C644 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0026C64B

Part of subcall function 00235A6E: __EH_prolog3.LIBCMT ref: 00235A75

SendMessageW.USER32(?,00001091,000000FF,00000060), ref: 0026C6A7

Part of subcall function 002335DE: __EH_prolog3.LIBCMT ref: 002335E5

Strings

`, xrefs: 0026C663

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$MessageSend
String ID: `
API String ID: 1994810456-2679148245
Opcode ID: 4ed60fc8b91b553bd9e6904dc1e2fde44a9b9e0eb1a28ebe9d4e02bd830b2aae
Instruction ID: 54db803476b7f30608b970bce54668b25a3b7f4f4c8193674e7f85106a65ae32
Opcode Fuzzy Hash: 4ed60fc8b91b553bd9e6904dc1e2fde44a9b9e0eb1a28ebe9d4e02bd830b2aae
Instruction Fuzzy Hash: 8001047591025D9FDF00DFA4C849BDDB7B4BF04320F208229F524AB291CB758A69CF60

Function 00275B4E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00275B55

Part of subcall function 00275AFB: StringFromGUID2.OLE32(?,?,00000040), ref: 00275B1B
Part of subcall function 00275AFB: SysAllocString.OLEAUT32(?), ref: 00275B28

SysFreeString.OLEAUT32(?), ref: 00275B9F

Strings

`<u, xrefs: 00275B9F

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: String$AllocFreeFromH_prolog3
String ID: `<u
API String ID: 2646918158-3367579956
Opcode ID: c24d07ec63ffbefb74f2d8cde8a42cac1c5daf7718044114e1f7b37938a009e2
Instruction ID: 4ba092b05c5b5f28939c0c3eca0d102eb8dc562810eb00542fa45e9e1b62d429
Opcode Fuzzy Hash: c24d07ec63ffbefb74f2d8cde8a42cac1c5daf7718044114e1f7b37938a009e2
Instruction Fuzzy Hash: 0101EF3A50010AAFCB02DF84C949AA9BBB1FF48310F148154FA596B2A1C7729A21EB40

Function 00310D4F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,80000003,80000000,80000000,80000000,80000000,?,00000000,00000000,00000000), ref: 00310D6E
SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013), ref: 00310D80

Strings

tooltips_class32, xrefs: 00310D67

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: Window$Create
String ID: tooltips_class32
API String ID: 870168347-1918224756
Opcode ID: 7464d48b996637e58256e66261bd057fca9554caf1967286cdff1485dc46d992
Instruction ID: 25d8368514c96144ae3030a2eea611489d9f48e0708a73b8588d404d42b0d7aa
Opcode Fuzzy Hash: 7464d48b996637e58256e66261bd057fca9554caf1967286cdff1485dc46d992
Instruction Fuzzy Hash: 2FE067B51446C1BEE7710A6BAC4DF772DBCE7CBF21F10060CBA65E11E5C6605900D630

Function 002D405F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002D4066

Part of subcall function 00233A20: __EH_prolog3.LIBCMT ref: 00233A27

__CxxThrowException@8.LIBCMT ref: 002D40A0

Part of subcall function 002FBE0C: RaiseException.KERNEL32(?,?,?,?), ref: 002FBE4E

Strings

list<T> too long, xrefs: 002D407A

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$ExceptionException@8RaiseThrow
String ID: list<T> too long
API String ID: 1412866469-4027344264
Opcode ID: 15b5810bf2a7a5c39aee3f480d42f288c80d0e45a4b771ffc4164b2a4f167800
Instruction ID: 03856cb139f6f79b7553cebef88ca68bf679c7de70f1b8d875b2576576083cce
Opcode Fuzzy Hash: 15b5810bf2a7a5c39aee3f480d42f288c80d0e45a4b771ffc4164b2a4f167800
Instruction Fuzzy Hash: 24E09276A6010C9FCF09EBE4C946AEDB3B8FF28750F601465E201AB145DB74DA5ACB50

Function 00254327 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0025432E

Part of subcall function 00233A20: __EH_prolog3.LIBCMT ref: 00233A27

__CxxThrowException@8.LIBCMT ref: 00254368

Part of subcall function 002FBE0C: RaiseException.KERNEL32(?,?,?,?), ref: 002FBE4E

Strings

list<T> too long, xrefs: 00254342

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$ExceptionException@8RaiseThrow
String ID: list<T> too long
API String ID: 1412866469-4027344264
Opcode ID: 9c5ea71295c7a4ae04f0bd175b09ff0386d1c45c6237b3fcd5f5be17625bbc48
Instruction ID: b191e8cf4dfca531d9ba8088c19ae3e4c9eb93ecd57b9916a1c4398302e751a6
Opcode Fuzzy Hash: 9c5ea71295c7a4ae04f0bd175b09ff0386d1c45c6237b3fcd5f5be17625bbc48
Instruction Fuzzy Hash: 9CE09272A6010C9ECF05EBE4C946ADDB3F8FF18354F7054A4E202AB145DB74DA5ACB50

Function 0025C4FD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0025C504

Part of subcall function 00233A20: __EH_prolog3.LIBCMT ref: 00233A27

__CxxThrowException@8.LIBCMT ref: 0025C53E

Part of subcall function 002FBE0C: RaiseException.KERNEL32(?,?,?,?), ref: 002FBE4E

Strings

list<T> too long, xrefs: 0025C518

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$ExceptionException@8RaiseThrow
String ID: list<T> too long
API String ID: 1412866469-4027344264
Opcode ID: a9cbf1b726a8aec8833bd79bb0431af664f4ecd144cfe09afdf2f05dc6454b1c
Instruction ID: 533cca92aff0259ea39e2fcf1a62a2ebcc9a1f255a475e847b0c025c0a1aa2b8
Opcode Fuzzy Hash: a9cbf1b726a8aec8833bd79bb0431af664f4ecd144cfe09afdf2f05dc6454b1c
Instruction Fuzzy Hash: 1BE06571A6010C5FCF05EAE4C945ADD73A8FF18351F701464E201AA145EB74D659CB50

Function 002E868B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002E8692

Part of subcall function 00233A20: __EH_prolog3.LIBCMT ref: 00233A27

__CxxThrowException@8.LIBCMT ref: 002E86CC

Part of subcall function 002FBE0C: RaiseException.KERNEL32(?,?,?,?), ref: 002FBE4E

Strings

list<T> too long, xrefs: 002E86A6

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$ExceptionException@8RaiseThrow
String ID: list<T> too long
API String ID: 1412866469-4027344264
Opcode ID: 73b32a89f4a8a0215bb38ac407c3a53f2dca38dc1de85fe6cd98252af4dccc7b
Instruction ID: 0c2896264db2a64c0bb589fc9f66c7d15eb4af96b4eed1b167fe431113b53bbd
Opcode Fuzzy Hash: 73b32a89f4a8a0215bb38ac407c3a53f2dca38dc1de85fe6cd98252af4dccc7b
Instruction Fuzzy Hash: 64E09B7196010C5FCF05EBE4C945ADDB378FF18350F605464E201EB545DB74D659CB50

Function 0024C848 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0024C84F

Part of subcall function 00233A20: __EH_prolog3.LIBCMT ref: 00233A27

__CxxThrowException@8.LIBCMT ref: 0024C889

Part of subcall function 002FBE0C: RaiseException.KERNEL32(?,?,?,?), ref: 002FBE4E

Strings

list<T> too long, xrefs: 0024C863

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$ExceptionException@8RaiseThrow
String ID: list<T> too long
API String ID: 1412866469-4027344264
Opcode ID: 41a497a75b2e4c0275b313fabf2d60d8da8db3c1bbee9a383abe44d0ddc7aca0
Instruction ID: 435cf3872693e4c0ee8520bc4ddfe928471af92fdb3e379dbadc72cecb2aa367
Opcode Fuzzy Hash: 41a497a75b2e4c0275b313fabf2d60d8da8db3c1bbee9a383abe44d0ddc7aca0
Instruction Fuzzy Hash: 14E0ED72A2020C8BCB09EAF4C942ADDB3A8BF18320F701564E201AA085DB749A5ACB10

Function 002788E1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002788E8

Part of subcall function 00233A20: __EH_prolog3.LIBCMT ref: 00233A27

__CxxThrowException@8.LIBCMT ref: 00278922

Part of subcall function 002FBE0C: RaiseException.KERNEL32(?,?,?,?), ref: 002FBE4E

Strings

list<T> too long, xrefs: 002788FC

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$ExceptionException@8RaiseThrow
String ID: list<T> too long
API String ID: 1412866469-4027344264
Opcode ID: 3463c77418128a7547308b95bebc84736ad8f212c4a8150d5c44c06f8a205635
Instruction ID: 76c4def67f1217ec050b99f8491dbb7672dbc7bd7a8cf56f1152384ee1480241
Opcode Fuzzy Hash: 3463c77418128a7547308b95bebc84736ad8f212c4a8150d5c44c06f8a205635
Instruction Fuzzy Hash: 6EE09272A6010C9ECF05EFE4DA46AEDB3B8FF18350F605464E202EB145DB74DA5ACB52

Function 0024C8FA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0024C901

Part of subcall function 00233A20: __EH_prolog3.LIBCMT ref: 00233A27

__CxxThrowException@8.LIBCMT ref: 0024C93B

Part of subcall function 002FBE0C: RaiseException.KERNEL32(?,?,?,?), ref: 002FBE4E

Strings

list<T> too long, xrefs: 0024C915

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$ExceptionException@8RaiseThrow
String ID: list<T> too long
API String ID: 1412866469-4027344264
Opcode ID: d64ee7477c5016d799af01da3902bbef5f70de928b070ce73c5d7f9484d8611e
Instruction ID: 5175f3aa6f03f36d64dced7b49c560e2681e6b6d8d542c50ef04a574f13733db
Opcode Fuzzy Hash: d64ee7477c5016d799af01da3902bbef5f70de928b070ce73c5d7f9484d8611e
Instruction Fuzzy Hash: E2E065729601085ACB05EAE4C945ADD7368BF18360F701564E211AA185DB74D656CB54

Function 002D8E3B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002D8E42

Part of subcall function 00233A20: __EH_prolog3.LIBCMT ref: 00233A27

__CxxThrowException@8.LIBCMT ref: 002D8E7C

Part of subcall function 002FBE0C: RaiseException.KERNEL32(?,?,?,?), ref: 002FBE4E

Strings

list<T> too long, xrefs: 002D8E56

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$ExceptionException@8RaiseThrow
String ID: list<T> too long
API String ID: 1412866469-4027344264
Opcode ID: 08c8a228076258d4bf95a6b05fc19f75e602a4a06e25e4cc59c61b6be87bc9ee
Instruction ID: 069a0075117a7c406403dea0d119e692581d0e022cfced8b5d00dda81743b768
Opcode Fuzzy Hash: 08c8a228076258d4bf95a6b05fc19f75e602a4a06e25e4cc59c61b6be87bc9ee
Instruction Fuzzy Hash: 22E0EDB2A201089ACF04EAE0C982ADDB3B8FF18310F601064E201AA185CB749A5ACB10

Function 0026CFFF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0026D006

Part of subcall function 00233A20: __EH_prolog3.LIBCMT ref: 00233A27

__CxxThrowException@8.LIBCMT ref: 0026D040

Part of subcall function 002FBE0C: RaiseException.KERNEL32(?,?,?,?), ref: 002FBE4E

Strings

list<T> too long, xrefs: 0026D01A

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3$ExceptionException@8RaiseThrow
String ID: list<T> too long
API String ID: 1412866469-4027344264
Opcode ID: fdc5a60125902b46896cfd79f570117ed74987f557b7837fcd942d20f1ba20bd
Instruction ID: 0ddaee3a18667292584f9948b1b0c06db9649c81c990ffd0c1b12fada609ddab
Opcode Fuzzy Hash: fdc5a60125902b46896cfd79f570117ed74987f557b7837fcd942d20f1ba20bd
Instruction Fuzzy Hash: 52E09272A6020C9FCF05EBE4C94AAEDB3B8FF18350F701464E201AB185DB74DA5ACB50

Function 00259ED9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00259EF6
SendMessageW.USER32(00000000,0000004E,00000000,?), ref: 00259F05

Strings

, xrefs: 00259EDF

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: MessageParentSend
String ID:
API String ID: 928151917-3916222277
Opcode ID: 11bef58281b735e8b89c8c3921fbaa43ac6dd30a347a301e56f5430c0a06258b
Instruction ID: fd79275fdf5f8a66d093bbb9679768c4e6b8299b3d14767540fd52289603c568
Opcode Fuzzy Hash: 11bef58281b735e8b89c8c3921fbaa43ac6dd30a347a301e56f5430c0a06258b
Instruction Fuzzy Hash: 99E09A70820309EFDF24DF54C88AF697B78EB10301F108244E502AB1E1D7B0D898CBA9

Function 00250C97 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00250C9E

Part of subcall function 00250C68: __EH_prolog3.LIBCMT ref: 00250C6F

Strings

T, xrefs: 00250CBF
T, xrefs: 00250CC3

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3H_prolog3_catch
String ID: T$T
API String ID: 1882928916-152709941
Opcode ID: 8ad76175656435cc6b2ac60fa97499c6a0c751d75b291de40cbc09985c60b562
Instruction ID: 8199ce7115b8dd560bf2e904dfeaad8883c58d7745defa7c95d893ca1c2aec02
Opcode Fuzzy Hash: 8ad76175656435cc6b2ac60fa97499c6a0c751d75b291de40cbc09985c60b562
Instruction Fuzzy Hash: C8E0657192034EDBCF00DF94CA816AD77B0BB01362F608665F8219B280C730DA288F41

Function 00259AFE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00259B05

Part of subcall function 00259ACF: __EH_prolog3.LIBCMT ref: 00259AD6

Strings

p, xrefs: 00259B26
p, xrefs: 00259B2A

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3H_prolog3_catch
String ID: p$p
API String ID: 1882928916-173875672
Opcode ID: a7899208ab567b39f4cbe81edb6a8809f1a76f162d152ce5ae84b16c9f23ca93
Instruction ID: d4751546183678ea599937a169d99eb539f9879fbe74c39b0af97d05a5465937
Opcode Fuzzy Hash: a7899208ab567b39f4cbe81edb6a8809f1a76f162d152ce5ae84b16c9f23ca93
Instruction Fuzzy Hash: 6AE0E575A2034EEBDF00DFA4D941A9E77B1BF00365F608654F9209A280C7B4EFA49F58

Function 002CE248 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 002CE24F

Part of subcall function 002CE16D: __EH_prolog3.LIBCMT ref: 002CE174

Strings

, xrefs: 002CE26F
, xrefs: 002CE273

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3H_prolog3_catch
String ID: $
API String ID: 1882928916-227171996
Opcode ID: ff6c7dfa6fb1927928ed8c753861c1b7bf41a0aa3c635c0431cb46cb3f28f18d
Instruction ID: 2273829d74d1d4e8af0fd31d8412ee2a28b4cc6a2954d04279b0b1a75c9edb91
Opcode Fuzzy Hash: ff6c7dfa6fb1927928ed8c753861c1b7bf41a0aa3c635c0431cb46cb3f28f18d
Instruction Fuzzy Hash: 7CE0E57592034EEBDF10EF94C982AAE77B5BB00360F608658F8209A190C7B09E609B51

Function 00269815 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0026981C

Strings

xD7, xrefs: 0026983F
0D7, xrefs: 00269846

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: H_prolog3
String ID: 0D7$xD7
API String ID: 431132790-3957160015
Opcode ID: 5261658394897267ebfcb060ac0e020b25992f9fbc48ec79db7a696be7e20451
Instruction ID: 303715bf5ba941e3312b7c9d58afaf094ec7a7ff9e0ab23a8c1a68a995e34fbd
Opcode Fuzzy Hash: 5261658394897267ebfcb060ac0e020b25992f9fbc48ec79db7a696be7e20451
Instruction Fuzzy Hash: 3DE09AB8500708CBCB21EFA4C20478EBBE0BF08764F20860CE8995B280D770AA11CF50

Function 002E88A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 002E88A6

Part of subcall function 002FBE0C: RaiseException.KERNEL32(?,?,?,?), ref: 002FBE4E

__EH_prolog3.LIBCMT ref: 002E88B3

Strings

InstallLogGenerator, xrefs: 002E88BF

Memory Dump Source

Source File: 00000000.00000002.2421325477.0000000000231000.00000020.00000001.01000000.00000003.sdmp, Offset: 00230000, based on PE: true

Associated: 00000000.00000002.2421305163.0000000000230000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421433407.0000000000331000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421467745.0000000000370000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2421487633.000000000037A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_230000_074kFuPFv8.jbxd

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrow
String ID: InstallLogGenerator
API String ID: 1961742612-693141883
Opcode ID: aa662902846aea411aa38101f2ad2a47d48ae45a7b1e3bd551aa3cd345b04eeb
Instruction ID: 0cf4a0cd41efd436bfc2f4eac0146fce0f5be904238bbc618fef5c0c998e6ab2
Opcode Fuzzy Hash: aa662902846aea411aa38101f2ad2a47d48ae45a7b1e3bd551aa3cd345b04eeb
Instruction Fuzzy Hash: 20E012B566021C9BDB04EBD0C906BEDB260AF10785F104454FB145E5C1C7F56654CB90

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 074kFuPFv8.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\$Recycle.Bin\S-1-5-18\desktop.ini

C:\Config.Msi\5d5e3a.rbs

C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe

C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe.config

C:\Program Files (x86)\CPU Guardian\ComponentFactory.Krypton.Toolkit.dll

C:\Program Files (x86)\CPU Guardian\Helper.dll

C:\Program Files (x86)\CPU Guardian\Helper.dll.config

C:\Program Files (x86)\CPU Guardian\InstAct.exe

C:\Program Files (x86)\CPU Guardian\InstAct.exe.config

C:\Program Files (x86)\CPU Guardian\Interop.IWshRuntimeLibrary.dll

C:\Program Files (x86)\CPU Guardian\Interop.Shell32.dll

C:\Program Files (x86)\CPU Guardian\Logging.dll

C:\Program Files (x86)\CPU Guardian\Logging.dll.config

C:\Program Files (x86)\CPU Guardian\Microsoft.Deployment.WindowsInstaller.dll

C:\Program Files (x86)\CPU Guardian\Microsoft.Win32.TaskScheduler.dll

C:\Program Files (x86)\CPU Guardian\Setup.dll

C:\Program Files (x86)\CPU Guardian\Setup.dll.config

Windows Analysis Report
074kFuPFv8.exe

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre