Edit tour

Windows Analysis Report
fxsound_setup.exe

Overview

General Information

Sample name:	fxsound_setup.exe
Analysis ID:	1581679
MD5:	d0509ad561d032d6179e95a521b06f10
SHA1:	f7580459ac444fec5e5de1300155a0373f3c9590
SHA256:	7dbc411488e4e653769f98b014f2a24b185b24653cee04fa5ed59b03438da7e7
Tags:	exesounduser-pfw
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	50
Range:	0 - 100

Signatures

Suricata IDS alerts for network traffic

Contains functionality to detect sleep reduction / modifications

Found evasive API chain (may stop execution after checking mutex)

Tries to open files direct via NTFS file id

Uses schtasks.exe or at.exe to add and modify task schedules

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read device registry values (via SetupAPI)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates driver files

Creates files inside the driver directory

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Enables driver privileges

Enables security privileges

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May check if the current machine is a sandbox (GetTickCount - Sleep)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries device information via Setup API

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

fxsound_setup.exe (PID: 4836 cmdline: "C:\Users\user\Desktop\fxsound_setup.exe" MD5: D0509AD561D032D6179E95A521B06F10)

msiexec.exe (PID: 3128 cmdline: "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\FxSound LLC\FxSound 1.1.27.0\install\fxsound.x64.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\fxsound_setup.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1735396057 " AI_EUIMSI="" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 6640 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 4268 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 0D5C3D4CB3AC9B2FB9AFABC48B06CDE8 C MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 3716 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 4643268C8F4EAA1123EAEDE165421994 MD5: 9D09DC1EDA745A5F87553048E57620CF)

fxdevcon64.exe (PID: 5972 cmdline: "C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe" remove *DFX12 MD5: 173973C091A72EBBE73C9578EF5D00B1)

conhost.exe (PID: 6696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

DfxSetupDrv.exe (PID: 6300 cmdline: "C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe" check MD5: 6CC7FD49BEE71A54AA659E30DEA8903D)

conhost.exe (PID: 5548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

fxdevcon64.exe (PID: 2820 cmdline: "C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe" install "C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxvad.inf" MD5: 173973C091A72EBBE73C9578EF5D00B1)

conhost.exe (PID: 1292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 3448 cmdline: schtasks /create /sc daily /tn FxSound\Update /tr "'C:\Program Files\FxSound LLC\FxSound\updater.exe' /silent" /st 10:00 /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

FxSound.exe (PID: 1988 cmdline: "C:\Program Files\FxSound LLC\FxSound\\FxSound.exe" @ MD5: 2EE68BB73020AE85BBFD2CCAC511D97B)

svchost.exe (PID: 6208 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

drvinst.exe (PID: 2172 cmdline: DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{eea20620-008f-314f-bc1c-741b5c573f1e}\fxvad.inf" "9" "4143399a7" "0000000000000144" "WinSta0\Default" "000000000000011C" "208" "c:\program files\fxsound llc\fxsound\drivers\win10\x64" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)

drvinst.exe (PID: 6584 cmdline: DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:ed86ca115cc2c934:DFX_Device:14.1.0.0:root\fxvad," "4143399a7" "0000000000000158" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)

updater.exe (PID: 4296 cmdline: "C:\Program Files\FxSound LLC\FxSound\updater.exe" /silent MD5: A4C5E08AFDB48AF64B0A06AFCE16F6E9)

cleanup

Sigma Signatures

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\System32\msiexec.exe, ProcessId: 6640, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall, ProcessId: 6208, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T15:31:33.798687+0100	2829202	1	A Network Trojan was detected	192.168.2.5	49727	20.233.83.145	443	TCP
2024-12-28T15:31:35.600271+0100	2829202	1	A Network Trojan was detected	192.168.2.5	49737	185.199.109.133	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Compliance

Uses 32bit PE files

Source: fxsound_setup.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Creates a directory in C:\Program Files

Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\ptdevcon32.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\ptdevcon64.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Apps	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\updater.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Apps\DfxInstall.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win10	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxvad.inf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxvad.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxvadntamd64.cat	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x86	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x86\fxdevcon32.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x86\fxvad.inf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x86\fxvad.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x86\fxvadntx86.cat	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win7	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x64	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x64\fxdevcon64.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x64\fxvad.inf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x64\fxvad.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x64\fxvadntamd64.cat	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x86	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x86\fxdevcon32.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x86\fxvad.inf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x86\fxvad.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x86\fxvadntx86.cat	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Factsoft	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Factsoft\1.fac	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Factsoft\10.fac	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Factsoft\11.fac	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Factsoft\12.fac	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Factsoft\2.fac	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Factsoft\3.fac	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Factsoft\4.fac	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Factsoft\5.fac	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Factsoft\6.fac	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Factsoft\7.fac	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Factsoft\8.fac	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Factsoft\9.fac	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\MontserratAlternates-Bold.ttf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\MontserratAlternates-Medium.ttf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\MontserratAlternates-Regular.ttf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\NotoSansKR-Bold.otf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\NotoSansKR-Medium.otf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\NotoSansKR-Regular.otf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\NotoSansSC-Bold.otf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\NotoSansSC-Medium.otf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\NotoSansSC-Regular.otf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\NotoSansThai-Medium.ttf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\NotoSansThai-Regular.ttf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Factsoft\Default.fac	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\NotoSansJP-Bold.ttf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\NotoSansJP-Medium.ttf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\NotoSansJP-Regular.ttf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\IBMPlexSansArabic-Bold.ttf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\IBMPlexSansArabic-Medium.ttf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\IBMPlexSansArabic-Regular.ttf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\NotoSansTC-Bold.ttf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\NotoSansTC-Medium.ttf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\NotoSansTC-Regular.ttf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\updater.ini	Jump to behavior

Creates a software uninstall entry

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B78F934D-616A-4FFD-9D5A-B870EF9423C2}

Jump to behavior

PE / OLE file has a valid certificate

Source: fxsound_setup.exe

Static PE information: certificate valid

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 20.233.83.145:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.5:49737 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: fxsound_setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: wininet.pdb source: fxsound_setup.exe, 00000000.00000003.2043964917.0000000009030000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbD source: fxsound_setup.exe, fxsound.x64.msi.0.dr
Source:	Binary string: C:\Users\vijay\Documents\Projects\FxSound\repo\fxsound\FxSound\Installer\DfxInstall\Release\fxdevcon32.pdb" source: fxdevcon32.exe0.2.dr
Source:	Binary string: C:\Users\vijay\Documents\Projects\fxsound-app\fxsound\Project\x64\Release\App\FxSound.pdb source: FxSound.exe, 00000013.00000002.3278409126.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe, 00000013.00000000.2280937602.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe.2.dr
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x86\Updater.pdb source: updater.exe, 00000014.00000000.2301542127.00000000008C2000.00000002.00000001.01000000.0000000E.sdmp, updater.exe, 00000014.00000002.2372303815.00000000008C2000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: C:\code32\Mains\DfxSetupDrv\Release\DfxSetupDrv.pdbNN(GCTL source: DfxSetupDrv.exe, 00000009.00000002.2179916811.000000000018A000.00000002.00000001.01000000.0000000A.sdmp, DfxSetupDrv.exe, 00000009.00000000.2165124553.000000000018A000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\Users\vijay\Documents\Projects\FxSound\repo\fxsound\FxSound\Installer\DfxInstall\Release\fxdevcon32.pdb source: fxdevcon32.exe0.2.dr
Source:	Binary string: C:\Users\vijay\Documents\Projects\FxSound\repo\fxsound\FxSound\Installer\DfxInstall\x64\Release\fxdevcon64.pdb source: fxdevcon64.exe, 00000007.00000000.2163283838.00007FF689789000.00000002.00000001.01000000.00000009.sdmp, fxdevcon64.exe, 00000007.00000002.2164772584.00007FF689789000.00000002.00000001.01000000.00000009.sdmp, fxdevcon64.exe, 0000000C.00000000.2182224115.00007FF689789000.00000002.00000001.01000000.00000009.sdmp, fxdevcon64.exe, 0000000C.00000002.2268962203.00007FF689789000.00000002.00000001.01000000.00000009.sdmp, fxdevcon64.exe0.2.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: fxsound_setup.exe, fxsound.x64.msi.0.dr, MSIA13B.tmp.2.dr
Source:	Binary string: wininet.pdbUGP source: fxsound_setup.exe, 00000000.00000003.2043964917.0000000009030000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\code32\Mains\DfxSetupDrv\Release\DfxSetupDrv.pdb source: DfxSetupDrv.exe, 00000009.00000002.2179916811.000000000018A000.00000002.00000001.01000000.0000000A.sdmp, DfxSetupDrv.exe, 00000009.00000000.2165124553.000000000018A000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\Users\Vijay\Documents\Projects\FxSound\fxsound-driver\fxvad\pcmex\x64\Release\fxvad.pdb source: drvinst.exe, 0000000F.00000003.2235465687.000001E2C1801000.00000004.00000020.00020000.00000000.sdmp, fxvad.sys1.2.dr, SETDC9C.tmp.12.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: fxsound_setup.exe, fxsound.x64.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: fxsound_setup.exe, fxsound.x64.msi.0.dr, MSI9C59.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: fxsound_setup.exe
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: fxsound_setup.exe, fxsound.x64.msi.0.dr
Source:	Binary string: C:\Users\vijay\Documents\Projects\FxSound\repo\fxsound\FxSound\Installer\DfxInstall\x64\Release\fxdevcon64.pdb source: fxdevcon64.exe, 00000007.00000000.2163283838.00007FF689789000.00000002.00000001.01000000.00000009.sdmp, fxdevcon64.exe, 00000007.00000002.2164772584.00007FF689789000.00000002.00000001.01000000.00000009.sdmp, fxdevcon64.exe, 0000000C.00000000.2182224115.00007FF689789000.00000002.00000001.01000000.00000009.sdmp, fxdevcon64.exe, 0000000C.00000002.2268962203.00007FF689789000.00000002.00000001.01000000.00000009.sdmp, fxdevcon64.exe0.2.dr

Spreading

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_002F4900 FindFirstFileW,GetLastError,FindClose,	0_2_002F4900
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_003200C0 FindFirstFileW,FindClose,CloseHandle,CloseHandle,	0_2_003200C0
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_0031A250 FindFirstFileW,FindClose,	0_2_0031A250
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_0032A7C0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_0032A7C0
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_002D6B30 FindFirstFileW,FindNextFileW,FindClose,	0_2_002D6B30
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_00302C10 FindFirstFileW,FindClose,FindClose,	0_2_00302C10
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_0032AC40 FindFirstFileW,FindClose,	0_2_0032AC40
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_001B4FC0 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,	0_2_001B4FC0
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_0033DF80 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_0033DF80
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_002F3FD0 FindFirstFileW,FindFirstFileW,FindClose,FindClose,	0_2_002F3FD0
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Code function: 7_2_00007FF6897817C0 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	7_2_00007FF6897817C0
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_007EF2B0 FindFirstFileW,GetLastError,FindClose,	20_2_007EF2B0
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_0089DE70 FindFirstFileExW,	20_2_0089DE70

Source: C:\Users\user\Desktop\fxsound_setup.exe

Code function: 0_2_00329410 GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection,

0_2_00329410

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.5:49737 -> 185.199.109.133:443
Source: Network traffic	Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.5:49727 -> 20.233.83.145:443

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 185.199.109.133 185.199.109.133
Source: Joe Sandbox View	IP Address: 185.199.109.133 185.199.109.133
Source: Joe Sandbox View	IP Address: 20.233.83.145 20.233.83.145

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Program Files\FxSound LLC\FxSound\updater.exe

Code function: 20_2_00813E20 CreateFileW,SetFilePointer,GetLastError,ResetEvent,InternetQueryDataAvailable,GetLastError,GetLastError,WaitForSingleObject,SetEvent,ResetEvent,InternetReadFile,GetLastError,GetLastError,WaitForSingleObject,SetEvent,WriteFile,GetFileSize,GetLastError,CloseHandle,DeleteFileW,MoveFileW,CopyFileW,GetLastError,DeleteFileW,CloseHandle,

20_2_00813E20

Source: global traffic	HTTP traffic detected: GET /fxsound2/fxsound-app/raw/latest/release/updates.txt HTTP/1.1Accept: /User-Agent: AdvancedInstallerHost: github.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /fxsound2/fxsound-app/latest/release/updates.txt HTTP/1.1Accept: /User-Agent: AdvancedInstallerConnection: Keep-AliveCache-Control: no-cacheHost: raw.githubusercontent.com

Source: global traffic	DNS traffic detected: DNS query: github.com
Source: global traffic	DNS traffic detected: DNS query: raw.githubusercontent.com

Source: fxvad.sys1.2.dr, fxvadntx86.cat0.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: fxsound_setup.exe, fxsound.x64.msi.0.dr, fxdevcon32.exe0.2.dr, fxdevcon64.exe0.2.dr, FxSound.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: fxvad.sys1.2.dr, fxvadntx86.cat0.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: fxvad.sys1.2.dr, fxvadntx86.cat0.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: fxvad.sys1.2.dr, fxvadntx86.cat0.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: fxsound_setup.exe, fxsound.x64.msi.0.dr, fxdevcon32.exe0.2.dr, fxdevcon64.exe0.2.dr, FxSound.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: fxsound_setup.exe, fxsound.x64.msi.0.dr, fxdevcon32.exe0.2.dr, fxdevcon64.exe0.2.dr, FxSound.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: fxsound_setup.exe, fxsound.x64.msi.0.dr, fxdevcon32.exe0.2.dr, fxdevcon64.exe0.2.dr, FxSound.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: fxsound_setup.exe, 00000000.00000003.2284385273.0000000004AF1000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2284951538.0000000004AF5000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2098741736.0000000004AE2000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000002.2287047452.0000000004AF7000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2283804568.0000000004AE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com
Source: fxsound_setup.exe, fxsound.x64.msi.0.dr, fxdevcon32.exe0.2.dr, fxdevcon64.exe0.2.dr, FxSound.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: fxvad.sys1.2.dr, fxvadntx86.cat0.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: fxvad.sys1.2.dr, fxvadntx86.cat0.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: fxsound_setup.exe, fxsound.x64.msi.0.dr, fxdevcon32.exe0.2.dr, fxdevcon64.exe0.2.dr, FxSound.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: fxsound_setup.exe, fxsound.x64.msi.0.dr, fxdevcon32.exe0.2.dr, fxdevcon64.exe0.2.dr, FxSound.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: FxSound.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: fxvad.sys1.2.dr, fxvadntx86.cat0.2.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: fxvad.sys1.2.dr, fxvadntx86.cat0.2.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: fxvad.sys1.2.dr, fxvadntx86.cat0.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: fxvad.sys1.2.dr, fxvadntx86.cat0.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: fxsound_setup.exe, fxsound.x64.msi.0.dr, fxdevcon32.exe0.2.dr, fxdevcon64.exe0.2.dr, FxSound.exe.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: fxvad.sys1.2.dr, fxvadntx86.cat0.2.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: fxvad.sys1.2.dr, fxvadntx86.cat0.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: fxsound_setup.exe, fxsound.x64.msi.0.dr, fxdevcon32.exe0.2.dr, fxdevcon64.exe0.2.dr, FxSound.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: fxsound_setup.exe, fxsound.x64.msi.0.dr, fxdevcon32.exe0.2.dr, fxdevcon64.exe0.2.dr, FxSound.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: fxsound_setup.exe, fxsound.x64.msi.0.dr, fxdevcon32.exe0.2.dr, fxvad.sys1.2.dr, fxdevcon64.exe0.2.dr, FxSound.exe.2.dr, fxvadntx86.cat0.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: fxvad.sys1.2.dr, fxvadntx86.cat0.2.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: fxvad.sys1.2.dr, fxvadntx86.cat0.2.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: fxvad.sys1.2.dr, fxvadntx86.cat0.2.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: fxsound_setup.exe, fxsound.x64.msi.0.dr, fxdevcon32.exe0.2.dr, fxdevcon64.exe0.2.dr, FxSound.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: fxsound_setup.exe	String found in binary or memory: http://schemas.micr
Source: fxsound_setup.exe, fxsound.x64.msi.0.dr, fxdevcon32.exe0.2.dr, fxvad.sys1.2.dr, fxdevcon64.exe0.2.dr, FxSound.exe.2.dr, fxvadntx86.cat0.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: fxvad.sys1.2.dr, fxvadntx86.cat0.2.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: fxdevcon64.exe, 0000000C.00000003.2190911405.000001F48263A000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2209577069.000001F482654000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2188459939.000001F482603000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2267084024.000001F482684000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2267084024.000001F482690000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2208962787.000001F482686000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2209730003.000001F482683000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2209730003.000001F482696000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2203424083.000001F482689000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2212475922.000001F482654000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2212386592.000001F482685000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2212560157.000001F482673000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000002.2268559114.000001F482685000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2229546121.000001E2C146F000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2232814582.000001E2C1468000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2225371207.000001E2C13DC000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2221505302.000001E2C13E3000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2224162247.000001E2C13E8000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2222098810.000001E2C13E5000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2223933393.000001E2C13F9000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2244256218.000001E2C1462000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fxsound.com
Source: fxdevcon64.exe, 0000000C.00000003.2267057009.000001F4826B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fxsound.com6d
Source: fxdevcon64.exe, 0000000C.00000003.2267057009.000001F4826B8000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2195865438.000001F482628000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2212386592.000001F48267F000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2191006789.000001F482612000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2209577069.000001F482654000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2190911405.000001F482640000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2188314667.000001F48260A000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2208962787.000001F482654000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2209814017.000001F482673000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2190975887.000001F482647000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2203394404.000001F4826AA000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2225181819.000001E2C13FC000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2225416333.000001E2C1406000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2230251275.000001E2C1405000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2236201403.000001E2C14AD000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2236221555.000001E2C145A000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2243769065.000001E2C14AC000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2246897395.000001E2C145A000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2223511412.000001E2C1404000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2246469609.000001E2C14AC000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2221505302.000001E2C13DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fxsound.comd
Source: drvinst.exe, 00000010.00000002.2266111094.0000024DFA91D000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000010.00000003.2265191260.0000024DFA91C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fxsound.comgmS
Source: drvinst.exe, 0000000F.00000003.2246968450.000001E2C1456000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2246494824.000001E2C144B000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2243769065.000001E2C144B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: updater.exe, 00000014.00000003.2371762754.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 00000014.00000003.2370070906.00000000055E1000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000002.2372767310.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000002.2372600001.0000000005594000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000003.2369947901.00000000055EA000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000002.2372767310.00000000055E2000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000003.2370029254.00000000055A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://download.fxsound.com/fxsoundlatest
Source: fxsound_setup.exe, 00000000.00000003.2098741736.0000000004AE2000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2043582324.000000000A2D8000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2039676815.0000000004B04000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2284219841.0000000004B3F000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2283804568.0000000004AE2000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000003.2303025554.0000000007120000.00000004.00000800.00020000.00000000.sdmp, MSIa9cd2.LOG.2.dr	String found in binary or memory: https://download.fxsound.com/updates
Source: updater.exe, 00000014.00000002.2372600001.0000000005527000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://download.fxsound.com/updatester
Source: FxSound.exe, 00000013.00000002.3278409126.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe, 00000013.00000000.2280937602.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe.2.dr	String found in binary or memory: https://forms.gle/ATx1ayXDWRaMdiR59
Source: FxSound.exe, 00000013.00000002.3278409126.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe, 00000013.00000000.2280937602.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe.2.dr	String found in binary or memory: https://forms.gle/ATx1ayXDWRaMdiR59Take
Source: MSIa9cd2.LOG.2.dr	String found in binary or memory: https://forum.fxsound.com
Source: fxsound.x64.msi.0.dr	String found in binary or memory: https://forum.fxsound.comARPURLUPDATEINFOhttps://www.fxsound.com/changelogMsiLoggingvpAiFeatIcoMainF
Source: fxsound_setup.exe, 00000000.00000003.2284775353.000000000A2B0000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2285416674.000000000A2B8000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2100512147.000000000A2AC000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000002.2288227528.000000000A2B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://forum.fxsound.comp
Source: fxsound_setup.exe, 00000000.00000003.2284775353.000000000A2B0000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2285416674.000000000A2B8000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2100512147.000000000A2AC000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000002.2288227528.000000000A2B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://forum.fxsound.comture
Source: updater.exe, 00000014.00000002.2372600001.0000000005527000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/
Source: updater.exe, 00000014.00000002.2372600001.0000000005527000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/0u
Source: FxSound.exe, 00000013.00000002.3278409126.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe, 00000013.00000000.2280937602.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe.2.dr	String found in binary or memory: https://github.com/fxsound2/fxsound-app
Source: updater.exe, 00000014.00000002.2372600001.0000000005594000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000003.2369947901.00000000055EA000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000002.2372767310.00000000055E2000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000003.2370029254.00000000055A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/fxsound2/fxsound-app/raw/latest/release/fxsound_setup.exe
Source: updater.exe, 00000014.00000002.2372600001.0000000005594000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/fxsound2/fxsound-app/raw/latest/release/fxsound_setup.exel
Source: updater.exe, 00000014.00000002.2372600001.0000000005571000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000002.2372600001.0000000005527000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000003.2370070906.00000000055E1000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000002.2372767310.00000000055E2000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000003.2370029254.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, MSIa9cd2.LOG.2.dr	String found in binary or memory: https://github.com/fxsound2/fxsound-app/raw/latest/release/updates.txt
Source: updater.exe, 00000014.00000002.2372600001.0000000005571000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/fxsound2/fxsound-app/raw/latest/release/updates.txt)Pz
Source: updater.exe, 00000014.00000003.2351977929.00000000055E7000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000003.2351901944.00000000055E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/fxsound2/fxsound-app/raw/latest/release/updates.txt3Qz
Source: updater.exe, 00000014.00000002.2372600001.0000000005571000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/fxsound2/fxsound-app/raw/latest/release/updates.txt8A
Source: FxSound.exe, 00000013.00000002.3278409126.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe, 00000013.00000000.2280937602.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe.2.dr	String found in binary or memory: https://github.com/fxsound2/fxsound-appGitHubhttps://www.fxsound.com/changelogClick
Source: FxSound.exe, 00000013.00000002.3278409126.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe, 00000013.00000000.2280937602.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe.2.dr	String found in binary or memory: https://james722808.typeform.com/to/QfEP5QrP
Source: FxSound.exe, 00000013.00000002.3278409126.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe, 00000013.00000000.2280937602.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe.2.dr	String found in binary or memory: https://james722808.typeform.com/to/QfEP5QrPhttps://www.fxsound.com/learning-centerhttps://www.fxsou
Source: FxSound.exe.2.dr	String found in binary or memory: https://juce.com
Source: updater.exe, 00000014.00000002.2372600001.0000000005527000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000002.2372767310.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000003.2351901944.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000003.2370029254.00000000055A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/
Source: updater.exe, 00000014.00000003.2351901944.00000000055A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/N
Source: updater.exe, 00000014.00000003.2351901944.00000000055A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/T
Source: updater.exe, 00000014.00000002.2372767310.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000003.2351901944.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000003.2370029254.00000000055A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/f
Source: updater.exe, 00000014.00000003.2351901944.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000003.2351901944.00000000055E7000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000003.2370029254.00000000055A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/fxsound2/fxsound-app/latest/release/updates.txt
Source: updater.exe, 00000014.00000002.2372767310.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000003.2351901944.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000003.2370029254.00000000055A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/fxsound2/fxsound-app/latest/release/updates.txtA
Source: updater.exe, 00000014.00000002.2372600001.0000000005571000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/fxsound2/fxsound-app/latest/release/updates.txtL
Source: updater.exe, 00000014.00000002.2372600001.0000000005571000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/fxsound2/fxsound-app/latest/release/updates.txtt
Source: FxSound.exe.2.dr	String found in binary or memory: https://sketch.com
Source: fxvad.sys1.2.dr, fxvadntx86.cat0.2.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: fxsound_setup.exe, 00000000.00000002.2287946076.000000000A274000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2284306395.000000000A274000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2284158640.000000000A273000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fxsound.com/blog/fxsound-is-now-completely-free
Source: fxsound_setup.exe, 00000000.00000003.2284385273.0000000004AF1000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2284951538.0000000004AF5000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2098741736.0000000004AE2000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000002.2287047452.0000000004AF7000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2283804568.0000000004AE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fxsound.com/blog/fxsound-is-now-completely-freex
Source: MSIa9cd2.LOG.2.dr	String found in binary or memory: https://www.fxsound.com/changelog
Source: fxsound_setup.exe, 00000000.00000003.2285344952.000000000A2A5000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2283943266.000000000A29D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fxsound.com/changelogLAYd:
Source: fxsound_setup.exe, 00000000.00000003.2285344952.000000000A2A5000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2283943266.000000000A29D000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000002.2288109809.000000000A2A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fxsound.com/changelogbebe
Source: fxsound_setup.exe, 00000000.00000003.2285344952.000000000A2A5000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2283943266.000000000A29D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fxsound.com/changelogbebex
Source: MSIa9cd2.LOG.2.dr	String found in binary or memory: https://www.fxsound.com/learning-center
Source: FxSound.exe, 00000013.00000002.3277982536.0000020BA581A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fxsound.com/learning-center/installation-troubleshooting
Source: FxSound.exe.2.dr	String found in binary or memory: https://www.fxsound.com/learning-center/no-sound-with-fxsound-realtek
Source: fxsound.x64.msi.0.dr	String found in binary or memory: https://www.fxsound.com/learning-centerButtonText_BrowseBr&owse...AI_REQUIRED_WINDOWS_INSTALLER_VERS
Source: fxsound_setup.exe, 00000000.00000003.2285344952.000000000A2A5000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2283943266.000000000A29D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fxsound.com/learning-centerD
Source: fxsound_setup.exe, 00000000.00000003.2285344952.000000000A2A5000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2283943266.000000000A29D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fxsound.com/learning-centerc
Source: FxSound.exe, 00000013.00000002.3278409126.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe, 00000013.00000000.2280937602.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe.2.dr	String found in binary or memory: https://www.fxsound.com/presets
Source: FxSound.exe, 00000013.00000002.3278409126.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe, 00000013.00000000.2280937602.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe.2.dr	String found in binary or memory: https://www.fxsound.com/presetsp
Source: FxSound.exe, 00000013.00000002.3277982536.0000020BA57F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fxsound.com/support
Source: FxSound.exe, 00000013.00000002.3278409126.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe, 00000013.00000000.2280937602.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe.2.dr	String found in binary or memory: https://www.fxsound.com/supporthttps://www.fxsound.com/learning-center/installation-troubleshooting
Source: FxSound.exe, 00000013.00000002.3278409126.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe, 00000013.00000000.2280937602.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe.2.dr	String found in binary or memory: https://www.paypal.com/donate/?hosted_button_id=JVNQGYXCQ2GPG

Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 20.233.83.145:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.5:49737 version: TLS 1.2

E-Banking Fraud

Drops certificate files (DER)

Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	File created: C:\Users\user\AppData\Local\Temp\{eea20620-008f-314f-bc1c-741b5c573f1e}\fxvadNTAMD64.cat (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{a9706f53-a644-174a-a57d-685566a0fbfc}\fxvadNTAMD64.cat (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{a9706f53-a644-174a-a57d-685566a0fbfc}\SETE2C4.tmp	Jump to dropped file
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	File created: C:\Users\user\AppData\Local\Temp\{eea20620-008f-314f-bc1c-741b5c573f1e}\SETDC0D.tmp	Jump to dropped file

System Summary

Contains functionality to call native functions

Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_00340180 NtdllDefWindowProc_W,	0_2_00340180
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_001CE1A0 NtdllDefWindowProc_W,	0_2_001CE1A0
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_001A82C0 SysFreeString,SysAllocString,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,SysFreeString,	0_2_001A82C0
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_001BA430 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection,	0_2_001BA430
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_001A8970 NtdllDefWindowProc_W,	0_2_001A8970
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_001B2A80 NtdllDefWindowProc_W,	0_2_001B2A80
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_001AAB70 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow,	0_2_001AAB70
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_001B2BF0 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,	0_2_001B2BF0
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_0028CE20 NtdllDefWindowProc_W,	0_2_0028CE20
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_00223140 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,	0_2_00223140
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_001AB360 NtdllDefWindowProc_W,	0_2_001AB360
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_001AB9C0 NtdllDefWindowProc_W,	0_2_001AB9C0
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_001A7AF0 GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,NtdllDefWindowProc_W,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W,	0_2_001A7AF0
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_001BFE20 NtdllDefWindowProc_W,	0_2_001BFE20

Creates driver files

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxvad.sys

Jump to behavior

Creates files inside the driver directory

Source: C:\Windows\System32\drvinst.exe

File created: C:\Windows\System32\DriverStore\Temp\{a9706f53-a644-174a-a57d-685566a0fbfc}

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\3a9dfb.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9F91.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA01F.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA05E.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA0EC.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA13B.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA1B9.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA237.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA313.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{B78F934D-616A-4FFD-9D5A-B870EF9423C2}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB2A4.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\dfx11.ico	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\fxsound.ico	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B78F934D-616A-4FFD-9D5A-B870EF9423C2}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B78F934D-616A-4FFD-9D5A-B870EF9423C2}\fxsound.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\3a9dfe.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\3a9dfe.msi	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	File created: C:\Windows\INF\c_media.PNF	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\FileRepository\fxvad.inf_amd64_a75d87b3871a94a9
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\drvstore.tmp
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\inf\oem4.inf

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI9F91.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_001D40E0	0_2_001D40E0
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_002FC2F0	0_2_002FC2F0
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_001C0AB0	0_2_001C0AB0
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_0030AB60	0_2_0030AB60
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_0030EC40	0_2_0030EC40
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_00351690	0_2_00351690
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_00337E70	0_2_00337E70
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_00355FB0	0_2_00355FB0
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_003200C0	0_2_003200C0
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_001C61C0	0_2_001C61C0
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_003C82D0	0_2_003C82D0
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_003A8320	0_2_003A8320
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_00356420	0_2_00356420
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_001BC450	0_2_001BC450
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_001C0540	0_2_001C0540
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_003D85CE	0_2_003D85CE
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_003C865E	0_2_003C865E
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_00197B50	0_2_00197B50
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_0034E9B0	0_2_0034E9B0
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_001D0AF0	0_2_001D0AF0
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_00362D30	0_2_00362D30
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_002F8E90	0_2_002F8E90
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_001B3130	0_2_001B3130
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_002D1110	0_2_002D1110
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_00357230	0_2_00357230
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_003E3271	0_2_003E3271
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_001C1310	0_2_001C1310
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_001D9330	0_2_001D9330
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_003D1430	0_2_003D1430
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_00191490	0_2_00191490
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_00193530	0_2_00193530
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_001D7530	0_2_001D7530
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_0035F6E0	0_2_0035F6E0
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_003A1700	0_2_003A1700
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_0034D890	0_2_0034D890
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_001CF8B0	0_2_001CF8B0
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_001C7990	0_2_001C7990
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_001C3AF3	0_2_001C3AF3
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_003DDBA0	0_2_003DDBA0
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_001DDC20	0_2_001DDC20
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_00227DB0	0_2_00227DB0
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_00341F60	0_2_00341F60
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Code function: 7_2_00007FF689774B10	7_2_00007FF689774B10
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Code function: 7_2_00007FF6897831F8	7_2_00007FF6897831F8
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Code function: 7_2_00007FF689765950	7_2_00007FF689765950
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Code function: 7_2_00007FF6897794BC	7_2_00007FF6897794BC
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Code function: 7_2_00007FF68977EBEC	7_2_00007FF68977EBEC
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Code function: 7_2_00007FF689780B3C	7_2_00007FF689780B3C
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Code function: 7_2_00007FF689762340	7_2_00007FF689762340
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Code function: 7_2_00007FF689761370	7_2_00007FF689761370
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Code function: 7_2_00007FF689784728	7_2_00007FF689784728
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Code function: 7_2_00007FF689765630	7_2_00007FF689765630
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Code function: 7_2_00007FF6897758FA	7_2_00007FF6897758FA
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Code function: 7_2_00007FF689780078	7_2_00007FF689780078
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Code function: 7_2_00007FF6897817C0	7_2_00007FF6897817C0
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Code function: 7_2_00007FF689774FEC	7_2_00007FF689774FEC
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Code function: 7_2_00007FF68977A794	7_2_00007FF68977A794
Source: C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe	Code function: 9_2_001839B0	9_2_001839B0
Source: C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe	Code function: 9_2_00186350	9_2_00186350
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_00821AB0	20_2_00821AB0
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_00842720	20_2_00842720
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_0084E9B0	20_2_0084E9B0
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_00822C10	20_2_00822C10
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_008677A0	20_2_008677A0
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_00827FF8	20_2_00827FF8
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_007F40C0	20_2_007F40C0
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_007F4220	20_2_007F4220
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_0089C323	20_2_0089C323
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_007FC460	20_2_007FC460
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_007F4460	20_2_007F4460
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_008A04D0	20_2_008A04D0
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_008A84F9	20_2_008A84F9
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_007F0660	20_2_007F0660
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_008908E0	20_2_008908E0
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_00808F10	20_2_00808F10
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_008858A0	20_2_008858A0
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_00831B60	20_2_00831B60
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_008A1C2F	20_2_008A1C2F
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_00856140	20_2_00856140
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_0081A152	20_2_0081A152
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_0088A630	20_2_0088A630
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_0088A9BE	20_2_0088A9BE
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_0088E932	20_2_0088E932
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_00892A18	20_2_00892A18
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_0080EA50	20_2_0080EA50
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_00832D40	20_2_00832D40
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_008430C0	20_2_008430C0
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_008A7740	20_2_008A7740
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_007F7930	20_2_007F7930
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_008979F3	20_2_008979F3
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_0081BCC0	20_2_0081BCC0
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_007EFC10	20_2_007EFC10

Enables driver privileges

Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe

Process token adjusted: Load Driver

Jump to behavior

Enables security privileges

Source: C:\Windows\System32\svchost.exe

Process token adjusted: Security

Jump to behavior

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: String function: 00198880 appears 56 times
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: String function: 0019A920 appears 58 times
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: String function: 0019AF60 appears 67 times
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: String function: 002E6FE0 appears 32 times
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: String function: 003BFE84 appears 37 times
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: String function: 001993B0 appears 122 times
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: String function: 001A35D0 appears 36 times
Source: C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe	Code function: String function: 00181DE0 appears 54 times
Source: C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe	Code function: String function: 00186330 appears 117 times
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: String function: 007E3890 appears 201 times
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: String function: 00882054 appears 39 times
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: String function: 00882843 appears 96 times
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: String function: 00882BB0 appears 57 times
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: String function: 007E3700 appears 189 times
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: String function: 007E46F0 appears 33 times
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: String function: 00882876 appears 72 times
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: String function: 007E25B0 appears 157 times
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: String function: 007E8D80 appears 37 times

Sample file is different than original file name gathered from version info

Source: fxsound_setup.exe	Binary or memory string: OriginalFileName vs fxsound_setup.exe
Source: fxsound_setup.exe, 00000000.00000003.2099934913.000000000A2C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePrereq.dllF vs fxsound_setup.exe
Source: fxsound_setup.exe, 00000000.00000003.2043964917.0000000009030000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewininet.dllD vs fxsound_setup.exe
Source: fxsound_setup.exe, 00000000.00000003.2285064597.000000000A2C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePrereq.dllF vs fxsound_setup.exe
Source: fxsound_setup.exe, 00000000.00000002.2288287172.000000000A2D4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePrereq.dllF vs fxsound_setup.exe
Source: fxsound_setup.exe	Binary or memory string: OriginalFilenameviewer.exeF vs fxsound_setup.exe
Source: fxsound_setup.exe	Binary or memory string: OriginalFilenamelzmaextractor.dllF vs fxsound_setup.exe
Source: fxsound_setup.exe	Binary or memory string: OriginalFilenameAICustAct.dllF vs fxsound_setup.exe
Source: fxsound_setup.exe	Binary or memory string: OriginalFilenamePrereq.dllF vs fxsound_setup.exe

Uses 32bit PE files

Source: fxsound_setup.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal48.evad.winEXE@28/123@2/2

Source: C:\Users\user\Desktop\fxsound_setup.exe

Code function: 0_2_002F7B80 FormatMessageW,GetLastError,

0_2_002F7B80

Source: C:\Users\user\Desktop\fxsound_setup.exe

Code function: 0_2_0032BC10 GetDiskFreeSpaceExW,

0_2_0032BC10

Source: C:\Program Files\FxSound LLC\FxSound\updater.exe

Code function: 20_2_008615A0 CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle,GetWindowThreadProcessId,GetWindowTextW,GetWindowLongW,GetWindowLongW,

20_2_008615A0

Source: C:\Users\user\Desktop\fxsound_setup.exe

Code function: 0_2_003448B0 CoCreateInstance,

0_2_003448B0

Source: C:\Users\user\Desktop\fxsound_setup.exe

Code function: 0_2_0019A7E0 LoadResource,LockResource,SizeofResource,

0_2_0019A7E0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files\FxSound LLC

Jump to behavior

Source: C:\Users\user\Desktop\fxsound_setup.exe

File created: C:\Users\user\AppData\Roaming\FxSound LLC

Jump to behavior

Source: C:\Windows\System32\drvinst.exe	Mutant created: \BaseNamedObjects\DrvInst.exe_mutex_{5B10AC83-4F13-4fde-8C0B-B85681BA8D73}
Source: C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{E498B5A6-FA64-40c6-9327-9E6F15FF6546}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4476:120:WilError_03
Source: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\juceAppLock_FxSound
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6696:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5548:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1292:120:WilError_03

Source: C:\Users\user\Desktop\fxsound_setup.exe

File created: C:\Users\user\AppData\Local\Temp\MSI9996.tmp

Jump to behavior

Source: C:\Program Files\FxSound LLC\FxSound\updater.exe

Command line argument: RICHED20.DLL

20_2_0085A670

Source: fxsound_setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\fxsound_setup.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\fxsound_setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: fxsound_setup.exe, 00000000.00000003.2284385273.0000000004AF1000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2098741736.0000000004AE2000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2283804568.0000000004AE2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: SELECT `Action`,`Type`,`Source`,`Target`, NULL, `ExtendedType` FROM `CustomAction` WHERE `Action` = 'AI_DETECT_WINTHEME'%D;

Source: updater.exe	String found in binary or memory: -startminimized
Source: updater.exe	String found in binary or memory: -startappfirst
Source: updater.exe	String found in binary or memory: /install
Source: updater.exe	String found in binary or memory: /installservice
Source: updater.exe	String found in binary or memory: -installready
Source: fxsound_setup.exe	String found in binary or memory: ComboBoxListBoxListViewINSERT INTO `` (`Property`, `Order`, `Value`, `Text`,`Binary_`) VALUES (?,?,?,?,?) TEMPORARY` (`Property`, `Order`, `Value`, `Text`) VALUES (?,?,?,?) TEMPORARYSELECT * FROM `%s` WHERE `Property`='%s' AND `Value`='%s'SELECT * FROM `%s` WHERE `Property`='%s'EditSELECT `Message` FROM `Error` WHERE `Error` = %sSELECT `Text` FROM `UIText` WHERE `Key` = '%s'tmpALLUSERS = 1ALLUSERS = 2MSIINSTALLPERUSER = 1AI_PACKAGE_TYPE = "x64"AI_PACKAGE_TYPE = "Intel64"SELECT * FROM `Control` WHERE `Dialog_` = '%s' AND `Control` = '%s'SELECT `Attributes` FROM `Control` WHERE `Dialog_` = '%s' AND `Control` = '%s'$=3WS_BORDERWS_CAPTIONWS_CHILDWS_CHILDWINDOWWS_CLIPCHILDRENWS_CLIPSIBLINGSWS_DISABLEDWS_DLGFRAMEWS_GROUPWS_HSCROLLWS_ICONICWS_SIZEBOXWS_SYSMENUWS_TABSTOPWS_THICKFRAMEWS_VISIBLEWS_VSCROLLWS_MAXIMIZEBOXWS_MAXIMIZEWS_MINIMIZEBOXWS_MINIMIZEWS_OVERLAPPEDWINDOWWS_OVERLAPPEDWS_POPUPWINDOWWS_POPUPWS_TILEDWINDOWWS_TILEDWS_EX_ACCEPTFILESWS_EX_APPWINDOWWS_EX_CLIENTEDGEWS_EX_CONTEXTHELPWS_EX_CONTROLPARENTWS_EX_DLGMODALFRAMEWS_EX_LEFTWS_EX_LEFTSCROLLBARWS_EX_LTRREADINGWS_EX_MDICHILDWS_EX_NOPARENTNOTIFYWS_EX_OVERLAPPEDWINDOWWS_EX_PALETTEWINDOWWS_EX_RTLREADINGWS_EX_STATICEDGEWS_EX_TOOLWINDOWWS_EX_TOPMOSTWS_EX_TRANSPARENTWS_EX_WINDOWEDGEWS_EX_RIGHTSCROLLBARWS_EX_RIGHTWS_EX_LAYEREDWS_EX_NOACTIVATEWS_EX_NOINHERITLAYOUTWS_EX_LAYOUTRTLWS_EX_COMPOSITEDWS_EXAI_TRIAL_MESSAGE_BODYAI_MSM_TRIAL_MESSAGE_BODYAI_APP_FILEAI_README_FILEAI_APP_ARGSAI_RUN_AS_ADMINMsiLogFileLocation[ProgramFilesFolder][LocalAppDataFolder]Programs\[ProgramFiles64Folder][CommonFilesFolder][LocalAppDataFolder]Programs\Common\[CommonFiles64Folder][WindowsFolder][LocalAppDataFolder][SystemFolder][WindowsVolume][ProgramMenuFolder][DesktopFolder][StartupFolder][TemplateFolder][AdminToolsFolder][AI_UserProgramFiles][WindowsVolume]Program Files (x86)\[AI_ProgramFiles][WindowsVolume]Program Files\MIGRATEFindRelatedProductsMigrateFeatureStatesAI_SETMIXINSTLOCATIONAI_RESTORE_LOCATIONSELECT `ActionProperty` FROM `Upgrade``Action`='SET_APPDIR' OR `Action`='SET_SHORTCUTDIR'SET_APPDIRSET_SHORTCUTDIRSHORTCUTDIRProgramMenuFolderAI_SH_INITEDBrowseDlgCancelDlgDiskCostDlgExitDialogMsiRMFilesInUseOutOfDiskDlgOutOfRbDiskDlgDialog_Control_(`Control_` = 'Next' OR `Control_` = 'Install') AND `Event` = 'EndDialog' AND `Argument` = 'Return'ControlEventAI_INSTALLPERUSER = "0"ALLUSERSVersionMsi >= "5.0"2MSIINSTALLPERUSERAI_NEWINSTProductLanguageAI_INTANCE_LOCATIONAI_UPGRADEValuePropertyNoLanguageVersionStringInstallLocationAI_REPLACE_PRODUCTSAI_Replaced_Versions_ListAI_Upgrade_Replace_Question_YesBackUp_AI_Upgrade_Question_YesAI_Upgrade_Question_YesAI_Upgrade_Replace_Question_NoBackUp_AI_Upgrade_Question_NoAI_Upgrade_Question_NoYesDELETE FROM `Shortcut` WHERE `Shortcut`.`Directory_`='%s'DELETE FROM `IniFile` WHERE `IniFile`.`Section`='InternetShortcut' AND`IniFile`.`DirProperty`='%s'SELECT * FROM `%s`ShortcutIniFileAI_DESKTOP_SHAI_STARTMENU_SHAI_STARTUP_SHAI_SHORTCUTSREGNot InstalledDesktopFolderStartupFolderAI_SH_DI

Source: C:\Users\user\Desktop\fxsound_setup.exe

File read: C:\Users\user\Desktop\fxsound_setup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\fxsound_setup.exe "C:\Users\user\Desktop\fxsound_setup.exe"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 0D5C3D4CB3AC9B2FB9AFABC48B06CDE8 C
Source: C:\Users\user\Desktop\fxsound_setup.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\FxSound LLC\FxSound 1.1.27.0\install\fxsound.x64.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\fxsound_setup.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1735396057 " AI_EUIMSI=""
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 4643268C8F4EAA1123EAEDE165421994
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe "C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe" remove *DFX12
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe "C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe" check
Source: C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe "C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe" install "C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxvad.inf"
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{eea20620-008f-314f-bc1c-741b5c573f1e}\fxvad.inf" "9" "4143399a7" "0000000000000144" "WinSta0\Default" "000000000000011C" "208" "c:\program files\fxsound llc\fxsound\drivers\win10\x64"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:ed86ca115cc2c934:DFX_Device:14.1.0.0:root\fxvad," "4143399a7" "0000000000000158"
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc daily /tn FxSound\Update /tr "'C:\Program Files\FxSound LLC\FxSound\updater.exe' /silent" /st 10:00 /f
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files\FxSound LLC\FxSound\FxSound.exe "C:\Program Files\FxSound LLC\FxSound\\FxSound.exe" @
Source: unknown	Process created: C:\Program Files\FxSound LLC\FxSound\updater.exe "C:\Program Files\FxSound LLC\FxSound\updater.exe" /silent
Source: C:\Users\user\Desktop\fxsound_setup.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\FxSound LLC\FxSound 1.1.27.0\install\fxsound.x64.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\fxsound_setup.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1735396057 " AI_EUIMSI=""	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 0D5C3D4CB3AC9B2FB9AFABC48B06CDE8 C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 4643268C8F4EAA1123EAEDE165421994	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files\FxSound LLC\FxSound\FxSound.exe "C:\Program Files\FxSound LLC\FxSound\\FxSound.exe" @	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe "C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe" remove *DFX12	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe "C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe" check	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe "C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe" install "C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxvad.inf"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc daily /tn FxSound\Update /tr "'C:\Program Files\FxSound LLC\FxSound\updater.exe' /silent" /st 10:00 /f	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{eea20620-008f-314f-bc1c-741b5c573f1e}\fxvad.inf" "9" "4143399a7" "0000000000000144" "WinSta0\Default" "000000000000011C" "208" "c:\program files\fxsound llc\fxsound\drivers\win10\x64"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:ed86ca115cc2c934:DFX_Device:14.1.0.0:root\fxvad," "4143399a7" "0000000000000158"	Jump to behavior

Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: lpk.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Section loaded: spinf.dll	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Section loaded: drvstore.dll	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Section loaded: newdev.dll	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpnpmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: drvstore.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: drvstore.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Section loaded: apphelp.dll
Source: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Section loaded: wininet.dll
Source: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Section loaded: winmm.dll
Source: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Section loaded: opengl32.dll
Source: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Section loaded: glu32.dll
Source: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Section loaded: wldp.dll
Source: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Section loaded: profapi.dll
Source: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Section loaded: winsta.dll
Source: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Section loaded: twinapi.appcore.dll
Source: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Section loaded: dataexchange.dll
Source: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Section loaded: d3d11.dll
Source: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Section loaded: dcomp.dll
Source: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Section loaded: dxgi.dll
Source: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Section loaded: mmdevapi.dll
Source: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Section loaded: devobj.dll
Source: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Section loaded: textinputframework.dll
Source: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Section loaded: wintypes.dll
Source: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Section loaded: wintypes.dll
Source: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Section loaded: wintypes.dll
Source: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Section loaded: mscms.dll
Source: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Section loaded: userenv.dll
Source: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Section loaded: coloradapterclient.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: windowscodecs.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: msi.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: usp10.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: msls31.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: version.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: mpr.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: profapi.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: userenv.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: dwmapi.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: davhlpr.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: msimg32.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: dbghelp.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: wininet.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: urlmon.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: iertutil.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: srvcli.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: netutils.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: cabinet.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: propsys.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: apphelp.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: msasn1.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: lpk.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: msihnd.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: secur32.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: samcli.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: netapi32.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: wkscli.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: riched20.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: sspicli.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: wldp.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: winhttp.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: mswsock.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: winnsi.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: dnsapi.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: schannel.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: ntasn1.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: dpapi.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: gpapi.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: ncrypt.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Section loaded: ntmarta.dll

Source: C:\Users\user\Desktop\fxsound_setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: FxSound.lnk.2.dr	LNK file: ..\..\..\..\..\..\Program Files\FxSound LLC\FxSound\FxSound.exe
Source: Check for FxSound updates.lnk.2.dr	LNK file: ..\..\..\..\..\..\Program Files\FxSound LLC\FxSound\updater.exe
Source: FxSound.lnk0.2.dr	LNK file: ..\..\..\..\..\..\Program Files\FxSound LLC\FxSound\FxSound.exe
Source: FxSound.lnk1.2.dr	LNK file: ..\..\..\Program Files\FxSound LLC\FxSound\FxSound.exe

Source: C:\Windows\System32\msiexec.exe

File written: C:\Program Files\FxSound LLC\FxSound\updater.ini

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Creates a directory in C:\Program Files

Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\ptdevcon32.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\ptdevcon64.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Apps	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\updater.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Apps\DfxInstall.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win10	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxvad.inf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxvad.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxvadntamd64.cat	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x86	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x86\fxdevcon32.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x86\fxvad.inf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x86\fxvad.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x86\fxvadntx86.cat	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win7	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x64	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x64\fxdevcon64.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x64\fxvad.inf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x64\fxvad.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x64\fxvadntamd64.cat	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x86	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x86\fxdevcon32.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x86\fxvad.inf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x86\fxvad.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x86\fxvadntx86.cat	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Factsoft	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Factsoft\1.fac	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Factsoft\10.fac	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Factsoft\11.fac	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Factsoft\12.fac	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Factsoft\2.fac	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Factsoft\3.fac	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Factsoft\4.fac	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Factsoft\5.fac	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Factsoft\6.fac	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Factsoft\7.fac	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Factsoft\8.fac	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Factsoft\9.fac	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\MontserratAlternates-Bold.ttf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\MontserratAlternates-Medium.ttf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\MontserratAlternates-Regular.ttf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\NotoSansKR-Bold.otf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\NotoSansKR-Medium.otf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\NotoSansKR-Regular.otf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\NotoSansSC-Bold.otf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\NotoSansSC-Medium.otf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\NotoSansSC-Regular.otf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\NotoSansThai-Medium.ttf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\NotoSansThai-Regular.ttf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\Factsoft\Default.fac	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\NotoSansJP-Bold.ttf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\NotoSansJP-Medium.ttf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\NotoSansJP-Regular.ttf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\IBMPlexSansArabic-Bold.ttf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\IBMPlexSansArabic-Medium.ttf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\IBMPlexSansArabic-Regular.ttf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\NotoSansTC-Bold.ttf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\NotoSansTC-Medium.ttf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\NotoSansTC-Regular.ttf	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\FxSound LLC\FxSound\updater.ini	Jump to behavior

Creates a software uninstall entry

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B78F934D-616A-4FFD-9D5A-B870EF9423C2}

Jump to behavior

PE / OLE file has a valid certificate

Source: fxsound_setup.exe

Static PE information: certificate valid

PE file has a big code size

Source: fxsound_setup.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Submission file is bigger than most known malware samples

Source: fxsound_setup.exe

Static file information: File size 72388192 > 1048576

PE file has a big raw section

Source: fxsound_setup.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2c2200

PE file contains a mix of data directories often seen in goodware

Source: fxsound_setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: fxsound_setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: fxsound_setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: fxsound_setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: fxsound_setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: fxsound_setup.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: fxsound_setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: fxsound_setup.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: wininet.pdb source: fxsound_setup.exe, 00000000.00000003.2043964917.0000000009030000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbD source: fxsound_setup.exe, fxsound.x64.msi.0.dr
Source:	Binary string: C:\Users\vijay\Documents\Projects\FxSound\repo\fxsound\FxSound\Installer\DfxInstall\Release\fxdevcon32.pdb" source: fxdevcon32.exe0.2.dr
Source:	Binary string: C:\Users\vijay\Documents\Projects\fxsound-app\fxsound\Project\x64\Release\App\FxSound.pdb source: FxSound.exe, 00000013.00000002.3278409126.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe, 00000013.00000000.2280937602.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe.2.dr
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x86\Updater.pdb source: updater.exe, 00000014.00000000.2301542127.00000000008C2000.00000002.00000001.01000000.0000000E.sdmp, updater.exe, 00000014.00000002.2372303815.00000000008C2000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: C:\code32\Mains\DfxSetupDrv\Release\DfxSetupDrv.pdbNN(GCTL source: DfxSetupDrv.exe, 00000009.00000002.2179916811.000000000018A000.00000002.00000001.01000000.0000000A.sdmp, DfxSetupDrv.exe, 00000009.00000000.2165124553.000000000018A000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\Users\vijay\Documents\Projects\FxSound\repo\fxsound\FxSound\Installer\DfxInstall\Release\fxdevcon32.pdb source: fxdevcon32.exe0.2.dr
Source:	Binary string: C:\Users\vijay\Documents\Projects\FxSound\repo\fxsound\FxSound\Installer\DfxInstall\x64\Release\fxdevcon64.pdb source: fxdevcon64.exe, 00000007.00000000.2163283838.00007FF689789000.00000002.00000001.01000000.00000009.sdmp, fxdevcon64.exe, 00000007.00000002.2164772584.00007FF689789000.00000002.00000001.01000000.00000009.sdmp, fxdevcon64.exe, 0000000C.00000000.2182224115.00007FF689789000.00000002.00000001.01000000.00000009.sdmp, fxdevcon64.exe, 0000000C.00000002.2268962203.00007FF689789000.00000002.00000001.01000000.00000009.sdmp, fxdevcon64.exe0.2.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: fxsound_setup.exe, fxsound.x64.msi.0.dr, MSIA13B.tmp.2.dr
Source:	Binary string: wininet.pdbUGP source: fxsound_setup.exe, 00000000.00000003.2043964917.0000000009030000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\code32\Mains\DfxSetupDrv\Release\DfxSetupDrv.pdb source: DfxSetupDrv.exe, 00000009.00000002.2179916811.000000000018A000.00000002.00000001.01000000.0000000A.sdmp, DfxSetupDrv.exe, 00000009.00000000.2165124553.000000000018A000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\Users\Vijay\Documents\Projects\FxSound\fxsound-driver\fxvad\pcmex\x64\Release\fxvad.pdb source: drvinst.exe, 0000000F.00000003.2235465687.000001E2C1801000.00000004.00000020.00020000.00000000.sdmp, fxvad.sys1.2.dr, SETDC9C.tmp.12.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: fxsound_setup.exe, fxsound.x64.msi.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: fxsound_setup.exe, fxsound.x64.msi.0.dr, MSI9C59.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: fxsound_setup.exe
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: fxsound_setup.exe, fxsound.x64.msi.0.dr
Source:	Binary string: C:\Users\vijay\Documents\Projects\FxSound\repo\fxsound\FxSound\Installer\DfxInstall\x64\Release\fxdevcon64.pdb source: fxdevcon64.exe, 00000007.00000000.2163283838.00007FF689789000.00000002.00000001.01000000.00000009.sdmp, fxdevcon64.exe, 00000007.00000002.2164772584.00007FF689789000.00000002.00000001.01000000.00000009.sdmp, fxdevcon64.exe, 0000000C.00000000.2182224115.00007FF689789000.00000002.00000001.01000000.00000009.sdmp, fxdevcon64.exe, 0000000C.00000002.2268962203.00007FF689789000.00000002.00000001.01000000.00000009.sdmp, fxdevcon64.exe0.2.dr

PE file contains a valid data directory to section mapping

Source: fxsound_setup.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: fxsound_setup.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: fxsound_setup.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: fxsound_setup.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: fxsound_setup.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Binary contains a suspicious time stamp

Source: shi9AFE.tmp.0.dr

Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\fxsound_setup.exe

Code function: 0_2_0030AB60 SHGetFolderPathW,GetSystemDirectoryW,GetWindowsDirectoryW,GetWindowsDirectoryW,GetModuleFileNameW,SHGetSpecialFolderLocation,LoadLibraryW,GetProcAddress,GetEnvironmentVariableW,SHGetPathFromIDListW,SHGetMalloc,

0_2_0030AB60

PE file contains an invalid checksum

Source: updater.exe.2.dr

Static PE information: real checksum: 0x13d272 should be: 0x144309

PE file contains sections with non-standard names

Source: fxsound_setup.exe	Static PE information: section name: .didat
Source: shi9AFE.tmp.0.dr	Static PE information: section name: .wpp_sf
Source: shi9AFE.tmp.0.dr	Static PE information: section name: .didat
Source: MSI9C79.tmp.0.dr	Static PE information: section name: .didat
Source: updater.exe.2.dr	Static PE information: section name: .didat
Source: fxdevcon64.exe.2.dr	Static PE information: section name: _RDATA
Source: fxdevcon64.exe0.2.dr	Static PE information: section name: _RDATA
Source: MSIA13B.tmp.2.dr	Static PE information: section name: .didat
Source: MSIA313.tmp.2.dr	Static PE information: section name: .didat

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_003C069E push ecx; ret	0_2_003C06B1
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_001C2BB6 push cs; iretd	0_2_001C2BB7
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_001AF8A0 push ecx; mov dword ptr [esp], ecx	0_2_001AF8A1
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_002D1A70 push ecx; mov dword ptr [esp], 3F800000h	0_2_002D1BCF
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_001D1CFC push 8BFFFFFEh; iretd	0_2_001D1D0C
Source: C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe	Code function: 9_2_00189276 push ecx; ret	9_2_00189289
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_00882820 push ecx; ret	20_2_00882833

Persistence and Installation Behavior

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA13B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\FxSound LLC\FxSound\Drivers\ptdevcon64.exe	Jump to dropped file
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	File created: C:\Users\user\AppData\Local\Temp\{eea20620-008f-314f-bc1c-741b5c573f1e}\fxvad.sys (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x86\fxvad.sys	Jump to dropped file
Source: C:\Users\user\Desktop\fxsound_setup.exe	File created: C:\Users\user\AppData\Local\Temp\MSI9C59.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x64\fxvad.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA1B9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x86\fxdevcon32.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x86\fxdevcon32.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\FxSound LLC\FxSound\updater.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxvad.sys	Jump to dropped file
Source: C:\Users\user\Desktop\fxsound_setup.exe	File created: C:\Users\user\AppData\Local\Temp\MSI9B9B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA05E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA01F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9F91.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\fxsound_setup.exe	File created: C:\Users\user\AppData\Local\Temp\MSI9C19.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{a9706f53-a644-174a-a57d-685566a0fbfc}\fxvad.sys (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\fxsound_setup.exe	File created: C:\Users\user\AppData\Local\Temp\MSI9C79.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA313.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA237.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\FxSound LLC\FxSound\Drivers\ptdevcon32.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\FxSound LLC\FxSound\Apps\DfxInstall.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x64\fxdevcon64.exe	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{a9706f53-a644-174a-a57d-685566a0fbfc}\SETE343.tmp	Jump to dropped file
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	File created: C:\Users\user\AppData\Local\Temp\{eea20620-008f-314f-bc1c-741b5c573f1e}\SETDC9C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x86\fxvad.sys	Jump to dropped file
Source: C:\Users\user\Desktop\fxsound_setup.exe	File created: C:\Users\user\AppData\Local\Temp\shi9AFE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA0EC.tmp	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA13B.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{a9706f53-a644-174a-a57d-685566a0fbfc}\fxvad.sys (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA313.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA237.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{a9706f53-a644-174a-a57d-685566a0fbfc}\SETE343.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA1B9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA05E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9F91.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA01F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA0EC.tmp	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc daily /tn FxSound\Update /tr "'C:\Program Files\FxSound LLC\FxSound\updater.exe' /silent" /st 10:00 /f

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Windows\System32\msiexec.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\FxSound.lnk

Jump to behavior

Creates or modifies windows services

Source: C:\Windows\System32\drvinst.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FXVAD

Stores files to the Windows start menu directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FxSound	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\FxSound.lnk	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FxSound\Check for FxSound updates.lnk	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FxSound\FxSound.lnk	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Tries to open files direct via NTFS file id

Source: C:\Windows\System32\drvinst.exe	File opened: NULL
Source: C:\Windows\System32\drvinst.exe	File opened: NULL
Source: C:\Windows\System32\drvinst.exe	File opened: NULL
Source: C:\Windows\System32\drvinst.exe	File opened: NULL
Source: C:\Windows\System32\drvinst.exe	File opened: NULL
Source: C:\Windows\System32\drvinst.exe	File opened: NULL
Source: C:\Windows\System32\drvinst.exe	File opened: NULL
Source: C:\Windows\System32\drvinst.exe	File opened: NULL

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\fxsound_setup.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\fxsound_setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\FxSound LLC\FxSound\FxSound.exe	Process information set: NOGPFAULTERRORBOX

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Program Files\FxSound LLC\FxSound\updater.exe

Code function: 20_2_00801B70

20_2_00801B70

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

Contains functionality to read device registry values (via SetupAPI)

Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe

Code function: 7_2_00007FF689768C60 SetupDiGetClassDevsW,SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyW,SetupDiEnumDeviceInfo,SetupDiDestroyDeviceInfoList,SetupDiRemoveDevice,SetupDiDestroyDeviceInfoList,

7_2_00007FF689768C60

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\FxSound LLC\FxSound\Drivers\ptdevcon64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA13B.tmp	Jump to dropped file
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{eea20620-008f-314f-bc1c-741b5c573f1e}\fxvad.sys (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x86\fxvad.sys	Jump to dropped file
Source: C:\Users\user\Desktop\fxsound_setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI9C59.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x64\fxvad.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA1B9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x86\fxdevcon32.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x86\fxdevcon32.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxvad.sys	Jump to dropped file
Source: C:\Users\user\Desktop\fxsound_setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI9B9B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA05E.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\fxsound_setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI9C19.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI9F91.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA01F.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{a9706f53-a644-174a-a57d-685566a0fbfc}\fxvad.sys (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\fxsound_setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI9C79.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA313.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA237.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\FxSound LLC\FxSound\Drivers\ptdevcon32.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\FxSound LLC\FxSound\Apps\DfxInstall.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{a9706f53-a644-174a-a57d-685566a0fbfc}\SETE343.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x64\fxdevcon64.exe	Jump to dropped file
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{eea20620-008f-314f-bc1c-741b5c573f1e}\SETDC9C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x86\fxvad.sys	Jump to dropped file
Source: C:\Users\user\Desktop\fxsound_setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi9AFE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA0EC.tmp	Jump to dropped file

Found evasive API chain checking for process token information

Source: C:\Users\user\Desktop\fxsound_setup.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-65449

Found large amount of non-executed APIs

Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	API coverage: 5.1 %
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	API coverage: 5.3 %

May check if the current machine is a sandbox (GetTickCount - Sleep)

Source: C:\Program Files\FxSound LLC\FxSound\updater.exe

Code function: 20_2_00801B70

20_2_00801B70

Source: C:\Users\user\Desktop\fxsound_setup.exe	File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	File Volume queried: C:\Users\user\AppData\Roaming\FxSound LLC\FxSound 1.1.27.0\install FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	File Volume queried: C:\Users\user\AppData\Roaming\FxSound LLC\FxSound 1.1.27.0\install FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fxsound_setup.exe	File Volume queried: C:\Users\user\AppData\Roaming\FxSound LLC\FxSound 1.1.27.0\install FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_002F4900 FindFirstFileW,GetLastError,FindClose,	0_2_002F4900
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_003200C0 FindFirstFileW,FindClose,CloseHandle,CloseHandle,	0_2_003200C0
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_0031A250 FindFirstFileW,FindClose,	0_2_0031A250
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_0032A7C0 FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_0032A7C0
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_002D6B30 FindFirstFileW,FindNextFileW,FindClose,	0_2_002D6B30
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_00302C10 FindFirstFileW,FindClose,FindClose,	0_2_00302C10
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_0032AC40 FindFirstFileW,FindClose,	0_2_0032AC40
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_001B4FC0 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,	0_2_001B4FC0
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_0033DF80 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,	0_2_0033DF80
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_002F3FD0 FindFirstFileW,FindFirstFileW,FindClose,FindClose,	0_2_002F3FD0
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Code function: 7_2_00007FF6897817C0 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	7_2_00007FF6897817C0
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_007EF2B0 FindFirstFileW,GetLastError,FindClose,	20_2_007EF2B0
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_0089DE70 FindFirstFileExW,	20_2_0089DE70

Source: C:\Users\user\Desktop\fxsound_setup.exe

Code function: 0_2_00329410 GetLogicalDriveStringsW,GetDriveTypeW,Wow64DisableWow64FsRedirection,Wow64RevertWow64FsRedirection,

0_2_00329410

Source: C:\Users\user\Desktop\fxsound_setup.exe

Code function: 0_2_003BC4A7 VirtualQuery,GetSystemInfo,

0_2_003BC4A7

Source: updater.exe, 00000014.00000002.2372600001.0000000005594000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWV
Source: updater.exe, 00000014.00000002.2372600001.0000000005527000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: updater.exe, 00000014.00000002.2372600001.0000000005594000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\fxsound_setup.exe

Code function: 0_2_003C4C03 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_003C4C03

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Desktop\fxsound_setup.exe

Code function: 0_2_002EE400 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,OutputDebugStringW,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,

0_2_002EE400

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\fxsound_setup.exe

0_2_0030AB60

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_003DA0AA mov eax, dword ptr fs:[00000030h]	0_2_003DA0AA
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_003CCB0C mov ecx, dword ptr fs:[00000030h]	0_2_003CCB0C
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_003BF57D mov esi, dword ptr fs:[00000030h]	0_2_003BF57D
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_0089C969 mov eax, dword ptr fs:[00000030h]	20_2_0089C969
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_0086A843 mov esi, dword ptr fs:[00000030h]	20_2_0086A843
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_00893660 mov ecx, dword ptr fs:[00000030h]	20_2_00893660

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\fxsound_setup.exe

Code function: 0_2_003BF5E9 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

0_2_003BF5E9

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Program Files\FxSound LLC\FxSound\FxSound.exe "C:\Program Files\FxSound LLC\FxSound\\FxSound.exe" @

Jump to behavior

Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_001D38E0 __set_se_translator,SetUnhandledExceptionFilter,	0_2_001D38E0
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_003C006E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_003C006E
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_001E01D0 __set_se_translator,SetUnhandledExceptionFilter,	0_2_001E01D0
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: 0_2_003C4C03 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_003C4C03
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Code function: 7_2_00007FF689772AA8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00007FF689772AA8
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Code function: 7_2_00007FF68976D168 SetUnhandledExceptionFilter,	7_2_00007FF68976D168
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Code function: 7_2_00007FF68976C4D8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00007FF68976C4D8
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Code function: 7_2_00007FF68976CFC0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00007FF68976CFC0
Source: C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe	Code function: 9_2_00188C17 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_00188C17
Source: C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe	Code function: 9_2_00189074 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00189074
Source: C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe	Code function: 9_2_001891D6 SetUnhandledExceptionFilter,	9_2_001891D6
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_008820A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_008820A0
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_008829A8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_008829A8
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_00882B35 SetUnhandledExceptionFilter,	20_2_00882B35
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: 20_2_00886E63 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_00886E63

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe "C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe" remove *DFX12	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe "C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe" check	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe "C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe" install "C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxvad.inf"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc daily /tn FxSound\Update /tr "'C:\Program Files\FxSound LLC\FxSound\updater.exe' /silent" /st 10:00 /f	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\Desktop\fxsound_setup.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\fxsound llc\fxsound 1.1.27.0\install\fxsound.x64.msi" ai_setupexepath=c:\users\user\desktop\fxsound_setup.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1735396057 " ai_euimsi=""
Source: C:\Users\user\Desktop\fxsound_setup.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "c:\windows\system32\msiexec.exe" /i "c:\users\user\appdata\roaming\fxsound llc\fxsound 1.1.27.0\install\fxsound.x64.msi" ai_setupexepath=c:\users\user\desktop\fxsound_setup.exe setupexedir=c:\users\user\desktop\ exe_cmd_line="/exenoupdates /forcecleanup /wintime 1735396057 " ai_euimsi=""			Jump to behavior

Source: C:\Program Files\FxSound LLC\FxSound\updater.exe

Code function: 20_2_00854900 GetLastError,LocalAlloc,GetLastError,LocalFree,LocalFree,GetLastError,LocalFree,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,GetLastError,LocalFree,SetSecurityDescriptorDacl,GetLastError,LocalFree,

20_2_00854900

Source: C:\Users\user\Desktop\fxsound_setup.exe

Code function: 0_2_002EF600 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,CloseHandle,

0_2_002EF600

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe

Code function: 7_2_00007FF6897811E0 cpuid

7_2_00007FF6897811E0

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_003E205F
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: GetLocaleInfoW,	0_2_003E2260
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: EnumSystemLocalesW,	0_2_003E2307
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: EnumSystemLocalesW,	0_2_003E2352
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: EnumSystemLocalesW,	0_2_003E23ED
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,	0_2_003224B0
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_003E2480
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: GetLocaleInfoW,	0_2_003E26E0
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_003E2809
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: GetLocaleInfoW,	0_2_003E290F
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_003E29DE
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: EnumSystemLocalesW,	0_2_003D978D
Source: C:\Users\user\Desktop\fxsound_setup.exe	Code function: GetLocaleInfoW,	0_2_003D9D4A
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	7_2_00007FF689785180
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	7_2_00007FF689784CCC
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	7_2_00007FF689785524
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Code function: GetLocaleInfoW,	7_2_00007FF6897853CC
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Code function: GetLocaleInfoW,	7_2_00007FF68977C430
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	7_2_00007FF689785700
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Code function: GetLocaleInfoW,	7_2_00007FF6897855D4
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Code function: EnumSystemLocalesW,	7_2_00007FF6897850E8
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Code function: EnumSystemLocalesW,	7_2_00007FF68977BFF0
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Code function: EnumSystemLocalesW,	7_2_00007FF689785018
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,	20_2_007EC6D0
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	20_2_008A0A1F
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: EnumSystemLocalesW,	20_2_008A0CC7
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: EnumSystemLocalesW,	20_2_008A0DAD
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: EnumSystemLocalesW,	20_2_008A0D12
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	20_2_008A0E40
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: GetLocaleInfoW,	20_2_008A10A0
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	20_2_008A11C9
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: GetLocaleInfoW,	20_2_008A12CF
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	20_2_008A139E
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: GetLocaleInfoEx,	20_2_00881BFD
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: EnumSystemLocalesW,	20_2_0089AC5D
Source: C:\Program Files\FxSound LLC\FxSound\updater.exe	Code function: GetLocaleInfoW,	20_2_0089B1DA

Queries device information via Setup API

Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe

7_2_00007FF689768C60

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\fxsound_setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	Queries volume information: C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxvadntamd64.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Queries volume information: C:\Windows\System32\DriverStore\Temp\{a9706f53-a644-174a-a57d-685566a0fbfc}\fxvadNTAMD64.cat VolumeInformation

Source: C:\Users\user\Desktop\fxsound_setup.exe

Code function: 0_2_003394F0 CreateNamedPipeW,CreateFileW,

0_2_003394F0

Source: C:\Users\user\Desktop\fxsound_setup.exe

Code function: 0_2_002EE310 GetLocalTime,

0_2_002EE310

Source: C:\Users\user\Desktop\fxsound_setup.exe

Code function: 0_2_00337E70 GetUserNameW,GetLastError,GetUserNameW,GetEnvironmentVariableW,GetEnvironmentVariableW,RegDeleteValueW,RegCloseKey,RegQueryInfoKeyW,RegCloseKey,RegCloseKey,RegDeleteKeyW,RegCloseKey,RegDeleteValueW,RegCloseKey,

0_2_00337E70

Source: C:\Program Files\FxSound LLC\FxSound\updater.exe

Code function: 20_2_0089BA84 GetTimeZoneInformation,

20_2_0089BA84

Source: C:\Users\user\Desktop\fxsound_setup.exe

Code function: 0_2_00197B50 GetVersionExW,GetVersionExW,IsProcessorFeaturePresent,

0_2_00197B50

Source: C:\Users\user\Desktop\fxsound_setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	12 Native API	1 LSASS Driver	1 LSASS Driver	1 Disable or Modify Tools	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	13 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	21 Windows Service	21 Windows Service	2 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Scheduled Task/Job	12 Process Injection	1 Timestomp	NTDS	4 File and Directory Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	2 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 DLL Side-Loading	LSA Secrets	47 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	1 File Deletion	Cached Domain Credentials	2 Query Registry	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	33 Masquerading	DCSync	141 Security Software Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Process Injection	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
fxsound_setup.exe	0%	ReversingLabs
fxsound_setup.exe	1%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Program Files\FxSound LLC\FxSound\Apps\DfxInstall.dll	0%	ReversingLabs
C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe	0%	ReversingLabs
C:\Program Files\FxSound LLC\FxSound\Drivers\ptdevcon32.exe	0%	ReversingLabs
C:\Program Files\FxSound LLC\FxSound\Drivers\ptdevcon64.exe	0%	ReversingLabs
C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe	0%	ReversingLabs
C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxvad.sys	0%	ReversingLabs
C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x86\fxdevcon32.exe	0%	ReversingLabs
C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x86\fxvad.sys	0%	ReversingLabs
C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x64\fxdevcon64.exe	0%	ReversingLabs
C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x64\fxvad.sys	0%	ReversingLabs
C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x86\fxdevcon32.exe	0%	ReversingLabs
C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x86\fxvad.sys	0%	ReversingLabs
C:\Program Files\FxSound LLC\FxSound\FxSound.exe	0%	ReversingLabs
C:\Program Files\FxSound LLC\FxSound\updater.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI9B9B.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI9C19.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI9C59.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI9C79.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\shi9AFE.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{eea20620-008f-314f-bc1c-741b5c573f1e}\SETDC9C.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{eea20620-008f-314f-bc1c-741b5c573f1e}\fxvad.sys (copy)	0%	ReversingLabs
C:\Windows\Installer\MSI9F91.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIA01F.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIA05E.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIA0EC.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIA13B.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIA1B9.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIA237.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIA313.tmp	0%	ReversingLabs
C:\Windows\System32\DriverStore\Temp\{a9706f53-a644-174a-a57d-685566a0fbfc}\SETE343.tmp	0%	ReversingLabs
C:\Windows\System32\DriverStore\Temp\{a9706f53-a644-174a-a57d-685566a0fbfc}\fxvad.sys (copy)	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://forum.fxsound.com	0%	Avira URL Cloud	safe
https://forum.fxsound.comARPURLUPDATEINFOhttps://www.fxsound.com/changelogMsiLoggingvpAiFeatIcoMainF	0%	Avira URL Cloud	safe
https://james722808.typeform.com/to/QfEP5QrPhttps://www.fxsound.com/learning-centerhttps://www.fxsou	0%	Avira URL Cloud	safe
http://www.fxsound.com6d	0%	Avira URL Cloud	safe
https://james722808.typeform.com/to/QfEP5QrP	0%	Avira URL Cloud	safe
https://download.fxsound.com/fxsoundlatest	0%	Avira URL Cloud	safe
https://download.fxsound.com/updates	0%	Avira URL Cloud	safe
https://forum.fxsound.comp	0%	Avira URL Cloud	safe
http://www.fxsound.comgmS	0%	Avira URL Cloud	safe
https://download.fxsound.com/updatester	0%	Avira URL Cloud	safe
https://forum.fxsound.comture	0%	Avira URL Cloud	safe
http://www.fxsound.comd	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
github.com	20.233.83.145	true	false		high
raw.githubusercontent.com	185.199.109.133	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://github.com/fxsound2/fxsound-app/raw/latest/release/updates.txt	false		high
https://raw.githubusercontent.com/fxsound2/fxsound-app/latest/release/updates.txt	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/fxsound2/fxsound-app/raw/latest/release/updates.txt8A	updater.exe, 00000014.00000002.2372600001.0000000005571000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.fxsound.com/learning-center	MSIa9cd2.LOG.2.dr	false		high
http://www.fxsound.com	fxdevcon64.exe, 0000000C.00000003.2190911405.000001F48263A000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2209577069.000001F482654000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2188459939.000001F482603000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2267084024.000001F482684000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2267084024.000001F482690000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2208962787.000001F482686000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2209730003.000001F482683000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2209730003.000001F482696000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2203424083.000001F482689000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2212475922.000001F482654000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2212386592.000001F482685000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2212560157.000001F482673000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000002.2268559114.000001F482685000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2229546121.000001E2C146F000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2232814582.000001E2C1468000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2225371207.000001E2C13DC000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2221505302.000001E2C13E3000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2224162247.000001E2C13E8000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2222098810.000001E2C13E5000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2223933393.000001E2C13F9000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2244256218.000001E2C1462000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/f	updater.exe, 00000014.00000002.2372767310.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000003.2351901944.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000003.2370029254.00000000055A4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://forms.gle/ATx1ayXDWRaMdiR59Take	FxSound.exe, 00000013.00000002.3278409126.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe, 00000013.00000000.2280937602.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe.2.dr	false		high
https://www.fxsound.com/learning-centerButtonText_BrowseBr&owse...AI_REQUIRED_WINDOWS_INSTALLER_VERS	fxsound.x64.msi.0.dr	false		high
https://github.com/fxsound2/fxsound-app/raw/latest/release/updates.txt)Pz	updater.exe, 00000014.00000002.2372600001.0000000005571000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.microsoft.co	drvinst.exe, 0000000F.00000003.2246968450.000001E2C1456000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2246494824.000001E2C144B000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2243769065.000001E2C144B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sketch.com	FxSound.exe.2.dr	false		high
https://www.fxsound.com/changelogbebe	fxsound_setup.exe, 00000000.00000003.2285344952.000000000A2A5000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2283943266.000000000A29D000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000002.2288109809.000000000A2A6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://forum.fxsound.comARPURLUPDATEINFOhttps://www.fxsound.com/changelogMsiLoggingvpAiFeatIcoMainF	fxsound.x64.msi.0.dr	false	Avira URL Cloud: safe	unknown
https://www.fxsound.com/presets	FxSound.exe, 00000013.00000002.3278409126.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe, 00000013.00000000.2280937602.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe.2.dr	false		high
https://github.com/fxsound2/fxsound-app	FxSound.exe, 00000013.00000002.3278409126.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe, 00000013.00000000.2280937602.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe.2.dr	false		high
https://www.fxsound.com/learning-center/no-sound-with-fxsound-realtek	FxSound.exe.2.dr	false		high
https://www.fxsound.com/learning-centerc	fxsound_setup.exe, 00000000.00000003.2285344952.000000000A2A5000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2283943266.000000000A29D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/fxsound2/fxsound-app/raw/latest/release/fxsound_setup.exel	updater.exe, 00000014.00000002.2372600001.0000000005594000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.fxsound.com/presetsp	FxSound.exe, 00000013.00000002.3278409126.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe, 00000013.00000000.2280937602.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe.2.dr	false		high
https://github.com/fxsound2/fxsound-appGitHubhttps://www.fxsound.com/changelogClick	FxSound.exe, 00000013.00000002.3278409126.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe, 00000013.00000000.2280937602.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe.2.dr	false		high
https://github.com/fxsound2/fxsound-app/raw/latest/release/updates.txt3Qz	updater.exe, 00000014.00000003.2351977929.00000000055E7000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000003.2351901944.00000000055E7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fxsound.comgmS	drvinst.exe, 00000010.00000002.2266111094.0000024DFA91D000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000010.00000003.2265191260.0000024DFA91C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/	updater.exe, 00000014.00000002.2372600001.0000000005527000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.fxsound.com/blog/fxsound-is-now-completely-freex	fxsound_setup.exe, 00000000.00000003.2284385273.0000000004AF1000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2284951538.0000000004AF5000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2098741736.0000000004AE2000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000002.2287047452.0000000004AF7000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2283804568.0000000004AE2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.fxsound.com/support	FxSound.exe, 00000013.00000002.3277982536.0000020BA57F8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://james722808.typeform.com/to/QfEP5QrP	FxSound.exe, 00000013.00000002.3278409126.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe, 00000013.00000000.2280937602.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe.2.dr	false	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/fxsound2/fxsound-app/latest/release/updates.txtt	updater.exe, 00000014.00000002.2372600001.0000000005571000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.paypal.com/donate/?hosted_button_id=JVNQGYXCQ2GPG	FxSound.exe, 00000013.00000002.3278409126.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe, 00000013.00000000.2280937602.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe.2.dr	false		high
https://james722808.typeform.com/to/QfEP5QrPhttps://www.fxsound.com/learning-centerhttps://www.fxsou	FxSound.exe, 00000013.00000002.3278409126.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe, 00000013.00000000.2280937602.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe.2.dr	false	Avira URL Cloud: safe	unknown
http://www.fxsound.com6d	fxdevcon64.exe, 0000000C.00000003.2267057009.000001F4826B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.fxsound.com/blog/fxsound-is-now-completely-free	fxsound_setup.exe, 00000000.00000002.2287946076.000000000A274000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2284306395.000000000A274000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2284158640.000000000A273000.00000004.00000020.00020000.00000000.sdmp	false		high
https://download.fxsound.com/updatester	updater.exe, 00000014.00000002.2372600001.0000000005527000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://forum.fxsound.com	MSIa9cd2.LOG.2.dr	false	Avira URL Cloud: safe	unknown
https://www.fxsound.com/learning-centerD	fxsound_setup.exe, 00000000.00000003.2285344952.000000000A2A5000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2283943266.000000000A29D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://forum.fxsound.comp	fxsound_setup.exe, 00000000.00000003.2284775353.000000000A2B0000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2285416674.000000000A2B8000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2100512147.000000000A2AC000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000002.2288227528.000000000A2B9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://download.fxsound.com/fxsoundlatest	updater.exe, 00000014.00000003.2371762754.0000000007CE0000.00000004.00000800.00020000.00000000.sdmp, updater.exe, 00000014.00000003.2370070906.00000000055E1000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000002.2372767310.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000002.2372600001.0000000005594000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000003.2369947901.00000000055EA000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000002.2372767310.00000000055E2000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000003.2370029254.00000000055A4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://forms.gle/ATx1ayXDWRaMdiR59	FxSound.exe, 00000013.00000002.3278409126.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe, 00000013.00000000.2280937602.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe.2.dr	false		high
https://download.fxsound.com/updates	fxsound_setup.exe, 00000000.00000003.2098741736.0000000004AE2000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2043582324.000000000A2D8000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2039676815.0000000004B04000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2284219841.0000000004B3F000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2283804568.0000000004AE2000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000003.2303025554.0000000007120000.00000004.00000800.00020000.00000000.sdmp, MSIa9cd2.LOG.2.dr	false	Avira URL Cloud: safe	unknown
https://forum.fxsound.comture	fxsound_setup.exe, 00000000.00000003.2284775353.000000000A2B0000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2285416674.000000000A2B8000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2100512147.000000000A2AC000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000002.2288227528.000000000A2B9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.fxsound.com/changelogbebex	fxsound_setup.exe, 00000000.00000003.2285344952.000000000A2A5000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2283943266.000000000A29D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.micr	fxsound_setup.exe	false		high
https://www.fxsound.com/changelog	MSIa9cd2.LOG.2.dr	false		high
https://raw.githubusercontent.com/	updater.exe, 00000014.00000002.2372600001.0000000005527000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000002.2372767310.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000003.2351901944.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000003.2370029254.00000000055A4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/fxsound2/fxsound-app/raw/latest/release/fxsound_setup.exe	updater.exe, 00000014.00000002.2372600001.0000000005594000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000003.2369947901.00000000055EA000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000002.2372767310.00000000055E2000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000003.2370029254.00000000055A4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.fxsound.com/changelogLAYd:	fxsound_setup.exe, 00000000.00000003.2285344952.000000000A2A5000.00000004.00000020.00020000.00000000.sdmp, fxsound_setup.exe, 00000000.00000003.2283943266.000000000A29D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fxsound.comd	fxdevcon64.exe, 0000000C.00000003.2267057009.000001F4826B8000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2195865438.000001F482628000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2212386592.000001F48267F000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2191006789.000001F482612000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2209577069.000001F482654000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2190911405.000001F482640000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2188314667.000001F48260A000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2208962787.000001F482654000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2209814017.000001F482673000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2190975887.000001F482647000.00000004.00000020.00020000.00000000.sdmp, fxdevcon64.exe, 0000000C.00000003.2203394404.000001F4826AA000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2225181819.000001E2C13FC000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2225416333.000001E2C1406000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2230251275.000001E2C1405000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2236201403.000001E2C14AD000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2236221555.000001E2C145A000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2243769065.000001E2C14AC000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2246897395.000001E2C145A000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2223511412.000001E2C1404000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2246469609.000001E2C14AC000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000F.00000003.2221505302.000001E2C13DB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/N	updater.exe, 00000014.00000003.2351901944.00000000055A4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/T	updater.exe, 00000014.00000003.2351901944.00000000055A4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.fxsound.com/learning-center/installation-troubleshooting	FxSound.exe, 00000013.00000002.3277982536.0000020BA581A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/0u	updater.exe, 00000014.00000002.2372600001.0000000005527000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.fxsound.com/supporthttps://www.fxsound.com/learning-center/installation-troubleshooting	FxSound.exe, 00000013.00000002.3278409126.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe, 00000013.00000000.2280937602.00007FF79AA3A000.00000002.00000001.01000000.0000000B.sdmp, FxSound.exe.2.dr	false		high
https://raw.githubusercontent.com/fxsound2/fxsound-app/latest/release/updates.txtL	updater.exe, 00000014.00000002.2372600001.0000000005571000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/fxsound2/fxsound-app/latest/release/updates.txtA	updater.exe, 00000014.00000002.2372767310.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000003.2351901944.00000000055A4000.00000004.00000020.00020000.00000000.sdmp, updater.exe, 00000014.00000003.2370029254.00000000055A4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://juce.com	FxSound.exe.2.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.199.109.133	raw.githubusercontent.com	Netherlands		54113	FASTLYUS	false
20.233.83.145	github.com	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581679
Start date and time:	2024-12-28 15:30:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	fxsound_setup.exe
Detection:	MAL
Classification:	mal48.evad.winEXE@28/123@2/2
EGA Information:	Successful, ratio: 80%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target FxSound.exe, PID 1988 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:31:27	Task Scheduler	Run new task: Update path: "C:\Program Files\FxSound LLC\FxSound\updater.exe" s>/silent

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.199.109.133	cr_asm3.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	gabe.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	5UIy3bo46y.dll	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	HQsitBLlOv.dll	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	steamcodegenerator.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	OSLdZanXNc.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	steamcodegenerator.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dll	Get hash	malicious	Metasploit	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt
	SecuriteInfo.com.Win64.MalwareX-gen.11827.5130.dll	Get hash	malicious	AsyncRAT, XWorm	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt
20.233.83.145	Y5kEUsYDFr.exe	Get hash	malicious	Unknown	Browse	github.com/keygroup777-Ransomware/DOWNLOADER/raw/refs/heads/main/telefron.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
raw.githubusercontent.com	OiMp3TH.exe	Get hash	malicious	LummaC	Browse	185.199.108.133
	8lOT1rXZp5.exe	Get hash	malicious	RedLine	Browse	185.199.111.133
	Purchase Order No. G02873362-Docx.vbs	Get hash	malicious	LodaRAT, XRed	Browse	185.199.108.133
	YYjRtxS70h.exe	Get hash	malicious	Unknown	Browse	185.199.109.133
	YYjRtxS70h.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	185.199.110.133
	Navan - Itinerary.pdf.scr.exe	Get hash	malicious	LummaC	Browse	185.199.110.133
	BigProject.exe	Get hash	malicious	LummaC	Browse	185.199.110.133
	Set-up!.exe	Get hash	malicious	LummaC	Browse	185.199.108.133
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	185.199.108.133
github.com	Electrum-bch-4.4.2-x86_64.AppImage.elf	Get hash	malicious	Unknown	Browse	185.199.111.133
	OiMp3TH.exe	Get hash	malicious	LummaC	Browse	20.233.83.145
	YYjRtxS70h.exe	Get hash	malicious	Unknown	Browse	20.233.83.145
	YYjRtxS70h.exe	Get hash	malicious	Unknown	Browse	20.233.83.145
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	20.233.83.145
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	20.233.83.145
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	20.233.83.145
	ORDER-241221K6890PF57682456POC7893789097393.j.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	20.233.83.145
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	20.233.83.145
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	20.233.83.145

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	Hwacaj.exe	Get hash	malicious	Darkbot	Browse	151.101.66.137
	rpDOUhuBC5.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	rpDOUhuBC5.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	https://www.dropbox.com/scl/fi/lncgsm76k7l5ix7fuu5t6/2024-OK-House-Outreach.pdf?rlkey=o4qr50zpdw1z14o6ikdg6zjt8&st=lrloyzlo&dl=0	Get hash	malicious	Unknown	Browse	151.101.1.229
	http://track.rbfcu.org/y.z?l=https://google.com/amp/s/t.ly/5SpZS&r=14387614172&d=18473&p=2&t=h	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137
	http://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=N_pyUL0QJkeR_KiXHZsVlyTB1Qoy7S9IkE8Ogzl8coFUMFBJSDkxQ0w3VVZMNFJFUlNDRVkyU05CUi4u	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	Electrum-bch-4.4.2-x86_64.AppImage.elf	Get hash	malicious	Unknown	Browse	185.199.111.133
	w22319us3M.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.199.109.133
	OiMp3TH.exe	Get hash	malicious	LummaC	Browse	185.199.108.133
	https://dnsextension.pro/invoice/d2d0bf8701b34bc296ca83b956c10720	Get hash	malicious	Unknown	Browse	151.101.129.229
MICROSOFT-CORP-MSN-AS-BLOCKUS	phish_alert_iocp_v1.4.48 - 2024-12-27T140703.193.eml	Get hash	malicious	Unknown	Browse	52.109.76.243
	https://greensofttech1-my.sharepoint.com/:f:/g/personal/stella_huang_greensofttech1_onmicrosoft_com/EuOSopXBEUpFhaHAwqFRDM8BeWLY-Gsl0U9Az2fOy4x80A?e=GhPegT&xsdata=MDV8MDJ8TVB1Z2FAaHljaXRlLmNvbXxjMDM5NmJhZjcxOTM0YzBkMTc3ZDA4ZGQxMzcwNWQ3MnxmYzVjNjhmNjk3ZjM0ZWZlYjY4OWViNWMxMjM0ZjgyMXwwfDB8NjM4Njg4MDk1NTQ0NTA0NzA2fFVua25vd258VFdGcGJHWnNiM2Q4ZXlKRmJYQjBlVTFoY0draU9uUnlkV1VzSWxZaU9pSXdMakF1TURBd01DSXNJbEFpT2lKWGFXNHpNaUlzSWtGT0lqb2lUV0ZwYkNJc0lsZFVJam95ZlE9PXwwfHx8&sdata=SVpsejJNYUlwY213VjNreGxSNU1LaFJXcnpXS3pwWjhYR2k5ZUthLzlsMD0%3d	Get hash	malicious	HTMLPhisher	Browse	104.47.55.156
	https://greensofttech1-my.sharepoint.com/:f:/g/personal/stella_huang_greensofttech1_onmicrosoft_com/EuOSopXBEUpFhaHAwqFRDM8BeWLY-Gsl0U9Az2fOy4x80A?e=GhPegT&xsdata=MDV8MDJ8TVB1Z2FAaHljaXRlLmNvbXxjMDM5NmJhZjcxOTM0YzBkMTc3ZDA4ZGQxMzcwNWQ3MnxmYzVjNjhmNjk3ZjM0ZWZlYjY4OWViNWMxMjM0ZjgyMXwwfDB8NjM4Njg4MDk1NTQ0NTA0NzA2fFVua25vd258VFdGcGJHWnNiM2Q4ZXlKRmJYQjBlVTFoY0draU9uUnlkV1VzSWxZaU9pSXdMakF1TURBd01DSXNJbEFpT2lKWGFXNHpNaUlzSWtGT0lqb2lUV0ZwYkNJc0lsZFVJam95ZlE9PXwwfHx8&sdata=SVpsejJNYUlwY213VjNreGxSNU1LaFJXcnpXS3pwWjhYR2k5ZUthLzlsMD0%3d	Get hash	malicious	HTMLPhisher	Browse	104.47.55.156
	w22319us3M.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	20.233.83.145
	JA7cOAGHym.exe	Get hash	malicious	Vidar	Browse	204.79.197.219
	OiMp3TH.exe	Get hash	malicious	LummaC	Browse	20.233.83.145
	5uVReRlvME.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Remcos, Stealc	Browse	20.233.83.145
	DRWgoZo325.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar	Browse	20.189.173.22
	aD7D9fkpII.exe	Get hash	malicious	Vidar	Browse	204.79.197.219
	installer.bat	Get hash	malicious	Vidar	Browse	20.42.73.30

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	test5.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	185.199.109.133 20.233.83.145
	tzA45NGAW4.lnk	Get hash	malicious	Unknown	Browse	185.199.109.133 20.233.83.145
	soft 1.14.exe	Get hash	malicious	Meduza Stealer	Browse	185.199.109.133 20.233.83.145
	solara-executor.exe	Get hash	malicious	Unknown	Browse	185.199.109.133 20.233.83.145
	Setup.exe	Get hash	malicious	Unknown	Browse	185.199.109.133 20.233.83.145
	Setup.exe	Get hash	malicious	Unknown	Browse	185.199.109.133 20.233.83.145
	setup.msi	Get hash	malicious	Unknown	Browse	185.199.109.133 20.233.83.145
	search.hta	Get hash	malicious	Unknown	Browse	185.199.109.133 20.233.83.145
	TrdIE26br9.msi	Get hash	malicious	Unknown	Browse	185.199.109.133 20.233.83.145
	JA7cOAGHym.exe	Get hash	malicious	Vidar	Browse	185.199.109.133 20.233.83.145

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files\FxSound LLC\FxSound\Drivers\ptdevcon32.exe	fxsound_setup.exe	Get hash	malicious	Unknown	Browse
C:\Program Files\FxSound LLC\FxSound\Drivers\ptdevcon32.exe	fxsound_setup.exe	Get hash	malicious	Unknown	Browse
C:\Program Files\FxSound LLC\FxSound\Drivers\ptdevcon64.exe	fxsound_setup.exe	Get hash	malicious	Unknown	Browse
C:\Program Files\FxSound LLC\FxSound\Drivers\ptdevcon64.exe	fxsound_setup.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Config.Msi\3a9dfd.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	18858
Entropy (8bit):	5.770484749167906
Encrypted:	false
SSDEEP:	384:whsjYmdfTIp+yKcHZbjylkjIJnjIJd9a32:wOjldfTIpbIijYnjYr42
MD5:	12A45B07B30905458FF7AC14355A4823
SHA1:	519770F7D73068BD7F408A8A8C6D44FA2011D31F
SHA-256:	E731D8690F62B1D8D0BB577F6DB0754640A06A5784C866FB1105BD95A2B9A12B
SHA-512:	B42BC9F6A8D958B955881537D7A127D39941844FF0AB166AA76A89D7E35D113DEB778DC142220AA81F66C627E68C3B7A2794D7DAA678AB0D5FDA9E1D88C7099B
Malicious:	false
Preview:	...@IXOS.@.....@.K.Y.@.....@.....@.....@.....@.....@......&.{B78F934D-616A-4FFD-9D5A-B870EF9423C2}..FxSound..fxsound.x64.msi.@.....@.....@.....@......fxsound.exe..&.{F8899042-579C-4B39-839E-F6772D559DC5}.....@.....@.....@.....@.......@.....@.....@.......@......FxSound......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{215927B7-6543-4106-B941-F33B96B65E3B}&.{B78F934D-616A-4FFD-9D5A-B870EF9423C2}.@......&.{82E872A6-8D59-4785-92C3-8BBFF79EB0E4}&.{B78F934D-616A-4FFD-9D5A-B870EF9423C2}.@......&.{E6F40D13-6200-4931-A7A2-6142F7821778}&.{B78F934D-616A-4FFD-9D5A-B870EF9423C2}.@......&.{EE536E27-12E6-4F20-A3E7-6A073AED85CB}&.{B78F934D-616A-4FFD-9D5A-B870EF9423C2}.@......&.{FF4D6223-08FD-4830-A07F-C3307A8FA1B5}&.{B78F934D-616A-4FFD-9D5A-B870EF9423C2}.@......&.{F8459A73-F385-4ED6-809A-50204A74B04F}&.{B78F934D-616A-4FFD-9D5A-B870EF9423C2}.@......&.{D56B8D69-2366-40AF-BA27-0E50E5434C55}&.{B78F934D-616A-4F

C:\Program Files\FxSound LLC\FxSound\Apps\DfxInstall.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	128920
Entropy (8bit):	6.532897442626184
Encrypted:	false
SSDEEP:	3072:t2XK2Ncn8sLtc666YCM/QVMmFbeN/dor5jwMLhynD3:QcttcyYP4tEor2ehynb
MD5:	ADEC0DFB1782E399A2E0E21BB2A52DC3
SHA1:	C7067BE7B766EE137F7A622728EE895BF74533CE
SHA-256:	6371F096E3E9324F3C559CDF504168490AE049BA30E790471F9904E97BB5847C
SHA-512:	7895D1E6C05B9214A336A4656FA455071F2A0BFBDE35C755B095156601A56965752D3643A8E7521BB1CD9962FB211A9EA14719EF06A1AFA584EBCCAE08658AB8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................>......>......>........................................e..................Rich...........PE..L......e...........!...$.4...................P............................... .......2....@....................................x........................)..............p...........................H...@............P...............................text...\|3.......4.................. ..`.rdata...q...P...r...8..............@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	66968
Entropy (8bit):	6.422276836597039
Encrypted:	false
SSDEEP:	1536:p9XQDo3evkZGiX4WU5LraxxpHC2F6oDE6496io2lcefUKIto2qfAF0EaFY2yOFaN:TXWo3e8wiX4WU5LraTpHC2F6oDR491ov
MD5:	6CC7FD49BEE71A54AA659E30DEA8903D
SHA1:	1EF81F57626E6516A46EA8E69F1AE83FCE6C5CFE
SHA-256:	EBC764A3B96C31A34F1CD9BA94DEE8CD107AA7A8B45030FCDBBCEEE0EAFB4E25
SHA-512:	8D0F8F1B2BDA0E734F6A3D85551FF94DFE0C466C57E973057851EBAC1D9EB559FDCDCAC2F82C53B40FE808CAA31C5B3BCE84802242FF4DCFC4E722FAFF60056F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........'.j.t.j.t.j.t../t.j.t.4.u.j.t.4.u.j.t.4.u.j.t.4.u.j.t\4.u.j.t...u.j.t...u.j.t...u.j.t.j.tEj.t\4.u.j.t\4Ct.j.t\4.u.j.tRich.j.t........................PE..L.....&`....................."......S.............@.................................J.....@.....................................@........................)..........`...p...............................@............................................text............................... ..`.rdata...=.......>..................@..@.data...x...........................@....gfids..P...........................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Program Files\FxSound LLC\FxSound\Drivers\ptdevcon32.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	209896
Entropy (8bit):	6.180609423723243
Encrypted:	false
SSDEEP:	3072:+ug+dP/Gc/vj7lxXdE/WgetVLFWPLFKmTRY81WVdSWRWiBQ:+6P/BzzC+getVLFWPZQlc
MD5:	B94BDE258AFA7DA0A9CD3FEB22A64EDD
SHA1:	D3867CEF5939CF4F73EAEC32EBD72D354C40B534
SHA-256:	3C44390B0C3CA51707EB977373788C155AF5F8197E3CE6D61F2775AF5B204FFF
SHA-512:	A74B6754544C6A188D59A24449271DF2519A7E54AD88F55F7CBDC50D8B7F2FE24297D0E84A39AA6E6CB3607926D9C49293B0F4092E3158E2353AE4C308EEBB8C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: fxsound_setup.exe, Detection: malicious, Browse Filename: fxsound_setup.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y.w...w...w..Q....w..Q...{w..Q....w......w......w......w......w..8.(..w...w..Aw......w......w...wt..w...*...w..Rich.w..........................PE..L......^.............................G............@..................................u....@..................................7..x........................#...`.......(..p............................)..@............................................text............................... ..`.rdata..............................@..@.data...03...P.......8..............@....gfids...............D..............@..@.rsrc................F..............@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................

C:\Program Files\FxSound LLC\FxSound\Drivers\ptdevcon64.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	239592
Entropy (8bit):	6.003536434480152
Encrypted:	false
SSDEEP:	3072:fWGh+NCEVePaUS11HF7isSN1W1q7KZXB/W5Sho8VRnK/qZWRWf:+tNCOrUS17VSNwqOnK/du
MD5:	4EAC440540483593DB5EDE2F7203417B
SHA1:	9C09D1CF19C6B7AED59D263EC560460475AEAA5D
SHA-256:	0DC27FF7BFB0D75FC6FCE439BC1AF557E68A18DED441DDEA8705DB6BF8DF9A4F
SHA-512:	874FD7A73226D74D5EE664FEAFBF29BB0DDF474891D43BB8CBE397CF9751A53CFECC1A981D3E39E25DA7228E0089B28170E603F14DE6455F9FFFFF0B4729CD68
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: fxsound_setup.exe, Detection: malicious, Browse Filename: fxsound_setup.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=v^.S%^.S%^.S%.~.%[.S%.~.%..S%.~.%S.S%=.P$V.S%=.V$x.S%=.W$K.S%0.V$U.S%...%Q.S%^.R%..S%0.Z$V.S%0..%_.S%^..%_.S%0.Q$_.S%Rich^.S%................PE..d..."..^.........."..................N.........@....................................L.....`.....................................................x....0...................#..............p...........................0................................................text............................... ..`.rdata..\|...........................@..@.data....=..........................@....pdata..............................@..@.gfids....... ......................@..@.rsrc........0......................@..@.reloc...............\|..............@..B........................................................................................................................................................................................

C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	269720
Entropy (8bit):	6.338088287409019
Encrypted:	false
SSDEEP:	6144:trRV8AjsaX6xJMmp/LyFEJ3tI8TD9BTzxlKohK4z+5AtX:h/OTMuTyeJGI9Bpso8KX
MD5:	173973C091A72EBBE73C9578EF5D00B1
SHA1:	D92045A9DAF39606B71BCFC75C4E8E0830845D78
SHA-256:	F15415185611C7FB5AC97E00EA3452BC7EFB0C32953DEFE27C5C5D5987F3E256
SHA-512:	50AF7169071840F366A7594BF72B2FC5273821AC54800955BE6B290B703D192A12CAEC60388ED7000061E74B916FCEB2C87A2BC1E39019955A570C65C4B5F839
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........n............}......}.....w.....w......w.....}.b...}.......A..Hv....Hv....Hv=....Hv.....Rich...........................PE..d.....b.........."......\|..........D..........@.............................P......h.....`.........................................................0..........4#.......)...@.......o..p...........................Pn..@............................................text....z.......\|.................. ..`.rdata...........0..................@..@.data....*..........................@....pdata..4#.......$..................@..@_RDATA..\.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................

C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxvad.inf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	5334
Entropy (8bit):	5.628759224235533
Encrypted:	false
SSDEEP:	96:3q9BSSyjoh9OnLhtuGUdDrG9E/6uYqZpd7SY5MFgWC2i8/ENYZS:3qzSSyjoG17UprGEiuYqZpd7Se8eYENp
MD5:	328087CAF99B50D988A304BEEEA3FCE8
SHA1:	23FFEF913679537BB049008F5E6F8E517BB24192
SHA-256:	BA175CFDDD91B87BDDA3F1DF2A70249E1742E846B843381EB0438B70F91A110A
SHA-512:	D006E8DE0F9258A3EE75723E458D635586040702C1357630F199CF5740C7E29D87FEFD4B869A897BDD26B67FAD134E6BF35A2C01C3A00ACC8BF20181D7DA1AA3
Malicious:	false
Preview:	;..;fxvad.inf..;....[Version]..Signature="$CHICAGO$"..Class=MEDIA..Provider=%FXMN%..ClassGUID={4d36e96c-e325-11ce-bfc1-08002be10318}..DriverVer = 03/17/2021,14.1.0.0..CatalogFile.NTx86=fxvadNTx86.cat..CatalogFile.NTAMD64=fxvadNTAMD64.cat..PnpLockDown=1....[Manufacturer]..%MfgName%=DFX,NTamd64,NTx86....[DFX.NTx86]..%DFX_Device.DeviceDesc%=DFX_Device,Root\%DEV_NAME%,%DEV_NAME%....[DFX.NTamd64]..%DFX_Device.DeviceDesc%=DFX_Device,Root\%DEV_NAME%,%DEV_NAME%....;-----------------------------------------------------------------------------..;..; 2k+ Installation..;..;-----------------------------------------------------------------------------..[DFX_Device.NT]..Include=ks.inf,wdmaudio.inf..Needs=KS.Registration, WDMAUDIO.Registration..CopyFiles=DFX_Device.CopyList..AddReg=DFX_Device.AddReg..AddProperty=DFX_1AddPropertySection....[DFX_Device.NT.Interfaces]..AddInterface=%KSCATEGORY_AUDIO%,%KSNAME_Wave%,DFX_Device.I.Wave..AddInterface=%KSCATEGORY_RENDER%,%KSNAME_Wave%,DFX_Device.I.Wave..;Add

C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxvad.sys

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	326656
Entropy (8bit):	2.91036654915667
Encrypted:	false
SSDEEP:	768:3Ft4aLqpAogNTiqwu2CvcCjikibqqqqqqqqqqqqqqqqqqqaFgNj////////////l:T45A/N8Cfjik6scccoFtr
MD5:	EAF913C1DE47C2421669B662EDAA5A6A
SHA1:	53524526E1898A90FA98AE02E662B9C0E6DC2848
SHA-256:	425629B6309000013E8CD1A9B827BEE365D21C9F743873AADD0C3BC96A999D2A
SHA-512:	BB674FEB73751172A1ACE65AAB89C5EBF952A07F7AF0F3EC1DADF357FF693230CF08910AE273E8335EEC35E5827DA6405272D05C161987DF679199935AF21A76
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........................................................X.......X.R.....X.......Rich....................PE..d....@R`.........."......6..........0..........@............................. ......cM....`A....................................................<........\|...@...........$..........8)..8...........................p)............... ...............................text...)........................... ..h.rdata....... ......................@..H.data........0......................@....pdata.......@.......(..............@..HPAGE....J'...P...(...,.............. ..`INIT.................T.............. ..b.rsrc....\|.......~...X..............@..B.reloc..............................@..B........................................................................................................................................................................................

C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxvadntamd64.cat

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	10590
Entropy (8bit):	7.254430659006022
Encrypted:	false
SSDEEP:	192:1OgjZ7OPJCbngEw9JPgXkhYCClQBcA5E8qnajEzHbC:18UuLh3Cl+x5E8l4zu
MD5:	ACDAAE5D1219E7703285C42F774BE54D
SHA1:	47DF82D8C843BF1ADC098A26E9E3E27217B3104D
SHA-256:	25C8DAE186155D20F74FEEDEFB4F84161E4215925B8FD0C898F68F3E50EBCD7D
SHA-512:	83B663222FB22B1760EA8551D19557F3F2905BFAC205B380B23DD7F2A65A37B851A3C3C345E4A768B76700BB891B97C96A0DBBB58D81358993293AD1EB3E300A
Malicious:	false
Preview:	0.)Z...H........)K0.)G...1.0...`.H.e......0.....+.....7......0...0...+.....7.....7.M&...A.f..B....210319161347Z0...+.....7.....0..?0....#..6yS{.I..^o.Q{.A.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........f.x.v.a.d...i.n.f...0.... Kt=..].....&...m.ng..,.....Q...\|1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........f.x.v.a.d...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... Kt=..].....&...m.ng..,.....Q...\|0... ..\...{...p$..B.F.C8..C.p....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........f.x.v.a.d...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... ..\...{...*p$..B.F.C8..C.p....0.....w7=-{x\|<....8....O.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........f.x.v.a.d...s.y.s......C0..?0....+.....7......0.....S.u.

C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x86\fxdevcon32.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	216472
Entropy (8bit):	6.586896090803042
Encrypted:	false
SSDEEP:	6144:O0BoIohQyb1eSbUPWU7jTufjAOena7kWcoy3:AIsQybqWU7yjJpy3
MD5:	97507887426DBF2B0D2463E652C15EEA
SHA1:	C86DEA4F2DD6A0DD67D1B15326B95DE382C39F55
SHA-256:	A018CF271F4AC6AF83E035DB3A975BA3936DA9E97CBD62194091915F1ADB3CF1
SHA-512:	36F27045E2DEC820B4633B14C51F8C97C907EF4D8A9018302659EE9093D2EB65620736E585B27C08D1245A091E9C5B73DC7149B14A79DB234F0E5E31F2826C8B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.C...-...-...-.......-...)...-.q.)...-.q.....-.q.(.B.-...(..-...,...-...,..-..$...-..-...-......-../...-.Rich..-.........................PE..L.....b............................q........0....@..........................`......C.....@.........................p.......H........0...............$...)...@......p...p...............................@............0...............................text...,........................... ..`.rdata.......0......................@..@.data...............................@....rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x86\fxvad.inf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	5334
Entropy (8bit):	5.628759224235533
Encrypted:	false
SSDEEP:	96:3q9BSSyjoh9OnLhtuGUdDrG9E/6uYqZpd7SY5MFgWC2i8/ENYZS:3qzSSyjoG17UprGEiuYqZpd7Se8eYENp
MD5:	328087CAF99B50D988A304BEEEA3FCE8
SHA1:	23FFEF913679537BB049008F5E6F8E517BB24192
SHA-256:	BA175CFDDD91B87BDDA3F1DF2A70249E1742E846B843381EB0438B70F91A110A
SHA-512:	D006E8DE0F9258A3EE75723E458D635586040702C1357630F199CF5740C7E29D87FEFD4B869A897BDD26B67FAD134E6BF35A2C01C3A00ACC8BF20181D7DA1AA3
Malicious:	false
Preview:	;..;fxvad.inf..;....[Version]..Signature="$CHICAGO$"..Class=MEDIA..Provider=%FXMN%..ClassGUID={4d36e96c-e325-11ce-bfc1-08002be10318}..DriverVer = 03/17/2021,14.1.0.0..CatalogFile.NTx86=fxvadNTx86.cat..CatalogFile.NTAMD64=fxvadNTAMD64.cat..PnpLockDown=1....[Manufacturer]..%MfgName%=DFX,NTamd64,NTx86....[DFX.NTx86]..%DFX_Device.DeviceDesc%=DFX_Device,Root\%DEV_NAME%,%DEV_NAME%....[DFX.NTamd64]..%DFX_Device.DeviceDesc%=DFX_Device,Root\%DEV_NAME%,%DEV_NAME%....;-----------------------------------------------------------------------------..;..; 2k+ Installation..;..;-----------------------------------------------------------------------------..[DFX_Device.NT]..Include=ks.inf,wdmaudio.inf..Needs=KS.Registration, WDMAUDIO.Registration..CopyFiles=DFX_Device.CopyList..AddReg=DFX_Device.AddReg..AddProperty=DFX_1AddPropertySection....[DFX_Device.NT.Interfaces]..AddInterface=%KSCATEGORY_AUDIO%,%KSNAME_Wave%,DFX_Device.I.Wave..AddInterface=%KSCATEGORY_RENDER%,%KSNAME_Wave%,DFX_Device.I.Wave..;Add

C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x86\fxvad.sys

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (native) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	322560
Entropy (8bit):	2.8824956385159206
Encrypted:	false
SSDEEP:	768:mwrXoME2X1k56OBvZTwJikibqqqqqqqqqqqqqqqqqqqaFgNj///////////////y:VfE2X1Ng2ik6sccco3tq
MD5:	C05A2F8F443C7D756F594B583D7C820F
SHA1:	0DA76FA1BA7CF5E631C8AC25E9A3C3BA105C5381
SHA-256:	7BA582F2B468502E7DFF903069A7A5E177479C92B483EB9EDBF683A85B423CB9
SHA-512:	5069C8D568D463324CF426D9CD14994D3E4912EA7921D4F9EAE3F3BFA6C6022AA4D9BD6834690A97C74DDBDA1ADFFE6F587FD631251ED53E663BC3E54A2238BF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5..q...q...q...e..p...e..t...q...o...e..u.......{....._.p.......p...Richq...................PE..L....@R`.................2..........0p....... ....@.................................Z.....@E................................`p..<........\|...............$...........&..8............................'............... ...............................text............................... ..h.rdata..X.... ......................@..H.data........0......................@...PAGE..... ...@..."... .............. ..`INIT....h....p.......B.............. ..b.rsrc....\|.......~...F..............@..B.reloc..............................@..B........................................................................................................................................................................................................................................................

C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x86\fxvadntx86.cat

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	10581
Entropy (8bit):	7.255569051169796
Encrypted:	false
SSDEEP:	192:OOggMgObJC+ngEw9JPgXkhYCVyLHIMvN/qnajyCRe:OdNuLh3k/lmCo
MD5:	CC51E0BF07678A35F8CE058E2A674B18
SHA1:	F44CF566246C83C37177403439E8C203A672B543
SHA-256:	15D3EB929843C1A3D5AEAFC6D93E673906ABBB95208DF95009BA8962AC6AD11C
SHA-512:	EFD4A37255F375278B9AC9E9B1FE86A0B198B90E9F8E9494AD2D49A060B6C99905C69B7773439ED80CF48A673F3B6349B5657602D4456D50A2DC49118133139C
Malicious:	false
Preview:	0.)Q...H........)B0.)>...1.0...`.H.e......0.....+.....7......0...0...+.....7.....9lN.A..H. ..>.....210319161347Z0...+.....7.....0..?0....#..6yS{.I..^o.Q{.A.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........f.x.v.a.d...i.n.f...0.... HYu.dQ...a.....s:1'm. .}X..+xi1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........f.x.v.a.d...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... HYu.dQ...a.....s:1'm. .}X..+xi0... ..\...{...p$..B.F.C8..C.p....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........f.x.v.a.d...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... ..\...{...*p$..B.F.C8..C.p....0.......d\-.u......];...u1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........f.x.v.a.d...s.y.s......!0...0....+.....7......0.....S.u.

C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x64\fxdevcon64.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	269720
Entropy (8bit):	6.337918508188188
Encrypted:	false
SSDEEP:	6144:frRV8AjsaX6xJMmp/LyFEJ3tI8TD9BTzxlKohK4z+5At/:D/OTMuTyeJGI9Bpso8K/
MD5:	95622C09D216DC69E1B8968D04F7678E
SHA1:	9C39F4E017764FD87D5D0F4D8A6C8A76B4B6E7FF
SHA-256:	6ACEE42BE1BD7A7ED6A3CD3E3502990E39AA4C8E776581225993E4C8E8F53A73
SHA-512:	607F2B96BD4E31A96ECC48B80D73A63B3F07CB65350C0D6D2240DB9365C094C40E8FB5FBD015C76049D8C9ACE2CA9F76F729DA0E8320A57F9451118CC1CDB8C5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........n............}......}.....w.....w......w.....}.b...}.......A..Hv....Hv....Hv=....Hv.....Rich...........................PE..d.....b.........."......\|..........D..........@.............................P......u.....`.........................................................0..........4#.......)...@.......o..p...........................Pn..@............................................text....z.......\|.................. ..`.rdata...........0..................@..@.data....*..........................@....pdata..4#.......$..................@..@_RDATA..\.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................

C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x64\fxvad.inf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	5334
Entropy (8bit):	5.628596767870037
Encrypted:	false
SSDEEP:	96:3quSSyjoh9OnLhtuGUdDrG9E/6uYqZpd7SY5MFgWC2i8/ENYZS:3quSSyjoG17UprGEiuYqZpd7Se8eYENp
MD5:	82D8CBA970FF0CF924F8C750E4470873
SHA1:	F2EDC8BD8FCAF38976DC8E718D5D3ACE3BE82792
SHA-256:	042C6B79DFF1FDA007776F7EA14CAF4E7665F0A2A3F00644966EFDA6478B4939
SHA-512:	02B2E5FD829DE9C0C7841319376ABF2F2B89064CE59AEE8EC6B8F886DB25D7ADE4F05E1B5B3BBC76F0DE660F91C9799314B85A418DEBBB5A66ABE928A31C9B54
Malicious:	false
Preview:	;..;fxvad.inf..;....[Version]..Signature="$CHICAGO$"..Class=MEDIA..Provider=%FXMN%..ClassGUID={4d36e96c-e325-11ce-bfc1-08002be10318}..DriverVer = 03/22/2021,14.2.0.0..CatalogFile.NTx86=fxvadNTx86.cat..CatalogFile.NTAMD64=fxvadNTAMD64.cat..PnpLockDown=1....[Manufacturer]..%MfgName%=DFX,NTamd64,NTx86....[DFX.NTx86]..%DFX_Device.DeviceDesc%=DFX_Device,Root\%DEV_NAME%,%DEV_NAME%....[DFX.NTamd64]..%DFX_Device.DeviceDesc%=DFX_Device,Root\%DEV_NAME%,%DEV_NAME%....;-----------------------------------------------------------------------------..;..; 2k+ Installation..;..;-----------------------------------------------------------------------------..[DFX_Device.NT]..Include=ks.inf,wdmaudio.inf..Needs=KS.Registration, WDMAUDIO.Registration..CopyFiles=DFX_Device.CopyList..AddReg=DFX_Device.AddReg..AddProperty=DFX_1AddPropertySection....[DFX_Device.NT.Interfaces]..AddInterface=%KSCATEGORY_AUDIO%,%KSNAME_Wave%,DFX_Device.I.Wave..AddInterface=%KSCATEGORY_RENDER%,%KSNAME_Wave%,DFX_Device.I.Wave..;Add

C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x64\fxvad.sys

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	326120
Entropy (8bit):	2.895336145016568
Encrypted:	false
SSDEEP:	768:pAm4aLqpAogNTiqwu2CvcijikibqqqqqqqqqqqqqqqqqqqaFgNj////////////9:P45A/N8C/jik6scccR
MD5:	36F645D44476652DD078287D05499BC5
SHA1:	287A7AD815F60691942B0BF533B39C20AD43300D
SHA-256:	DAB6F4A9A68821FE8CC4B11AF19CC5FDE71E67FB9275E39E2ABDA680E477446B
SHA-512:	4CC4F625661EE755B44D94B8F4C91F7FFDB6DAF6DA39CD6147C5465C7448EB9620A0E71BAC6414AE2BBB99CE8CD379B03A98D70863CC384BE83F70BA00254FF5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e..!...!...!...5.. ...5..$...!...9...5..#...5..".....+....u. ..... ...Rich!...................PE..d...L.X`.........."......6..........0..........@............................. .......6....`A....................................................<........\|...@...........!..........8)..8...........................p)............... ...............................text...)........................... ..h.rdata....... ......................@..H.data........0......................@....pdata.......@.......(..............@..HPAGE....J'...P...(...,.............. ..`INIT.................T.............. ..b.rsrc....\|.......~...X..............@..B.reloc..............................@..B........................................................................................................................................................................................

C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x64\fxvadntamd64.cat

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	9568
Entropy (8bit):	7.231189475826073
Encrypted:	false
SSDEEP:	192:VrIMfdZubhlYZputZscF8Bd1LoZo6wTBZHklE8:nFZQYZCZsHLoilht8
MD5:	381CF31B9363FB10C0E4DD4FA3847A74
SHA1:	8B360D53A6D63E1A32A650BD7326EFED17BEBEA5
SHA-256:	82EC9E6E7EC723052CB1D608A39DC41D501818027837730D0D9F3B42DBE750C8
SHA-512:	8DCBB28C2A35BE40B984F614B094B29E27F41AC0F679CD74BC39BDB3DEDAE129A53EBB95069D62B12FC355A2088FF74D643AE5E3CB7E1B216FB89CFFAB8EEE77
Malicious:	false
Preview:	0.%\...H........%M0.%I...1.0...`.H.e......0.....+.....7......0...0...+.....7.......L.7F.E..i...cY..210322123238Z0...+.....7.....0...0..w.RB.5.2.0.9.5.B.A.D.2.A.4.7.9.4.8.0.A.E.1.9.8.C.3.C.7.4.A.6.F.C.9.E.9.1.E.E.6.1.6...1...02..+.....7...1$0"...O.S.A.t.t.r........2.:.6...1...06..+.....7...1(0&...F.i.l.e........f.x.v.a.d...s.y.s...0M..+.....7...1?0=0...+.....7...0...........0!0...+......... ...yH....Jo.....0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0..o.RF.2.E.D.C.8.B.D.8.F.C.A.F.3.8.9.7.6.D.C.8.E.7.1.8.D.5.D.3.A.C.E.3.B.E.8.2.7.9.2...1...02..+.....7...1$0"...O.S.A.t.t.r........2.:.6...1...06..+.....7...1(0&...F.i.l.e........f.x.v.a.d...i.n.f...0E..+.....7...17050...+.....7.......0!0...+..............v.q.]:.;.'.0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}.......0..0(..+.....7.....0....O.S........7.X.6.4...00..+.....7...."0 ...H.W.I.D.2........f.x.v.a.d...0:..+.....7....,0.

C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x86\fxdevcon32.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	216472
Entropy (8bit):	6.587026441380212
Encrypted:	false
SSDEEP:	6144:60BoIohQyb1eSbUPWU7jTufjAOena7kWcoyS:UIsQybqWU7yjJpyS
MD5:	89CC98BEE76BA8634A7371BD1769A6A1
SHA1:	2BA2A7E91BDAED0A692A1FC345C7AFDBD8430180
SHA-256:	B63CD31445311D8B5E42F0401AC051ADDD7492393B601EC1DD875CFC9F15CDF0
SHA-512:	6433D38DC915B9FCE15083B4C9CE4A8DCDECFB2F8EC9D9B9278F9E523BAFCB7090DE27406D3A91DD7107DE21ACE81FA3C6F85A4DA0D26933A4EC7D0B953E175F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.C...-...-...-.......-...)...-.q.)...-.q.....-.q.(.B.-...(..-...,...-...,..-..$...-..-...-......-../...-.Rich..-.........................PE..L.....b............................q........0....@..........................`............@.........................p.......H........0...............$...)...@......p...p...............................@............0...............................text...,........................... ..`.rdata.......0......................@..@.data...............................@....rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x86\fxvad.inf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	5334
Entropy (8bit):	5.628596767870037
Encrypted:	false
SSDEEP:	96:3quSSyjoh9OnLhtuGUdDrG9E/6uYqZpd7SY5MFgWC2i8/ENYZS:3quSSyjoG17UprGEiuYqZpd7Se8eYENp
MD5:	82D8CBA970FF0CF924F8C750E4470873
SHA1:	F2EDC8BD8FCAF38976DC8E718D5D3ACE3BE82792
SHA-256:	042C6B79DFF1FDA007776F7EA14CAF4E7665F0A2A3F00644966EFDA6478B4939
SHA-512:	02B2E5FD829DE9C0C7841319376ABF2F2B89064CE59AEE8EC6B8F886DB25D7ADE4F05E1B5B3BBC76F0DE660F91C9799314B85A418DEBBB5A66ABE928A31C9B54
Malicious:	false
Preview:	;..;fxvad.inf..;....[Version]..Signature="$CHICAGO$"..Class=MEDIA..Provider=%FXMN%..ClassGUID={4d36e96c-e325-11ce-bfc1-08002be10318}..DriverVer = 03/22/2021,14.2.0.0..CatalogFile.NTx86=fxvadNTx86.cat..CatalogFile.NTAMD64=fxvadNTAMD64.cat..PnpLockDown=1....[Manufacturer]..%MfgName%=DFX,NTamd64,NTx86....[DFX.NTx86]..%DFX_Device.DeviceDesc%=DFX_Device,Root\%DEV_NAME%,%DEV_NAME%....[DFX.NTamd64]..%DFX_Device.DeviceDesc%=DFX_Device,Root\%DEV_NAME%,%DEV_NAME%....;-----------------------------------------------------------------------------..;..; 2k+ Installation..;..;-----------------------------------------------------------------------------..[DFX_Device.NT]..Include=ks.inf,wdmaudio.inf..Needs=KS.Registration, WDMAUDIO.Registration..CopyFiles=DFX_Device.CopyList..AddReg=DFX_Device.AddReg..AddProperty=DFX_1AddPropertySection....[DFX_Device.NT.Interfaces]..AddInterface=%KSCATEGORY_AUDIO%,%KSNAME_Wave%,DFX_Device.I.Wave..AddInterface=%KSCATEGORY_RENDER%,%KSNAME_Wave%,DFX_Device.I.Wave..;Add

C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x86\fxvad.sys

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (native) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	322024
Entropy (8bit):	2.869696033678278
Encrypted:	false
SSDEEP:	768:foXmL+F+U1Da96r9rWikibqqqqqqqqqqqqqqqqqqqaFgNj/////////////////b:w/YU1D34ik6scccR
MD5:	31B1A479F995A4A3EFF6E11BACC34400
SHA1:	11587B7105E94891470273D35C77EBC3ECAF1EBC
SHA-256:	A507119631F73432B9E98D8D33815FFED90156C3BFB7E5E81666591D46CE460F
SHA-512:	8AAF5E0919370163691B38F5B754C9391DEE12AFB8157CACE51ECE19503B20D96D220948D8ACE262778FD4EB98C48D5FF5B247C53E831CB793FACECAFEBE73C7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5..ql..ql..ql..e...pl..e...tl..ql..ll..e...ul......{l...._.pl......pl..Richql..........PE..L...b.X`.................2..........0p....... ....@.................................2.....@E................................xp..<........\|...............!...........&..8............................'..@............ ..\|............................text...g........................... ..h.rdata..X.... ......................@..H.data........0......................@...PAGE..... ...@..."... .............. ..`INIT....r....p.......B.............. ..b.rsrc....\|.......~...F..............@..B.reloc..............................@..B................................................................................................................................................................................................................................................................

C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x86\fxvadntx86.cat

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	9569
Entropy (8bit):	7.230532185757443
Encrypted:	false
SSDEEP:	192:9fIMbdZubhlYZputZscF8Bd1LciivWBZHkWDVjO:ThZQYZCZsHLcDshFjO
MD5:	94015CF4A09898205476CEE29F2B75FA
SHA1:	9F847A10277C4CAF45A83FA0F53F5D525302AE39
SHA-256:	1A453865D234167FBE486F62D632373107994C634D9619E6D310C1DD3B5037E5
SHA-512:	A4B34E39DEB20BE3C1F27B3913EEC1B15454D5437EA41DB1C745CA9DAE35765588849FC05957CA27F2D1DDC309C023EC5013F7F7E8D08750003BE6AE299F59D4
Malicious:	false
Preview:	0.%]...H........%N0.%J...1.0...`.H.e......0.....+.....7......0...0...+.....7...... iX..xG..P.>D9...210322123242Z0...+.....7.....0...0..w.R3.3.3.B.F.5.C.F.4.B.0.B.4.A.8.3.4.9.0.1.F.9.3.F.A.2.0.9.4.9.F.F.7.6.3.5.C.A.7.0...1...02..+.....7...1$0"...O.S.A.t.t.r........2.:.6...1...06..+.....7...1(0&...F.i.l.e........f.x.v.a.d...s.y.s...0M..+.....7...1?0=0...+.....7...0...........0!0...+........3;..K.J.I..?..I.v5.p0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0..o.RF.2.E.D.C.8.B.D.8.F.C.A.F.3.8.9.7.6.D.C.8.E.7.1.8.D.5.D.3.A.C.E.3.B.E.8.2.7.9.2...1...02..+.....7...1$0"...O.S.A.t.t.r........2.:.6...1...06..+.....7...1(0&...F.i.l.e........f.x.v.a.d...i.n.f...0E..+.....7...17050...+.....7.......0!0...+..............v.q.]:.;.'.0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}.......0..0(..+.....7.....0....O.S........7.X.8.6...00..+.....7...."0 ...H.W.I.D.2........f.x.v.a.d...0:..+.....7....,0.

C:\Program Files\FxSound LLC\FxSound\Factsoft\1.fac

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	944
Entropy (8bit):	4.77740089112828
Encrypted:	false
SSDEEP:	24:qElw1IoJ3RVyGt5djvBp0HOAppzttw5kuUBwDR:CKiyG5djzUtCt
MD5:	F27EA21512686DA8E8C90E0A4D0F5616
SHA1:	3231A236C4D517197E28413EED3F5AC74D557CD7
SHA-256:	B9FF4BAD7F89D0FDB9032B6AEA475A04FAC8C1EEC39020FA00DB3CD72B91E1FB
SHA-512:	45911C28BC677C223BAAF46B6CF1E12EDCE56BF9584FC3317535D8B3BE1AE0F402847C7DDD2D1E7E6DFC01C4C24D04965DC475B9419A85D7A703685335559DB9
Malicious:	false
Preview:	CLASS1 : Effect Type..9: Version..General..0: Double Params Flag..1: Total number of elements..50: Main 0..20: Main 1..0: Main 2..0: Main 3..60: Main 4..60: Main 5..0: Element Number.. 0: Param 0.. 0: Param 1.. 0: Param 2.. 0: Param 3.. 0: Param 4.. 0: Param 5.. 0: Param 6..7: Number of Application Dependent Integers..0: Number of Application Dependent Reals..0: Number of Application Dependent Strings..1: Integer[0]..1: Integer[1]..0: Integer[2]..1: Integer[3]..1: Integer[4]..0: Integer[5]..2: Integer[6]..10: Number of EQ Bands..1: On/Off Flag..Band 1.. 62.5: CF.. 0: Boost/Cut..Band 2.. 115: CF.. 0: Boost/Cut..Band 3.. 250: CF.. 1: Boost/Cut..Band 4.. 450: CF.. 2: Boost/Cut..Band 5.. 630: CF.. 0: Boost/Cut..Band 6.. 1250: CF.. -1: Boost/Cut..Band 7.. 2700: CF.. 0: Boost/Cut..Band 8.. 5300: CF.. -1: Boost/Cut..Band 9.. 7500: CF.. -2: Boost/Cut..Band 10.. 13000: CF.. 0: Boost/Cut

C:\Program Files\FxSound LLC\FxSound\Factsoft\10.fac

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	963
Entropy (8bit):	4.8567723479487075
Encrypted:	false
SSDEEP:	24:q/vw1IcJOhRVyWWt5djvBp0TOAwUCJaSSOpNBlpA:coKryb5djzcL
MD5:	10A1B6C5A17F64D377394251C816FD73
SHA1:	3A54DBCB969269F9B4B63A0A72FEC51F9C1F2FD7
SHA-256:	5DA7F6318249417A1EDF02D133ED5543334389CE42E75CB904A311C680EF0D33
SHA-512:	DC32487CC4488F114C03605702F496AFF597797D1469FC246561F6C9055A4691B5E3AF6D1BCFFCAD6344310B1C1FEA27F70473D2C7A1F6BE6711D37047227C41
Malicious:	false
Preview:	CLASS1 : Effect Type..9: Version..Movies..0: Double Params Flag..1: Total number of elements..60: Main 0..50: Main 1..0: Main 2..0: Main 3..85: Main 4..35: Main 5..0: Element Number.. 0: Param 0.. 0: Param 1.. 0: Param 2.. 0: Param 3.. 0: Param 4.. 0: Param 5.. 0: Param 6..7: Number of Application Dependent Integers..0: Number of Application Dependent Reals..0: Number of Application Dependent Strings..1: Integer[0]..1: Integer[1]..1: Integer[2]..1: Integer[3]..1: Integer[4]..0: Integer[5]..2: Integer[6]..10: Number of EQ Bands..1: On/Off Flag..Band 1.. 62.5: CF.. 0: Boost/Cut..Band 2.. 115.734: CF.. 0: Boost/Cut..Band 3.. 250: CF.. 2: Boost/Cut..Band 4.. 396.85: CF.. 0: Boost/Cut..Band 5.. 734.867: CF.. 2: Boost/Cut..Band 6.. 1360.79: CF.. 2: Boost/Cut..Band 7.. 2519.84: CF.. 1: Boost/Cut..Band 8.. 5350: CF.. -1: Boost/Cut..Band 9.. 8640.48: CF.. 0: Boost/Cut..Band 10.. 13800: CF.. 2: Boost/Cut..

C:\Program Files\FxSound LLC\FxSound\Factsoft\11.fac

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	961
Entropy (8bit):	4.855292559830285
Encrypted:	false
SSDEEP:	24:q+w1IZBSRVyWWt5djvBp0TOAppUCJnpQSOpNBNpA:oKIyb5djzMl
MD5:	038E70D0B0223598B6F11890C7A39DA1
SHA1:	E790CA1456F895C6EF3A112BCEA575FC1F3A1006
SHA-256:	D05ED165422959C5F6B4C2B25FBE84B3BB0AA9BBDB72A6B0123BCB7CC2FB3CEA
SHA-512:	02BF6CD53AE7D2F1B9DE9868454A8937D72A787227496FE2D07F75AA296AA3FE71464E0ED610EF974E73C0F3E8B51939CE43C6563F2CDA958B7A7964DF42FBF9
Malicious:	false
Preview:	CLASS1 : Effect Type..9: Version..TV..0: Double Params Flag..1: Total number of elements..50: Main 0..50: Main 1..0: Main 2..20: Main 3..60: Main 4..45: Main 5..0: Element Number.. 0: Param 0.. 0: Param 1.. 0: Param 2.. 0: Param 3.. 0: Param 4.. 0: Param 5.. 0: Param 6..7: Number of Application Dependent Integers..0: Number of Application Dependent Reals..0: Number of Application Dependent Strings..1: Integer[0]..1: Integer[1]..1: Integer[2]..1: Integer[3]..1: Integer[4]..0: Integer[5]..2: Integer[6]..10: Number of EQ Bands..1: On/Off Flag..Band 1.. 62.5: CF.. 0: Boost/Cut..Band 2.. 115.734: CF.. 0: Boost/Cut..Band 3.. 250: CF.. 1: Boost/Cut..Band 4.. 396.85: CF.. 0: Boost/Cut..Band 5.. 734.867: CF.. 1: Boost/Cut..Band 6.. 1360.79: CF.. 0: Boost/Cut..Band 7.. 2519.84: CF.. 1: Boost/Cut..Band 8.. 5350: CF.. -1: Boost/Cut..Band 9.. 8640.48: CF.. -1: Boost/Cut..Band 10.. 13800: CF.. 2: Boost/Cut..

C:\Program Files\FxSound LLC\FxSound\Factsoft\12.fac

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	955
Entropy (8bit):	4.810538314108478
Encrypted:	false
SSDEEP:	24:qCw1ImJqRVyXt5djvBp0qOA14/7Woh5fMBjfA:2KZyd5djzSSwx3
MD5:	EEC389C321A0F4E18D568D9EB52D4A4A
SHA1:	46555A411D1DBE75B4994B0D9C44C21B72243EDD
SHA-256:	33E8695F8DEDD7E7F4ED640C8F6412C1898D2A06489AAD41C09F0326BDC08DB7
SHA-512:	B61D04D025CF4CC2B1FE8CB5881F57BB0C2DD0B3FAB2F47548D433D6EE2B2419838379DAF115FDD9F0C797C9DE8366C21A6DBA1BAB7C6F1E5CC9F2AFA656BBB4
Malicious:	false
Preview:	CLASS1 : Effect Type..9: Version..Transcription..0: Double Params Flag..1: Total number of elements..100: Main 0..0: Main 1..0: Main 2..0: Main 3..115: Main 4..75: Main 5..0: Element Number.. 0: Param 0.. 0: Param 1.. 0: Param 2.. 0: Param 3.. 0: Param 4.. 0: Param 5.. 0: Param 6..7: Number of Application Dependent Integers..0: Number of Application Dependent Reals..0: Number of Application Dependent Strings..1: Integer[0]..0: Integer[1]..0: Integer[2]..1: Integer[3]..1: Integer[4]..0: Integer[5]..2: Integer[6]..10: Number of EQ Bands..1: On/Off Flag..Band 1.. 62.5: CF.. 0: Boost/Cut..Band 2.. 86: CF.. -12: Boost/Cut..Band 3.. 250: CF.. 7: Boost/Cut..Band 4.. 293: CF.. 2: Boost/Cut..Band 5.. 615: CF.. -1: Boost/Cut..Band 6.. 1320: CF.. 7: Boost/Cut..Band 7.. 3430: CF.. 0: Boost/Cut..Band 8.. 4630: CF.. 10: Boost/Cut..Band 9.. 6360: CF.. 3: Boost/Cut..Band 10.. 11770: CF.. -12: Boost/Cut..

C:\Program Files\FxSound LLC\FxSound\Factsoft\2.fac

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	959
Entropy (8bit):	4.801168282589878
Encrypted:	false
SSDEEP:	24:q3vw1IyvjRVyWWt5djvBp0COASiepELDYB0iA:JKUyb5djzV
MD5:	EE618C4C177068C08DACDFC8411D5610
SHA1:	726B0F02F137361D658EE0A45FE4C8AD64F83C87
SHA-256:	690ED5C16C33B8EFD0ED7C7AEF90F71E6DF3F20C2A44114E98CF8CF7355DBED8
SHA-512:	D1C6652D14ED28DC5D71D0017CE975F57F247E5134033384B50B0FF094C407CDB11E0AF4518A900025E4B56131F25AAC300E8702F4D6E7E267FDA44B93B8985F
Malicious:	false
Preview:	CLASS1 : Effect Type..9: Version..Music..0: Double Params Flag..1: Total number of elements..50: Main 0..35: Main 1..0: Main 2..35: Main 3..20: Main 4..60: Main 5..0: Element Number.. 0: Param 0.. 0: Param 1.. 0: Param 2.. 0: Param 3.. 0: Param 4.. 0: Param 5.. 0: Param 6..7: Number of Application Dependent Integers..0: Number of Application Dependent Reals..0: Number of Application Dependent Strings..1: Integer[0]..1: Integer[1]..1: Integer[2]..1: Integer[3]..1: Integer[4]..0: Integer[5]..2: Integer[6]..10: Number of EQ Bands..1: On/Off Flag..Band 1.. 62.5: CF.. 0: Boost/Cut..Band 2.. 110.0: CF.. 2: Boost/Cut..Band 3.. 250.0: CF.. 2: Boost/Cut..Band 4.. 370.0: CF.. 1: Boost/Cut..Band 5.. 650.0: CF.. 0: Boost/Cut..Band 6.. 1200.0: CF.. 0: Boost/Cut..Band 7.. 2130.0: CF.. 0: Boost/Cut..Band 8.. 4550.0: CF.. -1: Boost/Cut..Band 9.. 6850.0: CF.. 0: Boost/Cut..Band 10.. 16000: CF.. 2: Boost/Cut..

C:\Program Files\FxSound LLC\FxSound\Factsoft\3.fac

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	965
Entropy (8bit):	4.861329835911262
Encrypted:	false
SSDEEP:	24:qYnw1IcEmJNPRVyXedjvBp0qOAOUAJtGJ7KxBr7cA:rwKcLLyudjzg
MD5:	8A3BB2B9767A3FD8397C2783F3EE1A65
SHA1:	8802B8F2FB027A8AF228548BA70D577138057EED
SHA-256:	77720ED67150B2C854A36F2F8002913E98788A9634BE0FC1540A19CA1423BFB6
SHA-512:	50184F85557C1CFAAAB4DC37693FB6AA854EE22E7D1061CA1780F16BDD57912F9726891A060AD74934E08DE4199BBD6B7E94914E42DD05BED9194012BF85DDBD
Malicious:	false
Preview:	CLASS1 : Effect Type..9: Version..Voice..0: Double Params Flag..1: Total number of elements..72: Main 0..0: Main 1..0: Main 2..0: Main 3..95: Main 4..0: Main 5..0: Element Number.. 0: Param 0.. 0: Param 1.. 0: Param 2.. 0: Param 3.. 0: Param 4.. 0: Param 5.. 0: Param 6..7: Number of Application Dependent Integers..0: Number of Application Dependent Reals..0: Number of Application Dependent Strings..1: Integer[0]..0: Integer[1]..0: Integer[2]..1: Integer[3]..0: Integer[4]..0: Integer[5]..2: Integer[6]..10: Number of EQ Bands..1: On/Off Flag..Band 1.. 62.5: CF.. 0: Boost/Cut..Band 2.. 115.734: CF.. -4: Boost/Cut..Band 3.. 214.311: CF.. -2: Boost/Cut..Band 4.. 396.85: CF.. 2: Boost/Cut..Band 5.. 734.867: CF.. 4: Boost/Cut..Band 6.. 1360.79: CF.. 5: Boost/Cut..Band 7.. 3430.8: CF.. 3: Boost/Cut..Band 8.. 5250.0: CF.. 3: Boost/Cut..Band 9.. 6300: CF.. 5: Boost/Cut..Band 10.. 11770: CF.. -11: Boost/Cut..

C:\Program Files\FxSound LLC\FxSound\Factsoft\4.fac

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	963
Entropy (8bit):	4.827256471188213
Encrypted:	false
SSDEEP:	24:qBJw1IsJzlLRVyWWt5djvBp0rOAbUAJ4QSOpApBEiA:COKayb5djzhu
MD5:	54307B58B9FD001E1910F98FDB25D966
SHA1:	1DBDBE2906679A4C97FE294D90BBBAEB4EB4019E
SHA-256:	FC6CD10E51D33A70E74091A662054989D97CDE5AE705475C8D80F681708FF07F
SHA-512:	15D185CD1B740DC726AE9A77F0F650DE05E0C74F76DBF10E5BACA4124CDADDD30636D814CE051B4B0D3979CB4ED493C00925AE52B505FEBA9CEFAA528FAFD8CD
Malicious:	false
Preview:	CLASS1 : Effect Type..9: Version..Volume Boost..0: Double Params Flag..1: Total number of elements..32: Main 0..20: Main 1..0: Main 2..0: Main 3..103: Main 4..35: Main 5..0: Element Number.. 0: Param 0.. 0: Param 1.. 0: Param 2.. 0: Param 3.. 0: Param 4.. 0: Param 5.. 0: Param 6..7: Number of Application Dependent Integers..0: Number of Application Dependent Reals..0: Number of Application Dependent Strings..1: Integer[0]..1: Integer[1]..1: Integer[2]..1: Integer[3]..1: Integer[4]..0: Integer[5]..2: Integer[6]..10: Number of EQ Bands..1: On/Off Flag..Band 1.. 62.5: CF.. 0: Boost/Cut..Band 2.. 101: CF.. 3: Boost/Cut..Band 3.. 240: CF.. 2: Boost/Cut..Band 4.. 396.85: CF.. 2: Boost/Cut..Band 5.. 734.867: CF.. 0: Boost/Cut..Band 6.. 1360.79: CF.. 0: Boost/Cut..Band 7.. 2519.84: CF.. 1: Boost/Cut..Band 8.. 4670: CF.. 1: Boost/Cut..Band 9.. 11760: CF.. 2: Boost/Cut..Band 10.. 16000: CF.. 2: Boost/Cut..

C:\Program Files\FxSound LLC\FxSound\Factsoft\5.fac

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	966
Entropy (8bit):	4.857342274064095
Encrypted:	false
SSDEEP:	24:qpRw1IRJOhRVyXt5djvBp0d5OAhHWiQSHvEGBaqA:kmKSyd5djzYL87
MD5:	471670C3295D3BBFED92E693981C30E1
SHA1:	23274FA49B6CCA00CA92CFF619B04EE657E4D97B
SHA-256:	F961856C2FEF99BCC9ABDA07BF3B1F19C9B16685208EA0E28CD4ED3F39778418
SHA-512:	54A54D9B8FFBE2B22F6151445D9F50941C738F112678DEDD5114D14503E4088CE77DF2D6428DB6E95DB6031A78E4F6444D8F8BA8ECEC360408EBEF9771D002E3
Malicious:	false
Preview:	CLASS1 : Effect Type..9: Version..Gaming..0: Double Params Flag..1: Total number of elements..35: Main 0..0: Main 1..0: Main 2..0: Main 3..85: Main 4..35: Main 5..0: Element Number.. 0: Param 0.. 0: Param 1.. 0: Param 2.. 0: Param 3.. 0: Param 4.. 0: Param 5.. 0: Param 6..7: Number of Application Dependent Integers..0: Number of Application Dependent Reals..0: Number of Application Dependent Strings..1: Integer[0]..0: Integer[1]..0: Integer[2]..1: Integer[3]..1: Integer[4]..0: Integer[5]..2: Integer[6]..10: Number of EQ Bands..1: On/Off Flag..Band 1.. 62.5: CF.. 0: Boost/Cut..Band 2.. 128.75: CF.. 0: Boost/Cut..Band 3.. 238.311: CF.. 2: Boost/Cut..Band 4.. 444.0: CF.. 2: Boost/Cut..Band 5.. 805.0: CF.. 2: Boost/Cut..Band 6.. 1360.79: CF.. 0: Boost/Cut..Band 7.. 2519.84: CF.. -1: Boost/Cut..Band 8.. 4400.12: CF.. -1: Boost/Cut..Band 9.. 7930.48: CF.. 2: Boost/Cut..Band 10.. 12570: CF.. 2: Boost/Cut..

C:\Program Files\FxSound LLC\FxSound\Factsoft\6.fac

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	982
Entropy (8bit):	4.857216071020656
Encrypted:	false
SSDEEP:	24:qAZIRw1IDluRVyWWt5djvBp0TOAVUCJ4QS7TBlOA:DimKSyb5djzRT
MD5:	3817D6E5582793099881320401DFDDD7
SHA1:	AC6CDB82AE160EB3E6A55B338A7332B8CAC3DD1D
SHA-256:	59024B05F345CBB6332A581C916676D685913F0EBD1A8D0D8ECAD395D9D11E3B
SHA-512:	DF55BEEA1F116F5B6996DFE0212A115582CDAE1B110726D94462F4D3D1E20FE0D1400591A9CCB966B2865A0EFCEF913FE03048C7BD60A974B6074FBF492B9403
Malicious:	false
Preview:	CLASS1 : Effect Type..9: Version..Classic Processing..0: Double Params Flag..1: Total number of elements..60: Main 0..35: Main 1..0: Main 2..60: Main 3..60: Main 4..70: Main 5..0: Element Number.. 0: Param 0.. 0: Param 1.. 0: Param 2.. 0: Param 3.. 0: Param 4.. 0: Param 5.. 0: Param 6..7: Number of Application Dependent Integers..0: Number of Application Dependent Reals..0: Number of Application Dependent Strings..1: Integer[0]..1: Integer[1]..1: Integer[2]..1: Integer[3]..1: Integer[4]..0: Integer[5]..2: Integer[6]..10: Number of EQ Bands..1: On/Off Flag..Band 1.. 62.5: CF.. 0: Boost/Cut..Band 2.. 115.734: CF.. 0: Boost/Cut..Band 3.. 214.311: CF.. 0: Boost/Cut..Band 4.. 396.85: CF.. 0: Boost/Cut..Band 5.. 734.867: CF.. 0: Boost/Cut..Band 6.. 1360.79: CF.. 0: Boost/Cut..Band 7.. 2519.84: CF.. 0: Boost/Cut..Band 8.. 4666.12: CF.. 0: Boost/Cut..Band 9.. 8640.48: CF.. 0: Boost/Cut..Band 10.. 13500: CF.. 0: Boost/Cut..

C:\Program Files\FxSound LLC\FxSound\Factsoft\7.fac

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	984
Entropy (8bit):	4.890210143884036
Encrypted:	false
SSDEEP:	24:qIZIRw1IIvxtCRVyZWt5djvBp0fOAQpU5pJeWSEfBNMvpA:/imKDyo5djz91i
MD5:	16F49CF8417B0E368FAEB40CB70F3239
SHA1:	CE95736E467389C60F5C23BEA0DFFCCE547D529D
SHA-256:	0CC4E260945485F45D2BEEAEC9D7FF8F8EAE92FBD7C094AED4B39ABCDFBA07B3
SHA-512:	08BFC9B87D9C28DB55EBFCEF8D00748B7F351538AB224A03F97E263928079CAB6C0755B4740F1F6481AB547103557148C4AA607969A25FD97E0E86CE039D4AA8
Malicious:	false
Preview:	CLASS1 : Effect Type..9: Version..Light Processing..0: Double Params Flag..1: Total number of elements..25: Main 0..0: Main 1..0: Main 2..35: Main 3..5: Main 4..20: Main 5..0: Element Number.. 0: Param 0.. 0: Param 1.. 0: Param 2.. 0: Param 3.. 0: Param 4.. 0: Param 5.. 0: Param 6..7: Number of Application Dependent Integers..0: Number of Application Dependent Reals..0: Number of Application Dependent Strings..1: Integer[0]..0: Integer[1]..1: Integer[2]..1: Integer[3]..1: Integer[4]..0: Integer[5]..2: Integer[6]..10: Number of EQ Bands..1: On/Off Flag..Band 1.. 62.5: CF.. 0: Boost/Cut..Band 2.. 115.734: CF.. -1: Boost/Cut..Band 3.. 214.311: CF.. 1: Boost/Cut..Band 4.. 396.85: CF.. 1: Boost/Cut..Band 5.. 734.867: CF.. -1: Boost/Cut..Band 6.. 1360.79: CF.. -1: Boost/Cut..Band 7.. 2519.84: CF.. -2: Boost/Cut..Band 8.. 4666.12: CF.. -1: Boost/Cut..Band 9.. 8640.48: CF.. -1: Boost/Cut..Band 10.. 13600: CF.. 1: Boost/Cut..

C:\Program Files\FxSound LLC\FxSound\Factsoft\8.fac

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	971
Entropy (8bit):	4.857752267847404
Encrypted:	false
SSDEEP:	24:qXwJw1I4v5RVyWWt5djvBp0d8O8wtZpFSHfBNpVA:TOK8yb5djztRO
MD5:	C4EF8C129665163D28601E229493892A
SHA1:	3737A43F1A503166E063A44DEF48152C5DEF1EFF
SHA-256:	4A22A50C3AA77F6E887CD9E30DE1D381BEF900D5391EC84AD3154546FD1399A8
SHA-512:	3257A8A3EACA06AA89FB4A26139F5908DAACFEC34C6613D94F78B458184BF41E52561F99A9B0CA6580DC8D7EB845F47EC30033C72C3CCF9F4410E2331C514466
Malicious:	false
Preview:	CLASS1 : Effect Type..9: Version..Bass Boost..0: Double Params Flag..1: Total number of elements..30: Main 0..35: Main 1..0: Main 2..35: Main 3..20: Main 4..75: Main 5..0: Element Number.. 0: Param 0.. 0: Param 1.. 0: Param 2.. 0: Param 3.. 0: Param 4.. 0: Param 5.. 0: Param 6..7: Number of Application Dependent Integers..0: Number of Application Dependent Reals..0: Number of Application Dependent Strings..1: Integer[0]..1: Integer[1]..1: Integer[2]..1: Integer[3]..1: Integer[4]..0: Integer[5]..2: Integer[6]..10: Number of EQ Bands..1: On/Off Flag..Band 1.. 62.5: CF.. 0: Boost/Cut..Band 2.. 98.0: CF.. 3: Boost/Cut..Band 3.. 158.3: CF.. 3: Boost/Cut..Band 4.. 345.0: CF.. 2: Boost/Cut..Band 5.. 541.867: CF.. 1: Boost/Cut..Band 6.. 1170.0: CF.. -1: Boost/Cut..Band 7.. 2519.84: CF.. -1: Boost/Cut..Band 8.. 4666.12: CF.. -1: Boost/Cut..Band 9.. 8640.48: CF.. -1: Boost/Cut..Band 10.. 14650: CF.. 0: Boost/Cut..

C:\Program Files\FxSound LLC\FxSound\Factsoft\9.fac

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	978
Entropy (8bit):	4.8615388361461545
Encrypted:	false
SSDEEP:	24:qjw1I9JaRVyGt5djvBp0TOAVUCJnpfpSOpHBlpA:pKcyG5djzr1
MD5:	D6712E9A03F84CA656BCB54815D11287
SHA1:	73D3CCD471460C24465597985329BC864B52C29A
SHA-256:	FBF25A50A996204B8F732E43ADF5ED8DB4FF6EAE6AA19C5832461B96AC71A016
SHA-512:	85DA0E65B9B0C18469165391343396DA5A3E9E153793FD6CCCF979F427C097A38DA5A439A7B10CBD5481A10E5435C1117BACEDFFB7B44F6C6872E40BCDE92483
Malicious:	false
Preview:	CLASS1 : Effect Type..9: Version..Streaming Video..0: Double Params Flag..1: Total number of elements..35: Main 0..35: Main 1..0: Main 2..0: Main 3..54: Main 4..35: Main 5..0: Element Number.. 0: Param 0.. 0: Param 1.. 0: Param 2.. 0: Param 3.. 0: Param 4.. 0: Param 5.. 0: Param 6..7: Number of Application Dependent Integers..0: Number of Application Dependent Reals..0: Number of Application Dependent Strings..1: Integer[0]..1: Integer[1]..0: Integer[2]..1: Integer[3]..1: Integer[4]..0: Integer[5]..2: Integer[6]..10: Number of EQ Bands..1: On/Off Flag..Band 1.. 62.5: CF.. 0: Boost/Cut..Band 2.. 115.734: CF.. 0: Boost/Cut..Band 3.. 214.311: CF.. 0: Boost/Cut..Band 4.. 396.85: CF.. 0: Boost/Cut..Band 5.. 734.867: CF.. 1: Boost/Cut..Band 6.. 1360.79: CF.. 1: Boost/Cut..Band 7.. 2519.84: CF.. 1: Boost/Cut..Band 8.. 5350.0: CF.. -1: Boost/Cut..Band 9.. 8640.48: CF.. 0: Boost/Cut..Band 10.. 13800: CF.. 2: Boost/Cut..

C:\Program Files\FxSound LLC\FxSound\Factsoft\Default.fac

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	945
Entropy (8bit):	4.793563479975623
Encrypted:	false
SSDEEP:	24:qcow1IGuJGaRVyWWt5djvBp0EgOAywCcEVcBAVWA:bKuMyb5djz7D
MD5:	AA004A42A81D8FA758B8054F94A9EE48
SHA1:	27A95002B2B47853015F50BF83A1D7AF8B132097
SHA-256:	98A1218AAF829717E9761667C63CD6FE3BCD8232999D9A10E9E844B36C4E0AA5
SHA-512:	CD27FEB5FBC48696C91B16BE18476A77F50C4749F238F487C7AA6B4605DBC3429F007CE4F959AD8C9FB41389FAE9250D27A80FC74F2E16CAF7688EF05C2AB4F2
Malicious:	false
Preview:	CLASS1 : Effect Type..9: Version..Default..0: Double Params Flag..1: Total number of elements..0: Main 0..0: Main 1..0: Main 2..0: Main 3..0: Main 4..0: Main 5..0: Element Number.. 0: Param 0.. 0: Param 1.. 0: Param 2.. 0: Param 3.. 0: Param 4.. 0: Param 5.. 0: Param 6..7: Number of Application Dependent Integers..0: Number of Application Dependent Reals..0: Number of Application Dependent Strings..1: Integer[0]..1: Integer[1]..1: Integer[2]..1: Integer[3]..1: Integer[4]..0: Integer[5]..2: Integer[6]..10: Number of EQ Bands..1: On/Off Flag..Band 1.. 62.5: CF.. 0: Boost/Cut..Band 2.. 121.5: CF.. 0: Boost/Cut..Band 3.. 225: CF.. 0: Boost/Cut..Band 4.. 416.5: CF.. 0: Boost/Cut..Band 5.. 770.5: CF.. 0: Boost/Cut..Band 6.. 1425: CF.. 0: Boost/Cut..Band 7.. 2645: CF.. 0: Boost/Cut..Band 8.. 4895: CF.. 0: Boost/Cut..Band 9.. 9060: CF.. 0: Boost/Cut..Band 10.. 13885: CF.. 0: Boost/Cut..

C:\Program Files\FxSound LLC\FxSound\FxSound.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4684696
Entropy (8bit):	6.547210483727717
Encrypted:	false
SSDEEP:	98304:adnBRA4FUQRBBBBBBBBBBBBBBBBBBBBBBBBU2UjTjaZ75T:a/RAdQRBBBBBBBBBBBBBBBBBBBBBBBBt
MD5:	2EE68BB73020AE85BBFD2CCAC511D97B
SHA1:	6E05149E11CEE654D8A41154D7E0A0EB19A19FCB
SHA-256:	23BCFB48D1F2033EBB1F8C31DDA7B4889C2F617D0F7FB964C17664BC173C7BC4
SHA-512:	674FDCE2F10B5F2E275B9908014F9A9CF240459F557CAFCBE43DBA99B98271F143ECC58FD6E10D6CD3CBB0D77B3038E3A3B9AED85E5DC1D2A5742EAF82A3F467
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......k.../n./n./n.d...5n.?.>..n.?...#n.?..;n.?..Ln.g.. n.g..un.d...n.d...n.d...n.d...n./n..m.g...n.g.<..n./nT..n.g....n.Rich/n.........PE..d......f.........."....)..+..$.................@..............................H.......G...`...................................................A.T.....F.......D......RG..)...`H..\|...p;.T....................r;.(....n;.@.............+..............................text...h.+.......+................. ..`.rdata..f.....+.......+.............@..@.data....s...@B......$B.............@....pdata........D......@C.............@..@.rsrc.........F......DE.............@..@.reloc...\|...`H..~....F.............@..B................................................................................................................................................................................................................

C:\Program Files\FxSound LLC\FxSound\IBMPlexSansArabic-Bold.ttf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	TrueType Font data, 17 tables, 1st "GDEF", 21 names, Microsoft, language 0x409
Category:	dropped
Size (bytes):	236272
Entropy (8bit):	6.1893993750149505
Encrypted:	false
SSDEEP:	3072:3mrHKVy66pjM8vhKwNWuGpFquVWb+AERebhvvVBm79Qlyhvjeva130GzgYED1iq:3mrH7prvhKwNG+ucb+AEjKjiq
MD5:	3B112E6AA65695F31FA1E1A8FB0589A9
SHA1:	CB04C8D7DEA87049B9DE13524547BBA6336DAFCC
SHA-256:	863A038C6AFE94EC626BC5BFB94CE37F26196C1F1D50289F4F7C88E339B0AA41
SHA-512:	477BD2ED50F8A385EF123869D641477A9B79C8715B64D2BED1ABC28EB7D783D9D34F069E20CEF978578E0F0DEA02FEACA5B8095B9A792FE2A0CCB501B339CD00
Malicious:	false
Preview:	............GDEF......l....GPOS"......t..y.GSUB..z^..QX...DOS/2...........`cmap?P..........cvt ...........Vfpgm.Y.7...`...sgasp...!........glyf..\|...3...gmhead4o.'...p...6hhea"."3...L...$hmtx.`\........Lloca..)...7....Pmaxp.......,... name.3.....(....post..."..o...J.prep.P.@...............................C.............................=.a...................................As..._.<............................h...............Z.D.f.H.b.u.T.l.L.8./...J...........l.P.T.F.@.d.........8...I...q...............b.................X...K...X...^.d.;.............. c...{........IBM .......=.a...h.Y ..A........... .....,K...PX....Y......D......_^-..., EiD..`-...,...!-..., F..%FRX#Y . .Id. F had..%F hadRX#e.Y/ ..SXi ..TX!.@Y.i ..TX!.@eYY:-..., F..%FRX#.Y F jad..%F jadRX#.Y/.-...,K ..&PXQX..D..@DY.!! E..PX..D.!YY-..., EiD..` E}i.D..`-...,...-...,K ..&SX.@...Y.. ..&SX#!......#Y ..&SX#!.......#Y ..&SX#!.......#Y ..&SX#!..@....#Y ...&SX..%E...PX#!...#!...%E#!#!Y.!YD-...,KSXED.!!Y-....+........+.......

C:\Program Files\FxSound LLC\FxSound\IBMPlexSansArabic-Medium.ttf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	TrueType Font data, 17 tables, 1st "GDEF", 23 names, Microsoft, language 0x409
Category:	dropped
Size (bytes):	231888
Entropy (8bit):	6.211087159549943
Encrypted:	false
SSDEEP:	3072:lduMa8A6vA6+A+xWjXSbzr5rNs7h2MciNLImzgl4lWtOG6GmZx+VbSklB2xMl03U:lYMabEd+xDzrMftzP8B2xiYNGrHkwf
MD5:	5FB42FDBAF9DB9218CD8B43C4F53CAE1
SHA1:	739029BF018CB24106B885D6F17FB404DD658910
SHA-256:	5F220108D9FC890453E157CDA6D5ED4936E2CCD62FAB3B16F06EA34C7975D0ED
SHA-512:	FAD1DDCE210E964CA415B85CCF476B06C66880A8CF49E4D5488C4626F1AB6482ABBA0FB9FDD85F8C1FF574AD4BB141F98DE56CBC71347BAC5377503B24F34E85
Malicious:	false
Preview:	............GDEF......,....GPOSE......h....GSUB..z^..QL...DOS/2.S.........`cmap?P..........cvt ...........Rfpgm.Y.7...\...sgasp...!........glyfO.Q...:@..O.head3Y.....p...6hhea!.!G...L...$hmtx}.w........Lloca..N...6....Pmaxp.......,... name...........post......o...J.prep..i........Z.......................K.............................=.a.....#...c.........................A..#._.<......................#...c.=...............M.T.S.=.O.[.F.l.K.2.(...>.d.q.}.h.r.f.^.G.?.m.[.....8...I...q...............`.................X...K...X...^.M.8.............. c...{........IBM .......=.a...h.Y ..A........... .....,K...PX....Y......D......_^-..., EiD..`-...,...!-..., F..%FRX#Y . .Id. F had..%F hadRX#e.Y/ ..SXi ..TX!.@Y.i ..TX!.@eYY:-..., F..%FRX#.Y F jad..%F jadRX#.Y/.-...,K ..&PXQX..D..@DY.!! E..PX..D.!YY-..., EiD..` E}i.D..`-...,...-...,K ..&SX.@...Y.. ..&SX#!......#Y ..&SX#!.......#Y ..&SX#!.......#Y ..&SX#!..@....#Y ...&SX..%E...PX#!...#!...%E#!#!Y.!YD-...,KSXED.!!Y-....+........+........+..

C:\Program Files\FxSound LLC\FxSound\IBMPlexSansArabic-Regular.ttf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	TrueType Font data, 17 tables, 1st "GDEF", 21 names, Microsoft, language 0x409
Category:	dropped
Size (bytes):	226004
Entropy (8bit):	6.184469546167808
Encrypted:	false
SSDEEP:	3072:fhg4eS6N+b593EMczS666YYa2x8zZrpAo7wZE9dUcVIMdTuFv:fIN+bHQ66YEx8zZnUcSMdkv
MD5:	BF7497338196D1ED6C36EA4D010F12A8
SHA1:	1FBB97720FA14853A4E2CB276638D792B0C5F251
SHA-256:	1118A402B5EABDA347C416E49391BDC156836ABFC0ACA93AE9F1FBDDFAB2AF28
SHA-512:	834334D45FBB9EF2EDDD4FE80E2E78024A5E8FAA617B0545383E9110EB6AA425A4BA6C0A8EF86E38196E737A13ACCF75359DD15DA5C10656D5BB0157F1279A7F
Malicious:	false
Preview:	............GDEF............GPOSe.` ......x.GSUB..z...Q\...DOS/2..........`cmap?..W........cvt ...........Rfpgm.Y.7...\...sgasp...!........glyfj.x...3...?>head2......p...6hhea . ....L...$hmtx...n.......`loca...[..6....dmaxp.......,... name..D........post2.....o...K9prep..........B.......................S.............................=.a.....5.............................A...._.<......................5.....3...............C.`.@.6.G.<.l.K...$...2.J.R.b.L.b.d.M.@.:.D.P.V.....8...I...q...............^.......x.........X...K...X...^.<.5.............. c...{........IBM .......=.a...h.Y ..A........... .....,K...PX....Y......D......_^-..., EiD..`-...,...!-..., F..%FRX#Y . .Id. F had..%F hadRX#e.Y/ ..SXi ..TX!.@Y.i ..TX!.@eYY:-..., F..%FRX#.Y F jad..%F jadRX#.Y/.-...,K ..&PXQX..D..@DY.!! E..PX..D.!YY-..., EiD..` E}i.D..`-...,...-...,K ..&SX.@...Y.. ..&SX#!......#Y ..&SX#!.......#Y ..&SX#!.......#Y ..&SX#!..@....#Y ...&SX..%E...PX#!...#!...%E#!#!Y.!YD-...,KSXED.!!Y-....+........+........+..

C:\Program Files\FxSound LLC\FxSound\MontserratAlternates-Bold.ttf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	TrueType Font data, 17 tables, 1st "GDEF", 13 names, Microsoft, language 0x409
Category:	dropped
Size (bytes):	201148
Entropy (8bit):	6.077443346933577
Encrypted:	false
SSDEEP:	3072:bbUD3Sp234i3viK7ldlrTft7yEeVfvVF1wSlCfzMV4lzCO0aMbVKgdIxfBEP:b4Di81v3ftneVfb1wXMizCtjzdIg
MD5:	DEC15F4454DA4C3DCDBA85A36C9F9A37
SHA1:	EE2C78FD0AF8AA895F15A93F9A61E13A960C17F3
SHA-256:	4A204F20F82129D09196FA3F16F2340B9CBBE2FC5E27038E0E57F76E03D96E38
SHA-512:	2FAAF11B8C6B5F487E8D563C8BA05F8CD34FA595AC2AD3CB9B1BFF29283DB7BE33D9345DFD9C19BD3EB058BBB8F45C32649F4B18E35F33CA300B35A516AEAB33
Malicious:	false
Preview:	............GDEF............GPOS.}.7...<...\|GSUB.$+...C... "OS/2V.B.......`cmap.<..........cvt 3...........fpgmM$.\|.......mgasp............glyf...........head.M.:...h...6hhea...i...D...$hmtx\|. ...-P....loca.#.9.......Pmaxp...J...$... named..G........post......d...9,prep.K.........................N...R.....(.:.......m...................1.s........................33.7"._.<............F......x......s.4.........................X...K...X...^.2.B............ ...............ULA .............U.. .............. ...K...RX....Y.......cp...B@..k[K;.'.....B@.p.`.P.@.4.,........B@.r.h.X.H.:.0.%......BA..@.@.@.@.@.@.........BA..@.@.@.@.@.@.@.......D.$..QX.@.X..dD.&..QX......@.cTX...DYYYY@.r.b.R.B.6... .............D..d..DD............................................................................>....."...6.........?...J...........?.?.....J.J.......................>......."...6.........;.........>.C....."...>...........G.......>......."...6.............4............."...$.5...7.:...<.=...B.\

C:\Program Files\FxSound LLC\FxSound\MontserratAlternates-Medium.ttf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	TrueType Font data, 17 tables, 1st "GDEF", 15 names, Microsoft, language 0x409
Category:	dropped
Size (bytes):	199912
Entropy (8bit):	6.096339699160351
Encrypted:	false
SSDEEP:	3072:1DmsP234i3vSKmaHeqI9vOogmrctL7CzXjvfEZgczCLy5Bw9upmnJ0:1Dmse1v3He7Hh3zcBOupmnJ0
MD5:	4C61E408402414F36F5C3A06ECC5915B
SHA1:	F3C1C9E778680061C35EC512C918F1A630868872
SHA-256:	02CF88921629EEBFB25FBBCF5D46D0EF5BB307BB0D8AF482F47A65BB6620B088
SHA-512:	8F98065BD0B2FDA1A658FCCF9166BB4387A279D3471FFA8BE43B78FF874EE62735350390157270BC73A9AD84B7AC2DF81FC0538E3B5B569965C3D1BA55C47B92
Malicious:	false
Preview:	............GDEF............GPOS...6...t...GSUB.$+...D$.. "OS/2V..J.......`cmap.<..........cvt 0...........fpgmM$.\|.. ....mgasp............glyf.@........\|.head.8.!...h...6hhea...A...D...$hmtx+Bn...-.....locaKc.........Pmaxp...T...$... nameg5.........post......dH..9,prep.K.........................L...P.....6.H.......m...............R...B.5........................33)..w_.<............F......x......5...........................X...K...X...^.2.>............ ...............ULA .............U.. .............. ...K...RX....Y.......cp...B@..k[K;.'.....B@.p.`.P.@.4.,........B@.r.h.X.H.:.0.%......BA..@.@.@.@.@.@.........BA..@.@.@.@.@.@.@.......D.$..QX.@.X..dD.&..QX......@.cTX...DYYYY@.r.b.R.B.6... ...*..........D..d..DD............................................................a.a.T.T.........>.........8.b.b.T.T.8...@...b.b.T.T.8.8.....@.@.....a.a.T.T...........>...........8.a.a.T.T.;.........>.@.........>.a.a.T.T...G.......>...........8.............4............."...$.5...7.:...<.=...B.\

C:\Program Files\FxSound LLC\FxSound\MontserratAlternates-Regular.ttf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	TrueType Font data, 17 tables, 1st "GDEF", 13 names, Microsoft, language 0x409
Category:	dropped
Size (bytes):	201976
Entropy (8bit):	6.085964601621602
Encrypted:	false
SSDEEP:	3072:N5ZPg234i3vgm8LjbRWJrqi+Z5qefAMTvP/fXJGeqNE5Hv:Nrb1v18LjbwN/KAMTvPHXgZN4v
MD5:	AED416691BA9AFB1590D9DDF220F5996
SHA1:	8A441A013BB65EDB42D747EFC85CABA6D4149464
SHA-256:	720187E6F1FEC0D3510A9407BFDF8B952DC61BD990EDEBAA477FBD72F66775C5
SHA-512:	06B7933D35247259EA58271C6EDADB1DC7CAE80A158A47A4F41192773876C08F3DC0B31D5E11948936CFA6F696DAB1F6B10B9B5A697DBC7ACD06BCB49EFC44EC
Malicious:	false
Preview:	............GDEF............GPOS..f>...T....GSUB.$+...D... "OS/2U..?.......`cmap.<..........cvt /2..........fpgmM$.\|.......mgasp............glyfQ.....8....head./.....h...6hhea...0...D...$hmtx......-h....locaqO.9.......Pmaxp...V...$... namef.1........post......d(..9,prep.K.........................L...R.....6.H.......m...............;...H..........................33.k.._.<............F......x........................\|.........X...K...X...^.2.;............ ...............ULA .............U.. .............. ...K...RX....Y.......cp...B@..k[K;.'.....B@.p.`.P.@.4.,........B@.r.h.X.H.:.0.%......BA..@.@.@.@.@.@.........BA..@.@.@.@.@.@.@.......D.$..QX.@.X..dD.&..QX......@.cTX...DYYYY@.r.b.R.B.6... .............D..d..DD............................................................H.H.>.>.........>.........9.H.H.>.>.5...<...H.H.>.>.5.5.....<.<.....H.H.>.>...........>...........9.H.H.>.>.;.........>.?.........>.H.H.>.>...G.......>...........9.............4............."...$.5...7.:...<.=...B.\

C:\Program Files\FxSound LLC\FxSound\NotoSansJP-Bold.ttf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	TrueType Font data, 18 tables, 1st "GDEF", 26 names, Microsoft, language 0x409
Category:	dropped
Size (bytes):	5727828
Entropy (8bit):	6.8435928849337495
Encrypted:	false
SSDEEP:	98304:EJ68s7xmufmuJgIckCZhAsHdEM4gFFUfYi8Iz1uWoZFPe4N:R8s7BdsfEMRF6Yi8IhuWoZHN
MD5:	4AEC04FD98881DB5FBC79075428727EF
SHA1:	2C104EA6EE8CBC919F3338210F361F05F4882DD2
SHA-256:	778214C61DEEC84CE9F74164F1BE5756807A9895FEAC2D7A553FDD7D410070D4
SHA-512:	CD87B434EDFEF3466D745F57C53440C2753668E5BC327C453ADBDFCD8E353AE43C92F9BCFBD2AAFE3DEF1EE846E5A0F199242354C17E5E004A604A3148132CF0
Malicious:	false
Preview:	........... GDEF.......\|..."GPOS......X`....GSUB..U.......M.OS/2.......L...`STATy.kI.......cmap.qGX..N4....gasp.......4....glyfJ.)...H..Q.nhead"..E.......6hhea..M........$hmtx8..^..!....@loca.....7....DmaxpE......<... nameL..........2post...2...\... preph......,....vhea.j[K.......$vmtx.&..............................E....T.................................2.........................................................................n................E................>.n................DI....................wght..............................Is_.<.........."......cD.....n...........................X...K...X...^.2.E............ ....<.........ADBO. . ...p....... `.............. .......>...........X...........@...........8.........:..........."...........j.r...........T................................... .....................4..........."...........4.............x...........l...........l...........d...........P...........F...........8...........,.......................8......................

C:\Program Files\FxSound LLC\FxSound\NotoSansJP-Medium.ttf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	TrueType Font data, 18 tables, 1st "GDEF", 28 names, Microsoft, language 0x409
Category:	dropped
Size (bytes):	5729332
Entropy (8bit):	6.8159941205138805
Encrypted:	false
SSDEEP:	49152:Oi7/LBcP8JrdDMLDgAU0Z8J5CcIYsEfWLhM4zja/gomukguQYwQLWOPhK7TK:nbmkDKBc5CcRIC4aozukrwUWOuK
MD5:	818EEFFF2FA0B989124D9BA3A84F073C
SHA1:	07CE11B5F8C64155D30FCDBF849B82E3840CB53C
SHA-256:	FDB4044741BC68F30EA8B92C1AEFD920530A2D044F8753A6148148ABDEB33958
SHA-512:	96483C07AFD1A7B6177F00BA3794A2E6BA321BA7AA4AC57B491482308A106D0FD08F8735E2B5E9241CD13AB140702015678401875DE574A0793364B5DBE19E67
Malicious:	false
Preview:	........... GDEF.......\|..."GPOS..J...X.....GSUB..U.......M.OS/2.O.....L...`STATy.j........cmap.qGX..>.....gasp.......4....glyf{C.f..9H.Q2.head"..E.......6hhea..M........$hmtx..K........@loca......(T...DmaxpE......<... name.vt........Vpost...2...\... preph......,....vhea..[\.......$vmtx.F.....`........................E....T.................................2.........................................................................o................E.............. .O.o................DI....................wght..............................._.<.........."......cD.....o...........................X...K...X...^.2.E............ ....<.........ADBO.@. ...p....... `.............. .......V...........d.........&.>...........0.........>...........&.>.........j...........".f...................................2...........(.........4..........."...........4.........................z...........f...........Z...........Z...........R...........>...........4...........0...........z...........$..........

C:\Program Files\FxSound LLC\FxSound\NotoSansJP-Regular.ttf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	TrueType Font data, 18 tables, 1st "GDEF", 26 names, Microsoft, language 0x409
Category:	dropped
Size (bytes):	5732824
Entropy (8bit):	6.7835793981487065
Encrypted:	false
SSDEEP:	98304:uviyc7iEp2yRSAVjEiaqXFSH9Rlo3uicF1t9FD1RpGdn0FsqvOVDwnh:+iyc7iEp2yRSAVjEiaqXFSHuuicF1x17
MD5:	022F32ABF24D5534496095E04AA739B3
SHA1:	6030F4E7D59B356D0EAF26F1BCA370A999335058
SHA-256:	FB3DF01B4182734D021D79EC5BAC17903BB681E926A059C59ED81A373D612241
SHA-512:	52C5231EFE966A5EE4069A5BACABBF561D6A840BCB51822316F3B84C1B0FE6A4331A17CE002358F4DE15D8A9BD36E4CD51880DBCD3FC572176F7F3D08D96F1A3
Malicious:	false
Preview:	........... GDEF.......\|..."GPOS.U(..Xt....GSUB..U.......M.OS/2.......P...`STATx.l.........cmap.qGX..>.....gasp.......4....glyf..}{..98.Q@.head"..E.......6hhea..N........$hmtx..s........@loca.k....(D...DmaxpE......<... name..lt.......Dpost...2...\... preph......,....vhea..[h.......$vmtx...L...P........................E....T.................................2.........................................................................p................E..............6.[.p................DI....................wght.................................y.k_.<.........."......cD.....p...........................X...K...X...^.2.E............ ...*.<.........ADBO.@. ...p....... `.............. .......>...........j...........R...........D.........@...........(...........j.r.........$.N.........................................................4..........."...........4.............r...........f...........f...........^...........J...........@...........D...........4...........$..............................

C:\Program Files\FxSound LLC\FxSound\NotoSansKR-Bold.otf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	OpenType font data
Category:	dropped
Size (bytes):	4909668
Entropy (8bit):	7.368899402965331
Encrypted:	false
SSDEEP:	98304:enEug8DH6ILVsFG88XJb2kRAOpEa3m5L4IlSyHApLmSi72TJiqvYg5Ka6xQQ3L:eu6dAl8ZTRAOpl30c6ELWmiqvY6yrL
MD5:	E2406FF1791C401BC93E73D9E44E6D2B
SHA1:	49E50DE244558C4C21F43D85B7404CABB970B30B
SHA-256:	E7BE1CDB169344A75BDF09F8563DCF5E662194BE3064873B6B4CA57E0BA0774F
SHA-512:	2A386A33F204FA5D07DA0DA4BB45590DDECA669235B77471FCA2E5405F749C9AD35289D439F48F2340377E27EE85725644C6F051D6DEEA10ED9C49B837B845FA
Malicious:	false
Preview:	OTTO.......pCFF .......\|.E..GDEF............GPOS\.._..x<....GSUB..0.......j4OS/2...........`VORG....... ....cmap......%h....head.!4g.......6hhea..iv...@...$hmtx............maxpa%P.........name..H........:post...2... ... vhea.jv....d...$vmtx..Rc..........P.a%.........................................2.....................................n................a%...............>.n................_............j_.<...........x.......x......n...........................X...K...X...^.2.E............0...+.<.........GOOG. . ...p....... `.............. .......p.....f...k...k...z...........g...`.......{...g...g...g...g...g...g...g...g...g...g...g...g...g...................................................W...^...^...W...W...^...W...^...^...^...W...^...^...W...W...^...W...^...^...^...d...d...k.$...%...&.a.'.h...b...a...............b.......g.......g...v...g...g...g.......g...................g...v...g...g...g...................}...................v...................................-...O...a...a...g........

C:\Program Files\FxSound LLC\FxSound\NotoSansKR-Medium.otf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	OpenType font data
Category:	dropped
Size (bytes):	4768768
Entropy (8bit):	7.457467785730833
Encrypted:	false
SSDEEP:	98304:ZyEuezzWZAAjDyfnbWfANGPj89xGXE5D6fUdeujQlae22ljN1PSTl/EsqoCXpmU9:ZlzyZAAnyvbWY/9MODkKQl92YjeTls1L
MD5:	32666AE307200B0BCAB5553590672BB1
SHA1:	A4CDC5C494D118E231A32DDA98373E7835AC9DD8
SHA-256:	256BB06B91D974DDBC0E3C063C85522CDA6187CC638F0C6AE5D752EFA63FE093
SHA-512:	EB1459B024346ECB2A2014A481202C76988F2757C1287908295ECBF71E51CE1FDB886CC07C28B49D86FAEDD59FBFC7C017D5C5B797D03447314F882184E76847
Malicious:	false
Preview:	OTTO.......pCFF ...o.....B..GDEF............GPOS.....xx....GSUB..0....D..j4OS/2.G.........`VORG....... ....cmap......$.....head.'3........6hhea..i....@...$hmtx.i.....P....maxpa%P.........name..R........ppost...2... ... vhea..v....d...$vmtx..o....H......P.a%.........................................2.....................................o................a%............. .O.o................_............y_.<...........w.......w......o...........................X...K...X...^.2.E............0...+.<.........GOOG... ...p....... `.............. .......p.....d...g...g...v...........d...k...].......x...e...d...d...d...d...d...d...d...d...d...d...d...d...................................................T...[...[...T...T...[...T...[...[...[...T...[...[...T...T...[...T...[...[...[...d...d.$...%...&._.'.e..._..._..............._.......e.......e...u...e...e...e.......e...................e...u...e...e...e...................\|...................u...................................*...O..._..._...e........

C:\Program Files\FxSound LLC\FxSound\NotoSansKR-Regular.otf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	OpenType font data
Category:	dropped
Size (bytes):	4744692
Entropy (8bit):	7.421579840888723
Encrypted:	false
SSDEEP:	98304:WREu/Kcw9VIXKPq8fCupfDdcCMjfe3NmletiwzaSs3ItjgB7v2bGPzraG69s9U59:WzbW+XKPPKqrd18f9MScGPXaVIU5YBQ
MD5:	210989664066C01D8FFDBDF56BB773CD
SHA1:	5F533D0D5CAF3847AFA2D78301E7B87B3485ECBC
SHA-256:	29445948E432137E0DE104DEC389E956D72633AA0E4CB04CA572BB8E378E3D35
SHA-512:	86AB46CE5F441AB7ADE525B0ACE1347D0B26A77303CDE9F11C68C772431E9CE181F50847C9D4D31026752F6230E66549692108DF9F1197F99C42FB5525C42ADC
Malicious:	false
Preview:	OTTO.......pCFF ...=....B.YGDEF............GPOS......x.....GSUB..0.......j4OS/2...........`VORG....... ....cmap......$.....head.-3}.......6hhea..i....@...$hmtx............maxpa%P.........name..Hy.......*post...2... ... vhea..v....d...$vmtx...j..........P.a%.........................................2.....................................p................a%.............6.[.p................_...........7h_.<...........w.......w......p...........................X...K...X...^.2.E............0...+.<.........GOOG.@. ...p....... `.............. .......p.....c...d...k...d...........b...i...[.......u...c...b...b...b...b...b...b...b...b...b...b...b...b...w...w...w...w.......w...w...w...w.......w...w...R...Y...Y...R...R...Y...R...Y...Y...Y...R...Y...Y...R...R...Y...R...Y...Y...Y...d...d.$...%...&.].'.c...]...]...............].......c.......c...c...c...c.......c...................c...c...c...c... ...............{...................................................'...N...]...]...c....................

C:\Program Files\FxSound LLC\FxSound\NotoSansSC-Bold.otf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	OpenType font data
Category:	dropped
Size (bytes):	8716392
Entropy (8bit):	7.495261473238618
Encrypted:	false
SSDEEP:	196608:tYotfY/gXxDZWgpU9Gt1Bzo5UO86DT2O/Hq8ADWmAp5G9r+4wNQ/+W:xtg/+DEx9RU0T2O/UW1p5G9lk+
MD5:	9C8CB849CB0041912EC77C9C59725A2A
SHA1:	60A514FD2A07CA63EBD7F5484951E50CB03F4FC2
SHA-256:	D1961BE1161EA1BE08496C920862D06EA5C23A757628F4FD69368DE1D9F51BED
SHA-512:	2C89324DCC21D9AAA44258BF96A295115F19B8264AB125250E20AB5BE0A7C1A55754BD754B569D938C7145FB431FCAFDA75900CD461F6A3FADD2D38728D13931
Malicious:	false
Preview:	OTTO.......pCFF G8j........fGDEF............GPOS.7"e..\|....^GSUB..2.......)`OS/2...........`VORG#)..... ....cmap].....7h..E#head.!4{.......6hhea.......@...$hmtx.^K^...0....maxpx.P.........name..H........:post...2... ... vhea.j.o...d...$vmtx..yr.......B..P.x..........................................2.....................................n................x................>.n................wm........D..E_.<...........x.......x......n...........................X...K...X...^.2.E............ ...*.<.........GOOG. . ...p....... `.............. .......p.....f...k...k...z...........g...`.......{...g...g...g...g...g...g...g...g...g...g...g...g...g...................................................W...^...^...W...W...^...W...^...^...^...W...^...^...W...W...^...W...^...^...^...d...d...k...........a...h...b...a...............b.......g.......g...v...g...g...g.......g...................g...v...g...g...g...................}...................v...................................-...O...a...a...g........

C:\Program Files\FxSound LLC\FxSound\NotoSansSC-Medium.otf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	OpenType font data
Category:	dropped
Size (bytes):	8508580
Entropy (8bit):	7.531997873570796
Encrypted:	false
SSDEEP:	196608:jhk120oT4Q8zL13Y0kv11hkQzvL9+fWdJMEtr9HYMiOA5dZARxZsa2Hl9:9OQTD8zL1DkdzZL9+eJT4MjMKRbp2z
MD5:	34D4F8EE5AD2748A4CF36D3D414B49AF
SHA1:	57F0F560DF654BC8E322A44C947672AE92CD2FAD
SHA-256:	9C62CEB174D7529AE4A7F2071F6531991CFADBC2F1897910B48BA951A580AC57
SHA-512:	63D2E90007C7D26203E5010291478A431701018F6A75107C2365DCF3B968CE38086CED05E31C57505B5C2564E22A32E63410E5B143D57F7ED914276967096788
Malicious:	false
Preview:	OTTO.......pCFF ...q...x.\|.,GDEF............GPOSN.....\|.....GSUB..2....D..)`OS/2.G.........`VORG....... ....cmap].....7...E#head.'4........6hhea.......@...$hmtx..\.........maxpx.P.........name.eR........ppost...2... ... vhea.......d...$vmtx.......d...B..P.x..........................................2.....................................o................x.............. .O.o................wm..........._.<...........w.......w......o...........................X...K...X...^.2.E............ ....<.........GOOG... ...p....... `.............. .......p.....d...g...g...v...........d...k...].......x...e...d...d...d...d...d...d...d...d...d...d...d...d...................................................T...[...[...T...T...[...T...[...[...[...T...[...[...T...T...[...T...[...[...[...d...d..........._...e..._..._..............._.......e.......e...u...e...e...e.......e...................e...u...e...e...e...................\|...................u......................................O..._..._...e........

C:\Program Files\FxSound LLC\FxSound\NotoSansSC-Regular.otf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	OpenType font data
Category:	dropped
Size (bytes):	8482020
Entropy (8bit):	7.490491055703114
Encrypted:	false
SSDEEP:	196608:V7zc85mwwTUbsFIpaGu97lX6vf6LzkROpDYBFSvjL/0jbGQH2YQylFW:i85mzTDGu97gEzkRNrS3/NC29ynW
MD5:	E3AE561F7B8052D9AA9F2B0B09C33EA1
SHA1:	7FB779EA2A8D83D7F80D4A2865D1EBB5E3CF1257
SHA-256:	A2B93E6C2DB05D6BBBF6F27D413EC73269735B7B679019C8A5AA9670FF0FFBF2
SHA-512:	32B1F305AEC14A5EA7C1166F76C5BA7DCD1D4FCF513902EA1E2811EC1F2B72CC73EFB6CAE4369FD877619EE66EAABD014C6ED0FF7C9D9B5E7F1C5FF3DCC8E8AD
Malicious:	false
Preview:	OTTO.......pCFF .^.......\|..GDEF............GPOSS`.8..\|h....GSUB..2.......)`OS/2...........`VORGb...... ....cmap].....7D..E#head.-3........6hhea...&...@...$hmtx...H...H....maxpx.P.........name..Hz.......post...2... ... vhea.......d...$vmtx...........B..P.x..........................................2.....................................p................x..............6.[.p................wm..........._.<...........w.......w......p...........................X...K...X...^.2.E............ ....<.........GOOG.@. ...p....... `.............. .......p.....c...d...k...d...........b...i...[.......u...c...b...b...b...b...b...b...b...b...b...b...b...b...w...w...w...w.......w...w...w...w.......w...w...R...Y...Y...R...R...Y...R...Y...Y...Y...R...Y...Y...R...R...Y...R...Y...Y...Y...d...d...........]...c...]...]...............].......c.......c...c...c...c.......c...................c...c...c...c... ...............{...................................................'...N...]...]...c....................

C:\Program Files\FxSound LLC\FxSound\NotoSansTC-Bold.ttf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	TrueType Font data, 19 tables, 1st "BASE", 26 names, Microsoft, language 0x409
Category:	dropped
Size (bytes):	7105548
Entropy (8bit):	6.830190126179585
Encrypted:	false
SSDEEP:	98304:3kx7lyIypcUNF+wHwAJ9YkwrONScmOTnT0UvaP:Ux7yRF+LAJHwyvnQz
MD5:	8A5B2818BD2B3D898405D5D22FFFA3DA
SHA1:	E2083B57F19A3807ECF79BE548E672EDDCFC8A98
SHA-256:	D6748BF86E76740D592FF143AF61D0C80B453F5F8544C2C71CDFC52EA0DC0F30
SHA-512:	87AD202505DB5D2C0964288789662F8F32598064CB616ECB329CA02E942FFDF8A5997CD4B6CE9DACDAA092F817FBE991CF103EA89F85450C58A46ACEF31ED9E3
Malicious:	false
Preview:	...........0BASE.Wj.........GDEF.......L....GPOSu....5.....GSUB.o........):OS/2.......T...`STATy.kI.......cmap............gasp.......D....glyf......3..f8head"."........6hhea..Y........$hmtx..cm..)`..E0loca.q...n...E4maxpQ......h... nameK..3.......2post...2....... preph......<....vhea.jg........$vmtx..........B.................................................QL...W.................................2.....................................n................QL...............>.n................P.....................wght.............................#._.<..........%.............n...........................X...K...X...^.2.E............ ...*.<.........ADBO. . ...p....... `.............. .......j............DFLT.8cyrl.&grek.&hani.8kana.8latn.&...........(.".\|.................j.....x.....n... .h.h....DFLT.8cyrl.&grek.&hani.8kana.8latn.&...........,.&."...............................P................icfbicftideoromn.....>...........X...........@...........8.........:..........."...........j.r..

C:\Program Files\FxSound LLC\FxSound\NotoSansTC-Medium.ttf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	TrueType Font data, 19 tables, 1st "BASE", 28 names, Microsoft, language 0x409
Category:	dropped
Size (bytes):	7106884
Entropy (8bit):	6.800176318406519
Encrypted:	false
SSDEEP:	98304:GqbyX/gAuQ9eEFUi2t2ZMp06WRWWzfiWvz36JzEEILyT:Bt8e7x1ajoEbW
MD5:	77BB826EA1EACFCD234608D3DEDD1E2D
SHA1:	0207E8E9DDE26122D25E4880CC340AC9FDEA5A9A
SHA-256:	6DAB5509DA393017701282DA4F8373731FF5471BDEAB05C08CF06BE2A2738B1E
SHA-512:	C63711F90771A1DFDE7F6328AD63AD2AC72F768FEA2BCC0719F3DF2E127A178711C083C17E8FCAE00B08AC4411ED9768FE38FBE542BF43CC1EF91F9D4CC6A482
Malicious:	false
Preview:	...........0BASE.Wj.........GDEF.......L....GPOS.L....5,....GSUB.o........):OS/2.O.....T...`STATy.j........cmap.......,....gasp.......D....glyf.....$H.fL.head"."........6hhea..Y........$hmtx..M_......E0loca.fT6..^...E4maxpQ......h... name..t\|.......Vpost...2....... preph......<....vhea..g........$vmtx.......(..B.................................................QL...W.................................2.....................................o................QL............. .O.o................P.....................wght..............................._.<..........%.............o...........................X...K...X...^.2.E............ ....<.........ADBO.@. ...p....... `.............. .......j............DFLT.8cyrl.&grek.&hani.8kana.8latn.&...........(.".\|.................j.....x.....n...&.h.h....DFLT.8cyrl.&grek.&hani.8kana.8latn.&...........,.&."...............................J................icfbicftideoromn.....V...........d.........&.>...........0.........>...........&.>.........j....

C:\Program Files\FxSound LLC\FxSound\NotoSansTC-Regular.ttf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	TrueType Font data, 19 tables, 1st "BASE", 26 names, Microsoft, language 0x409
Category:	dropped
Size (bytes):	7110796
Entropy (8bit):	6.76468064756037
Encrypted:	false
SSDEEP:	196608:SGyc7iEp2yRSAVjEiaqXFSHi5iBknbXHH6zV4:xjHHC6
MD5:	A136A9B3ED5E7705532A0B09BAE2B5FA
SHA1:	6665A06380F6228B5FA1F902B9303643788788A5
SHA-256:	F78E4152BF5364F8B7F503BD339A18F3ECA55300587E105E5FE5E267ACD125F4
SHA-512:	D3D56AB1B80D1DD4E4803A1B3E842EAC3A063DC2C93A17C297AAAEFBF872CB677BBD5DF94C58A497F0CC40ACA9ECD8C9A26B74E815947D7D020B24A4BF224DCE
Malicious:	false
Preview:	...........0BASE.Wj.........GDEF.......L....GPOS.[.n..5.....GSUB.o........):OS/2.......X...`STATx.l.........cmap............gasp.......D....glyf......$8.f\Shead".".... ...6hhea..Y........$hmtx.........E0loca..8..^...E4maxpQ......h... name..la.......Dpost...2....... preph......<....vhea..g".......$vmtx...W......B.................................................QL...W.................................2.....................................p................QL.............6.[.p................P.....................wght..................................$j_.<..........%.............p...........................X...K...X...^.2.E............ ....<.........ADBO.@. ...p....... `.............. .......j............DFLT.8cyrl.&grek.&hani.8kana.8latn.&...........(.".\|.................j.....x.....n....h.h....DFLT.8cyrl.&grek.&hani.8kana.8latn.&...........,.&."...............................F................icfbicftideoromn.....>...........j...........R...........D.........@...........(...........j

C:\Program Files\FxSound LLC\FxSound\NotoSansThai-Medium.ttf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	TrueType Font data, 16 tables, 1st "GDEF", 14 names, Microsoft, language 0x409, Copyright 2022 The Noto Project Authors (https://github.com/notofonts/thai)Noto Sans Thai Medium
Category:	dropped
Size (bytes):	46448
Entropy (8bit):	6.342108991808269
Encrypted:	false
SSDEEP:	768:mK81vBz2gZztejCF0T0y/bGxWBraFRP+PTleQBJ/vmjpJIuzXrlay+Jv8iqK5:mKMZzrE0tFRKTl1/vmxBay+Jv8iqK5
MD5:	B26FBAE4345B2CD98CF41FCA34206B56
SHA1:	A4075B2CFEAE20A076B0303622F3EC7A4A558480
SHA-256:	6ACDBF858F40BCC0FA57B3971B1C5FE904C46B38DF8E4073556BD51F22FED358
SHA-512:	E560A762DB0E95D5C85A7392C7E7622DA101DDADCCC3AC90C2ED09668FFD5AC4662EAB4EAC1A9486F599ABF0F321C3783D62838D48DD0046489B3BC26F486E0A
Malicious:	false
Preview:	............GDEF...\........GPOS.`.....p....GSUB>.C....@....OS/2...........`STAT.[.W...0...@cmap..TL........gasp.......\|....glyfm.......w.head..<...\|....6hhea.5.....h...$hmtx......}....`loca%.....y.....maxp......x.... name>.cL.......xpost..v;...p....preph..............^............3.!.%!.!^.....5.....63.d.............3....7..#"&&54632...&&#"....326553.3.3..#"&'7..326553..H..Y?6U0SJ.$..... +3363k...'<#.0.....39k..Z.C='P;KV..K..(,099....f,:...C..<:x.....K...........#.'..7.32............#'32654&##532654&##..3.K.{y@;(A&7eF..K;>NzvH7DGjQ@$..JU8K..."?1:R+V=-,7V0,-).w.2.....N.....$....."&5.3...3265.3....2zjk;>><kk.ph.W..?>>?.Z..hp...&...../....35#53.326654&&#"..56632......#.G..)8.!H:1V&.c;]p30n[.L.'UDFW'..`..B~[X{A...3.....+.=..."&554676654&#"..'6632.............326554&##5326653............dk...........9.'0........00 $..& .k.,...e.^\7/9..".....H.../ #0..,%50./..#&?%6.7L... )..T[...O...../.#..."&&553...326554&&#"..56632....#'#....8Q,i54@H%E01\(.j?Vk2U...Y.&P@.{58REV<B...`..6hM..Q'4...?...B

C:\Program Files\FxSound LLC\FxSound\NotoSansThai-Regular.ttf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	TrueType Font data, 16 tables, 1st "GDEF", 12 names, Microsoft, language 0x409, Copyright 2022 The Noto Project Authors (https://github.com/notofonts/thai)Noto Sans ThaiRegular
Category:	dropped
Size (bytes):	46380
Entropy (8bit):	6.332636311465189
Encrypted:	false
SSDEEP:	768:tKC1+LWAHjb4oBQ4TETj4oaNGrHmcsa3cGr2yxzQqaf2KVvbd+9MzXrlaKn8iqK8:tKo4400XHDsa39/x8qevBBaKn8iqK8
MD5:	DB4FA9CBA5C3BED6D99A608207F5240B
SHA1:	65AF553B1091B015CAFEA3A1498C9F8E36997864
SHA-256:	2166DDD8DD7650AC7A7D81FD229CACBE99C06CF559D93DB3B37D356312DEB405
SHA-512:	BD81A38A4ADB1849D19393D6476719C13E93EA418DCF369E38872D0FF59325FD8058AC683B514EE3B6663FD8F88BABDA0CFD065CC5E0F7ED9E1858B5893F031F
Malicious:	false
Preview:	............GDEF...\...`....GPOS...#...L....GSUB>.C.........OS/2._.........`STAT...V.......Dcmap..TL........gasp.......X....glyf.#.......w.head..<...\|....6hhea.5.....`...$hmtxw.....}....`loca#..b..y.....maxp......x.... name9][........Zpost..v;...L....preph..............^............3.!.%!.!^.....5.....63.d.............3....7..#"&&54632...&&#"....326553.3.3..#"&'7..326553..L..Z?7U/RH.#.....#/87;7Y...)>#.......7<Y..a.F=(O:JU..C..,/14>>....l-;...:..?=w.....O...........#.'..7.32............#'32654&##532654&##..3.O.{\|@<)B'8eF..RADVzvP;JNiY=$..IV9J..."?2:Q+LA1/;M301+.n.2.....Q.....$....."&5.3...3265.3....-vfY@CDAYg.ld.^..CBBC._..dl...&..........35#53.326654&&#"..56632......#.L..-<.!I>/W(.b9[m0/iX.F.(ZJJ\..S..C~ZW{A...6.....*.=..."&554676654&#"..'6632.............326554&##5326653............_g...........5.%-......2.24"&..)".Y.....`.[[=2:..".....@...-.%0...%;.2./1.%'9&7.5J...!)..MW...Q.......#..."&&553...326554&&#"..56632....#'#....8S-X::GN'H30[+.g=Uj1I...[.'Q@..7=YIZBH...S..6hM..Q(3...B...9

C:\Program Files\FxSound LLC\FxSound\updater.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1268120
Entropy (8bit):	6.434876572659063
Encrypted:	false
SSDEEP:	24576:T8TT5mMPkXpnKLPuNiS1uw13LJhLEThRCe05E50REidWZXSMzPQbQZ:T8TT5mM8IL2gjw13LJhLET+l5E58oXSQ
MD5:	A4C5E08AFDB48AF64B0A06AFCE16F6E9
SHA1:	7F82BEA7F758B02BB3A4178EC0EF278E869797E7
SHA-256:	0B0B415E2D87AD8137C577051CC47BFCDD9EA61E37555D200BB469219769551A
SHA-512:	B73DFABC3F22B6BB8C3537E0111668568A8C411BADFE48E3A8FDF848F5F67BC7ECAABDEED20FE2F816B9CF134536E4DAB8A8013A184AFCA7BB39B01A3E6AA442
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........3.H.].H.].H.]..^.F.]..X..]..Y.\.]..^.P.]..X...]..Y.S.]..[.I.]..\._.].H.\.]..T..]....I.].._.I.].RichH.].................PE..L......f.........."....'.....$.......&....... ....@.................................r.....@..................................-.......................0...)......<.......p............................d..@............ .......".. ....................text............................... ..`.rdata...)... ...*..................@..@.data...T3...P.......6..............@....didat..H............T..............@....rsrc................V..............@..@.reloc..<............`..............@..B........................................................................................................................................................................................................................................................

C:\Program Files\FxSound LLC\FxSound\updater.ini

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	485
Entropy (8bit):	5.418822249596731
Encrypted:	false
SSDEEP:	12:1CGbPmi+BUpvtAB8zu3VyXWCECFbSt7Mecsi1VIHY3Al:1nn+01zAV6g7MeI1V+YQl
MD5:	A8F411FE6956A38F637DE9416D1C50AF
SHA1:	D2B7608C37B371E5D82EDAE5FACDF993DEC79AC2
SHA-256:	F622914127718C138B2C5519FC0756D81E2923FB980E72891BB8515111E7AB7E
SHA-512:	CDFECB1D04EFB7F6A19ACE90EFE3F8CA2205D99F036DBF153C8644F63900B303F458818FFAEEB2A06FB24A82201926E3E96C80795A806327070111C736A9398A
Malicious:	false
Preview:	[General]..AppDir=C:\Program Files\FxSound LLC\FxSound\..ApplicationName=FxSound..CompanyName=FxSound LLC..ApplicationVersion=1.1.27.0..DefaultCommandLine=/silent..URL1=https://download.fxsound.com/updates..CheckFrequency=2..DownloadsFolder=C:\ProgramData\FxSound LLC\FxSound\updates\..Flags=NoDisableAutoCheck\|PerMachine\|VerifyDigitalSignature\|NoUpdaterInstallGUI..ID={1CA2081B-0D5A-41DF-86E8-2788204CE340}..URL=https://github.com/fxsound2/fxsound-app/raw/latest/release/updates.txt..

C:\ProgramData\FxSound LLC\FxSound\updates\updates.aiu (copy)

Download File

Process:	C:\Program Files\FxSound LLC\FxSound\updater.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	500
Entropy (8bit):	5.534247082373317
Encrypted:	false
SSDEEP:	12:tfa2i1VIHY3GFf5B8u1bW9q2kyhVOYXxcK7XF/K0W0fBm:t01V+YWCu1bmkyhV3XnX3JfBm
MD5:	782C01FE11372BF97ACAB0C01E3AE324
SHA1:	77162083D157F4C08849E8266D0C9FBFD033BDBA
SHA-256:	108F237FCDA38890D8D2875216262E3F5C8BF7AAE609E4DD2223AA999549704D
SHA-512:	8E2E438C2CE5427F004817CEE3DBAFF158987F153562DBF16F9AD1ACC4AFC197FF10DA30B1F1ADE348CCF66350DECD2844EEDB2AC84F2D4620266F24F238BCA0
Malicious:	false
Preview:	;aiu;..[Update].Name = FxSound.ProductVersion = 1.1.27.0.URL = https://github.com/fxsound2/fxsound-app/raw/latest/release/fxsound_setup.exe.URL1 = https://download.fxsound.com/fxsoundlatest.Size = 72388192.SHA256 = 7DBC411488E4E653769F98B014F2A24B185B24653CEE04FA5ED59B03438DA7E7.MD5 = d0509ad561d032d6179e95a521b06f10.ServerFileName = fxsound_setup.exe.Flags = SilentInstall\|Sys64.RegistryKey = HKUD\Software\FxSound LLC\FxSound\Version.Version = 1.1.27.0.AutoCloseApplication = [APPDIR]FxSound.exe.

C:\ProgramData\FxSound LLC\FxSound\updates\updates.aiu.part

Download File

Process:	C:\Program Files\FxSound LLC\FxSound\updater.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	500
Entropy (8bit):	5.534247082373317
Encrypted:	false
SSDEEP:	12:tfa2i1VIHY3GFf5B8u1bW9q2kyhVOYXxcK7XF/K0W0fBm:t01V+YWCu1bmkyhV3XnX3JfBm
MD5:	782C01FE11372BF97ACAB0C01E3AE324
SHA1:	77162083D157F4C08849E8266D0C9FBFD033BDBA
SHA-256:	108F237FCDA38890D8D2875216262E3F5C8BF7AAE609E4DD2223AA999549704D
SHA-512:	8E2E438C2CE5427F004817CEE3DBAFF158987F153562DBF16F9AD1ACC4AFC197FF10DA30B1F1ADE348CCF66350DECD2844EEDB2AC84F2D4620266F24F238BCA0
Malicious:	false
Preview:	;aiu;..[Update].Name = FxSound.ProductVersion = 1.1.27.0.URL = https://github.com/fxsound2/fxsound-app/raw/latest/release/fxsound_setup.exe.URL1 = https://download.fxsound.com/fxsoundlatest.Size = 72388192.SHA256 = 7DBC411488E4E653769F98B014F2A24B185B24653CEE04FA5ED59B03438DA7E7.MD5 = d0509ad561d032d6179e95a521b06f10.ServerFileName = fxsound_setup.exe.Flags = SilentInstall\|Sys64.RegistryKey = HKUD\Software\FxSound LLC\FxSound\Version.Version = 1.1.27.0.AutoCloseApplication = [APPDIR]FxSound.exe.

C:\ProgramData\FxSound\FxSound.settings

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	415
Entropy (8bit):	5.214548037731569
Encrypted:	false
SSDEEP:	6:TMVBd/1qFPM+/QOQlvqrJVQqLSvq/FkWttmIAFptcWFLIA7g:TMHdkFjQngJ3Ll/Fk0OBZI8g
MD5:	74727EA454AF89C1CF3E95F891F2B1DE
SHA1:	C9AF8F60F2F131AAB4934E3D56EAA53D5E1D5BA7
SHA-256:	4347A99E0A128052BC3A99811B9AAB78A2E51ABB147E705D13D844A300F79E4F
SHA-512:	62737761AE8A6B5A5200ECE3407E4EBBCDE781236AE1BD5BFD9CC833EA13D2E512DA0EB4F809E3183ED22F109649F689D9ADB1F88EC9D94CE7DF4B6F4302077D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<PROPERTIES>.. <VALUE name="power" val="1"/>.. <VALUE name="hotkeys" val="1"/>.. <VALUE name="preset" val="General"/>.. <VALUE name="cmd_on_off" val="393297"/>.. <VALUE name="cmd_open_close" val="393285"/>.. <VALUE name="cmd_next_preset" val="393281"/>.. <VALUE name="cmd_previous_preset" val="393306"/>.. <VALUE name="cmd_change_output" val="393303"/>..</PROPERTIES>

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FxSound\Check for FxSound updates.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Thu Aug 22 02:32:52 2024, mtime=Sat Dec 28 13:31:08 2024, atime=Thu Aug 22 02:32:52 2024, length=1268120, window=hide
Category:	dropped
Size (bytes):	2074
Entropy (8bit):	3.6637303934365075
Encrypted:	false
SSDEEP:	24:8wxXdPKZlUARE6d0VVd0VPb+MgP/S7d4WgPkJnBpTEyfm:8wxXdeBd0VVd0Vz5gnS7CWgu
MD5:	90F3D36E9DF78BAA3A71F858C43FBC26
SHA1:	847F89A0E2EA34F4CD60C02207604C2C6953FAB8
SHA-256:	F7F1E3E477AA37CDAED2C5D054C776CFAD22A219D19A7F83D4E9DB82B404DE55
SHA-512:	A01FE2D20064844E1FE9A264548C12F7E2849359579784D471F6D4D8B0AA07CF151AA599791CD44FD141E1CECCFC5CABE3BB67F279B66B714ABC21F10A113302
Malicious:	false
Preview:	L..................F.@.. .......C...v."5Y......C....Y...........................P.O. .:i.....+00.../C:\.....................1......Y.s..PROGRA~1..t......O.I.Y.s....B...............J....../..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....`.1......Y.s..FXSOUN~1..H......Y.s.Y.s....H....................../..F.x.S.o.u.n.d. .L.L.C.....V.1......Y.s..FxSound.@......Y.s.Y.s....I.....................q...F.x.S.o.u.n.d.....b.2..Y...Y.. .updater.exe.H.......Y...Y.s..............................u.p.d.a.t.e.r...e.x.e......._...............-.......^............SJ......C:\Program Files\FxSound LLC\FxSound\updater.exe..?.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.x.S.o.u.n.d. .L.L.C.\.F.x.S.o.u.n.d.\.u.p.d.a.t.e.r...e.x.e.%.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.x.S.o.u.n.d. .L.L.C.\.F.x.S.o.u.n.d.\.../.c.h.e.c.k.n.o.w.G.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.B.7.8.F.9.3.4.D.-.6.1.6.A.-.4.F.F.D.-.9.D.5.A.-.B.8.7.0.E.F.9.4.2.3.C.2.}.\.f.x.s.o.u.n.d.

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FxSound\FxSound.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Thu Aug 22 02:25:22 2024, mtime=Sat Dec 28 13:31:12 2024, atime=Thu Aug 22 02:25:22 2024, length=4684696, window=hide
Category:	dropped
Size (bytes):	2054
Entropy (8bit):	3.643892118012825
Encrypted:	false
SSDEEP:	24:8F1XdPKqvlARPk6d0VsKd0Vd+MgP/S7d4WgPkJnBXlEyfm:8F1Xd7vO1d0VsKd0Vd5gnS7CWg6
MD5:	EB6E500652A45276C527FA9A89CF00C6
SHA1:	8CC34F01544EF76931506E28D7F439F6DA7088E4
SHA-256:	A768F4DFE88CC0144192EE30B0B737D5804FDD4B98300C2C28BDF49902FB8DCD
SHA-512:	80910705D8DC7E1C8369D6C6A704D8594FE6F61728D81B46F39F14E589ECAEFE4B62BB46671A1CFF4660832B4DE0B9212AC2B30D23DAE0ACA8BE244E68FE6E38
Malicious:	false
Preview:	L..................F.@.. ....=..B......$5Y...=..B....{G..........................P.O. .:i.....+00.../C:\.....................1......Y.s..PROGRA~1..t......O.I.Y.s....B...............J....../..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....`.1......Y.s..FXSOUN~1..H......Y.s.Y.s....H....................../..F.x.S.o.u.n.d. .L.L.C.....V.1......Y.s..FxSound.@......Y.s.Y.s....I.....................q...F.x.S.o.u.n.d.....b.2..{G..Y+. .FxSound.exe.H.......Y+..Y.s....L.........................F.x.S.o.u.n.d...e.x.e......._...............-.......^............SJ......C:\Program Files\FxSound LLC\FxSound\FxSound.exe..?.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.x.S.o.u.n.d. .L.L.C.\.F.x.S.o.u.n.d.\.F.x.S.o.u.n.d...e.x.e.%.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.x.S.o.u.n.d. .L.L.C.\.F.x.S.o.u.n.d.\.G.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.B.7.8.F.9.3.4.D.-.6.1.6.A.-.4.F.F.D.-.9.D.5.A.-.B.8.7.0.E.F.9.4.2.3.C.2.}.\.f.x.s.o.u.n.d...e.x.e.........%Sys

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\FxSound.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Thu Aug 22 02:25:22 2024, mtime=Sat Dec 28 13:31:08 2024, atime=Thu Aug 22 02:25:22 2024, length=4684696, window=hide
Category:	dropped
Size (bytes):	2054
Entropy (8bit):	3.633056918863135
Encrypted:	false
SSDEEP:	24:8F1XdPxhCuvlARPk6d0VsKd0Vd+MgP/S7d4WgPkJnBXlEyfm:8F1XdWuvO1d0VsKd0Vd5gnS7CWg6
MD5:	EB901D844ED7565E49B6D836AFE0E00C
SHA1:	A0339C2CBC5CFFA9D8FF1E94D8B8C277770D2BCC
SHA-256:	BF5E3A22976425513D8F1674F9D889F59D760CE4E9C1C5A91DB35235FEEE2F97
SHA-512:	41DAE1C8773653CD2526DB234A69F24E163B6338203BED5A3F6C3F3D18EBE9767A69C4DAC760F480FE0A9E45A43695775546DF0BC99DC6C361506E0C5298E138
Malicious:	false
Preview:	L..................F.@.. ....=..B.....x"5Y...=..B....{G..........................P.O. .:i.....+00.../C:\.....................1......Y.s..PROGRA~1..t......O.I.Y.s....B...............J....../..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....`.1......Y.s..FXSOUN~1..H......Y.s.Y.s....H....................../..F.x.S.o.u.n.d. .L.L.C.....V.1......Y.s..FxSound.@......Y.s.Y.s....I.........................F.x.S.o.u.n.d.....b.2..{G..Y+. .FxSound.exe.H.......Y+..Y.s....L.........................F.x.S.o.u.n.d...e.x.e......._...............-.......^............SJ......C:\Program Files\FxSound LLC\FxSound\FxSound.exe..?.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.x.S.o.u.n.d. .L.L.C.\.F.x.S.o.u.n.d.\.F.x.S.o.u.n.d...e.x.e.%.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.x.S.o.u.n.d. .L.L.C.\.F.x.S.o.u.n.d.\.G.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.B.7.8.F.9.3.4.D.-.6.1.6.A.-.4.F.F.D.-.9.D.5.A.-.B.8.7.0.E.F.9.4.2.3.C.2.}.\.f.x.s.o.u.n.d...e.x.e.........%Sys

C:\Users\Public\Desktop\FxSound.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Thu Aug 22 02:25:22 2024, mtime=Sat Dec 28 13:31:12 2024, atime=Thu Aug 22 02:25:22 2024, length=4684696, window=hide
Category:	dropped
Size (bytes):	2036
Entropy (8bit):	3.641204139183693
Encrypted:	false
SSDEEP:	24:861XdPKqvlARP+d0VsKd0Vd+MgP/S7d4WgPkJnBXlEyfm:861Xd7vOId0VsKd0Vd5gnS7CWg6
MD5:	F3D4ACF128F9F15B76133342DCED8240
SHA1:	71E178054A3F58291BB82F112DEC10FE509377F6
SHA-256:	9D5FAE38F8E2C4A49D1C1374BEB62867722E26F24DA874FBA4DB7C93910B53FC
SHA-512:	02985A99EFCEB912551848E15D9B1E94AB76160F3FEF65E0D99D2F5B6DC291038F40422A145F34C960FC0F41F46A223E38293B3DA42398AF828353D8046AF9FA
Malicious:	false
Preview:	L..................F.@.. ....=..B......$5Y...=..B....{G..........................P.O. .:i.....+00.../C:\.....................1......Y.s..PROGRA~1..t......O.I.Y.s....B...............J....../..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....`.1......Y.s..FXSOUN~1..H......Y.s.Y.s....H....................../..F.x.S.o.u.n.d. .L.L.C.....V.1......Y.s..FxSound.@......Y.s.Y.s....I.....................q...F.x.S.o.u.n.d.....b.2..{G..Y+. .FxSound.exe.H.......Y+..Y.s....L.........................F.x.S.o.u.n.d...e.x.e......._...............-.......^............SJ......C:\Program Files\FxSound LLC\FxSound\FxSound.exe..6.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.x.S.o.u.n.d. .L.L.C.\.F.x.S.o.u.n.d.\.F.x.S.o.u.n.d...e.x.e.%.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.x.S.o.u.n.d. .L.L.C.\.F.x.S.o.u.n.d.\.G.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.B.7.8.F.9.3.4.D.-.6.1.6.A.-.4.F.F.D.-.9.D.5.A.-.B.8.7.0.E.F.9.4.2.3.C.2.}.\.f.x.s.o.u.n.d...e.x.e.........%SystemRoot%\Installer

C:\Users\user\AppData\Local\Temp\MSI9996.LOG

Download File

Process:	C:\Users\user\Desktop\fxsound_setup.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (507), with CRLF line terminators
Category:	dropped
Size (bytes):	32368
Entropy (8bit):	3.7960631862102083
Encrypted:	false
SSDEEP:	768:/2ESkvqxICEGZdKp4YEITcFBKl6Ka4kJ6KFsvqDKAOglTuaq4KKTml0+ESunYXYa:dzE6G2y7g1C6LthvnRpevzaKfsixOzOw
MD5:	94CA39043F092C82C88A52FFD6A401AB
SHA1:	4E02090E61B6AA10005E5C3437D8FDD4494143AD
SHA-256:	7DA33D9059F19B3361E7E1C07600FF7F312B7A8FA66F23FBEB80176C2661279A
SHA-512:	A0888FDB381698EEA8DD4B9E080D88F9A83266891AF03040E4D97C6FA1457D35744F94A8451E21F87D6A439D8008A1B600078A25B1065BDBC2C08D9208AD3D54
Malicious:	false
Preview:	..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .2.8./.1.2./.2.0.2.4. . .0.9.:.3.1.:.0.1. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.D.e.s.k.t.o.p.\.f.x.s.o.u.n.d._.s.e.t.u.p...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.E.4.:.F.4.). .[.0.9.:.3.1.:.0.1.:.6.0.4.].:. .S.O.F.T.W.A.R.E. .R.E.S.T.R.I.C.T.I.O.N. .P.O.L.I.C.Y.:. .V.e.r.i.f.y.i.n.g. .p.a.c.k.a.g.e. .-.-.>. .'.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.F.x.S.o.u.n.d. .L.L.C.\.F.x.S.o.u.n.d. .1...1...2.7...0.\.i.n.s.t.a.l.l.\.f.x.s.o.u.n.d...x.6.4...m.s.i.'. .a.g.a.i.n.s.t. .s.o.f.t.w.a.r.e. .r.e.s.t.r.i.c.t.i.o.n. .p.o.l.i.c.y.....M.S.I. .(.c.). .(.E.4.:.F.4.). .[.0.9.:.3.1.:.0.1.:.6.0.4.].:. .S.O.F.T.W.A.R.E. .R.E.S.T.R.I.C.T.I.O.N. .P.O.L.I.C.Y.:. .C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.F.x.S.o.u.n.d. .L.L.C.\.F.x.S.o.u.n.d. .1...1...2.7...0.\.i.n.s.t.a.l.l.\.f.x.s.o.u.n.d.

C:\Users\user\AppData\Local\Temp\MSI9B9B.tmp

Download File

Process:	C:\Users\user\Desktop\fxsound_setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	925800
Entropy (8bit):	6.5962529078695535
Encrypted:	false
SSDEEP:	24576:fuPYAGxUherZNh0lhSMXlrI5s2JK5kmwE:2P5Ferq7I5RJK5k1E
MD5:	421643EE7BB89E6DF092BC4B18A40FF8
SHA1:	E801582A6DD358060A699C9C5CDE31CD07EE49AB
SHA-256:	D6B89FD5A95071E7B144D8BEDCB09B694E9CD14BFBFAFB782B17CF8413EAC6DA
SHA-512:	D59C4EC7690E535DA84F94BEF2BE7F94D6BFD0B2908FA9A67D0897ABE8A2825FD52354C495EA1A7F133F727C2EE356869CC80BACF5557864D535A72D8C396023
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........u....i..i..i.zfj..i.zfl...i.k.m..i.k.j..i.k.l...i.zfm..i.zfo..i.zfh..i..h.n.i.Z.`...i.Z.i..i.Z....i.....i.Z.k..i.Rich..i.........................PE..L......f.........."!...'.....&......p0.......................................0.......p....@A.........................&......./..,.......................h:..............p...........................0...@............................................text...Z........................... ..`.rdata...[.......\..................@..@.data....(...P.......2..............@....rsrc................F..............@..@.reloc...............P..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI9C19.tmp

Download File

Process:	C:\Users\user\Desktop\fxsound_setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	925800
Entropy (8bit):	6.5962529078695535
Encrypted:	false
SSDEEP:	24576:fuPYAGxUherZNh0lhSMXlrI5s2JK5kmwE:2P5Ferq7I5RJK5k1E
MD5:	421643EE7BB89E6DF092BC4B18A40FF8
SHA1:	E801582A6DD358060A699C9C5CDE31CD07EE49AB
SHA-256:	D6B89FD5A95071E7B144D8BEDCB09B694E9CD14BFBFAFB782B17CF8413EAC6DA
SHA-512:	D59C4EC7690E535DA84F94BEF2BE7F94D6BFD0B2908FA9A67D0897ABE8A2825FD52354C495EA1A7F133F727C2EE356869CC80BACF5557864D535A72D8C396023
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........u....i..i..i.zfj..i.zfl...i.k.m..i.k.j..i.k.l...i.zfm..i.zfo..i.zfh..i..h.n.i.Z.`...i.Z.i..i.Z....i.....i.Z.k..i.Rich..i.........................PE..L......f.........."!...'.....&......p0.......................................0.......p....@A.........................&......./..,.......................h:..............p...........................0...@............................................text...Z........................... ..`.rdata...[.......\..................@..@.data....(...P.......2..............@....rsrc................F..............@..@.reloc...............P..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI9C59.tmp

Download File

Process:	C:\Users\user\Desktop\fxsound_setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	925800
Entropy (8bit):	6.5962529078695535
Encrypted:	false
SSDEEP:	24576:fuPYAGxUherZNh0lhSMXlrI5s2JK5kmwE:2P5Ferq7I5RJK5k1E
MD5:	421643EE7BB89E6DF092BC4B18A40FF8
SHA1:	E801582A6DD358060A699C9C5CDE31CD07EE49AB
SHA-256:	D6B89FD5A95071E7B144D8BEDCB09B694E9CD14BFBFAFB782B17CF8413EAC6DA
SHA-512:	D59C4EC7690E535DA84F94BEF2BE7F94D6BFD0B2908FA9A67D0897ABE8A2825FD52354C495EA1A7F133F727C2EE356869CC80BACF5557864D535A72D8C396023
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........u....i..i..i.zfj..i.zfl...i.k.m..i.k.j..i.k.l...i.zfm..i.zfo..i.zfh..i..h.n.i.Z.`...i.Z.i..i.Z....i.....i.Z.k..i.Rich..i.........................PE..L......f.........."!...'.....&......p0.......................................0.......p....@A.........................&......./..,.......................h:..............p...........................0...@............................................text...Z........................... ..`.rdata...[.......\..................@..@.data....(...P.......2..............@....rsrc................F..............@..@.reloc...............P..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI9C79.tmp

Download File

Process:	C:\Users\user\Desktop\fxsound_setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	898912
Entropy (8bit):	6.596353619858583
Encrypted:	false
SSDEEP:	24576:y//vq14OUaH0yxgC91E1h0lhSMXldU5Fr2CB6b0Wk6:y/Y02gCQsG592CB6b0Wk6
MD5:	A67ACB81551A030E01CDA17FA4732580
SHA1:	9F6B54919EE967FDDF20E74714049B8C13640083
SHA-256:	107FD7EE1EAF17C27B4ED25990ACACE2CB51F8D39F4DFC8EF5A3DF03D02E1D34
SHA-512:	30CC0870797220E23AF40D5F50A9CE823C1120FBA821FF15E057587C2A91C7247058E9A8479088047B9DC908C5176793E6F3CCD066DA30BD80E1179649B2F346
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........v+V..xV..xV..x...y]..x...y...x.9.yD..x.9.yN..x...yO..x.9.y7..x...yW..x...yA..xV..x>..x.:.y...x.:.yW..x.:.xW..xV..xW..x.:.yW..xRichV..x................PE..L...J..f.........."!...'.............G...............................................}....@A................................X........0..h............z..`=...@..$......p...............................@.......................@....................text...j........................... ..`.rdata........... ..................@..@.data... '..........................@....didat..H.... ......................@....rsrc...h....0......................@..@.reloc..$....@......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIa9cd2.LOG

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (507), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	304504
Entropy (8bit):	3.8330779566987547
Encrypted:	false
SSDEEP:	3072:iEjmSRWLYibLmILSc4v1eT+ZFYd24N8Uypoitqm+JNE2soXtWgHD1ge2xaRIxP+E:hjt9
MD5:	EEB40DAA346BA880FF58A6DC9D1BA9BC
SHA1:	6845580345D78948CE658D8B080945DBB3B8EBA3
SHA-256:	22E1285BC32B789AF375533BC50111ABABF5E5568F70A3A6F3CC2D2B33455EED
SHA-512:	71AFAEF836150F9F5A3FC3E40769E8A98D4839A47A87E61DE878AC17AD820899FD454423F65CC9AB4EA2A207BEBBE5C8A9170AE48433311E911FACB39B2CD682
Malicious:	false
Preview:	..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .2.8./.1.2./.2.0.2.4. . .0.9.:.3.1.:.0.2. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.m.s.i.e.x.e.c...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.3.8.:.9.0.). .[.0.9.:.3.1.:.0.2.:.4.7.8.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g.......M.S.I. .(.c.). .(.3.8.:.9.0.). .[.0.9.:.3.1.:.0.2.:.4.7.8.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g.......M.S.I. .(.c.). .(.3.8.:.6.8.). .[.0.9.:.3.1.:.0.2.:.5.0.9.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.3.8.:.6.8.). .[.0.9.:.3.1.:.0.2.:.5.0.9.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .

C:\Users\user\AppData\Local\Temp\shi9AFE.tmp

Download File

Process:	C:\Users\user\Desktop\fxsound_setup.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5038592
Entropy (8bit):	6.043058205786219
Encrypted:	false
SSDEEP:	49152:vVkDvLSkqdbEsuV+ebMh8w+/H8pF/bmlEyGjWvcP1xQ+X7TqVAMPLfQyim8kznsY:2Ll+Mn0WHl9VA2ic/
MD5:	11F7419009AF2874C4B0E4505D185D79
SHA1:	451D8D0470CEDB268619BA1E7AE78ADAE0EBA692
SHA-256:	AC24CCE72F82C3EBBE9E7E9B80004163B9EED54D30467ECE6157EE4061BEAC95
SHA-512:	1EABBBFDF579A93BBB055B973AA3321FC8DC8DA1A36FDE2BA9A4D58E5751DC106A4A1BBC4AD1F425C082702D6FBB821AA1078BC5ADC6B2AD1B5CE12A68058805
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.D!...!...!...(.V.C...5..."...5...&...5...)...!......5...:...5... ...5...R...5.:. ...5... ...Rich!...................PE..d...p............." .........D...............................................`M.....'.M...`A........................................@.H.L&....I......@K.H.....I..............@M.....`J:.p.......................(....%..............@.......$.H......................text...4B.......D.................. ..`.wpp_sf.....`.......H.............. ..`.rdata...L......N.................@..@.data...hD...PI......*I.............@....pdata........I......2I.............@..@.didat.......0K.......J.............@....rsrc...H....@K.......J.............@..@.reloc.......@M.. ....L.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{eea20620-008f-314f-bc1c-741b5c573f1e}\SETDC0D.tmp

Download File

Process:	C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe
File Type:	data
Category:	dropped
Size (bytes):	10590
Entropy (8bit):	7.254430659006022
Encrypted:	false
SSDEEP:	192:1OgjZ7OPJCbngEw9JPgXkhYCClQBcA5E8qnajEzHbC:18UuLh3Cl+x5E8l4zu
MD5:	ACDAAE5D1219E7703285C42F774BE54D
SHA1:	47DF82D8C843BF1ADC098A26E9E3E27217B3104D
SHA-256:	25C8DAE186155D20F74FEEDEFB4F84161E4215925B8FD0C898F68F3E50EBCD7D
SHA-512:	83B663222FB22B1760EA8551D19557F3F2905BFAC205B380B23DD7F2A65A37B851A3C3C345E4A768B76700BB891B97C96A0DBBB58D81358993293AD1EB3E300A
Malicious:	false
Preview:	0.)Z...H........)K0.)G...1.0...`.H.e......0.....+.....7......0...0...+.....7.....7.M&...A.f..B....210319161347Z0...+.....7.....0..?0....#..6yS{.I..^o.Q{.A.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........f.x.v.a.d...i.n.f...0.... Kt=..].....&...m.ng..,.....Q...\|1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........f.x.v.a.d...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... Kt=..].....&...m.ng..,.....Q...\|0... ..\...{...p$..B.F.C8..C.p....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........f.x.v.a.d...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... ..\...{...*p$..B.F.C8..C.p....0.....w7=-{x\|<....8....O.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........f.x.v.a.d...s.y.s......C0..?0....+.....7......0.....S.u.

C:\Users\user\AppData\Local\Temp\{eea20620-008f-314f-bc1c-741b5c573f1e}\SETDC5D.tmp

Download File

Process:	C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	5334
Entropy (8bit):	5.628759224235533
Encrypted:	false
SSDEEP:	96:3q9BSSyjoh9OnLhtuGUdDrG9E/6uYqZpd7SY5MFgWC2i8/ENYZS:3qzSSyjoG17UprGEiuYqZpd7Se8eYENp
MD5:	328087CAF99B50D988A304BEEEA3FCE8
SHA1:	23FFEF913679537BB049008F5E6F8E517BB24192
SHA-256:	BA175CFDDD91B87BDDA3F1DF2A70249E1742E846B843381EB0438B70F91A110A
SHA-512:	D006E8DE0F9258A3EE75723E458D635586040702C1357630F199CF5740C7E29D87FEFD4B869A897BDD26B67FAD134E6BF35A2C01C3A00ACC8BF20181D7DA1AA3
Malicious:	false
Preview:	;..;fxvad.inf..;....[Version]..Signature="$CHICAGO$"..Class=MEDIA..Provider=%FXMN%..ClassGUID={4d36e96c-e325-11ce-bfc1-08002be10318}..DriverVer = 03/17/2021,14.1.0.0..CatalogFile.NTx86=fxvadNTx86.cat..CatalogFile.NTAMD64=fxvadNTAMD64.cat..PnpLockDown=1....[Manufacturer]..%MfgName%=DFX,NTamd64,NTx86....[DFX.NTx86]..%DFX_Device.DeviceDesc%=DFX_Device,Root\%DEV_NAME%,%DEV_NAME%....[DFX.NTamd64]..%DFX_Device.DeviceDesc%=DFX_Device,Root\%DEV_NAME%,%DEV_NAME%....;-----------------------------------------------------------------------------..;..; 2k+ Installation..;..;-----------------------------------------------------------------------------..[DFX_Device.NT]..Include=ks.inf,wdmaudio.inf..Needs=KS.Registration, WDMAUDIO.Registration..CopyFiles=DFX_Device.CopyList..AddReg=DFX_Device.AddReg..AddProperty=DFX_1AddPropertySection....[DFX_Device.NT.Interfaces]..AddInterface=%KSCATEGORY_AUDIO%,%KSNAME_Wave%,DFX_Device.I.Wave..AddInterface=%KSCATEGORY_RENDER%,%KSNAME_Wave%,DFX_Device.I.Wave..;Add

C:\Users\user\AppData\Local\Temp\{eea20620-008f-314f-bc1c-741b5c573f1e}\SETDC9C.tmp

Download File

Process:	C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	326656
Entropy (8bit):	2.91036654915667
Encrypted:	false
SSDEEP:	768:3Ft4aLqpAogNTiqwu2CvcCjikibqqqqqqqqqqqqqqqqqqqaFgNj////////////l:T45A/N8Cfjik6scccoFtr
MD5:	EAF913C1DE47C2421669B662EDAA5A6A
SHA1:	53524526E1898A90FA98AE02E662B9C0E6DC2848
SHA-256:	425629B6309000013E8CD1A9B827BEE365D21C9F743873AADD0C3BC96A999D2A
SHA-512:	BB674FEB73751172A1ACE65AAB89C5EBF952A07F7AF0F3EC1DADF357FF693230CF08910AE273E8335EEC35E5827DA6405272D05C161987DF679199935AF21A76
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........................................................X.......X.R.....X.......Rich....................PE..d....@R`.........."......6..........0..........@............................. ......cM....`A....................................................<........\|...@...........$..........8)..8...........................p)............... ...............................text...)........................... ..h.rdata....... ......................@..H.data........0......................@....pdata.......@.......(..............@..HPAGE....J'...P...(...,.............. ..`INIT.................T.............. ..b.rsrc....\|.......~...X..............@..B.reloc..............................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{eea20620-008f-314f-bc1c-741b5c573f1e}\fxvad.inf (copy)

Download File

Process:	C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	5334
Entropy (8bit):	5.628759224235533
Encrypted:	false
SSDEEP:	96:3q9BSSyjoh9OnLhtuGUdDrG9E/6uYqZpd7SY5MFgWC2i8/ENYZS:3qzSSyjoG17UprGEiuYqZpd7Se8eYENp
MD5:	328087CAF99B50D988A304BEEEA3FCE8
SHA1:	23FFEF913679537BB049008F5E6F8E517BB24192
SHA-256:	BA175CFDDD91B87BDDA3F1DF2A70249E1742E846B843381EB0438B70F91A110A
SHA-512:	D006E8DE0F9258A3EE75723E458D635586040702C1357630F199CF5740C7E29D87FEFD4B869A897BDD26B67FAD134E6BF35A2C01C3A00ACC8BF20181D7DA1AA3
Malicious:	false
Preview:	;..;fxvad.inf..;....[Version]..Signature="$CHICAGO$"..Class=MEDIA..Provider=%FXMN%..ClassGUID={4d36e96c-e325-11ce-bfc1-08002be10318}..DriverVer = 03/17/2021,14.1.0.0..CatalogFile.NTx86=fxvadNTx86.cat..CatalogFile.NTAMD64=fxvadNTAMD64.cat..PnpLockDown=1....[Manufacturer]..%MfgName%=DFX,NTamd64,NTx86....[DFX.NTx86]..%DFX_Device.DeviceDesc%=DFX_Device,Root\%DEV_NAME%,%DEV_NAME%....[DFX.NTamd64]..%DFX_Device.DeviceDesc%=DFX_Device,Root\%DEV_NAME%,%DEV_NAME%....;-----------------------------------------------------------------------------..;..; 2k+ Installation..;..;-----------------------------------------------------------------------------..[DFX_Device.NT]..Include=ks.inf,wdmaudio.inf..Needs=KS.Registration, WDMAUDIO.Registration..CopyFiles=DFX_Device.CopyList..AddReg=DFX_Device.AddReg..AddProperty=DFX_1AddPropertySection....[DFX_Device.NT.Interfaces]..AddInterface=%KSCATEGORY_AUDIO%,%KSNAME_Wave%,DFX_Device.I.Wave..AddInterface=%KSCATEGORY_RENDER%,%KSNAME_Wave%,DFX_Device.I.Wave..;Add

C:\Users\user\AppData\Local\Temp\{eea20620-008f-314f-bc1c-741b5c573f1e}\fxvad.sys (copy)

Download File

Process:	C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	326656
Entropy (8bit):	2.91036654915667
Encrypted:	false
SSDEEP:	768:3Ft4aLqpAogNTiqwu2CvcCjikibqqqqqqqqqqqqqqqqqqqaFgNj////////////l:T45A/N8Cfjik6scccoFtr
MD5:	EAF913C1DE47C2421669B662EDAA5A6A
SHA1:	53524526E1898A90FA98AE02E662B9C0E6DC2848
SHA-256:	425629B6309000013E8CD1A9B827BEE365D21C9F743873AADD0C3BC96A999D2A
SHA-512:	BB674FEB73751172A1ACE65AAB89C5EBF952A07F7AF0F3EC1DADF357FF693230CF08910AE273E8335EEC35E5827DA6405272D05C161987DF679199935AF21A76
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........................................................X.......X.R.....X.......Rich....................PE..d....@R`.........."......6..........0..........@............................. ......cM....`A....................................................<........\|...@...........$..........8)..8...........................p)............... ...............................text...)........................... ..h.rdata....... ......................@..H.data........0......................@....pdata.......@.......(..............@..HPAGE....J'...P...(...,.............. ..`INIT.................T.............. ..b.rsrc....\|.......~...X..............@..B.reloc..............................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{eea20620-008f-314f-bc1c-741b5c573f1e}\fxvadNTAMD64.cat (copy)

Download File

Process:	C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe
File Type:	data
Category:	dropped
Size (bytes):	10590
Entropy (8bit):	7.254430659006022
Encrypted:	false
SSDEEP:	192:1OgjZ7OPJCbngEw9JPgXkhYCClQBcA5E8qnajEzHbC:18UuLh3Cl+x5E8l4zu
MD5:	ACDAAE5D1219E7703285C42F774BE54D
SHA1:	47DF82D8C843BF1ADC098A26E9E3E27217B3104D
SHA-256:	25C8DAE186155D20F74FEEDEFB4F84161E4215925B8FD0C898F68F3E50EBCD7D
SHA-512:	83B663222FB22B1760EA8551D19557F3F2905BFAC205B380B23DD7F2A65A37B851A3C3C345E4A768B76700BB891B97C96A0DBBB58D81358993293AD1EB3E300A
Malicious:	false
Preview:	0.)Z...H........)K0.)G...1.0...`.H.e......0.....+.....7......0...0...+.....7.....7.M&...A.f..B....210319161347Z0...+.....7.....0..?0....#..6yS{.I..^o.Q{.A.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........f.x.v.a.d...i.n.f...0.... Kt=..].....&...m.ng..,.....Q...\|1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........f.x.v.a.d...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... Kt=..].....&...m.ng..,.....Q...\|0... ..\...{...p$..B.F.C8..C.p....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........f.x.v.a.d...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... ..\...{...*p$..B.F.C8..C.p....0.....w7=-{x\|<....8....O.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........f.x.v.a.d...s.y.s......C0..?0....+.....7......0.....S.u.

C:\Users\user\AppData\Roaming\FxSound LLC\FxSound 1.1.27.0\install\fxsound.msi

Download File

Process:	C:\Users\user\Desktop\fxsound_setup.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {A7E896E1-9393-483B-B753-100B2D89D4A7}, Number of Words: 2, Subject: FxSound, Author: FxSound LLC, Name of Creating Application: FxSound, Template: ;1033, Comments: This installer database contains the logic and data required to install FxSound., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Wed Aug 21 18:03:42 2024, Last Saved Time/Date: Wed Aug 21 18:03:42 2024, Last Printed: Wed Aug 21 18:03:42 2024, Number of Pages: 450
Category:	dropped
Size (bytes):	2848256
Entropy (8bit):	6.612274500186357
Encrypted:	false
SSDEEP:	49152:Dgrc/f9r84jEHYDgE5e7v6P5Ferq7I5RJK5k1q/Y02gCQsG592CB6b0WkYV:uVHYDgp+xFex02b
MD5:	E36969AE68750FC6BECD0CA461647787
SHA1:	C38FA30E02DE8229B01461C848EE2FC653CA6D90
SHA-256:	76FCEB988ACB9B537E7ADF1FCD1B9676EB4B9405DEFEE0E3126C3C28A9B0D9A1
SHA-512:	FE0FB59D92AA8F29FDF6E98CA3FA4ED73BFE98F56C51053FA5C8AF39A0D2672E84D436A3612F49A9C8ED1F8ED16DF80F1F74FFD0FB44C6CED3098CF5792D5AB8
Malicious:	false
Preview:	......................>...................,...................................T.......m.......Z...[...\...]...^..._...`.......h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...............................................................`.......................................................................................................................................................................................................................................................................................................:...,....................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...8...9......./...0...1...2...3...4...5...6...7.......;...A...M...<...=...>...?...@...C...B...I...D...E...F...G...H...L...J...K...........N...O...P...Q...R...S...........V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\AppData\Roaming\FxSound LLC\FxSound 1.1.27.0\install\fxsound.x64.msi

Download File

Process:	C:\Users\user\Desktop\fxsound_setup.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {F8899042-579C-4B39-839E-F6772D559DC5}, Number of Words: 2, Subject: FxSound, Author: FxSound LLC, Name of Creating Application: FxSound, Template: x64;1033, Comments: This installer database contains the logic and data required to install FxSound., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Wed Aug 21 18:03:44 2024, Last Saved Time/Date: Wed Aug 21 18:03:44 2024, Last Printed: Wed Aug 21 18:03:44 2024, Number of Pages: 450
Category:	dropped
Size (bytes):	2847744
Entropy (8bit):	6.612196510791418
Encrypted:	false
SSDEEP:	49152:Oscc/f9r84jEHYDgE5e7v6P5Ferq7I5RJK5k1v/Y02gCQsG592CB6b0WkYy:qVHYDgp+xFeO02b
MD5:	5190B141F86D93919FB271398EA3BDA8
SHA1:	121B1D6AC6A73A3DC6A4B96A774911C54D5BC1E8
SHA-256:	56F77E41FD6CC44B7C4C2C37B085882B449AE50F11409C44D1016225771D9077
SHA-512:	392A4BE1D7D212C5C194F829FDE86C8DDD7ADE3E584B4756749340E67561061424F3D531C526A16BF7EF030F6B8B41B7DD5C6CBD61438EC670A3CA98357C70BE
Malicious:	false
Preview:	......................>...................,...................................T.......m.......Z...[...\...]...^..._...`.......h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...............................................................`.......................................................................................................................................................................................................................................................................................................:...,....................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...8...9......./...0...1...2...3...4...5...6...7.......;...A...L...<...=...>...?...@...C...B...I...D...E...F...G...H...M...J...K.......N.......O...P...Q...R...S...........V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\AppData\Roaming\FxSound LLC\FxSound 1.1.27.0\install\fxsound1.cab

Download File

Process:	C:\Users\user\Desktop\fxsound_setup.exe
File Type:	Microsoft Cabinet archive data, many, 62617274 bytes, 59 files, at 0x44 +A "FxSound.exe" +A "FxSound.settings", flags 0x4, ID 1234, number 1, extra bytes 20 in head, 2840 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	62627978
Entropy (8bit):	7.998804528886566
Encrypted:	true
SSDEEP:	1572864:Yoc2oDvaoDPtYJDhV1CA2CJ42PzSNHl8SLUb9M/r8JZs/:lc2eNPUJp2jWzSNH6PJMga
MD5:	BD6F0EB816D744C129BFD2BC157484D5
SHA1:	7338A8828488BEE31159BD9D73C808D45342B04B
SHA-256:	B8C334DDDE05BD2CF0EBA892ED8AE1FB7026C1EFBD4418F710B7441BDDB73F8E
SHA-512:	6EE916F9A7E6B02B0F1B175A8E9A85707089B492EE867CC140607B2C96890C1F033ED4073227B75C2DCEA2616DAC10FF2C8C25B2229D88FCF8B6864472D5EC55
Malicious:	false
Preview:	MSCF.....v......D...........;................v...)...................{G........Y+. .FxSound.exe......{G....X. .FxSound.settings..a=.7}G....Y.. .FxSound.exe_2..3........X. .ptdevcon32.exe...........X. .ptdevcon64.exe............X. .DfxSetupDrv.exe....7......X. .dfx.ico..Y...A.....Y.. .updater.exe............X. .DfxInstall.dll..N..C......X. .fxsound.ico...........X. .fxdevcon64.exe............X. .fxvad.inf.....e......X. .fxvad.sys.^)..e......X. .fxvadntamd64.cat..M...8.....X. .fxdevcon32.exe.....[......X. .fxvad.inf_1.....1......X. .fxvad.sys_1.U)..1......X. .fxvadntx86.cat............X. .fxdevcon64.exe_1...........X. .fxvad.inf_2...........X. .fxvad.sys_2.`%........X. .fxvadntamd64.cat_1..M..<......X. .fxdevcon32.exe_1......O.....X. .fxvad.inf_3......d.....X. .fxvad.sys_3.a%...N.....X. .fxvadntx86.cat_1......s.....X. .fac......w.....X. .fac_1.....f{.....X. .fac_2.....'......X. .fac_3...........X. .fac_4............X. .fac_5.....f......X. .fac_6.....

C:\Users\user\AppData\Roaming\FxSound LLC\FxSound 1.1.27.0\install\holder0.aiph

Download File

Process:	C:\Users\user\Desktop\fxsound_setup.exe
File Type:	data
Category:	dropped
Size (bytes):	62627978
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	3AFA18EC311D3F8E0813A813F7179701
SHA1:	703A02028E267EF17C80D52C94DA050C48CEAC74
SHA-256:	6C79453F7286675342E4F1E6EFCDF8275BE788F7146476393CD26A51D35976A4
SHA-512:	E90624E75B798E18F859C974CB4272265B71C930B551DDAA87C257EF97F2D958B96B1C19FB33904D5C2D54008B97FD528D0EAA78919EC4DA9A663D04410D1CB3
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\FxSound\FxSound.settings (copy)

Download File

Process:	C:\Program Files\FxSound LLC\FxSound\FxSound.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	156
Entropy (8bit):	5.196563559513039
Encrypted:	false
SSDEEP:	3:vFWWMNHU8LdgCf3q1iXvFjz9sWAuQHyFIJqFquRz9sQCQriF0qCH92qqBXvn:TMVBd/+qFPv7QHyFIMLeVdn
MD5:	9FDD71DDDC9B5D88193A22445EB09CE0
SHA1:	29C74D2065EEB0EB5A850FBA4FA9BC26D87D7ECD
SHA-256:	DC41D73705855779FF77402D5D27031DBF260896C9CC9B2371650EECB1DF98F7
SHA-512:	F644ACC2BF1BA058F310A893F34EA4663E1D85E82D6D3A66D23434B46C39BED21793366EE587B26AF381CB938D50826973B256E0DD84BAE74E248C2E01EF78A8
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>....<PROPERTIES>.. <VALUE name="max_user_presets" val="20"/>.. <VALUE name="language" val="en-GB"/>..</PROPERTIES>..

C:\Users\user\AppData\Roaming\FxSound\FxSound_temp1385bbf1.settings

Download File

Process:	C:\Program Files\FxSound LLC\FxSound\FxSound.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	156
Entropy (8bit):	5.196563559513039
Encrypted:	false
SSDEEP:	3:vFWWMNHU8LdgCf3q1iXvFjz9sWAuQHyFIJqFquRz9sQCQriF0qCH92qqBXvn:TMVBd/+qFPv7QHyFIMLeVdn
MD5:	9FDD71DDDC9B5D88193A22445EB09CE0
SHA1:	29C74D2065EEB0EB5A850FBA4FA9BC26D87D7ECD
SHA-256:	DC41D73705855779FF77402D5D27031DBF260896C9CC9B2371650EECB1DF98F7
SHA-512:	F644ACC2BF1BA058F310A893F34EA4663E1D85E82D6D3A66D23434B46C39BED21793366EE587B26AF381CB938D50826973B256E0DD84BAE74E248C2E01EF78A8
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>....<PROPERTIES>.. <VALUE name="max_user_presets" val="20"/>.. <VALUE name="language" val="en-GB"/>..</PROPERTIES>..

C:\Users\user\AppData\Roaming\FxSound\fxsound.log

Download File

Process:	C:\Program Files\FxSound LLC\FxSound\FxSound.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	143
Entropy (8bit):	3.7783793951055187
Encrypted:	false
SSDEEP:	3:+/3PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPovhCW6KGDC:+ovJ5trVBuqUfLVO7
MD5:	7B4B399F1D79EBBFFBB897BCB825E6FE
SHA1:	9806E84C5FC74390B5F283AA24D089E77D58F73A
SHA-256:	CB7BE65279E3D0A7C5E904E0585891F6173B2122B526F4CF8980DA10C05514AA
SHA-512:	C3948C61E9B319DA6681A32B2F524A9152CDDDA34CF873EA769A6D6F1E824B138DB13B38CA37DA0BDE3A1508908958CBE92E4C7EBA95DEDD7689C447DA176D57
Malicious:	false
Preview:	..**********************************************************..FxSound logs..Log started: 28 Dec 2024 10:32:02am....v1.1.27.0..Windows 10..x64..

C:\Windows\INF\c_media.PNF

Download File

Process:	C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe
File Type:	Windows Precompiled iNF, version 3.3 (Windows 10), flags 0x1000083, unicoded, has strings, at 0x2108 "Signature", at 0x68 WinDirPath, LanguageID 809, at 0x80 language en-GB
Category:	dropped
Size (bytes):	13156
Entropy (8bit):	3.6250477571032174
Encrypted:	false
SSDEEP:	96:cJOzh59k3f3WSkEFRcpXyY3q0xPOQlf88GcNy1/HC3T6gYq2hwyvVATCG5qylmqG:7Qf3woapXQXQ1HNogE3lJSZmXx7p
MD5:	60B2EF95F0A811CC6FD2E163338A7294
SHA1:	0006F7466FDAA96BA0F306EBA5B8D65312806D1B
SHA-256:	F059676DE05CEB7116BCB5DC6C3F390B056BB2798DF3B70A3F76EF34F7DB2EA9
SHA-512:	C924E5CC4E55EF5238FFBA082C747D941062FD8D6615805924DC6528D8B7A39BCAD49EFB4176BB3F220C12C80FE65F0B97A8669C5C738D199C923A5CCEBD0B0C
Malicious:	false
Preview:	.....................!..h.......L..........x ......."......."..,... '......@-..h...............`3......C.:.\.W.i.n.d.o.w.s.....e.n.-.G.B...................................................................................................................................L...h...............X.......................................................................L...........................................D...........................................8.......0.......................................................................................................................D....................... ...............................................................L...................................................d.......................................................................T.......\|.......................t...................t...............................................................................................................................................................

C:\Windows\INF\oem4.inf

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	5334
Entropy (8bit):	5.628759224235533
Encrypted:	false
SSDEEP:	96:3q9BSSyjoh9OnLhtuGUdDrG9E/6uYqZpd7SY5MFgWC2i8/ENYZS:3qzSSyjoG17UprGEiuYqZpd7Se8eYENp
MD5:	328087CAF99B50D988A304BEEEA3FCE8
SHA1:	23FFEF913679537BB049008F5E6F8E517BB24192
SHA-256:	BA175CFDDD91B87BDDA3F1DF2A70249E1742E846B843381EB0438B70F91A110A
SHA-512:	D006E8DE0F9258A3EE75723E458D635586040702C1357630F199CF5740C7E29D87FEFD4B869A897BDD26B67FAD134E6BF35A2C01C3A00ACC8BF20181D7DA1AA3
Malicious:	false
Preview:	;..;fxvad.inf..;....[Version]..Signature="$CHICAGO$"..Class=MEDIA..Provider=%FXMN%..ClassGUID={4d36e96c-e325-11ce-bfc1-08002be10318}..DriverVer = 03/17/2021,14.1.0.0..CatalogFile.NTx86=fxvadNTx86.cat..CatalogFile.NTAMD64=fxvadNTAMD64.cat..PnpLockDown=1....[Manufacturer]..%MfgName%=DFX,NTamd64,NTx86....[DFX.NTx86]..%DFX_Device.DeviceDesc%=DFX_Device,Root\%DEV_NAME%,%DEV_NAME%....[DFX.NTamd64]..%DFX_Device.DeviceDesc%=DFX_Device,Root\%DEV_NAME%,%DEV_NAME%....;-----------------------------------------------------------------------------..;..; 2k+ Installation..;..;-----------------------------------------------------------------------------..[DFX_Device.NT]..Include=ks.inf,wdmaudio.inf..Needs=KS.Registration, WDMAUDIO.Registration..CopyFiles=DFX_Device.CopyList..AddReg=DFX_Device.AddReg..AddProperty=DFX_1AddPropertySection....[DFX_Device.NT.Interfaces]..AddInterface=%KSCATEGORY_AUDIO%,%KSNAME_Wave%,DFX_Device.I.Wave..AddInterface=%KSCATEGORY_RENDER%,%KSNAME_Wave%,DFX_Device.I.Wave..;Add

C:\Windows\INF\setupapi.dev.log

Download File

Process:	C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe
File Type:	Generic INItialization configuration [BeginLog]
Category:	dropped
Size (bytes):	59293
Entropy (8bit):	5.210455404392318
Encrypted:	false
SSDEEP:	384:OGdni80C/8g0atRf7yr14ujuNY9AZi3Z/oUtwrP3UQGSE254l9DBVFXd2ivkjyTG:Own95cdyYloiwTyz25s9VFJkuTJY
MD5:	7EE2A027079789034E2FDCCAED2FABBA
SHA1:	D5B350BD9E537B163554A22E0C2A5C1320B66C60
SHA-256:	D63D2989913F17AAD3223ED307F9C020105D2110953FC44464CDA5001FB83481
SHA-512:	C7F91408A3E27F499B92FE551AC6EC60E8DDDE72DEE7FFDCF7DC722663D6E3C85F3C5AE53260967B3229B03B6A783B9CC5D17EC0131D9B63DA58BB20FA1A8EEB
Malicious:	false
Preview:	[Device Install Log].. OS Version = 10.0.19045.. Service Pack = 0.0.. Suite = 0x0100.. ProductType = 1.. Architecture = amd64....[BeginLog]....[Boot Session: 2023/10/03 09:57:02.288]....>>> [Setup Import Driver Package - C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf]..>>> Section start 2023/10/03 09:57:37.904.. cmd: C:\Windows\System32\spoolsv.exe.. inf: Provider: Microsoft.. inf: Class GUID: {4D36E979-E325-11CE-BFC1-08002BE10318}.. inf: Driver Version: 06/21/2006,10.0.19041.1806.. inf: Catalog File: prnms009.cat.. ump: Import flags: 0x0000000D.. pol: {Driver package policy check} 09:57:37.920.. pol: {Driver package policy check - exit(0x00000000)} 09:57:37.920.. sto: {Stage Driver Package: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 09:57:37.920.. inf: {Query Configurability: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 09:57:37.920.. inf:

C:\Windows\Installer\3a9dfb.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {F8899042-579C-4B39-839E-F6772D559DC5}, Number of Words: 2, Subject: FxSound, Author: FxSound LLC, Name of Creating Application: FxSound, Template: x64;1033, Comments: This installer database contains the logic and data required to install FxSound., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Wed Aug 21 18:03:44 2024, Last Saved Time/Date: Wed Aug 21 18:03:44 2024, Last Printed: Wed Aug 21 18:03:44 2024, Number of Pages: 450
Category:	dropped
Size (bytes):	2847744
Entropy (8bit):	6.612196510791418
Encrypted:	false
SSDEEP:	49152:Oscc/f9r84jEHYDgE5e7v6P5Ferq7I5RJK5k1v/Y02gCQsG592CB6b0WkYy:qVHYDgp+xFeO02b
MD5:	5190B141F86D93919FB271398EA3BDA8
SHA1:	121B1D6AC6A73A3DC6A4B96A774911C54D5BC1E8
SHA-256:	56F77E41FD6CC44B7C4C2C37B085882B449AE50F11409C44D1016225771D9077
SHA-512:	392A4BE1D7D212C5C194F829FDE86C8DDD7ADE3E584B4756749340E67561061424F3D531C526A16BF7EF030F6B8B41B7DD5C6CBD61438EC670A3CA98357C70BE
Malicious:	false
Preview:	......................>...................,...................................T.......m.......Z...[...\...]...^..._...`.......h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...............................................................`.......................................................................................................................................................................................................................................................................................................:...,....................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...8...9......./...0...1...2...3...4...5...6...7.......;...A...L...<...=...>...?...@...C...B...I...D...E...F...G...H...M...J...K.......N.......O...P...Q...R...S...........V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\3a9dfe.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {F8899042-579C-4B39-839E-F6772D559DC5}, Number of Words: 2, Subject: FxSound, Author: FxSound LLC, Name of Creating Application: FxSound, Template: x64;1033, Comments: This installer database contains the logic and data required to install FxSound., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Wed Aug 21 18:03:44 2024, Last Saved Time/Date: Wed Aug 21 18:03:44 2024, Last Printed: Wed Aug 21 18:03:44 2024, Number of Pages: 450
Category:	dropped
Size (bytes):	2847744
Entropy (8bit):	6.612196510791418
Encrypted:	false
SSDEEP:	49152:Oscc/f9r84jEHYDgE5e7v6P5Ferq7I5RJK5k1v/Y02gCQsG592CB6b0WkYy:qVHYDgp+xFeO02b
MD5:	5190B141F86D93919FB271398EA3BDA8
SHA1:	121B1D6AC6A73A3DC6A4B96A774911C54D5BC1E8
SHA-256:	56F77E41FD6CC44B7C4C2C37B085882B449AE50F11409C44D1016225771D9077
SHA-512:	392A4BE1D7D212C5C194F829FDE86C8DDD7ADE3E584B4756749340E67561061424F3D531C526A16BF7EF030F6B8B41B7DD5C6CBD61438EC670A3CA98357C70BE
Malicious:	false
Preview:	......................>...................,...................................T.......m.......Z...[...\...]...^..._...`.......h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...............................................................`.......................................................................................................................................................................................................................................................................................................:...,....................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...8...9......./...0...1...2...3...4...5...6...7.......;...A...L...<...=...>...?...@...C...B...I...D...E...F...G...H...M...J...K.......N.......O...P...Q...R...S...........V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSI9F91.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	925800
Entropy (8bit):	6.5962529078695535
Encrypted:	false
SSDEEP:	24576:fuPYAGxUherZNh0lhSMXlrI5s2JK5kmwE:2P5Ferq7I5RJK5k1E
MD5:	421643EE7BB89E6DF092BC4B18A40FF8
SHA1:	E801582A6DD358060A699C9C5CDE31CD07EE49AB
SHA-256:	D6B89FD5A95071E7B144D8BEDCB09B694E9CD14BFBFAFB782B17CF8413EAC6DA
SHA-512:	D59C4EC7690E535DA84F94BEF2BE7F94D6BFD0B2908FA9A67D0897ABE8A2825FD52354C495EA1A7F133F727C2EE356869CC80BACF5557864D535A72D8C396023
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........u....i..i..i.zfj..i.zfl...i.k.m..i.k.j..i.k.l...i.zfm..i.zfo..i.zfh..i..h.n.i.Z.`...i.Z.i..i.Z....i.....i.Z.k..i.Rich..i.........................PE..L......f.........."!...'.....&......p0.......................................0.......p....@A.........................&......./..,.......................h:..............p...........................0...@............................................text...Z........................... ..`.rdata...[.......\..................@..@.data....(...P.......2..............@....rsrc................F..............@..@.reloc...............P..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA01F.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	925800
Entropy (8bit):	6.5962529078695535
Encrypted:	false
SSDEEP:	24576:fuPYAGxUherZNh0lhSMXlrI5s2JK5kmwE:2P5Ferq7I5RJK5k1E
MD5:	421643EE7BB89E6DF092BC4B18A40FF8
SHA1:	E801582A6DD358060A699C9C5CDE31CD07EE49AB
SHA-256:	D6B89FD5A95071E7B144D8BEDCB09B694E9CD14BFBFAFB782B17CF8413EAC6DA
SHA-512:	D59C4EC7690E535DA84F94BEF2BE7F94D6BFD0B2908FA9A67D0897ABE8A2825FD52354C495EA1A7F133F727C2EE356869CC80BACF5557864D535A72D8C396023
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........u....i..i..i.zfj..i.zfl...i.k.m..i.k.j..i.k.l...i.zfm..i.zfo..i.zfh..i..h.n.i.Z.`...i.Z.i..i.Z....i.....i.Z.k..i.Rich..i.........................PE..L......f.........."!...'.....&......p0.......................................0.......p....@A.........................&......./..,.......................h:..............p...........................0...@............................................text...Z........................... ..`.rdata...[.......\..................@..@.data....(...P.......2..............@....rsrc................F..............@..@.reloc...............P..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA05E.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	925800
Entropy (8bit):	6.5962529078695535
Encrypted:	false
SSDEEP:	24576:fuPYAGxUherZNh0lhSMXlrI5s2JK5kmwE:2P5Ferq7I5RJK5k1E
MD5:	421643EE7BB89E6DF092BC4B18A40FF8
SHA1:	E801582A6DD358060A699C9C5CDE31CD07EE49AB
SHA-256:	D6B89FD5A95071E7B144D8BEDCB09B694E9CD14BFBFAFB782B17CF8413EAC6DA
SHA-512:	D59C4EC7690E535DA84F94BEF2BE7F94D6BFD0B2908FA9A67D0897ABE8A2825FD52354C495EA1A7F133F727C2EE356869CC80BACF5557864D535A72D8C396023
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........u....i..i..i.zfj..i.zfl...i.k.m..i.k.j..i.k.l...i.zfm..i.zfo..i.zfh..i..h.n.i.Z.`...i.Z.i..i.Z....i.....i.Z.k..i.Rich..i.........................PE..L......f.........."!...'.....&......p0.......................................0.......p....@A.........................&......./..,.......................h:..............p...........................0...@............................................text...Z........................... ..`.rdata...[.......\..................@..@.data....(...P.......2..............@....rsrc................F..............@..@.reloc...............P..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA0EC.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	925800
Entropy (8bit):	6.5962529078695535
Encrypted:	false
SSDEEP:	24576:fuPYAGxUherZNh0lhSMXlrI5s2JK5kmwE:2P5Ferq7I5RJK5k1E
MD5:	421643EE7BB89E6DF092BC4B18A40FF8
SHA1:	E801582A6DD358060A699C9C5CDE31CD07EE49AB
SHA-256:	D6B89FD5A95071E7B144D8BEDCB09B694E9CD14BFBFAFB782B17CF8413EAC6DA
SHA-512:	D59C4EC7690E535DA84F94BEF2BE7F94D6BFD0B2908FA9A67D0897ABE8A2825FD52354C495EA1A7F133F727C2EE356869CC80BACF5557864D535A72D8C396023
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........u....i..i..i.zfj..i.zfl...i.k.m..i.k.j..i.k.l...i.zfm..i.zfo..i.zfh..i..h.n.i.Z.`...i.Z.i..i.Z....i.....i.Z.k..i.Rich..i.........................PE..L......f.........."!...'.....&......p0.......................................0.......p....@A.........................&......./..,.......................h:..............p...........................0...@............................................text...Z........................... ..`.rdata...[.......\..................@..@.data....(...P.......2..............@....rsrc................F..............@..@.reloc...............P..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA13B.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	898912
Entropy (8bit):	6.596353619858583
Encrypted:	false
SSDEEP:	24576:y//vq14OUaH0yxgC91E1h0lhSMXldU5Fr2CB6b0Wk6:y/Y02gCQsG592CB6b0Wk6
MD5:	A67ACB81551A030E01CDA17FA4732580
SHA1:	9F6B54919EE967FDDF20E74714049B8C13640083
SHA-256:	107FD7EE1EAF17C27B4ED25990ACACE2CB51F8D39F4DFC8EF5A3DF03D02E1D34
SHA-512:	30CC0870797220E23AF40D5F50A9CE823C1120FBA821FF15E057587C2A91C7247058E9A8479088047B9DC908C5176793E6F3CCD066DA30BD80E1179649B2F346
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........v+V..xV..xV..x...y]..x...y...x.9.yD..x.9.yN..x...yO..x.9.y7..x...yW..x...yA..xV..x>..x.:.y...x.:.yW..x.:.xW..xV..xW..x.:.yW..xRichV..x................PE..L...J..f.........."!...'.............G...............................................}....@A................................X........0..h............z..`=...@..$......p...............................@.......................@....................text...j........................... ..`.rdata........... ..................@..@.data... '..........................@....didat..H.... ......................@....rsrc...h....0......................@..@.reloc..$....@......................@..B........................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA1B9.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	925800
Entropy (8bit):	6.5962529078695535
Encrypted:	false
SSDEEP:	24576:fuPYAGxUherZNh0lhSMXlrI5s2JK5kmwE:2P5Ferq7I5RJK5k1E
MD5:	421643EE7BB89E6DF092BC4B18A40FF8
SHA1:	E801582A6DD358060A699C9C5CDE31CD07EE49AB
SHA-256:	D6B89FD5A95071E7B144D8BEDCB09B694E9CD14BFBFAFB782B17CF8413EAC6DA
SHA-512:	D59C4EC7690E535DA84F94BEF2BE7F94D6BFD0B2908FA9A67D0897ABE8A2825FD52354C495EA1A7F133F727C2EE356869CC80BACF5557864D535A72D8C396023
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........u....i..i..i.zfj..i.zfl...i.k.m..i.k.j..i.k.l...i.zfm..i.zfo..i.zfh..i..h.n.i.Z.`...i.Z.i..i.Z....i.....i.Z.k..i.Rich..i.........................PE..L......f.........."!...'.....&......p0.......................................0.......p....@A.........................&......./..,.......................h:..............p...........................0...@............................................text...Z........................... ..`.rdata...[.......\..................@..@.data....(...P.......2..............@....rsrc................F..............@..@.reloc...............P..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA237.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	925800
Entropy (8bit):	6.5962529078695535
Encrypted:	false
SSDEEP:	24576:fuPYAGxUherZNh0lhSMXlrI5s2JK5kmwE:2P5Ferq7I5RJK5k1E
MD5:	421643EE7BB89E6DF092BC4B18A40FF8
SHA1:	E801582A6DD358060A699C9C5CDE31CD07EE49AB
SHA-256:	D6B89FD5A95071E7B144D8BEDCB09B694E9CD14BFBFAFB782B17CF8413EAC6DA
SHA-512:	D59C4EC7690E535DA84F94BEF2BE7F94D6BFD0B2908FA9A67D0897ABE8A2825FD52354C495EA1A7F133F727C2EE356869CC80BACF5557864D535A72D8C396023
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........u....i..i..i.zfj..i.zfl...i.k.m..i.k.j..i.k.l...i.zfm..i.zfo..i.zfh..i..h.n.i.Z.`...i.Z.i..i.Z....i.....i.Z.k..i.Rich..i.........................PE..L......f.........."!...'.....&......p0.......................................0.......p....@A.........................&......./..,.......................h:..............p...........................0...@............................................text...Z........................... ..`.rdata...[.......\..................@..@.data....(...P.......2..............@....rsrc................F..............@..@.reloc...............P..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA313.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	898912
Entropy (8bit):	6.596353619858583
Encrypted:	false
SSDEEP:	24576:y//vq14OUaH0yxgC91E1h0lhSMXldU5Fr2CB6b0Wk6:y/Y02gCQsG592CB6b0Wk6
MD5:	A67ACB81551A030E01CDA17FA4732580
SHA1:	9F6B54919EE967FDDF20E74714049B8C13640083
SHA-256:	107FD7EE1EAF17C27B4ED25990ACACE2CB51F8D39F4DFC8EF5A3DF03D02E1D34
SHA-512:	30CC0870797220E23AF40D5F50A9CE823C1120FBA821FF15E057587C2A91C7247058E9A8479088047B9DC908C5176793E6F3CCD066DA30BD80E1179649B2F346
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........v+V..xV..xV..x...y]..x...y...x.9.yD..x.9.yN..x...yO..x.9.y7..x...yW..x...yA..xV..x>..x.:.y...x.:.yW..x.:.xW..xV..xW..x.:.yW..xRichV..x................PE..L...J..f.........."!...'.............G...............................................}....@A................................X........0..h............z..`=...@..$......p...............................@.......................@....................text...j........................... ..`.rdata........... ..................@..@.data... '..........................@....didat..H.... ......................@....rsrc...h....0......................@..@.reloc..$....@......................@..B........................................................................................................................................................................................................................................

C:\Windows\Installer\MSIB2A4.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	39663
Entropy (8bit):	5.271494769644881
Encrypted:	false
SSDEEP:	384:B6J0lep1kj5jXqoREwIhX/11uVxqwQ1eq9ad:B4t1kjtXRRE1X/z/HU
MD5:	0C20F943DF7173BDFB1D81952800B59A
SHA1:	547E8EAAE85C14CC6201BB7FBC9F2574B6ABE9BB
SHA-256:	921485947C7EC4EED8C04574A18D26AD822F23CC335772C700F0FF382C81E827
SHA-512:	37413A590ED5AD0393C369BA76DED562EA9B5B30A2805D5C177C46E9D665C9E30D6B7C95E26B3705192F7CC4BD089ABD51E46455AC763491F07BF521DA3086B7
Malicious:	false
Preview:	...@IXOS.@.....@.K.Y.@.....@.....@.....@.....@.....@......&.{B78F934D-616A-4FFD-9D5A-B870EF9423C2}..FxSound..fxsound.x64.msi.@.....@.....@.....@......fxsound.exe..&.{F8899042-579C-4B39-839E-F6772D559DC5}.....@.....@.....@.....@.......@.....@.....@.......@......FxSound......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{215927B7-6543-4106-B941-F33B96B65E3B}%.C:\Program Files\FxSound LLC\FxSound\.@.......@.....@.....@......&.{82E872A6-8D59-4785-92C3-8BBFF79EB0E4}0.C:\Program Files\FxSound LLC\FxSound\FxSound.exe.@.......@.....@.....@......&.{E6F40D13-6200-4931-A7A2-6142F7821778}9.C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe.@.......@.....@.....@......&.{EE536E27-12E6-4F20-A3E7-6A073AED85CB};.C:\Program Files\FxSound LLC\FxSound\Drivers\ptdevcon32.exe.@.......@.....@.....@......&.{FF4D6223-08FD-4830-A07F-C3307A8FA1B5};.C:\Program Files\FxSound LLC

C:\Windows\Installer\SourceHash{B78F934D-616A-4FFD-9D5A-B870EF9423C2}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.2033150480085975
Encrypted:	false
SSDEEP:	12:JSbX72FjHjXAlfLIlHuRpzhG7777777777777777777777777ZDHFlEKBzBaPep6:JpUIwqj1Qep7FtUVF
MD5:	DF1E18C6D1AFBA48C1C75B808276C255
SHA1:	04F71C6C762CB3BE61333DE0A34472491E4BC25A
SHA-256:	5EE6EC0051FE0C7EE30139DD5440869161A58EEDE458E9E27CBB6274F454BCDE
SHA-512:	556BD504333A10ED9BACA27006FB513B80C0AD3CC51CDDC5220A79099905D44C7783F76AF59CF352BA4B2594B85FA28D594E3D4FEBD5CB922AE76377C80FBBF1
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.6975885299965723
Encrypted:	false
SSDEEP:	48:Q8Ph5uRc06WX46jT5VVzbYd0V2AEkrCyABMpBMpWSkd0VxxdvysFD4bd0V2AEkrs:/h51KjT1bTRC5qVgDV7RCUo
MD5:	EF74A6ED508EAC240A4BFB91E8643307
SHA1:	C119A8C569EF5B801783C439B5398BABA43398AB
SHA-256:	D2D8938A92EF4EEC5AACC368EEF9E3A4A149814F62484FA3DA8DEE55C79BF920
SHA-512:	862B424840E8AB8E4805A85A65F4168AADFA444BD3B33FE45C64F6D1AEAE6DB072B7712FF019D08A11B03621B721A4EB77923DFF079D70E385DC6EF1637E9A85
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{B78F934D-616A-4FFD-9D5A-B870EF9423C2}\fxsound.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 5 icons, 16x16, 32 bits/pixel, 24x24, 32 bits/pixel
Category:	dropped
Size (bytes):	20148
Entropy (8bit):	3.4443300682245748
Encrypted:	false
SSDEEP:	192:zoREdWIhX/1gXPE35DvgAXXfABH3FxNswjM:zoREwIhX/11uVxqwY
MD5:	7769C64158D212252387732102B604AA
SHA1:	2BFE000B2759071A4F5189DDD43E149A6769CCB0
SHA-256:	474A8FD7F30AB7787932160974C4B05DFC62C464C779CE638CAB3DB4D66147B7
SHA-512:	4DBCFC4951E0DB129FACE695AB9B326C9A24FA94B616B65FC5E68353CD0248FF5BDC21A707B8AB056CF9321CC97E953F75369FE1518393590E89A8EF2EF22F0C
Malicious:	false
Preview:	............ .h...V......... ......... .... .....F...00.... ..%............ ......D..(....... ..... ............................'...........................................................'............................................................................................................................................................................................................TTT.===.....###.zzz.zzz.###.....===.TTT.................'''.........ppp.....KKK.........KKK.....ppp.........'''.........'''.........ppp.....LLL.........LLL.....ppp.........'''.................MMM.ppp.....LLL.........LLL.....ppp.KKK.............................rrr.....LLL.........LLL.....rrr.................................mmm.....HHH.........HHH.....mmm.................................###.```.................aaa.###.............................................................................................................\|\|\|.\|\|\|.......................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	364484
Entropy (8bit):	5.3654950184075165
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgau5:zTtbmkExhMJCIpEC
MD5:	2AA898707F560B0411FCB83B76647C61
SHA1:	35EB68AD24590E8F1C9FB766C7782B7DE0B7E643
SHA-256:	F253E31C2AB9F163C7B3B44EFEAAC43DDF1CBB7232C974B5C478CB4F60582BA0
SHA-512:	82F2C2E1A73E75285CE151F7A1522B7E08A168B7A0F7A2913E322F2BCF466498572AD99137755F76489F35213AD0EA8ACA94700D76B650CDA386BF8FF10E8458
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\SysWOW64\dfx11.ico

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 4 icons, 64x64, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	32988
Entropy (8bit):	2.0838482936133116
Encrypted:	false
SSDEEP:	96:ziLVjzfTmM5JJJjY4vCYYYRImnyRRjiacLqzD8:YrTp5JJJjYMCYYYRImnyRRWacLq
MD5:	648D3F5E7778CA1F7983B246C264B0C9
SHA1:	86E382BE934A39AACC78F4CA3AB82CCF1E5E6E4F
SHA-256:	28F31663D6EA3161943737E0235EAC93D8DBDA241C925AD0FD72727F491274A0
SHA-512:	3772C9DF9494AFBBC8CACE58E98446B913739395FD1DA005DCE09D3E806C772D6DEDD9C654083C64E3AA0D5450836708C65969B763D129DBB8BE33F213A31FBB
Malicious:	false
Preview:	......@@.... .(@..F... .... .(...n@........ .(....P........ .(....Y..(...@......... ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\fxsound.ico

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 5 icons, 16x16, 32 bits/pixel, 24x24, 32 bits/pixel
Category:	dropped
Size (bytes):	20148
Entropy (8bit):	3.4443300682245748
Encrypted:	false
SSDEEP:	192:zoREdWIhX/1gXPE35DvgAXXfABH3FxNswjM:zoREwIhX/11uVxqwY
MD5:	7769C64158D212252387732102B604AA
SHA1:	2BFE000B2759071A4F5189DDD43E149A6769CCB0
SHA-256:	474A8FD7F30AB7787932160974C4B05DFC62C464C779CE638CAB3DB4D66147B7
SHA-512:	4DBCFC4951E0DB129FACE695AB9B326C9A24FA94B616B65FC5E68353CD0248FF5BDC21A707B8AB056CF9321CC97E953F75369FE1518393590E89A8EF2EF22F0C
Malicious:	false
Preview:	............ .h...V......... ......... .... .....F...00.... ..%............ ......D..(....... ..... ............................'...........................................................'............................................................................................................................................................................................................TTT.===.....###.zzz.zzz.###.....===.TTT.................'''.........ppp.....KKK.........KKK.....ppp.........'''.........'''.........ppp.....LLL.........LLL.....ppp.........'''.................MMM.ppp.....LLL.........LLL.....ppp.KKK.............................rrr.....LLL.........LLL.....rrr.................................mmm.....HHH.........HHH.....mmm.................................###.```.................aaa.###.............................................................................................................\|\|\|.\|\|\|.......................................................................

C:\Windows\System32\DriverStore\Temp\{a9706f53-a644-174a-a57d-685566a0fbfc}\SETE2C4.tmp

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	data
Category:	dropped
Size (bytes):	10590
Entropy (8bit):	7.254430659006022
Encrypted:	false
SSDEEP:	192:1OgjZ7OPJCbngEw9JPgXkhYCClQBcA5E8qnajEzHbC:18UuLh3Cl+x5E8l4zu
MD5:	ACDAAE5D1219E7703285C42F774BE54D
SHA1:	47DF82D8C843BF1ADC098A26E9E3E27217B3104D
SHA-256:	25C8DAE186155D20F74FEEDEFB4F84161E4215925B8FD0C898F68F3E50EBCD7D
SHA-512:	83B663222FB22B1760EA8551D19557F3F2905BFAC205B380B23DD7F2A65A37B851A3C3C345E4A768B76700BB891B97C96A0DBBB58D81358993293AD1EB3E300A
Malicious:	false
Preview:	0.)Z...H........)K0.)G...1.0...`.H.e......0.....+.....7......0...0...+.....7.....7.M&...A.f..B....210319161347Z0...+.....7.....0..?0....#..6yS{.I..^o.Q{.A.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........f.x.v.a.d...i.n.f...0.... Kt=..].....&...m.ng..,.....Q...\|1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........f.x.v.a.d...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... Kt=..].....&...m.ng..,.....Q...\|0... ..\...{...p$..B.F.C8..C.p....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........f.x.v.a.d...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... ..\...{...*p$..B.F.C8..C.p....0.....w7=-{x\|<....8....O.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........f.x.v.a.d...s.y.s......C0..?0....+.....7......0.....S.u.

C:\Windows\System32\DriverStore\Temp\{a9706f53-a644-174a-a57d-685566a0fbfc}\SETE313.tmp

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	5334
Entropy (8bit):	5.628759224235533
Encrypted:	false
SSDEEP:	96:3q9BSSyjoh9OnLhtuGUdDrG9E/6uYqZpd7SY5MFgWC2i8/ENYZS:3qzSSyjoG17UprGEiuYqZpd7Se8eYENp
MD5:	328087CAF99B50D988A304BEEEA3FCE8
SHA1:	23FFEF913679537BB049008F5E6F8E517BB24192
SHA-256:	BA175CFDDD91B87BDDA3F1DF2A70249E1742E846B843381EB0438B70F91A110A
SHA-512:	D006E8DE0F9258A3EE75723E458D635586040702C1357630F199CF5740C7E29D87FEFD4B869A897BDD26B67FAD134E6BF35A2C01C3A00ACC8BF20181D7DA1AA3
Malicious:	false
Preview:	;..;fxvad.inf..;....[Version]..Signature="$CHICAGO$"..Class=MEDIA..Provider=%FXMN%..ClassGUID={4d36e96c-e325-11ce-bfc1-08002be10318}..DriverVer = 03/17/2021,14.1.0.0..CatalogFile.NTx86=fxvadNTx86.cat..CatalogFile.NTAMD64=fxvadNTAMD64.cat..PnpLockDown=1....[Manufacturer]..%MfgName%=DFX,NTamd64,NTx86....[DFX.NTx86]..%DFX_Device.DeviceDesc%=DFX_Device,Root\%DEV_NAME%,%DEV_NAME%....[DFX.NTamd64]..%DFX_Device.DeviceDesc%=DFX_Device,Root\%DEV_NAME%,%DEV_NAME%....;-----------------------------------------------------------------------------..;..; 2k+ Installation..;..;-----------------------------------------------------------------------------..[DFX_Device.NT]..Include=ks.inf,wdmaudio.inf..Needs=KS.Registration, WDMAUDIO.Registration..CopyFiles=DFX_Device.CopyList..AddReg=DFX_Device.AddReg..AddProperty=DFX_1AddPropertySection....[DFX_Device.NT.Interfaces]..AddInterface=%KSCATEGORY_AUDIO%,%KSNAME_Wave%,DFX_Device.I.Wave..AddInterface=%KSCATEGORY_RENDER%,%KSNAME_Wave%,DFX_Device.I.Wave..;Add

C:\Windows\System32\DriverStore\Temp\{a9706f53-a644-174a-a57d-685566a0fbfc}\SETE343.tmp

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	326656
Entropy (8bit):	2.91036654915667
Encrypted:	false
SSDEEP:	768:3Ft4aLqpAogNTiqwu2CvcCjikibqqqqqqqqqqqqqqqqqqqaFgNj////////////l:T45A/N8Cfjik6scccoFtr
MD5:	EAF913C1DE47C2421669B662EDAA5A6A
SHA1:	53524526E1898A90FA98AE02E662B9C0E6DC2848
SHA-256:	425629B6309000013E8CD1A9B827BEE365D21C9F743873AADD0C3BC96A999D2A
SHA-512:	BB674FEB73751172A1ACE65AAB89C5EBF952A07F7AF0F3EC1DADF357FF693230CF08910AE273E8335EEC35E5827DA6405272D05C161987DF679199935AF21A76
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........................................................X.......X.R.....X.......Rich....................PE..d....@R`.........."......6..........0..........@............................. ......cM....`A....................................................<........\|...@...........$..........8)..8...........................p)............... ...............................text...)........................... ..h.rdata....... ......................@..H.data........0......................@....pdata.......@.......(..............@..HPAGE....J'...P...(...,.............. ..`INIT.................T.............. ..b.rsrc....\|.......~...X..............@..B.reloc..............................@..B........................................................................................................................................................................................

C:\Windows\System32\DriverStore\Temp\{a9706f53-a644-174a-a57d-685566a0fbfc}\fxvad.inf (copy)

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	5334
Entropy (8bit):	5.628759224235533
Encrypted:	false
SSDEEP:	96:3q9BSSyjoh9OnLhtuGUdDrG9E/6uYqZpd7SY5MFgWC2i8/ENYZS:3qzSSyjoG17UprGEiuYqZpd7Se8eYENp
MD5:	328087CAF99B50D988A304BEEEA3FCE8
SHA1:	23FFEF913679537BB049008F5E6F8E517BB24192
SHA-256:	BA175CFDDD91B87BDDA3F1DF2A70249E1742E846B843381EB0438B70F91A110A
SHA-512:	D006E8DE0F9258A3EE75723E458D635586040702C1357630F199CF5740C7E29D87FEFD4B869A897BDD26B67FAD134E6BF35A2C01C3A00ACC8BF20181D7DA1AA3
Malicious:	false
Preview:	;..;fxvad.inf..;....[Version]..Signature="$CHICAGO$"..Class=MEDIA..Provider=%FXMN%..ClassGUID={4d36e96c-e325-11ce-bfc1-08002be10318}..DriverVer = 03/17/2021,14.1.0.0..CatalogFile.NTx86=fxvadNTx86.cat..CatalogFile.NTAMD64=fxvadNTAMD64.cat..PnpLockDown=1....[Manufacturer]..%MfgName%=DFX,NTamd64,NTx86....[DFX.NTx86]..%DFX_Device.DeviceDesc%=DFX_Device,Root\%DEV_NAME%,%DEV_NAME%....[DFX.NTamd64]..%DFX_Device.DeviceDesc%=DFX_Device,Root\%DEV_NAME%,%DEV_NAME%....;-----------------------------------------------------------------------------..;..; 2k+ Installation..;..;-----------------------------------------------------------------------------..[DFX_Device.NT]..Include=ks.inf,wdmaudio.inf..Needs=KS.Registration, WDMAUDIO.Registration..CopyFiles=DFX_Device.CopyList..AddReg=DFX_Device.AddReg..AddProperty=DFX_1AddPropertySection....[DFX_Device.NT.Interfaces]..AddInterface=%KSCATEGORY_AUDIO%,%KSNAME_Wave%,DFX_Device.I.Wave..AddInterface=%KSCATEGORY_RENDER%,%KSNAME_Wave%,DFX_Device.I.Wave..;Add

C:\Windows\System32\DriverStore\Temp\{a9706f53-a644-174a-a57d-685566a0fbfc}\fxvad.sys (copy)

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	326656
Entropy (8bit):	2.91036654915667
Encrypted:	false
SSDEEP:	768:3Ft4aLqpAogNTiqwu2CvcCjikibqqqqqqqqqqqqqqqqqqqaFgNj////////////l:T45A/N8Cfjik6scccoFtr
MD5:	EAF913C1DE47C2421669B662EDAA5A6A
SHA1:	53524526E1898A90FA98AE02E662B9C0E6DC2848
SHA-256:	425629B6309000013E8CD1A9B827BEE365D21C9F743873AADD0C3BC96A999D2A
SHA-512:	BB674FEB73751172A1ACE65AAB89C5EBF952A07F7AF0F3EC1DADF357FF693230CF08910AE273E8335EEC35E5827DA6405272D05C161987DF679199935AF21A76
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........................................................X.......X.R.....X.......Rich....................PE..d....@R`.........."......6..........0..........@............................. ......cM....`A....................................................<........\|...@...........$..........8)..8...........................p)............... ...............................text...)........................... ..h.rdata....... ......................@..H.data........0......................@....pdata.......@.......(..............@..HPAGE....J'...P...(...,.............. ..`INIT.................T.............. ..b.rsrc....\|.......~...X..............@..B.reloc..............................@..B........................................................................................................................................................................................

C:\Windows\System32\DriverStore\Temp\{a9706f53-a644-174a-a57d-685566a0fbfc}\fxvadNTAMD64.cat (copy)

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	data
Category:	dropped
Size (bytes):	10590
Entropy (8bit):	7.254430659006022
Encrypted:	false
SSDEEP:	192:1OgjZ7OPJCbngEw9JPgXkhYCClQBcA5E8qnajEzHbC:18UuLh3Cl+x5E8l4zu
MD5:	ACDAAE5D1219E7703285C42F774BE54D
SHA1:	47DF82D8C843BF1ADC098A26E9E3E27217B3104D
SHA-256:	25C8DAE186155D20F74FEEDEFB4F84161E4215925B8FD0C898F68F3E50EBCD7D
SHA-512:	83B663222FB22B1760EA8551D19557F3F2905BFAC205B380B23DD7F2A65A37B851A3C3C345E4A768B76700BB891B97C96A0DBBB58D81358993293AD1EB3E300A
Malicious:	false
Preview:	0.)Z...H........)K0.)G...1.0...`.H.e......0.....+.....7......0...0...+.....7.....7.M&...A.f..B....210319161347Z0...+.....7.....0..?0....#..6yS{.I..^o.Q{.A.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........f.x.v.a.d...i.n.f...0.... Kt=..].....&...m.ng..,.....Q...\|1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........f.x.v.a.d...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... Kt=..].....&...m.ng..,.....Q...\|0... ..\...{...p$..B.F.C8..C.p....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........f.x.v.a.d...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... ..\...{...*p$..B.F.C8..C.p....0.....w7=-{x\|<....8....O.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........f.x.v.a.d...s.y.s......C0..?0....+.....7......0.....S.u.

C:\Windows\System32\catroot2\dberr.txt

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	3474
Entropy (8bit):	5.366588435754502
Encrypted:	false
SSDEEP:	96:QO00eO00erMwUgWUg0B1kE3ZhpJp8ZpkRepk3YpgpNE:QO00eO00erMwmkB1kAC
MD5:	4AA4B755A365FDE43577787A2643C7E3
SHA1:	459873CC158CC93D5A80268CD5B3C503B5CBC6FB
SHA-256:	A6312EF0CA7A368320B996BF81A1458FCCF326AB8DFF7DDA38B553AEE8C56DAF
SHA-512:	2843BCF849D5BF19C0CF2258D96778B15D3C7093A6B8B66C4EC5094AC27FF443E8B6DCA3BA072AD5D81D707D3D98412D1B6F68671595CFA50BD3E398F7FE605A
Malicious:	false
Preview:	CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6041 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6699 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #4398 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6041 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6699 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #4398 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #2083 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #2459 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: SyncAllDBs Corruption or Schema Change..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #891 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #1307 encountered JET error -1601..CatalogDB: 08:57:12 03/10/2023: SyncDB:: Sync sta

C:\Windows\Temp\~DF0D128CC2FEC62905.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.09982075586496067
Encrypted:	false
SSDEEP:	12:50i8n0itFzDHFlEKBzBaPep7Jr5i8U9rdw:mF0mlj1Qep7FtU
MD5:	5C5CE10E7578C5B2B53693B1DBBE4E31
SHA1:	3C5D3B949EE912F4252F6660F0370AE654A55DCE
SHA-256:	881F3D0FD9837ADA9C0E60230835AD83C3A09398F660190723B9098DD6E08116
SHA-512:	795CD0F802F787B6A794D6C7FF5CDB89DF5FD9D92E629E3C0D2EDE83B8A3CF1DAB539512CBE8ED53C51EC749AD13656EDAEA409ACB7706088302CE5CCFBBF0F4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF165E71268DC94604.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.350118091099497
Encrypted:	false
SSDEEP:	48:+8Bu/rhPIFX4NT53qWVzbYd0V2AEkrCyABMpBMpWSkd0VxxdvysFD4bd0V2AEkrs:bBWIOT59bTRC5qVgDV7RCUo
MD5:	385D13FA6B95283EEA39A58858D79CCC
SHA1:	AA09CE6D085B1420683560FE5112A12BDF695356
SHA-256:	282EFB593806F8C6D3FFF8A9833EEFB5D2B1B1C22CCED3B636A47B78E94DED11
SHA-512:	FB4376D71FD0CE5C507B4370CADF1EBC62EB66679A7A204CBC4A4D6B75285AE51161FA63A1EA96FF469649E70782AEC0F9D60AECD31AD1BADA8C449EC59527D0
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF1DC86B7C62821A92.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF2E35EC54279E3727.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.350118091099497
Encrypted:	false
SSDEEP:	48:+8Bu/rhPIFX4NT53qWVzbYd0V2AEkrCyABMpBMpWSkd0VxxdvysFD4bd0V2AEkrs:bBWIOT59bTRC5qVgDV7RCUo
MD5:	385D13FA6B95283EEA39A58858D79CCC
SHA1:	AA09CE6D085B1420683560FE5112A12BDF695356
SHA-256:	282EFB593806F8C6D3FFF8A9833EEFB5D2B1B1C22CCED3B636A47B78E94DED11
SHA-512:	FB4376D71FD0CE5C507B4370CADF1EBC62EB66679A7A204CBC4A4D6B75285AE51161FA63A1EA96FF469649E70782AEC0F9D60AECD31AD1BADA8C449EC59527D0
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF309DC9CF1BBD423F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF31CFF27ED63EB1A4.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF36AE1AAC7C926D88.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.6975885299965723
Encrypted:	false
SSDEEP:	48:Q8Ph5uRc06WX46jT5VVzbYd0V2AEkrCyABMpBMpWSkd0VxxdvysFD4bd0V2AEkrs:/h51KjT1bTRC5qVgDV7RCUo
MD5:	EF74A6ED508EAC240A4BFB91E8643307
SHA1:	C119A8C569EF5B801783C439B5398BABA43398AB
SHA-256:	D2D8938A92EF4EEC5AACC368EEF9E3A4A149814F62484FA3DA8DEE55C79BF920
SHA-512:	862B424840E8AB8E4805A85A65F4168AADFA444BD3B33FE45C64F6D1AEAE6DB072B7712FF019D08A11B03621B721A4EB77923DFF079D70E385DC6EF1637E9A85
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF39A4E7119D86213F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.6975885299965723
Encrypted:	false
SSDEEP:	48:Q8Ph5uRc06WX46jT5VVzbYd0V2AEkrCyABMpBMpWSkd0VxxdvysFD4bd0V2AEkrs:/h51KjT1bTRC5qVgDV7RCUo
MD5:	EF74A6ED508EAC240A4BFB91E8643307
SHA1:	C119A8C569EF5B801783C439B5398BABA43398AB
SHA-256:	D2D8938A92EF4EEC5AACC368EEF9E3A4A149814F62484FA3DA8DEE55C79BF920
SHA-512:	862B424840E8AB8E4805A85A65F4168AADFA444BD3B33FE45C64F6D1AEAE6DB072B7712FF019D08A11B03621B721A4EB77923DFF079D70E385DC6EF1637E9A85
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF9B575517E10197DD.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFBAA4916B7FF0C3FC.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.350118091099497
Encrypted:	false
SSDEEP:	48:+8Bu/rhPIFX4NT53qWVzbYd0V2AEkrCyABMpBMpWSkd0VxxdvysFD4bd0V2AEkrs:bBWIOT59bTRC5qVgDV7RCUo
MD5:	385D13FA6B95283EEA39A58858D79CCC
SHA1:	AA09CE6D085B1420683560FE5112A12BDF695356
SHA-256:	282EFB593806F8C6D3FFF8A9833EEFB5D2B1B1C22CCED3B636A47B78E94DED11
SHA-512:	FB4376D71FD0CE5C507B4370CADF1EBC62EB66679A7A204CBC4A4D6B75285AE51161FA63A1EA96FF469649E70782AEC0F9D60AECD31AD1BADA8C449EC59527D0
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFCAF5BCB4CB030302.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFFA19CE7D8211F957.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.18719646643241072
Encrypted:	false
SSDEEP:	48:hBk9d0V2AEkrCyAsSkd0Vxd0V2AEkrCyABMpBMpWSkd0VxxdvysFD4SF6V:hTRCULRC5qVgDVPF
MD5:	56A75E92635F8ADA14B5230A84347FC7
SHA1:	23C9292EA1864563E12ED5C46CE7F4E4E9286F6C
SHA-256:	148551A89575EC0B87FDB244ACAC571346FF484A41697B0A9EB8457B5067A745
SHA-512:	32DD8FD5F8B9E1E0AC819E5B54E856324C3E1140FAC1B722378DFFB06F569806F5AA39AD9CC0363C7EB2D1E9480705D11C0CA8EC8C5AD280CBE89D63C1FF86E5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9393593713785044
TrID:	Win32 Executable (generic) a (10002005/4) 98.81% Windows ActiveX control (116523/4) 1.15% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	fxsound_setup.exe
File size:	72'388'192 bytes
MD5:	d0509ad561d032d6179e95a521b06f10
SHA1:	f7580459ac444fec5e5de1300155a0373f3c9590
SHA256:	7dbc411488e4e653769f98b014f2a24b185b24653cee04fa5ed59b03438da7e7
SHA512:	f70f24149c8296e1ae8837f14a0ff0fb32c9075ea6ac772ec6059831b1fa9ebdef1b0ec9c628405629ca1da45b47ed7a9d9385ebaad372787e0dbc0c0d9d59c5
SSDEEP:	1572864:ANVjchuWARziOixoc2oDvaoDPtYJDhV1CA2CJ42PzSNHl8SLUb9M/r8JZsS:eR93c2eNPUJp2jWzSNH6PJMg/
TLSH:	D2F72231728AC427E56D11B16A3DEA7A512CBD770B7148C7B3DC7D1E2A748C22632E27
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................3...!...3.......".......".......".......3.......3.......3.......3...................k.....A.......)............

File Icon


Icon Hash:	45927168a2920045

Static PE Info

General

Entrypoint:	0x6304c0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x668514B7 [Wed Jul 3 09:07:03 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	63ed59597dad42eeec3f01fae0ba2a2e

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	05/07/2024 02:00:00 08/05/2025 01:59:59
Subject Chain	CN="FxSound, LLC", O="FxSound, LLC", L=Mill Valley, S=California, C=US, SERIALNUMBER=201721910237, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=California, OID.1.3.6.1.4.1.311.60.2.1.3=US
Version:	3
Thumbprint MD5:	1D2A0DF10F2C39D806BE4E2AE9BA464E
Thumbprint SHA-1:	4BFE2FEB31D00B184E85A59E1F2B77B7F3443852
Thumbprint SHA-256:	CDD6EF3914F4B65EF59569ADDA4F7C90D2E8622BCB1D2A8B98857DCAF3D016C7
Serial:	06B7BF9AA36A07D57801FB46211C0C18

Entrypoint Preview

Instruction
call 00007F8FB8B58A9Bh
jmp 00007F8FB8B5825Dh
push ebp
mov ebp, esp
and dword ptr [00782D64h], 00000000h
sub esp, 24h
or dword ptr [0077F068h], 01h
push 0000000Ah
call dword ptr [006C427Ch]
test eax, eax
je 00007F8FB8B58592h
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]
push ebx
cpuid
mov esi, ebx
pop ebx
nop
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
xor ecx, ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-24h]
mov edi, dword ptr [ebp-20h]
mov dword ptr [ebp-0Ch], eax
xor edi, 756E6547h
mov eax, dword ptr [ebp-18h]
xor eax, 49656E69h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr [ebp-1Ch]
xor eax, 6C65746Eh
mov dword ptr [ebp-08h], eax
xor eax, eax
inc eax
push ebx
cpuid
mov esi, ebx
pop ebx
nop
lea ebx, dword ptr [ebp-24h]
mov dword ptr [ebx], eax
mov eax, dword ptr [ebp-04h]
or eax, dword ptr [ebp-08h]
or eax, edi
mov dword ptr [ebx+04h], esi
mov dword ptr [ebx+08h], ecx
mov dword ptr [ebx+0Ch], edx
jne 00007F8FB8B58425h
mov eax, dword ptr [ebp-24h]
and eax, 0FFF3FF0h
cmp eax, 000106C0h
je 00007F8FB8B58405h
cmp eax, 00020660h
je 00007F8FB8B583FEh
cmp eax, 00020670h
je 00007F8FB8B583F7h
cmp eax, 00030650h
je 00007F8FB8B583F0h
cmp eax, 00030660h
je 00007F8FB8B583E9h
cmp eax, 00030670h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x37d530	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x38e000	0x2c2b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x45064c8	0x2998
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3bb000	0x3044c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x31af10	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x31af80	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2ea370	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2c4000	0x330	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x37a9c4	0x240	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2c20ca	0x2c2200	042606883bbe454179c666121867c101	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2c4000	0xba7ea	0xba800	8e7e192631d735706bd90c5ec7ebb8ff	False	0.325677048424933	COM executable for DOS	5.063852383845187	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x37f000	0xd9e0	0x3600	f46f36e383a3f3bf9a58345b24d6210f	False	0.2349537037037037	DOS executable (block device driver)	4.432010951512356	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x38d000	0x70c	0x800	637bc060cb55bba6626d2340b61e20f4	False	0.40673828125	data	4.5534805519457455	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x38e000	0x2c2b8	0x2c400	e0decc79e32127fa9b2d3131afd30ea9	False	0.13033523128531074	data	5.0730422363876135	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3bb000	0x3044c	0x30600	e2cf7c6f40fc212f2af60f7ee3e79c43	False	0.4783945009689923	data	6.5707642836361435	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x38e910	0x13e	Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 5 important colors	English	United States	0.25471698113207547
RT_BITMAP	0x38ea50	0x828	Device independent bitmap graphic, 32 x 16 x 32, image size 0	English	United States	0.03017241379310345
RT_BITMAP	0x38f278	0x48a8	Device independent bitmap graphic, 290 x 16 x 32, image size 0	English	United States	0.11881720430107527
RT_BITMAP	0x393b20	0xa6a	Device independent bitmap graphic, 320 x 16 x 4, image size 2562, resolution 2834 x 2834 px/m	English	United States	0.21680420105026257
RT_BITMAP	0x39458c	0x152	Device independent bitmap graphic, 32 x 16 x 4, image size 258, resolution 2834 x 2834 px/m, 10 important colors	English	United States	0.5295857988165681
RT_BITMAP	0x3946e0	0x828	Device independent bitmap graphic, 32 x 16 x 32, image size 0	English	United States	0.4875478927203065
RT_ICON	0x394f08	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	English	United States	0.2579787234042553
RT_ICON	0x395370	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 2834 x 2834 px/m	English	United States	0.18278688524590164
RT_ICON	0x395cf8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	English	United States	0.11890243902439024
RT_ICON	0x396da0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	English	United States	0.07811203319502075
RT_ICON	0x399348	0xa1e	PNG image data, 256 x 256, 8-bit gray+alpha, non-interlaced	English	United States	0.894980694980695
RT_DIALOG	0x399d68	0xac	data	English	United States	0.7151162790697675
RT_DIALOG	0x399e14	0xcc	data	English	United States	0.6911764705882353
RT_DIALOG	0x399ee0	0x1b4	data	English	United States	0.5458715596330275
RT_DIALOG	0x39a094	0x136	data	English	United States	0.6064516129032258
RT_DIALOG	0x39a1cc	0x4c	data	English	United States	0.8289473684210527
RT_STRING	0x39a218	0x234	data	English	United States	0.4645390070921986
RT_STRING	0x39a44c	0x182	data	English	United States	0.5103626943005182
RT_STRING	0x39a5d0	0x50	data	English	United States	0.7375
RT_STRING	0x39a620	0x9a	data	English	United States	0.37662337662337664
RT_STRING	0x39a6bc	0x2f6	data	English	United States	0.449868073878628
RT_STRING	0x39a9b4	0x5c0	data	English	United States	0.3498641304347826
RT_STRING	0x39af74	0x434	data	English	United States	0.32899628252788105
RT_STRING	0x39b3a8	0x100	data	English	United States	0.5703125
RT_STRING	0x39b4a8	0x484	data	English	United States	0.39186851211072665
RT_STRING	0x39b92c	0x1ea	data	English	United States	0.44081632653061226
RT_STRING	0x39bb18	0x18a	data	English	United States	0.5228426395939086
RT_STRING	0x39bca4	0x216	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States	0.46254681647940077
RT_STRING	0x39bebc	0x624	data	English	United States	0.3575063613231552
RT_STRING	0x39c4e0	0x660	data	English	United States	0.3474264705882353
RT_STRING	0x39cb40	0x41a	data	English	United States	0.38095238095238093
RT_GROUP_ICON	0x39cf5c	0x4c	data	English	United States	0.7763157894736842
RT_VERSION	0x39cfa8	0x2e8	data	English	United States	0.45564516129032256
RT_HTML	0x39d290	0x3835	ASCII text, with very long lines (443), with CRLF line terminators	English	United States	0.08298005420807561
RT_HTML	0x3a0ac8	0x1316	ASCII text, with CRLF line terminators	English	United States	0.18399508800654932
RT_HTML	0x3a1de0	0x8c77	HTML document, ASCII text, with CRLF line terminators	English	United States	0.08081426068578103
RT_HTML	0x3aaa58	0x6acd	HTML document, ASCII text, with CRLF line terminators	English	United States	0.10679931238798873
RT_HTML	0x3b1528	0x679	HTML document, ASCII text, with CRLF line terminators	English	United States	0.34339167169583584
RT_HTML	0x3b1ba4	0x104a	HTML document, ASCII text, with CRLF line terminators	English	United States	0.2170263788968825
RT_HTML	0x3b2bf0	0x15b1	HTML document, ASCII text, with CRLF line terminators	English	United States	0.17612101566720692
RT_HTML	0x3b41a4	0x2099	exported SGML document, ASCII text, with very long lines (659), with CRLF line terminators	English	United States	0.13732774116237267
RT_HTML	0x3b6240	0x368d	HTML document, ASCII text, with CRLF line terminators	English	United States	0.10834228428213391
RT_HTML	0x3b98d0	0x1d7	ASCII text, with CRLF line terminators	English	United States	0.6008492569002123
RT_MANIFEST	0x3b9aa8	0x80f	XML 1.0 document, ASCII text, with CRLF, LF line terminators	English	United States	0.40814348036839554

Imports

DLL

Import

KERNEL32.dll

WriteFile, DeleteFileW, HeapDestroy, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetProcessHeap, SizeofResource, LockResource, LoadResource, FindResourceW, FindResourceExW, CreateEventExW, WaitForSingleObject, CreateProcessW, GetLastError, GetExitCodeProcess, SetEvent, RemoveDirectoryW, GetProcAddress, GetModuleHandleW, GetWindowsDirectoryW, CreateDirectoryW, GetTempPathW, GetTempFileNameW, MoveFileW, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, GetCurrentThreadId, RaiseException, SetLastError, GlobalUnlock, GlobalLock, GlobalAlloc, MulDiv, lstrcmpW, CreateEventW, FindClose, FindFirstFileW, GetFullPathNameW, InitializeCriticalSection, lstrcpynW, CreateThread, GetLogicalDriveStringsW, GetDriveTypeW, GetDiskFreeSpaceExW, Sleep, LoadLibraryExW, FreeLibrary, GetCurrentProcess, WideCharToMultiByte, GetSystemDirectoryW, GetCurrentProcessId, DecodePointer, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, CreateNamedPipeW, GetExitCodeThread, lstrlenW, VerifyVersionInfoW, VerSetConditionMask, lstrcmpiW, LoadLibraryW, CompareStringW, FindNextFileW, GetFileSize, GetFileAttributesW, GetShortPathNameW, GetFinalPathNameByHandleW, SetFileAttributesW, GetFileTime, CopyFileW, ReadFile, SetFilePointer, SetFileTime, SystemTimeToFileTime, MultiByteToWideChar, GetSystemInfo, WaitForMultipleObjects, GetVersionExW, CreateSemaphoreW, ReleaseSemaphore, GlobalMemoryStatus, GetModuleHandleA, GetProcessAffinityMask, VirtualProtect, VirtualQuery, LoadLibraryExA, GetStringTypeW, OutputDebugStringW, GetLocalTime, FlushFileBuffers, LocalFree, LocalAlloc, SetUnhandledExceptionFilter, FileTimeToSystemTime, GetEnvironmentVariableW, GetSystemTime, GetDateFormatW, GetTimeFormatW, GetLocaleInfoW, FormatMessageW, ConnectNamedPipe, CloseHandle, InitializeCriticalSectionEx, LoadLibraryA, GetModuleFileNameA, GetCurrentThread, GetConsoleOutputCP, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, IsWow64Process, SetConsoleTextAttribute, GetStdHandle, GetConsoleScreenBufferInfo, GetTickCount, GetCommandLineW, SetCurrentDirectoryW, SetEndOfFile, EnumResourceLanguagesW, GetSystemDefaultLangID, GetUserDefaultLangID, ResetEvent, GlobalFree, GetPrivateProfileStringW, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, TerminateThread, CompareFileTime, CopyFileExW, OpenEventW, PeekNamedPipe, WaitForSingleObjectEx, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, FormatMessageA, GetLocaleInfoEx, FindFirstFileExW, MoveFileExW, QueryPerformanceCounter, QueryPerformanceFrequency, WakeAllConditionVariable, SleepConditionVariableSRW, EncodePointer, LCMapStringEx, CompareStringEx, GetCPInfo, GetSystemTimeAsFileTime, IsDebuggerPresent, InitializeSListHead, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, IsProcessorFeaturePresent, VirtualAlloc, VirtualFree, UnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, RtlUnwind, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, ExitProcess, GetFileType, LCMapStringW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetConsoleMode, SetFilePointerEx, GetFileSizeEx, ReadConsoleW, GetTimeZoneInformation, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, WriteConsoleW, GetEnvironmentStringsW, CreateFileW

imagehlp.dll

SymGetModuleBase, SymFunctionTableAccess, SymGetLineFromAddr, SymSetSearchPath, SymCleanup, SymInitialize, SymSetOptions, StackWalk

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-28T15:31:33.798687+0100	2829202	ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA	1	192.168.2.5	49727	20.233.83.145	443	TCP
2024-12-28T15:31:35.600271+0100	2829202	ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA	1	192.168.2.5	49737	185.199.109.133	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 15:31:29.202929020 CET	49727	443	192.168.2.5	20.233.83.145
Dec 28, 2024 15:31:29.202961922 CET	443	49727	20.233.83.145	192.168.2.5
Dec 28, 2024 15:31:29.203071117 CET	49727	443	192.168.2.5	20.233.83.145
Dec 28, 2024 15:31:29.214973927 CET	49727	443	192.168.2.5	20.233.83.145
Dec 28, 2024 15:31:29.214988947 CET	443	49727	20.233.83.145	192.168.2.5
Dec 28, 2024 15:31:30.891621113 CET	443	49727	20.233.83.145	192.168.2.5
Dec 28, 2024 15:31:30.891752958 CET	49727	443	192.168.2.5	20.233.83.145
Dec 28, 2024 15:31:31.754070044 CET	49727	443	192.168.2.5	20.233.83.145
Dec 28, 2024 15:31:31.754092932 CET	443	49727	20.233.83.145	192.168.2.5
Dec 28, 2024 15:31:31.754334927 CET	443	49727	20.233.83.145	192.168.2.5
Dec 28, 2024 15:31:31.754390955 CET	49727	443	192.168.2.5	20.233.83.145
Dec 28, 2024 15:31:31.757529974 CET	49727	443	192.168.2.5	20.233.83.145
Dec 28, 2024 15:31:31.799360037 CET	443	49727	20.233.83.145	192.168.2.5
Dec 28, 2024 15:31:33.798732042 CET	443	49727	20.233.83.145	192.168.2.5
Dec 28, 2024 15:31:33.798809052 CET	49727	443	192.168.2.5	20.233.83.145
Dec 28, 2024 15:31:33.798846006 CET	443	49727	20.233.83.145	192.168.2.5
Dec 28, 2024 15:31:33.798906088 CET	443	49727	20.233.83.145	192.168.2.5
Dec 28, 2024 15:31:33.798942089 CET	49727	443	192.168.2.5	20.233.83.145
Dec 28, 2024 15:31:33.798966885 CET	49727	443	192.168.2.5	20.233.83.145
Dec 28, 2024 15:31:33.802251101 CET	49727	443	192.168.2.5	20.233.83.145
Dec 28, 2024 15:31:33.802279949 CET	443	49727	20.233.83.145	192.168.2.5
Dec 28, 2024 15:31:33.952658892 CET	49737	443	192.168.2.5	185.199.109.133
Dec 28, 2024 15:31:33.952713013 CET	443	49737	185.199.109.133	192.168.2.5
Dec 28, 2024 15:31:33.952894926 CET	49737	443	192.168.2.5	185.199.109.133
Dec 28, 2024 15:31:33.953124046 CET	49737	443	192.168.2.5	185.199.109.133
Dec 28, 2024 15:31:33.953135967 CET	443	49737	185.199.109.133	192.168.2.5
Dec 28, 2024 15:31:35.164359093 CET	443	49737	185.199.109.133	192.168.2.5
Dec 28, 2024 15:31:35.164836884 CET	49737	443	192.168.2.5	185.199.109.133
Dec 28, 2024 15:31:35.171308041 CET	49737	443	192.168.2.5	185.199.109.133
Dec 28, 2024 15:31:35.171324968 CET	443	49737	185.199.109.133	192.168.2.5
Dec 28, 2024 15:31:35.171550989 CET	443	49737	185.199.109.133	192.168.2.5
Dec 28, 2024 15:31:35.171653032 CET	49737	443	192.168.2.5	185.199.109.133
Dec 28, 2024 15:31:35.171977043 CET	49737	443	192.168.2.5	185.199.109.133
Dec 28, 2024 15:31:35.219333887 CET	443	49737	185.199.109.133	192.168.2.5
Dec 28, 2024 15:31:35.600301027 CET	443	49737	185.199.109.133	192.168.2.5
Dec 28, 2024 15:31:35.600452900 CET	443	49737	185.199.109.133	192.168.2.5
Dec 28, 2024 15:31:35.600475073 CET	49737	443	192.168.2.5	185.199.109.133
Dec 28, 2024 15:31:35.600527048 CET	49737	443	192.168.2.5	185.199.109.133
Dec 28, 2024 15:31:35.602632999 CET	49737	443	192.168.2.5	185.199.109.133
Dec 28, 2024 15:31:35.602641106 CET	443	49737	185.199.109.133	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 15:31:29.059201002 CET	55848	53	192.168.2.5	1.1.1.1
Dec 28, 2024 15:31:29.196921110 CET	53	55848	1.1.1.1	192.168.2.5
Dec 28, 2024 15:31:33.814920902 CET	62583	53	192.168.2.5	1.1.1.1
Dec 28, 2024 15:31:33.951756001 CET	53	62583	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 28, 2024 15:31:29.059201002 CET	192.168.2.5	1.1.1.1	0xc599	Standard query (0)	github.com	A (IP address)	IN (0x0001)	false
Dec 28, 2024 15:31:33.814920902 CET	192.168.2.5	1.1.1.1	0xc2e1	Standard query (0)	raw.githubusercontent.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 28, 2024 15:31:29.196921110 CET	1.1.1.1	192.168.2.5	0xc599	No error (0)	github.com	20.233.83.145	A (IP address)	IN (0x0001)	false
Dec 28, 2024 15:31:33.951756001 CET	1.1.1.1	192.168.2.5	0xc2e1	No error (0)	raw.githubusercontent.com	185.199.109.133	A (IP address)	IN (0x0001)	false
Dec 28, 2024 15:31:33.951756001 CET	1.1.1.1	192.168.2.5	0xc2e1	No error (0)	raw.githubusercontent.com	185.199.108.133	A (IP address)	IN (0x0001)	false
Dec 28, 2024 15:31:33.951756001 CET	1.1.1.1	192.168.2.5	0xc2e1	No error (0)	raw.githubusercontent.com	185.199.110.133	A (IP address)	IN (0x0001)	false
Dec 28, 2024 15:31:33.951756001 CET	1.1.1.1	192.168.2.5	0xc2e1	No error (0)	raw.githubusercontent.com	185.199.111.133	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

github.com

raw.githubusercontent.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49727	20.233.83.145	443	4296	C:\Program Files\FxSound LLC\FxSound\updater.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 14:31:31 UTC	180	OUT	GET /fxsound2/fxsound-app/raw/latest/release/updates.txt HTTP/1.1 Accept: / User-Agent: AdvancedInstaller Host: github.com Connection: Keep-Alive Cache-Control: no-cache
2024-12-28 14:31:33 UTC	562	IN	HTTP/1.1 302 Found Server: GitHub.com Date: Sat, 28 Dec 2024 14:31:33 GMT Content-Type: text/html; charset=utf-8 Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With Access-Control-Allow-Origin: Location: https://raw.githubusercontent.com/fxsound2/fxsound-app/latest/release/updates.txt Cache-Control: no-cache Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Frame-Options: deny X-Content-Type-Options: nosniff X-XSS-Protection: 0 Referrer-Policy: no-referrer-when-downgrade
2024-12-28 14:31:33 UTC	3380	IN	Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 77 65 62 70 61 63 6b 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49737	185.199.109.133	443	4296	C:\Program Files\FxSound LLC\FxSound\updater.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 14:31:35 UTC	191	OUT	GET /fxsound2/fxsound-app/latest/release/updates.txt HTTP/1.1 Accept: / User-Agent: AdvancedInstaller Connection: Keep-Alive Cache-Control: no-cache Host: raw.githubusercontent.com
2024-12-28 14:31:35 UTC	896	IN	HTTP/1.1 200 OK Connection: close Content-Length: 500 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: text/plain; charset=utf-8 ETag: "36ee5e3ab6937a879a9635497a91ef7280e399de16b828253c275554383db947" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: 5EC4:2EFBF:17CC65:1AC56B:676FEA84 Accept-Ranges: bytes Date: Sat, 28 Dec 2024 14:31:35 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740030-EWR X-Cache: HIT X-Cache-Hits: 0 X-Timer: S1735396295.433893,VS0,VE8 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 5bef91af28718d34f38a7376b3518c9e084fc4fd Expires: Sat, 28 Dec 2024 14:36:35 GMT Source-Age: 0
2024-12-28 14:31:35 UTC	500	IN	Data Raw: 3b 61 69 75 3b 0a 0a 5b 55 70 64 61 74 65 5d 0a 4e 61 6d 65 20 3d 20 46 78 53 6f 75 6e 64 0a 50 72 6f 64 75 63 74 56 65 72 73 69 6f 6e 20 3d 20 31 2e 31 2e 32 37 2e 30 0a 55 52 4c 20 3d 20 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 66 78 73 6f 75 6e 64 32 2f 66 78 73 6f 75 6e 64 2d 61 70 70 2f 72 61 77 2f 6c 61 74 65 73 74 2f 72 65 6c 65 61 73 65 2f 66 78 73 6f 75 6e 64 5f 73 65 74 75 70 2e 65 78 65 0a 55 52 4c 31 20 3d 20 68 74 74 70 73 3a 2f 2f 64 6f 77 6e 6c 6f 61 64 2e 66 78 73 6f 75 6e 64 2e 63 6f 6d 2f 66 78 73 6f 75 6e 64 6c 61 74 65 73 74 0a 53 69 7a 65 20 3d 20 37 32 33 38 38 31 39 32 0a 53 48 41 32 35 36 20 3d 20 37 44 42 43 34 31 31 34 38 38 45 34 45 36 35 33 37 36 39 46 39 38 42 30 31 34 46 32 41 32 34 42 31 38 35 42 32 34 36 35 Data Ascii: ;aiu;[Update]Name = FxSoundProductVersion = 1.1.27.0URL = https://github.com/fxsound2/fxsound-app/raw/latest/release/fxsound_setup.exeURL1 = https://download.fxsound.com/fxsoundlatestSize = 72388192SHA256 = 7DBC411488E4E653769F98B014F2A24B185B2465

Target ID:	0
Start time:	09:30:59
Start date:	28/12/2024
Path:	C:\Users\user\Desktop\fxsound_setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\fxsound_setup.exe"
Imagebase:	0x190000
File size:	72'388'192 bytes
MD5 hash:	D0509AD561D032D6179E95A521B06F10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:31:01
Start date:	28/12/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff7efbc0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	09:31:02
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 0D5C3D4CB3AC9B2FB9AFABC48B06CDE8 C
Imagebase:	0x3c0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:31:02
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\FxSound LLC\FxSound 1.1.27.0\install\fxsound.x64.msi" AI_SETUPEXEPATH=C:\Users\user\Desktop\fxsound_setup.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1735396057 " AI_EUIMSI=""
Imagebase:	0x3c0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:31:03
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 4643268C8F4EAA1123EAEDE165421994
Imagebase:	0x3c0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:31:13
Start date:	28/12/2024
Path:	C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe" remove *DFX12
Imagebase:	0x7ff689760000
File size:	269'720 bytes
MD5 hash:	173973C091A72EBBE73C9578EF5D00B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:31:13
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:31:14
Start date:	28/12/2024
Path:	C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe" check
Imagebase:	0x180000
File size:	66'968 bytes
MD5 hash:	6CC7FD49BEE71A54AA659E30DEA8903D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:31:14
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:31:15
Start date:	28/12/2024
Path:	C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe" install "C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxvad.inf"
Imagebase:	0x7ff689760000
File size:	269'720 bytes
MD5 hash:	173973C091A72EBBE73C9578EF5D00B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	09:31:15
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	09:31:19
Start date:	28/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	09:31:19
Start date:	28/12/2024
Path:	C:\Windows\System32\drvinst.exe
Wow64 process (32bit):	false
Commandline:	DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{eea20620-008f-314f-bc1c-741b5c573f1e}\fxvad.inf" "9" "4143399a7" "0000000000000144" "WinSta0\Default" "000000000000011C" "208" "c:\program files\fxsound llc\fxsound\drivers\win10\x64"
Imagebase:	0x7ff702530000
File size:	337'920 bytes
MD5 hash:	294990C88B9D1FE0A54A1FA8BF4324D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	09:31:22
Start date:	28/12/2024
Path:	C:\Windows\System32\drvinst.exe
Wow64 process (32bit):	false
Commandline:	DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:ed86ca115cc2c934:DFX_Device:14.1.0.0:root\fxvad," "4143399a7" "0000000000000158"
Imagebase:	0x7ff702530000
File size:	337'920 bytes
MD5 hash:	294990C88B9D1FE0A54A1FA8BF4324D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	09:31:25
Start date:	28/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /sc daily /tn FxSound\Update /tr "'C:\Program Files\FxSound LLC\FxSound\updater.exe' /silent" /st 10:00 /f
Imagebase:	0x1f0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	09:31:25
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	09:31:25
Start date:	28/12/2024
Path:	C:\Program Files\FxSound LLC\FxSound\FxSound.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\FxSound LLC\FxSound\\FxSound.exe" @
Imagebase:	0x7ff79a780000
File size:	4'684'696 bytes
MD5 hash:	2EE68BB73020AE85BBFD2CCAC511D97B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	09:31:27
Start date:	28/12/2024
Path:	C:\Program Files\FxSound LLC\FxSound\updater.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\FxSound LLC\FxSound\updater.exe" /silent
Imagebase:	0x7e0000
File size:	1'268'120 bytes
MD5 hash:	A4C5E08AFDB48AF64B0A06AFCE16F6E9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.6%
Total number of Nodes:	1042
Total number of Limit Nodes:	28

Executed Functions

Function 0030AB60 Relevance: 51.6, APIs: 11, Strings: 18, Instructions: 819libraryloaderCOMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?,SystemFolder,0000000C), ref: 0030ADA0
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0030AE8A
GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsFolder,0000000D), ref: 0030AFAF

Part of subcall function 0019B480: GetProcessHeap.KERNEL32 ref: 0019B4D5

GetWindowsDirectoryW.KERNEL32(?,00000104,WindowsVolume,0000000D), ref: 0030B0B6

Part of subcall function 0019A920: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,?,0033A058,\\.\pipe\ToServer,?,00000000,?,?,003EDFC6,000000FF,?,00339551), ref: 0019A943

GetModuleFileNameW.KERNEL32(00000000,?,00000104,WindowsVolume,0000000D), ref: 0030B1F1
SHGetSpecialFolderLocation.SHELL32(00000000,?,WindowsVolume,0000000D), ref: 0030B2D2
LoadLibraryW.KERNEL32(shfolder.dll), ref: 0030B362
GetProcAddress.KERNEL32(?,SHGetFolderPathW), ref: 0030B3A2

Part of subcall function 002FED10: LoadLibraryW.KERNEL32(Shlwapi.dll,-00000001,00000000,?,?,?,?,?,?,?,?,0030B47B,?), ref: 002FED2F
Part of subcall function 002FED10: GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 002FED45
Part of subcall function 002FED10: FreeLibrary.KERNEL32(00000000), ref: 002FED88

GetEnvironmentVariableW.KERNEL32(APPDATA,?,00000104), ref: 0030B5C0
SHGetPathFromIDListW.SHELL32(?,?), ref: 0030B639
SHGetMalloc.SHELL32(00000000), ref: 0030B652

Strings

Shlwapi.dll, xrefs: 0030B471
PROGRAMFILES, xrefs: 0030B59D
SETUPEXEDIR, xrefs: 0030B19E
ProgramFiles, xrefs: 0030B515
System32Folder, xrefs: 0030ADFE, 0030AE13, 0030AE1D
WindowsVolume, xrefs: 0030B02F, 0030B044, 0030B04E
SHGetFolderPathW, xrefs: 0030B39C
APPDATA, xrefs: 0030B5B7, 0030B5BF
shfolder.dll, xrefs: 0030B35D
SystemFolder, xrefs: 0030AD01, 0030AD16, 0030AD20
ProgramFilesFolder, xrefs: 0030B4E1
AppDataFolder, xrefs: 0030B527, 0030B565
WindowsFolder, xrefs: 0030AF23, 0030AF38, 0030AF42
ProgramW6432, xrefs: 0030ABF4
TempFolder, xrefs: 0030B0E2
ProgramFiles64Folder, xrefs: 0030AB98
Shell32.dll, xrefs: 0030B49D
p6Q, xrefs: 0030B1D8, 0030B24C, 0030B256

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: DirectoryLibrary$AddressFolderLoadPathProcWindows$EnvironmentFileFindFreeFromHeapListLocationMallocModuleNameProcessResourceSpecialSystemVariable
String ID: APPDATA$AppDataFolder$PROGRAMFILES$ProgramFiles$ProgramFiles64Folder$ProgramFilesFolder$ProgramW6432$SETUPEXEDIR$SHGetFolderPathW$Shell32.dll$Shlwapi.dll$System32Folder$SystemFolder$TempFolder$WindowsFolder$WindowsVolume$p6Q$shfolder.dll
API String ID: 2967964373-3193755122
Opcode ID: fbd52115dd59c74b68117813907a584a893886a6077ef61c15722268a2eb9fc5
Instruction ID: 512e07135c68ab701f78978db08233237039a23b2563357f81aaa37a7f62c57e
Opcode Fuzzy Hash: fbd52115dd59c74b68117813907a584a893886a6077ef61c15722268a2eb9fc5
Instruction Fuzzy Hash: 7E621430A016198BDF15DF24CC64BBEB376EFA4314F1546A8E8069B3D1DB329E85CB90

Function 0030EC40 Relevance: 39.8, APIs: 15, Strings: 7, Instructions: 1346libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0019B480: GetProcessHeap.KERNEL32 ref: 0019B4D5

LoadLibraryExW.KERNEL32(00000000,00000000,00000001,00437546,00000000,00000000,00437546,00000000,?,?,00437546,000000FF), ref: 0030EDD0

Strings

Full command line:, xrefs: 0030F438
" ====, xrefs: 0030EECE
Advinst_, xrefs: 0030F7C5, 0030F7D7, 0030F7E1
p6Q, xrefs: 0030EF14
====== Starting logging of ", xrefs: 0030EE8A, 0030EE9C, 0030EEA6
Command line to pass to MSI:, xrefs: 0030F4EB
p6Q, xrefs: 0030F28F, 0030F2CA, 0030F2F2

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: HeapLibraryLoadProcess
String ID: ====== Starting logging of "$" ====$Advinst_$Command line to pass to MSI:$Full command line:$p6Q$p6Q
API String ID: 3872204244-2797795154
Opcode ID: f40b7509ba00dd07da9de0c2075670e5db94b1e9e67f90ffd14f13475e60bb6f
Instruction ID: f1eaa09e7936b9018cf3490664d21a5564f57b0a01d5e58d7eb5fb1e679333b2
Opcode Fuzzy Hash: f40b7509ba00dd07da9de0c2075670e5db94b1e9e67f90ffd14f13475e60bb6f
Instruction Fuzzy Hash: 28B2F231A012088FDF16DFA8D8657AEBBB5FF48314F144269E816AB3D2DB349D45CB90

Function 00337E70 Relevance: 30.2, APIs: 14, Strings: 3, Instructions: 493
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00337EEB
GetLastError.KERNEL32 ref: 00337EF5
GetUserNameW.ADVAPI32(?,?), ref: 00337F3D
GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 00337F77
GetEnvironmentVariableW.KERNEL32(UserDomain,?,00000000,-00000001,00000000), ref: 00337FC2
RegDeleteValueW.KERNEL32(?,?,00000000,80000001,00000001,00000000,081DA4CA), ref: 00338178
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000,081DA4CA), ref: 003381A8
RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,081DA4CA,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 003382ED
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000), ref: 0033832F
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000), ref: 00338378
RegDeleteKeyW.ADVAPI32(?,00000000), ref: 0033839E
RegCloseKey.ADVAPI32(?,?,00000000,80000001,00000001,00000000), ref: 003383DA
RegDeleteValueW.KERNEL32(?,?,?,80000001,00000001,00000000,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000031,?,00000000,80000001,00000001,00000000), ref: 003384D2
RegCloseKey.ADVAPI32(?,?,?,?,80000001,00000001,00000000,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000031,?,00000000,80000001,00000001,00000000), ref: 00338514

Strings

UserDomain, xrefs: 00337F72, 00337FBD
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 003383F3
Software, xrefs: 003381C8

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Close$Delete$EnvironmentNameUserValueVariable$ErrorInfoLastQuery
String ID: Software$Software\Microsoft\Windows\CurrentVersion\RunOnce$UserDomain
API String ID: 1615433478-4079418357
Opcode ID: dd6225c5ca4cfe19e3d39a9ce8d8be7b78dc1d71918c74ae83b8807fda9818ee
Instruction ID: 9f3cf23cd2610b0347c99bfbce4e3b66477b1e7fafe73a9b1947703203bf9fe5
Opcode Fuzzy Hash: dd6225c5ca4cfe19e3d39a9ce8d8be7b78dc1d71918c74ae83b8807fda9818ee
Instruction Fuzzy Hash: CF226B70D00248DFDF25DFA4C899BEEBBB4EF14704F204559E505B7281DB746A88CBA1

Function 002EF600 Relevance: 16.6, APIs: 11, Instructions: 119
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 002EF652
OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 002EF65F
GetLastError.KERNEL32 ref: 002EF669
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 002EF68D
GetLastError.KERNEL32 ref: 002EF697
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,?,?,?), ref: 002EF6BD
AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000012,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 002EF6F4
EqualSid.ADVAPI32(00000000,?), ref: 002EF703
FreeSid.ADVAPI32(?), ref: 002EF712
CloseHandle.KERNEL32(00000000), ref: 002EF74C

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Token$ErrorInformationLastProcess$AllocateCloseCurrentEqualFreeHandleInitializeOpen
String ID:
API String ID: 695978879-0
Opcode ID: dc481fc547b7221971ec2465dd2ef5ffb1fb0cd608d3c1895ed6b047f496437e
Instruction ID: 90ba2d95bb113ba1148ded8c372379af32cd0d25544e791b7e9391a8d9c56ea9
Opcode Fuzzy Hash: dc481fc547b7221971ec2465dd2ef5ffb1fb0cd608d3c1895ed6b047f496437e
Instruction Fuzzy Hash: 6F418C71940259EFDF109FA1DD48BEEBBB8FF08714F504025E511B7290D7799908DBA4

Function 002FC2F0 Relevance: 9.4, APIs: 6, Instructions: 357memoryCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(?,?,?,00000100), ref: 002FC3F3
LoadStringW.USER32(?,?,?,00000001), ref: 002FC513
CLSIDFromString.COMBASE(00000000,?), ref: 002FC69A
SysFreeString.OLEAUT32(00000000), ref: 002FC6AE
SysAllocStringLen.OLEAUT32(?,?), ref: 002FC6D5
LocalFree.KERNEL32(00000000,081DA4CA,?,?,00000000,00433F3D,000000FF,?,80070057,081DA4CA), ref: 002FC738

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: String$FreeLoad$AllocFromLocal
String ID:
API String ID: 633247902-0
Opcode ID: 3bc8a7bb4d1b603bc926805189bc60858bf1918169f806964557f2cc27556148
Instruction ID: fbdf2bab8412c6089829b2870210804c23b41cacafd48026ac51348098ddb793
Opcode Fuzzy Hash: 3bc8a7bb4d1b603bc926805189bc60858bf1918169f806964557f2cc27556148
Instruction Fuzzy Hash: EBD18E71D1424D9FDB14CFA8C944BEEFBB5FF48304F24822AE515A7280EB74AA54CB90

Function 001C0AB0 Relevance: 9.3, Strings: 7, Instructions: 569COMMON

Download Yara Rule

Strings

AI_EXIST_INSTANCES, xrefs: 001C0D33
MultipleInstances, xrefs: 001C0B16
`HH, xrefs: 001C1078, 001C1109, 001C110F
PropertyValue, xrefs: 001C1158
MultipleInstancesProps, xrefs: 001C0BE0, 001C104E
TIH, xrefs: 001C0B68
AI_EXIST_NEW_INSTANCES, xrefs: 001C0E99

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID:
String ID: AI_EXIST_INSTANCES$AI_EXIST_NEW_INSTANCES$MultipleInstances$MultipleInstancesProps$PropertyValue$TIH$`HH
API String ID: 0-3133439666
Opcode ID: 53445a37d9a3e63f11d8fb97479de33a258b256e19b8a927b3a02efa75ba2348
Instruction ID: 6f609e40cf4a647863193847cae5f095df71918ea416a1afc1dfc6e2f2361f02
Opcode Fuzzy Hash: 53445a37d9a3e63f11d8fb97479de33a258b256e19b8a927b3a02efa75ba2348
Instruction Fuzzy Hash: 6432E270E00248DFDF09DFA4CC99BEEBBB1AF59304F24415DE105AB291DB74AA84CB91

Function 0032BC10 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 125COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0032BCEA

Strings

\, xrefs: 0032BC64
\, xrefs: 0032BC8E
\, xrefs: 0032BC6C

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: DiskFreeSpace
String ID: \$\$\
API String ID: 1705453755-3791832595
Opcode ID: 6ea3497c700021b0ed42bcab4be078b49ff7aa6473bce12ff1e9399958ce6c2d
Instruction ID: ae59d5b0bbd6ad85234b8d718dfff00810a9350158e3b1757a421a1c5e601df0
Opcode Fuzzy Hash: 6ea3497c700021b0ed42bcab4be078b49ff7aa6473bce12ff1e9399958ce6c2d
Instruction Fuzzy Hash: B841D372E10275CACB319F24A4416ABF3F8FF95354F164A2EE8D897140E73089888386

Function 001D40E0 Relevance: 5.5, Strings: 4, Instructions: 542COMMON

Download Yara Rule

Strings

Intel64, xrefs: 001D4594
x64, xrefs: 001D45E8
Arm64, xrefs: 001D4674
Intel, xrefs: 001D4631

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID:
String ID: Arm64$Intel$Intel64$x64
API String ID: 0-2017237515
Opcode ID: 796d5a8227a4e309f4fa12f6ec817914afe8c6e2239ffb06fb7f0b2851278898
Instruction ID: ca41fb8bc33aa6db7e86344baf236766946ff8024ca86385f3b63eecc6fff6e0
Opcode Fuzzy Hash: 796d5a8227a4e309f4fa12f6ec817914afe8c6e2239ffb06fb7f0b2851278898
Instruction Fuzzy Hash: AC129D71E002199FDB24DFA8C954BBEBBF1FF59304F14825AE456AB380D774A944CBA0

Function 003BF5E9 Relevance: 5.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000008,00000000,00322A61,?,?,?), ref: 003BF5EE
HeapAlloc.KERNEL32(00000000,?,?,?), ref: 003BF5F5
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?), ref: 003BF63B
HeapFree.KERNEL32(00000000,?,?,?), ref: 003BF642

Part of subcall function 003BF487: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,003BF631,?,?,?,?), ref: 003BF4AB
Part of subcall function 003BF487: HeapAlloc.KERNEL32(00000000,?,?,?,?), ref: 003BF4B2

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Heap$Process$Alloc$Free
String ID:
API String ID: 1864747095-0
Opcode ID: bfb965555f94cf814db08d9792938d19c0e9fc07e3ec7c826ae6b768df84b3a2
Instruction ID: 7b52904cae068857d50ad7e3fddc71a74965732dacaaea60c23d3c685222c5d6
Opcode Fuzzy Hash: bfb965555f94cf814db08d9792938d19c0e9fc07e3ec7c826ae6b768df84b3a2
Instruction Fuzzy Hash: 61F0B1735047115BC7322BB87C0CADB3A645FC0B6A7126034FB45CA565DF20C8419764

Function 002F4900 Relevance: 4.6, APIs: 3, Instructions: 92fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000,?,?,00000000), ref: 002F499F
FindClose.KERNEL32(00000000), ref: 002F49FE

Part of subcall function 0019B0F0: RtlAllocateHeap.NTDLL(?,00000000,?,081DA4CA,00000000,003E8920,000000FF,?,?,0050A344,?,?,003394E7,80004005,081DA4CA,?), ref: 0019B13A

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Find$AllocateCloseFileFirstHeap
String ID:
API String ID: 1673784098-0
Opcode ID: 058c83ed1c6af47c3610e256d668e34d1c9c70a4189b8021b72e3741bdf8c4f4
Instruction ID: e11104d1b5fd126c1c70c05b87f5c7a3b1f54ad8ff5a0dfa6493aac81b38d5c5
Opcode Fuzzy Hash: 058c83ed1c6af47c3610e256d668e34d1c9c70a4189b8021b72e3741bdf8c4f4
Instruction Fuzzy Hash: 2231E031A142189BDB24EF04C858B7BF7B4EB84754F208279EA19A7380E7B15D54CF84

Function 00351690 Relevance: 3.1, Strings: 2, Instructions: 604COMMON

Download Yara Rule

Strings

{Binary Data}, xrefs: 003519E2
Name, xrefs: 00351AAD

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID:
String ID: Name${Binary Data}
API String ID: 0-874704490
Opcode ID: a4328008c4f2b42965d5b06e3f4b53ae633c0ce26d5e735da4e034b914fcd652
Instruction ID: 109108e2d4ef129a566798c337e957b30a354eb9c1278047f6323845fa1fb6be
Opcode Fuzzy Hash: a4328008c4f2b42965d5b06e3f4b53ae633c0ce26d5e735da4e034b914fcd652
Instruction Fuzzy Hash: AC424A70D00259DFDB25CF68CC95BEDB7B5AF58304F1086A9E809A7291DB70AA88CF50

Function 003394F0 Relevance: 3.1, APIs: 2, Instructions: 92filepipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeW.KERNEL32(?,00000003,00000006,000000FF,00007F90,00007F90,00001388,00000000,?,00000000,081DA4CA,?,?,00000000), ref: 0033957B
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000,?,00000000,081DA4CA,?,?,00000000), ref: 003395A1

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Create$FileNamedPipe
String ID:
API String ID: 1328467360-0
Opcode ID: 4817e32436fa7296f885fd188e22bdf26e9fe75b509c6801f0268674a2ec0684
Instruction ID: 45e479579a7e950866289abcbd5369cac692fd529a67ba391365a8402ab5b69f
Opcode Fuzzy Hash: 4817e32436fa7296f885fd188e22bdf26e9fe75b509c6801f0268674a2ec0684
Instruction Fuzzy Hash: E4313831A48746AFE722CF24DC41B59FBA5FB05720F10866EF965A73D0CB75A940CB44

Function 001D38E0 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

__set_se_translator.LIBVCRUNTIME ref: 001D38F8
SetUnhandledExceptionFilter.KERNEL32(002F2890), ref: 001D390E

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ExceptionFilterUnhandled__set_se_translator
String ID:
API String ID: 2480343447-0
Opcode ID: 8b4d314e3d5147523ed8001af438e5392978b5c5b4b9217e8447833bd5a5f2bc
Instruction ID: 200a65200be5577733312c3568c26f3f609b257f9b46edcb59101dfe2893bb31
Opcode Fuzzy Hash: 8b4d314e3d5147523ed8001af438e5392978b5c5b4b9217e8447833bd5a5f2bc
Instruction Fuzzy Hash: EAE0D835A10200BFC711D354AC5DF89BF649BE3B55F08806AF641A7162C6B088888772

Function 00355FB0 Relevance: 1.7, Strings: 1, Instructions: 404COMMON

Download Yara Rule

Strings

0e+00, xrefs: 0035621D

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID:
String ID: 0e+00
API String ID: 0-2793203700
Opcode ID: 84939f71317aa97f57254a26c7653db4e3b192b40b5729c5ecc971f7603cb62d
Instruction ID: d6daf76f76ea2397aa18830c3540e792b7077699768b7b08de9609dbba7afe09
Opcode Fuzzy Hash: 84939f71317aa97f57254a26c7653db4e3b192b40b5729c5ecc971f7603cb62d
Instruction Fuzzy Hash: 30D1B072E042058FCB09DF6DD882A6EF7E5BB88350F54423DE819D73A1E7709A488B91

Function 003448B0 Relevance: 1.6, APIs: 1, Instructions: 54comCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(0047FD98,00000000,00000001,004A01AC,000000B0), ref: 00344937

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: a0767fdb352868092482d07afd9dda644ff975311973ccb1c4e9fefd51ffa8b0
Instruction ID: bb79cda25a309fb511ae1a69efb000500f8caf2f01c23df59d5b4b98ee01d625
Opcode Fuzzy Hash: a0767fdb352868092482d07afd9dda644ff975311973ccb1c4e9fefd51ffa8b0
Instruction Fuzzy Hash: 93117CB1604704AFEB24CF49DC44B9AFBF8FB45B24F10426AE8159B7D0C7B96804CB90

Function 00340180 Relevance: 1.4, Strings: 1, Instructions: 179COMMON

Download Yara Rule

Strings

x=H, xrefs: 003401DD

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: CreateHeapInstanceProcess
String ID: x=H
API String ID: 776714826-3075236326
Opcode ID: 7afe8a3877f49e9a6b7988aec92c0c4075f71e1c7d3d08ae0cfb22a2b4e0321c
Instruction ID: 6259d641af95e617fc692cb42322605953af8d94d6324ecc66badbd27ef45cc7
Opcode Fuzzy Hash: 7afe8a3877f49e9a6b7988aec92c0c4075f71e1c7d3d08ae0cfb22a2b4e0321c
Instruction Fuzzy Hash: BC716970A00749AFDB05CF64C49439ABBF0BF05308F14816ED9159B782DBBAA919CFC1

Function 002FA4D0 Relevance: 40.5, APIs: 4, Strings: 19, Instructions: 223
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000002,SYSTEM\CurrentControlSet\Control\ProductOptions,00000000,00020119,00000000), ref: 002FA54A
RegQueryValueExW.KERNEL32(00000000,ProductType,00000000,00000000,?,?), ref: 002FA57F
RegQueryValueExW.KERNEL32(00000000,ProductSuite,00000000,00000000,?,?), ref: 002FA5FE
RegCloseKey.KERNEL32(00000000), ref: 002FA7DE

Strings

Personal, xrefs: 002FA709
Small Business(Restricted), xrefs: 002FA6BD
Terminal Server, xrefs: 002FA6A4
CommunicationServer, xrefs: 002FA68B
DataCenter, xrefs: 002FA6EF
Small Business, xrefs: 002FA640
Storage Server, xrefs: 002FA765
Blade, xrefs: 002FA720
Enterprise, xrefs: 002FA659
ServerNT, xrefs: 002FA5AC
Embedded(Restricted), xrefs: 002FA737
EmbeddedNT, xrefs: 002FA6D6
ProductSuite, xrefs: 002FA5F3
WinNT, xrefs: 002FA589
SYSTEM\CurrentControlSet\Control\ProductOptions, xrefs: 002FA540
BackOffice, xrefs: 002FA672
Security Appliance, xrefs: 002FA74E
Compute Server, xrefs: 002FA77C
ProductType, xrefs: 002FA574

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: BackOffice$Blade$CommunicationServer$Compute Server$DataCenter$Embedded(Restricted)$EmbeddedNT$Enterprise$Personal$ProductSuite$ProductType$SYSTEM\CurrentControlSet\Control\ProductOptions$Security Appliance$ServerNT$Small Business$Small Business(Restricted)$Storage Server$Terminal Server$WinNT
API String ID: 1586453840-3149529848
Opcode ID: 6258e20c4970b0b6d095a08213c59b3e6fe1c06ba4c95865476b273c4981a9ea
Instruction ID: 08d9c5578eea79aa9e0123133645e129fc5d58d3c3b515fb691e728c8aee8631
Opcode Fuzzy Hash: 6258e20c4970b0b6d095a08213c59b3e6fe1c06ba4c95865476b273c4981a9ea
Instruction Fuzzy Hash: 2F71E47472030D9ADF20AF209D54BBEF775EB84780F104176DB0A9B681EB38CD559B86

Function 002FA120 Relevance: 35.2, APIs: 11, Strings: 9, Instructions: 227
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,00020119,00000000), ref: 002FA198
RegQueryValueExW.KERNEL32(00000000,CurrentMajorVersionNumber,00000000,00000000,?,?), ref: 002FA1D9
RegQueryValueExW.KERNEL32(00000000,CurrentMinorVersionNumber,00000000,00000000,?,00000004), ref: 002FA1FC
RegQueryValueExW.ADVAPI32(00000000,CurrentVersion,00000000,00000000,?,?), ref: 002FA22F
RegQueryValueExW.KERNEL32(00000000,CurrentBuildNumber,00000000,00000000,?,?), ref: 002FA2A8
RegQueryValueExW.KERNEL32(00000000,ReleaseId,00000000,00000000,?,?), ref: 002FA31F
RegQueryValueExW.KERNEL32(00000000,CSDVersion,00000000,00000000,?,?), ref: 002FA375
GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 002FA413
GetProcAddress.KERNEL32(00000000), ref: 002FA41A
GetCurrentProcess.KERNEL32(?), ref: 002FA451
RegCloseKey.ADVAPI32(00000000), ref: 002FA49A

Strings

CurrentMajorVersionNumber, xrefs: 002FA1CE
ReleaseId, xrefs: 002FA314
CurrentBuildNumber, xrefs: 002FA29D
CurrentVersion, xrefs: 002FA224
CurrentMinorVersionNumber, xrefs: 002FA1F1
Software\Microsoft\Windows NT\CurrentVersion, xrefs: 002FA18E
kernel32, xrefs: 002FA40E
IsWow64Process, xrefs: 002FA409
CSDVersion, xrefs: 002FA36A

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: QueryValue$AddressCloseCurrentHandleModuleOpenProcProcess
String ID: CSDVersion$CurrentBuildNumber$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$IsWow64Process$ReleaseId$Software\Microsoft\Windows NT\CurrentVersion$kernel32
API String ID: 3667490055-3583743485
Opcode ID: bcf82602695a284f3a13b6bd3cf77aa7a5398b13d1ac16bbcc6cc9650bc240d0
Instruction ID: af9269e2d9d58fdafe641ce01fdcdb418ba3cc10ca7d50784177b9079c8b47a5
Opcode Fuzzy Hash: bcf82602695a284f3a13b6bd3cf77aa7a5398b13d1ac16bbcc6cc9650bc240d0
Instruction Fuzzy Hash: BFA1BEB09012189FEF20CF20DC49BE9B7B5FB54711F0042E6E909A7290E7769AA8DF55

Function 00311F70 Relevance: 28.4, APIs: 3, Strings: 13, Instructions: 378
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0019B480: GetProcessHeap.KERNEL32 ref: 0019B4D5

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000010), ref: 00312056
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 0031208A

Part of subcall function 0019A920: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,?,0033A058,\\.\pipe\ToServer,?,00000000,?,?,003EDFC6,000000FF,?,00339551), ref: 0019A943

Strings

A valid language was received from commnad line. This is:, xrefs: 00312D1D
%hu, xrefs: 00312D57
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 00312EF4
AI_BOOTSTRAPPERLANGS, xrefs: 00313A8F, 00313AA1, 00313AAB
Code returned to Windows by setup:, xrefs: 00312B17
Language of a related product is:, xrefs: 00312F70
y>, xrefs: 00312EC7, 00312F25
Software\Caphyon\Advanced Installer\, xrefs: 00312EE0
|:H, xrefs: 0031328D
Language selected programatically for UI:, xrefs: 00313047
Languages of setup:, xrefs: 00313D6A
Advinst_Extract_, xrefs: 00311FED, 00312002, 0031200C
Language used for UI:, xrefs: 003130DE

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ByteCharMultiWide$FindHeapProcessResource
String ID: y>$%hu$A valid language was received from commnad line. This is:$AI_BOOTSTRAPPERLANGS$Advinst_Extract_$Code returned to Windows by setup:$Language of a related product is:$Language selected programatically for UI:$Language used for UI:$Languages of setup:$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$Software\Caphyon\Advanced Installer\$|:H
API String ID: 2083075878-2676660388
Opcode ID: fa1e255e719fa6ff23883bb928c875758615a185e33717481ffb549c512326a0
Instruction ID: 764e2bb521306da41ae828074c067250bb63a406580ed8970f43d2f8febb3559
Opcode Fuzzy Hash: fa1e255e719fa6ff23883bb928c875758615a185e33717481ffb549c512326a0
Instruction Fuzzy Hash: 3BE10431A012589FCB15DB28CC44BEEBBB5EF48324F154299E819AB3D2DB309E51CF91

Function 00311BB0 Relevance: 23.9, APIs: 10, Strings: 3, Instructions: 1176threadCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00311DC4
SetLastError.KERNEL32(0000000E), ref: 00311DE1
GetCurrentThreadId.KERNEL32 ref: 00311DF9
EnterCriticalSection.KERNEL32(005196CC), ref: 00311E16
LeaveCriticalSection.KERNEL32(005196CC), ref: 00311E39
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000010), ref: 00312056
SetEvent.KERNEL32(?,?,00000000,?,00000001,?,?), ref: 003122E3

Part of subcall function 00339600: CloseHandle.KERNEL32(?,081DA4CA,?,00000010,?,00000000,0043F203,000000FF,?,00316572,00000000,00000000,00000000,00000001,?,0000000D), ref: 0033963A

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 0031208A

Part of subcall function 0019A920: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,?,0033A058,\\.\pipe\ToServer,?,00000000,?,?,003EDFC6,000000FF,?,00339551), ref: 0019A943

Part of subcall function 002DB6A0: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,00000000,00000000,00000000,?,00514380,002EED48,?), ref: 002DB6B8
Part of subcall function 002DB6A0: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,?,-00000001), ref: 002DB6EA

DialogBoxParamW.USER32(000007D0,00000000,002295C0,00000000), ref: 00311E56

Part of subcall function 0019B0F0: RtlAllocateHeap.NTDLL(?,00000000,?,081DA4CA,00000000,003E8920,000000FF,?,?,0050A344,?,?,003394E7,80004005,081DA4CA,?), ref: 0019B13A

Part of subcall function 0019B480: GetProcessHeap.KERNEL32 ref: 0019B4D5

Strings

Advinst_Extract_, xrefs: 00311FED, 00312002, 0031200C
Code returned to Windows by setup:, xrefs: 00312B17
FILES.7z, xrefs: 003125DF

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ByteCharMultiWide$CriticalHeapSection$ActiveAllocateCloseCurrentDialogEnterErrorEventFindHandleLastLeaveParamProcessResourceThreadWindow
String ID: Advinst_Extract_$Code returned to Windows by setup:$FILES.7z
API String ID: 1122345507-2771609608
Opcode ID: c1fff198f0e51fe73b845c34b279cc2899494df01e3529e6692132a21b4e0d97
Instruction ID: aea5d37132ebec952b6a0375192becbd9b0a20db42c9aeb8f08db1aca9c77f69
Opcode Fuzzy Hash: c1fff198f0e51fe73b845c34b279cc2899494df01e3529e6692132a21b4e0d97
Instruction Fuzzy Hash: 0BA2CE31A01248DFDB16DB68CC54BEEBBB5BF48314F144199E415AB3A2DB34AE85CF90

Function 00338EF0 Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 375
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0019B480: GetProcessHeap.KERNEL32 ref: 0019B4D5

SetWindowTextW.USER32(00000000,?), ref: 00339162
GetDlgItem.USER32(00000000,000007D1), ref: 00339179
SendMessageW.USER32(00000000,000000D2,00000000,00000000), ref: 0033918B
GetDlgItem.USER32(00000000,000007D1), ref: 003391D4
GetDlgItem.USER32(00000000,0000042D), ref: 003391E4
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 003391F4
SendMessageW.USER32(00000000,000000CC,?,00000000), ref: 00339210
EndDialog.USER32(00000000,00000002), ref: 0033923D
GetDlgItem.USER32(00000000,000007D1), ref: 0033926F
EndDialog.USER32(00000000,00000001), ref: 003392FC

Strings

PackageCode, xrefs: 0033901A
Ex>, xrefs: 00339022

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Item$MessageSend$Dialog$HeapProcessTextWindow
String ID: Ex>$PackageCode
API String ID: 374704001-541333928
Opcode ID: 9a713aea0653fa8f7bea8a2f81a342b36e154896c53bf4e1f66905d463a94720
Instruction ID: 26df4cf11f428114b8b1e2b4a9c32336e8b307db6ed8df4ce3d4f1f8fe400f9b
Opcode Fuzzy Hash: 9a713aea0653fa8f7bea8a2f81a342b36e154896c53bf4e1f66905d463a94720
Instruction Fuzzy Hash: 88C1F171A00606EFDB059F68DC89BAEB7B5FF54310F11452AF915AB2E0DBB5AC00CB90

Function 001A3870 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 263
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(Kernel32.dll,GetTempPath2W,?), ref: 001A3967
GetProcAddress.KERNEL32(00000000), ref: 001A396E
GetWindowsDirectoryW.KERNEL32(?,00000104,081DA4CA,?,?), ref: 001A39B4
PathFileExistsW.SHLWAPI(?), ref: 001A39DC
CreateDirectoryW.KERNEL32(?,?,S-1-5-32-544,10000000,00000001,S-1-5-18,10000000,00000001), ref: 001A3A67

Part of subcall function 003BFF15: AcquireSRWLockExclusive.KERNEL32(00512A40,?,?,?,0019B526,00513654,081DA4CA,?,?,003E8E9D,000000FF,?,0033947D,081DA4CA,?), ref: 003BFF20
Part of subcall function 003BFF15: ReleaseSRWLockExclusive.KERNEL32(00512A40,?,?,0019B526,00513654,081DA4CA,?,?,003E8E9D,000000FF,?,0033947D,081DA4CA,?), ref: 003BFF5A

GetTempPathW.KERNEL32(00000104,?,081DA4CA,?,?), ref: 001A3A8A

Part of subcall function 003BFEC4: AcquireSRWLockExclusive.KERNEL32(00512A40,?,?,0019B597,00513654,00451520), ref: 003BFECE
Part of subcall function 003BFEC4: ReleaseSRWLockExclusive.KERNEL32(00512A40,?,?,0019B597,00513654,00451520), ref: 003BFF01
Part of subcall function 003BFEC4: WakeAllConditionVariable.KERNEL32(00512A3C,?,?,0019B597,00513654,00451520), ref: 003BFF0C

Strings

Kernel32.dll, xrefs: 001A3962
GetTempPath2W, xrefs: 001A395D
\SystemTemp\, xrefs: 001A39BA
S-1-5-32-544, xrefs: 001A3A1A
S-1-5-18, xrefs: 001A3A09

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ExclusiveLock$AcquireDirectoryPathRelease$AddressConditionCreateExistsFileHandleModuleProcTempVariableWakeWindows
String ID: GetTempPath2W$Kernel32.dll$S-1-5-18$S-1-5-32-544$\SystemTemp\
API String ID: 3143601600-595641723
Opcode ID: c050a0ef7e52fd2547203c1e9f77d11f36c0cc8c16cde993682f7046a97f48bc
Instruction ID: b67986d559d0704664b6d2e421b5ffd0cdeee09ff4a8ec936e812c0aaca1b6ea
Opcode Fuzzy Hash: c050a0ef7e52fd2547203c1e9f77d11f36c0cc8c16cde993682f7046a97f48bc
Instruction Fuzzy Hash: C4A1F2B1D00218AFDB20EFA4DD49BDDB7B4EB44314F1042A9E919A7281DB745F48CF91

Function 003229F0 Relevance: 18.2, APIs: 12, Instructions: 190
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetActiveWindow.USER32 ref: 00322A2D
SetLastError.KERNEL32(0000000E,?,?,?), ref: 00322A6A
GetCurrentThreadId.KERNEL32 ref: 00322AF5
SetWindowTextW.USER32(?,00000000), ref: 00322B84
GetDlgItem.USER32(?,000003E9), ref: 00322B92
SetWindowTextW.USER32(00000000,?), ref: 00322B9E

Part of subcall function 00318DF0: GetDlgItem.USER32(?,00000002), ref: 00318E0D
Part of subcall function 00318DF0: GetWindowRect.USER32(00000000,?), ref: 00318E23
Part of subcall function 00318DF0: ShowWindow.USER32(00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00322A4D), ref: 00318E38
Part of subcall function 00318DF0: InvalidateRect.USER32(00000000,00000000,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,00322A4D), ref: 00318E43
Part of subcall function 00318DF0: GetDlgItem.USER32(?,000003E9), ref: 00318E51
Part of subcall function 00318DF0: GetWindowRect.USER32(00000000,?), ref: 00318E67
Part of subcall function 00318DF0: SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,00000000), ref: 00318EA6

GetDlgItem.USER32(?,00000002), ref: 00322C2E
SetWindowTextW.USER32(00000000,00000000), ref: 00322C36

Part of subcall function 001AC140: RaiseException.KERNEL32(C0000005,C0000005,00000000,00000000,00322C4A,C0000005,00000001,?,00000000,00000000,?,?,?), ref: 001AC14C

Part of subcall function 0019B0F0: RtlAllocateHeap.NTDLL(?,00000000,?,081DA4CA,00000000,003E8920,000000FF,?,?,0050A344,?,?,003394E7,80004005,081DA4CA,?), ref: 0019B13A

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Window$Item$RectText$ActiveAllocateCurrentErrorExceptionHeapInvalidateLastRaiseShowThread
String ID:
API String ID: 1085195845-0
Opcode ID: 0786ba8c154a90fe544c35d3b055d8b237b57e3b76e8ee162999719281196c42
Instruction ID: b31d1aae774365459defb61ee383dd198cd3a7150870e06772f70f44e0a1a0ff
Opcode Fuzzy Hash: 0786ba8c154a90fe544c35d3b055d8b237b57e3b76e8ee162999719281196c42
Instruction Fuzzy Hash: 3F71AC70900615EFDB12DF68EC48B9EBBB4FF18714F148629E525A72E1CB74A944CF90

Function 003BF37B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DecodePointer.KERNEL32(?,?,?,003BF6C1,005129FC,?,?,?,0033942D,?,?,?,00000001,?), ref: 003BF38D
LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,003BF6C1,005129FC,?,?,?,0033942D,?,?,?,00000001), ref: 003BF3A2
DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 003BF41E

Strings

AtlThunk_DataToCode, xrefs: 003BF3E1
atlthunk.dll, xrefs: 003BF39D
AtlThunk_AllocateData, xrefs: 003BF3B3
AtlThunk_InitData, xrefs: 003BF3CA
AtlThunk_FreeData, xrefs: 003BF3F8

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: DecodePointer$LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1423960858-1745123996
Opcode ID: 8da66afb862deca0d35265a3c11f5857446c2e508c23d03fd20d3feb1aee3f13
Instruction ID: bd195c230d56dd73a82af8415188de5e8b579197db7a893d0c82e139061e4f62
Opcode Fuzzy Hash: 8da66afb862deca0d35265a3c11f5857446c2e508c23d03fd20d3feb1aee3f13
Instruction Fuzzy Hash: F6012631E543107FCB12AB259C06BDF3F44AF0174CF149070FE056A6D3DB99C6A8928A

Function 00316D60 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 304
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetExitCodeThread.KERNEL32(?,?,081DA4CA,00000000,00000000,?,?,?,00000000,00438D05,000000FF,?,0030FB92,?,000000DC,00000000), ref: 00316DA6

Part of subcall function 0019B480: GetProcessHeap.KERNEL32 ref: 0019B4D5

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00316E5B
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00316E85

Part of subcall function 0019A920: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,?,0033A058,\\.\pipe\ToServer,?,00000000,?,?,003EDFC6,000000FF,?,00339551), ref: 0019A943

Part of subcall function 002DB6A0: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,00000000,00000000,00000000,?,00514380,002EED48,?), ref: 002DB6B8
Part of subcall function 002DB6A0: MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,?,-00000001), ref: 002DB6EA

WriteFile.KERNEL32(?,000000DC,?,000000FF,00000000,CLOSE,00000005), ref: 0031700A
FlushFileBuffers.KERNEL32(?), ref: 00317013

Part of subcall function 00339600: CloseHandle.KERNEL32(?,081DA4CA,?,00000010,?,00000000,0043F203,000000FF,?,00316572,00000000,00000000,00000000,00000001,?,0000000D), ref: 0033963A

Strings

CLOSE, xrefs: 00316FCD, 00316FDF, 00316FE9
Advinst_Estimate_, xrefs: 00316DF2, 00316E04, 00316E0E

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ByteCharMultiWide$File$BuffersCloseCodeExitFindFlushHandleHeapProcessResourceThreadWrite
String ID: Advinst_Estimate_$CLOSE
API String ID: 1271795120-755230127
Opcode ID: a02d783d323dc930dc35ac920a3ff5d0394153f118b8b0348fbc68a772a0d5d9
Instruction ID: 561f6c3956102163102529776788075c899c541c3ea1583a974dcda0e3746983
Opcode Fuzzy Hash: a02d783d323dc930dc35ac920a3ff5d0394153f118b8b0348fbc68a772a0d5d9
Instruction Fuzzy Hash: BAB1E331A003089BDF05DBA8DC95BAEBBB4EF48324F194168F815AB3D2DB349D45CB91

Function 002FE8C0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 291
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,081DA4CA,00000000,00000000,?), ref: 002FE91B
GetTempFileNameW.KERNEL32(?,shim_clone,00000000,?,?,00000000,00000000), ref: 002FEABD
Wow64DisableWow64FsRedirection.KERNEL32(00000000,?,?,00000000,00000000), ref: 002FEB5F
CopyFileW.KERNEL32(?,?,00000000,?,?,00000000,00000000), ref: 002FEB87
Wow64RevertWow64FsRedirection.KERNEL32(00000000,?,?,00000000), ref: 002FEBB3

Part of subcall function 0019B0F0: RtlAllocateHeap.NTDLL(?,00000000,?,081DA4CA,00000000,003E8920,000000FF,?,?,0050A344,?,?,003394E7,80004005,081DA4CA,?), ref: 0019B13A

DeleteFileW.KERNEL32(?,081DA4CA,?,00000000,003E8970,000000FF,?,80070057,80004005,?), ref: 002FEC6D

Strings

shim_clone, xrefs: 002FEAB7

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Wow64$File$Redirection$AllocateCopyDeleteDisableFolderHeapNamePathRevertTemp
String ID: shim_clone
API String ID: 4011074531-3944563459
Opcode ID: d52329720e768ac2fe7875d3f058b6b10462e95775a25c0325da89c9121e7a9f
Instruction ID: 3ab538f5cc10084415797fe579be7c2adaf69473ca539dcc09aa9c673e31faa1
Opcode Fuzzy Hash: d52329720e768ac2fe7875d3f058b6b10462e95775a25c0325da89c9121e7a9f
Instruction Fuzzy Hash: E1B1F070A106598FDF26DF24CC45BBAB7B5EF44304F1540B9EA06A72A2EB70AE44CB54

Function 00320AB0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 248
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,?,?), ref: 00320CAE
SetFilePointer.KERNEL32(?,7FFFFFFF,00000000,00000000,?), ref: 00320D10
SetEndOfFile.KERNEL32(?), ref: 00320D19
CloseHandle.KERNEL32(?), ref: 00320D32

Strings

Not enough disk space to extract file:, xrefs: 00320B8B
%sholder%d.aiph, xrefs: 00320C8A

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: File$CloseCreateHandlePointer
String ID: %sholder%d.aiph$Not enough disk space to extract file:
API String ID: 22866420-929304071
Opcode ID: 5bda9234a6ac380ffee2239b48416722bf6a8cc0e8a3493b38fb2af580f1e25c
Instruction ID: dc4126060cd542e0c0c05a258439b0530d91f8fbc4b7f36152848c4f4d0d8fbe
Opcode Fuzzy Hash: 5bda9234a6ac380ffee2239b48416722bf6a8cc0e8a3493b38fb2af580f1e25c
Instruction Fuzzy Hash: 5F91F575A002199FCF15DF68DC44BAEBBB5FF48324F254619E821AB391DB31AD05CB90

Function 002F10B0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 241
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,00000000,081DA4CA), ref: 002F12F4
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 002F1304
RegCloseKey.ADVAPI32(00000000), ref: 002F1357

Strings

RegOpenKeyTransactedW, xrefs: 002F12FE
Advapi32.dll, xrefs: 002F12EF

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 4190037839-3913318428
Opcode ID: ac93deb5d51f4d23a1d877a32ec7232fdc374f522703c6d5a42b20950bc26140
Instruction ID: 7c90624f8bbd14fb1ec8e5e1d1ceb38879ae4f014776c0dac3a4a610ac857373
Opcode Fuzzy Hash: ac93deb5d51f4d23a1d877a32ec7232fdc374f522703c6d5a42b20950bc26140
Instruction Fuzzy Hash: 74A169B0D10309DFDB14CFA8C958BAEFBF4BF55304F204269E919AB291D774AA14CB90

Function 0033DA40 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNEL32(000000FF,-00000400,?,00000002,00000400,081DA4CA,?,?,?), ref: 0033DAE6
GetLastError.KERNEL32(?,?,?), ref: 0033DAF4
ReadFile.KERNEL32(000000FF,00000000,00000400,?,00000000,?,?,?), ref: 0033DB0F

Strings

ADVINSTSFX, xrefs: 0033DB43, 0033DBFE

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: File$ErrorLastPointerRead
String ID: ADVINSTSFX
API String ID: 64821003-4038163286
Opcode ID: b77379e635179d8f0e79dd1c3092b5a53f4e7c60ef64765e41a79bb230309947
Instruction ID: 3c2f94f27574898fa3eca7befb340b0210b1124abee1021fa571e274b7c804df
Opcode Fuzzy Hash: b77379e635179d8f0e79dd1c3092b5a53f4e7c60ef64765e41a79bb230309947
Instruction Fuzzy Hash: F161E171A002099BCB16CF68E9C4BBEFBB5FF45324F254269E502AB381D7349D45CBA4

Function 001ABF51 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 001ABFFF
GetWindowLongW.USER32(?,000000FC), ref: 001AC00E
CallWindowProcW.USER32(?,?,00000082,?,?), ref: 001AC029
GetWindowLongW.USER32(?,000000FC), ref: 001AC043
SetWindowLongW.USER32(?,000000FC,?), ref: 001AC055

Strings

$, xrefs: 001ABF81

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Window$Long$CallProc
String ID: $
API String ID: 513923721-3993045852
Opcode ID: 0aab276ff3de2f872739d5ec5f9c933791dac4c04b22cc5696b811a8d2aa2217
Instruction ID: c38e1b5f497befd301ec9a0064a0486fe330537e576531d99b038dd6d209ffe2
Opcode Fuzzy Hash: 0aab276ff3de2f872739d5ec5f9c933791dac4c04b22cc5696b811a8d2aa2217
Instruction Fuzzy Hash: 5A4137B5204706AFC700CF19D984A5AFBF5FB89320F108A19F9A4836A0C772E954CFD1

Function 002DD600 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 99registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,081DA4CA,00000000), ref: 002DD645
GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 002DD66E
RegCreateKeyExW.KERNEL32(?,002F13DF,00000000,00000000,00000000,00000000,00000000,00000000,?,081DA4CA,00000000), ref: 002DD6C7
RegCloseKey.ADVAPI32(00000000), ref: 002DD6DA

Strings

Advapi32.dll, xrefs: 002DD640
RegCreateKeyTransactedW, xrefs: 002DD668

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: AddressCloseCreateHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedW
API String ID: 1765684683-2994018265
Opcode ID: a7fbe89e6f21832367dc5567eeebf0e8dddc5a8af5467636ee5d53b9c670e7c5
Instruction ID: 2cec1fdbbbb54dc69cde39fd9b62d2d86b942e3d788e9431172398ff2bbcd1a1
Opcode Fuzzy Hash: a7fbe89e6f21832367dc5567eeebf0e8dddc5a8af5467636ee5d53b9c670e7c5
Instruction Fuzzy Hash: C6317071A44605AFDB108F59EC45FAABBB8FB48B10F20412AF919E63D0D775EC14CAD4

Function 002F7D30 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ComCtl32.dll,081DA4CA,?), ref: 002F7D6A
GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 002F7D90
FreeLibrary.KERNEL32(00000000), ref: 002F7E19

Strings

ComCtl32.dll, xrefs: 002F7D5E
LoadIconMetric, xrefs: 002F7D8A
d;I, xrefs: 002F7E0D

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: ComCtl32.dll$LoadIconMetric$d;I
API String ID: 145871493-2524327503
Opcode ID: f5b8317ed7f112c9c269f2843743c1b98b485b97d3b1803a7549e005687e094c
Instruction ID: fa83360228cbad64dc881d1138e0aeea0712df72f3eddea473c6826914e11e0c
Opcode Fuzzy Hash: f5b8317ed7f112c9c269f2843743c1b98b485b97d3b1803a7549e005687e094c
Instruction Fuzzy Hash: 3431AE71A00219ABCF118F94DC08BBFBBB8FF44755F10422AE915A3290D7799D048BA4

Function 00318DF0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000002), ref: 00318E0D
GetWindowRect.USER32(00000000,?), ref: 00318E23
ShowWindow.USER32(00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00322A4D), ref: 00318E38
InvalidateRect.USER32(00000000,00000000,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,00322A4D), ref: 00318E43
GetDlgItem.USER32(?,000003E9), ref: 00318E51
GetWindowRect.USER32(00000000,?), ref: 00318E67
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000206,?,00000000), ref: 00318EA6

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Window$Rect$Item$InvalidateShow
String ID:
API String ID: 2147159307-0
Opcode ID: 513b4a3f4b24fab8abf1d380a7b04aecf286495f29bc03886b359b00bd4f3a4e
Instruction ID: d35c65699bacc93cac333bc21d0967577d6c4eed281cd0fc319d0d2c02d7950e
Opcode Fuzzy Hash: 513b4a3f4b24fab8abf1d380a7b04aecf286495f29bc03886b359b00bd4f3a4e
Instruction Fuzzy Hash: 9D216D71614601AFD310DF34DD49AAABBE8EF9D700F008629F955D2690E770AD548BA2

Function 0031D620 Relevance: 9.4, APIs: 6, Instructions: 447fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000,081DA4CA,00000000), ref: 0031D687
GetLastError.KERNEL32 ref: 0031D9BA
GetLastError.KERNEL32 ref: 0031DA4A
GetLastError.KERNEL32 ref: 0031D696

Part of subcall function 002F7B80: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,081DA4CA,?,00000000), ref: 002F7BCB
Part of subcall function 002F7B80: GetLastError.KERNEL32(?,00000000), ref: 002F7BD5

ReadFile.KERNEL32(?,00000000,00000018,?,00000000), ref: 0031D7A9
ReadFile.KERNEL32(?,?,00000000,00000000,00000000,00000001), ref: 0031D800

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ErrorLast$File$Read$FormatMessagePointer
String ID:
API String ID: 3903527278-0
Opcode ID: d70c75d874bf94743912cd271c88fc8639ca5096c56e804f3ad2a1ae552ae9f3
Instruction ID: fede5c9a6694b82ceb014ee56c2f0a84e7d0d3778959f37a967d1358f2300b3f
Opcode Fuzzy Hash: d70c75d874bf94743912cd271c88fc8639ca5096c56e804f3ad2a1ae552ae9f3
Instruction Fuzzy Hash: EC02AF71E006099FDB05DFA8C844BEEBBB5FF49324F244269E815EB391DB74A941CB90

Function 00310E10 Relevance: 9.4, APIs: 3, Strings: 2, Instructions: 615COMMON

Download Yara Rule

Strings

/i , xrefs: 00311427
\\?\, xrefs: 0031135A

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: FindResource
String ID: /i $\\?\
API String ID: 1635176832-3071488798
Opcode ID: 555a04a96365500d9f8deed5e0ad85332cced596f90862715106886b46990650
Instruction ID: 46703b397a881ca4d4e9af44f1e7dbe969081afaa615088bb8000fa4286058ca
Opcode Fuzzy Hash: 555a04a96365500d9f8deed5e0ad85332cced596f90862715106886b46990650
Instruction Fuzzy Hash: B832BF30A00609DFDB09DFA8C854BEDB7B5FF48314F154259E926AB291DB74AD86CF80

Function 0031DB70 Relevance: 9.4, APIs: 6, Instructions: 364fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000,081DA4CA,0031B15A,?,00000007), ref: 0031DBC7
GetLastError.KERNEL32(?,00000007), ref: 0031DE85
GetLastError.KERNEL32(?,00000007), ref: 0031DF46
GetLastError.KERNEL32(?,00000007,?,?,?,?,?,?,?,?,00000000,00439FD2,000000FF,?,0031C8BA), ref: 0031DBD6

Part of subcall function 002F7B80: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,081DA4CA,?,00000000), ref: 002F7BCB
Part of subcall function 002F7B80: GetLastError.KERNEL32(?,00000000), ref: 002F7BD5

ReadFile.KERNEL32(?,00000000,00000008,?,00000000,?,00000007), ref: 0031DC9A
ReadFile.KERNEL32(?,80070057,00000000,00000000,00000000,00000001,?,00000007), ref: 0031DD29

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ErrorLast$File$Read$FormatMessagePointer
String ID:
API String ID: 3903527278-0
Opcode ID: 52970e896ddcf8474a78ea8b86d84cebd66130e7e06d7c3439ba892038dd215e
Instruction ID: 49f00b9861b76021e0d81b681c57ae52f51c4f138ee6c3dae3f4a3c65b7ca2bb
Opcode Fuzzy Hash: 52970e896ddcf8474a78ea8b86d84cebd66130e7e06d7c3439ba892038dd215e
Instruction Fuzzy Hash: AAE1CE70A00209DFDB05DF68D894BEEB7B5FF49314F144168E811AB392DB74AE46CB90

Function 00322C60 Relevance: 9.1, APIs: 6, Instructions: 69threadsynchronizationCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,0033FED0,004A006C,00000000,?), ref: 00322CDD
GetLastError.KERNEL32 ref: 00322CEA
WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 00322D13
GetExitCodeThread.KERNEL32(00000000,?), ref: 00322D2D
TerminateThread.KERNEL32(00000000,00000000), ref: 00322D45
CloseHandle.KERNEL32(00000000), ref: 00322D4E

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Thread$CloseCodeCreateErrorExitHandleLastObjectSingleTerminateWait
String ID:
API String ID: 1566822279-0
Opcode ID: 4095875a540c916b67bcf797a5e68061c9ed3116c23a4baabe09a71456f72193
Instruction ID: 143121cc5fdb6f0bcef5669f1dc14c20165daae44b138425ef10baf7cc08a29c
Opcode Fuzzy Hash: 4095875a540c916b67bcf797a5e68061c9ed3116c23a4baabe09a71456f72193
Instruction Fuzzy Hash: 7C31F971900219EFDB10CF94DD49BEEBBF4FB08725F200269E920B62E0D7759A44CB68

Function 003104C0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 283COMMON

Download Yara Rule

APIs

Part of subcall function 00337E70: GetUserNameW.ADVAPI32(?,?), ref: 00337EEB
Part of subcall function 00337E70: GetLastError.KERNEL32 ref: 00337EF5
Part of subcall function 00337E70: GetUserNameW.ADVAPI32(?,?), ref: 00337F3D
Part of subcall function 00337E70: GetEnvironmentVariableW.KERNEL32(UserDomain,00000000,00000000), ref: 00337F77
Part of subcall function 00337E70: GetEnvironmentVariableW.KERNEL32(UserDomain,?,00000000,-00000001,00000000), ref: 00337FC2

GetCurrentProcess.KERNEL32(00000008,?,?,?,?), ref: 003107D5
OpenProcessToken.ADVAPI32(00000000), ref: 003107DC
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?), ref: 0031080B
CloseHandle.KERNEL32(00000000), ref: 00310820

Strings

\/:*?"<>|, xrefs: 003105A1

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: EnvironmentNameProcessTokenUserVariable$CloseCurrentErrorHandleInformationLastOpen
String ID: \/:*?"<>|
API String ID: 3139386598-3830478854
Opcode ID: 06d40284817814f78a35444a147ae80be2d04c5d9bc7497f44808cb3f0a67ce0
Instruction ID: 4c044dfe40a21f3eead02e0aec1d4cae6f57e1440213ae248c4e63cba00f2e29
Opcode Fuzzy Hash: 06d40284817814f78a35444a147ae80be2d04c5d9bc7497f44808cb3f0a67ce0
Instruction Fuzzy Hash: 1AC1F031D00358DFCB1ADFA4C8547EDBBB1FF59308F254269E405AB291DBB46A84CB91

Function 002FEF10 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 217COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(80004005,003F6D45,081DA4CA,?,?,00000000,00000000,?,00000000,003F6D45,000000FF,?,80004005,081DA4CA,?,00000000), ref: 002FEF75
GetFileVersionInfoW.KERNELBASE(80004005,?,00000000,000000FF,00000000,?,?,00000000,00000000,?,00000000,003F6D45,000000FF,?,80004005,081DA4CA), ref: 002FEFC3

Strings

\StringFileInfo\%04x%04x\%s, xrefs: 002FF03B
ProductName, xrefs: 002FF031
\VarFileInfo\Translation, xrefs: 002FF005

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: FileInfoVersion$Size
String ID: ProductName$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation
API String ID: 2104008232-2149928195
Opcode ID: d2460b87657713494ba6b27b39b9d976efde92b7f1b3eac49669b5f26763d1b0
Instruction ID: b3519e11d76861ba07b8177eeae1b10c974bf517128cff00b277d875122f3d0d
Opcode Fuzzy Hash: d2460b87657713494ba6b27b39b9d976efde92b7f1b3eac49669b5f26763d1b0
Instruction Fuzzy Hash: 72719F71A0020ADFCF04DFA8C995ABEFBB8EF05314F144179E616A7292DB359D05CBA1

Function 0033EFF0 Relevance: 7.7, APIs: 5, Instructions: 175threadsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,081DA4CA,00000000,?), ref: 0033F030
CreateThread.KERNEL32(00000000,00000000,0033F400,?,00000000,?), ref: 0033F080
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0033F1A6
GetExitCodeThread.KERNEL32(00000000,?), ref: 0033F1B1
CloseHandle.KERNEL32(00000000), ref: 0033F1D1

Part of subcall function 0019B0F0: RtlAllocateHeap.NTDLL(?,00000000,?,081DA4CA,00000000,003E8920,000000FF,?,?,0050A344,?,?,003394E7,80004005,081DA4CA,?), ref: 0019B13A

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: CreateThread$AllocateCloseCodeEventExitHandleHeapObjectSingleWait
String ID:
API String ID: 978852114-0
Opcode ID: 2485948b9bff694e2b864975484619a39018c4624a4e41850efd19bac45d799e
Instruction ID: 6c37036647ff749052cd9021f8224770df47b1005d3b52a559b9d68fdb0b939c
Opcode Fuzzy Hash: 2485948b9bff694e2b864975484619a39018c4624a4e41850efd19bac45d799e
Instruction Fuzzy Hash: 9B611575E00218DFCF15CF58D984BADBBB5FF88714F2942A9E905AB391D730A841CBA4

Function 002F5850 Relevance: 7.5, APIs: 5, Instructions: 47windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjectsEx.USER32(00000001,000000FF,000000FF,000005FF,00000004), ref: 002F5867
PeekMessageW.USER32(?,00000000), ref: 002F5898
TranslateMessage.USER32(00000000), ref: 002F58A7
DispatchMessageW.USER32(00000000), ref: 002F58B2
MsgWaitForMultipleObjectsEx.USER32(00000001,00000000,000000FF,000005FF,00000004), ref: 002F58C8

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Message$MultipleObjectsWait$DispatchPeekTranslate
String ID:
API String ID: 4084795276-0
Opcode ID: c127bd60ab8540e891d8bb31ca3a7280db78fdb8423ffdb3b3d3dc5ea92a932e
Instruction ID: e9137027618d190ddd05c15aef391b0bffc75a26f9eb3885bfacd34b5cc7f622
Opcode Fuzzy Hash: c127bd60ab8540e891d8bb31ca3a7280db78fdb8423ffdb3b3d3dc5ea92a932e
Instruction Fuzzy Hash: 6501B170A443067BE7108F508C45FBAB7ECEF58B90F548A29B724D10D0E774D5889B22

Function 00319AA0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 388COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(00000010,081DA4CA,?,00000010,?), ref: 00319DDE

Part of subcall function 002EF600: GetCurrentProcess.KERNEL32 ref: 002EF652
Part of subcall function 002EF600: OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 002EF65F
Part of subcall function 002EF600: GetLastError.KERNEL32 ref: 002EF669
Part of subcall function 002EF600: CloseHandle.KERNEL32(00000000), ref: 002EF74C

Part of subcall function 0019B480: GetProcessHeap.KERNEL32 ref: 0019B4D5

Part of subcall function 0019A920: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,?,0033A058,\\.\pipe\ToServer,?,00000000,?,?,003EDFC6,000000FF,?,00339551), ref: 0019A943

Strings

\\?\, xrefs: 00319DEB
[WindowsVolume], xrefs: 00319B3C, 00319B4E, 00319B58
Extraction path set to:, xrefs: 00319E41

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Process$CloseCurrentErrorFindHandleHeapLastOpenPathResourceToken
String ID: Extraction path set to:$[WindowsVolume]$\\?\
API String ID: 1971330335-3538578949
Opcode ID: 2c9264b1bee329a4f12908f2b27b3979c7bb33d99f416fff4ffae18ba0059750
Instruction ID: 9b1bcac0b9ee2735f83c20a30e5490ac401c202c2e3ef4dc1264287f5adf4f7c
Opcode Fuzzy Hash: 2c9264b1bee329a4f12908f2b27b3979c7bb33d99f416fff4ffae18ba0059750
Instruction Fuzzy Hash: 14D1E630A00605DFCB09DF68C8A47ADB7B5FF58324F254259E921AB3D1DB34AE45CB91

Function 001A3C70 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNEL32(?,00000000,00000000,?,081DA4CA,?,00000004), ref: 001A3CCB
DeleteFileW.KERNEL32(?,?,00000004), ref: 001A3D0F
CreateDirectoryW.KERNEL32(?,00000000,?,00000004), ref: 001A3D1E

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: File$CreateDeleteDirectoryNameTemp
String ID:
API String ID: 2411147693-0
Opcode ID: 00fb5e658f5989cd7804b978b3a5964b566d2bb1a3d2c821950b23ddc45dbcfd
Instruction ID: 1a8de5fae61319f46eb7cae2e9f180f2545482e63e6a6c78141b95c9972d8e40
Opcode Fuzzy Hash: 00fb5e658f5989cd7804b978b3a5964b566d2bb1a3d2c821950b23ddc45dbcfd
Instruction Fuzzy Hash: 01D18A70D142489FDB14DF68C8897EEFBB4FF55304F20429AE819A7291EB746A84CF90

Function 00319730 Relevance: 6.2, APIs: 4, Instructions: 160fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,081DA4CA), ref: 0031980D
GetLastError.KERNEL32 ref: 00319815
RemoveDirectoryW.KERNEL32(?,081DA4CA), ref: 0031987D
GetLastError.KERNEL32 ref: 00319885

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ErrorLast$DeleteDirectoryFileRemove
String ID:
API String ID: 50330452-0
Opcode ID: 5003f6f2655411df3f4cfcc68a98bcff175dce8fd9627247c78ec3099c6d1062
Instruction ID: 0a24dd52cfbc7674bff43732676ae4b9870a134e5e1d8d539de49a2f16e0eefb
Opcode Fuzzy Hash: 5003f6f2655411df3f4cfcc68a98bcff175dce8fd9627247c78ec3099c6d1062
Instruction Fuzzy Hash: 1A518331900219CFCF16DFA4C8A8BEEB7B4FF09304F15406ED915AB255D735A989CB91

Function 0030FD30 Relevance: 6.2, APIs: 4, Instructions: 159fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,081DA4CA,?,00000010,?,003142A0,000000FF), ref: 0030FD96
SetFilePointer.KERNEL32(00000000,?,00000010,00000000), ref: 0030FDDF
ReadFile.KERNEL32(00000000,081DA4CA,?,000000FF,00000000,00000078,?), ref: 0030FE21
CloseHandle.KERNEL32(00000000), ref: 0030FEB8

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: File$CloseCreateHandlePointerRead
String ID:
API String ID: 4133201480-0
Opcode ID: 1a3519a4e9f55b9fda4a91da61103522de7c397a5875acf448897568dc8712c6
Instruction ID: 219829db84aa786b5996d34478149fb8f620ab30b136b0b935ebada52c976e5b
Opcode Fuzzy Hash: 1a3519a4e9f55b9fda4a91da61103522de7c397a5875acf448897568dc8712c6
Instruction Fuzzy Hash: 3F51B471A016099FDB11CFA8CC58BAEB7B8FF44324F244269F911AB2D2C774AD05CB94

Function 002FEE00 Relevance: 6.1, APIs: 4, Instructions: 96fileCOMMON

Download Yara Rule

APIs

Part of subcall function 002FE8C0: SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000000,?,081DA4CA,00000000,00000000,?), ref: 002FE91B

GetFileVersionInfoSizeW.KERNELBASE(?,00000000,?,081DA4CA,00000000,?,?,?,?,00000000,004344C5,000000FF,00000000,002FEDB6,?), ref: 002FEE4D
GetFileVersionInfoW.KERNELBASE(?,00000000,004344C5,00000000,00000000,?,?,00000000,004344C5,000000FF,00000000,002FEDB6,?), ref: 002FEE79
GetLastError.KERNEL32(?,?,00000000,004344C5,000000FF,00000000,002FEDB6,?), ref: 002FEEBE
DeleteFileW.KERNEL32(?), ref: 002FEED1

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: File$InfoVersion$DeleteErrorFolderLastPathSize
String ID:
API String ID: 2825328469-0
Opcode ID: 8f18d5ead13c3d3c7949e8c674c2389834e228f3169321caf155e3dc5c81dfe0
Instruction ID: ba298bb72640f3abc99509d4d4afabd7b8ea8dd6f54458a9e08c23301da901e3
Opcode Fuzzy Hash: 8f18d5ead13c3d3c7949e8c674c2389834e228f3169321caf155e3dc5c81dfe0
Instruction Fuzzy Hash: 5531707191120EEBDF12CFA5D944BEFFBB8EF08760F144129E906A3291D7749904CBA0

Function 002F4B00 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 387COMMON

Download Yara Rule

APIs

Part of subcall function 0019B480: GetProcessHeap.KERNEL32 ref: 0019B4D5

PathIsUNCW.SHLWAPI(?,?), ref: 002F4CCD

Strings

\\?\, xrefs: 002F4CAF, 002F4CB5
\\?\UNC\, xrefs: 002F4BA9, 002F4C31, 002F4C37

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: HeapPathProcess
String ID: \\?\$\\?\UNC\
API String ID: 300331711-3019864461
Opcode ID: 07723576e7b00dee371dbdd88e3a5984cd4e15bcc3cacd6c19c1407f77178850
Instruction ID: d674f93482df35515f46c51700cd3db488e7634e5b63acd65cf5cbbba3daca43
Opcode Fuzzy Hash: 07723576e7b00dee371dbdd88e3a5984cd4e15bcc3cacd6c19c1407f77178850
Instruction Fuzzy Hash: 8FD1C371A106099BDB00DBA8CC94BAEF7B9FF48324F144269E621E73D1DB749D05CB90

Function 003404E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00340532
EndDialog.USER32(00000000,00000001), ref: 00340541

Strings

x=H, xrefs: 00340680

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: DialogWindow
String ID: x=H
API String ID: 2634769047-3075236326
Opcode ID: 60eb96bf7ccf4ba7a5406e4fd0a0597c43cae4da6ba6290962b0999604694ef2
Instruction ID: 616055fe2247beee7a0ed0a205c5debfdc2732574a2b78bbcb5a0e25f02d7047
Opcode Fuzzy Hash: 60eb96bf7ccf4ba7a5406e4fd0a0597c43cae4da6ba6290962b0999604694ef2
Instruction Fuzzy Hash: EC61BB30A01644DFCB05CF68C94875CBBF4FF49324F2582A9E915AB3A2C734AE01CB91

Function 00319F30 Relevance: 4.7, APIs: 3, Instructions: 196fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,081DA4CA,00000000,00000010,?,00000010,?), ref: 00319FCB
GetLastError.KERNEL32 ref: 0031A00D
GetLastError.KERNEL32(?), ref: 0031A0B1

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ErrorLast$CreateFile
String ID:
API String ID: 1722934493-0
Opcode ID: 52be4ff410fba4db68fd7075905ab923198c51ced7830b675e07581f1f5aa0aa
Instruction ID: a2b8eadd146e6d9cae855b1a652f19f864fceab2ef67a8b070554154a22d556d
Opcode Fuzzy Hash: 52be4ff410fba4db68fd7075905ab923198c51ced7830b675e07581f1f5aa0aa
Instruction Fuzzy Hash: 7A610131A00A06AFDB19DF28D855BAAF3B4FF48321F144269E826973D1DB30B951CB90

Function 00350D20 Relevance: 4.7, APIs: 3, Instructions: 185fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00351D21,40000000,00000001,00000000,00000002,00000080,00000000,081DA4CA,?,?), ref: 00350D82
WriteFile.KERNEL32(00000000,?,0000C800,0000C800,00000000,?,0000C800), ref: 00350E28
CloseHandle.KERNEL32(00000000,?,0000C800), ref: 00350E9C

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: 6775bfedac90d782ccb91faeb8af51b7ad35ca8312212d40164caec89b04d68b
Instruction ID: 2bffb5b13f324850087ac71a84287a404802c7bd481bed5f6e45aa67030555c4
Opcode Fuzzy Hash: 6775bfedac90d782ccb91faeb8af51b7ad35ca8312212d40164caec89b04d68b
Instruction Fuzzy Hash: 82519E71A01208AFDB15DFA8D945FEEBBF9EF48315F204559F800AB290D775AE04CBA4

Function 002F4F10 Relevance: 4.7, APIs: 3, Instructions: 185COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,081DA4CA,00000000,?,?,?,?,?,00432E55,000000FF,?,0030847C,00000000,?,?), ref: 002F4F5B
CreateDirectoryW.KERNEL32(00432E55,00000000,?,00000000,00490C24,00000001), ref: 002F501A
GetLastError.KERNEL32 ref: 002F5028

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: CreateDirectoryErrorLastPath
String ID:
API String ID: 953296794-0
Opcode ID: b46b0e936f251219d645d34fc321e6dbb8ccd5208746aed9e051df90f92644ed
Instruction ID: dc1429fe776ddf5e5cf7e1b1a76f1cb20b0ecd10ce7ad22bdce2ad036516cf11
Opcode Fuzzy Hash: b46b0e936f251219d645d34fc321e6dbb8ccd5208746aed9e051df90f92644ed
Instruction Fuzzy Hash: 9761DE30A106098FCB04DFA8C899BAEF7F0FF18354F244569E625A7291DB35A909CF91

Function 00320DA0 Relevance: 4.6, APIs: 3, Instructions: 91fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,00000000,?,00000000,80004005,?,?,?,?,?,?), ref: 00320DC5
CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,00000080,00000000,081DA4CA,00000000,00000000,80004005,?,?,?,?,?), ref: 00320E3D
CloseHandle.KERNEL32(?,?,00480010), ref: 00320EA6

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: File$CloseCreateDeleteHandle
String ID:
API String ID: 3273607511-0
Opcode ID: 4977834d96a41ff842e9655634905a4c27c7ef3ca5c3aa19d4c29f3ac8090ac7
Instruction ID: 2ca296a6d74398bc56e1d03e668e607d0affd2fdc582efaa698842838589f36b
Opcode Fuzzy Hash: 4977834d96a41ff842e9655634905a4c27c7ef3ca5c3aa19d4c29f3ac8090ac7
Instruction Fuzzy Hash: 7B310731500714DBCB25CF64ED85BDE77B4FB04710F218A29E956AB281D7706949CB90

Function 00318D80 Relevance: 4.5, APIs: 3, Instructions: 28threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00318D89
DestroyWindow.USER32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00437E80), ref: 00318D98
IsWindow.USER32(?), ref: 00318DC3

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Window$CurrentDestroyThread
String ID:
API String ID: 2303547079-0
Opcode ID: b0ba1a65f505f78b1b62bc828f8e6ef0748146438a4c0d8ca544581f1b9af32f
Instruction ID: eb73b4c28b44cc0a2396808ac79c603f0567f740ac964af1803e4b7a0a340517
Opcode Fuzzy Hash: b0ba1a65f505f78b1b62bc828f8e6ef0748146438a4c0d8ca544581f1b9af32f
Instruction Fuzzy Hash: 7EF08C300027509FD3759B24FE48B93BBE4BB29B05F159D4CE1969A9D0CBB4E884DB28

Function 003CCA98 Relevance: 4.5, APIs: 3, Instructions: 15COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,003CCA92,?,003C4C02,?,?,081DA4CA,003C4C02,?), ref: 003CCAA9
TerminateProcess.KERNEL32(00000000,?,003CCA92,?,003C4C02,?,?,081DA4CA,003C4C02,?), ref: 003CCAB0
ExitProcess.KERNEL32 ref: 003CCAC2

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: f028cf56833b49f177e2dcc6d22dbf8d7e66e3fb198188dfc35a2937f70d165c
Instruction ID: 89e5c808be84324003fc0a85175430b78ee85e56496d378f4c1a18f6723fb8ec
Opcode Fuzzy Hash: f028cf56833b49f177e2dcc6d22dbf8d7e66e3fb198188dfc35a2937f70d165c
Instruction Fuzzy Hash: 07D06731410208ABCF566FA1DD0EE493F29EB80396B105064F9098E072CB31DD91EB84

Function 002F5390 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 239COMMON

Download Yara Rule

APIs

Part of subcall function 0019B480: GetProcessHeap.KERNEL32 ref: 0019B4D5

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000025,00000000,081DA4CA,00000000,00000010,00000010), ref: 002F5552

Part of subcall function 002F5630: GetEnvironmentVariableW.KERNEL32(00000000,00000000,00000000,?,00000010,00000000,80004005), ref: 002F563D

Strings

USERPROFILE, xrefs: 002F53EA

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: EnvironmentFolderHeapPathProcessSpecialVariable
String ID: USERPROFILE
API String ID: 2976596683-2419442777
Opcode ID: 4ffda4a8052a1ac4943f9ada1890b87a63689f97c062c1799814b4ffc8361245
Instruction ID: 191a2aa859854e6fb2db0e28fcd5869b8e7d42384ce3bc5cea71547641178226
Opcode Fuzzy Hash: 4ffda4a8052a1ac4943f9ada1890b87a63689f97c062c1799814b4ffc8361245
Instruction Fuzzy Hash: 0C71D171A106199FCB14DF68C899BBEB7B5FF84720F144269EA169B381DB309D04CB91

Function 0031D2D0 Relevance: 3.2, APIs: 2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c61b8dbab37ffb1a01d4b7edcacf415e20ee8650b8d5e17a728d2f31e6f8662
Instruction ID: 752ebbbf9c97a5ec4ef5d08bdf52b7849f005dd309e0463feb26a0eb22fe3cd3
Opcode Fuzzy Hash: 2c61b8dbab37ffb1a01d4b7edcacf415e20ee8650b8d5e17a728d2f31e6f8662
Instruction Fuzzy Hash: E161BE309005098BCF2ADF69C8947EEB7B1FF4E314F194529E826DB295DF30A985CB91

Function 001A4197 Relevance: 3.2, APIs: 2, Instructions: 168fileCOMMON

Download Yara Rule

APIs

MoveFileW.KERNEL32(?,00000000), ref: 001A42ED
DeleteFileW.KERNEL32(?), ref: 001A4337

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: File$DeleteMove
String ID:
API String ID: 2145525214-0
Opcode ID: 6f1de6500f1e177f30622418394ee11c4433034dd6062c8ab43f78f6900bf15f
Instruction ID: 00315704e3726c1c0a5bd65af3759beb3dabc15a9456f0d2b74fd5fb97b66817
Opcode Fuzzy Hash: 6f1de6500f1e177f30622418394ee11c4433034dd6062c8ab43f78f6900bf15f
Instruction Fuzzy Hash: 7F716875D102688BCB28DB28CC987EDB7B1BF95304F1442D9E409A7691EB74AB85CF90

Function 002755B0 Relevance: 3.1, APIs: 2, Instructions: 130libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000105), ref: 002755F2

Part of subcall function 0019B480: GetProcessHeap.KERNEL32 ref: 0019B4D5

Part of subcall function 0019A920: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,?,0033A058,\\.\pipe\ToServer,?,00000000,?,?,003EDFC6,000000FF,?,00339551), ref: 0019A943

LoadLibraryExW.KERNEL32(?,00000000,00000000,-00000010), ref: 002756C9

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: DirectoryFindHeapLibraryLoadProcessResourceSystem
String ID:
API String ID: 2891229163-0
Opcode ID: 2c454710252ecb4ccc7b664e3cf341631eb8baaeee3439c197a8f8081ca9ef6c
Instruction ID: f1694a616e92cd2782f2436a072dc3ef86b69486d5eeeb3beac1fa2220c96327
Opcode Fuzzy Hash: 2c454710252ecb4ccc7b664e3cf341631eb8baaeee3439c197a8f8081ca9ef6c
Instruction Fuzzy Hash: CB410675A106199FCB18DF68CC55BFEB3A8FF44710F54852DE91A9B2C0EBB0AA14CB50

Function 00318B80 Relevance: 3.1, APIs: 2, Instructions: 80COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(003184D6), ref: 00318B80
DestroyWindow.USER32(00000000,00000000), ref: 00318C37

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: DestroyErrorLastWindow
String ID:
API String ID: 1182162058-0
Opcode ID: effe3ecd8b49559803d0b7dcd7d6005ed3a286d0426d7473f919d7e684441c15
Instruction ID: 640faad82d6bd017bfe7c36ad52df1c774cfe10a7623df96e672d8d06667097f
Opcode Fuzzy Hash: effe3ecd8b49559803d0b7dcd7d6005ed3a286d0426d7473f919d7e684441c15
Instruction Fuzzy Hash: 9D213AB17001095BDB119F08EC417EA7754EB58320F004226FD14C7291DB75DCA4DBF5

Function 002F85E0 Relevance: 3.0, APIs: 2, Instructions: 39windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002F7D30: LoadLibraryW.KERNEL32(ComCtl32.dll,081DA4CA,?), ref: 002F7D6A
Part of subcall function 002F7D30: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 002F7D90
Part of subcall function 002F7D30: FreeLibrary.KERNEL32(00000000), ref: 002F7E19

SendMessageW.USER32(?,00000080,00000001,00000000), ref: 002F861E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 002F862D

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: LibraryMessageSend$AddressFreeLoadProc
String ID:
API String ID: 3032493519-0
Opcode ID: cf299e43d9e377820eaaa5d14eef48176d45bf33a32e649fefed903cc35c9d22
Instruction ID: 845e01af8b7bdb0390d1730d12149079e3945c6d6d440409ddaa8ba6c6a9f030
Opcode Fuzzy Hash: cf299e43d9e377820eaaa5d14eef48176d45bf33a32e649fefed903cc35c9d22
Instruction Fuzzy Hash: 9AF0A07279032433F22012695C0BFA7E54DDB80B61F104624FBA4AB2D1ECEAAC0402E8

Function 003D8441 Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,003DA134,00000000,003D601B,00000000,?,003C9DBC,00000000,003D601B,?,?,?,?,003D5E15), ref: 003D8457
GetLastError.KERNEL32(?,?,003DA134,00000000,003D601B,00000000,?,003C9DBC,00000000,003D601B,?,?,?,?,003D5E15), ref: 003D8462

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: b1a62b49eb85f3055cdcef6bf42511335771e73fb50a2d95a11fb2731bb9179a
Instruction ID: 51cde17080ee91d8b6e2861d350f73fb761250c7f1d2e9c6c0a9e7d1150c6161
Opcode Fuzzy Hash: b1a62b49eb85f3055cdcef6bf42511335771e73fb50a2d95a11fb2731bb9179a
Instruction Fuzzy Hash: 4CE0E63210061477CB122FB5FC09B993A68AB80756F154025F608DA1A2DA399D90D7D4

Function 002DB6A0 Relevance: 2.6, APIs: 2, Instructions: 133COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,00000000,00000000,00000000,?,00514380,002EED48,?), ref: 002DB6B8
MultiByteToWideChar.KERNEL32(00000003,00000000,80000004,000000FF,?,-00000001), ref: 002DB6EA

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 5239dc5d65b6ce6d74980a855c4ad60cc6a9d0efdf4ff4290411387c0cac2870
Instruction ID: 5630b3b57df8890a7fb38abd6e09df901c062fa3cf267a4bd96362ef2790ebdf
Opcode Fuzzy Hash: 5239dc5d65b6ce6d74980a855c4ad60cc6a9d0efdf4ff4290411387c0cac2870
Instruction Fuzzy Hash: FE419B72600606DFEB11DF68D899B5AF7A9FF84721F20422EE5259B390DB30AD10CB90

Function 00322340 Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

APIs

EnumResourceLanguagesW.KERNEL32(?,00000010,00000001,00322480,?), ref: 0032238B

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: EnumLanguagesResource
String ID:
API String ID: 4141015960-0
Opcode ID: 34d12307139c60b0b72599f517252edc24c59dbc1f2e7aaa06a1be7f763945a9
Instruction ID: 43c280e3a932cfd6f108b7bd97dd5240920e4dac83cf6abf117fcf9f7cc8115c
Opcode Fuzzy Hash: 34d12307139c60b0b72599f517252edc24c59dbc1f2e7aaa06a1be7f763945a9
Instruction Fuzzy Hash: CD41D27190020AABDB11EF95D985BDFFBF4FF04314F10426AE850BB281DB75AA45CBA0

Function 00339ED0 Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(00000000,?,00000000,081DA4CA,00000000,081DA4CA), ref: 00339F66

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 7da5555a4dc7876b25b017c19bf405ca138c1062674f629bca9d8a2c461fd4b0
Instruction ID: c9b3a26a622601e68aecbd904d4a21b96d19b89731b47b2a9901f31b43df7d6f
Opcode Fuzzy Hash: 7da5555a4dc7876b25b017c19bf405ca138c1062674f629bca9d8a2c461fd4b0
Instruction Fuzzy Hash: 78F0AF31A00614AFCB10CF19CC44F9BB7ACEB49724F104226F825E72D0D7B4A90486A0

Function 0019B0F0 Relevance: 1.5, APIs: 1, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003C1761: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,00000000,80004005,081DA4CA,?), ref: 003C17C1

RtlAllocateHeap.NTDLL(?,00000000,?,081DA4CA,00000000,003E8920,000000FF,?,?,0050A344,?,?,003394E7,80004005,081DA4CA,?), ref: 0019B13A

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: AllocateExceptionHeapRaise
String ID:
API String ID: 3789339297-0
Opcode ID: e0928c0c2af611baa22c4ba75ef9031ce78b86e43396f1bc8edc71f3c888a2ed
Instruction ID: 720d1eff573977147c4f9916e539b0ec817751068e4f932dd26655d1f2c01123
Opcode Fuzzy Hash: e0928c0c2af611baa22c4ba75ef9031ce78b86e43396f1bc8edc71f3c888a2ed
Instruction Fuzzy Hash: 93F0E271904248BFCB11CF00EC06F5ABBA8F704B10F108629F81586691DB35A8049B44

Function 003D847B Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,003D601B,?,003DA123,?,00000000,?,003C9DBC,00000000,003D601B,?,?,?,?,003D5E15), ref: 003D84AD

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ca8955486ae613cc2d732745c4d38e0f0f4c4664554e27deed385f64f7e26caf
Instruction ID: 3f1a2b4ae7218f90abbf4e2b60dec5d0d435b524f8215929c20db8b13bf949aa
Opcode Fuzzy Hash: ca8955486ae613cc2d732745c4d38e0f0f4c4664554e27deed385f64f7e26caf
Instruction Fuzzy Hash: 17E0E53720062356DA23272BFC01BAA3A6CAF417B0F164023AD04DA3C1EF24FC4091E1

Function 003D5F83 Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 003D5F8A

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 893817388e9c7a40b71c96f3c9fb63f2a32d411c6c1b81bffd6441bbbdaba448
Instruction ID: d6a91bca43869eca42d0e8a4b818082324c7a3fd9f987c947fcd5a7c7d70c785
Opcode Fuzzy Hash: 893817388e9c7a40b71c96f3c9fb63f2a32d411c6c1b81bffd6441bbbdaba448
Instruction Fuzzy Hash: 5AE09A76C0120D9ADB01DFE4C452FEFB7B8EB04714F504027A205EB141EB7857548BE1

Function 003BC1BE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003BC1A1

Part of subcall function 003BC661: DloadAcquireSectionWriteAccess.DELAYIMP ref: 003BC66C
Part of subcall function 003BC661: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003BC6D4
Part of subcall function 003BC661: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003BC6E5

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 223ab2ccd024eae83e9a1d61e3e7b51a549901056bdf61f0a81d802582a26bb1
Instruction ID: 992543d418f86540eca289392d7bd2f970c8e6350b4aac434c09947ce16695b5
Opcode Fuzzy Hash: 223ab2ccd024eae83e9a1d61e3e7b51a549901056bdf61f0a81d802582a26bb1
Instruction Fuzzy Hash: CEB012C53781016F3155A1185D0BFFA076CE1CCF14730622BB505C88C1E4900C430036

Function 003BC1B4 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003BC1A1

Part of subcall function 003BC661: DloadAcquireSectionWriteAccess.DELAYIMP ref: 003BC66C
Part of subcall function 003BC661: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003BC6D4
Part of subcall function 003BC661: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003BC6E5

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 4fbcbde28c448f7782b8b5943bc73df5a50cd21e5e0770b31a41f44e44dc3d60
Instruction ID: cd9dc5bc51fcab6a71848a34eb97a9beb06df6a86837fc87e95066227bea389c
Opcode Fuzzy Hash: 4fbcbde28c448f7782b8b5943bc73df5a50cd21e5e0770b31a41f44e44dc3d60
Instruction Fuzzy Hash: D0B012C1378201AF311551191D47EFA0B5CD1CCF14730A02AB905C58C1E4900C434036

Function 003BC1FA Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003BC1A1

Part of subcall function 003BC661: DloadAcquireSectionWriteAccess.DELAYIMP ref: 003BC66C
Part of subcall function 003BC661: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003BC6D4
Part of subcall function 003BC661: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003BC6E5

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: d7e890989fb709a9e27cd2b2bc9f411ead9f33316a4fe188a90b2c1fdafb78b9
Instruction ID: 2b94d62d2eee4342cc2ab2991beddedc70e7b70057c8256baecd25a9729d339e
Opcode Fuzzy Hash: d7e890989fb709a9e27cd2b2bc9f411ead9f33316a4fe188a90b2c1fdafb78b9
Instruction Fuzzy Hash: 5DB012C13782016F321551183D07EFA075CD1CCF14730612AB505C48C1E4940C870032

Function 003BC1F0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003BC1A1

Part of subcall function 003BC661: DloadAcquireSectionWriteAccess.DELAYIMP ref: 003BC66C
Part of subcall function 003BC661: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003BC6D4
Part of subcall function 003BC661: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003BC6E5

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 3e8d7c07ab7eb7bb0c59d42f28318d15c2753c4fd6ff63d48a87707004d3bc34
Instruction ID: 0dc00754f77795ba25172b31803229a7ada65602affe143444a8fbc4babc5ba5
Opcode Fuzzy Hash: 3e8d7c07ab7eb7bb0c59d42f28318d15c2753c4fd6ff63d48a87707004d3bc34
Instruction Fuzzy Hash: 07B012C13781016F311551181E07EFA0B5CD1CCF14730A02EB605C48C1E4904C430032

Function 003BC23D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003BC22A

Part of subcall function 003BC661: DloadAcquireSectionWriteAccess.DELAYIMP ref: 003BC66C
Part of subcall function 003BC661: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003BC6D4
Part of subcall function 003BC661: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003BC6E5

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: ea53d7187597cb964fe644aa884ae21a0c7ee7d4354016b472c3efbae1b5ea7c
Instruction ID: e99ddfc63953c753695a5e95a98f7a3d33a1383c72b893dd3db0253c48b8e6d0
Opcode Fuzzy Hash: ea53d7187597cb964fe644aa884ae21a0c7ee7d4354016b472c3efbae1b5ea7c
Instruction Fuzzy Hash: A2B012D27B82017D711961542F42DFA066CD1C5F25330A42EF500CC8C0D4800C414032

Function 003BC272 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003BC269

Part of subcall function 003BC661: DloadAcquireSectionWriteAccess.DELAYIMP ref: 003BC66C
Part of subcall function 003BC661: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003BC6D4
Part of subcall function 003BC661: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003BC6E5

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: fc01cccb4160ceb1231ea5ee62073bdf2751b745900c162c04f83ce27804d687
Instruction ID: 7e521cd884410674bcd03d62d199f555a7f52199a9ae96a0243742abd069da7f
Opcode Fuzzy Hash: fc01cccb4160ceb1231ea5ee62073bdf2751b745900c162c04f83ce27804d687
Instruction Fuzzy Hash: 72B012C137D2026D311551845D02DFA175CE1C4F14330653AB104C88C0D4481C814032

Function 003BC247 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003BC22A

Part of subcall function 003BC661: DloadAcquireSectionWriteAccess.DELAYIMP ref: 003BC66C
Part of subcall function 003BC661: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003BC6D4
Part of subcall function 003BC661: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003BC6E5

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 0b3a3069bd6b91398099513fcd5d437d45ebe855c4f931d3d600f7d3a0fa604a
Instruction ID: f4ad48a776ccc2bef3159f7b07a997fe87d68a3d5c4873fe789f1fd33e4b303a
Opcode Fuzzy Hash: 0b3a3069bd6b91398099513fcd5d437d45ebe855c4f931d3d600f7d3a0fa604a
Instruction Fuzzy Hash: 6DB012927B83017D715961442F42DFA066CD1C4F25330652AB500CC8C0D4440C814032

Function 003BC296 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003BC269

Part of subcall function 003BC661: DloadAcquireSectionWriteAccess.DELAYIMP ref: 003BC66C
Part of subcall function 003BC661: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003BC6D4
Part of subcall function 003BC661: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003BC6E5

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 00fc9ce04680fc18bcc296b8e55671deee067d671f25d667eb806499b84fccd5
Instruction ID: 05846861378429fcabfbfee8beb50bd1d1fae7f4726f7a1bb62bf3b4b0bde54a
Opcode Fuzzy Hash: 00fc9ce04680fc18bcc296b8e55671deee067d671f25d667eb806499b84fccd5
Instruction Fuzzy Hash: 80B012C137C1026D311591C45D02DFA175CD1C4F14331A43BB504C88C0D4401C814032

Function 003BC2D2 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003BC269

Part of subcall function 003BC661: DloadAcquireSectionWriteAccess.DELAYIMP ref: 003BC66C
Part of subcall function 003BC661: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003BC6D4
Part of subcall function 003BC661: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003BC6E5

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 329f26688e0327ecccf24f1d26ce0459d96e7f20b1a113ac3a9ec5340c2df862
Instruction ID: c96a62fdfcd3cf83dbf9b5e6f0239f78b0ac6d8603ac7f192ae2c4bf26d41a12
Opcode Fuzzy Hash: 329f26688e0327ecccf24f1d26ce0459d96e7f20b1a113ac3a9ec5340c2df862
Instruction Fuzzy Hash: 9CB0128537C1026E311551846E02DFB175CD1C4F14330643AB104C88C0D8402C424232

Function 003BC2C8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003BC269

Part of subcall function 003BC661: DloadAcquireSectionWriteAccess.DELAYIMP ref: 003BC66C
Part of subcall function 003BC661: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003BC6D4
Part of subcall function 003BC661: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003BC6E5

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 0e4a67311535dd9d1ffdcd3cc1978ce01a2f08626c5fe75d044f652957f9b004
Instruction ID: 660867221bf62eedde736689af38dfd571ccbcdc348a6cd97f9c3b90f86d9c45
Opcode Fuzzy Hash: 0e4a67311535dd9d1ffdcd3cc1978ce01a2f08626c5fe75d044f652957f9b004
Instruction Fuzzy Hash: 8CB0128537D2026E311561846D06DFB175CD1C4F14330653AB208C88C0D8441C818132

Function 003BC369 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003BC322

Part of subcall function 003BC661: DloadAcquireSectionWriteAccess.DELAYIMP ref: 003BC66C
Part of subcall function 003BC661: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003BC6D4
Part of subcall function 003BC661: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003BC6E5

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: c34c4827019e581419dea7570e996aabe9b847ea7284911193ec211d65ac33d5
Instruction ID: 794058167c34e53ffc6ecc9441ebf340a976cd7938aebd65fb1a38805b49b452
Opcode Fuzzy Hash: c34c4827019e581419dea7570e996aabe9b847ea7284911193ec211d65ac33d5
Instruction Fuzzy Hash: 72B012893B82017D311551045D42DFB1ADCD9C4F15330E02AB505C58C0D5C40C418033

Function 003BF77D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003BF74C

Part of subcall function 003BC661: DloadAcquireSectionWriteAccess.DELAYIMP ref: 003BC66C
Part of subcall function 003BC661: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003BC6D4
Part of subcall function 003BC661: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003BC6E5

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: cf1cb8f8b6121a2f250d57b65e99dba974d8408a7999c9215c5d763550dbef35
Instruction ID: 939939d8991eb037ae58c8cb7ac3e9b77d3041a04fe7527ef45e64e382d2893e
Opcode Fuzzy Hash: cf1cb8f8b6121a2f250d57b65e99dba974d8408a7999c9215c5d763550dbef35
Instruction Fuzzy Hash: C7B012813A86017D714661041D17DFA065CD1C4F54338613BB900C48C0D8440CC15036

Function 003BF787 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003BF74C

Part of subcall function 003BC661: DloadAcquireSectionWriteAccess.DELAYIMP ref: 003BC66C
Part of subcall function 003BC661: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003BC6D4
Part of subcall function 003BC661: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003BC6E5

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 189061e4eb4b44d36c18481c1425c4ba2aab2e4e07c34a62edd1e743c48aefd7
Instruction ID: 5160c5c2a6e95ec962a22d7906db8b98a799b48a6f9d27648feef6b5b793f412
Opcode Fuzzy Hash: 189061e4eb4b44d36c18481c1425c4ba2aab2e4e07c34a62edd1e743c48aefd7
Instruction Fuzzy Hash: 36B012853A8D01BD710561041D1BDFB065CD1C8F14338A43ABD00C48C0DC400C415136

Function 003BB7EE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003BB7BC

Part of subcall function 003BC661: DloadAcquireSectionWriteAccess.DELAYIMP ref: 003BC66C
Part of subcall function 003BC661: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003BC6D4
Part of subcall function 003BC661: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003BC6E5

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: e22281a7e45aecef8cf1d47e80ba5f42e0f3a3883d2859edc9bc66510870971f
Instruction ID: bd2301c122d121ace6fb2fc4d6087d994d1a4d2b0eec04579f6c5776396c18c6
Opcode Fuzzy Hash: e22281a7e45aecef8cf1d47e80ba5f42e0f3a3883d2859edc9bc66510870971f
Instruction Fuzzy Hash: DDB012813686016CB11561041D17EFA0B5CD5C0F14331542EB104C48C0DC801C420132

Function 003BBB35 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003BBB47

Part of subcall function 003BC661: DloadAcquireSectionWriteAccess.DELAYIMP ref: 003BC66C
Part of subcall function 003BC661: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003BC6D4
Part of subcall function 003BC661: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003BC6E5

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: f0f3cf9c2e49f7fa28fb925a6c066f65a3cd8bf3d5f8aba0e927b6a583a5426d
Instruction ID: e221b588bab63f506ae4b54b9175a9e7c1947b8463d33d93d06bd119739e8be8
Opcode Fuzzy Hash: f0f3cf9c2e49f7fa28fb925a6c066f65a3cd8bf3d5f8aba0e927b6a583a5426d
Instruction Fuzzy Hash: 28B012913681017D710552051E42CFA171CE1C0F14330542AB200C48C498C00D420033

Function 003BBB50 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003BBB47

Part of subcall function 003BC661: DloadAcquireSectionWriteAccess.DELAYIMP ref: 003BC66C
Part of subcall function 003BC661: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003BC6D4
Part of subcall function 003BC661: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003BC6E5

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 2927b5f6c33dc519a93d82bf5c172b75a0d8d55f1b4520ff8ae05b76e9ed0fa4
Instruction ID: 8cdf6cbdd23b59a7d4cbf7fff6106f6cae6201159f2292ac2d00d15945fb0f94
Opcode Fuzzy Hash: 2927b5f6c33dc519a93d82bf5c172b75a0d8d55f1b4520ff8ae05b76e9ed0fa4
Instruction Fuzzy Hash: C8B012853681016D710592042D42DFA475CF1C4F14330942AB610C5CC0D8C44C411032

Function 003BBBA0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003BBB47

Part of subcall function 003BC661: DloadAcquireSectionWriteAccess.DELAYIMP ref: 003BC66C
Part of subcall function 003BC661: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003BC6D4
Part of subcall function 003BC661: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003BC6E5

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 49aa7de8baefdea1110245fd71aa54521dc7843e9e1450582f767777b1c73764
Instruction ID: 00098bce16ee5db0f036a5d3c14264be0decf7934000486e2e7174e8e9619b94
Opcode Fuzzy Hash: 49aa7de8baefdea1110245fd71aa54521dc7843e9e1450582f767777b1c73764
Instruction Fuzzy Hash: 8BB01289368101AD710592042D02DFB075CE1C8F14330902ABA10C58C0DCC04C411132

Function 003BBBC8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 003BBB47

Part of subcall function 003BC661: DloadAcquireSectionWriteAccess.DELAYIMP ref: 003BC66C
Part of subcall function 003BC661: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003BC6D4
Part of subcall function 003BC661: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003BC6E5

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
String ID:
API String ID: 697777088-0
Opcode ID: 6685c131f9cc7f65b2f66174e81ee2084cd6add1ef954ad654a8a439eac5cfb1
Instruction ID: 2aba330686139d82aea34ef9cadfebd031e1b7f41f6bbcea10c95390ee59ebf5
Opcode Fuzzy Hash: 6685c131f9cc7f65b2f66174e81ee2084cd6add1ef954ad654a8a439eac5cfb1
Instruction Fuzzy Hash: 24B012813681016D711592041D02DFA075CF1C4F2C330543AB200C48C0D8C02C410032

Function 00339600 Relevance: 1.3, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,081DA4CA,?,00000010,?,00000000,0043F203,000000FF,?,00316572,00000000,00000000,00000000,00000001,?,0000000D), ref: 0033963A

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: e95498d6b85142edb7f023244110753d4737aea7235de7ac5635b08d13ea70b9
Instruction ID: 8c304dd8065ef80b22aa6489bdff4236c8333a25e4aa22b7fc875ffce9c9f986
Opcode Fuzzy Hash: e95498d6b85142edb7f023244110753d4737aea7235de7ac5635b08d13ea70b9
Instruction Fuzzy Hash: B3116A71900A48DFD711CF68D808B5ABBF8FB49334F24876AE825D77D0D775A9058B84

Non-executed Functions

Function 00193530 Relevance: 438.2, Strings: 348, Instructions: 3218COMMON

Download Yara Rule

Strings

AI_DefaultActionCost, xrefs: 00197981
CostInitialize, xrefs: 001937B3
xWQ, xrefs: 00195E31
PIQ, xrefs: 00193FF4
pcQ, xrefs: 00196BCD
H]Q, xrefs: 0019666C
DuplicateFile, xrefs: 001958ED, 00196311
0rQ, xrefs: 00197835
XWQ, xrefs: 00195DFE
IQ, xrefs: 0019413A
UQ, xrefs: 00195AE5
AI_GxUninstall, xrefs: 0019750A
MsiUnpublishAssemblies, xrefs: 00193DD5
RemoveODBC, xrefs: 001946B3, 001947F9, 0019493F
PublishFeatures, xrefs: 00196E8D
@DQ, xrefs: 00193574
xjQ, xrefs: 001971CA
hoQ, xrefs: 001975EC
AI_ProcessTasks, xrefs: 001976FE
pFQ, xrefs: 001939F9
UnregisterComPlus, xrefs: 00194427
HpQ, xrefs: 001976A2
(sQ, xrefs: 00197912
Patch, xrefs: 001961CB
(bQ, xrefs: 00196AA3
(WQ, xrefs: 00195D98
`^Q, xrefs: 00196762
RemoveShortcuts, xrefs: 001955FB
0LQ, xrefs: 0019460B
0TQ, xrefs: 00195746
xhQ, xrefs: 00197012
@jQ, xrefs: 001971A4
@NQ, xrefs: 00194A8A
8ZQ, xrefs: 001963DF
@kQ, xrefs: 00197281
UnregisterExtensionInfo, xrefs: 00194FB8
MsiPublishAssemblies, xrefs: 00196E0B
8000, xrefs: 001945BB, 00194AB8, 00196873, 00196B08
HQ, xrefs: 00193F1B
8\Q, xrefs: 0019658D
AI_UserAccounts, xrefs: 001973B9, 001976A7
UnregisterClassInfo, xrefs: 00194E57
CreateFolder, xrefs: 00195CB3, 00195DF9
XcQ, xrefs: 00196BA6
(OQ, xrefs: 00194C73
MsiConfigureServices, xrefs: 00196C7E, 00196CA4
MoveFiles, xrefs: 00195ED9
AI_XmlUninstall, xrefs: 0019777B, 00197801
(MQ, xrefs: 00194831
PRQ, xrefs: 00195341
AI_XmlAttribute, xrefs: 001972BF, 00197827
mQ, xrefs: 001974AE
LQ, xrefs: 00194798
Environment, xrefs: 001957A7, 00196800
HgQ, xrefs: 00196F18
hnQ, xrefs: 00197518
StopServices, xrefs: 0019419B, 001942E1
hRQ, xrefs: 00195374
PSQ, xrefs: 00195553
Feature, xrefs: 001940BB, 00196EB3
0UQ, xrefs: 0019596C
@`Q, xrefs: 001968FE
InstallServices, xrefs: 00196BF8
`UQ, xrefs: 001959D2
H_Q, xrefs: 00196835
x_Q, xrefs: 0019685B
xrQ, xrefs: 00197882
@MQ, xrefs: 00194864
AI_UninstallAccounts, xrefs: 00197393
0_Q, xrefs: 0019680E
oQ, xrefs: 00197656
(tQ, xrefs: 001979E6
xVQ, xrefs: 00195C1F
FileCost, xrefs: 001938ED
RegisterProgIdInfo, xrefs: 001965CE
XYQ, xrefs: 0019624A
WriteRegistryValues, xrefs: 001966CE
mQ, xrefs: 0019740B
x^Q, xrefs: 0019677A
PatchFiles, xrefs: 00196165
ProcessComponents, xrefs: 00193C9B
TQ, xrefs: 001958BF
(aQ, xrefs: 001969D1
RemoveRegistry, xrefs: 00194D77
[Q, xrefs: 0019654C
XEQ, xrefs: 001937B8
PHQ, xrefs: 00193DDA
8oQ, xrefs: 001975C3
MsiAssembly, xrefs: 00196E36
PQQ, xrefs: 0019511B
15000, xrefs: 001941CE, 00194314, 00195F0C, 001962DE, 00196C91, 00196EA0
pZQ, xrefs: 0019640D
pQ, xrefs: 0019771F
@XQ, xrefs: 00195FF1
`iQ, xrefs: 001970E5
SQ, xrefs: 00195699
pEQ, xrefs: 001937EB
gQ, xrefs: 00196F95
[Q, xrefs: 001964A9
xKQ, xrefs: 00194492
AI_PreRequisite, xrefs: 0019702A, 001970B0, 00197136, 001971BC
@sQ, xrefs: 00197925
hSQ, xrefs: 0019559A
pXQ, xrefs: 00196057
RemoveFile, xrefs: 00195B79
AI_XmlElement, xrefs: 00197242, 001977A1
(XQ, xrefs: 00195FBE
XjQ, xrefs: 001971B7
WriteIniValues, xrefs: 00196754
AI_InstallPostPrerequisite, xrefs: 00197196
PfQ, xrefs: 00196E4C
paQ, xrefs: 00196A0A
hIQ, xrefs: 00194027
0^Q, xrefs: 0019673C
5000, xrefs: 001963E4
RemoveIniValues, xrefs: 0019536F, 001954B5
0hQ, xrefs: 00196FD9
RegisterComPlus, xrefs: 00196B72
@lQ, xrefs: 00197352
hHQ, xrefs: 00193E0D
InstallFinalize, xrefs: 00196F87
AI_InstallPrerequisite, xrefs: 00197110
3000000, xrefs: 001967ED
`gQ, xrefs: 00196F2B
SelfRegModules, xrefs: 00196AF5
1800, xrefs: 0019722F, 0019778E
qQ, xrefs: 001977FC
XbQ, xrefs: 00196ADD
8nQ, xrefs: 001974F2
0qQ, xrefs: 00197763
rQ, xrefs: 001978D9
`VQ, xrefs: 00195BEC
AI_Game, xrefs: 0019733C, 00197530
TypeLib, xrefs: 00196A95
(EQ, xrefs: 00193752
dQ, xrefs: 00196C66
pGQ, xrefs: 00193BFF
Location, xrefs: 00197064, 001970EA
@bQ, xrefs: 00196ACA
100000, xrefs: 00196F9A
ODBCTranslator, xrefs: 0019485F, 00196989
RemoveRegistryValues, xrefs: 00194BCB, 00194D11
@OQ, xrefs: 00194CB0
PnQ, xrefs: 00197505
pYQ, xrefs: 0019627D
`LQ, xrefs: 00194685
8dQ, xrefs: 00196C79
ODBCDataSource, xrefs: 00194719, 00196903
500, xrefs: 00197595
ZQ, xrefs: 0019646F
HUQ, xrefs: 001959BA
RemoveFolders, xrefs: 00195C4D
RegisterMIMEInfo, xrefs: 0019664B
x`Q, xrefs: 00196938
0gQ, xrefs: 00196F05
xMQ, xrefs: 001948DE
CreateShortcuts, xrefs: 0019644E
8cQ, xrefs: 00196B93
hfQ, xrefs: 00196E62
AI_ScheduledTasks, xrefs: 00197724
h\Q, xrefs: 001965B6
IniFile, xrefs: 0019551B, 00196775
cQ, xrefs: 00196B80
UnregisterFonts, xrefs: 00194A85
MIME, xrefs: 0019528F, 00196671
150, xrefs: 00196564
120000, xrefs: 0019562E
RegisterExtensionInfo, xrefs: 00196551
`hQ, xrefs: 00196FFF
1500, xrefs: 00193CCE, 001953A2, 001954E8, 001972AC, 00197814
8PQ, xrefs: 00194EC2
(iQ, xrefs: 001970AB
FQ, xrefs: 00193958
ZQ, xrefs: 001963CC
6000, xrefs: 001966E1
pmQ, xrefs: 0019744C
plQ, xrefs: 0019737B
HKQ, xrefs: 0019442C
ProgId, xrefs: 00195164, 001965F4
Options, xrefs: 00197170, 001971F6
RegisterClassInfo, xrefs: 001964D4
8RQ, xrefs: 00195315
AI_XmlInstall, xrefs: 0019721C, 00197299
8[Q, xrefs: 001964BC
Extension, xrefs: 00195003, 00196577
xUQ, xrefs: 00195A05
(VQ, xrefs: 00195B7E
xDQ, xrefs: 001935DA
10000, xrefs: 00196D9D, 00197994
pkQ, xrefs: 001972A7
AI_ExtractPrereq, xrefs: 0019708A
h[Q, xrefs: 001964E2
1500000, xrefs: 00196C0B
XaQ, xrefs: 001969F7
AI_UserGroups, xrefs: 00197436, 0019762A
hpQ, xrefs: 001976BD
XlQ, xrefs: 00197368
hJQ, xrefs: 00194239
XkQ, xrefs: 00197294
GQ, xrefs: 00193B66
GQ, xrefs: 00193D06
UnpublishComponents, xrefs: 00193F16
ODBCDriver, xrefs: 001949A5, 00196A0F
HVQ, xrefs: 00195BB1
PdQ, xrefs: 00196C8C
fQ, xrefs: 00196EC9
RemoveFiles, xrefs: 001959CD, 00195B13
eQ, xrefs: 00196DF8
@WQ, xrefs: 00195DCB
AI_CountRowAction, xrefs: 00197904
SelfReg, xrefs: 001945D3, 00196B1B
AppId, xrefs: 00194EBD, 001964FA
PoQ, xrefs: 001975D9
8GQ, xrefs: 00193B99
\Q, xrefs: 00196620
(DQ, xrefs: 00193559
eQ, xrefs: 00196D38
2000, xrefs: 001936AC, 00196767, 00197329, 001973A6, 00197423, 001974A0, 00197617, 00197694, 00197711
nQ, xrefs: 001974DF
Feature_, xrefs: 00193E3B, 00195036, 00196588, 00196E47, 0019703D, 001970C3, 00197149, 001971E3
SelfUnregModules, xrefs: 0019456D
UnregisterMIMEInfo, xrefs: 00195229
HLQ, xrefs: 00194652
]Q, xrefs: 001966EF
XOQ, xrefs: 00194CE3
(kQ, xrefs: 0019726E
MoveFile, xrefs: 00195F3F
AI_DownloadPrereq, xrefs: 00197004
pbQ, xrefs: 00196AF0
PZQ, xrefs: 001963F2
BindImage, xrefs: 001963D1, 001963F7
P\Q, xrefs: 001965A3
AppSearch, xrefs: 00193679, 001936FA
ServiceInstall, xrefs: 00196C1E
0KQ, xrefs: 00194405
~, xrefs: 0019717A
Component, xrefs: 00193819, 00193A8D, 00193BD8, 00193D01
xiQ, xrefs: 001970F8
heQ, xrefs: 00196D85
`sQ, xrefs: 00197940
InstallFiles, xrefs: 0019601F
PQ, xrefs: 00194E8F
0SQ, xrefs: 00195520
HTQ, xrefs: 00195779
Font, xrefs: 00194AEB, 00196886
0fQ, xrefs: 00196E31
XPQ, xrefs: 00194EF5
0]Q, xrefs: 00196659
RemoveEnvironmentStrings, xrefs: 00195741
dQ, xrefs: 00196D12
RQ, xrefs: 001952C7
AI_UninstallTasks, xrefs: 0019748D
HrQ, xrefs: 0019785C
8QQ, xrefs: 001950E8
h]Q, xrefs: 00196687
XDQ, xrefs: 001935A7
`_Q, xrefs: 00196848
`rQ, xrefs: 0019786F
StartServices, xrefs: 00196D04
CreateFolders, xrefs: 00195D93
RemoveExistingProducts, xrefs: 00193554
nQ, xrefs: 00197582
UnregisterProgIdInfo, xrefs: 001950E3
RemoveDuplicateFiles, xrefs: 00195887
200000, xrefs: 00196F1D
8HQ, xrefs: 00193DA7
Component_, xrefs: 00193FA8, 00194234, 0019437A, 001944C0, 00194771, 00194892, 001949D8, 00194C6E, 00194DAA, 00195408, 0019554E, 00195694, 0019580E, 00195920, 00195A66, 00195D0B, 00195E2C, 00195F72, 001960B8, 00196344, 00196487, 00196707, 0019678D, 00196813, 00196916, 0019699C, 00196A22, 00196AA8, 00196BAB, 00196C31, 00196CB2, 00196D3D, 00196DC3
PublishComponent, xrefs: 00193F75, 00196DB0
@YQ, xrefs: 0019620D
0JQ, xrefs: 001941D3
_Q, xrefs: 001968B2
RemoveIniFile, xrefs: 001953D5
AI_ProcessAccounts, xrefs: 00197681
WriteEnvironmentStrings, xrefs: 001967DA
HhQ, xrefs: 00196FEC
AI_ChainProductsPseudo, xrefs: 00197887
DuplicateFiles, xrefs: 001962AB
HQ, xrefs: 00193D7B
H^Q, xrefs: 0019674F
3000, xrefs: 00193F42, 00194088, 0019445A, 00194BFE, 00194D44, 00194E8A, 00194FD0, 00195116, 0019525C, 00195774, 001964E7, 0019665E, 00196A82, 00196B85
20000, xrefs: 00196D17
KQ, xrefs: 00194572
XXQ, xrefs: 00196024
100, xrefs: 00196198, 001965E1, 0019751D
AI_GxInstall, xrefs: 00197316
8IQ, xrefs: 00193FAD
hdQ, xrefs: 00196C9F
iQ, xrefs: 00197144
8eQ, xrefs: 00196D5F
`KQ, xrefs: 0019445F
hQQ, xrefs: 00195169
RegisterFonts, xrefs: 00196860
pOQ, xrefs: 00194D16
``Q, xrefs: 00196911
pPQ, xrefs: 00194F3C
HiQ, xrefs: 001970BE
@FQ, xrefs: 0019398B
xqQ, xrefs: 0019779C
XFQ, xrefs: 001939C6
Complus, xrefs: 0019448D, 00196B98
QQ, xrefs: 00195261
RegisterTypeLibraries, xrefs: 00196A6F
PublishComponents, xrefs: 00196D8A
InstallODBC, xrefs: 001968DD, 00196963, 001969E9
12000, xrefs: 001946E6, 0019482C, 00194972, 001958BA, 00195A00, 00195B61, 00195C80, 00195DC6, 00196461, 001968F0, 00196976, 001969FC
RQ, xrefs: 00195487
30000, xrefs: 00193E08, 00196E23
InstallInitialize, xrefs: 00196F0A
lQ, xrefs: 00197337
`TQ, xrefs: 001957AC
InstallValidate, xrefs: 00193B61
(`Q, xrefs: 001968EB
AI_AppSearchEx, xrefs: 00197587, 001975AD
HqQ, xrefs: 00197776
CostFinalize, xrefs: 00193A38
Registry, xrefs: 00194C31, 001966F4
AI_ProcessGroups, xrefs: 00197604
File, xrefs: 00193953, 00195A33, 00196085
Shortcut, xrefs: 0019566B, 00196474
8mQ, xrefs: 0019741E
P[Q, xrefs: 001964CF
pNQ, xrefs: 00194AF0
`qQ, xrefs: 00197789
800, xrefs: 00193B94
QQ, xrefs: 001950B5
VQ, xrefs: 00195D10
PeQ, xrefs: 00196D72
0pQ, xrefs: 0019768F
xLQ, xrefs: 001946B8
@EQ, xrefs: 00193785
JQ, xrefs: 0019434C
PatchSize, xrefs: 00196245
hQ, xrefs: 00197072
AI_UninstallGroups, xrefs: 00197410
HJQ, xrefs: 00194206
(NQ, xrefs: 00194A57
UnpublishFeatures, xrefs: 00194055
^Q, xrefs: 001967D5
`MQ, xrefs: 00194897
(jQ, xrefs: 00197191
PGQ, xrefs: 00193BDD
XNQ, xrefs: 00194ABD
FileSize, xrefs: 001960FF
xsQ, xrefs: 00197956
PmQ, xrefs: 00197431
YQ, xrefs: 001961D0
ServiceControl, xrefs: 00194201, 00194347, 00196D2A
@aQ, xrefs: 001969E4

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID:
String ID: FQ$ GQ$ HQ$ PQ$ QQ$ RQ$ YQ$ ZQ$ [Q$ cQ$ dQ$ eQ$ lQ$ mQ$ nQ$(DQ$(EQ$(MQ$(NQ$(OQ$(VQ$(WQ$(XQ$(`Q$(aQ$(bQ$(iQ$(jQ$(kQ$(sQ$(tQ$0JQ$0KQ$0LQ$0SQ$0TQ$0UQ$0]Q$0^Q$0_Q$0fQ$0gQ$0hQ$0pQ$0qQ$0rQ$100$10000$100000$12000$120000$150$1500$15000$1500000$1800$2000$20000$200000$3000$30000$3000000$500$5000$6000$800$8000$8GQ$8HQ$8IQ$8PQ$8QQ$8RQ$8ZQ$8[Q$8\Q$8cQ$8dQ$8eQ$8mQ$8nQ$8oQ$@DQ$@EQ$@FQ$@MQ$@NQ$@OQ$@WQ$@XQ$@YQ$@`Q$@aQ$@bQ$@jQ$@kQ$@lQ$@sQ$AI_AppSearchEx$AI_ChainProductsPseudo$AI_CountRowAction$AI_DefaultActionCost$AI_DownloadPrereq$AI_ExtractPrereq$AI_Game$AI_GxInstall$AI_GxUninstall$AI_InstallPostPrerequisite$AI_InstallPrerequisite$AI_PreRequisite$AI_ProcessAccounts$AI_ProcessGroups$AI_ProcessTasks$AI_ScheduledTasks$AI_UninstallAccounts$AI_UninstallGroups$AI_UninstallTasks$AI_UserAccounts$AI_UserGroups$AI_XmlAttribute$AI_XmlElement$AI_XmlInstall$AI_XmlUninstall$AppId$AppSearch$BindImage$Complus$Component$Component_$CostFinalize$CostInitialize$CreateFolder$CreateFolders$CreateShortcuts$DuplicateFile$DuplicateFiles$Environment$Extension$Feature$Feature_$File$FileCost$FileSize$Font$HJQ$HKQ$HLQ$HTQ$HUQ$HVQ$H]Q$H^Q$H_Q$HgQ$HhQ$HiQ$HpQ$HqQ$HrQ$IniFile$InstallFiles$InstallFinalize$InstallInitialize$InstallODBC$InstallServices$InstallValidate$Location$MIME$MoveFile$MoveFiles$MsiAssembly$MsiConfigureServices$MsiPublishAssemblies$MsiUnpublishAssemblies$ODBCDataSource$ODBCDriver$ODBCTranslator$Options$PGQ$PHQ$PIQ$PQQ$PRQ$PSQ$PZQ$P[Q$P\Q$Patch$PatchFiles$PatchSize$PdQ$PeQ$PfQ$PmQ$PnQ$PoQ$ProcessComponents$ProgId$PublishComponent$PublishComponents$PublishFeatures$RegisterClassInfo$RegisterComPlus$RegisterExtensionInfo$RegisterFonts$RegisterMIMEInfo$RegisterProgIdInfo$RegisterTypeLibraries$Registry$RemoveDuplicateFiles$RemoveEnvironmentStrings$RemoveExistingProducts$RemoveFile$RemoveFiles$RemoveFolders$RemoveIniFile$RemoveIniValues$RemoveODBC$RemoveRegistry$RemoveRegistryValues$RemoveShortcuts$SelfReg$SelfRegModules$SelfUnregModules$ServiceControl$ServiceInstall$Shortcut$StartServices$StopServices$TypeLib$UnpublishComponents$UnpublishFeatures$UnregisterClassInfo$UnregisterComPlus$UnregisterExtensionInfo$UnregisterFonts$UnregisterMIMEInfo$UnregisterProgIdInfo$WriteEnvironmentStrings$WriteIniValues$WriteRegistryValues$XDQ$XEQ$XFQ$XNQ$XOQ$XPQ$XWQ$XXQ$XYQ$XaQ$XbQ$XcQ$XjQ$XkQ$XlQ$`KQ$`LQ$`MQ$`TQ$`UQ$`VQ$`^Q$`_Q$``Q$`gQ$`hQ$`iQ$`qQ$`rQ$`sQ$hHQ$hIQ$hJQ$hQQ$hRQ$hSQ$h[Q$h\Q$h]Q$hdQ$heQ$hfQ$hnQ$hoQ$hpQ$pEQ$pFQ$pGQ$pNQ$pOQ$pPQ$pXQ$pYQ$pZQ$paQ$pbQ$pcQ$pkQ$plQ$pmQ$xDQ$xKQ$xLQ$xMQ$xUQ$xVQ$xWQ$x^Q$x_Q$x`Q$xhQ$xiQ$xjQ$xqQ$xrQ$xsQ$~$GQ$HQ$IQ$JQ$KQ$LQ$QQ$RQ$SQ$TQ$UQ$VQ$ZQ$[Q$\Q$]Q$^Q$_Q$dQ$eQ$fQ$gQ$hQ$iQ$mQ$nQ$oQ$pQ$qQ$rQ
API String ID: 0-1018420627
Opcode ID: 0aa8c61a70fe5324e6d2539befefc6b75680cdc3a3111925f63c4082d2fdcc61
Instruction ID: 73d5c719170bf20cf87f7367f45f7c4ff229b05730fb50a78d9776e1b630a6dc
Opcode Fuzzy Hash: 0aa8c61a70fe5324e6d2539befefc6b75680cdc3a3111925f63c4082d2fdcc61
Instruction Fuzzy Hash: 1A73D320A55784E6E700DB74AD057DE7AA1ABB3304F64D349F1502B2E1DFB806C8EBE5

Function 002EE400 Relevance: 40.8, APIs: 14, Strings: 9, Instructions: 524fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(005143A4,C0000000,00000003,00000000,00000004,00000080,00000000,081DA4CA,-00000001,00514398,00514380), ref: 002EE475
GetLastError.KERNEL32 ref: 002EE49D
OutputDebugStringW.KERNEL32(00000000,00000020), ref: 002EE522
OutputDebugStringW.KERNEL32(00000000,?,0000001C), ref: 002EE652
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0000001C), ref: 002EE6EE
WriteFile.KERNEL32(00000000,00513670,00000000,00000002,00000000,?,0000001D), ref: 002EE865
FlushFileBuffers.KERNEL32(00000000,?,0000001D), ref: 002EE86E

Part of subcall function 0019B480: GetProcessHeap.KERNEL32 ref: 0019B4D5

WriteFile.KERNEL32(00000000,?,00000000,00000002,00000000,00483DEC,00000002), ref: 002EE924
FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001D), ref: 002EE92D
WriteFile.KERNEL32(00000000,?,00000000,00000002,00000000,00483DEC,00000002), ref: 002EE9D9
FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0000001D), ref: 002EE9E2

Strings

server, xrefs: 002EE8D0, 002EE8D8
OS Version: %u.%u.%u SP%u (%s) [%s], xrefs: 002EE8F4
workstation, xrefs: 002EE8CB
=H, xrefs: 002EE999
x86, xrefs: 002EE8B5
LOGGER->Reusing LOG file at:, xrefs: 002EE5F7, 002EE609, 002EE613
x64, xrefs: 002EE8BE, 002EE8CA
LOGGER->failed to create LOG at:, xrefs: 002EE4DD, 002EE4EF, 002EE4F9
LOGGER->Creating LOG file at:, xrefs: 002EE736, 002EE748, 002EE752

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: File$BuffersFlushWrite$DebugOutputString$CreateErrorHeapLastPointerProcess
String ID: LOGGER->Creating LOG file at:$LOGGER->Reusing LOG file at:$LOGGER->failed to create LOG at:$OS Version: %u.%u.%u SP%u (%s) [%s]$server$workstation$x64$x86$=H
API String ID: 2331954151-2411580988
Opcode ID: 7b441b52eb0dd3b59b0fd6b133dfd8d954112f9d70f5266a2733795a8ae0039c
Instruction ID: bcf9fa665fadd8bf4ba83dd3d2db9c579b1362c02abca49f9fe58e1fc3769f95
Opcode Fuzzy Hash: 7b441b52eb0dd3b59b0fd6b133dfd8d954112f9d70f5266a2733795a8ae0039c
Instruction Fuzzy Hash: 90129A71A102459BDF00DF68D844BADBBB5BF84324F654269E825AB3D2DB34EE01CB85

Function 001D9330 Relevance: 21.9, APIs: 8, Strings: 4, Instructions: 872COMMON

Download Yara Rule

Strings

Key, xrefs: 001D971C
UIText, xrefs: 001D96F4
Component, xrefs: 001D9391
Text, xrefs: 001D96D0

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ExclusiveLockRelease
String ID: Component$Key$Text$UIText
API String ID: 1766480654-1667094980
Opcode ID: 0b99f878f64d355b5e61c965687b4f08c4ccfcd66e48b1ac8b41ab25926e395e
Instruction ID: 322882347c150c4561b53bc6f5faaf123a6980756a575a918dbfe4204ffa2ccf
Opcode Fuzzy Hash: 0b99f878f64d355b5e61c965687b4f08c4ccfcd66e48b1ac8b41ab25926e395e
Instruction Fuzzy Hash: 7572D1B1E00208DFDB14DFA8C845BAEBBB5FF54314F24826AE415AB391D775AA05CF90

Function 001B3130 Relevance: 21.6, APIs: 14, Instructions: 596windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 001B3205
ShowWindow.USER32(?,00000000), ref: 001B3224
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 001B3232
GetWindowRect.USER32(?,?), ref: 001B3249
ShowWindow.USER32(?,00000000), ref: 001B326A
SetWindowLongW.USER32(00000000,000000EB,?), ref: 001B3281

Part of subcall function 0019B0F0: RtlAllocateHeap.NTDLL(?,00000000,?,081DA4CA,00000000,003E8920,000000FF,?,?,0050A344,?,?,003394E7,80004005,081DA4CA,?), ref: 0019B13A

ShowWindow.USER32(?,?,?,00000000), ref: 001B342D
GetWindowLongW.USER32(?,000000EB), ref: 001B3461
ShowWindow.USER32(?,?,?,00000000), ref: 001B347F
GetWindowRect.USER32(?,?), ref: 001B34A9
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 001B3638
GetWindowRect.USER32(?,?), ref: 001B36E9
GetWindowRect.USER32(?,?), ref: 001B3734
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 001B3772

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Window$LongRectShow$MessageSend$AllocateHeap
String ID:
API String ID: 2680428312-0
Opcode ID: 5134d1a52892ab73d38d1f5b02f1d33c5a2cb2cec84e6415ff7a4581320b46ce
Instruction ID: 357c58b880d7930a35f20a242810ef02b77cfbadc32e4622868d2356d73ffaf1
Opcode Fuzzy Hash: 5134d1a52892ab73d38d1f5b02f1d33c5a2cb2cec84e6415ff7a4581320b46ce
Instruction Fuzzy Hash: 18329AB1A04205AFCB15CF68D884AAEBBF5FF98300F14495DF865A7260DB30EA55CB91

Function 001D7530 Relevance: 21.5, APIs: 2, Strings: 10, Instructions: 510libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 001D7A97
GetProcAddress.KERNEL32(00000000,00000000), ref: 001D7B11

Strings

HYH, xrefs: 001D75E0
Target, xrefs: 001D7762, 001D7970
`Action`= ', xrefs: 001D7581
SELECT `Data` FROM `Binary` WHERE `Name` = ', xrefs: 001D7A27
Source, xrefs: 001D77B6, 001D78FA
Type, xrefs: 001D7679
stoi argument out of range, xrefs: 001D7B7C
EmbeddedUIInstallHandleAccessServer, xrefs: 001D79CD
invalid stoi argument, xrefs: 001D7B72
CustomAction, xrefs: 001D75BE

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: CustomAction$EmbeddedUIInstallHandleAccessServer$HYH$SELECT `Data` FROM `Binary` WHERE `Name` = '$Source$Target$Type$`Action`= '$invalid stoi argument$stoi argument out of range
API String ID: 2574300362-3300364256
Opcode ID: aedd2c98f121823e33b1974ca3e3eaeb8a5d2ce6dbf7f99c5ca524cd4a70fe42
Instruction ID: 0eca5c0c8b6b404e78b6938a08d5687170e9e95b1de86f7d5d4d32937ec3c82d
Opcode Fuzzy Hash: aedd2c98f121823e33b1974ca3e3eaeb8a5d2ce6dbf7f99c5ca524cd4a70fe42
Instruction Fuzzy Hash: 5022E071D00258DFDF14DBA4CC55BEEBBB1AF55304F24429AE405BB281EB746A88CBA1

Function 001A82C0 Relevance: 21.4, APIs: 14, Instructions: 411memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 001A87A0: EnterCriticalSection.KERNEL32(005196CC,081DA4CA,00000000,?,?,?,?,?,?,001A7F05,003EC11D,000000FF), ref: 001A87DD
Part of subcall function 001A87A0: LoadCursorW.USER32(00000000,00007F00), ref: 001A8858
Part of subcall function 001A87A0: LoadCursorW.USER32(00000000,00007F00), ref: 001A8900

SysFreeString.OLEAUT32(00000000), ref: 001A8380
SysAllocString.OLEAUT32(00000000), ref: 001A83BB
GetWindowLongW.USER32(?,000000EC), ref: 001A8489
GetWindowLongW.USER32(?,000000EC), ref: 001A8499
SetWindowLongW.USER32(?,000000EC,00000000), ref: 001A84A8
NtdllDefWindowProc_W.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,001A7F05,00000000), ref: 001A84BA
GetWindowLongW.USER32(?,000000EB), ref: 001A84C8
SetWindowTextW.USER32(?,0047FF70), ref: 001A8576
GlobalAlloc.KERNEL32(00000042,00000000), ref: 001A85A7
GlobalLock.KERNEL32(00000000), ref: 001A85B5
GlobalUnlock.KERNEL32(?), ref: 001A8607
SetWindowLongW.USER32(?,000000EB,00000000), ref: 001A869D
SysFreeString.OLEAUT32(00000000), ref: 001A86C0
SysFreeString.OLEAUT32(00000000), ref: 001A872F

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Window$Long$String$FreeGlobal$AllocCursorLoad$CriticalEnterLockNtdllProc_SectionTextUnlock
String ID:
API String ID: 3547321447-0
Opcode ID: a1e5bff0c15e6a5391efc290c1f3e6f0ab57c737c30001475d026ac9deb514fd
Instruction ID: b6187102a239d5fc3ec38a07090a989e328d32c179aa754dbccfb89457c5e85e
Opcode Fuzzy Hash: a1e5bff0c15e6a5391efc290c1f3e6f0ab57c737c30001475d026ac9deb514fd
Instruction Fuzzy Hash: A9E1D074A00219DFDF01DFA8DC48BAEBBB8BF49714F144169E911EB291CB759E04CBA1

Function 00302C10 Relevance: 19.8, APIs: 3, Strings: 8, Instructions: 539fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0019B480: GetProcessHeap.KERNEL32 ref: 0019B4D5

FindFirstFileW.KERNEL32(?,?,00000000,00000000), ref: 003030E1
FindClose.KERNEL32(00000000), ref: 00303115
FindClose.KERNEL32(00000000), ref: 003031C1

Strings

No acceptable version found. It must be installed from package., xrefs: 00303753
No acceptable version found. Operating System not supported., xrefs: 00303768
No acceptable version found. It is already downloaded and it will be installed., xrefs: 0030376F
Not selected for install., xrefs: 0030377D
An acceptable version was found., xrefs: 0030374C
No acceptable version found. It must be downloaded., xrefs: 0030375A
No acceptable version found. It must be downloaded manually from a site., xrefs: 00303761
No acceptable version found., xrefs: 00303776

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Find$Close$FileFirstHeapProcess
String ID: An acceptable version was found.$No acceptable version found.$No acceptable version found. It is already downloaded and it will be installed.$No acceptable version found. It must be downloaded manually from a site.$No acceptable version found. It must be downloaded.$No acceptable version found. It must be installed from package.$No acceptable version found. Operating System not supported.$Not selected for install.
API String ID: 4254541338-749633484
Opcode ID: ef13aaf12b8dab3a98fdf3c00de45b00e26fb5eb293d54c7c2ce907b3e7165ec
Instruction ID: c63d42de2ff5377ecc54c26910f47b633168c8bff51c99fd09de7c7df03b8667
Opcode Fuzzy Hash: ef13aaf12b8dab3a98fdf3c00de45b00e26fb5eb293d54c7c2ce907b3e7165ec
Instruction Fuzzy Hash: 64229D30A026198FCF15DF68C8A826EBBB5FF48314F1445AED8559B392DB34AE45CF81

Function 001B4FC0 Relevance: 17.9, APIs: 7, Strings: 3, Instructions: 397fileCOMMON

Download Yara Rule

APIs

FindClose.KERNEL32(00000000), ref: 001B501F
PathIsUNCW.SHLWAPI(081DA4CA,*.*,00000000), ref: 001B50E6
FindFirstFileW.KERNEL32(081DA4CA,?,*.*,00000000), ref: 001B5279
GetFullPathNameW.KERNEL32(081DA4CA,00000000,00000000,00000000), ref: 001B5293
GetFullPathNameW.KERNEL32(081DA4CA,00000000,?,00000000), ref: 001B52D0
FindClose.KERNEL32(00000000), ref: 001B5334
SetLastError.KERNEL32(0000007B), ref: 001B533E

Strings

\\?\, xrefs: 001B51F7, 001B5263
*.*, xrefs: 001B5048, 001B50B3, 001B50B4
\\?\UNC\, xrefs: 001B5106, 001B51E1

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: FindPath$CloseFullName$ErrorFileFirstLast
String ID: *.*$\\?\$\\?\UNC\
API String ID: 539638818-1700010636
Opcode ID: dec11f7b2dbf137c4c9d950c6b7668c3a264e9823d8b5166c24b809ed253aaba
Instruction ID: 922c0592606eb047147516d1ba6c5dd6d74f48eb8c7c0659bd69900cab30b572
Opcode Fuzzy Hash: dec11f7b2dbf137c4c9d950c6b7668c3a264e9823d8b5166c24b809ed253aaba
Instruction Fuzzy Hash: BCE1CF30A01A05DFDB05DF68C889BAEB7B2FF14315F184168E9159F3A6DB369D40CB90

Function 001D0AF0 Relevance: 16.7, APIs: 1, Strings: 8, Instructions: 946windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000030,00000000,00000001), ref: 001D0B44

Strings

AiTabPage, xrefs: 001D0D57, 001D0EA1
ControlEvent, xrefs: 001D0DC5
SpawnDialog, xrefs: 001D1217
Title, xrefs: 001D12AE
`Dialog_`=', xrefs: 001D0C8B
Dialog, xrefs: 001D12E8, 001D1310, 001D149B, 001D14E0, 001D150E
' AND `Control_`=', xrefs: 001D0CD4
dSH, xrefs: 001D0DF6

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: MessageSend
String ID: ' AND `Control_`='$AiTabPage$ControlEvent$Dialog$SpawnDialog$Title$`Dialog_`='$dSH
API String ID: 3850602802-1349146678
Opcode ID: 03c335286ae84ef8a1e7857a1501f8126d773057ee9805e6b7a5025ef8b8266a
Instruction ID: aa8b887433e3bae9cd82dc88ad0b3303717353255c9b122aa006b4191f94f124
Opcode Fuzzy Hash: 03c335286ae84ef8a1e7857a1501f8126d773057ee9805e6b7a5025ef8b8266a
Instruction Fuzzy Hash: E5829D71E10258DFCB14DF64C898BEEBBB1BF58304F244299E415A7391DB74AA84CF90

Function 002F8E90 Relevance: 14.6, APIs: 7, Strings: 1, Instructions: 605COMMON

Download Yara Rule

APIs

Part of subcall function 003BFF15: AcquireSRWLockExclusive.KERNEL32(00512A40,?,?,?,0019B526,00513654,081DA4CA,?,?,003E8E9D,000000FF,?,0033947D,081DA4CA,?), ref: 003BFF20
Part of subcall function 003BFF15: ReleaseSRWLockExclusive.KERNEL32(00512A40,?,?,0019B526,00513654,081DA4CA,?,?,003E8E9D,000000FF,?,0033947D,081DA4CA,?), ref: 003BFF5A

GetStdHandle.KERNEL32(000000F5,?,081DA4CA,?,?), ref: 002F9287
GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?), ref: 002F928E
GetStdHandle.KERNEL32(000000F5,0000000C,?,?), ref: 002F92A2
SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 002F92A9
GetStdHandle.KERNEL32(000000F5,000000FF,?,00000000,?,00000000,00483DEC,00000002,?,?), ref: 002F9362
SetConsoleTextAttribute.KERNEL32(00000000,?,?), ref: 002F9369
IsWindow.USER32(00000000), ref: 002F9608

Strings

Error, xrefs: 002F959B

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ConsoleHandle$AttributeExclusiveLockText$AcquireBufferInfoReleaseScreenWindow
String ID: Error
API String ID: 2349801371-2619118453
Opcode ID: 20b9d934fcd64e0408ba2fd27ff24082199149a35c066feebb6c57534d27c130
Instruction ID: 09e96a762231940613b9b19a8138bf1e2ca885e93b0a1f1ea45182eee554375c
Opcode Fuzzy Hash: 20b9d934fcd64e0408ba2fd27ff24082199149a35c066feebb6c57534d27c130
Instruction Fuzzy Hash: C4428B70D1025ACFDB24DF68CC48BEDBBB0BF54318F1042A9E519A7291EB74AA85DF50

Function 00191490 Relevance: 13.9, Strings: 11, Instructions: 186COMMON

Download Yara Rule

Strings

AI_CF_FRAME_BASE_COLOR, xrefs: 001914CC
AI_CF_CLOSEBTN_BASE_COLOR, xrefs: 0019158E
AI_CF_CLOSEBTN_COLORS, xrefs: 001916FC
AI_CF_FRAME_BORDER3_COLORS, xrefs: 00191665
AI_CF_CLOSEBTN_BORDER_COLORS, xrefs: 0019172F
AI_CF_FRAME_CAPTION2_COLORS, xrefs: 0019150A
AI_CF_FRAME_BORDER1_COLORS, xrefs: 001915D0
AI_CF_FRAME_BORDER2_COLORS, xrefs: 00191612
AI_CF_MINBTN_BASE_COLOR, xrefs: 0019154C
AI_CF_MINBTN_BORDER_COLORS, xrefs: 001916C9
AI_CF_MINBTN_COLORS, xrefs: 00191696

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID:
String ID: AI_CF_CLOSEBTN_BASE_COLOR$AI_CF_CLOSEBTN_BORDER_COLORS$AI_CF_CLOSEBTN_COLORS$AI_CF_FRAME_BASE_COLOR$AI_CF_FRAME_BORDER1_COLORS$AI_CF_FRAME_BORDER2_COLORS$AI_CF_FRAME_BORDER3_COLORS$AI_CF_FRAME_CAPTION2_COLORS$AI_CF_MINBTN_BASE_COLOR$AI_CF_MINBTN_BORDER_COLORS$AI_CF_MINBTN_COLORS
API String ID: 0-1938184520
Opcode ID: b58e2b22caaa0db2ca0414f148a2d7fa1115bcdec2c7353e1baff1f555e55675
Instruction ID: bb336246afaede56bc92485d5d4be38757e76b5aa43b86144b575512e954a751
Opcode Fuzzy Hash: b58e2b22caaa0db2ca0414f148a2d7fa1115bcdec2c7353e1baff1f555e55675
Instruction Fuzzy Hash: 41A14D70D55398DAEB50DF60CD597DDBBB0AF26308F148289E4483B281DBB91B88DF91

Function 001C1310 Relevance: 13.3, Strings: 10, Instructions: 811COMMON

Download Yara Rule

Strings

OldProductCode, xrefs: 001C163F
AI_GenNewCompGuids, xrefs: 001C18A1
, xrefs: 001C1C60
InstanceId, xrefs: 001C15A9
AI_MajorUpgrades, xrefs: 001C17BB
Manufacturer, xrefs: 001C147D
UpgradeCode, xrefs: 001C13E7
ProductVersion, xrefs: 001C1513
ProductCode, xrefs: 001C135C
AI_DynInstances, xrefs: 001C16D2

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID:
String ID: $AI_DynInstances$AI_GenNewCompGuids$AI_MajorUpgrades$InstanceId$Manufacturer$OldProductCode$ProductCode$ProductVersion$UpgradeCode
API String ID: 0-614494711
Opcode ID: 2a24254e04bc1b0b03ae2e7ed4b5269dde3a0f3fa0dafb3f1c6631eb182a6bf7
Instruction ID: ff53d8f5ad6f86691deb36cdcc6c07838df4096d0b9c5ed27cd8976d92077cac
Opcode Fuzzy Hash: 2a24254e04bc1b0b03ae2e7ed4b5269dde3a0f3fa0dafb3f1c6631eb182a6bf7
Instruction Fuzzy Hash: 7862E231D00258DBDF18DB64CC54BEEBBB1AF55304F28829DE406B7292DB74AE85CB91

Function 001C61C0 Relevance: 12.9, APIs: 5, Strings: 2, Instructions: 650windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001009,00000000,00000000), ref: 001C62AB

Part of subcall function 003BFF15: AcquireSRWLockExclusive.KERNEL32(00512A40,?,?,?,0019B526,00513654,081DA4CA,?,?,003E8E9D,000000FF,?,0033947D,081DA4CA,?), ref: 003BFF20
Part of subcall function 003BFF15: ReleaseSRWLockExclusive.KERNEL32(00512A40,?,?,0019B526,00513654,081DA4CA,?,?,003E8E9D,000000FF,?,0033947D,081DA4CA,?), ref: 003BFF5A

Part of subcall function 003BFEC4: AcquireSRWLockExclusive.KERNEL32(00512A40,?,?,0019B597,00513654,00451520), ref: 003BFECE
Part of subcall function 003BFEC4: ReleaseSRWLockExclusive.KERNEL32(00512A40,?,?,0019B597,00513654,00451520), ref: 003BFF01
Part of subcall function 003BFEC4: WakeAllConditionVariable.KERNEL32(00512A3C,?,?,0019B597,00513654,00451520), ref: 003BFF0C

SendMessageW.USER32(?,0000104D,00000000,?), ref: 001C679F
SendMessageW.USER32(?,0000102B,?,0000000F), ref: 001C684D
SendMessageW.USER32(?,00001003,00000001,?), ref: 001C68F4

Part of subcall function 002E7720: __cftof.LIBCMT ref: 002E7770

SendMessageW.USER32(?,0000101E,00000000,0000FFFE), ref: 001C6AA8

Strings

Icon, xrefs: 001C65F3
AiFeatIco, xrefs: 001C652C

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: MessageSend$ExclusiveLock$AcquireRelease$ConditionVariableWake__cftof
String ID: AiFeatIco$Icon
API String ID: 1739475930-1280411655
Opcode ID: 6e44b4bb86c34d3b745caff72c89b347517498747813ad5c0da1e3b336ba9e6e
Instruction ID: 878886b088b3d96ddd42ed428deeda669004a7b5c5ce2ba965c66a8425a172c1
Opcode Fuzzy Hash: 6e44b4bb86c34d3b745caff72c89b347517498747813ad5c0da1e3b336ba9e6e
Instruction Fuzzy Hash: 5D526A71900258DFDB24DF68CD58BEDBBB1EF69304F1441A9E44AAB291DB70AE84CF50

Function 002D1110 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 389windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 002D13E1
SendMessageW.USER32(?,00000443,00000000), ref: 002D1455
MulDiv.KERNEL32(?,00000000), ref: 002D148C

Strings

Segoe UI, xrefs: 002D1463
NumberValidationTipTitle, xrefs: 002D11AB
NumberValidationTipMsg, xrefs: 002D12AD

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: MessageSendWindow
String ID: NumberValidationTipMsg$NumberValidationTipTitle$Segoe UI
API String ID: 701072176-2319862951
Opcode ID: c3468357ca9b7873b2888c0e8be751d88f6dc0c62e4e6f1f43f4e8ebde8607b6
Instruction ID: f8c4a56ef78c3f145a73dd0e0c8bd3239b1502115d85a2203e67a8117d2b9611
Opcode Fuzzy Hash: c3468357ca9b7873b2888c0e8be751d88f6dc0c62e4e6f1f43f4e8ebde8607b6
Instruction Fuzzy Hash: 5AE1E031A00219AFDB18CF24CC55BEEBBB1FF89304F108299E555A72D1DB74AA55CF90

Function 003E29DE Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 003D7FC9: GetLastError.KERNEL32(?,00000008,003DA451), ref: 003D7FCD
Part of subcall function 003D7FC9: SetLastError.KERNEL32(00000000,00000000,00000005,000000FF), ref: 003D806F

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 003E2AEA
IsValidCodePage.KERNEL32(00000000), ref: 003E2B33
IsValidLocale.KERNEL32(?,00000001), ref: 003E2B42
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 003E2B8A
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 003E2BA9

Strings

tG, xrefs: 003E2A43

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID: tG
API String ID: 415426439-868048279
Opcode ID: 81d0e59c00a61da0e2cb4a35457f2c8be0c18695a62851e87e72441002f423e2
Instruction ID: d778978a8ad99db93ed83e78b5246ee58cb48f535e3a1449129aa8b2da89b8ea
Opcode Fuzzy Hash: 81d0e59c00a61da0e2cb4a35457f2c8be0c18695a62851e87e72441002f423e2
Instruction Fuzzy Hash: C3518171A00266AFEB22DFA6CC41ABF73BCBF44700F154679B914EB1D1EB7099448B60

Function 003E3271 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 003E3455

Strings

1#IND, xrefs: 003E3376
1#QNAN, xrefs: 003E3384
1#INF, xrefs: 003E33A7
1#SNAN, xrefs: 003E337D

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 2212374922e38045a0e8d002cea530e8afaefa8ec6f9a6d2215f2c973d9cb3c9
Instruction ID: f5adc095a41e664994175fe2d5b7da74b96f68bf82d18b0392f7b097ead5f386
Opcode Fuzzy Hash: 2212374922e38045a0e8d002cea530e8afaefa8ec6f9a6d2215f2c973d9cb3c9
Instruction Fuzzy Hash: 4CD23A71E082788FDB66CE29DD447EAB7B9EB48304F1546EAD44DE7280D774AE818F40

Function 00329410 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 465COMMON

Download Yara Rule

APIs

Part of subcall function 0019B480: GetProcessHeap.KERNEL32 ref: 0019B4D5

GetLogicalDriveStringsW.KERNEL32(00000064,?), ref: 00329650
GetDriveTypeW.KERNEL32(?), ref: 0032966A
Wow64DisableWow64FsRedirection.KERNEL32(00000000,00000000), ref: 00329713
Wow64RevertWow64FsRedirection.KERNEL32(00000000,00000000), ref: 003299B6

Strings

]%!, xrefs: 003295E8

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Wow64$DriveRedirection$DisableHeapLogicalProcessRevertStringsType
String ID: ]%!
API String ID: 4157823300-1069524040
Opcode ID: 23830b1b17eed9382e4da4e3ca0548a1c5d7a968bbe025550f0f288c833fdae0
Instruction ID: 60a02be16fba02ebdcbf59a877211cd0bcfac8c5cb8a15a9f04bfb39b643573d
Opcode Fuzzy Hash: 23830b1b17eed9382e4da4e3ca0548a1c5d7a968bbe025550f0f288c833fdae0
Instruction Fuzzy Hash: 5F02F730A00269CFDF25CF68CC94BADB7B5AF44310F1585EAE51AA7291DB709E85CF90

Function 003BF57D Relevance: 9.0, APIs: 6, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,003BF499,00000000,?,003BF631,?,?,?,?), ref: 003BF57F
GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,?,?,?,?), ref: 003BF5A6
HeapAlloc.KERNEL32(00000000,?,?,?,?), ref: 003BF5AD
InitializeSListHead.KERNEL32(00000000,?,?,?,?), ref: 003BF5BA
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?), ref: 003BF5CF
HeapFree.KERNEL32(00000000,?,?,?,?), ref: 003BF5D6

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
String ID:
API String ID: 1475849761-0
Opcode ID: af3d332d2cad1e9a0ad3b54b1bcf4c3481881fd19181680409a397343f003c1f
Instruction ID: fb9e5b5d86e4a6b6a02d952cdfb6fa5454e04e175f87eac77e10c9bf1bb0d4f1
Opcode Fuzzy Hash: af3d332d2cad1e9a0ad3b54b1bcf4c3481881fd19181680409a397343f003c1f
Instruction Fuzzy Hash: 47F0AF356013019FD7319F79AC08B4636B8AFD5B5BF119439FA85C7690DB30C8819B60

Function 003E205F Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 257COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 003D7FC9: GetLastError.KERNEL32(?,00000008,003DA451), ref: 003D7FCD
Part of subcall function 003D7FC9: SetLastError.KERNEL32(00000000,00000000,00000005,000000FF), ref: 003D806F

GetACP.KERNEL32(?,?,?,?,?,?,003D6BA4,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 003E2120
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,003D6BA4,?,?,?,00000055,?,-00000050,?,?), ref: 003E214B
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 003E22B4

Strings

utf8, xrefs: 003E221D
tG, xrefs: 003E20A1

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: tG$utf8
API String ID: 607553120-2238955080
Opcode ID: a25df73c4d215a8eb3ef80c26629ffcc29432cfde48e28d2e717aeb4375625e4
Instruction ID: 832593ac1c16818a34ca7928c32af4d3d32c13faa63a1b73d7bc4fc7fb9b7894
Opcode Fuzzy Hash: a25df73c4d215a8eb3ef80c26629ffcc29432cfde48e28d2e717aeb4375625e4
Instruction Fuzzy Hash: 9C710872600262AAD726AB76CC86FB773ACEF44700F15466AFA05DB1C1EB70ED408760

Function 003E2809 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,2000000B,003E2B27,00000002,00000000,?,?,?,003E2B27,?,00000000), ref: 003E28A2
GetLocaleInfoW.KERNEL32(00000000,20001004,003E2B27,00000002,00000000,?,?,?,003E2B27,?,00000000), ref: 003E28CB
GetACP.KERNEL32(?,?,003E2B27,?,00000000), ref: 003E28E0

Strings

OCP, xrefs: 003E285D
ACP, xrefs: 003E2827

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 894c25618cea7e27d9c6bd68db50910c1a64b7f2f763fd927a8d138422d841f5
Instruction ID: ae26129cd1fd42fe4f7810154b4911fa173f367a0de5a6650c18316e5b688062
Opcode Fuzzy Hash: 894c25618cea7e27d9c6bd68db50910c1a64b7f2f763fd927a8d138422d841f5
Instruction Fuzzy Hash: 0721B632B00165ABEB3A8F17CD04B9773AEEF54B54B578668E90ADB180E732DD41D390

Function 003200C0 Relevance: 6.6, APIs: 4, Instructions: 644fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0019B480: GetProcessHeap.KERNEL32 ref: 0019B4D5

FindFirstFileW.KERNEL32(?,?,00000000,00000000,?,?), ref: 003204FF
FindClose.KERNEL32(00000000), ref: 00320543
CloseHandle.KERNEL32(?,?), ref: 00320841

Part of subcall function 0033F730: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,081DA4CA,?,?,?,?,?,?,0042250D), ref: 0033F794

CloseHandle.KERNEL32(?,?), ref: 00320A0B

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Close$FileFindHandle$CreateFirstHeapProcess
String ID:
API String ID: 1937692618-0
Opcode ID: 3f6a0290d99887ca575028638b5ef10b1f24addea437fc81e196d7502851cd18
Instruction ID: c50fb586418faaea7947d5193586f101443fa348d2750aaea2b98133f24467e4
Opcode Fuzzy Hash: 3f6a0290d99887ca575028638b5ef10b1f24addea437fc81e196d7502851cd18
Instruction Fuzzy Hash: 64528B30D01A68CFDB15CB28DC547AEBBB0AF49315F1482D9D419A7392DB70AE85CF80

Function 00362D30 Relevance: 6.6, Strings: 5, Instructions: 314COMMON

Download Yara Rule

Strings

) AND ( , xrefs: 00362F13
>J, xrefs: 00363082, 00363088
>J, xrefs: 00363043
Show, xrefs: 00362EBA
gfff, xrefs: 00362E72

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID:
String ID: ) AND ( $Show$gfff$>J$>J
API String ID: 0-38119615
Opcode ID: 965d8501bb50348e13967488d462ff1a95dab1b747bd9b3516fcbbb785c1340f
Instruction ID: cd61504a861d3796ee5801deab1c4a2c270b021f9f572f10c6cdf5d4d159adeb
Opcode Fuzzy Hash: 965d8501bb50348e13967488d462ff1a95dab1b747bd9b3516fcbbb785c1340f
Instruction Fuzzy Hash: 06D1BC71900258CFDB25DF68C805BAEBBB1BF55304F1586D9E409AB281DB70AE88CF91

Function 003D85CE Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 003D865B

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 2f1df07007e75af5844a83376c0186215ddafb6c122a321a89280f26ff2c8aad
Instruction ID: e13a3309f45b82b7b49f22bf2395c04981844aeb583b0caa05f47c61d7d49801
Opcode Fuzzy Hash: 2f1df07007e75af5844a83376c0186215ddafb6c122a321a89280f26ff2c8aad
Instruction Fuzzy Hash: 8BB14633D042559FDB138F68D881BEEBBA5EF55310F25816BE505AB381DA34ED01DBA0

Function 0032A7C0 Relevance: 6.2, APIs: 4, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 546789bba54c5cb19d3a4999b72353fa3516a8fd9b1f0fe4acee75292be5a933
Instruction ID: 5797a82c853eeed48efb8f882a372da9218202530015993c4bfd3c0fcd4655c3
Opcode Fuzzy Hash: 546789bba54c5cb19d3a4999b72353fa3516a8fd9b1f0fe4acee75292be5a933
Instruction Fuzzy Hash: 5A91BE709016189FDF10DF28DC49B9DBBB5EF04324F1482D9E819AB292DB309E84CF91

Function 001BC450 Relevance: 5.7, Strings: 4, Instructions: 705COMMON

Download Yara Rule

Strings

AI_NO_BORDER_HOVER, xrefs: 001BC5FC
AI_CONTROL_VISUAL_STYLE, xrefs: 001BC4AA
AI_NO_BORDER_NORMAL, xrefs: 001BC546
AI_CONTROL_VISUAL_STYLE_EX, xrefs: 001BC915

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID:
String ID: AI_CONTROL_VISUAL_STYLE$AI_CONTROL_VISUAL_STYLE_EX$AI_NO_BORDER_HOVER$AI_NO_BORDER_NORMAL
API String ID: 0-932585912
Opcode ID: 7c0638df9ff480d9ddcebaf9bd5766f90faffbdfcc526f16351a376128ce81b0
Instruction ID: 499701ef7f42bb71d5389fcec7a807843bfd1ce9450d8adf9f05809cf5531ae0
Opcode Fuzzy Hash: 7c0638df9ff480d9ddcebaf9bd5766f90faffbdfcc526f16351a376128ce81b0
Instruction Fuzzy Hash: 67420071D002288FDB18DF68CC55BEEBBB1EF85300F14825AE455AB386D774AA45CBE1

Function 0032AC40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 195fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00000000,00000010), ref: 0032ACFC
FindClose.KERNEL32(00000000), ref: 0032AE7F

Part of subcall function 0019B0F0: RtlAllocateHeap.NTDLL(?,00000000,?,081DA4CA,00000000,003E8920,000000FF,?,?,0050A344,?,?,003394E7,80004005,081DA4CA,?), ref: 0019B13A

Strings

%d.%d.%d.%d, xrefs: 0032ADF8

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Find$AllocateCloseFileFirstHeap
String ID: %d.%d.%d.%d
API String ID: 1673784098-3491811756
Opcode ID: 88be3092d85e5d1f5daefd3ffefb7dee8880c1f37dfe8975226605c7b303ebd2
Instruction ID: 2bd5c60059a791688598bf7271ecab22a3d4884f3cad81df1b1a5f90ce0dc8b6
Opcode Fuzzy Hash: 88be3092d85e5d1f5daefd3ffefb7dee8880c1f37dfe8975226605c7b303ebd2
Instruction Fuzzy Hash: 1D718D74A05629DFCF21DF28CC48B9DBBB5AF44314F1082D9E819AB291DB359E85CF81

Function 001CF8B0 Relevance: 5.4, Strings: 4, Instructions: 378COMMON

Download Yara Rule

Strings

= ", xrefs: 001CFBE8
Hide, xrefs: 001CF974, 001CF995
<> ", xrefs: 001CF9D1
Show, xrefs: 001CFBB0

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID:
String ID: <> "$ = "$Hide$Show
API String ID: 0-289022205
Opcode ID: 38dc7b8692f9e49ad62f0a028d04141c14ee3e818b058a05991c05e8be7c6e86
Instruction ID: cbf250b0b4b04f369b0cf4ec002359a47f20a6c7fc5ceb49897ef84e276cf0a5
Opcode Fuzzy Hash: 38dc7b8692f9e49ad62f0a028d04141c14ee3e818b058a05991c05e8be7c6e86
Instruction Fuzzy Hash: 97023A70D00259CFDB24DF64C855BADB7B1BF65304F1086EAE409AB291DB70AE85CFA1

Function 003224B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 0019B480: GetProcessHeap.KERNEL32 ref: 0019B4D5

GetLocaleInfoW.KERNEL32(00000000,00000002,0047FF70,00000000), ref: 00322531
GetLocaleInfoW.KERNEL32(00000000,00000002,?,-00000001,00000078,-00000001), ref: 0032256D

Strings

%d-%s, xrefs: 00322577

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: InfoLocale$HeapProcess
String ID: %d-%s
API String ID: 3246605784-1781338863
Opcode ID: 4646adfeb657e33a8deece3efccda194f3df3974e6f578333ef8d91d40a1028d
Instruction ID: c8d9548691dddb443a8ebd85a421cae3a761ff0bc93224a2b570df23abe98fa7
Opcode Fuzzy Hash: 4646adfeb657e33a8deece3efccda194f3df3974e6f578333ef8d91d40a1028d
Instruction Fuzzy Hash: 2931BC71A00219ABDB00DF98DC49BAEFBB4FF48714F204169F515AB391DB759904CBD0

Function 001C0540 Relevance: 5.3, Strings: 4, Instructions: 337COMMON

Download Yara Rule

Strings

OldProductCode, xrefs: 001C087D, 001C08AF, 001C08CF, 001C08D0
MultipleInstances, xrefs: 001C0582
MultipleInstancesProps, xrefs: 001C0680
ProductCode, xrefs: 001C07F8, 001C0845, 001C0846

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID:
String ID: MultipleInstances$MultipleInstancesProps$OldProductCode$ProductCode
API String ID: 0-469785651
Opcode ID: cfbfbd5698040537b44320e4b7315c6496d2537a4465a0a231a5077ecd621d88
Instruction ID: fe569026ee5f5c6512efb2ba43f378d761fdf46d6a6d52614a7a1fbe39906544
Opcode Fuzzy Hash: cfbfbd5698040537b44320e4b7315c6496d2537a4465a0a231a5077ecd621d88
Instruction Fuzzy Hash: 8AC1D276E00216CBCB19DF68C890FBAB7B1FFA9704B15815DD8566B245EB30ED42CB90

Function 003BC4A7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,003BC3EC,0000001C,003BC5E1,00000000,?,?,?,?,?,?,?,003BC3EC,00000004,00512554,003BC671), ref: 003BC4B8
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,003BC3EC,00000004,00512554,003BC671), ref: 003BC4D3

Strings

D, xrefs: 003BC4C7

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 90a9587907e1f59aca73023006bc1caff77abd9ab2cfe467ef0b8c2266b1239a
Instruction ID: 88c3204082281b406a22cf41fc13a394d486c36e3b5b769360df512ebe0724ae
Opcode Fuzzy Hash: 90a9587907e1f59aca73023006bc1caff77abd9ab2cfe467ef0b8c2266b1239a
Instruction Fuzzy Hash: 250120337101095BCB24DE65CC09BEE7BA9AFC5328F0DC121ED59DB151EA34ED41C680

Function 003E2480 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 003D7FC9: GetLastError.KERNEL32(?,00000008,003DA451), ref: 003D7FCD
Part of subcall function 003D7FC9: SetLastError.KERNEL32(00000000,00000000,00000005,000000FF), ref: 003D806F

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 003E24D4
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 003E251E
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 003E25E4

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: a0d071fc0fe617c53d114f39bc25f5862cebf4d37300a0e19f71a3716dda12d4
Instruction ID: aec523bc5de31b886e6f43280053d0e6eff8bdff81f566f4ea2abcdec4e403cd
Opcode Fuzzy Hash: a0d071fc0fe617c53d114f39bc25f5862cebf4d37300a0e19f71a3716dda12d4
Instruction Fuzzy Hash: 2E619E715102679FDB2A9F26CD82BABB3ACEF04300F1542BAED05CA6C5E774D990DB50

Function 002D6B30 Relevance: 4.7, APIs: 3, Instructions: 172fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,081DA4CA,?,?), ref: 002D6BEF
FindNextFileW.KERNEL32(000000FF,00000010), ref: 002D6CFA
FindClose.KERNEL32(000000FF), ref: 002D6D55

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 50c0786e3fd3bea98a674cc1825891ce14bf3c5559e91716b4a29f0aa6baff88
Instruction ID: 9af5a1578acf77b1af15fedea06d09a56af22aae98191491ba64aabfb4dbae40
Opcode Fuzzy Hash: 50c0786e3fd3bea98a674cc1825891ce14bf3c5559e91716b4a29f0aa6baff88
Instruction Fuzzy Hash: 1E61AB31A102199FCF24DFA4C88CBEEBBB8EF55314F54819AE449A7291DB706E84CF50

Function 001B2BF0 Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000004), ref: 001B2C4B
GetWindowLongW.USER32(00000004,000000FC), ref: 001B2C64
SetWindowLongW.USER32(00000004,000000FC,?), ref: 001B2C76

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 8d56cd64f318f85b28585882ea7fa1577d3996b0a9217d59664eb46dc36fbedd
Instruction ID: 2e327dcaef03d59c8d6e4517ae7b1953780798de3d825817661f1430f0647fe9
Opcode Fuzzy Hash: 8d56cd64f318f85b28585882ea7fa1577d3996b0a9217d59664eb46dc36fbedd
Instruction Fuzzy Hash: 41418EB0600656EFDB11DF65D948B9AFBB4FF04314F008269E8149B790D7B6E918DB90

Function 001BA430 Relevance: 4.6, APIs: 3, Instructions: 87COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000003,000000FC), ref: 001BA486
SetWindowLongW.USER32(00000003,000000FC,?), ref: 001BA498
DeleteCriticalSection.KERNEL32(?,081DA4CA,?,?,?,?,003EF014,000000FF), ref: 001BA4C3

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: LongWindow$CriticalDeleteSection
String ID:
API String ID: 1978754570-0
Opcode ID: d584072796e2e06cd2e84d0d8cf0ad7021ca40cffcb96c97b6fc14f95f66ab24
Instruction ID: a9cbd062eca5afa7f0212bd9fe2cd93448cb33cf5f1017a919c08639608b1117
Opcode Fuzzy Hash: d584072796e2e06cd2e84d0d8cf0ad7021ca40cffcb96c97b6fc14f95f66ab24
Instruction Fuzzy Hash: F731CF71600605BFCB11DF28DC08B89FBF8BF15314F548229E824E7691D7B5EA14DBA1

Function 003C4C03 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 003C4CFB
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 003C4D05
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 003C4D12

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: ed5b003f570d2a8d037eb353d6281f80db9200bbfc06552a3f93b517a5ae3653
Instruction ID: f7f6ffecfa1166c772a7efd726b9dd4aefce490735d395d7effb222c4c3ec64c
Opcode Fuzzy Hash: ed5b003f570d2a8d037eb353d6281f80db9200bbfc06552a3f93b517a5ae3653
Instruction Fuzzy Hash: 5931C67590122C9BCB61DF64DC89B8DB7B8BF08311F5045EAE40CA7251E7709F859F45

Function 0019A7E0 Relevance: 4.6, APIs: 3, Instructions: 65COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(00000000,00000000,081DA4CA,00000001,00000000,?,00000000,003E86D0,000000FF,?,0019A78C,00000000,?,?,\\.\pipe\ToServer,003E8DA0), ref: 0019A80B
LockResource.KERNEL32(00000000,?,0019A78C,00000000,?,?,\\.\pipe\ToServer,003E8DA0,000000FF,?,0019A930,00000000,?,?,0033A058,\\.\pipe\ToServer), ref: 0019A816
SizeofResource.KERNEL32(00000000,00000000,?,0019A78C,00000000,?,?,\\.\pipe\ToServer,003E8DA0,000000FF,?,0019A930,00000000,?,?,0033A058), ref: 0019A824

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: 1db3aa09cd375100cb7530c6e2542d4e4b1a61bbf2f1e652271b49b2db153530
Instruction ID: 7703066f01c4083473c3aba5b417a0b6778b14eb87228995414cc793b33ad7ef
Opcode Fuzzy Hash: 1db3aa09cd375100cb7530c6e2542d4e4b1a61bbf2f1e652271b49b2db153530
Instruction Fuzzy Hash: 36110A32E046549BCB349F19EC44B7AB7ECEB88B16F500A3EED1AD3680E7359C0486D0

Function 001AAB70 Relevance: 4.5, APIs: 3, Instructions: 28COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(0000001B,000000FC), ref: 001AAB89
SetWindowLongW.USER32(0000001B,000000FC,?), ref: 001AAB97
DestroyWindow.USER32(0000001B,?,?,?,?,?,?,?,?,?,?,?,?,80004003,?,00000000), ref: 001AABC3

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Window$Long$Destroy
String ID:
API String ID: 3055081903-0
Opcode ID: b024f6e9fee5b8e1192ea9cb495caa378410cc0b03743ee9d3e11e772eb6a4e5
Instruction ID: 7b1849afad5ba977048751e59886dc51518f8d8020e50c28fa6418d51fcfca3a
Opcode Fuzzy Hash: b024f6e9fee5b8e1192ea9cb495caa378410cc0b03743ee9d3e11e772eb6a4e5
Instruction Fuzzy Hash: 6DF0B735004B119BDB615F28ED44F92BBE1BF19721B148B19E4BA825E0DB71E844EB25

Function 002EE310 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00514398), ref: 002EE36F

Part of subcall function 0019B480: GetProcessHeap.KERNEL32 ref: 0019B4D5

Strings

%04d-%02d-%02d %02d-%02d-%02d, xrefs: 002EE3BD

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: HeapLocalProcessTime
String ID: %04d-%02d-%02d %02d-%02d-%02d
API String ID: 1554148984-3768011868
Opcode ID: ad11048a84664f0f1ae383b63f022ddebe826f5cb55cf929658e9d8f9f1018e6
Instruction ID: 4d597a14152aa1d2799052f6a435c53ab9ceffc99e6c4a44fe4952e377e4617d
Opcode Fuzzy Hash: ad11048a84664f0f1ae383b63f022ddebe826f5cb55cf929658e9d8f9f1018e6
Instruction Fuzzy Hash: AA218FB1D00208AFDB14DF99D945BBEFBF8EB4C710F10412AF911A7281E7746940CBA5

Function 003D1430 Relevance: 3.4, APIs: 2, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1432a6cf3664c1364d47c783a7aca4284c9516d14b83a026fcdfb6590fa67a56
Instruction ID: 3d52fe0d1e3e48aae0bf1e6754b9b2791b3c2ddfc542babb0b9eaa2bb06b2336
Opcode Fuzzy Hash: 1432a6cf3664c1364d47c783a7aca4284c9516d14b83a026fcdfb6590fa67a56
Instruction Fuzzy Hash: 21F13072E012199FDF15CFA9E880AADF7B1FF88314F15826AE815AB391D7309D05CB90

Function 001C7990 Relevance: 3.3, APIs: 2, Instructions: 288windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000102B,00000000,?), ref: 001C7ABB
SendMessageW.USER32(?,0000102B,0000009B,-00000002), ref: 001C7CF8

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b88509256d303b55d55d4805e3e8e2151179a299faba8bfc93fff5a5f9164c6a
Instruction ID: cf565fbf62f55eec65489d6399f5bd9956fb3fd3e3109413499d365fa9644a22
Opcode Fuzzy Hash: b88509256d303b55d55d4805e3e8e2151179a299faba8bfc93fff5a5f9164c6a
Instruction Fuzzy Hash: 3EC17C71A042068FCB18CF54C895BEDBBB5FF68304F18856DE85AAB285D774E941CF90

Function 0031A250 Relevance: 3.2, APIs: 2, Instructions: 151fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000000,?,?,00000003,081DA4CA,00000000,?,00000000), ref: 0031A344
FindClose.KERNEL32(00000000,?,00000000), ref: 0031A38F

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f9677cefeb45f6fa92e3816252c851997b0ca4544e2a51c16e5885ce56f7496d
Instruction ID: 36cf99b0123c604ea502391eccf996f700b77f04c7e69981f837c3bd0c9701d7
Opcode Fuzzy Hash: f9677cefeb45f6fa92e3816252c851997b0ca4544e2a51c16e5885ce56f7496d
Instruction Fuzzy Hash: 8751BE71A0160ACFDB15DF68C8987AEBBF0FF48315F204529E815AB381DB74AA45CF91

Function 00223140 Relevance: 3.1, APIs: 2, Instructions: 82COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000FC), ref: 002231C4
SetWindowLongW.USER32(00000000,000000FC,?), ref: 002231D2

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 69bbed16920a1408e9587bb5d9e1731592aefb89c8ed0c460a73138d7ee7bc6d
Instruction ID: 7b69a7a511248e49a796889372f237557ee043ad862fb1ea9cdba1015776e375
Opcode Fuzzy Hash: 69bbed16920a1408e9587bb5d9e1731592aefb89c8ed0c460a73138d7ee7bc6d
Instruction Fuzzy Hash: 00316A71A00215EFCF00DF98D984B9ABBF5FB48320F1446A9E824AB2D1C775EE54DB90

Function 001E01D0 Relevance: 3.0, APIs: 2, Instructions: 10COMMON

Download Yara Rule

APIs

__set_se_translator.LIBVCRUNTIME ref: 001E01D5
SetUnhandledExceptionFilter.KERNEL32(Function_00162890), ref: 001E01EB

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ExceptionFilterUnhandled__set_se_translator
String ID:
API String ID: 2480343447-0
Opcode ID: d3939a6c7de35e68d7b0874b2e1962b5978593e029d09e4d138bb5ef62b0a3d2
Instruction ID: 7668c2837360b73b62c20e94c4aeb0efa6db1825e5096625ce6a3df97b4b3f68
Opcode Fuzzy Hash: d3939a6c7de35e68d7b0874b2e1962b5978593e029d09e4d138bb5ef62b0a3d2
Instruction Fuzzy Hash: 56D01270988284EAE716D350AC997A87A600B73745F188029D88249292D7B699DCA323

Function 0034E9B0 Relevance: 2.6, Strings: 1, Instructions: 1360COMMON

Download Yara Rule

Strings

hE, xrefs: 0034F057

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID:
String ID: hE
API String ID: 0-2023966264
Opcode ID: b9f591c3cfd51be078fee70cf99dd33079a4008b7fbb5b3eb969d00789c81a6e
Instruction ID: 47e508ddf4af572b581cc3bcffa5c56936da5cd2efe33980431165e7206c9799
Opcode Fuzzy Hash: b9f591c3cfd51be078fee70cf99dd33079a4008b7fbb5b3eb969d00789c81a6e
Instruction Fuzzy Hash: 12B24D71A083418FD718CE6DC89071EFBE2BBC8314F194A2DF599D7361E6B4E8858B46

Function 0035F6E0 Relevance: 1.8, Strings: 1, Instructions: 556COMMON

Download Yara Rule

Strings

CQ, xrefs: 0035F825

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID:
String ID: CQ
API String ID: 0-587852088
Opcode ID: acb4b080faa4d130ff0e3122e0ef7127f26521961f2c9bafb6ca85d562380ed7
Instruction ID: 61fc6a56802230546599915c0ce6c736697336dcb90a168498564176d9ad9412
Opcode Fuzzy Hash: acb4b080faa4d130ff0e3122e0ef7127f26521961f2c9bafb6ca85d562380ed7
Instruction Fuzzy Hash: E9128C72E002189FCF15DFA8D894AADBBB5FF48314F258169E815BB391DB30AD45CB90

Function 00357230 Relevance: 1.8, Strings: 1, Instructions: 540COMMON

Download Yara Rule

Strings

gfff, xrefs: 003578E4

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: f9b75bf121b5bb0a74b957e623c517dce1a53eca744279338bdd51eb314f8f59
Instruction ID: 9ea7dea54ef5456f0075c2e9249937e5e7d23f7cc7538424b16d17890a974f33
Opcode Fuzzy Hash: f9b75bf121b5bb0a74b957e623c517dce1a53eca744279338bdd51eb314f8f59
Instruction Fuzzy Hash: BB12573461C3018BC7199E2DE985B2DBBE6EB84311F15483DED4ACB7B1E639C98C8356

Function 003E26E0 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 003D7FC9: GetLastError.KERNEL32(?,00000008,003DA451), ref: 003D7FCD
Part of subcall function 003D7FC9: SetLastError.KERNEL32(00000000,00000000,00000005,000000FF), ref: 003D806F

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 003E2734

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 37a0f92be3b27a349f38a8c5ef4e94e46387df97f4d4edda639eb5dfad37028f
Instruction ID: 70b1397c39a54edf60107cdd827212e8b17256dba9a23dc78c1c2494aabd0ad5
Opcode Fuzzy Hash: 37a0f92be3b27a349f38a8c5ef4e94e46387df97f4d4edda639eb5dfad37028f
Instruction Fuzzy Hash: 9C21D472611256ABDB2A9B26DC81FBB73ACEF44710F11017AFD05CA282EB34ED448B50

Function 003E2352 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 003D7FC9: GetLastError.KERNEL32(?,00000008,003DA451), ref: 003D7FCD
Part of subcall function 003D7FC9: SetLastError.KERNEL32(00000000,00000000,00000005,000000FF), ref: 003D806F

EnumSystemLocalesW.KERNEL32(003E2480,00000001,00000000,?,-00000050,?,003E2ABE,00000000,?,?,?,00000055,?), ref: 003E23C4

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: ddee3bbe5859b5e09053bc6c113848cd15c73cad6dfda3e39653036091cc0a53
Instruction ID: 42034360688c9480aaad12c50545f15a8e8b42562564da79b383bfe42d49bf09
Opcode Fuzzy Hash: ddee3bbe5859b5e09053bc6c113848cd15c73cad6dfda3e39653036091cc0a53
Instruction Fuzzy Hash: AF11293B2007055FDB189F3AC8915BBB796FF80359B15452DF9478BA80D375A942CB40

Function 003E290F Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 003D7FC9: GetLastError.KERNEL32(?,00000008,003DA451), ref: 003D7FCD
Part of subcall function 003D7FC9: SetLastError.KERNEL32(00000000,00000000,00000005,000000FF), ref: 003D806F

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,003E278A,00000000,00000000,?), ref: 003E293B

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 50d8f759cecca691844e01919f9637048997a69ca628c1770f1c10b1ec1cf199
Instruction ID: 669663f632f1e3d52939cf2da34b01bb1fc2a0463ec7eba08076b585cb3d5efa
Opcode Fuzzy Hash: 50d8f759cecca691844e01919f9637048997a69ca628c1770f1c10b1ec1cf199
Instruction Fuzzy Hash: 30F0F432A00562ABEF295B22C805BBB776CEB40354F064629FD46A71C5EB70FE51C690

Function 003E2260 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 003D7FC9: GetLastError.KERNEL32(?,00000008,003DA451), ref: 003D7FCD
Part of subcall function 003D7FC9: SetLastError.KERNEL32(00000000,00000000,00000005,000000FF), ref: 003D806F

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 003E22B4

Strings

utf8, xrefs: 003E221D
tG, xrefs: 003E20A1

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID: tG$utf8
API String ID: 3736152602-2238955080
Opcode ID: af7a636e34ca2bd92c7bf3dc305945ee8e323c896e6ce3f08c3f990063d0896d
Instruction ID: 68d267fba01a3d7df646e8937c441efee8ddd5e5b4c7b43036a16bc5cf2d75f4
Opcode Fuzzy Hash: af7a636e34ca2bd92c7bf3dc305945ee8e323c896e6ce3f08c3f990063d0896d
Instruction Fuzzy Hash: 6FF02833610115ABD725EB75EC4AEBB33ACDF48314F01017AFA02DB282EA34AD059750

Function 003E23ED Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 003D7FC9: GetLastError.KERNEL32(?,00000008,003DA451), ref: 003D7FCD
Part of subcall function 003D7FC9: SetLastError.KERNEL32(00000000,00000000,00000005,000000FF), ref: 003D806F

EnumSystemLocalesW.KERNEL32(003E26E0,00000001,00000000,?,-00000050,?,003E2A82,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 003E2437

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 83f9aa3b6c03f1d7b23d1923a9fa3fe05ca8509513e93fd2a6eea0b9078db369
Instruction ID: e10bf7cc6c907a53839ca58a57bb69fb07208a147849c8ad29e5d22dc8389862
Opcode Fuzzy Hash: 83f9aa3b6c03f1d7b23d1923a9fa3fe05ca8509513e93fd2a6eea0b9078db369
Instruction Fuzzy Hash: 26F046363003545FCB265F77DC81A7B7B98EF80368F06862DF9014BAD0C2B19C42CA00

Function 003D978D Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 003D44B1: EnterCriticalSection.KERNEL32(-00512E60,?,003D5D50,0019B586,00509ED0,0000000C,003D601B,?), ref: 003D44C0

EnumSystemLocalesW.KERNEL32(003D9780,00000001,0050A010,0000000C,003D9BEF,00000000), ref: 003D97C5

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: afc76e6102105e08abf737c694af60448e2bc625979b986b85018a54482cb422
Instruction ID: 6702b103151fdedf76b81f0be8b2d426bfa623b7f9721088c510f218ea6590bd
Opcode Fuzzy Hash: afc76e6102105e08abf737c694af60448e2bc625979b986b85018a54482cb422
Instruction Fuzzy Hash: 2FF03236A10304EFDB01EF98E856B9D7BB0FB48721F00826AF420EB3A1DB7589449B40

Function 003E2307 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 003D7FC9: GetLastError.KERNEL32(?,00000008,003DA451), ref: 003D7FCD
Part of subcall function 003D7FC9: SetLastError.KERNEL32(00000000,00000000,00000005,000000FF), ref: 003D806F

EnumSystemLocalesW.KERNEL32(003E2260,00000001,00000000,?,?,003E2AE0,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 003E233E

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 7d07eb9da0f7811f5fa774663cf128d7ac2bd89499206d312f44cfc4211e20c8
Instruction ID: 0bc09b30f6bffe8c67c7910fa4c120deed2021dfb3a7ea61ccd6db28eda2626e
Opcode Fuzzy Hash: 7d07eb9da0f7811f5fa774663cf128d7ac2bd89499206d312f44cfc4211e20c8
Instruction Fuzzy Hash: 41F0553A30025997CB169F76DC4566B7F98EFC1721F074099FA058F691C275D882CB90

Function 001AB360 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

,CQ, xrefs: 001AB3FB

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID:
String ID: ,CQ
API String ID: 0-154016562
Opcode ID: 2669ec08be3c22ef079109769d001ba5802f128e2da15025d373267195f29bef
Instruction ID: c934dd09f7612ad4d1a9d086ffc21633a9c2368563f28401d93fe6b64f3fe0bb
Opcode Fuzzy Hash: 2669ec08be3c22ef079109769d001ba5802f128e2da15025d373267195f29bef
Instruction Fuzzy Hash: B1213CB1901348DFDB01CF58C94479ABBF4FB59718F25829ED414AB392D3BA9A06CB90

Function 001AB9C0 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

,CQ, xrefs: 001ABA5B

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID:
String ID: ,CQ
API String ID: 0-154016562
Opcode ID: 317ea0a57598a831ed0172e22f3927acefb931ff2605760441880705dae3776e
Instruction ID: 6cf24192dfe33d67d5c5ced42394fa83fc13a41c73181c742eab8bf879ad63b1
Opcode Fuzzy Hash: 317ea0a57598a831ed0172e22f3927acefb931ff2605760441880705dae3776e
Instruction Fuzzy Hash: 13213DB1901348DFDB01CF58C94479ABBF4FB59318F25829ED4149B392D37A9A06CF94

Function 003A1700 Relevance: .7, Instructions: 682COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d3004b4eb86e05d7c00509b24ae8db41beccd32b6489d1e65a3bd48651a4dd4
Instruction ID: e8bdff416926b513522994527e6e9113e0807c669eb4c4c91f2e762779f3dae7
Opcode Fuzzy Hash: 3d3004b4eb86e05d7c00509b24ae8db41beccd32b6489d1e65a3bd48651a4dd4
Instruction Fuzzy Hash: 5922C3B3B543104BD75CCE5DCCA23ADB2D3ABD4218B0E853DB48AC3342EA7DD9598685

Function 00356420 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a26536a7d1c77458b2a8f13ecaa4eb0d17952944ca6cc684d758245bc7b7ac4
Instruction ID: 71d39779a81cb0dcbf5d3c53773f1ed64d1b097453d4b493d9164cdfc98ee08d
Opcode Fuzzy Hash: 9a26536a7d1c77458b2a8f13ecaa4eb0d17952944ca6cc684d758245bc7b7ac4
Instruction Fuzzy Hash: 17D10475B043118FC716CF2CC881A2ABBE1ABD9305F954A3DF899CB365E671D909CB42

Function 003C865E Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 055b860adbc24cf5144f92b01ce902e348f817ea6df7545c8adfe49eb7ba8310
Instruction ID: fa1d72573dc7f5e981191ff7dad37e8f73b47bdaec7d52f32e21e1059d3563cd
Opcode Fuzzy Hash: 055b860adbc24cf5144f92b01ce902e348f817ea6df7545c8adfe49eb7ba8310
Instruction Fuzzy Hash: 1FE1AA74A006058FCB26CF68C580FBAB7F1FF49314B254A5ED596DB690DB30AE42CB51

Function 003C82D0 Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaee7de9365b9f0717c3a208b3758f0cc84d76a8728d97e60663ea3df183b859
Instruction ID: 4eeb509ab49e47003138674176bb1de83c4f59b6fb0f9027778b491df544b2d6
Opcode Fuzzy Hash: eaee7de9365b9f0717c3a208b3758f0cc84d76a8728d97e60663ea3df183b859
Instruction Fuzzy Hash: 44C1DE78900646CFCB2ACF68C480FBEBBA5AF45700F15461DD592DB692CF30AE46CB51

Function 0034D890 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f74fdbb53eec522143c3c9663faba9b44f6a34bb2bc0c461b0cd360f6cd2b4
Instruction ID: 8e996ca42b687351abcbf9219e083bc48e6c4fae0b680651942807ccb1acfb07
Opcode Fuzzy Hash: d3f74fdbb53eec522143c3c9663faba9b44f6a34bb2bc0c461b0cd360f6cd2b4
Instruction Fuzzy Hash: 94919272B043154BD748DE6DCD9135AF6E6ABC8314F1E853EF94AC73A1E678DC048682

Function 001A8970 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c241b825dfa596cfea25a901b8c3cc02146891eae24c9293b603977b7be076
Instruction ID: ca8e04cbc0ad5aa9b567de9eb5954a2875d76ff0884ff6727fea297669694005
Opcode Fuzzy Hash: 50c241b825dfa596cfea25a901b8c3cc02146891eae24c9293b603977b7be076
Instruction Fuzzy Hash: 6C71F7B1801B48CFE761CF78C94478ABBF0BB15324F148A5DD4A99B3D1D3B96648CB91

Function 003A8320 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1b4f4a1008985f58c77f7c77e8010567ea134e3bb0db5420c52cce7de9de22d
Instruction ID: e77869caf564d388f91feb0c583867abb619210c6ec4ff045161b547eefcaa54
Opcode Fuzzy Hash: b1b4f4a1008985f58c77f7c77e8010567ea134e3bb0db5420c52cce7de9de22d
Instruction Fuzzy Hash: 5121E73A7609060B9B4DCB29DC776B532D1E385301789D27DEA5BCB2D3D738849AC340

Function 0028CE20 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 692d5e9d713340fec43a872ea7c0cd57a0b722e8bc6ca55c336f846756026d64
Instruction ID: d425c89377933fc6d323eb8491e9f54240aaf53cc5c4ce7d32f20534d83a42f4
Opcode Fuzzy Hash: 692d5e9d713340fec43a872ea7c0cd57a0b722e8bc6ca55c336f846756026d64
Instruction Fuzzy Hash: B54105B0905B49EED704CF69C50878AFBF0BB19318F20865ED4589B781D3BAA658CF94

Function 001B2A80 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e53656a57eae8485240c4533adf7430ec9db824f886f05a4659f6e2ee484c164
Instruction ID: 8ffdc26ceb2aff55aba96768e60780ced85df37f70e79087f7c35e0d1b4a8535
Opcode Fuzzy Hash: e53656a57eae8485240c4533adf7430ec9db824f886f05a4659f6e2ee484c164
Instruction Fuzzy Hash: F631D2B0405B84CEE721CF29C558787BFF4BB15718F108A4DD4E64BB91D3BAA608CB91

Function 001CE1A0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7a99101d897c192281306717f2967f45258dfb29e8f8be28881b708514a5d84
Instruction ID: 3cc28f9707a7b2fc98debf76d51d37aa5808f2ebca02f92060d8f5dcdb0ad0a1
Opcode Fuzzy Hash: c7a99101d897c192281306717f2967f45258dfb29e8f8be28881b708514a5d84
Instruction Fuzzy Hash: 7711D2B1905248DFD740CF58D544789BBF4FB09728F2086AEE818DB781D3769A0ADF84

Function 003DA0AA Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84adcf6e336c4bae0f721f8d2f7d32daac37cdaf3c253ded2eee1c659e4a4c20
Instruction ID: e25a22cf13283d9e62b21d836f584318c009c605460e807de9e1033a5539d204
Opcode Fuzzy Hash: 84adcf6e336c4bae0f721f8d2f7d32daac37cdaf3c253ded2eee1c659e4a4c20
Instruction Fuzzy Hash: 4DE08C33911268EBCB16DB8CEA04A8AF3ECFB44B00B114097B501D3201C270DE00D7D1

Function 003CCB0C Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 368173e5bd919caad5c593be1080eb9ff5bee38a2b6786a592e7c025f46cf6ff
Instruction ID: 52e2c67f0ae4dc9786dbb1dbacb7ec16dabdb5ced374b74667f8287942029b6b
Opcode Fuzzy Hash: 368173e5bd919caad5c593be1080eb9ff5bee38a2b6786a592e7c025f46cf6ff
Instruction Fuzzy Hash: 93C08C74010D0186CE2BA910A2F2BA83354B791782F80388CC60B8B782C91EAC87D741

Function 002FE070 Relevance: 31.8, APIs: 12, Strings: 6, Instructions: 308libraryloaderthreadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00517488,081DA4CA), ref: 002FE0E3
EnterCriticalSection.KERNEL32(00517488,081DA4CA), ref: 002FE0F8
GetCurrentProcess.KERNEL32 ref: 002FE105
GetCurrentThread.KERNEL32 ref: 002FE113
SymSetOptions.IMAGEHLP(80000016), ref: 002FE141
LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr,00000000), ref: 002FE1B8
GetProcAddress.KERNEL32(00000000), ref: 002FE1BF
SymInitialize.IMAGEHLP(00000000,00000000,00000001,0047FF70,00000000), ref: 002FE205
StackWalk.IMAGEHLP(0000014C,?,?,?,?,00000000,00000000,*** Stack Trace (x86) ***,0000001F,?,?,?), ref: 002FE341
GetModuleHandleW.KERNEL32(00000000,*** Stack Trace (x86) ***,0000001F,?,?,?), ref: 002FE3FA
SymCleanup.IMAGEHLP(00000000,?), ref: 002FE513
LeaveCriticalSection.KERNEL32(00517488,?), ref: 002FE53E

Strings

*** Stack Trace (x86) ***, xrefs: 002FE2D7
SymFromAddr, xrefs: 002FE1AE
[0x%.8Ix] , xrefs: 002FE401
<--------------------MORE--FRAMES-------------------->, xrefs: 002FE39D
MODULE_BASE_ADDRESS, xrefs: 002FE447
Dbghelp.dll, xrefs: 002FE1B3

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: CriticalSection$CurrentInitialize$AddressCleanupEnterHandleLeaveLibraryLoadModuleOptionsProcProcessStackThreadWalk
String ID: *** Stack Trace (x86) ***$<--------------------MORE--FRAMES-------------------->$Dbghelp.dll$MODULE_BASE_ADDRESS$SymFromAddr$[0x%.8Ix]
API String ID: 4282195395-80696534
Opcode ID: a57aa37ce21f7c818d3dd7ef2cf9af41aa85328f1bfafb31645695c7e2775d38
Instruction ID: 12f3ed5b6e3bbd3162001976077ff9076e09032b54c67b2660542b07aaee3271
Opcode Fuzzy Hash: a57aa37ce21f7c818d3dd7ef2cf9af41aa85328f1bfafb31645695c7e2775d38
Instruction Fuzzy Hash: 4CD1ED709106A89EDF25DF64CC49BEEBBB4AF54309F1001EAE509AB2A1DB745F84CF50

Function 003336B0 Relevance: 30.1, APIs: 9, Strings: 8, Instructions: 343COMMON

Download Yara Rule

Strings

Unable to find file , xrefs: 003336E6
txt, xrefs: 0033379E
Unable to retrieve PowerShell output from file: , xrefs: 00333A44
Unable to retrieve exit code from process., xrefs: 00333A67
powershell.exe -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$host.UI.RawUI.BufferSize = new, xrefs: 00333843
Unable to get a temp file for script output, temp path: , xrefs: 003337E7
ps1, xrefs: 00333771, 00333783, 0033378D
Unable to create process: , xrefs: 003338E8

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID:
String ID: Unable to create process: $Unable to find file $Unable to get a temp file for script output, temp path: $Unable to retrieve PowerShell output from file: $Unable to retrieve exit code from process.$powershell.exe -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$host.UI.RawUI.BufferSize = new$ps1$txt
API String ID: 0-4129021124
Opcode ID: 0a1631c061f2f26612e5d84054e07b27db23827d961ade8617aca4ac0417741d
Instruction ID: 7f5a1d991b9df9dc61115cea3f8bb38b84debbbd9a850e93cde2d9a1f83926a0
Opcode Fuzzy Hash: 0a1631c061f2f26612e5d84054e07b27db23827d961ade8617aca4ac0417741d
Instruction Fuzzy Hash: 16D1BF71E00609EFCF11DFA8C985BAEBBB4FF18314F248259F411A7291DB74AA05CB95

Function 003005D0 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 248COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(00000007,000001F6), ref: 00300618
GetDlgItem.USER32(00000007,000001F8), ref: 00300628
GetDlgItem.USER32(00000007,000001F7), ref: 0030066E
SetWindowTextW.USER32(00000000,?), ref: 00300681
ShowWindow.USER32(00000000,00000005), ref: 003006DF
GetDlgItem.USER32(00000007,000001F7), ref: 00300705
SetWindowTextW.USER32(00000000,?), ref: 00300718
ShowWindow.USER32(00000000,00000000), ref: 00300775
ShowWindow.USER32(?,00000000), ref: 00300780
SetWindowPos.USER32(00000007,00000000,00000000,00000000,?,?,00000616), ref: 003007CD
GetDlgItem.USER32(?,000000FF), ref: 00300800
IsWindow.USER32(00000000), ref: 0030080A
SetWindowPos.USER32(000000FF,00000000,?,?,?,?,00000014,?,000000FF,?,?,00000616), ref: 00300857

Strings

Details <<, xrefs: 00300655
Details >>, xrefs: 003006EC

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Window$Item$Show$Text
String ID: Details <<$Details >>
API String ID: 2476474966-3763984547
Opcode ID: be2deca5bb6114d63a821cab8ea7f925a7de59674ba6d400b00a6da9fdef8b96
Instruction ID: 83608ac4d04938ecdab77945371c199f23710af8f948ca999f3177a7e9f81094
Opcode Fuzzy Hash: be2deca5bb6114d63a821cab8ea7f925a7de59674ba6d400b00a6da9fdef8b96
Instruction Fuzzy Hash: EC91E171900204AFDB29DF68DC99BAEB7F5FF54700F24861DF452A76A0D770A884CBA1

Function 001DD670 Relevance: 23.1, APIs: 4, Strings: 9, Instructions: 372libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,00000043), ref: 001DD798
GetProcAddress.KERNEL32(00000000,InitializeEmbeddedUI), ref: 001DD7AA
GetProcAddress.KERNEL32(00000000,ShutdownEmbeddedUI), ref: 001DD7B8
GetProcAddress.KERNEL32(00000000,EmbeddedUIHandler), ref: 001DD7C7

Part of subcall function 0019B0F0: RtlAllocateHeap.NTDLL(?,00000000,?,081DA4CA,00000000,003E8920,000000FF,?,?,0050A344,?,?,003394E7,80004005,081DA4CA,?), ref: 0019B13A

Part of subcall function 0019B480: GetProcessHeap.KERNEL32 ref: 0019B4D5

Strings

InitializeEmbeddedUI, xrefs: 001DD7A4
I, xrefs: 001DD86F
ShutdownEmbeddedUI, xrefs: 001DD7B0
5810bebe, xrefs: 001DD8DE
SELECT `Data` FROM `Binary` WHERE `Name` = 'InstallerAnalytics.dll', xrefs: 001DD6F9
INAN, xrefs: 001DD6A5
build , xrefs: 001DD8CF
EmbeddedUIHandler, xrefs: 001DD7BE
21.9, xrefs: 001DD8BA

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: AddressProc$Heap$AllocateLibraryLoadProcess
String ID: I$ build $21.9$5810bebe$EmbeddedUIHandler$INAN$InitializeEmbeddedUI$SELECT `Data` FROM `Binary` WHERE `Name` = 'InstallerAnalytics.dll'$ShutdownEmbeddedUI
API String ID: 230625546-3738551165
Opcode ID: c088f395b43b4bcb749d7d50059a64e7080b2724def65848638e3dcd356dabdf
Instruction ID: 6d0c1689550a02f8abcc2c79c5dd7680083b10f94be5791230b5c70127ab9fc9
Opcode Fuzzy Hash: c088f395b43b4bcb749d7d50059a64e7080b2724def65848638e3dcd356dabdf
Instruction Fuzzy Hash: C2D10275E002099FCB05DF68DC55BAEBBB5FF48714F24426AE811A7381EB74AA05CB90

Function 001A13A0 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 270libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoGetActivationFactory,081DA4CA,?,?,?,?,?,?,?,?,?,?,?,?,081DA4CA), ref: 001A1423
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 001A1429
LoadLibraryW.KERNEL32(?,.dll,-00000001,00000000,0047FF70,00000000,00000000,00000000), ref: 001A15DB

Strings

DllGetActivationFactory, xrefs: 001A161E
combase.dll, xrefs: 001A141E, 001A14C5
.dll, xrefs: 001A15C2
RoGetActivationFactory, xrefs: 001A1419
CoIncrementMTAUsage, xrefs: 001A14C0

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: LibraryLoad$AddressProc
String ID: .dll$CoIncrementMTAUsage$DllGetActivationFactory$RoGetActivationFactory$combase.dll
API String ID: 1469910268-2454113998
Opcode ID: deec71b2842fd2039dd45c08db5ec99089713879f4b6ebf9bd733df986879cc4
Instruction ID: d840dfabfb7f92d17eb3471f50e62b1196b655d4913920a34eb78e905d697d3a
Opcode Fuzzy Hash: deec71b2842fd2039dd45c08db5ec99089713879f4b6ebf9bd733df986879cc4
Instruction Fuzzy Hash: 98B1AE79E10209EFCB15DFA8C955BADFBB4FF59710F148129E815BB2A0DBB09904CB90

Function 002EE0B0 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 214fileCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00514380,081DA4CA,-00000001), ref: 002EE0EC
EnterCriticalSection.KERNEL32(-00000001,081DA4CA,-00000001), ref: 002EE0F9
WriteFile.KERNEL32(00000000,?,?,081DA4CA,00000000), ref: 002EE12B
FlushFileBuffers.KERNEL32(00000000,?,?,081DA4CA,00000000), ref: 002EE134
WriteFile.KERNEL32(00000000,?,?,?,00000000,0047FF40,00000001,?,?,081DA4CA,00000000), ref: 002EE1CC
FlushFileBuffers.KERNEL32(00000000,?,?,081DA4CA,00000000), ref: 002EE1D5
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,081DA4CA,00000000), ref: 002EE218
FlushFileBuffers.KERNEL32(00000000,?,?,081DA4CA,00000000), ref: 002EE221
WriteFile.KERNEL32(00000000,000000FF,?,?,00000000,00483DEC,00000002,?,?,081DA4CA,00000000), ref: 002EE28E
FlushFileBuffers.KERNEL32(00000000,?,?,081DA4CA,00000000), ref: 002EE297
LeaveCriticalSection.KERNEL32(00000000,?,?,081DA4CA,00000000), ref: 002EE2D6

Part of subcall function 0019A920: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,?,0033A058,\\.\pipe\ToServer,?,00000000,?,?,003EDFC6,000000FF,?,00339551), ref: 0019A943

Strings

=H, xrefs: 002EE251

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: File$BuffersFlushWrite$CriticalSection$EnterFindInitializeLeaveResource
String ID: =H
API String ID: 1900893598-4141749632
Opcode ID: 324c6cf8b30be850ebde2134c3d077a9466d047fe2e02e44909dac798195358f
Instruction ID: c8a523ee847c84fc327f7f340a6858b94d9b2b2b4eb4a908b1acb7ac0f7267c6
Opcode Fuzzy Hash: 324c6cf8b30be850ebde2134c3d077a9466d047fe2e02e44909dac798195358f
Instruction Fuzzy Hash: E071BD31A012449FDF01DF68EC49BADBBB9FF44314F644198F911AB2A2DB319D01CB95

Function 003002B0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 128windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002F7D30: LoadLibraryW.KERNEL32(ComCtl32.dll,081DA4CA,?), ref: 002F7D6A
Part of subcall function 002F7D30: GetProcAddress.KERNEL32(00000000,LoadIconMetric), ref: 002F7D90
Part of subcall function 002F7D30: FreeLibrary.KERNEL32(00000000), ref: 002F7E19

GetDlgItem.USER32(?,000001F4), ref: 003002EB
SendMessageW.USER32(00000000,00000170,00000000,00000000), ref: 003002FA
MulDiv.KERNEL32(00000009,00000000), ref: 00300316
GetDlgItem.USER32(?,000001F6), ref: 00300350
IsWindow.USER32(00000000), ref: 00300359
SendMessageW.USER32(00000000,00000030,?,00000000), ref: 00300370
GetDlgItem.USER32(?,000001F8), ref: 0030037E
GetWindowRect.USER32(?,?), ref: 0030038D
GetWindowRect.USER32(00000000,?), ref: 003003A1
GetWindowRect.USER32(00000000,?), ref: 003003B5

Strings

Courier New, xrefs: 0030031C

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Window$ItemRect$LibraryMessageSend$AddressFreeLoadProc
String ID: Courier New
API String ID: 1717253393-2572734833
Opcode ID: 1e9ed5600529a5c8af0c90403a528e22d50fb18837455112752334cee55d0fb2
Instruction ID: ed49fc0f0be5487e2e11503fa0ef69d47d9551767fce586f25ae215e7a28cb91
Opcode Fuzzy Hash: 1e9ed5600529a5c8af0c90403a528e22d50fb18837455112752334cee55d0fb2
Instruction Fuzzy Hash: 3F41D7717803047FE7546F208C87FBAB7A8AF58B00F104538FB06AE1D2DAB0A8448B14

Function 002783F0 Relevance: 18.0, APIs: 4, Strings: 6, Instructions: 460fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000), ref: 002784F0
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0041E5C8), ref: 0027862B

Part of subcall function 001DFC00: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,003EA55D,000000FF,?), ref: 001DFC79
Part of subcall function 001DFC00: WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,00000000,00000000,?,?,00000000,003EA55D,000000FF,?), ref: 001DFCAF

WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?), ref: 0027878B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0041E5C8), ref: 002787FE

Part of subcall function 0019B480: GetProcessHeap.KERNEL32 ref: 0019B4D5

Strings

open, xrefs: 0027882B
EXE, xrefs: 00278448
Failed to create BAT file for cleaning..., xrefs: 00278558
AiEmbeddedDirectCall, xrefs: 002785A7, 00278705
Content of cleaning BAT file=, xrefs: 002786A6
.bat, xrefs: 00278443

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ByteCharCloseFileHandleMultiWide$CreateHeapProcessWrite
String ID: .bat$AiEmbeddedDirectCall$Content of cleaning BAT file=$EXE$Failed to create BAT file for cleaning...$open
API String ID: 526443260-2499132982
Opcode ID: 8d40311229bdf1a2ddb456213567bec399c3623c46fee02726d765179eeb856c
Instruction ID: c770b2af286c1a9232141a4a2c30b0a736cf2e861fd97bfe4448939e22532a24
Opcode Fuzzy Hash: 8d40311229bdf1a2ddb456213567bec399c3623c46fee02726d765179eeb856c
Instruction Fuzzy Hash: FF02A0306006499FDB04DF68C898BAD7BB1BF48314F288269F91A9B392DB74DD45CF91

Function 003032D0 Relevance: 17.9, APIs: 3, Strings: 7, Instructions: 441libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,00000000), ref: 00303436
GetProcAddress.KERNEL32(00000000), ref: 0030343D
GetCurrentProcess.KERNEL32(?,00000000,?,?,?,00000000), ref: 00303477

Strings

IsWow64Process2, xrefs: 0030342C
Search result:, xrefs: 00303719
Wrong OS or Os language for:, xrefs: 0030382F
kernel32, xrefs: 00303431
An acceptable version was found., xrefs: 0030379F, 003037A0
Undefined, xrefs: 00303784
Searching for:, xrefs: 00303579

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: An acceptable version was found.$IsWow64Process2$Search result:$Searching for:$Undefined$Wrong OS or Os language for:$kernel32
API String ID: 4190356694-1658165007
Opcode ID: c968be83bc8540fe0a8874fb0f431bf1766ac9c9ba061419118a931aac8fe9f0
Instruction ID: 25218143158c4b4f058969c984744a7a5c8396488cdf0218589f5fa5ff03c488
Opcode Fuzzy Hash: c968be83bc8540fe0a8874fb0f431bf1766ac9c9ba061419118a931aac8fe9f0
Instruction Fuzzy Hash: AF02E070A01604DFDB16DFA8C8A4BADBBB9FF44314F158259E416AB2D1DB34EE46CB40

Function 0032D3D0 Relevance: 17.8, APIs: 4, Strings: 6, Instructions: 308libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 002D8F00: GetLastError.KERNEL32(081DA4CA,?,?,00000000,0030D7C0,00000000,0042E9BD,000000FF,?,0032D40A,Kernel32.dll,?,081DA4CA,?,00000000), ref: 002D8F71

GetProcAddress.KERNEL32(?,GetPackagePath), ref: 0032D58F
GetProcAddress.KERNEL32(?,GetPackagePath), ref: 0032D5F8
GetLastError.KERNEL32(?,?,0043CE75,000000FF,?,0030D7C0,?,?,?,?,?,?,00000000), ref: 0032D622
FreeLibrary.KERNEL32(?,?,?,00000000,00000000,?,?,0043CE75,000000FF), ref: 0032D724

Strings

neutral, xrefs: 0032D496
Kernel32.dll, xrefs: 0032D3FD
GetPackagePath, xrefs: 0032D589, 0032D5F2
d;I, xrefs: 0032D718
x86, xrefs: 0032D44C
x64, xrefs: 0032D47A

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: AddressErrorLastProc$FreeLibrary
String ID: GetPackagePath$Kernel32.dll$d;I$neutral$x64$x86
API String ID: 329358263-2908840848
Opcode ID: 634149add07b505072515ff517e6d28d0c472a5acc7c5b29bfbb7898aeaafb94
Instruction ID: 0ef35ef75c2429b83e46df4e628141fbb5ba36a3da783db5263500d5a79026b1
Opcode Fuzzy Hash: 634149add07b505072515ff517e6d28d0c472a5acc7c5b29bfbb7898aeaafb94
Instruction Fuzzy Hash: 1EC19B70A002199FCF05DFA8D998AADBBB1FF48315F14816DE805EB391DB74AD05CB90

Function 001CD640 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 231windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,tooltips_class32,00000000,80000063,80000000,80000000,80000000,80000000,?,00000000,00000000,081DA4CA), ref: 001CD6C8

Part of subcall function 001AA110: SetWindowLongW.USER32(?,000000FC,00000000), ref: 001AA152

SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 001CD7D3
SendMessageW.USER32(00000000,00000439,00000000,0000002C), ref: 001CD7E7
SendMessageW.USER32(00000000,00000421,00000003,?), ref: 001CD7FC
SendMessageW.USER32(00000000,00000418,00000000,0000012C), ref: 001CD811
SendMessageW.USER32(?,000000D6,-00000001,00000000), ref: 001CD828
GetWindowRect.USER32(?,?), ref: 001CD85A
SendMessageW.USER32(00000000,00000412,00000000), ref: 001CD8B6
SendMessageW.USER32(00000000,00000411,00000001,0000002C), ref: 001CD8CA

Strings

tooltips_class32, xrefs: 001CD6C2

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: MessageSend$Window$CreateLongRect
String ID: tooltips_class32
API String ID: 1954517558-1918224756
Opcode ID: af074499e71a8a1dca1ce7c2f1c648505843e126d81d107fc7fa918067078da2
Instruction ID: 7de12f316c24272c1efe7b56c7f6d18bdaff1c0bd1369982bf1da1df79320acf
Opcode Fuzzy Hash: af074499e71a8a1dca1ce7c2f1c648505843e126d81d107fc7fa918067078da2
Instruction Fuzzy Hash: 95913BB1A00219AFDB14DFA4CC95BEEFBF9FF58300F14852AE516EA290D774A904DB50

Function 00192D10 Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 135COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(0051433C,00000000,081DA4CA,00000000,0042EBA3,000000FF,?,081DA4CA), ref: 00192E83
GetLastError.KERNEL32(?,081DA4CA), ref: 00192E8D

Strings

VolumeCostVolume, xrefs: 00192DF5
HZI, xrefs: 00192D3D
,CQ, xrefs: 00192E79
VolumeCostDifference, xrefs: 00192D63
VolumeCostSize, xrefs: 00192D47
ZI, xrefs: 00192D59
lZI, xrefs: 00192D50
CQ, xrefs: 00192DDB

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpin
String ID: CQ$,CQ$HZI$VolumeCostDifference$VolumeCostSize$VolumeCostVolume$lZI$ZI
API String ID: 439134102-1827279907
Opcode ID: ed72e4bee268760e688b14641311689c61b506f3e97ec14ba9e0db76695cbce2
Instruction ID: aed4eb756343c492bbc04b0713bfe68b508ea5cf1010a8f1e02a1c270f38d35b
Opcode Fuzzy Hash: ed72e4bee268760e688b14641311689c61b506f3e97ec14ba9e0db76695cbce2
Instruction Fuzzy Hash: DB51C4B19002099FDB11DFA4DC45BDEBBF4FB08714F10462AD8219B390D77899488F99

Function 001A87A0 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 115COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(005196CC,081DA4CA,00000000,?,?,?,?,?,?,001A7F05,003EC11D,000000FF), ref: 001A87DD
LoadCursorW.USER32(00000000,00007F00), ref: 001A8858
LoadCursorW.USER32(00000000,00007F00), ref: 001A8900
LeaveCriticalSection.KERNEL32(005196CC), ref: 001A8953

Strings

WM_ATLGETCONTROL, xrefs: 001A87F2
AtlAxWin140, xrefs: 001A880B
WM_ATLGETHOST, xrefs: 001A87E3
h0H, xrefs: 001A8917
AtlAxWinLic140, xrefs: 001A88BD

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: CriticalCursorLoadSection$EnterLeave
String ID: AtlAxWin140$AtlAxWinLic140$WM_ATLGETCONTROL$WM_ATLGETHOST$h0H
API String ID: 3727441302-3433770002
Opcode ID: a30c815f51cded3ffcf68d07a07c9f4c4bc87ada849acab6517633890dc01974
Instruction ID: 35ccbc7062bed1d94655db00114d4c8aa90ac2d5057d164b3f747113e4ddab91
Opcode Fuzzy Hash: a30c815f51cded3ffcf68d07a07c9f4c4bc87ada849acab6517633890dc01974
Instruction Fuzzy Hash: FC5125B4C01208EFDB11DFA8D858BDEBFB8FF19714F10451AE400B7290DBB95A499BA5

Function 0022B370 Relevance: 15.2, APIs: 10, Instructions: 167COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(00000000,000000F0), ref: 0022B3B7
GetParent.USER32(00000000), ref: 0022B3CA
GetWindow.USER32(00000000,00000004), ref: 0022B3D5
GetWindowRect.USER32(00000000,?), ref: 0022B3E3
GetWindowLongW.USER32(00000000,000000F0), ref: 0022B3F6
MonitorFromWindow.USER32(00000000,00000002), ref: 0022B40E
GetMonitorInfoW.USER32(00000000,?), ref: 0022B424
GetWindowRect.USER32(00000000,?), ref: 0022B44A
SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015), ref: 0022B505

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Window$LongMonitorRect$FromInfoParent
String ID:
API String ID: 1468510684-0
Opcode ID: 25bfaf0b48ffe910cae57a223ee96ff873a229512859df15aa73bfae28189af8
Instruction ID: 9327e04b4d3564457c2c1ccf2250787ca1a029dc76fd7664bdde94e958f489f5
Opcode Fuzzy Hash: 25bfaf0b48ffe910cae57a223ee96ff873a229512859df15aa73bfae28189af8
Instruction Fuzzy Hash: 13519432D10119AFDB11DFA8DD89AEEBBB5FB44710F248629F815E3291DB34AC14DB50

Function 003143F0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 320processfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00315D20: GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000010), ref: 00315D4D

Part of subcall function 001A3870: GetModuleHandleW.KERNEL32(Kernel32.dll,GetTempPath2W,?), ref: 001A3967
Part of subcall function 001A3870: GetProcAddress.KERNEL32(00000000), ref: 001A396E
Part of subcall function 001A3870: PathFileExistsW.SHLWAPI(?), ref: 001A39DC

GetFileAttributesW.KERNEL32(?,?,00000003,?,00000001,?,00000000,00000000), ref: 00314598
SetFileAttributesW.KERNEL32(?,00000080), ref: 003145AB
CopyFileW.KERNEL32(?,?,00000000), ref: 003145B8

Part of subcall function 0019B480: GetProcessHeap.KERNEL32 ref: 0019B4D5

CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?), ref: 003146FA
Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00314710
CloseHandle.KERNEL32(?), ref: 00314731
Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 00314744

Strings

"%s" %s, xrefs: 0031462E

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: File$Wow64$AttributesHandleModuleProcessRedirectionRevert$AddressCloseCopyCreateExistsHeapNamePathProc
String ID: "%s" %s
API String ID: 3861218247-1070868581
Opcode ID: 3f4d59d5b87adde68b89d6cda522e7e2163690e8982632b0b92f3283c1d4c0f7
Instruction ID: 52ef24f75ec778d221b431918aa059053cfd88e7a21fe3702c1e959534061ba7
Opcode Fuzzy Hash: 3f4d59d5b87adde68b89d6cda522e7e2163690e8982632b0b92f3283c1d4c0f7
Instruction Fuzzy Hash: 24D19C31E00648DFDF15DBA8CC48BADBBB1BF59314F288259E421AB2D5DB74A945CF80

Function 001A67A0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 283memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 001A67DE
SysAllocString.OLEAUT32(?), ref: 001A67F6
VariantInit.OLEAUT32(?), ref: 001A6831
VariantClear.OLEAUT32(?), ref: 001A689A
VariantClear.OLEAUT32(?), ref: 001A68A8
VariantClear.OLEAUT32(?), ref: 001A68B6
VariantClear.OLEAUT32(?), ref: 001A68C7

Part of subcall function 0019B0F0: RtlAllocateHeap.NTDLL(?,00000000,?,081DA4CA,00000000,003E8920,000000FF,?,?,0050A344,?,?,003394E7,80004005,081DA4CA,?), ref: 0019B13A

Strings

<body><h3 style="color:green;">Error loading resource:</h3><p style="white-space:nowrap">"%s"</p></body>, xrefs: 001A694B

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Variant$Clear$AllocAllocateHeapInitString
String ID: <body><h3 style="color:green;">Error loading resource:</h3><p style="white-space:nowrap">"%s"</p></body>
API String ID: 1547307772-1571955069
Opcode ID: 12bba1af9e9d6e34dca38bf6c8a84dba51cd4c9a0dd162d207480767191df9b4
Instruction ID: 05876acda78b832b6dcd6bcfef343ab76e0a657161d3804ee416a533d8219192
Opcode Fuzzy Hash: 12bba1af9e9d6e34dca38bf6c8a84dba51cd4c9a0dd162d207480767191df9b4
Instruction Fuzzy Hash: 65A18275910258DFCB01DFA8DC48BEEBBB8FF59314F14426AE811E7291DB749A05CB90

Function 00333470 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 193fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0019B480: GetProcessHeap.KERNEL32 ref: 0019B4D5

Part of subcall function 0019A920: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,?,0033A058,\\.\pipe\ToServer,?,00000000,?,?,003EDFC6,000000FF,?,00339551), ref: 0019A943

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,ps1,ps1,00000003,?,0030E0E8), ref: 00333588
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 003335CE
WriteFile.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 003335EB
CloseHandle.KERNEL32(00000000), ref: 00333605
CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 00333644

Strings

Unable to save script file , xrefs: 00333614
Unable to get temp file , xrefs: 00333569
ps1, xrefs: 003334F1, 00333503, 0033350D, 0033351E

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: File$CloseHandleWrite$CreateFindHeapProcessResource
String ID: Unable to get temp file $Unable to save script file $ps1
API String ID: 3201387394-4253966538
Opcode ID: 66181195d619f7fed0ce26d4e5865a3f0de59e2c2345f7aa625b36b9ada587f3
Instruction ID: 8fe797af33444fd2af07bb22a83ec5a4ca38d6a8c7f0608be14b36c052129f3e
Opcode Fuzzy Hash: 66181195d619f7fed0ce26d4e5865a3f0de59e2c2345f7aa625b36b9ada587f3
Instruction Fuzzy Hash: 7761F531A00208AFDF01DF68DC85BAEBBB4EF45714F248259F911AB3C2CB749A058BD5

Function 0019EE10 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 179processsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0019B480: GetProcessHeap.KERNEL32 ref: 0019B4D5

CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 0019EF28
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 0019EF32
WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 0019EF44
GetExitCodeProcess.KERNEL32(?,?), ref: 0019EF61
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 0019EF6B
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 0019EF78
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000044,?), ref: 0019EF82

Strings

"%s" %s, xrefs: 0019EEB0

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ErrorLastProcess$CloseCodeCreateExitHandleHeapObjectSingleWait
String ID: "%s" %s
API String ID: 3234789809-1070868581
Opcode ID: 9eb6f40baa2d40e2e3bfe152e885dc73f56022d6ef1e25e6d8a0dd20f8fc0054
Instruction ID: bb7cd5cee9f3e672a438105ed6e3ae0a594c2d1d49f6df4fb4127d42130afbb3
Opcode Fuzzy Hash: 9eb6f40baa2d40e2e3bfe152e885dc73f56022d6ef1e25e6d8a0dd20f8fc0054
Instruction Fuzzy Hash: A9518D71E00619DFCF14CF68DC04BAEB7B5FF48715F21462AE922A7291D730A981CB91

Function 00322170 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 153libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDefaultLangID.KERNEL32 ref: 003221AE
GetUserDefaultLangID.KERNEL32 ref: 003221BB
LoadLibraryW.KERNEL32(kernel32.dll), ref: 003221CD
GetProcAddress.KERNEL32(00000000,GetSystemDefaultUILanguage), ref: 003221DB
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 003221FE

Strings

GetUserDefaultUILanguage, xrefs: 003221F8
GetSystemDefaultUILanguage, xrefs: 003221D5
kernel32.dll, xrefs: 003221C4

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: AddressDefaultLangProc$LibraryLoadSystemUser
String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll
API String ID: 667524283-3528650308
Opcode ID: cdac78a2eb8698478eeb8cd079132ea5c22b5cb52ab923cd7ee0144c14350809
Instruction ID: dca1aa2619c6988f6bbf1ecca72472063b7db24d6490ce11ff241f7b949e01b1
Opcode Fuzzy Hash: cdac78a2eb8698478eeb8cd079132ea5c22b5cb52ab923cd7ee0144c14350809
Instruction Fuzzy Hash: D251E170A043219BC749DF24A86467EB7E2FBE8705F92092EF886CB290DB31D844CB55

Function 003C3740 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 003C3777
___except_validate_context_record.LIBVCRUNTIME ref: 003C377F
_ValidateLocalCookies.LIBCMT ref: 003C3808
__IsNonwritableInCurrentImage.LIBCMT ref: 003C3833
_ValidateLocalCookies.LIBCMT ref: 003C3888
___vcrt_initialize_locks.LIBVCRUNTIME ref: 003C389E
___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 003C38B3

Strings

csm, xrefs: 003C381D

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record___vcrt_initialize_locks___vcrt_uninitialize_locks
String ID: csm
API String ID: 1385549066-1018135373
Opcode ID: c7a8021a717241deee077ba495c686c325ff78b882aca4452bb7b3fb914dc457
Instruction ID: a5fd91217d54251dc38d09b24cd297f6c3bd8d21ecb3a6024fba8654a6ef7b70
Opcode Fuzzy Hash: c7a8021a717241deee077ba495c686c325ff78b882aca4452bb7b3fb914dc457
Instruction Fuzzy Hash: 6841B174A002189BCF12DF68D884F9EBBB5AF45314F15C1ADF814DB292C7369E19CB91

Function 001E8300 Relevance: 14.0, APIs: 9, Instructions: 458memorysynchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 0019B480: GetProcessHeap.KERNEL32 ref: 0019B4D5

CreateThread.KERNEL32(00000000,00000000,001E8450,004861CC,00000000,00000000), ref: 001E83BC
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 001E83D5
CloseHandle.KERNEL32(00000000), ref: 001E83EB
CoInitializeEx.COMBASE(00000000,00000000), ref: 001E84B5
GetProcessHeap.KERNEL32(?,00000000), ref: 001E85C8
HeapFree.KERNEL32(00000000,?,00000000), ref: 001E85CE
GetProcessHeap.KERNEL32(?,00000000), ref: 001E865F
HeapFree.KERNEL32(00000000,?,00000000), ref: 001E8665
CoUninitialize.COMBASE ref: 001E87C8

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Heap$Process$Free$CloseCreateHandleInitializeObjectSingleThreadUninitializeWait
String ID:
API String ID: 661592132-0
Opcode ID: 39193ebc7f3c25f2161fa68c73f22e9c0699f9185776e9665dc8c19e7909a00a
Instruction ID: 332141670867b83c0713b36e0a5c8baa4b4c2c7d0545d96b4e57316df22fbba1
Opcode Fuzzy Hash: 39193ebc7f3c25f2161fa68c73f22e9c0699f9185776e9665dc8c19e7909a00a
Instruction Fuzzy Hash: 54029D71D00658DFDF15CFA5C845BEEBBB8FF48314F2041A9E909AB291DB749A05CBA0

Function 0033E860 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 373fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0019B480: GetProcessHeap.KERNEL32 ref: 0019B4D5

DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0033E98F
CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0033E9E1
ReadFile.KERNEL32(00000000,?,000003FF,?,00000000), ref: 0033EA23
ReadFile.KERNEL32(00000000,00000000,000003FF,00000000,00000000,00000000), ref: 0033EA6E
CloseHandle.KERNEL32(00000000), ref: 0033EAFE
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0033EC86

Strings

--verbose --log-file="%s" --remove-pack-file "%s" "%s", xrefs: 0033E91F

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: File$DeleteRead$CloseCreateHandleHeapProcess
String ID: --verbose --log-file="%s" --remove-pack-file "%s" "%s"
API String ID: 70679524-3685554107
Opcode ID: 1f081a7c519dda8c3177753eb8e3af75aa90cdb3d408a07734f2807c12bd87b6
Instruction ID: fbe418af48cc3c3c06feb7843090fc9bd8ceb74251adcfb3b06f66e10902f5d1
Opcode Fuzzy Hash: 1f081a7c519dda8c3177753eb8e3af75aa90cdb3d408a07734f2807c12bd87b6
Instruction Fuzzy Hash: 8AE191B1A002189FDB11DB28CC94B9DB7B5FF48314F1441E9E619AB392DB34AE85CF94

Function 001AEA10 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 306COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0051431C,081DA4CA,?,?,?,?,?,?,?,?,?,?,?,?,00000000,003ECE95), ref: 001AEA7A
GetModuleFileNameW.KERNEL32(0000FFFF,00000104,?,?,?,?,?,?,?,?,?,?,?,?,00000000,003ECE95), ref: 001AEAF4

Strings

,CQ, xrefs: 001AEA62, 001AECC3
6Q, xrefs: 001AEA96

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: CriticalEnterFileModuleNameSection
String ID: ,CQ$6Q
API String ID: 764724386-2334299810
Opcode ID: 3f20872b7060eb2de36e0cac1459b0461cb7991730a18961d6df053908865bfd
Instruction ID: 99cccae46dbbd661859a3429a806ebcbd27d2624a9ca3f534320cec25120872f
Opcode Fuzzy Hash: 3f20872b7060eb2de36e0cac1459b0461cb7991730a18961d6df053908865bfd
Instruction Fuzzy Hash: CEC19074A00259DFDB11CFA8D848BAEBBF4BF49714F1440A9E805EB3A1CB75AD45CB60

Function 003BC3F2 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,003BC46D,003BC3D0,003BC671), ref: 003BC409
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 003BC41F
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 003BC434

Strings

@%Q, xrefs: 003BC445
AcquireSRWLockExclusive, xrefs: 003BC419
ReleaseSRWLockExclusive, xrefs: 003BC429
KERNEL32.DLL, xrefs: 003BC404

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: @%Q$AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-3244382479
Opcode ID: 4253019b1dfdcf905bd326084424bf0e878c88b063f06acff6fd295e2317e878
Instruction ID: 4ef132405c71a2e80d463330dc625e83ac0f10baff0daf2e0436ec6cad58dbb3
Opcode Fuzzy Hash: 4253019b1dfdcf905bd326084424bf0e878c88b063f06acff6fd295e2317e878
Instruction Fuzzy Hash: 44F0AF313612529B5B334F666CF56FB76C89A01B4E326607ADB01DB991FA14CE48A290

Function 003000F0 Relevance: 12.2, APIs: 8, Instructions: 154COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 003000FE
EndDialog.USER32(?,00000000), ref: 003001D6

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: DialogLongWindow
String ID:
API String ID: 900524653-0
Opcode ID: 1c2fd70800e22301bf8001af28dba8ecc9b95a339e25a73903527d1a76bb4e70
Instruction ID: f38eaaa316fb55522bbb3b0a63743f75e4ea36de60d71b9c50ac12d62be0d975
Opcode Fuzzy Hash: 1c2fd70800e22301bf8001af28dba8ecc9b95a339e25a73903527d1a76bb4e70
Instruction Fuzzy Hash: 774128367012141BD7299F3CAC2CBBB77ACDB45331F004F2AFD62C66E0C665C820A6A1

Function 003BF487 Relevance: 12.1, APIs: 8, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,003BF631,?,?,?,?), ref: 003BF4AB
HeapAlloc.KERNEL32(00000000,?,?,?,?), ref: 003BF4B2

Part of subcall function 003BF57D: IsProcessorFeaturePresent.KERNEL32(0000000C,003BF499,00000000,?,003BF631,?,?,?,?), ref: 003BF57F

InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,003BF631,?,?,?,?), ref: 003BF4C2
VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,?,?), ref: 003BF4E9
RaiseException.KERNEL32(C0000017,00000000,00000000,00000000,?,?,?,?), ref: 003BF4FD
InterlockedPopEntrySList.KERNEL32(00000000,?,?,?,?), ref: 003BF510
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?), ref: 003BF523

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
String ID:
API String ID: 2460949444-0
Opcode ID: 25ac3648b795f825e53faec49f47d4f9743bc054c4db49a0fd5cfa9ce37f453d
Instruction ID: ad12be43b9a7739ecc5ca799ec0df41a564f511122d5b198ce2421dcec404ded
Opcode Fuzzy Hash: 25ac3648b795f825e53faec49f47d4f9743bc054c4db49a0fd5cfa9ce37f453d
Instruction Fuzzy Hash: EE113171600721AFD7320F79AC49FAB362CEB8179EF225031FB01EA951DB20CC8467A4

Function 002F8090 Relevance: 10.9, APIs: 7, Instructions: 423fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0019B480: GetProcessHeap.KERNEL32 ref: 0019B4D5

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,081DA4CA,00000000), ref: 002F81FB
ReadFile.KERNEL32(00000000,00000000,00001000,?,00000000,00001000), ref: 002F826D
ReadFile.KERNEL32(?,00000000,00001000,00000000,00000000,?,?,00000000), ref: 002F8519
CloseHandle.KERNEL32(?), ref: 002F8577

Part of subcall function 002F8090: LoadStringW.USER32(000000A1,?,00000514,081DA4CA), ref: 002F7FE8

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: File$Read$CloseCreateHandleHeapLoadProcessString
String ID:
API String ID: 2846944389-0
Opcode ID: 22e3d60c2a597240581558fc59f5f9e47525e31a6be5f6412fa89eb41bf240f5
Instruction ID: 0e185f0966e200f2b16d7b173b85e1ecf4f18e2b3f25c307dc5dda2fdb2d08e5
Opcode Fuzzy Hash: 22e3d60c2a597240581558fc59f5f9e47525e31a6be5f6412fa89eb41bf240f5
Instruction Fuzzy Hash: 8DF1A071E1030D9BDB10CFA4C948BAEFBB5FF45354F204269E915AB381DB74AA44CB91

Function 001B0C90 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 289registryCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000000,00000000,Caphyon.AI.ExtUI.IEClickSoundRemover,081DA4CA), ref: 001B0D31
GetLastError.KERNEL32 ref: 001B0D68
RegCloseKey.ADVAPI32(?,0047FF70,00000000,0047FF70,00000000,?,80000001,00000001,00000000,AppEvents\Schemes\Apps\Explorer\Navigating\.Current,00000033), ref: 001B0FDE
CloseHandle.KERNEL32(?,081DA4CA,?,?,00000000,003ED5CD,000000FF,?,0047FF70,00000000,0047FF70,00000000,?,80000001,00000001,00000000), ref: 001B106E

Strings

AppEvents\Schemes\Apps\Explorer\Navigating\.Current, xrefs: 001B0DA0
Caphyon.AI.ExtUI.IEClickSoundRemover, xrefs: 001B0D26

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Close$CreateErrorEventHandleLast
String ID: AppEvents\Schemes\Apps\Explorer\Navigating\.Current$Caphyon.AI.ExtUI.IEClickSoundRemover
API String ID: 1253123496-2079760225
Opcode ID: fb6467291e874a71c35fa16fe8a4645794baadaf52995d0d3dbb3a3e932a7222
Instruction ID: 0e101211bedc2378ba267041de37961b42dce1bec14dad90609065d3c08b23da
Opcode Fuzzy Hash: fb6467291e874a71c35fa16fe8a4645794baadaf52995d0d3dbb3a3e932a7222
Instruction Fuzzy Hash: 60C1CE70E00248EFDB14DF68C854BEEBBB4FF59304F14825DE459A7681DB74AA84CB91

Function 002FD110 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 213COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,081DA4CA,?), ref: 002FD1A7
SymSetSearchPath.IMAGEHLP(081DA4CA,?,081DA4CA,?), ref: 002FD408

Strings

-> , xrefs: 002FD9EC
%hs:%ld, xrefs: 002FD6A4
%hs(), xrefs: 002FD8DA
[0x%.8Ix] , xrefs: 002FD7F7

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: FileModuleNamePathSearch
String ID: -> $%hs()$%hs:%ld$[0x%.8Ix]
API String ID: 1980563475-3499247214
Opcode ID: caed32833b54b3a33510244587b20ec64bce8542fe55e12291d8ba0441b6971c
Instruction ID: 56e1d84cd87e4b93fbbbe7880d2ec3b49e4de8bf6e90ec195921456f1b3d9d81
Opcode Fuzzy Hash: caed32833b54b3a33510244587b20ec64bce8542fe55e12291d8ba0441b6971c
Instruction Fuzzy Hash: F7919971D0056C8BCB29CF24CC45BEDB7B5AB4A314F1042E9E65DA7292DB709E94CF81

Function 002F44E0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 179fileCOMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNEL32(?,00000000,?,\\?\,00000004,?,?,00000000,?,?,003EDABD,000000FF,?,002F4838,?), ref: 002F4590

Part of subcall function 0019A920: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,?,0033A058,\\.\pipe\ToServer,?,00000000,?,?,003EDFC6,000000FF,?,00339551), ref: 0019A943

RemoveDirectoryW.KERNEL32(?,081DA4CA,?,?,00000000,?,?,003EDABD,000000FF,?,002F4838,?,00000000), ref: 002F45CB
GetLastError.KERNEL32(?,081DA4CA,?,?,00000000,?,?,003EDABD,000000FF,?,002F4838,?,00000000), ref: 002F45DB
DeleteFileW.KERNEL32(?,00000000,?,\\?\,00000004,?,?,00000000,?,00000000,003EDABD,000000FF,?,80004005,081DA4CA), ref: 002F46B0
GetLastError.KERNEL32(?,?,00000000,?,00000000,003EDABD,000000FF,?,80004005,081DA4CA,?,?,00000000,?,?,003EDABD), ref: 002F46FB

Part of subcall function 0019B480: GetProcessHeap.KERNEL32 ref: 0019B4D5

Strings

\\?\, xrefs: 002F4551, 002F4563, 002F456D, 002F4671, 002F4683, 002F468D

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: DirectoryErrorLastRemove$DeleteFileFindHeapProcessResource
String ID: \\?\
API String ID: 728736790-4282027825
Opcode ID: 7721e90d0122cbebe78a9f7dd223dd0ed1ca5c9ddc3cd6a45a229b54cc575d68
Instruction ID: db88d28ace1b4c8145d2c8eb1068c9db9f32782b344cb7bdc0981a63ba7db8bf
Opcode Fuzzy Hash: 7721e90d0122cbebe78a9f7dd223dd0ed1ca5c9ddc3cd6a45a229b54cc575d68
Instruction Fuzzy Hash: A851E335A006199FCB00EF68D854B6EF7A8FF04761F14466AFA21D7391DBB49904CB94

Function 001AC230 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 159threadCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000E,081DA4CA,?,?,?,00000000,00000000,?), ref: 001AC26F
GetCurrentThreadId.KERNEL32 ref: 001AC2B3
EnterCriticalSection.KERNEL32(005196CC), ref: 001AC2D3
LeaveCriticalSection.KERNEL32(005196CC), ref: 001AC2F7
CreateWindowExW.USER32(?,?,00000000,005196CC,?,?,?,?,00000000,?,00000000), ref: 001AC351

Part of subcall function 003BF5E9: GetProcessHeap.KERNEL32(00000008,00000008,00000000,00322A61,?,?,?), ref: 003BF5EE
Part of subcall function 003BF5E9: HeapAlloc.KERNEL32(00000000,?,?,?), ref: 003BF5F5

Strings

AXWIN UI Window, xrefs: 001AC3DA

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: CriticalHeapSection$AllocCreateCurrentEnterErrorLastLeaveProcessThreadWindow
String ID: AXWIN UI Window
API String ID: 213679520-1592869507
Opcode ID: 677516facdf7351399ad065d96b5002f890fbe291022dbac5559e499e2689bf1
Instruction ID: b09fffaa32aa4fdb193100e0a01910bd3fc7cc081a12713c265107088917eab2
Opcode Fuzzy Hash: 677516facdf7351399ad065d96b5002f890fbe291022dbac5559e499e2689bf1
Instruction Fuzzy Hash: 7551A376604305AFEB20DF59EC45BAABBF4FF95B25F10852AF904D7290D770A814CBA0

Function 001B0A20 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 150fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,?,081DA4CC), ref: 001B0B63
CloseHandle.KERNEL32(00000000), ref: 001B0BC0

Part of subcall function 003BFF15: AcquireSRWLockExclusive.KERNEL32(00512A40,?,?,?,0019B526,00513654,081DA4CA,?,?,003E8E9D,000000FF,?,0033947D,081DA4CA,?), ref: 003BFF20
Part of subcall function 003BFF15: ReleaseSRWLockExclusive.KERNEL32(00512A40,?,?,0019B526,00513654,081DA4CA,?,?,003E8E9D,000000FF,?,0033947D,081DA4CA,?), ref: 003BFF5A

WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 001B0C27
CloseHandle.KERNEL32(00000000,?), ref: 001B0C4D

Part of subcall function 003BFEC4: AcquireSRWLockExclusive.KERNEL32(00512A40,?,?,0019B597,00513654,00451520), ref: 003BFECE
Part of subcall function 003BFEC4: ReleaseSRWLockExclusive.KERNEL32(00512A40,?,?,0019B597,00513654,00451520), ref: 003BFF01
Part of subcall function 003BFEC4: WakeAllConditionVariable.KERNEL32(00512A3C,?,?,0019B597,00513654,00451520), ref: 003BFF0C

Strings

html, xrefs: 001B0B1C
aix, xrefs: 001B0B21

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ExclusiveLock$AcquireCloseFileHandleRelease$ConditionCreateVariableWakeWrite
String ID: aix$html
API String ID: 3683816281-2369804267
Opcode ID: 36f82a2c75d03fbd46b398f1e6f2f14bcd828247e9e0b77177985101280fcae9
Instruction ID: 49fc00d43e65dc42862fdff36381fc74d471109254b2020d57e29989a4d15201
Opcode Fuzzy Hash: 36f82a2c75d03fbd46b398f1e6f2f14bcd828247e9e0b77177985101280fcae9
Instruction Fuzzy Hash: 6261BCB0900248DFDB11DFA4D968BDEBBF0FB25708F108659E001AB2D1D7B95A48DBA1

Function 001CC040 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 132windowstringCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000043A,00000000,00000074), ref: 001CC0C1
lstrcpynW.KERNEL32(?,?,00000020), ref: 001CC141
MulDiv.KERNEL32(?,00000048,00000000), ref: 001CC17E
SendMessageW.USER32(?,00000444,00000000,00000074), ref: 001CC1B0

Strings

?, xrefs: 001CC184
t, xrefs: 001CC18C

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: MessageSend$lstrcpyn
String ID: ?$t
API String ID: 3928028829-1995845436
Opcode ID: c6e629575761ee24435db07314d35f0dcdf1a096af45697582eb33b0577adafd
Instruction ID: a38fc716697c8be6757b74052564a917358a0258e026646bc08b2ab5a709013c
Opcode Fuzzy Hash: c6e629575761ee24435db07314d35f0dcdf1a096af45697582eb33b0577adafd
Instruction Fuzzy Hash: 7C516F71604341AFD721DF60DC49F9ABBE8BB99300F04492DF699C6192D774E948CB92

Function 002F6020 Relevance: 10.6, APIs: 7, Instructions: 121processsynchronizationCOMMON

Download Yara Rule

APIs

Wow64DisableWow64FsRedirection.KERNEL32(00000000,081DA4CA,00000000,00000000), ref: 002F6089
CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 002F6101
GetLastError.KERNEL32 ref: 002F6112
WaitForSingleObject.KERNEL32(?,000000FF), ref: 002F612E
GetExitCodeProcess.KERNEL32(?,000000FF), ref: 002F613F
CloseHandle.KERNEL32(?), ref: 002F6149
Wow64RevertWow64FsRedirection.KERNEL32(00000000), ref: 002F6164

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Wow64$ProcessRedirection$CloseCodeCreateDisableErrorExitHandleLastObjectRevertSingleWait
String ID:
API String ID: 1153077990-0
Opcode ID: 6d1367b5b61ae7b161994a9130f01aa9429027b29b958392ed155d74ef7cda86
Instruction ID: 91ce383bb979a3a02d035ffcea490c0e6265cb9442740190a3acc3127cc64968
Opcode Fuzzy Hash: 6d1367b5b61ae7b161994a9130f01aa9429027b29b958392ed155d74ef7cda86
Instruction Fuzzy Hash: 5241B171E043499BDB10CFA5CC487AEFBF8EF59314F248269E914A7281D7349984CF50

Function 002FED10 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 83libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Shlwapi.dll,-00000001,00000000,?,?,?,?,?,?,?,?,0030B47B,?), ref: 002FED2F
GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 002FED45
FreeLibrary.KERNEL32(00000000), ref: 002FED88
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,0030B47B,?), ref: 002FEDA4

Strings

Shlwapi.dll, xrefs: 002FED28
DllGetVersion, xrefs: 002FED3F

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Library$Free$AddressLoadProc
String ID: DllGetVersion$Shlwapi.dll
API String ID: 1386263645-2240825258
Opcode ID: 5c3f60826f6b08bb7c5bc9e580ff8209400b2dc42384531a5120b65815aa09fc
Instruction ID: e33411b1353c84933f0437949fa98c88d08ba2ce8331dfad60151baf2a27f596
Opcode Fuzzy Hash: 5c3f60826f6b08bb7c5bc9e580ff8209400b2dc42384531a5120b65815aa09fc
Instruction Fuzzy Hash: 4A21DE766003054FCB24DF29E88566FFBE5EFDD255B400A3DF959C6211EA30D8898B92

Function 00310090 Relevance: 9.3, APIs: 6, Instructions: 346comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00310168
CoCreateInstance.COMBASE(0047FEB0,00000000,00000017,004A7CD4,?), ref: 0031019B
CoUninitialize.COMBASE ref: 0031023C

Part of subcall function 00322C60: CreateThread.KERNEL32(00000000,00000000,0033FED0,004A006C,00000000,?), ref: 00322CDD
Part of subcall function 00322C60: GetLastError.KERNEL32 ref: 00322CEA
Part of subcall function 00322C60: WaitForSingleObject.KERNEL32(00000000,FFFFFFFF), ref: 00322D13
Part of subcall function 00322C60: GetExitCodeThread.KERNEL32(00000000,?), ref: 00322D2D
Part of subcall function 00322C60: TerminateThread.KERNEL32(00000000,00000000), ref: 00322D45
Part of subcall function 00322C60: CloseHandle.KERNEL32(00000000), ref: 00322D4E

GetTickCount.KERNEL32 ref: 00310390
__Xtime_get_ticks.LIBCPMT ref: 00310398
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003103F1

Part of subcall function 0019B480: GetProcessHeap.KERNEL32 ref: 0019B4D5

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Thread$Create$CloseCodeCountErrorExitHandleHeapInitializeInstanceLastObjectProcessSingleTerminateTickUninitializeUnothrow_t@std@@@WaitXtime_get_ticks__ehfuncinfo$??2@
String ID:
API String ID: 560257006-0
Opcode ID: f23dfb9ac69b868c8abe643b2a8b919b59f3c510002e3c01c9fe78fd63bfa869
Instruction ID: d881916107b9f5772582fbc1637d093a41c996ad424e4d9768e4223b1708f704
Opcode Fuzzy Hash: f23dfb9ac69b868c8abe643b2a8b919b59f3c510002e3c01c9fe78fd63bfa869
Instruction Fuzzy Hash: 6BD1D371A003199FDF09DFA8D884BEEBBB4FF48314F144169E905AB391DB74AA45CB90

Function 001CEF20 Relevance: 9.2, APIs: 6, Instructions: 178windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000318,00000000,00000004), ref: 001CEF87
SendMessageW.USER32(?,00001304,00000000,00000000), ref: 001CEFAD
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001CEFC5
SendMessageW.USER32(?,0000130A,00000000,?), ref: 001CEFF3
GetParent.USER32(?), ref: 001CF0DB
SendMessageW.USER32(00000000,00000136,?,?), ref: 001CF0EC

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: MessageSend$Parent
String ID:
API String ID: 1020955656-0
Opcode ID: c78ed316231b55eec7f8355e96d37e503514c419ddabf22456189882097116ef
Instruction ID: 3e20658b740c8f60e0000a8d013a594db588d9f522bbd796a89eca90b84d9f6b
Opcode Fuzzy Hash: c78ed316231b55eec7f8355e96d37e503514c419ddabf22456189882097116ef
Instruction Fuzzy Hash: 39613872900218AFDB219FE4DC09FEEBBB9FF18710F104518F615AB2A0D7746A05DB20

Function 003BEF3D Relevance: 9.2, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001,?,?,?), ref: 003BEF86
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 003BEFF1
LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 003BF00E
LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000), ref: 003BF04D
LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 003BF0AC
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 003BF0CF

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: a8daed51c30b3b624e38ee05a1eafad10802e18b02afda76b9551e58bcdbca50
Instruction ID: 1ead75eb1bfab96e5503b4f694743b60c56cb264a158c3045de2c3511ad962d0
Opcode Fuzzy Hash: a8daed51c30b3b624e38ee05a1eafad10802e18b02afda76b9551e58bcdbca50
Instruction Fuzzy Hash: AC51C07290020AAFDB226F64CC44FEB7BA9EF40748F128039FA15EA961D770DC50CB50

Function 002D08B0 Relevance: 9.2, APIs: 6, Instructions: 170windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001036,00010000,00000000), ref: 002D0928
GetParent.USER32(00000000), ref: 002D0994
GetWindowRect.USER32(00000000), ref: 002D099B
GetParent.USER32(00000000), ref: 002D09AA

Part of subcall function 002834E0: GetWindowRect.USER32(?,?), ref: 0028357B
Part of subcall function 002834E0: GetWindowRect.USER32(?,?), ref: 00283593

SendMessageW.USER32(?,00001026,00000000,000000FF), ref: 002D0AA6
SendMessageW.USER32(?,0000108A,00000000,00000011), ref: 002D0ABD

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: MessageRectSendWindow$Parent
String ID:
API String ID: 425339167-0
Opcode ID: 1acbd52e67ff01bf7e1efb36cc734ce27593a872e9ff4e88e62f96986436a574
Instruction ID: 6546f229d16ea9b4ec8100fe100d4c7fb2ad8277cdd94788fe3df30f93fba62d
Opcode Fuzzy Hash: 1acbd52e67ff01bf7e1efb36cc734ce27593a872e9ff4e88e62f96986436a574
Instruction Fuzzy Hash: A2614575D10218AFDB10CFA4DC49BEDFBB8FF58310F24821AE815A7291DB746985CBA0

Function 001E05E0 Relevance: 9.2, APIs: 6, Instructions: 156COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001E062A
std::_Lockit::_Lockit.LIBCPMT ref: 001E064C
std::_Lockit::~_Lockit.LIBCPMT ref: 001E0674
__Getctype.LIBCPMT ref: 001E0755
std::_Facet_Register.LIBCPMT ref: 001E07B7
std::_Lockit::~_Lockit.LIBCPMT ref: 001E07EB

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: 5103cffb1cf0324973a91688592584cc024c5f1bcfd184bf5359417b3a55aa76
Instruction ID: 6a92ccfa36e050dbbd3315640546fe4eed26d463cc355e2c105a0ee374f6bb6c
Opcode Fuzzy Hash: 5103cffb1cf0324973a91688592584cc024c5f1bcfd184bf5359417b3a55aa76
Instruction Fuzzy Hash: E561CFB0C00649CFDB02DF69C9417AEFBB0FF68314F148259D844AB391E7B4AA95CB91

Function 001DC2D0 Relevance: 9.1, APIs: 6, Instructions: 144COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001DC317
std::_Lockit::_Lockit.LIBCPMT ref: 001DC339
std::_Lockit::~_Lockit.LIBCPMT ref: 001DC361
__Getctype.LIBCPMT ref: 001DC43F
std::_Facet_Register.LIBCPMT ref: 001DC473
std::_Lockit::~_Lockit.LIBCPMT ref: 001DC4A7

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: 578fe1f2d3ba1ad06fb289ee7f41ed7d37dca6bbc8bb388e1d0ea4144d6efb29
Instruction ID: b81fd5c15eea1fa0f11fc1593a09245c3d232f48a06a4f10eca7818fc8b71bd2
Opcode Fuzzy Hash: 578fe1f2d3ba1ad06fb289ee7f41ed7d37dca6bbc8bb388e1d0ea4144d6efb29
Instruction Fuzzy Hash: 5F519AB190024ADFDB01DF58C8817AEFBB4FF10314F24855AE805AB391EB74AA49CBD1

Function 001E03E0 Relevance: 9.1, APIs: 6, Instructions: 142COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001E041D
std::_Lockit::_Lockit.LIBCPMT ref: 001E043F
std::_Lockit::~_Lockit.LIBCPMT ref: 001E0467
__Getcoll.LIBCPMT ref: 001E0531
std::_Facet_Register.LIBCPMT ref: 001E0576
std::_Lockit::~_Lockit.LIBCPMT ref: 001E05B7

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetcollRegister
String ID:
API String ID: 1184649410-0
Opcode ID: 8d9c953e94f7c01321a6263f3d79be358abc9efe29af2bab8190a724f8437a09
Instruction ID: 074e8a07ff84555b449551018d826255cbf48e40d57157ae347f0e6596252f65
Opcode Fuzzy Hash: 8d9c953e94f7c01321a6263f3d79be358abc9efe29af2bab8190a724f8437a09
Instruction Fuzzy Hash: B751BBB1C00648EFCB02DF98D994B9DBBB0FF54314F248059E815AB391D7B4AE49CB91

Function 003C164A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,003C1641,003C1604,?,?,001D38FD,002F2270,?,00000008), ref: 003C1658
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 003C1666
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 003C167F
SetLastError.KERNEL32(00000000,003C1641,003C1604,?,?,001D38FD,002F2270,?,00000008), ref: 003C16D1

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 409c2746e93f91a5096c8fbbcde74456dde5f78c576d0cb364517d19d72e3074
Instruction ID: 8c1e10e16610d26223ad0d1325d43641d0a5c7003578775b7a94c3570246e33d
Opcode Fuzzy Hash: 409c2746e93f91a5096c8fbbcde74456dde5f78c576d0cb364517d19d72e3074
Instruction Fuzzy Hash: A601D8321093126EE63727757C5AF5A2688DB12775736023EF920D99E3EF525C187384

Function 001CECD0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 189windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0019B480: GetProcessHeap.KERNEL32 ref: 0019B4D5

CreateWindowExW.USER32(?,SysTabControl32,?,46010000,00000000,80000000,00000000,00000000,?,00000309,00000000), ref: 001CEDEA
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 001CEDF9
SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 001CEE05

Part of subcall function 0019A920: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,?,0033A058,\\.\pipe\ToServer,?,00000000,?,?,003EDFC6,000000FF,?,00339551), ref: 0019A943

Strings

SysTabControl32, xrefs: 001CEDE2
TabHost, xrefs: 001CED5A, 001CED6C, 001CED76

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: MessageSend$CreateFindHeapProcessResourceWindow
String ID: SysTabControl32$TabHost
API String ID: 2520390496-2872506973
Opcode ID: 9b2f47f1ef107d94a1a9f0c0b049871aec7b105ce62620e8893f43c21a40087b
Instruction ID: 7dd4e86dd314faec0642bf0eb2a6c0adf3bece6eb6c2f7f17ddfee6d0c799e7b
Opcode Fuzzy Hash: 9b2f47f1ef107d94a1a9f0c0b049871aec7b105ce62620e8893f43c21a40087b
Instruction Fuzzy Hash: 58619035A002149FCB14DF68D884BAEBBB5FF8C320F144569E915AB391DB34AD05CB95

Function 00318320 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000000,?,R.1,00000000,?,00000000,00000000,?,00000000,?,?,?,00312E52,?,00000003), ref: 003183ED
GetLastError.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,00312E52,?,00000003,00000009,081DA4CA,00000000), ref: 003183FE
WideCharToMultiByte.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 0031841F
WideCharToMultiByte.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00318471

Strings

R.1, xrefs: 003183DF

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID: R.1
API String ID: 1717984340-3399494362
Opcode ID: 4ca642013c7322159384a584924aa5d8443871144a210c7d86be1310768fe5af
Instruction ID: 324f09a0c1d4c5e3ddc7da29ef68a9bbaaa98fb088f2cd04ee6899832d4cc1b4
Opcode Fuzzy Hash: 4ca642013c7322159384a584924aa5d8443871144a210c7d86be1310768fe5af
Instruction Fuzzy Hash: 9E51AB71604306FBDB265F65AC81FAB739CEF08B04F244939FA46EA181EF71D8908749

Function 002F6190 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 002F6334
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 002F6350
GetExitCodeProcess.KERNEL32(00000000,00433177), ref: 002F6361
CloseHandle.KERNEL32(00000000), ref: 002F636F

Strings

open, xrefs: 002F6210

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: CloseCodeErrorExitHandleLastObjectProcessSingleWait
String ID: open
API String ID: 2321548817-2758837156
Opcode ID: ff7b3f9b9a7131dfc5b18b1afefc847eff11c7d815c2c1f390cbce4eae3cf825
Instruction ID: 28491a3a8dcc943adad42d46002b5619820d76bf08e2c5c180f5081013a4249f
Opcode Fuzzy Hash: ff7b3f9b9a7131dfc5b18b1afefc847eff11c7d815c2c1f390cbce4eae3cf825
Instruction Fuzzy Hash: 07717D71A0064A8BDB04CF68C8587AEFBB4FF48764F144269E925A73D1DB78AD45CF80

Function 001B8870 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 88COMMON

Download Yara Rule

APIs

InterlockedPushEntrySList.KERNEL32(005136C8,00513730,081DA4CA,00000800), ref: 001B8952

Strings

,7Q, xrefs: 001B8921
@<H, xrefs: 001B88B6
&, xrefs: 001B88AF
(7Q, xrefs: 001B8933

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: EntryInterlockedListPush
String ID: &$(7Q$,7Q$@<H
API String ID: 4129690577-3918691093
Opcode ID: a3f10676e17682fa5b9a702e4983aae73ffbb61697f616058eff4a7cd6e2f804
Instruction ID: 5df9bbd59d60d61ad55fd3fcde2c0a20692c3d5049cd3dabd9f335c6215ca78b
Opcode Fuzzy Hash: a3f10676e17682fa5b9a702e4983aae73ffbb61697f616058eff4a7cd6e2f804
Instruction Fuzzy Hash: 713169B1D0021AEBDF01CFA4C845BEEBBB8FB58718F10452AE81167280DBB55B48CBD1

Function 001DF8A0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 001DF8F2
OpenProcessToken.ADVAPI32(00000000,00000028,00000000), ref: 001DF8FF
GetLastError.KERNEL32 ref: 001DF93D
CloseHandle.KERNEL32(00000000), ref: 001DF974

Strings

SeShutdownPrivilege, xrefs: 001DF90D

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Process$CloseCurrentErrorHandleLastOpenToken
String ID: SeShutdownPrivilege
API String ID: 2767541406-3733053543
Opcode ID: a4d03a2c39d4c72da09d19b086af9192c8a616be4d80ff6b30cc4c7f56581417
Instruction ID: 3991676f00e53f2361ee9141f392f8ae3c0fbf0c0781c08dd50fb9916bdefd24
Opcode Fuzzy Hash: a4d03a2c39d4c72da09d19b086af9192c8a616be4d80ff6b30cc4c7f56581417
Instruction Fuzzy Hash: FB314D71A40209AFDB14DFA0DC59BEEBBB8FB08715F104129E512B72C0D775AA09CB64

Function 002D0B40 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 76libraryloaderwindowCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(SetWindowTheme), ref: 002D0C0D
SendMessageW.USER32(?,00001036,00010000,00010000), ref: 002D0C58

Part of subcall function 003BFF15: AcquireSRWLockExclusive.KERNEL32(00512A40,?,?,?,0019B526,00513654,081DA4CA,?,?,003E8E9D,000000FF,?,0033947D,081DA4CA,?), ref: 003BFF20
Part of subcall function 003BFF15: ReleaseSRWLockExclusive.KERNEL32(00512A40,?,?,0019B526,00513654,081DA4CA,?,?,003E8E9D,000000FF,?,0033947D,081DA4CA,?), ref: 003BFF5A

Part of subcall function 002755B0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 002755F2

Part of subcall function 003BFEC4: AcquireSRWLockExclusive.KERNEL32(00512A40,?,?,0019B597,00513654,00451520), ref: 003BFECE
Part of subcall function 003BFEC4: ReleaseSRWLockExclusive.KERNEL32(00512A40,?,?,0019B597,00513654,00451520), ref: 003BFF01
Part of subcall function 003BFEC4: WakeAllConditionVariable.KERNEL32(00512A3C,?,?,0019B597,00513654,00451520), ref: 003BFF0C

Strings

explorer, xrefs: 002D0C38
UxTheme.dll, xrefs: 002D0BA1
SetWindowTheme, xrefs: 002D0C02

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease$AddressConditionDirectoryMessageProcSendSystemVariableWake
String ID: SetWindowTheme$UxTheme.dll$explorer
API String ID: 1065053019-3123591815
Opcode ID: 7b645d2badce5291a0ef55dfff9fdc94a37907aaf2586b6848c6342bd1643e72
Instruction ID: c676d10abb18d9e9d034e7aa720689e2e1712f0c6291dd074aa6813eb493bf36
Opcode Fuzzy Hash: 7b645d2badce5291a0ef55dfff9fdc94a37907aaf2586b6848c6342bd1643e72
Instruction Fuzzy Hash: A0210171A81B01BBD722EF14EC45B99BB60F716B21F108626F921673E0C775AD04DB52

Function 003CCB2E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,081DA4CA,?,?,00000000,004512D0,000000FF,?,003CCABE,?,?,003CCA92,?), ref: 003CCB63
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 003CCB75
FreeLibrary.KERNEL32(00000000,?,00000000,004512D0,000000FF,?,003CCABE,?,?,003CCA92,?), ref: 003CCB97

Strings

mscoree.dll, xrefs: 003CCB5C
CorExitProcess, xrefs: 003CCB6D

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 78a6560bc4f005c8082b9c50d35b705d58e630796efe25a1731bba8cb7534125
Instruction ID: d5ba1c32aeb744a9f7babca9bf7df9bfd68d6a66247fc48ff45ec444de679181
Opcode Fuzzy Hash: 78a6560bc4f005c8082b9c50d35b705d58e630796efe25a1731bba8cb7534125
Instruction Fuzzy Hash: E201A73191075DABDB128B90DC09FAEB7B8FB44B15F000679F815E62E0DB749C04CB84

Function 001B5A20 Relevance: 7.8, APIs: 4, Strings: 1, Instructions: 346memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,00000000,?,00000000,081DA4CA), ref: 001B5AE6
HeapFree.KERNEL32(00000000,?,00000000,?,00000000,081DA4CA), ref: 001B5AEC
GetProcessHeap.KERNEL32(?,00000000), ref: 001B5C85
HeapFree.KERNEL32(00000000,?,00000000), ref: 001B5C8B

Strings

#, xrefs: 001B5DB5

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Heap$FreeProcess
String ID: #
API String ID: 3859560861-1885708031
Opcode ID: 3d287922fb9fb1395be0a868c132343fede35bf730676945445f6f83d910fcf0
Instruction ID: b3de43a4353efede04b81738dd1cab7317c673b156fe6e9e84daf0bb8a86c3e4
Opcode Fuzzy Hash: 3d287922fb9fb1395be0a868c132343fede35bf730676945445f6f83d910fcf0
Instruction Fuzzy Hash: 2ED19C71E00609CFDB19CFA8C9857EEFBB6FF54314F1442A9E815A7280D7B56A05CBA0

Function 001E8450 Relevance: 7.8, APIs: 5, Instructions: 291memoryCOMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000000), ref: 001E84B5
GetProcessHeap.KERNEL32(?,00000000), ref: 001E85C8
HeapFree.KERNEL32(00000000,?,00000000), ref: 001E85CE
GetProcessHeap.KERNEL32(?,00000000), ref: 001E865F
HeapFree.KERNEL32(00000000,?,00000000), ref: 001E8665
CoUninitialize.COMBASE ref: 001E87C8

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Heap$FreeProcess$InitializeUninitialize
String ID:
API String ID: 4239879612-0
Opcode ID: 32e5af9e0bd8b4c28d38246077562069d1efba9b907d7e1dd2cbfcdda8255a96
Instruction ID: fcfa4f5114406ec2d806700bba1437295b89d8f6ba23fcfdefe7628eaf203e59
Opcode Fuzzy Hash: 32e5af9e0bd8b4c28d38246077562069d1efba9b907d7e1dd2cbfcdda8255a96
Instruction Fuzzy Hash: 79B18C70E00659DFDF15CFA5C845BAEBBB8BF58304F1041A9E909AB291DB74AE05CF60

Function 001A2B30 Relevance: 7.7, APIs: 5, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(-000000FE,?,?), ref: 001A2CF4
HeapFree.KERNEL32(00000000,-000000FE,?,?), ref: 001A2CFA
GetProcessHeap.KERNEL32(-000000FE,00000000,00000000,00000000,00000000,00000000,081DA4CA,?,?,?), ref: 001A2D27
HeapFree.KERNEL32(00000000,-000000FE,00000000,00000000,00000000,00000000,00000000,081DA4CA,?,?,?), ref: 001A2D2D
SysFreeString.OLEAUT32(00000000), ref: 001A2D45

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Heap$Free$Process$String
String ID:
API String ID: 2583249535-0
Opcode ID: c55809c6ac16c4490827eab4e5ff0bd4915503d30822998d739507f601035588
Instruction ID: 4988ef752175596d0725cd0e64c6b15f64b6839c79f149a015e028168c57a9cd
Opcode Fuzzy Hash: c55809c6ac16c4490827eab4e5ff0bd4915503d30822998d739507f601035588
Instruction Fuzzy Hash: 8F81AC74E00209DFDF15DFA8C844BEEBBB4AF0A314F244159E811AB292C7789E04CBA1

Function 002F42C0 Relevance: 7.7, APIs: 5, Instructions: 168fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,?,004988D8,00000001,081DA4CA,?,0000000A,?,00000000,00432C6D,000000FF), ref: 002F43E1
SetFileAttributesW.KERNEL32(?,00000000), ref: 002F43F2
GetFileAttributesW.KERNEL32(?,?,?,004988D8,00000001,081DA4CA,?,0000000A,?,00000000,00432C6D,000000FF), ref: 002F4405
SetFileAttributesW.KERNEL32(?,00000000), ref: 002F4416
FindNextFileW.KERNEL32(?,?), ref: 002F4466

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: File$Attributes$FindNext
String ID:
API String ID: 3019667586-0
Opcode ID: c41ec4c4748d05199878a3521aea177a96aca2d8f382b47032d562889c504789
Instruction ID: 4b101530874a602642264f1d979791beb0490c8653c2de0107351a6aaa457e78
Opcode Fuzzy Hash: c41ec4c4748d05199878a3521aea177a96aca2d8f382b47032d562889c504789
Instruction Fuzzy Hash: 9F51BD3052060A9FDB24EF68CC48BBEB774FF50355F144229EA25A62E1DBB49A55CB10

Function 001A8FA0 Relevance: 7.6, APIs: 5, Instructions: 132windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 001A8FFF
GetDlgItem.USER32(?,?), ref: 001A9024
SendMessageW.USER32(?,?,?,?), ref: 001A90F8

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ItemMessageSendWindow
String ID:
API String ID: 799199299-0
Opcode ID: e71461db2e777d8db7c3039c7cd3efc777c047f9e0ceae7244ff5ef792968305
Instruction ID: f627db9d01e6437271fba3611bcab0d9ad48de94b53fc17eb9bc65a9e6064024
Opcode Fuzzy Hash: e71461db2e777d8db7c3039c7cd3efc777c047f9e0ceae7244ff5ef792968305
Instruction Fuzzy Hash: A441D43A3001029FC7188F25D998E77B7B9FB86361F14496AF44ACB561DB32EC90DB20

Function 00280E90 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00280EC4
std::_Lockit::_Lockit.LIBCPMT ref: 00280EE6
std::_Lockit::~_Lockit.LIBCPMT ref: 00280F0E
std::_Facet_Register.LIBCPMT ref: 00281004
std::_Lockit::~_Lockit.LIBCPMT ref: 00281038

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 2d44d029f044aa0aa7bceb33ecfe9a2ee09316e6f2f50c7e6452ba06d2cc427c
Instruction ID: 8c42006016be3c6b5919fe215ec442e070b73795138c4c7302c6680a367622a5
Opcode Fuzzy Hash: 2d44d029f044aa0aa7bceb33ecfe9a2ee09316e6f2f50c7e6452ba06d2cc427c
Instruction Fuzzy Hash: 2651D474901246DFDB12DF58D880BAEBBB4FF20318F248059D815AB3D1DBB59A1ACBD0

Function 002EC240 Relevance: 7.6, APIs: 5, Instructions: 125COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 002EC274
std::_Lockit::_Lockit.LIBCPMT ref: 002EC296
std::_Lockit::~_Lockit.LIBCPMT ref: 002EC2BE
std::_Facet_Register.LIBCPMT ref: 002EC3A7
std::_Lockit::~_Lockit.LIBCPMT ref: 002EC3DB

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 22f3cccd06e521afaab8a75b2d698d2d9930a0160fc395c892cd953d32e57599
Instruction ID: f46cde5ddfa3c165ed8897177f960f1bea362b8a47099776342516ae99598f35
Opcode Fuzzy Hash: 22f3cccd06e521afaab8a75b2d698d2d9930a0160fc395c892cd953d32e57599
Instruction Fuzzy Hash: 1A51F671900245CFCF02CF99C8857EEBBB0FF50328F248099E815AB391D7B59A16CB91

Function 003BCF0D Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 003BCF21
AcquireSRWLockExclusive.KERNEL32(00000008,?,001D82DF,00000000,081DA4CA), ref: 003BCF40
AcquireSRWLockExclusive.KERNEL32(00000008,?,?,?,001D82DF,00000000,081DA4CA), ref: 003BCF6E
TryAcquireSRWLockExclusive.KERNEL32(00000008,?,?,?,001D82DF,00000000,081DA4CA), ref: 003BCFC9
TryAcquireSRWLockExclusive.KERNEL32(00000008,?,?,?,001D82DF,00000000,081DA4CA), ref: 003BCFE0

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: 608690e8d48d3c1dc6dc02a94f0f35ab40a2b85c698c85ff896fbda79a59ef66
Instruction ID: 4cf8e4f8ad8950556fa37b2795c0abca085111ce42550216b1cb4898e5b727c0
Opcode Fuzzy Hash: 608690e8d48d3c1dc6dc02a94f0f35ab40a2b85c698c85ff896fbda79a59ef66
Instruction Fuzzy Hash: 32418831A1060ADBCB32DF64D4909FAF3BAFF08319B1149AAE646C7D40E730E985CB54

Function 001BF570 Relevance: 7.6, APIs: 5, Instructions: 55windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 001BF57A
SendMessageW.USER32(?,?,?,0000102B), ref: 001BF5D1
SendMessageW.USER32(?,?,?,0000102B), ref: 001BF624
SendMessageW.USER32(?,00001043,00000000,00000000), ref: 001BF639
SendMessageW.USER32(?,00001013,00000000,00000000), ref: 001BF64A

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: bf38c23d2a12bd35af715a0ea0bf30377e4eb35aeb4d2746459930c59088fe08
Instruction ID: 7092ccb65aec1d15def886f924bb5cac6af5d3d07662a4a2573eb656fe861884
Opcode Fuzzy Hash: bf38c23d2a12bd35af715a0ea0bf30377e4eb35aeb4d2746459930c59088fe08
Instruction Fuzzy Hash: DE214D71818386A7E3208F00DD44B5AFBF5BFED718F206B0EF1A0210A4E7F595849B96

Function 002EEF80 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 250COMMON

Download Yara Rule

APIs

Part of subcall function 002FDCD0: SHGetSpecialFolderLocation.SHELL32(00000000,00000023,?,?,80000002,80000002,00514380), ref: 002FDCE0
Part of subcall function 002FDCD0: LoadLibraryW.KERNEL32(Shell32.dll,?,80000002,80000002,00514380), ref: 002FDCF3
Part of subcall function 002FDCD0: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 002FDD03

PathFileExistsW.SHLWAPI(?,ADVINST_LOGS,0000000C,00514380), ref: 002EF076

Part of subcall function 0019B0F0: RtlAllocateHeap.NTDLL(?,00000000,?,081DA4CA,00000000,003E8920,000000FF,?,?,0050A344,?,?,003394E7,80004005,081DA4CA,?), ref: 0019B13A

Strings

ADVINST_LOGS, xrefs: 002EF069
Everyone, xrefs: 002EF099

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: AddressAllocateExistsFileFolderHeapLibraryLoadLocationPathProcSpecial
String ID: ADVINST_LOGS$Everyone
API String ID: 3321256476-3921853867
Opcode ID: ff86d05959c8e0cd19f5e638750890bead00571d07813a4b6f2816b855effc62
Instruction ID: 7c7982fc3b759449b869617f76cf1bba6e3ebdcf3645e6553234899269596e05
Opcode Fuzzy Hash: ff86d05959c8e0cd19f5e638750890bead00571d07813a4b6f2816b855effc62
Instruction Fuzzy Hash: DEA12071901249CFDF00DFA8CA49BAEBBB0EF54324F244168E815BB392DB355E05CBA1

Function 001B54B0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 228COMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI(?,?,?,?,081DA4CA,*.*), ref: 001B55A4

Strings

\\?\, xrefs: 001B56BE, 001B5729
*.*, xrefs: 001B54C6
\\?\UNC\, xrefs: 001B55C6, 001B56A5

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Path
String ID: *.*$\\?\$\\?\UNC\
API String ID: 2875597873-1700010636
Opcode ID: e69c7094caa5b35ed45b3b3915987b51bc17402c7443c439fda8e93457862943
Instruction ID: ddaf7a920b12e952bb4f66b264ccd90083cf291e11902e055b2068e81d79317b
Opcode Fuzzy Hash: e69c7094caa5b35ed45b3b3915987b51bc17402c7443c439fda8e93457862943
Instruction Fuzzy Hash: C281F170A00A15CBDB14DF68C848BBEB7B6FF54328F544269E412AB3D1CB769E01CB80

Function 003DA47D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 202COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 003DA62C

Part of subcall function 003D847B: RtlAllocateHeap.NTDLL(00000000,00000000,003D601B,?,003DA123,?,00000000,?,003C9DBC,00000000,003D601B,?,?,?,?,003D5E15), ref: 003D84AD

__freea.LIBCMT ref: 003DA641
__freea.LIBCMT ref: 003DA651

Strings

qK<, xrefs: 003DA560

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: __freea$AllocateHeap
String ID: qK<
API String ID: 2243444508-2526032188
Opcode ID: 998e48b1cd2d8fea1de6b4a080569b000bdb36c9f99b9544552ac09b6f079818
Instruction ID: 9fceeb6e7db137ec187f58d0c65704917aaa8b11df3a78751b0e8f597b39cd34
Opcode Fuzzy Hash: 998e48b1cd2d8fea1de6b4a080569b000bdb36c9f99b9544552ac09b6f079818
Instruction Fuzzy Hash: 6E51B473600516AFDF269F65ED41EBB37A9EF44350B1A052AFD04DA310EA71CD1087A1

Function 002FDA60 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 197comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 002FDA91
CoCreateInstance.COMBASE(0049B5E8,00000000,00000001,0049B5F8,00000000), ref: 002FDAC1
CoUninitialize.COMBASE ref: 002FDCAB

Strings

{374DE290-123F-4565-9164-39C4925E467B}, xrefs: 002FDB0D

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: {374DE290-123F-4565-9164-39C4925E467B}
API String ID: 948891078-4280329633
Opcode ID: f1e37dff29c49e5d0be97fec4d211631ba86c0f0f3bf6faab303781630b25448
Instruction ID: 795397a700d97065e80c5fbf1259e94144a0135f2c642815b80db5fa28150e6b
Opcode Fuzzy Hash: f1e37dff29c49e5d0be97fec4d211631ba86c0f0f3bf6faab303781630b25448
Instruction Fuzzy Hash: 5271FF70A2021D9FDF10DFA4D854BFEBBB1FF08744F04406AE942AB290DBB85955CBA5

Function 002F4600 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,00000000,?,\\?\,00000004,?,?,00000000,?,00000000,003EDABD,000000FF,?,80004005,081DA4CA), ref: 002F46B0

Part of subcall function 0019A920: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,?,0033A058,\\.\pipe\ToServer,?,00000000,?,?,003EDFC6,000000FF,?,00339551), ref: 0019A943

DeleteFileW.KERNEL32(?,081DA4CA,?,?,?,?,00000000,003EDABD,000000FF,?,002F4424), ref: 002F46EB
GetLastError.KERNEL32(?,?,00000000,?,00000000,003EDABD,000000FF,?,80004005,081DA4CA,?,?,00000000,?,?,003EDABD), ref: 002F46FB

Part of subcall function 0019B480: GetProcessHeap.KERNEL32 ref: 0019B4D5

Strings

\\?\, xrefs: 002F4551, 002F4563, 002F456D, 002F4671, 002F4683, 002F468D

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: DeleteFile$ErrorFindHeapLastProcessResource
String ID: \\?\
API String ID: 2079828947-4282027825
Opcode ID: dd0d41974803520af7002305db8c5cb263888f50e51f1af6c3df0702dbaa9273
Instruction ID: b1b6c7bece510ff8d548efa84c4bd8bd78af8505827403c20c516baa822f701a
Opcode Fuzzy Hash: dd0d41974803520af7002305db8c5cb263888f50e51f1af6c3df0702dbaa9273
Instruction Fuzzy Hash: 1231F4356006199FCB00EF68D858B6EF7A8FF05365F140569EA21D7391DBB59D04CF84

Function 001A2A10 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 80libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(combase.dll,RoOriginateLanguageException), ref: 001A2A54
GetProcAddress.KERNEL32(00000000,combase.dll), ref: 001A2A5A

Strings

RoOriginateLanguageException, xrefs: 001A2A4A
combase.dll, xrefs: 001A2A4F

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RoOriginateLanguageException$combase.dll
API String ID: 2574300362-3996158991
Opcode ID: cb0aa68bacdc1c9d0e60d8f711a8a29bb2efa8ac69ddcbc14f57cfd3dca45acb
Instruction ID: d96de34a1b54a537492e68e1f2f375feb2d732f95b32886e1c790b9b9ad62615
Opcode Fuzzy Hash: cb0aa68bacdc1c9d0e60d8f711a8a29bb2efa8ac69ddcbc14f57cfd3dca45acb
Instruction Fuzzy Hash: 03317C75D002299BCB26DF98C905BEEBBB4FB15710F10462AE815A72D0DBB45A48CBD1

Function 00330460 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00000000,0032DE8A,00000000,081DA4CA,?,?,00000000), ref: 0033046E
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00000000,0032DE8A,00000000,081DA4CA,?,?,00000000), ref: 00330499
GetLastError.KERNEL32(0032DE8A,00000000,081DA4CA,?,?,00000000,?,?,?,?,?,0043D0D5,000000FF,?,0032D822,?), ref: 00330503

Strings

AdvancedInstaller, xrefs: 003304EA

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: CreateEvent$ErrorLast
String ID: AdvancedInstaller
API String ID: 1131763895-1372594473
Opcode ID: dba93752f2108894ff7afcbac3935847edf1ad058f0b3a7b9339c31c5903126e
Instruction ID: 012544749acee7e4da480583621f158a4c71824238b3a6d207182dc57abd2609
Opcode Fuzzy Hash: dba93752f2108894ff7afcbac3935847edf1ad058f0b3a7b9339c31c5903126e
Instruction Fuzzy Hash: A7219331240304ABDB15AF21DCD9B563BA8EF84709F104069FA019F2D6DBB1E941CB94

Function 002D0590 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002D0B40: GetProcAddress.KERNEL32(SetWindowTheme), ref: 002D0C0D
Part of subcall function 002D0B40: SendMessageW.USER32(?,00001036,00010000,00010000), ref: 002D0C58

CreateWindowExW.USER32(80000000,SysListView32,?,00000000,?,80000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 002D05E2
SendMessageW.USER32(00000000,00000031,00000000,00000000), ref: 002D05FA
SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 002D0606

Part of subcall function 001AA110: SetWindowLongW.USER32(?,000000FC,00000000), ref: 001AA152

Strings

SysListView32, xrefs: 002D05D9

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: MessageSend$Window$AddressCreateLongProc
String ID: SysListView32
API String ID: 5470851-78025650
Opcode ID: c4c7e475a4329a1b6619ac7a064f97a2f0fca210651343a7d6edf54a8b6a8875
Instruction ID: c1bf3a1d848438c462e3172ee5884798042257cb3247dc28635c866bbe06e5eb
Opcode Fuzzy Hash: c4c7e475a4329a1b6619ac7a064f97a2f0fca210651343a7d6edf54a8b6a8875
Instruction Fuzzy Hash: 5311AC35300310BFD2109B15CC05F5BFBA9FB89754F008619FA44A72A0C3B1ED00CBA1

Function 002FCDB0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 003BFF15: AcquireSRWLockExclusive.KERNEL32(00512A40,?,?,?,0019B526,00513654,081DA4CA,?,?,003E8E9D,000000FF,?,0033947D,081DA4CA,?), ref: 003BFF20
Part of subcall function 003BFF15: ReleaseSRWLockExclusive.KERNEL32(00512A40,?,?,0019B526,00513654,081DA4CA,?,?,003E8E9D,000000FF,?,0033947D,081DA4CA,?), ref: 003BFF5A

LoadLibraryA.KERNEL32(Dbghelp.dll,SymFromAddr), ref: 002FCE0E
GetProcAddress.KERNEL32(00000000), ref: 002FCE15

Part of subcall function 003BFEC4: AcquireSRWLockExclusive.KERNEL32(00512A40,?,?,0019B597,00513654,00451520), ref: 003BFECE
Part of subcall function 003BFEC4: ReleaseSRWLockExclusive.KERNEL32(00512A40,?,?,0019B597,00513654,00451520), ref: 003BFF01
Part of subcall function 003BFEC4: WakeAllConditionVariable.KERNEL32(00512A3C,?,?,0019B597,00513654,00451520), ref: 003BFF0C

Strings

SymFromAddr, xrefs: 002FCE04
Dbghelp.dll, xrefs: 002FCE09

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease$AddressConditionLibraryLoadProcVariableWake
String ID: Dbghelp.dll$SymFromAddr
API String ID: 1702099962-642441706
Opcode ID: 1d00dc0955a2c7aa3ae67b0bcab23f644d9fc3eba44e6d8cbf6d3de03dbf23e7
Instruction ID: 2e40cd6e50d3a68717620d75a11edf44a2962e4f585ca9792651465875d8b9f0
Opcode Fuzzy Hash: 1d00dc0955a2c7aa3ae67b0bcab23f644d9fc3eba44e6d8cbf6d3de03dbf23e7
Instruction Fuzzy Hash: E901D471A02646EFCB11CF58ED46B987BB4F748B24F214236EA11C77D1D738A9889B06

Function 003C471C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000011,00000000,00000800,?,003C46CD,00000000,00000001,00512DD0,?,?,?,003C4870,00000004,InitializeCriticalSectionEx,0047A524,InitializeCriticalSectionEx), ref: 003C4729
GetLastError.KERNEL32(?,003C46CD,00000000,00000001,00512DD0,?,?,?,003C4870,00000004,InitializeCriticalSectionEx,0047A524,InitializeCriticalSectionEx,00000000,?,003C4A1D), ref: 003C4733
LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,003C38A3), ref: 003C475B

Strings

api-ms-, xrefs: 003C4740

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 98f94326bcbec5082265a432d431bbf494626f668b94ea3ebbfcdcc253dd7126
Instruction ID: 060868ff47c0210b2d4f1382cfad2b296d00539750bb0ac2250f231939846acc
Opcode Fuzzy Hash: 98f94326bcbec5082265a432d431bbf494626f668b94ea3ebbfcdcc253dd7126
Instruction Fuzzy Hash: E8E04F30684305F7EB112BA1FC46F993E69AB81F56F208034FA0CED4E2E7A6DD509759

Function 003DA7D3 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(081DA4CA,00000000,00000000,?), ref: 003DA836

Part of subcall function 003DF27D: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,qK<,003DA622,?,00000000,-00000008), ref: 003DF329

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 003DAA91
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 003DAAD9
GetLastError.KERNEL32 ref: 003DAB7C

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 1ec23694b573b64127447ada2a320ad5983a2514c84e862a1f07d6b00faaee3f
Instruction ID: 95eada3b30967fee245ec48f548259d3dd109ffa3d22753123910caaa2d44ba2
Opcode Fuzzy Hash: 1ec23694b573b64127447ada2a320ad5983a2514c84e862a1f07d6b00faaee3f
Instruction Fuzzy Hash: D0D18A76D006489FCF02CFA8E980AEDBBB5FF09314F18852AE855EB351D730A946CB51

Function 001BE910 Relevance: 6.3, APIs: 4, Instructions: 337windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001037,00000000,00000000), ref: 001BEA8D
SendMessageW.USER32(?,00001036,00000000,00000000), ref: 001BEAA6

Part of subcall function 0019B0F0: RtlAllocateHeap.NTDLL(?,00000000,?,081DA4CA,00000000,003E8920,000000FF,?,?,0050A344,?,?,003394E7,80004005,081DA4CA,?), ref: 0019B13A

Part of subcall function 002D0690: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,?,?,00000000,?,001BEAE8,?,80004005,?), ref: 002D071A
Part of subcall function 002D0690: SendMessageW.USER32(?,00000030,00000000,00000001), ref: 002D0754

SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 001BEBE3
SendMessageW.USER32(?,00001061,00000000,00000005), ref: 001BECDF

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: MessageSend$AllocateHeapWindow
String ID:
API String ID: 3168177373-0
Opcode ID: 814859c7962192ab3b1304e49b62d0f4ff08ad26fa6f6bdd39a0f6dd4aa62d44
Instruction ID: 070121a71acac24dbc3db9b1bd4026b5578551d1b648a688cf45c21cd073a86c
Opcode Fuzzy Hash: 814859c7962192ab3b1304e49b62d0f4ff08ad26fa6f6bdd39a0f6dd4aa62d44
Instruction Fuzzy Hash: 6CD18C71E00209AFDB14DFA8D894BEEFBF5FF48314F144219E825AB290DB74A944CB90

Function 001A8090 Relevance: 6.3, APIs: 4, Instructions: 309memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 001A8178
SysFreeString.OLEAUT32(00000000), ref: 001A81CC
SysFreeString.OLEAUT32(00000000), ref: 001A81EE
SysFreeString.OLEAUT32(00000000), ref: 001A8380

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 25e42e20346f8281dd2b0339658965d2a2789d1769c921bf634f813ea0a6b4a9
Instruction ID: ac0ebe5278a995bbf96b5e972942ea9e2b0fa5948f3f5cfdcb784cb13ff36857
Opcode Fuzzy Hash: 25e42e20346f8281dd2b0339658965d2a2789d1769c921bf634f813ea0a6b4a9
Instruction Fuzzy Hash: DCB15A75A0021ADFDB15DFA8CC44BAEBBB8FF49714F104169E915E7290DB34AE05CBA0

Function 001C85B0 Relevance: 6.3, APIs: 4, Instructions: 279windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000001,0000110A,00000004,?), ref: 001C86B1
SendMessageW.USER32(00000001,0000110A,00000001,00000000), ref: 001C86E6
SendMessageW.USER32(?,0000110A,00000004,?), ref: 001C88A2
SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 001C88C8

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 48e130d25c935e5fc30c59d53d3d962aff463d93abd3bc6e163346822bedea69
Instruction ID: 0a6129a1498a51125ff035586b22a91ea2402e32bb656d68300ba0c65a048e40
Opcode Fuzzy Hash: 48e130d25c935e5fc30c59d53d3d962aff463d93abd3bc6e163346822bedea69
Instruction Fuzzy Hash: 1FB16771A00218DFCB19CF68D884FAEBBB5BF68310F55456DE815AB291DB30EC45CBA0

Function 001DA550 Relevance: 6.2, APIs: 4, Instructions: 243COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 001DA659
std::_Throw_Cpp_error.LIBCPMT ref: 001DA664

Part of subcall function 003BCEEF: ReleaseSRWLockExclusive.KERNEL32(?,?,003BCD2D,00512568,?,?,?,?,?,0019FB80,?,00000001,?,?,00000000,00000000), ref: 003BCF03

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$ExclusiveLockRelease
String ID:
API String ID: 3666349979-0
Opcode ID: 77526bd9db320a39e2268276d98a4546b01bfe476dcfc32150553dce25d6f551
Instruction ID: 540e8d61635937fecc0c63cbf1cdd1ab09241356b47861002f6177e4215c0f71
Opcode Fuzzy Hash: 77526bd9db320a39e2268276d98a4546b01bfe476dcfc32150553dce25d6f551
Instruction Fuzzy Hash: FC9190B1E00208DFDB04DF58C8457AFBBB5FF98314F14825AE925AB381D7B5AA05CB91

Function 001AE110 Relevance: 6.2, APIs: 4, Instructions: 228COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 001AE1BA
SysFreeString.OLEAUT32(00000000), ref: 001AE200

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 56a6fb086b942b9565c4b7d0bf2be9b6e9da9d2c63b572e3e35defb42bb7cbfb
Instruction ID: 14aedf6c6ebf1887167a2544c85a0e24b200460b6361a4eea315a53ab194bfe5
Opcode Fuzzy Hash: 56a6fb086b942b9565c4b7d0bf2be9b6e9da9d2c63b572e3e35defb42bb7cbfb
Instruction Fuzzy Hash: 6471AD76A00219AFDB11DF68DC44BAEBBB8FF45720F10426AE815D7391DB76AD00CB90

Function 001AA180 Relevance: 6.2, APIs: 4, Instructions: 196comCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(004830BC,00000000,00000001,00483744,?), ref: 001AA255

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: fafe337d545c96062f57d08e394b7a90326283ef8ed4a9a79e28ef3d395e03fe
Instruction ID: 04f36c256bad67c9b44c2cd6225e07a932a537434614d89f46a98c26d6df61ff
Opcode Fuzzy Hash: fafe337d545c96062f57d08e394b7a90326283ef8ed4a9a79e28ef3d395e03fe
Instruction Fuzzy Hash: FB61B178A002159BCF248F94C854BBDB7B4FF0AB10F64452AF801EB280D77ADD80D762

Function 001B1780 Relevance: 6.2, APIs: 4, Instructions: 180memoryCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 001B18C8
SysAllocString.OLEAUT32(00000000), ref: 001B18DF
VariantClear.OLEAUT32(?), ref: 001B18FB
VariantClear.OLEAUT32(?), ref: 001B1930

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ClearVariant$AllocString
String ID:
API String ID: 2502263055-0
Opcode ID: 10911ff0fbc7a8af4dd9a182c716b036e040eca0553056b35d23f54a3516516e
Instruction ID: 87ed3be8426bd33cbf3967be3020ff4763dbacdb542000a87eefe67fe9f1665f
Opcode Fuzzy Hash: 10911ff0fbc7a8af4dd9a182c716b036e040eca0553056b35d23f54a3516516e
Instruction Fuzzy Hash: A15191B1A00258ABCB20DF28DC50BD9B7B4FF48714F5186A9E919E7351DB30AD80CB94

Function 0030CF30 Relevance: 6.2, APIs: 4, Instructions: 174COMMON

Download Yara Rule

APIs

GetShortPathNameW.KERNEL32(?,00000000,00000000), ref: 0030CF92
GetShortPathNameW.KERNEL32(?,?,?), ref: 0030D011
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 0030D061
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,-00000001,00000000,00000000), ref: 0030D097

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ByteCharMultiNamePathShortWide
String ID:
API String ID: 3379522384-0
Opcode ID: a2a7e8272a81dab562d672d3ff01e7b5c555ee5b571983e33ce524b276c93d34
Instruction ID: 64de793527e341b8ceb392adca1e53df9f55cb8f50669d130b10668691152e5b
Opcode Fuzzy Hash: a2a7e8272a81dab562d672d3ff01e7b5c555ee5b571983e33ce524b276c93d34
Instruction Fuzzy Hash: AC51BA71600206AFDB05DFA8DC99B6EBBB5FF44324F104229F9259B2D0DB71A841CB90

Function 0033AA20 Relevance: 6.1, APIs: 4, Instructions: 147fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(000000A3,80000000,00000003,00000000,00000003,00000080,00000000,081DA4CA,00000000,Function_00029A00), ref: 0033AA6A
GetFileSize.KERNEL32(00000000,00000000), ref: 0033AA9B
ReadFile.KERNEL32(?,00000000,00010000,?,00000000,00010000), ref: 0033AB2B
CloseHandle.KERNEL32(00000000), ref: 0033ABF6

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: 0d9b07b775f5ae7776b723f10e395cf744c589c17b3ef3a9082b01251e65af57
Instruction ID: 4f99e17155f027abb52f3f61e678db69cbf8481689fc1ead746c0ca527d5ee0f
Opcode Fuzzy Hash: 0d9b07b775f5ae7776b723f10e395cf744c589c17b3ef3a9082b01251e65af57
Instruction Fuzzy Hash: A751E1719002589FEB218F68CC85BDEFBB9FF55314F208199E489A7282DB741A89CF51

Function 002834E0 Relevance: 6.1, APIs: 4, Instructions: 131COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0028357B
GetWindowRect.USER32(?,?), ref: 00283593
GetWindowRect.USER32(?,?), ref: 00283600
GetWindowLongW.USER32(?,000000EC), ref: 00283624

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Window$Rect$Long
String ID:
API String ID: 3486571012-0
Opcode ID: 52eeab8087d5493e6be6a54a2f00a12bc9e84b29eeb32c2f82dd4c4c8a0478d8
Instruction ID: 9ea2f9f95a520d96c5ef8acb61e66a3772bae944e2c668a6cc59fe4aa0090e78
Opcode Fuzzy Hash: 52eeab8087d5493e6be6a54a2f00a12bc9e84b29eeb32c2f82dd4c4c8a0478d8
Instruction Fuzzy Hash: D541AD366083059FC300DF14D884AABB7F8FF9DB04F448A2EF84597251EB30EA558B62

Function 001B2D50 Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000FC,00000000), ref: 001B2DA6
GetParent.USER32(?), ref: 001B2DDA

Part of subcall function 003BF5E9: GetProcessHeap.KERNEL32(00000008,00000008,00000000,00322A61,?,?,?), ref: 003BF5EE
Part of subcall function 003BF5E9: HeapAlloc.KERNEL32(00000000,?,?,?), ref: 003BF5F5

SetWindowLongW.USER32(?,000000EB), ref: 001B2E1B
ShowWindow.USER32(?,00000000), ref: 001B2E3D

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Window$HeapLong$AllocParentProcessShow
String ID:
API String ID: 78937335-0
Opcode ID: 168c57202ab05bc576a474ba9860cf7a9cfb94dcf42b6acad9f8be3ca04d1967
Instruction ID: 7857eb7db6b3c49a6d06bdfa2983ea5ed5a3adeccd1d969c6ded15e7a2f445cf
Opcode Fuzzy Hash: 168c57202ab05bc576a474ba9860cf7a9cfb94dcf42b6acad9f8be3ca04d1967
Instruction Fuzzy Hash: 6D3182756002149FCB15AF25EC84AAA7BE9FF99314B0442A9FC15DB266DB30DD04CBA2

Function 003BEEF5 Relevance: 6.1, APIs: 4, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00282727,?,003BD407,003BD450,?,003BD296,00000000,00000000,00000000,00000004,00282727,00000001,?,00281346,0000005B), ref: 003BEF08
IsProcessorFeaturePresent.KERNEL32(00000017,003C4C02,?,003C4B71,?,?,003C4D80,?,?,?,?,?,00000000,?,?), ref: 003C9E60

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: EncodeFeaturePointerPresentProcessor
String ID:
API String ID: 4030241255-0
Opcode ID: b9bbc0dbf4584bd691a722fb08333bcdf3863454d886b7a26ed30e364fc3ea77
Instruction ID: dfb0af67f4aa01139e657ce71ae67fc613bbab2d53bdb8f3611b81a4ddd71bfb
Opcode Fuzzy Hash: b9bbc0dbf4584bd691a722fb08333bcdf3863454d886b7a26ed30e364fc3ea77
Instruction Fuzzy Hash: 63115C72200344BBE7266BA5FC4AFAB3B9DDBD4715F154129F608D91E1DAB18C04D7A0

Function 00332390 Relevance: 6.1, APIs: 4, Instructions: 69synchronizationCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?,?,00000000,00000000,003315B2,?,?,?,?,?,00000003,00000000,081DA4CA,?,00000000), ref: 003323A3
GetLastError.KERNEL32(?,?,00000000,00000000,003315B2,?,?,?,?,?,00000003,00000000,081DA4CA,?,00000000), ref: 003323D0
WaitForSingleObject.KERNEL32(?,0000000A,?,?,00000000,00000000,003315B2,?,?,?,?,?,00000003,00000000,081DA4CA), ref: 0033240A
SetEvent.KERNEL32(?,?,?,00000000,00000000,003315B2,?,?,?,?,?,00000003,00000000,081DA4CA,?,00000000), ref: 00332433

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Event$ErrorLastObjectResetSingleWait
String ID:
API String ID: 708712559-0
Opcode ID: 043896f49576aa9631ed4d907c953c68e241935c8f2301063fb1103c82a468d6
Instruction ID: 866a4ccbb72b3e16ba061da3d9befa0c4a5e31ec67fbbe961ca3c6931ffeac8b
Opcode Fuzzy Hash: 043896f49576aa9631ed4d907c953c68e241935c8f2301063fb1103c82a468d6
Instruction Fuzzy Hash: FC11E9322007008FDB324F57E8C8B177BA4FBA5326F51882EE18386562C374E895D760

Function 001A1100 Relevance: 6.1, APIs: 4, Instructions: 62threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 001A1110

Part of subcall function 003BCC8E: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,001A1126,?,00000000,00000000), ref: 003BCC9A
Part of subcall function 003BCC8E: GetExitCodeThread.KERNEL32(?,00000000,?,?,?,001A1126,?,00000000,00000000), ref: 003BCCB3
Part of subcall function 003BCC8E: CloseHandle.KERNEL32(?,?,?,?,001A1126,?,00000000,00000000), ref: 003BCCC5

std::_Throw_Cpp_error.LIBCPMT ref: 001A1139
std::_Throw_Cpp_error.LIBCPMT ref: 001A1140
std::_Throw_Cpp_error.LIBCPMT ref: 001A1147

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$Thread$CloseCodeCurrentExitHandleObjectSingleWait
String ID:
API String ID: 2210105531-0
Opcode ID: caa08007db02848228bd14d75142dcdecbc870768d5c209cb985ff6c8fe14587
Instruction ID: ef5009612995654603f1fc0ee6455cc0437bb8d1d8a7324914fb8b251069db4b
Opcode Fuzzy Hash: caa08007db02848228bd14d75142dcdecbc870768d5c209cb985ff6c8fe14587
Instruction Fuzzy Hash: D4114835525704ABD7326BB09C0BB997B98AF10B25F14811EF65C5F9C2EBB1AC0087C2

Function 003BD264 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 003BD26B
std::_Lockit::_Lockit.LIBCPMT ref: 003BD276
std::_Lockit::~_Lockit.LIBCPMT ref: 003BD2E4

Part of subcall function 003BD3C7: std::locale::_Locimp::_Locimp.LIBCPMT ref: 003BD3DF

std::locale::_Setgloballocale.LIBCPMT ref: 003BD291

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: e879143abee2066248c6c94434668de91dd811a293f3cedf2bfc75d1b54650c7
Instruction ID: df6b82fb564ab56192de281ebfde6bd124e745dd0676000f5c15312dfee9ca53
Opcode Fuzzy Hash: e879143abee2066248c6c94434668de91dd811a293f3cedf2bfc75d1b54650c7
Instruction Fuzzy Hash: 2D01FC38A002108BCB0BEF20D840ABD7B71FF84304F144009E9015B392DF74AE56CB89

Function 003E6467 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,003BE005,003CB7C7,00000000,00000000,?,003E4B7D,00000000,00000001,00000000,?,?,003DABD0,?,00000000,00000000), ref: 003E647E
GetLastError.KERNEL32(?,003E4B7D,00000000,00000001,00000000,?,?,003DABD0,?,00000000,00000000,?,?,?,003DB18E,?), ref: 003E648A

Part of subcall function 003E6450: CloseHandle.KERNEL32(FFFFFFFE,003E649A,?,003E4B7D,00000000,00000001,00000000,?,?,003DABD0,?,00000000,00000000,?,?), ref: 003E6460

___initconout.LIBCMT ref: 003E649A

Part of subcall function 003E6411: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,003E6440,003E4B6A,?,?,003DABD0,?,00000000,00000000,?), ref: 003E6424

WriteConsoleW.KERNEL32(00000000,003BE005,003CB7C7,00000000,?,003E4B7D,00000000,00000001,00000000,?,?,003DABD0,?,00000000,00000000,?), ref: 003E64AF

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 980c21440f6bb66f0d42acfcd7a3fb9fa8866b22d2522228f68bd025f9e77d29
Instruction ID: 3b5006d6844fe418f1fb6d0e29e44ef5904075d0df66fa63d7e4e4db856ffdc3
Opcode Fuzzy Hash: 980c21440f6bb66f0d42acfcd7a3fb9fa8866b22d2522228f68bd025f9e77d29
Instruction Fuzzy Hash: 44F0FE36000175BBCF222FD3DC1598D3F25FB587E1B014120FA089A1B1C6318960AF90

Function 001D4790 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 414COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001D4CC4

Strings

d, xrefs: 001D49EE
Component, xrefs: 001D4806

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: Component$d
API String ID: 885266447-676972764
Opcode ID: 886bcccdd0735b88a4ee15f717a69c32f416241ec71cf1ae93daf14efdff18d6
Instruction ID: 2a4b3e41b7f3981012f619653eec3c12a850b53b58058eb901eb0c01c2e1210f
Opcode Fuzzy Hash: 886bcccdd0735b88a4ee15f717a69c32f416241ec71cf1ae93daf14efdff18d6
Instruction Fuzzy Hash: 8C024971D00218DFDB24CFA4C895BAEBBB5FF59314F24819AE509A7391D770AA84CF90

Function 001D87F0 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 414COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001D8D24

Strings

d, xrefs: 001D8A4E
Component, xrefs: 001D8866

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: Component$d
API String ID: 885266447-676972764
Opcode ID: 3dc363b078ae408daddd214344fb36c733aea513f0149ff304cff5911bb7b9bc
Instruction ID: e3213039762c322c216a9c22de29f5805d0e0034073b5588d05699d6d2f3bca7
Opcode Fuzzy Hash: 3dc363b078ae408daddd214344fb36c733aea513f0149ff304cff5911bb7b9bc
Instruction Fuzzy Hash: 22024871D00218DFDB14CFA4C894BEDBBB5FF59314F24819AE509A7291DB70AA84CF91

Function 001A6490 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 268windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,AtlAxWin140,?,?,?,80000000,00000000,00000000,?,00000000,00000000), ref: 001A6512
SendMessageW.USER32(00000008,00000000,00000000,00000000), ref: 001A6601

Part of subcall function 001A82C0: SysFreeString.OLEAUT32(00000000), ref: 001A8380

Strings

AtlAxWin140, xrefs: 001A650A

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: CreateFreeMessageSendStringWindow
String ID: AtlAxWin140
API String ID: 4045344427-3842940177
Opcode ID: ae843702b5ccf9c00d2777d62a3c116b0854e9814cd5f1f28cd2893f07d7b8ee
Instruction ID: 5ffd4a6a1da15b129c983218956295d2191a58ce246285aff010b6c3ed59e996
Opcode Fuzzy Hash: ae843702b5ccf9c00d2777d62a3c116b0854e9814cd5f1f28cd2893f07d7b8ee
Instruction Fuzzy Hash: 97A15774A102199FCB04DF68DC84B6EBBB9FF88714F1441A9E905AB3A1CB71AD01CF94

Function 003354B0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 221COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 003355E3

Strings

User refused to install a newer version., xrefs: 00335681
User accepted to install a newer version., xrefs: 00335678, 0033569F, 003356A0

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ActiveWindow
String ID: User accepted to install a newer version.$User refused to install a newer version.
API String ID: 2558294473-4113633398
Opcode ID: 5ab450d4a048618332337569851df784ed34182878919974398d8b70b415d6c2
Instruction ID: 43d60bd17775ee3ed85eadd1b7aebedb7c2e9561dde80139e772eb5d586115dc
Opcode Fuzzy Hash: 5ab450d4a048618332337569851df784ed34182878919974398d8b70b415d6c2
Instruction Fuzzy Hash: D7810331A006059FCB05DF68C8857ADBBB1EF89314F1981ADE815AB392DB35AD02CF90

Function 003345A0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 198fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,081DA4EA,00000000,00000000,-00000002,0049D434,?,?,081DA4CA,0043E0A6,000000FF), ref: 00334660

Part of subcall function 0019B480: GetProcessHeap.KERNEL32 ref: 0019B4D5

Part of subcall function 002F7B80: FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,081DA4CA,?,00000000), ref: 002F7BCB
Part of subcall function 002F7B80: GetLastError.KERNEL32(?,00000000), ref: 002F7BD5

Strings

upd, xrefs: 003345DF
Downloading of updates failed. Error:, xrefs: 003346E7

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: CopyErrorFileFormatHeapLastMessageProcess
String ID: Downloading of updates failed. Error:$upd
API String ID: 2459518595-329979656
Opcode ID: ad289a803cc0f3eefbaa7aaf88b136f75a731d047fa303cc2c08a31c6d7a7c67
Instruction ID: 5d00d6b564ea33951dac1bf591c309fdb116acfeba0cea8df091a65042f920b2
Opcode Fuzzy Hash: ad289a803cc0f3eefbaa7aaf88b136f75a731d047fa303cc2c08a31c6d7a7c67
Instruction Fuzzy Hash: A2711335A002458FDB15DF68CC95BAEB7B5FF81314F19826CE8269B2D1DB34AE05CB80

Function 0035F080 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 151COMMON

Download Yara Rule

APIs

OpenEventW.KERNEL32(00000000,00000000,081DA4CA,_pbl_evt,00000008,?,?,0049B45C,00000001,081DA4CA), ref: 0035F12E
CreateEventW.KERNEL32(00000000,00000001,00000001,?), ref: 0035F14B

Strings

_pbl_evt, xrefs: 0035F102

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Event$CreateOpen
String ID: _pbl_evt
API String ID: 2335040897-4023232351
Opcode ID: 2e29ecaa34734018cc104ab696f6b5a70616a0b2ab05a4f9f6aa62527f5028d9
Instruction ID: e505d02d1fe3a1cf57da4df150575502313fd17a0f68bc7d5e3aa6c574cbfbe9
Opcode Fuzzy Hash: 2e29ecaa34734018cc104ab696f6b5a70616a0b2ab05a4f9f6aa62527f5028d9
Instruction Fuzzy Hash: B951C071D10608EFDB14DFA8CD45BAEB7B4EF18714F208229E815A76C0EB746A08CB94

Function 002EF2A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,80000002,081DA4CA,?,80000002,00514380), ref: 002EF2DF
CreateDirectoryW.KERNEL32(80000002,00000000,?,80000002,00514380), ref: 002EF340

Strings

ADVINST_LOGS, xrefs: 002EF318

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: CreateDirectoryPathTemp
String ID: ADVINST_LOGS
API String ID: 2885754953-2492584244
Opcode ID: 839e12bed5a04adfc52b381bdaeb22eeb8564f86547400728359ed2f578c5c5a
Instruction ID: 64b345c2d004b0fcc8e411e79df83e623abda6a431c008aebf15a7942c76495d
Opcode Fuzzy Hash: 839e12bed5a04adfc52b381bdaeb22eeb8564f86547400728359ed2f578c5c5a
Instruction Fuzzy Hash: C651F47595029ACBCB709F29C8047BAB3B4FF50714F6445BEE849972D0EB344D82CB90

Function 00212A40 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

Strings

09Q, xrefs: 00212B83
49Q, xrefs: 00212B71

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID:
String ID: 09Q$49Q
API String ID: 0-231953359
Opcode ID: 13db547d81ec6d49eba8528abc39f2059d93c301fa1bb7c76e357c994cf78248
Instruction ID: 36ef6b4007efde3e6af0812c55d0e114dc4325a8ee43a955d07e16bdef82af1b
Opcode Fuzzy Hash: 13db547d81ec6d49eba8528abc39f2059d93c301fa1bb7c76e357c994cf78248
Instruction Fuzzy Hash: 7C518CB5D05259EBDB01CFA4C845BEEBBB8FB14718F10452AE811B7380D7B55A48CBA1

Function 002EEA70 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0019B480: GetProcessHeap.KERNEL32 ref: 0019B4D5

WriteFile.KERNEL32(?,00000005,?,?,00000000,00483DEC,00000002,?,00000000,CPU: ,00000005), ref: 002EEB61
FlushFileBuffers.KERNEL32(?), ref: 002EEB6A

Part of subcall function 0019A920: FindResourceW.KERNEL32(00000000,?,00000006,00000000,?,?,0033A058,\\.\pipe\ToServer,?,00000000,?,?,003EDFC6,000000FF,?,00339551), ref: 0019A943

Strings

CPU: , xrefs: 002EEAC8, 002EEADA, 002EEAE4

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: File$BuffersFindFlushHeapProcessResourceWrite
String ID: CPU:
API String ID: 2793600070-1724696780
Opcode ID: 7d4293ebbd0136fc842698675fbba417771827ed0ead0418bc66cd5bb72aaa19
Instruction ID: 111946af0b14f337ffef0d1c6e716cf8860a23c486a5f8c0683bf4d64a1b225c
Opcode Fuzzy Hash: 7d4293ebbd0136fc842698675fbba417771827ed0ead0418bc66cd5bb72aaa19
Instruction Fuzzy Hash: A141BF31A016099FCB00DFA8DC59BAEBBB4FF44324F254269F821A7391DB74AD11CB90

Function 002FC760 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 110windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(000013FF,00000000,?,00000000,00000000,00000000,00000000,081DA4CA,0049A950), ref: 002FC7CC
LocalFree.KERNEL32(00000000,00000000,-00000002), ref: 002FC8C3

Part of subcall function 002E79F0: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 002E7A9A

Strings

Failed to get Windows error message [win32 error 0x, xrefs: 002FC7EA

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: FormatFreeIos_base_dtorLocalMessagestd::ios_base::_
String ID: Failed to get Windows error message [win32 error 0x
API String ID: 201254970-3373098694
Opcode ID: 8d2db37f78a72cb138d06e8c3ca6f146c4ebc872aa19e53ffacb60e29add2985
Instruction ID: 33c705519c058dc274443595db2ac5b0bf30a666e54660346a895e21264553eb
Opcode Fuzzy Hash: 8d2db37f78a72cb138d06e8c3ca6f146c4ebc872aa19e53ffacb60e29add2985
Instruction Fuzzy Hash: 5E41A370E103099BDB10DF58C94ABAEBBF8EF44714F244269E505AB2D1D7B49A48CBD1

Function 001DC640 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001DC66B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 001DC6CE

Strings

bad locale name, xrefs: 001DC6F1

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: a4ac79c1843224b525e305bc2c42d5a3bcfb64e0bd72ffddd3ac4cdf25100928
Instruction ID: 0b9f55e121d5abe58628ddfddffcad8c6e219f1412325118ab3a434283237676
Opcode Fuzzy Hash: a4ac79c1843224b525e305bc2c42d5a3bcfb64e0bd72ffddd3ac4cdf25100928
Instruction Fuzzy Hash: 8521D270809784DED721CF68C90478FBFF4AF15714F108A9EE49597B81D3B9A608CBA1

Function 003BFABA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 003C00A1
___raise_securityfailure.LIBCMT ref: 003C0189

Strings

H*Q, xrefs: 003C0184

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: H*Q
API String ID: 3761405300-4073695264
Opcode ID: f56cfc22bab3cd5c83b416575622cbbfb389bd05f684eb6ed2ff51d8a234bb3c
Instruction ID: 2b61447b8ac7133adb75412abf33fc41e60e0a9bc73bc4c908fbee08cca98247
Opcode Fuzzy Hash: f56cfc22bab3cd5c83b416575622cbbfb389bd05f684eb6ed2ff51d8a234bb3c
Instruction Fuzzy Hash: B821B0B8508340DAD725CF15F895B847BB4FB68314F10942EE909CB6B1E7B498A9EF05

Function 003C019C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 003C01A7
___raise_securityfailure.LIBCMT ref: 003C0264

Strings

H*Q, xrefs: 003C025F

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: H*Q
API String ID: 3761405300-4073695264
Opcode ID: d5c45cfc7ce7ce0282508f1f07fe176ab8124fa69f4c27a0fdd20835931d0e0e
Instruction ID: 5ac6cea4bb16a9bfc5ec6e2b2b4cc433eb85d43a6f001c10d9ab0d9a13f9fbdc
Opcode Fuzzy Hash: d5c45cfc7ce7ce0282508f1f07fe176ab8124fa69f4c27a0fdd20835931d0e0e
Instruction Fuzzy Hash: 7E1190B8518384DBC715CF16E981AC47BB4FB28300F00D01EE8098B7B0E7B499AAEF45

Function 001A6098 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 001A60C8

Strings

Unknown exception, xrefs: 001A60A0
C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp, xrefs: 001A60B3

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: ActiveWindow
String ID: C:\ReleaseAI\platform\ui\controls\mshtml\GenericAxControl.cpp$Unknown exception
API String ID: 2558294473-2631306498
Opcode ID: b47ff1339adaa3e293d988a3d07b360c0ceb9015abd4ac718cf8ee746e41ca40
Instruction ID: a7e429a605b4d6a656f52a72c4df551a4b3d97eac71c4496c09abb12a681d948
Opcode Fuzzy Hash: b47ff1339adaa3e293d988a3d07b360c0ceb9015abd4ac718cf8ee746e41ca40
Instruction Fuzzy Hash: 96F0E130D1528CEEDF06EBF4C9157DDBFB06B62704F648499A1417B286DBB81B08E792

Function 001FA250 Relevance: 5.3, APIs: 4, Instructions: 276memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,00000000,?), ref: 001FA4CD
HeapFree.KERNEL32(00000000,?,?,?,00000000,?), ref: 001FA4D3
GetProcessHeap.KERNEL32(?,?,?), ref: 001FA52D
HeapFree.KERNEL32(00000000,?,?,?), ref: 001FA533

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 95d7ef86c9f4a959cb421ce00982bd2baa2a58471f2b2df887499ddab6dd8f4b
Instruction ID: fac5e9ba5ff33363b2d3aa576d73e6a0917a9bc92518fac59199bb91cae302bb
Opcode Fuzzy Hash: 95d7ef86c9f4a959cb421ce00982bd2baa2a58471f2b2df887499ddab6dd8f4b
Instruction Fuzzy Hash: E3B1CEB1D0020CDFCB19DFA8C848BEDFBB4BF54314F54426AE519AB291DB78A905CB91

Function 003BF26A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 001ACF10: InitializeCriticalSectionAndSpinCount.KERNEL32(005129C8,00000000,081DA4CA,00190000,Function_00258920,000000FF,?,003BF299,?,?,?,00197C9A), ref: 001ACF35
Part of subcall function 001ACF10: GetLastError.KERNEL32(?,003BF299,?,?,?,00197C9A), ref: 001ACF3F

IsDebuggerPresent.KERNEL32(?,?,?,00197C9A), ref: 003BF29D
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00197C9A), ref: 003BF2AC

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 003BF2A7

Memory Dump Source

Source File: 00000000.00000002.2285841123.0000000000191000.00000020.00000001.01000000.00000003.sdmp, Offset: 00190000, based on PE: true

Associated: 00000000.00000002.2285812902.0000000000190000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286058169.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286142021.000000000050F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286170701.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286241366.0000000000512000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2286385445.000000000051D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190000_fxsound_setup.jbxd

Similarity

API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 450123788-631824599
Opcode ID: cf2ebc032d71bc96b103fbf8a2003e894a07931c50a9b8a6d1fd688677cb78c4
Instruction ID: d84871984d2771e0c026e3b62ce7f6b690842841afe50a8d083c40151b760adc
Opcode Fuzzy Hash: cf2ebc032d71bc96b103fbf8a2003e894a07931c50a9b8a6d1fd688677cb78c4
Instruction Fuzzy Hash: 55E092782047108FD3219F34E8043867BE0AF55348F05CD6DED85CAB52DBB5E484CBA2

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report fxsound_setup.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\3a9dfd.rbs

C:\Program Files\FxSound LLC\FxSound\Apps\DfxInstall.dll

C:\Program Files\FxSound LLC\FxSound\Apps\DfxSetupDrv.exe

C:\Program Files\FxSound LLC\FxSound\Drivers\ptdevcon32.exe

C:\Program Files\FxSound LLC\FxSound\Drivers\ptdevcon64.exe

C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxdevcon64.exe

C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxvad.inf

C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxvad.sys

C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x64\fxvadntamd64.cat

C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x86\fxdevcon32.exe

C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x86\fxvad.inf

C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x86\fxvad.sys

C:\Program Files\FxSound LLC\FxSound\Drivers\win10\x86\fxvadntx86.cat

C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x64\fxdevcon64.exe

C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x64\fxvad.inf

C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x64\fxvad.sys

C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x64\fxvadntamd64.cat

C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x86\fxdevcon32.exe

C:\Program Files\FxSound LLC\FxSound\Drivers\win7\x86\fxvad.inf

Windows Analysis Report
fxsound_setup.exe

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre