Windows Analysis Report
chica-pc-shield-1-75-0-1300-en-win.exe

Overview

General Information

Sample name:	chica-pc-shield-1-75-0-1300-en-win.exe
Analysis ID:	1545541
MD5:	1870fbe03e739325c142eacbe1667ff3
SHA1:	7b86308efbcde9175b405445179bbceb196d0f73
SHA256:	fba0337b65c15b029ee4f87b3db5fcfc6ce61a29289d9e6c58d0bcebee995ce0
Tags:	exeuser-MaxMax66
Infos:

Detection

GhostRat, KillMBR, Xtreme RAT

Score:	54
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Yara detected GhostRat

Yara detected KillMBR

Yara detected Xtreme RAT

Contains functionality to automate explorer (e.g. start an application)

Contains functionality to hide user accounts

Creates a FSFilter Anti-Virus service

Creates an undocumented autostart registry key

Found PHP interpreter

May modify the system service descriptor table (often done to hook functions)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for available system drives (often done to infect USB drives)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Creates files inside the driver directory

Creates files inside the system directory

Creates or modifies windows services

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Classes Autorun Keys Modification

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Uses the system / local time for branch decision (may execute only at specific dates)

Yara detected Credential Stealer

Yara signature match

Classification

Signatures

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005E02A0 CryptAcquireContextW,	12_2_005E02A0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005E0410 CryptCreateHash,CryptHashData,CryptDestroyHash,CryptDeriveKey,CryptDecrypt,CryptDestroyKey,CryptDestroyHash,	12_2_005E0410
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB6FFD0 CryptAcquireContextW,	12_2_6BB6FFD0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB54B60 _memset,SHGetValueW,lstrlenA,CryptUnprotectData,std::exception::exception,GetLastError,__CxxThrowException@8,LocalFree,	12_2_6BB54B60
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB70240 CryptCreateHash,CryptHashData,CryptDestroyHash,CryptGetHashParam,CryptDestroyHash,CryptDestroyHash,	12_2_6BB70240
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB70140 CryptCreateHash,CryptHashData,CryptDestroyHash,CryptDeriveKey,CryptEncrypt,CryptDecrypt,CryptDestroyKey,CryptDestroyHash,	12_2_6BB70140
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F85E570 CryptCreateHash,CryptHashData,CryptDestroyHash,CryptDeriveKey,CryptEncrypt,CryptDecrypt,CryptDestroyKey,CryptDestroyHash,	12_2_6F85E570
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F85E400 CryptAcquireContextW,	12_2_6F85E400
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F852FB9 _wcstoul,CryptGenRandom,CryptGenRandom,	12_2_6F852FB9
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F852ED0 CryptGenRandom,_wcstoul,CryptGenRandom,CryptGenRandom,	12_2_6F852ED0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F85E670 CryptCreateHash,CryptHashData,CryptDestroyHash,CryptGetHashParam,CryptDestroyHash,CryptDestroyHash,	12_2_6F85E670
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F869C00 CryptGenRandom,	12_2_6F869C00
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F853130 CryptGenRandom,	12_2_6F853130
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_008E71F0 CryptAcquireContextW,	14_2_008E71F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_008E71C0 CryptGenRandom,	14_2_008E71C0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB6FFD0 CryptAcquireContextW,	14_2_6BB6FFD0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB54B60 _memset,SHGetValueW,lstrlenA,CryptUnprotectData,std::exception::exception,GetLastError,__CxxThrowException@8,LocalFree,	14_2_6BB54B60
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB70240 CryptCreateHash,CryptHashData,CryptDestroyHash,CryptGetHashParam,CryptDestroyHash,CryptDestroyHash,	14_2_6BB70240
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB70140 CryptCreateHash,CryptHashData,CryptDestroyHash,CryptDeriveKey,CryptEncrypt,CryptDecrypt,CryptDestroyKey,CryptDestroyHash,	14_2_6BB70140
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F85E570 CryptCreateHash,CryptHashData,CryptDestroyHash,CryptDeriveKey,CryptEncrypt,CryptDecrypt,CryptDestroyKey,CryptDestroyHash,	14_2_6F85E570
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F85E400 CryptAcquireContextW,	14_2_6F85E400
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F852FB9 _wcstoul,CryptGenRandom,CryptGenRandom,	14_2_6F852FB9
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F852ED0 CryptGenRandom,_wcstoul,CryptGenRandom,CryptGenRandom,	14_2_6F852ED0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F85E670 CryptCreateHash,CryptHashData,CryptDestroyHash,CryptGetHashParam,CryptDestroyHash,CryptDestroyHash,	14_2_6F85E670
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F869C00 CryptGenRandom,	14_2_6F869C00
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F853130 CryptGenRandom,	14_2_6F853130

Uses 32bit PE files

Source: chica-pc-shield-1-75-0-1300-en-win.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 65.9.66.84:443 -> 192.168.2.5:49921 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.66.84:443 -> 192.168.2.5:49933 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.66.84:443 -> 192.168.2.5:49945 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.66.84:443 -> 192.168.2.5:49957 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.66.107:443 -> 192.168.2.5:49995 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.66.107:443 -> 192.168.2.5:49997 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.66.107:443 -> 192.168.2.5:49999 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.66.107:443 -> 192.168.2.5:50001 version: TLS 1.0

Source: chica-pc-shield-1-75-0-1300-en-win.exe

Static PE information: certificate valid

Source:	Binary string: \ResBegleiter\obj\x86\Release\Devi.pdbb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :\XRoot_Build\XC\Vm\Release\x86\StubExe.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Server.pdb source: cpcs.exe, 00000009.00000003.2535416200.000000000A6BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \obj\Release\Welp.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \obj\Release\Welp.pdbY{ source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: miniloader-patchdate-stub.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: DarkShell\Server\svchost\Debug\Serverz.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: w:\Project\!lego2new\lego_2011.xx.xx_2.xx\release\NSP.pdb source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: se\NSP.pdb source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\USERS\DEFAULT\APPDATA\LOCAL\TEMP\FACEBOOK\FACEBOOK STEALER.PDB source: cpcs.exe, 00000009.00000003.2545034326.000000000E01A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \sw_modem\HSF_HWICH\i386\HSFHWICH.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cryptnet.pdb source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\key\sar\Debug\sar.pdbre source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\SVN\mbam\dll\mbam.dll\build\mbam.pdb source: cpcsgui.exe, 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: Intel Corporationse\NSP.pdb source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vpamjon.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NB10??????N????:\??????????\??W????????\????????????????????????????????????????G????\????????????\??????\????????????.pdbj source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: hnetmon.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A217000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sass.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\Cryptor\stub6\Release\stub6.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: !lego2new\lego_2011.xx.xx_2.xx\release\NSP.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :\UMPk.pdb source: cpcs.exe, 00000009.00000003.2535304844.0000000009F2B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\SVN\mbam\exe\mbampt.exe\build\mbampt.pdb%0A source: chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2789847670.0000000004F26000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\APPDATA\LOCAL\TEMP\FACEBOOK\FACEBOOK STEALER.PDB source: cpcs.exe, 00000009.00000003.2545306895.000000000E06C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Release\AvG.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Release\AvG.pdb>M source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\TranceCo.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\WFD\Tools\Server\_Downloader\Share\SFX Package\Pack\obj\x86\Debug\Pack.pdbE source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\USERS\user\APPDATA\LOCAL\TEMP\FACEBOOK\FACEBOOK STEALER.PDB source: cpcs.exe, 00000009.00000003.2545034326.000000000E01A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: fukmp.pdb source: cpcs.exe, 00000009.00000003.2535475306.000000000B056000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NB10??????N????:\??????????\??W????????\????????????????????????????????????????G????\????????????\??????\????????????.pdb source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ????????????????.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: aspergillus.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bk22\kloader\Release\i386\kloader.pdb source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Dell\Desktop\SOMA.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: fukmp.pdb% source: cpcs.exe, 00000009.00000003.2535475306.000000000B056000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: p:\vc5\x64\release\resident.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: F:\NTDDK\DEMO\_DarkTest\i386\DarkTest.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\SVN\mbam\dll\mbam.dll\build\mbam.pdb` source: cpcsgui.exe, 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: C:\dev\stuk_rar\release\setup.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\SVN\mbam\exe\mbamscheduler.exe\build\mbamscheduler.pdb source: chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2789847670.0000000004EC9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\WINDOWS\TEMP\FACEBOOK\FACEBOOK STEALER.PDB source: cpcs.exe, 00000009.00000003.2545034326.000000000DF4E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\PROGRAM FILES (X86)\FACEHACK\FACEHACK.PDB%vz$ source: cpcs.exe, 00000009.00000003.2546311082.000000000D10C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sfxrar32\Release\sfxrar.pdb source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Socksbuilder\stub\release\stub.pdbeb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ent.pdb0?0A source: cpcs.exe, 00000009.00000003.2533784758.000000000A13A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sxtyy.pdb source: cpcs.exe, 00000009.00000003.2535475306.000000000B056000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ?????.pdbr source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: EXTRA=Adware.Agent, %PROGRAMFILES%\Isilo\iSiloDisplaySample.pdb, DP source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: db.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2534960911.000000000A69B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Nuova cartella\myform\myform\obj\Release\myform.pdb source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: $:\tmp\test.pdb source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529941329.000000000A2A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :\??????????????????????????????????????.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z(1)\stub\Release\stub.pdbtor source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ??:\??????????\??W????????\????????????????????????????????????????G????\????????????\??????\????????????.pdb source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: x:\werdon.pdb source: cpcs.exe, 00000009.00000003.2535304844.0000000009F2B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\d\objfre_wxp_x86\i386\HG.pdb source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z(1)\stub\Release\stub.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: p:\vc5\x64\release\resident.pdbO6 source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ent.pdb source: cpcs.exe, 00000009.00000003.2533784758.000000000A13A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\work_temp\utf8\test2\Release\test2.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\job\gh0st1.0\Release\Loader.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: URGABPW.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: TDIMUED.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: hnetmon.pdbU source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vpamjon.pdbd9 source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \accs\accs\accs\obj\Release\accs.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: REAPER\Stub\stub rc\obj\Release\stub rc.pdb source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: w:\Project\!lego2new\lego_2011.xx.xx_2.xx\release\NSP.pdb/ source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\key\sar\Debug\sar.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ryptnet.pdb source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529941329.000000000A2A1000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533526590.000000000A5A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Projects\reg\reg\obj\Debug\reg.pdbn source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sxtyy.pdb source: cpcs.exe, 00000009.00000003.2535475306.000000000B056000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WWMWCMGV.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cryptnet.pdbB source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Projects\reg\reg\obj\Debug\reg.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HookDllDriver\objfre\i386\hookdll.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NGPCorp\DLL\Release\DLL.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sfxrar32\Release\sfxrar.pdbPY source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Prevazatorul.pdb[ source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\TP\AppData\Local\Temp\zy3gqjbl.pdb source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \AccountCreator.pdbk source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: F:\NTDDK\DEMO\_DarkTest\i386\DarkTest.pdbem source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Bacipy.pdb source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533630438.000000000A445000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: IEXPLORE\Debug\wibvusd.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A493000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2528855901.000000000A14E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8$W:\w\Loader.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vCrypt Stub.pdb source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Prevazatorul.pdb source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: &:\UMPk.pdb source: cpcs.exe, 00000009.00000003.2535304844.0000000009F2B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ?????.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \ResBegleiter\obj\x86\Release\Devi.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :\tmp\test.pdb source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529941329.000000000A2A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ld.pdb source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529941329.000000000A2A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\work\utf8\test2\Release\test2.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \AccountCreator.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A217000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: XC\Vm\Release\x86\StubExe.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A217000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Z:\xampp\htdocs\project-727,Permutation\stable\tmp\PDBSIG.pdb source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :\Fecira.pdb source: cpcs.exe, 00000009.00000003.2535304844.0000000009F2B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb)] source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Project1\Project1\obj\Release\Project1.pdb<. source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: W:\w\Loader.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bk22\kloader\Release\i386\kloader.pdbt,n source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\work\test\test2\Release\test2.pdb< source: cpcs.exe, 00000009.00000003.2529454596.000000000A126000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Projects\War Crypter\Release\Stub.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\SVN Control Code\app_client\Loader\Release\Loader.pdb?_ source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Project1\Project1\obj\Release\Project1.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WWMWCMGV.pdb=; source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ??@RSDS??????????????????????????????????o.pdb source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \w.a.t.c.h\w.a.t.c.h\obj\Release\w.a.t.c.h.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\job\gh0st1.0\Release\Loader.pdb\ source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\APPDATA\LOCAL\TEMP\FACEBOOK\FACEBOOK STEALER.PDB source: cpcs.exe, 00000009.00000003.2545306895.000000000E06C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\XRoot_Build\XC\Vm\Release\x86\StubExe.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\work\test\test2\Release\test2.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529454596.000000000A126000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \x86\Debug\Balle2.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\WFD\Tools\Server\_Downloader\Share\SFX Package\Pack\obj\x86\Debug\Pack.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Emuhucuqih.pdb source: cpcs.exe, 00000009.00000003.2535475306.000000000B056000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: IEXPLORE\Debug\wibvusd.pdbR source: cpcs.exe, 00000009.00000003.2528855901.000000000A14E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: XC\Vm\Release\x86\StubExe.pdbX source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\work\test\test2\Release\test2.pdbd source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Tr0gdor\Rxbot 7.6\Debug\rBot.pdbz source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: o.pdb source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: note.pdb source: cpcs.exe, 00000009.00000003.2535475306.000000000B056000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\dtcser\sys\i386\killvv.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A493000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2528855901.000000000A14E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: EXTRA=Password.Stealer, %TEMP%\Facebook\Facebook Stealer.pdb, DP source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\key\lasass\Debug\lasass.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vCrypt Stub.pdb7 source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\SVN Control Code\app_client\Loader\Release\Loader.pdb source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: x:\werdon.pdb source: cpcs.exe, 00000009.00000003.2535304844.0000000009F2B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \MyProjects\eMule\Debug\eMule.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\SVN\mbam\exe\mbampt.exe\build\mbampt.pdb source: chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2789847670.0000000004F26000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Socksbuilder\stub\release\stub.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Tr0gdor\Rxbot 7.6\Debug\rBot.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cm_acl.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\dtcser\sys\i386\killvv.pdb+ source: cpcs.exe, 00000009.00000003.2533161271.000000000A493000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Double Onesass.pdbx7 source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp

Checks for available system drives (often done to infect USB drives)

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: z:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: x:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: v:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: t:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: r:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: p:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: n:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: l:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: j:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: h:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: f:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: b:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: y:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: w:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: u:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: s:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: q:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: o:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: m:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: k:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: i:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: g:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: e:
Source: C:\Windows\System32\svchost.exe	File opened: c:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: a:

May infect USB drives

Source: cpcs.exe, 00000009.00000003.2545034326.000000000DF4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\OUTLOOK EXPRESS\AUTORUN.INF
Source: cpcs.exe, 00000009.00000003.2545034326.000000000DFD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES (X86)\OUTLOOK EXPRESS\AUTORUN.INFq
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Worm.AutoRun, %USERROOT%\Documentsautorun.inf
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Malware.Trace, %PROGRAMFILES%\Outlook Express\autorun.inf
Source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Autorun.inf
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [AUTORUN]
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\DOCUMENTSAUTORUN.INF@
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\DOCUMENTSAUTORUN.INF
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\DOCUMENTSAUTORUN.INFc
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \autorun.inf
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Autorun.infc

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00452A60 FindFirstFileA,GetLastError,	1_2_00452A60
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00474E64 FindFirstFileA,FindNextFileA,FindClose,	1_2_00474E64
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00464030 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00464030
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00462628 FindFirstFileA,FindNextFileA,FindClose,	1_2_00462628
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00463BB4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00463BB4
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00497C84 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_00497C84
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005BBAD0 FindFirstFileW,FindNextFileW,FindClose,	12_2_005BBAD0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB592B0 FindFirstFileW,FindNextFileW,FindClose,	12_2_6BB592B0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F8625E0 FindFirstFileW,FindNextFileW,FindClose,	12_2_6F8625E0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB592B0 FindFirstFileW,FindNextFileW,FindClose,	14_2_6BB592B0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F8625E0 FindFirstFileW,FindNextFileW,FindClose,	14_2_6F8625E0

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 65.9.66.107 65.9.66.107

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 65.9.66.84:443 -> 192.168.2.5:49921 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.66.84:443 -> 192.168.2.5:49933 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.66.84:443 -> 192.168.2.5:49945 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.66.84:443 -> 192.168.2.5:49957 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.66.107:443 -> 192.168.2.5:49995 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.66.107:443 -> 192.168.2.5:49997 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.66.107:443 -> 192.168.2.5:49999 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.66.107:443 -> 192.168.2.5:50001 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /v1/config/chicalogic/version.chk HTTP/1.1Accept-Encoding: gzipConnection: CloseHost: data-cdn.mbamupdates.comUser-Agent: mbam - chicalogic_trial (scanner) - base:1.75.0.1300 - rules:v2013.04.04.07
Source: global traffic	HTTP traffic detected: GET /v1/news/chicalogic/version.chk HTTP/1.1Accept-Encoding: gzipConnection: CloseHost: data-cdn.mbamupdates.comUser-Agent: mbam - chicalogic_trial (scanner) - base:1.75.0.1300 - rules:v2013.04.04.07
Source: global traffic	HTTP traffic detected: GET /v1/custom/chicalogic/version.chk HTTP/1.1Accept-Encoding: gzipConnection: CloseHost: data-cdn.mbamupdates.comUser-Agent: mbam - chicalogic_trial (scanner) - base:1.75.0.1300 - rules:v2013.04.04.07
Source: global traffic	HTTP traffic detected: GET /v0/clients/chicalogic/mbam.check.program HTTP/1.1Accept-Encoding: gzipConnection: CloseHost: data-cdn.mbamupdates.comUser-Agent: mbam - chicalogic_trial (scanner) - base:1.75.0.1300 - rules:v2013.04.04.07
Source: global traffic	HTTP traffic detected: GET /v1/config/chicalogic/version.chk HTTP/1.1Accept-Encoding: gzipConnection: CloseHost: data-cdn.mbamupdates.comUser-Agent: mbam - chicalogic_trial (scanner) - base:1.75.0.1300 - rules:v2013.04.04.07
Source: global traffic	HTTP traffic detected: GET /v1/news/chicalogic/version.chk HTTP/1.1Accept-Encoding: gzipConnection: CloseHost: data-cdn.mbamupdates.comUser-Agent: mbam - chicalogic_trial (scanner) - base:1.75.0.1300 - rules:v2013.04.04.07
Source: global traffic	HTTP traffic detected: GET /v1/custom/chicalogic/version.chk HTTP/1.1Accept-Encoding: gzipConnection: CloseHost: data-cdn.mbamupdates.comUser-Agent: mbam - chicalogic_trial (scanner) - base:1.75.0.1300 - rules:v2013.04.04.07
Source: global traffic	HTTP traffic detected: GET /v0/clients/chicalogic/mbam.check.program HTTP/1.1Accept-Encoding: gzipConnection: CloseHost: data-cdn.mbamupdates.comUser-Agent: mbam - chicalogic_trial (scanner) - base:1.75.0.1300 - rules:v2013.04.04.07

Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: *\IM#####.JPG-WWW.MYSPACE.COM.EXE equals www.myspace.com (Myspace)
Source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: *\IMAGE-WWW.FACEBOOK.COM-####-.JPG.EXEDC4E equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: *\PIC####-JPG-WWW.FACEBOOK.COM.EXEt equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000012.00000003.2840443937.000000000E02A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\USERS\user\APPDATA\LOCAL\TEMP\I_AM_EMO.GIF---WWW.FACEBOOK.COM equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000012.00000003.2840443937.000000000E02A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\USERS\DEFAULT\APPDATA\LOCAL\TEMP\I_AM_EMO.GIF---WWW.FACEBOOK.COM equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2544897121.000000000DD58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\APPDATA\LOCAL\TEMP\I_AM_EMO.GIF---WWW.FACEBOOK.COM equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2544897121.000000000DD58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\APPDATA\LOCAL\TEMP\I_AM_EMO.GIF---WWW.FACEBOOK.COM equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\WINDOWS\SYSTEM32\TASKMDE.YOUTUBE.SUPERPOP.HTTP.WWW.YOUTUBE.COM equals www.youtube.com (Youtube)
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\WINDOWS\SYSWOW64\TASKMDE.YOUTUBE.SUPERPOP.HTTP.WWW.YOUTUBE.COM equals www.youtube.com (Youtube)
Source: cpcs.exe, 00000009.00000003.2544105021.000000000DEC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\WINDOWS\TEMP\I_AM_EMO.GIF---WWW.FACEBOOK.COM equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: EXTRA=Trojan.Agent, %SYSDIR%\taskmde.youtube.superpop.http.www.youtube.com equals www.youtube.com (Youtube)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: EXTRA=Trojan.Agent, HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\|*www.facebook.scr equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: EXTRA=Trojan.Backdoor, HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\|Firewall Administrating=www.myspace.com equals www.myspace.com (Myspace)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: EXTRA=Trojan.Backdoor, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\|Firewall Administrating=www.myspace.com equals www.myspace.com (Myspace)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: EXTRA=Trojan.Backdoor, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\|Firewall Administrating=www.myspace.com equals www.myspace.com (Myspace)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: EXTRA=Trojan.Downloader, %TEMP%\I_AM_EMO.gif---www.facebook.com equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Backdoor.Bot.Gen && PATTERN=*\.JPG-www.facebook.com.exe && VERSION=FALSE && STRINGS=0, 4D5A equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=IM.Worm && PATTERN=*\IMAGE-www.facebook.com-####-.JPG.exe && STRINGS=992, 55505821 equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=PasswordStealer.Kurit && VERSION=1, %NULL% && VERSION=2, www.hotmail.com && VERSION=3, 1?0?0?0 && VERSION=5, Microsoft Corporation equals www.hotmail.com (Hotmail)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Trojan.Agent && PATTERN=*\PIC####-JPG-www.facebook.com.exe && VERSION=FALSE && STRINGS=0, 4D5A equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Trojan.Agent && VERSION=1, Www.Yahoo-i.Com && VERSION=2, %NULL% && VERSION=3, 1.00 && VERSION=5, %NULL% && VERSION=7, Yahoo.exe equals www.yahoo.com (Yahoo)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Trojan.Agent.Gen && PATTERN=**\IM#####?JPG-www.myspace.com.exe && STRINGS=0, 4D5A equals www.myspace.com (Myspace)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Trojan.Agent.Gen && PATTERN=*\IM.JPG?www.myspace.com.exe && VERSION=FALSE && STRINGS=78, 546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F6465 equals www.myspace.com (Myspace)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Trojan.Agent.Gen && PATTERN=**\PIC##########-JPG-www.facebook.com && VERSION=FALSE && STRINGS=0, 4D5A equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Trojan.AgentBypass && PATTERN=*.JPG-www.myspace.com.exe && VERSION=FALSE && STRINGS=0, 4D5A90 equals www.myspace.com (Myspace)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Trojan.Downloader && PATTERN=*\www.facebook.com.exe && STRINGS=0, 4D5A equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Trojan.Email.Gen && PATTERN=*\IM######?JPG#?www.myspace.com.exe && STRINGS=0, 4D5A equals www.myspace.com (Myspace)
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Trojan.MSIL && VERSION=1, www.facebook.com && VERSION=7, facebook tools.exe equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Trojan.MSIL && VERSION=1, www.facebook.com && VERSION=7, facebook_hack.exe equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Worm.Palevo && PATTERN=*\.JPG-www.facebook.exe && VERSION=FALSE equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Worm.Palevo && PATTERN=*\IM#####.JPG-www.myspace.com.exe && VERSION=FALSE && STRINGS=1082, 000083F801746C85C0742AC7042408000000FFD0BBFFFFFFFF89D88B75FC8B5DF889EC5DC204003D930000C074BD3D940000C074BB89D88B75FC8B5DF889EC5DC204008D76003D050000C075E8C704240B00000031F689742404E8 equals www.myspace.com (Myspace)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Worm.Palevo.Gen && PATTERN=*www.facebook.com.scr && VERSION=FALSE && STRINGS=1568, 5589E583EC08C7042401000000FF1508414200 && STRINGS=496, 2E62737300000000??????????????000000000000000000000000000000000000000000??0000?? equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Worm.Palevo.Gen && SIZE=24000, 100000 && PATTERN=**\n########_##.JPG-www.facebook.exe && STRINGS=0, 4D5A equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comn equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.hotmail.com6 equals www.hotmail.com (Hotmail)

Source: global traffic	DNS traffic detected: DNS query: stats.mbamupdates.com
Source: global traffic	DNS traffic detected: DNS query: data-cdn.mbamupdates.com
Source: global traffic	DNS traffic detected: DNS query: edge.data-cdn.mbamupdates.com
Source: global traffic	DNS traffic detected: DNS query: hw.data-cdn.mbamupdates.com
Source: global traffic	DNS traffic detected: DNS query: llnw.data-cdn.mbamupdates.com

Source: cpcs.exe, 00000009.00000003.2546029145.000000000D31E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: HTTP://WWW.WW-XXOOXX-CH.NET
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Http://WwW.YlmF.CoM
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://1002.03r.info:338/13.jpg
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://182.237.1.106:333/32.exe
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.78.240.87/ebb.php
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Photos.MSN.com
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anthneic.blogspot.com/
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://as.starware.com
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://b.ez173.com/
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://best-pc.co.kr
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://bsalsa.com/
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c.ez173.com/
Source: cpcs.exe, 00000009.00000003.2510009992.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2510085331.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509982383.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509409389.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509325799.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509920343.000000000354D000.00000004.00000020.00020000.00000000.sdmp, cpcsgui.exe	String found in binary or memory: http://cdn.stat
Source: cpcs.exe, 00000009.00000003.2509521137.0000000003556000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn.static.mal
Source: cpcsgui.exe	String found in binary or memory: http://cdn.static.malwa
Source: cpcs.exe, 00000009.00000003.2509409389.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509325799.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcsgui.exe	String found in binary or memory: http://cdn.static.malwareb
Source: cpcs.exe, 00000009.00000003.2509521137.0000000003553000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn.static.malwareb-
Source: cpcsgui.exe	String found in binary or memory: http://cdn.static.malwareby
Source: cpcsgui.exe	String found in binary or memory: http://cdn.static.malwarebytes
Source: cpcsgui.exe	String found in binary or memory: http://cdn.static.malwarebytes.org/clie
Source: cpcsgui.exe	String found in binary or memory: http://cdn.static.malwarebytes.org/client_r
Source: cpcs.exe, 00000009.00000003.2509409389.0000000003565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn.static.malwarebytes.org/client_resources/1.7/images/Chameleon_64x64.png
Source: cpcsgui.exe	String found in binary or memory: http://cdn.static.malwarebytes.org/client_resources/1.7/images/FileAssassin_64x64.png
Source: cpcs.exe, 00000009.00000003.2510041575.000000000354D000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2510085331.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509409389.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509521137.0000000003556000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn.static.malwarebytes.org/client_resources/1.7/images/StartupLite_64x64.png
Source: cpcsgui.exe	String found in binary or memory: http://cdn.static.malwarebytes.org/client_resources/1.7/images/anti_rootkit_64x64.png
Source: cpcs.exe, 00000009.00000003.2509521137.0000000003556000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn.stb
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cha.91mt.com/asp/xg.asp
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://d1.kuai8.com
Source: cpcs.exe, 00000009.00000003.2509920343.000000000354D000.00000004.00000020.00020000.00000000.sdmp, cpcsgui.exe	String found in binary or memory: http://downloads.malwarebytes.org/mbam-download.php
Source: cpcs.exe, 00000009.00000003.2510085331.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509982383.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509920343.000000000354D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://downloads.malwarebytes.org/mbam-download.phpon
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edits.mywebsearch.com
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geral.gratixhost.com.br/publicidade/publicidade.js
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://http.proxy.icq.com/hello
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://knock-knock-knock.info/export/code2.php?c=
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://knock-knock-knock.info/export/code2.php?c=0000000
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://knock-knock-knock.info/export/code2.php?c=1000000
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://koxp.alcazer.com
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://link0125baixa2010.fromru.com/arroxa.exe
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://link0125baixa2010.fromru.com/arroxa.exeC:
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://redirecionamentosb.com/sw4.pac
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://redirecionamentosb.com/sw4.packer
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://saskentbbq.com/sasmate
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sms911.ru
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://snake.gnuchina.org
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://topagacilaboratuari.com/topagaci.com
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2556561426.0000000007934000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://upx.sf.net
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://w.clic
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wara6.homeftp.org/c
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wfef5.mine.nu/config.asp
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wsy539.myrice.com
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.6071.com/
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.8es.cn/code/adview_pic.php
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.GoCasino.com
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.GoCasino.com11
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.Parodieront.com
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.a0?a.co0
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.abyssmedia.com
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.abyssmedia.comion
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.abyssmedia.comz
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.aimp.ru
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ankord.com/)
Source: cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://www.appinf.com/features/enable-partial-reads
Source: cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://www.appinf.com/features/no-whitespace-in-element-content
Source: cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://www.appinf.com/features/no-whitespace-in-element-contenthttp://xml.org/sax/features/validatio
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A493000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2528855901.000000000A14E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.baidu.com
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.best-pc.co.kr
Source: chica-pc-shield-1-75-0-1300-en-win.exe, 00000000.00000003.2032168361.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.exe, 00000000.00000003.2795341385.0000000002100000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.exe, 00000000.00000003.2032244303.00000000020F4000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.tmp, chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2034370148.000000000213C000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2034264033.0000000003110000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2791392614.0000000002140000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2792550502.0000000002144000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2791262908.000000000213C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.chicalogic.com
Source: cpcsgui.exe	String found in binary or memory: http://www.chicalogic.com/pc-shield-re
Source: cpcs.exe, 00000009.00000003.2510085331.000000000355F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.chicalogic.com/pc-shield-re9
Source: cpcs.exe, 00000009.00000003.2510009992.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2510085331.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509982383.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509920343.000000000354D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.chicalogic.com/pc-shield-reJ
Source: cpcs.exe, 00000009.00000003.2500648179.0000000002B4E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2500622555.0000000002B48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.chicalogic.com/pc-shield-rei
Source: cpcs.exe, 00000009.00000003.2510009992.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2510085331.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509982383.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509920343.000000000354D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.chicalogic.com/pc-shield-rel
Source: cpcs.exe, 00000009.00000003.2510009992.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509982383.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509920343.000000000354D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.chicalogic.com/pc-shield-rew
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.chukotka.kz/cache/msn.php?id=0
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A69B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.contoso.com/PostAccepter.aspxQ5
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cookst.com/sentry/api/20110306.exe
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cookst.com/sentry/api/20110306.exeW
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.czsoft.go1.icpcn.com/
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.desksave.de
Source: cpcs.exe, 00000009.00000003.2556561426.0000000007934000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.emule-project.net
Source: cpcs.exe, 00000009.00000003.2556561426.0000000007934000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.eyuyan.com)
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.go2000.cn
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.go2000.cn.&
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com0
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com039~$
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.grandesgans.com/Vista.com
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.grandesgans.com/Vista.comr.
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533630438.000000000A445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.heaventools.com)
Source: chica-pc-shield-1-75-0-1300-en-win.tmp, chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000000.2033381655.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.innosetup.com/
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jetswap.comD
Source: cpcs.exe, 00000009.00000003.2509521137.0000000003556000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.malwarebytes.o
Source: cpcs.exe, 00000009.00000003.2509521137.0000000003553000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.malwarebytes.oY
Source: cpcsgui.exe	String found in binary or memory: http://www.malwarebytes.or
Source: cpcs.exe, 00000009.00000003.2510009992.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2510085331.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509982383.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509409389.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509325799.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509920343.000000000354D000.00000004.00000020.00020000.00000000.sdmp, cpcsgui.exe	String found in binary or memory: http://www.malwarebytes.org
Source: cpcsgui.exe	String found in binary or memory: http://www.malwarebytes.org/products
Source: cpcsgui.exe	String found in binary or memory: http://www.malwarebytes.org/products/
Source: cpcsgui.exe	String found in binary or memory: http://www.malwarebytes.org/products/chameleon
Source: cpcsgui.exe	String found in binary or memory: http://www.malwarebytes.org/products/fil
Source: cpcsgui.exe	String found in binary or memory: http://www.malwarebytes.org/products/file
Source: cpcsgui.exe	String found in binary or memory: http://www.malwarebytes.org/products/fileass
Source: cpcsgui.exe	String found in binary or memory: http://www.malwarebytes.org/products/fileassassin
Source: cpcsgui.exe	String found in binary or memory: http://www.malwarebytes.org/products/mbar
Source: cpcsgui.exe	String found in binary or memory: http://www.malwarebytes.org/products/startuplite
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.niudoudou.com/web/download/
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.niudoudou.com/web/download/=H
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ntkrnl.com
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ntkrnl.comy
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pdfforge.org/
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.qqceo.net
Source: chica-pc-shield-1-75-0-1300-en-win.exe, 00000000.00000003.2032976073.0000000002128000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.exe, 00000000.00000003.2032819935.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.tmp, chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000000.2033381655.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.remobjects.com/ps
Source: chica-pc-shield-1-75-0-1300-en-win.exe, 00000000.00000003.2032976073.0000000002128000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.exe, 00000000.00000003.2032819935.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000000.2033381655.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.remobjects.com/psU
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rivalgaming.com/ClientPrivacyPolicy.rg0
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.skrsoftware.com/
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.super-ec.cnhttp://wghai.com/echttp://qsyou.com
Source: cpcs.exe, 00000009.00000003.2509409389.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509325799.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcsgui.exe	String found in binary or memory: http://www.w3.
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ww-xxooxx-ch.net
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zippay.ru/robo-pay.php?lang=
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xdinheirox.rememberit.com.au/
Source: cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://xml.org/sax/features/external-general-entities
Source: cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://xml.org/sax/features/external-parameter-entities
Source: cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://xml.org/sax/features/namespace-prefixes
Source: cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://xml.org/sax/features/namespaces
Source: cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://xml.org/sax/features/string-interning
Source: cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://xml.org/sax/features/validation
Source: cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://xml.org/sax/properties/declaration-handler
Source: cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://xml.org/sax/properties/lexical-handler

Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown	Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown	Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49957 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown	Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49921

Spam, unwanted Advertisements and Ransom Demands

Yara detected KillMBR

Source: Yara match

File source: Process Memory Space: cpcs.exe PID: 2412, type: MEMORYSTR

Operating System Destruction

Yara detected KillMBR

Source: Yara match

File source: Process Memory Space: cpcs.exe PID: 2412, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000012.00000003.2839561000.000000000CFD9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: thequickbrow_APT1 Author: AlienVault Labs
Source: 00000009.00000003.2546777163.000000000C828000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 00000009.00000003.2545861202.000000000D4FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 00000012.00000003.2839681114.000000000D42B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 0000000F.00000003.2652428311.0000000004663000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: 9002 Identifying Strings Author: Seth Hardy
Source: 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
Source: 00000012.00000003.2843530652.000000000847A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
Source: 0000000F.00000003.2648389472.0000000008271000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
Source: Process Memory Space: cpcs.exe PID: 2412, type: MEMORYSTR	Matched rule: thequickbrow_APT1 Author: AlienVault Labs
Source: Process Memory Space: cpcs.exe PID: 2412, type: MEMORYSTR	Matched rule: 9002 Identifying Strings Author: Seth Hardy

Yara detected Xtreme RAT

Source: Yara match

File source: Process Memory Space: cpcs.exe PID: 2412, type: MEMORYSTR

Found PHP interpreter

Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Backdoor.Tidserv && VERSION=1, The PHP Group && VERSION=7, php.exe && STRINGS=590, 00405F77696E6F63
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Rootkit.TDSS && VERSION=1, The PHP Group && VERSION=7, php.exe && STRINGS=23973, 616669735C7300637264725C256F3F2E62007664655B726C5C735D7C6D63765C67003F645D0000005A006F72747325
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Rootkit.TDSS.Gen && SIZE=70000, 1500000 && VERSION=1, The PHP Group && VERSION=3, 5.2.11.11 && VERSION=7, php.exe
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Backdoor.Tidserv && VERSION=1, The PHP Group && VERSION=7, php.exe && STRINGS=590, 00405F77696E6F63
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Rootkit.TDSS && VERSION=1, The PHP Group && VERSION=7, php.exe && STRINGS=23973, 616669735C7300637264725C256F3F2E62007664655B726C5C735D7C6D63765C67003F645D0000005A006F72747325
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Rootkit.TDSS.Gen && SIZE=70000, 1500000 && VERSION=1, The PHP Group && VERSION=3, 5.2.11.11 && VERSION=7, php.exe
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: The PHP Group

Contains functionality to call native functions

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0042F520 NtdllDefWindowProc_A,	1_2_0042F520
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00423B84 NtdllDefWindowProc_A,	1_2_00423B84
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_004125D8 NtdllDefWindowProc_A,	1_2_004125D8
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00478648 NtdllDefWindowProc_A,	1_2_00478648
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0045746C PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,	1_2_0045746C

Contains functionality to communicate with device drivers

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

Code function: 1_2_0042E934: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,

1_2_0042E934

Contains functionality to delete services

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe

Code function: 12_2_6F872930 CloseServiceHandle,ControlService,DeleteService,CloseServiceHandle,Sleep,CloseServiceHandle,CloseServiceHandle,

12_2_6F872930

Contains functionality to launch a process as a different user

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe

Code function: 14_2_008E5DD0 DuplicateTokenEx,CloseHandle,CloseHandle,CloseHandle,CreateEnvironmentBlock,CloseHandle,_memset,CreateProcessAsUserW,DestroyEnvironmentBlock,CloseHandle,DestroyEnvironmentBlock,CloseHandle,CloseHandle,CloseHandle,

14_2_008E5DD0

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_004555E4

Creates files inside the driver directory

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

File created: C:\Windows\system32\drivers\is-VCK25.tmp

Jump to behavior

Creates files inside the system directory

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Windows\system32\drivers\is-VCK25.tmp			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Detected potential crypto function

Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Code function: 0_2_0040840C	0_2_0040840C
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0048053F	1_2_0048053F
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00470584	1_2_00470584
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0046727C	1_2_0046727C
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_004352C8	1_2_004352C8
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0048DA5C	1_2_0048DA5C
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0043035C	1_2_0043035C
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_004444C8	1_2_004444C8
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_004345C4	1_2_004345C4
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00486720	1_2_00486720
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00444A70	1_2_00444A70
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00430EE8	1_2_00430EE8
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0045EF9C	1_2_0045EF9C
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0045B04C	1_2_0045B04C
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00445168	1_2_00445168
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_004692DC	1_2_004692DC
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00445574	1_2_00445574
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00487680	1_2_00487680
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_004519BC	1_2_004519BC
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0043DD50	1_2_0043DD50
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005DA210	12_2_005DA210
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005F22DD	12_2_005F22DD
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005EE281	12_2_005EE281
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005BC3C0	12_2_005BC3C0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005E8410	12_2_005E8410
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005FC4E4	12_2_005FC4E4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005F267B	12_2_005F267B
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005FA62E	12_2_005FA62E
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005DE6F0	12_2_005DE6F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005E47F0	12_2_005E47F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005C4790	12_2_005C4790
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005F2A4D	12_2_005F2A4D
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005FAB7F	12_2_005FAB7F
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005B4CD0	12_2_005B4CD0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005F8D90	12_2_005F8D90
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005F2E35	12_2_005F2E35
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005FB0D0	12_2_005FB0D0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005E5110	12_2_005E5110
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005DF3B0	12_2_005DF3B0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005B1410	12_2_005B1410
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005B5560	12_2_005B5560
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005FB7AC	12_2_005FB7AC
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005B5860	12_2_005B5860
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005D9930	12_2_005D9930
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005B79E0	12_2_005B79E0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005DBB30	12_2_005DBB30
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005B5D40	12_2_005B5D40
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005F1E48	12_2_005F1E48
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005C3E40	12_2_005C3E40
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005B1EF0	12_2_005B1EF0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB950F0	12_2_6BB950F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB57020	12_2_6BB57020
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB76B10	12_2_6BB76B10
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB5BB50	12_2_6BB5BB50
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB51AE0	12_2_6BB51AE0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB53900	12_2_6BB53900
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB5E8D0	12_2_6BB5E8D0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB68F97	12_2_6BB68F97
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB9EFF4	12_2_6BB9EFF4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB76F20	12_2_6BB76F20
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB9BF20	12_2_6BB9BF20
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BBAEF44	12_2_6BBAEF44
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB95DB0	12_2_6BB95DB0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB90CD0	12_2_6BB90CD0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB903E0	12_2_6BB903E0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB53240	12_2_6BB53240
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB671A0	12_2_6BB671A0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB54133	12_2_6BB54133
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB66080	12_2_6BB66080
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB5F000	12_2_6BB5F000
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB68045	12_2_6BB68045
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB5F7CC	12_2_6BB5F7CC
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB6376C	12_2_6BB6376C
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB925C0	12_2_6BB925C0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB5C480	12_2_6BB5C480
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB52400	12_2_6BB52400
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB62450	12_2_6BB62450
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F88CDF0	12_2_6F88CDF0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F85B9E0	12_2_6F85B9E0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F852ED0	12_2_6F852ED0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F896C84	12_2_6F896C84
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F854C50	12_2_6F854C50
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F888C70	12_2_6F888C70
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F8A4BD0	12_2_6F8A4BD0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F864AE0	12_2_6F864AE0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F8A2890	12_2_6F8A2890
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F86A7D0	12_2_6F86A7D0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F85C7E0	12_2_6F85C7E0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F86E690	12_2_6F86E690
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F8A467F	12_2_6F8A467F
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F88A590	12_2_6F88A590
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F89C4D5	12_2_6F89C4D5
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F852420	12_2_6F852420
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F888390	12_2_6F888390
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F892310	12_2_6F892310
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F86A1F0	12_2_6F86A1F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F8A412E	12_2_6F8A412E
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F8700A0	12_2_6F8700A0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F89C0ED	12_2_6F89C0ED
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F8A5FE4	12_2_6F8A5FE4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F89BD1B	12_2_6F89BD1B
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F86BD60	12_2_6F86BD60
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F869C00	12_2_6F869C00
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F86FAA0	12_2_6F86FAA0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F88DAB0	12_2_6F88DAB0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F8739F0	12_2_6F8739F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F89B97D	12_2_6F89B97D
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F861720	12_2_6F861720
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F873720	12_2_6F873720
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F89B4E8	12_2_6F89B4E8
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F86B370	12_2_6F86B370
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F8A52AC	12_2_6F8A52AC
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F86F260	12_2_6F86F260
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F8511E0	12_2_6F8511E0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_3_033C236A	12_3_033C236A
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_008EC0D0	14_2_008EC0D0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_0091B027	14_2_0091B027
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_009091D0	14_2_009091D0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_009211DF	14_2_009211DF
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_008EE140	14_2_008EE140
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_0091D3F0	14_2_0091D3F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_0091F3F0	14_2_0091F3F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_009103F0	14_2_009103F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_0091B3F9	14_2_0091B3F9
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_008E3520	14_2_008E3520
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_0091A7F4	14_2_0091A7F4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_0091B7E1	14_2_0091B7E1
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_00921730	14_2_00921730
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_0090C740	14_2_0090C740
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_00907870	14_2_00907870
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_00922B44	14_2_00922B44
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_0091AC89	14_2_0091AC89
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_00920C8E	14_2_00920C8E
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_00921E0C	14_2_00921E0C
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_00906F90	14_2_00906F90
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB950F0	14_2_6BB950F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB57020	14_2_6BB57020
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB76B10	14_2_6BB76B10
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB5BB50	14_2_6BB5BB50
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB51AE0	14_2_6BB51AE0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB53900	14_2_6BB53900
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB5E8D0	14_2_6BB5E8D0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB68F97	14_2_6BB68F97
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB9EFF4	14_2_6BB9EFF4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB76F20	14_2_6BB76F20
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB9BF20	14_2_6BB9BF20
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BBAEF44	14_2_6BBAEF44
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB95DB0	14_2_6BB95DB0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB90CD0	14_2_6BB90CD0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB903E0	14_2_6BB903E0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB53240	14_2_6BB53240
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB671A0	14_2_6BB671A0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB54133	14_2_6BB54133
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB66080	14_2_6BB66080
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB5F000	14_2_6BB5F000
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB68045	14_2_6BB68045
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB5F7CC	14_2_6BB5F7CC
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB6376C	14_2_6BB6376C
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB925C0	14_2_6BB925C0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB5C480	14_2_6BB5C480
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB52400	14_2_6BB52400
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB62450	14_2_6BB62450
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F88CDF0	14_2_6F88CDF0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F85B9E0	14_2_6F85B9E0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F852ED0	14_2_6F852ED0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F896C84	14_2_6F896C84
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F854C50	14_2_6F854C50
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F888C70	14_2_6F888C70
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F8A4BD0	14_2_6F8A4BD0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F864AE0	14_2_6F864AE0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F8A2890	14_2_6F8A2890
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F86A7D0	14_2_6F86A7D0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F85C7E0	14_2_6F85C7E0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F86E690	14_2_6F86E690
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F8A467F	14_2_6F8A467F
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F88A590	14_2_6F88A590
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F89C4D5	14_2_6F89C4D5
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F852420	14_2_6F852420
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F888390	14_2_6F888390
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F892310	14_2_6F892310
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F86A1F0	14_2_6F86A1F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F8A412E	14_2_6F8A412E
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F8700A0	14_2_6F8700A0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F89C0ED	14_2_6F89C0ED
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F8A5FE4	14_2_6F8A5FE4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F89BD1B	14_2_6F89BD1B
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F86BD60	14_2_6F86BD60
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F869C00	14_2_6F869C00
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F86FAA0	14_2_6F86FAA0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F88DAB0	14_2_6F88DAB0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F8739F0	14_2_6F8739F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F89B97D	14_2_6F89B97D
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F861720	14_2_6F861720
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F873720	14_2_6F873720
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F89B4E8	14_2_6F89B4E8
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F86B370	14_2_6F86B370
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F8A52AC	14_2_6F8A52AC
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F86F260	14_2_6F86F260
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F8511E0	14_2_6F8511E0

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: String function: 00408C0C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: String function: 00406AC4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: String function: 0040595C appears 117 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: String function: 00403400 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: String function: 00445DD4 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: String function: 004344DC appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: String function: 004078F4 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: String function: 00403494 appears 82 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: String function: 00457DF4 appears 73 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: String function: 00457BE8 appears 94 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: String function: 00403684 appears 224 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: String function: 00453344 appears 94 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: String function: 004460A4 appears 59 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: String function: 6F895C50 appears 36 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: String function: 6BBB1303 appears 78 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: String function: 6F853910 appears 41 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: String function: 0090D53A appears 64 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: String function: 0090EF60 appears 33 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: String function: 008E1450 appears 138 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: String function: 6F856530 appears 139 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: String function: 6F88F635 appears 79 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: String function: 005ECC60 appears 34 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: String function: 6F895C50 appears 36 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: String function: 6BBB1303 appears 78 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: String function: 6F853910 appears 41 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: String function: 005E6ABC appears 70 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: String function: 6F88F635 appears 79 times

PE file contains executable resources (Code or Archives)

Source: chica-pc-shield-1-75-0-1300-en-win.exe	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: chica-pc-shield-1-75-0-1300-en-win.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: chica-pc-shield-1-75-0-1300-en-win.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: chica-pc-shield-1-75-0-1300-en-win.tmp.0.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-L12IJ.tmp.1.dr	Static PE information: Resource name: DRIVERTYPE type: PE32 executable (native) Intel 80386, for MS Windows
Source: is-L12IJ.tmp.1.dr	Static PE information: Resource name: DRIVERTYPE type: PE32 executable (native) Intel 80386, for MS Windows
Source: is-DB4G5.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-DB4G5.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-DB4G5.tmp.1.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped

Sample file is different than original file name gathered from version info

Source: chica-pc-shield-1-75-0-1300-en-win.exe, 00000000.00000003.2032976073.0000000002128000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs chica-pc-shield-1-75-0-1300-en-win.exe
Source: chica-pc-shield-1-75-0-1300-en-win.exe, 00000000.00000003.2032819935.00000000023F0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs chica-pc-shield-1-75-0-1300-en-win.exe

Uses 32bit PE files

Source: chica-pc-shield-1-75-0-1300-en-win.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Yara signature match

Source: 00000012.00000003.2839561000.000000000CFD9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: thequickbrow_APT1 author = AlienVault Labs, info = CommentCrew-threat-apt1
Source: 00000009.00000003.2546777163.000000000C828000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 00000009.00000003.2545861202.000000000D4FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 00000012.00000003.2839681114.000000000D42B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 0000000F.00000003.2652428311.0000000004663000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: APT9002Strings author = Seth Hardy, description = 9002 Identifying Strings, last_modified = 2014-06-25
Source: 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000003.2843530652.000000000847A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000F.00000003.2648389472.0000000008271000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: cpcs.exe PID: 2412, type: MEMORYSTR	Matched rule: thequickbrow_APT1 author = AlienVault Labs, info = CommentCrew-threat-apt1
Source: Process Memory Space: cpcs.exe PID: 2412, type: MEMORYSTR	Matched rule: APT9002Strings author = Seth Hardy, description = 9002 Identifying Strings, last_modified = 2014-06-25

Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: V2\custom\Project1.vbpQ
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 3)\Project1.vbp
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: +tub.vbp
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Basic\nLoader\Projekt1.vbp3
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 20 Prof Updater\Project1.vbpo
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\????????????.vbp
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ouveau dossier (3)\Project1.vbp
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AD:\??????.vbpyc
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: v5\Server\Project1.vbp
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AC:\????????.vbp>d
Source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows.vbp
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Logoff.vbp
Source: cpcs.exe, 00000009.00000003.2533630438.000000000A445000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Documents and Settings\Administrador\Desktop\new project\New_Project1.vbp?
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: N\IEAdBlocker.vbp%
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\????????????.vbpOc
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *\AC:\??????.vbp
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AJ:\Jhocko\Loader\Loader.vbpw
Source: chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2789847670.0000000004E63000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: (*\AC:\SteveMac\VB6\Controls\S-Grid5\pVBALGrid6.vbpH\
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\??????.vbp?c
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ????.vbp
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: uveau dossier (3)\Project1.vbp
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \calculator.vbp
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\GroundPlayer.vbpen#
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\DZYA.vbp
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: z1.vbpY
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.VBPacked && SIZE=240000, 265000 && RESOURCE=RT_ICON, 1403, AAD517AAD504CBEE04CBEE04CBEE04CBEE3ABEDA32AA6492454D92454DA6666A2D3ECC4E77D72B42D42831CA2D3ECC2D3ECC2F9059 && PESECTION=1, * && VOFFSET=424, 8, 15, 504543
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\pzFBNe.vbp
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _Generated-3\Project1.vbp
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Server\winlog.vbp
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\????????????????????.vbpe1WH4
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *\AC:\????????????????\Modif\ica\??????????????\Computer ???? ??????ica d orp\???????????? ???????????? ??r EMINEMOr????????a.vbp
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mmmm?.vbp
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \M3\Desktop\CR\ST\S.vbp
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Santos\Desktop\Stub\stub.vbp
Source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *\AF:\untitled01\new\7\tools\backup\Project1.vbp
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: itc\it_inst\Project1.vbp=,
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AZ:\q\q.vbp
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\??????.vbp
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AC:\sethc.vbpu
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Mdx 0\Osigsnad drsydcao1.vbp0000
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: oGachi to Gachito.vbpC.
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: M3\Desktop\Machine\Setup.vbpZ
Source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @*\AC:\Project1.vbpown65
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\??????????.vbp^c
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\??????.vbpEc
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win11\DirtyBusinessNewMod.vbp
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\dTtI.vbpbp
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \EXE\Project1.vbp
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AH:\V1.0\Project1.vbp
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: D:\????????.vbp!
Source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Bureau\Copie de Nouveau dossier (3)\Project1.vbp
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CommonDialog_Class.vbp
Source: cpcs.exe, 00000009.00000003.2533526590.000000000A5DD000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2534960911.000000000A5DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Bureau\Copie de Nouveau dossier (3)\Project1.vbpQ
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: john\Desktop\Stub\stub.vbpN
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NYHOMv.vbpN~
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Priv8\Project1.vbp
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \GoogleGroupsBHO.vbpW
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *\AD:\Projekt1.vbp
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \GoogleGroupsBHO.vbp
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\????????????.vbpcc
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: New Folder\Project1.vbp
Source: chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2789847670.0000000004E5C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: .*\AC:\SteveMac\VB6\XHELPE~1\SSubTmr\SubTimer6.vbp
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0zcyfqrkkdgt opgz\|kxrcbpWqe\|oml6.vbp
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fgf.vbp
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \newwish\uniedit.vbp
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \serv\Project1.vbp
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\??????????????.vbp?A
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \JKMobile.vbp
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: z1.vbper
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Simple\Stub\stub.vbp8
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AC:\????????.vbp"c
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\????????.vbpHc
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: io\deho\deho.vbp
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\??????????????????.vbp
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AC:\??????.vbp,c
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *\AC:\Stub3\GqtM3.vbp
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Nero.vbp
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \newwish\uniedit.vbpxe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000007934000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.VBPassSteal && STRINGS=1169, 62737465616C65725F6C6F6164 && STRINGS=128, B71207DBF3736988F3736988F3736988 && STRINGS=987, 332E30300055505821
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \puxa vb\viks.vbp7
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Server\winlog.vbpn
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Tool Febrero\Proyecto1.vbp
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sax 0\Pdoaeatsd.vbpq
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\????????????????????????????.vbpTY
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PCsig2\stub\STUB.vbp'
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *\AE:\Projekt1.vbp9
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Santa\Project1.vbpU
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\??????.vbprc
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Mdx 0\Osigsnad drsydcao1.vbpsL
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \_new3_test_006\project1.vbp
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\????????.vbp
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \IMPORTANT.vbp>s
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X\Server\Project1.vbpn
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Y:\code\prog\my\mycall.vbp
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: free\leader\driver.vbp
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Generated-1\Project1.vbp^
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\ssss\VEhvdQTbQ.vbp
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AC:\??????????.vbp

Source: classification engine

Classification label: mal54.rans.troj.evad.winEXE@30/92@19/3

Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,	0_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,	1_2_004555E4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F85FAE0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle,CloseHandle,	12_2_6F85FAE0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F85FAE0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle,CloseHandle,	14_2_6F85FAE0

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

Code function: 1_2_00455E0C GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceExA,GetDiskFreeSpaceA,

1_2_00455E0C

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: CloseServiceHandle,CreateServiceW,GetLastError,OpenServiceW,		12_2_6F88EBA0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: CloseServiceHandle,CreateServiceW,GetLastError,OpenServiceW,		14_2_6F88EBA0

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe

Code function: 12_2_005BB070 CharUpperW,CreateToolhelp32Snapshot,Process32FirstW,CharUpperW,Process32NextW,CloseHandle,

12_2_005BB070

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

Code function: 1_2_00456574 CoCreateInstance,CoCreateInstance,SysFreeString,SysFreeString,

1_2_00456574

Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe

Code function: 0_2_00409BEC FindResourceA,SizeofResource,LoadResource,LockResource,

0_2_00409BEC

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe

Code function: 12_2_6F872F00 CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,

12_2_6F872F00

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe

Code function: 14_2_008E1E80 StartServiceCtrlDispatcherW,

14_2_008E1E80

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

File created: C:\Program Files (x86)\ChicaLogic

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Mutant created: NULL
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\CPCSScannerMutex

Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe

File created: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp

Jump to behavior

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Command line argument: kernel32.dll	12_2_005B3D10
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Command line argument: /silent	12_2_005B3D10
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Command line argument: /install	12_2_005B3D10
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Command line argument: /uninstall	12_2_005B3D10
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Command line argument: /stop	12_2_005B3D10
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Command line argument: /starttray	12_2_005B3D10
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Command line argument: /startalways	12_2_005B3D10
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Command line argument: PK_	12_2_005F4AA0

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: cpcsgui.exe	String found in binary or memory: /stop
Source: cpcsgui.exe	String found in binary or memory: /stop
Source: cpcsgui.exe	String found in binary or memory: /install

Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe

File read: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe "C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe"
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Process created: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp "C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp" /SL5="$20430,8630815,54272,C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe"
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbamext.dll"
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe" /starttrial
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"
Source: unknown	Process created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe" /install /silent
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe"
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe" /update
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe"
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Process created: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp "C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp" /SL5="$20430,8630815,54272,C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbamext.dll"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe" /starttrial	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe" /update	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe"	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"

Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mbam.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: advpack.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: asycfilt.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mbamcore.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mbamnet.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: mbam.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: mbamnet.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: mbam.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: mbamnet.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msvbvm60.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: vb6zz.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: sxs.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mbam.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: advpack.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: olepro32.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: asycfilt.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mbamcore.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dataexchange.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: d3d11.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dcomp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dxgi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: twinapi.appcore.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: textshaping.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: ieframe.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wkscli.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msiso.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mshtml.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: umpdc.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: srpapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mbamnet.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msimtf.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msls31.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: d2d1.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dwrite.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dxcore.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mlang.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: msvbvm60.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: msvbvm60.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msvbvm60.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: vb6zz.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: sxs.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mbam.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: advpack.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: olepro32.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: asycfilt.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mbamcore.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dataexchange.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: d3d11.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dcomp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dxgi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: twinapi.appcore.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: textshaping.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: ieframe.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wkscli.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msiso.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mshtml.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: umpdc.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: srpapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mbamnet.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msimtf.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msls31.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: d2d1.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dwrite.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dxcore.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mlang.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: msvbvm60.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: msvbvm60.dll

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: ChicaPC-Shield Notifications.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe
Source: Uninstall ChicaPC-Shield.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\Program Files (x86)\ChicaLogic\ChicaPC-Shield\unins000.exe
Source: ChicaPC-Shield.lnk.1.dr	LNK file: ..\..\..\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe
Source: ChicaPC-Shield.lnk0.1.dr	LNK file: ..\..\..\..\..\..\..\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

Window found: window name: TSelectLanguageForm

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Automated click: I accept the agreement
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Automated click: OK
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: chica-pc-shield-1-75-0-1300-en-win.exe

Static PE information: certificate valid

Source: chica-pc-shield-1-75-0-1300-en-win.exe

Static file information: File size 8967808 > 1048576

Source:	Binary string: \ResBegleiter\obj\x86\Release\Devi.pdbb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :\XRoot_Build\XC\Vm\Release\x86\StubExe.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Server.pdb source: cpcs.exe, 00000009.00000003.2535416200.000000000A6BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \obj\Release\Welp.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \obj\Release\Welp.pdbY{ source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: miniloader-patchdate-stub.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: DarkShell\Server\svchost\Debug\Serverz.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: w:\Project\!lego2new\lego_2011.xx.xx_2.xx\release\NSP.pdb source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: se\NSP.pdb source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\USERS\DEFAULT\APPDATA\LOCAL\TEMP\FACEBOOK\FACEBOOK STEALER.PDB source: cpcs.exe, 00000009.00000003.2545034326.000000000E01A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \sw_modem\HSF_HWICH\i386\HSFHWICH.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cryptnet.pdb source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\key\sar\Debug\sar.pdbre source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\SVN\mbam\dll\mbam.dll\build\mbam.pdb source: cpcsgui.exe, 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: Intel Corporationse\NSP.pdb source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vpamjon.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NB10??????N????:\??????????\??W????????\????????????????????????????????????????G????\????????????\??????\????????????.pdbj source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: hnetmon.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A217000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sass.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\Cryptor\stub6\Release\stub6.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: !lego2new\lego_2011.xx.xx_2.xx\release\NSP.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :\UMPk.pdb source: cpcs.exe, 00000009.00000003.2535304844.0000000009F2B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\SVN\mbam\exe\mbampt.exe\build\mbampt.pdb%0A source: chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2789847670.0000000004F26000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\APPDATA\LOCAL\TEMP\FACEBOOK\FACEBOOK STEALER.PDB source: cpcs.exe, 00000009.00000003.2545306895.000000000E06C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Release\AvG.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Release\AvG.pdb>M source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\TranceCo.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\WFD\Tools\Server\_Downloader\Share\SFX Package\Pack\obj\x86\Debug\Pack.pdbE source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\USERS\user\APPDATA\LOCAL\TEMP\FACEBOOK\FACEBOOK STEALER.PDB source: cpcs.exe, 00000009.00000003.2545034326.000000000E01A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: fukmp.pdb source: cpcs.exe, 00000009.00000003.2535475306.000000000B056000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NB10??????N????:\??????????\??W????????\????????????????????????????????????????G????\????????????\??????\????????????.pdb source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ????????????????.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: aspergillus.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bk22\kloader\Release\i386\kloader.pdb source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Dell\Desktop\SOMA.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: fukmp.pdb% source: cpcs.exe, 00000009.00000003.2535475306.000000000B056000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: p:\vc5\x64\release\resident.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: F:\NTDDK\DEMO\_DarkTest\i386\DarkTest.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\SVN\mbam\dll\mbam.dll\build\mbam.pdb` source: cpcsgui.exe, 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: C:\dev\stuk_rar\release\setup.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\SVN\mbam\exe\mbamscheduler.exe\build\mbamscheduler.pdb source: chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2789847670.0000000004EC9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\WINDOWS\TEMP\FACEBOOK\FACEBOOK STEALER.PDB source: cpcs.exe, 00000009.00000003.2545034326.000000000DF4E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\PROGRAM FILES (X86)\FACEHACK\FACEHACK.PDB%vz$ source: cpcs.exe, 00000009.00000003.2546311082.000000000D10C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sfxrar32\Release\sfxrar.pdb source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Socksbuilder\stub\release\stub.pdbeb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ent.pdb0?0A source: cpcs.exe, 00000009.00000003.2533784758.000000000A13A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sxtyy.pdb source: cpcs.exe, 00000009.00000003.2535475306.000000000B056000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ?????.pdbr source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: EXTRA=Adware.Agent, %PROGRAMFILES%\Isilo\iSiloDisplaySample.pdb, DP source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: db.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2534960911.000000000A69B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Nuova cartella\myform\myform\obj\Release\myform.pdb source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: $:\tmp\test.pdb source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529941329.000000000A2A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :\??????????????????????????????????????.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z(1)\stub\Release\stub.pdbtor source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ??:\??????????\??W????????\????????????????????????????????????????G????\????????????\??????\????????????.pdb source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: x:\werdon.pdb source: cpcs.exe, 00000009.00000003.2535304844.0000000009F2B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\d\objfre_wxp_x86\i386\HG.pdb source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z(1)\stub\Release\stub.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: p:\vc5\x64\release\resident.pdbO6 source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ent.pdb source: cpcs.exe, 00000009.00000003.2533784758.000000000A13A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\work_temp\utf8\test2\Release\test2.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\job\gh0st1.0\Release\Loader.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: URGABPW.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: TDIMUED.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: hnetmon.pdbU source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vpamjon.pdbd9 source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \accs\accs\accs\obj\Release\accs.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: REAPER\Stub\stub rc\obj\Release\stub rc.pdb source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: w:\Project\!lego2new\lego_2011.xx.xx_2.xx\release\NSP.pdb/ source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\key\sar\Debug\sar.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ryptnet.pdb source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529941329.000000000A2A1000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533526590.000000000A5A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Projects\reg\reg\obj\Debug\reg.pdbn source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sxtyy.pdb source: cpcs.exe, 00000009.00000003.2535475306.000000000B056000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WWMWCMGV.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cryptnet.pdbB source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Projects\reg\reg\obj\Debug\reg.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HookDllDriver\objfre\i386\hookdll.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NGPCorp\DLL\Release\DLL.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sfxrar32\Release\sfxrar.pdbPY source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Prevazatorul.pdb[ source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\TP\AppData\Local\Temp\zy3gqjbl.pdb source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \AccountCreator.pdbk source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: F:\NTDDK\DEMO\_DarkTest\i386\DarkTest.pdbem source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Bacipy.pdb source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533630438.000000000A445000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: IEXPLORE\Debug\wibvusd.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A493000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2528855901.000000000A14E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8$W:\w\Loader.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vCrypt Stub.pdb source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Prevazatorul.pdb source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: &:\UMPk.pdb source: cpcs.exe, 00000009.00000003.2535304844.0000000009F2B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ?????.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \ResBegleiter\obj\x86\Release\Devi.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :\tmp\test.pdb source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529941329.000000000A2A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ld.pdb source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529941329.000000000A2A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\work\utf8\test2\Release\test2.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \AccountCreator.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A217000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: XC\Vm\Release\x86\StubExe.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A217000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Z:\xampp\htdocs\project-727,Permutation\stable\tmp\PDBSIG.pdb source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :\Fecira.pdb source: cpcs.exe, 00000009.00000003.2535304844.0000000009F2B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb)] source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Project1\Project1\obj\Release\Project1.pdb<. source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: W:\w\Loader.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bk22\kloader\Release\i386\kloader.pdbt,n source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\work\test\test2\Release\test2.pdb< source: cpcs.exe, 00000009.00000003.2529454596.000000000A126000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Projects\War Crypter\Release\Stub.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\SVN Control Code\app_client\Loader\Release\Loader.pdb?_ source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Project1\Project1\obj\Release\Project1.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WWMWCMGV.pdb=; source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ??@RSDS??????????????????????????????????o.pdb source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \w.a.t.c.h\w.a.t.c.h\obj\Release\w.a.t.c.h.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\job\gh0st1.0\Release\Loader.pdb\ source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\APPDATA\LOCAL\TEMP\FACEBOOK\FACEBOOK STEALER.PDB source: cpcs.exe, 00000009.00000003.2545306895.000000000E06C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\XRoot_Build\XC\Vm\Release\x86\StubExe.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\work\test\test2\Release\test2.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529454596.000000000A126000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \x86\Debug\Balle2.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\WFD\Tools\Server\_Downloader\Share\SFX Package\Pack\obj\x86\Debug\Pack.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Emuhucuqih.pdb source: cpcs.exe, 00000009.00000003.2535475306.000000000B056000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: IEXPLORE\Debug\wibvusd.pdbR source: cpcs.exe, 00000009.00000003.2528855901.000000000A14E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: XC\Vm\Release\x86\StubExe.pdbX source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\work\test\test2\Release\test2.pdbd source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Tr0gdor\Rxbot 7.6\Debug\rBot.pdbz source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: o.pdb source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: note.pdb source: cpcs.exe, 00000009.00000003.2535475306.000000000B056000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\dtcser\sys\i386\killvv.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A493000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2528855901.000000000A14E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: EXTRA=Password.Stealer, %TEMP%\Facebook\Facebook Stealer.pdb, DP source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\key\lasass\Debug\lasass.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vCrypt Stub.pdb7 source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\SVN Control Code\app_client\Loader\Release\Loader.pdb source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: x:\werdon.pdb source: cpcs.exe, 00000009.00000003.2535304844.0000000009F2B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \MyProjects\eMule\Debug\eMule.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\SVN\mbam\exe\mbampt.exe\build\mbampt.pdb source: chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2789847670.0000000004F26000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Socksbuilder\stub\release\stub.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Tr0gdor\Rxbot 7.6\Debug\rBot.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cm_acl.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\dtcser\sys\i386\killvv.pdb+ source: cpcs.exe, 00000009.00000003.2533161271.000000000A493000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Double Onesass.pdbx7 source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

Code function: 1_2_0044852C LoadLibraryExA,LoadLibraryA,GetProcAddress,

1_2_0044852C

PE file contains sections with non-standard names

Source: is-6PN99.tmp.1.dr

Static PE information: section name: .sxdata

Registers a DLL

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbamext.dll"

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Code function: 0_2_004065C8 push 00406605h; ret	0_2_004065FD
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Code function: 0_2_004040B5 push eax; ret	0_2_004040F1
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax	0_2_00408109
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Code function: 0_2_00404185 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Code function: 0_2_00404206 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Code function: 0_2_0040C218 push eax; ret	0_2_0040C219
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Code function: 0_2_004042E8 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Code function: 0_2_00404283 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Code function: 0_2_00408F38 push 00408F6Bh; ret	0_2_00408F63
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_3_021A3ED7 push 4002145Eh; ret	1_3_021A4005
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_3_021A3ED7 push 4002145Eh; ret	1_3_021A4005
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_3_02142704 pushad ; retn 0046h	1_3_02142705
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_3_021A3ED7 push 4002145Eh; ret	1_3_021A4005
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_3_021A3ED7 push 4002145Eh; ret	1_3_021A4005
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_3_021A3ED7 push 4002145Eh; ret	1_3_021A4005
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_3_021A3ED7 push 4002145Eh; ret	1_3_021A4005
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_3_021A4000 push 4002145Eh; ret	1_3_021A4005
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0040994C push 00409989h; ret	1_2_00409981
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00483AD8 push 00483BE6h; ret	1_2_00483BDE
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_004062B4 push ecx; mov dword ptr [esp], eax	1_2_004062B5
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_004104E0 push ecx; mov dword ptr [esp], edx	1_2_004104E5
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00494888 push ecx; mov dword ptr [esp], ecx	1_2_0049488D
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00412928 push 0041298Bh; ret	1_2_00412983
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0040CE38 push ecx; mov dword ptr [esp], edx	1_2_0040CE3A
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_004851C8 push ecx; mov dword ptr [esp], ecx	1_2_004851CD
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_004591A8 push 004591ECh; ret	1_2_004591E4
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0040F398 push ecx; mov dword ptr [esp], edx	1_2_0040F39A
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00443440 push ecx; mov dword ptr [esp], ecx	1_2_00443444
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0040546D push eax; ret	1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0040553D push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_004055BE push 00405749h; ret	1_2_00405741

Persistence and Installation Behavior

Creates a FSFilter Anti-Virus service

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe

Registry value created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CPCSProtector\Instances\CPCSProtector Instance Altitude

Jump to behavior

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-L12IJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbamtoast.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbam.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\7z.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbamcore.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsservice.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-6PN99.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Users\user\AppData\Local\Temp\is-93AED.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-SJQ69.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-6H2TN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcspt.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-K9CAE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-9INTD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-KP3IJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Users\user\AppData\Local\Temp\is-93AED.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-UQ1R3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-CI4PM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Windows\System32\drivers\is-VCK25.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-0DUR6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbamext.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Users\user\AppData\Local\Temp\is-93AED.tmp\mbam.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	File created: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Windows\system32\drivers\cpcs.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbamnet.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-DB4G5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-J2CDD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-S0PAI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-CU77C.tmp	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Windows\System32\drivers\is-VCK25.tmp			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Windows\system32\drivers\cpcs.sys (copy)			Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Windows\System32\regsvr32.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\MBAMShlExt NULL			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\MBAMShlExt NULL			Jump to behavior

Creates or modifies windows services

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CPCSProtector\Instances

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ChicaLogic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ChicaLogic\ChicaPC-Shield	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ChicaLogic\ChicaPC-Shield\ChicaPC-Shield.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ChicaLogic\ChicaPC-Shield\ChicaPC-Shield Notifications.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ChicaLogic\ChicaPC-Shield\Uninstall ChicaPC-Shield.lnk	Jump to behavior

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe

Code function: 12_2_6F88F120 ChangeServiceConfig2W,StartServiceW,GetLastError,

12_2_6F88F120

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce ChicaPC-Shield	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce ChicaPC-Shield	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce ChicaPC-Shield	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce ChicaPC-Shield	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Contains functionality to hide user accounts

Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: EXTRA=Trojan.Backdoor, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList|NT_AUTORITY

May modify the system service descriptor table (often done to hook functions)

Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: KeServiceDescriptorTable

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0042285C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	1_2_0042285C
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00423C0C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_00423C0C
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00423C0C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_00423C0C
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_004241DC IsIconic,SetActiveWindow,SetFocus,	1_2_004241DC
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00424194 IsIconic,SetActiveWindow,	1_2_00424194
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00418384 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	1_2_00418384
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0048348C IsIconic,GetWindowLongA,ShowWindow,ShowWindow,	1_2_0048348C
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00417598 IsIconic,GetCapture,	1_2_00417598
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00417CCE IsIconic,SetWindowPos,	1_2_00417CCE
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00417CD0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	1_2_00417CD0

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

Code function: 1_2_0041F118 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

1_2_0041F118

Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0000000F.00000003.2652428311.0000000004663000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2843530652.000000000847A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.2648389472.0000000008271000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cpcs.exe PID: 2412, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=TROJAN.AGENT && SIZE=96304, 123880 && VERSION=1, HEX-RAYS SA && VERSION=3, 5.5.0.925 && VERSION=7, IDAG.EXE && RESOURCE=RT_GROUP_ICON, 0, 000001000100??????000100??00????00000100
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=TROJAN.SPYEYES && SIZE=80000, 420000 && VERSION=1, DATARESCUE SA/NV && VERSION=3, 5.2.0.908 && VERSION=7, IDAG.EXE && VERSION=8, THE INTERACTIVE DISASSEMBLER && STRINGS=456, 504543327A4F
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A217000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IDAG.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=SECURITY.HIJACK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\OLLYDBG.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=WORM.NEERIS, %TEMP%\WINDUMP.EXE, NV
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=TROJAN.AGENT && SIZE=1000, 1000000 && VERSION=1, DANIEL PISTELLI && VERSION=3, 7.9.0.0 && VERSION=7, CFF EXPLORER.EXE
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: COBSERVER.EXE"
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: API_LOG.DLL
Source: cpcs.exe, 00000009.00000003.2545740501.000000000E112000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\DEFAULT\APPDATA\LOCAL\TEMP\PROCMON.EXE
Source: cpcs.exe, 00000009.00000003.2546029145.000000000D31E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\MICROSOFT\SBIESVC.EXE
Source: cpcs.exe, 00000009.00000003.2544105021.000000000DEC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\DEFAULT\APPDATA\LOCAL\TEMP\WINDUMP.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=SECURITY.HIJACK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\REGMON.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=TROJAN.AGENT, %PROGRAMFILES%\MICROSOFT\SBIESVC.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=SECURITY.HIJACK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IDAG.EXE\|DEBUGGER, DP
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=SECURITY.HIJACK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ABREGMON.EXE.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=TROJAN.DOWNLOADER.MDN && VERSION=1, HEX-RAYS SA && VERSION=7, IDAG.EXE && RESOURCE=RT_VERSION, 134, 30003400310039 && STRINGS=%PE3% + 952, 637279707465642E657865
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\FILE.EXESBIEDLL.DLL3;
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=SECURITY.HIJACK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SUPERANTISPYWARE.EXE
Source: cpcs.exe, 00000009.00000003.2544105021.000000000DEC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\LOCAL\TEMP\WINDUMP.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=HIJACK.DISALLOWRUN, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\DISALLOWRUN\|FOLDERSNIFFER=FOLDERSNIFFER.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=SECURITY.HIJACK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FILEMON.EXE
Source: cpcs.exe, 00000009.00000003.2545306895.000000000E06C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\APPDATA\LOCAL\TEMP\PROCMON.EXETDH6N
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=TROJAN.SPYEYES && VERSION=1, UNDERGROUND INFORMATION CENTER && VERSION=3, 1.5.800.2006 RC7 && VERSION=4, PE TOOLS V1.5 RC7 && VERSION=7, PETOOLS.EXE && STRINGS=%PE2% + 306, 50004D00560059004B0055004A0046004C0037 && STRINGS=472, 50454332774F
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=TROJAN.AGENT && VERSION=5, JIQKZMOK && VERSION=7, COBSERVER.EXE
Source: cpcs.exe, 00000009.00000003.2545740501.000000000E112000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\LOCAL\TEMP\PROCMON.EXE
Source: cpcs.exe, 00000009.00000003.2545034326.000000000E01A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\APPDATA\LOCAL\TEMP\PROCMON.EXE
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529454596.000000000A126000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SANDBOXIERPCSS.EXE
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CFF EXPLORER.EXE2
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=TROJAN.FRAUDLOAD, %SYSDIR%\WINDUMP.EXE, NV
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=TROJAN.AGENT, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\|SBIESVC.EXE=\MICROSOFT\SBIESVC.EXE
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLLDBGHELP
Source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PETOOLS.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=TROJAN.AGENT, %APPDATA%\WINDBG\WINDBG.EXE
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VNETSNIFFER.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=TROJAN.FAKEALERT && VERSION=7, VNETSNIFFER.EXE && STRINGS=128, 136F6768570E093B570E093B570E093B5202563B730E093B5202063B5C0E093B4406543B550E093BD406543B500E093B570E083B230E093B5202693B540E093BBB05573B560E093B5202533B560E093B
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: API_LOG.DLLSBIEDLL.DLLCURRENTUSERANDY
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=SECURITY.HIJACK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PROCMON.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=SECURITY.HIJACK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WINDBG.EXE
Source: cpcs.exe, 00000009.00000003.2529734518.000000000A217000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: COBSERVER.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=TROJAN.AGENT, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AUTORUNS.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=SECURITY.HIJACK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AUTORUNSC.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=TROJAN.DOWNLOADER, %TEMP%\PROCMON.EXE, NV
Source: cpcs.exe, 00000012.00000003.2840443937.000000000E02A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\APPDATA\LOCAL\TEMP\WINDUMP.EXE

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Memory allocated: 5EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Memory allocated: 45B0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Memory allocated: 4830000 memory reserve \| memory write watch

Contains functionality to query network adapater information

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,GetAdaptersInfo,inet_addr,	12_2_6BB55B90
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,	12_2_6BBB2620
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,GetAdaptersInfo,inet_addr,	14_2_6BB55B90
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,	14_2_6BBB2620

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Windows\System32\drivers\is-VCK25.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-CI4PM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-L12IJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbamext.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbamtoast.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\7z.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsservice.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-6PN99.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Windows\system32\drivers\cpcs.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-93AED.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-SJQ69.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-6H2TN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-J2CDD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcspt.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-K9CAE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-UQ1R3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-9INTD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-93AED.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-CU77C.tmp	Jump to dropped file

Found evasive API chain (date check)

Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe

Evasive API call chain: GetSystemTime,DecisionNodes

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Found large amount of non-executed APIs

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	API coverage: 6.5 %
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	API coverage: 8.9 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\svchost.exe TID: 5800

Thread sleep time: -30000s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe

Last function: Thread delayed

Uses the system / local time for branch decision (may execute only at specific dates)

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F856A20 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [esp+3ch], 08h and CTI: jc 6F856C16h		12_2_6F856A20
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F856A20 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [esp+3ch], 08h and CTI: jc 6F856C16h		14_2_6F856A20

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00452A60 FindFirstFileA,GetLastError,	1_2_00452A60
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00474E64 FindFirstFileA,FindNextFileA,FindClose,	1_2_00474E64
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00464030 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00464030
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00462628 FindFirstFileA,FindNextFileA,FindClose,	1_2_00462628
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00463BB4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00463BB4
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00497C84 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_00497C84
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005BBAD0 FindFirstFileW,FindNextFileW,FindClose,	12_2_005BBAD0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB592B0 FindFirstFileW,FindNextFileW,FindClose,	12_2_6BB592B0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F8625E0 FindFirstFileW,FindNextFileW,FindClose,	12_2_6F8625E0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB592B0 FindFirstFileW,FindNextFileW,FindClose,	14_2_6BB592B0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F8625E0 FindFirstFileW,FindNextFileW,FindClose,	14_2_6F8625E0

Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe

Code function: 0_2_00409B30 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,

0_2_00409B30

Source: cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareUser.exe
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.Agent && SIZE=10000000, 15000000 && VERSION=1, VMware? Inc. && VERSION=3, 6.0.2 build-59824 && VERSION=7, vmware.exe
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.Agent && SIZE=20000, 150000 && VERSION=1, VMware? Inc. && VERSION=3, 8.4.5.14951 && VERSION=7, VMwareTray.exe && STRINGS=464, 50454332764F
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.Agent && VERSION=7, VMwareUser.exe && STRINGS=6592, 5045436F6D7061637432
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.FakeAlert, HKCR\VMwareApp.VMware*
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Bot, HKLM\System\CurrentControlSet\Services\VMwareService
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.Agent && SIZE=25000, 300000 && VERSION=1, VMware? Inc. && VERSION=3, 6.0.2 build-59824 && VERSION=7, vmware.exe
Source: cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000007934000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Backdoor.Bot && DIGISIG=FALSE && VERSION=1, %NULL% && VERSION=4, vmnethcp.exe && STRINGS=%PE2% - 1276, 420069006F004300720065006400500072006F0076002E006500780065 && STRINGS=128, 504500004C010300 && STRINGS=216, 00000000
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, HKLM\SYSTEM\CurrentControlSet\Services\NetDDEVMTools
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\|VMware process Tool=\help.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, %USERROOT%\Local Settings\VMwareDnD\QTTask.exe
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Worm.KoobFace && VERSION=1, VMware? Inc.* && STRINGS=48, 000000000000000000000000D80000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A2400000000000000????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????52696368????????0000000000000000504500004C010400????????0000000000000000E0000F010B01????00??000000??000000????00????00000010000000??00000000400000100000000200000400000005000100040000000000000000????0000040000????0100020000800000??0000??00000000??0000??000000000000100000000000000000000000????0000????000000????00????0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000????0000??000000??????00??000000000000000000000000??0000??0000000000000000000000000000000000000000000000000000002E636F6465000000????00000010000000??000000040000000000000000000000000000200000602E64617461000000????000000??000000??000000??0000000000000000000000000000400000C02E72646174610000????000000????0000??000000??000000000000000000000000000040000040??????????????????????0000????0000????0000??0000000000000000000000000000C0000040
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Spyware.Zbot && VERSION=2, VMware Tools Core Service && STRINGS=128, AB5FE84BEF3E8618EF3E8618EF3E86186C228818EE3E861886218F18F33E861806218B18EE3E861852696368EF3E8618 && STRINGS=432, 2E7465787400000000F0040000100000008A02000002000050454332774F000000000000600000E02E72737263000000
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.Spybot && VERSION=1, VMware? Inc. && VERSION=3, 8.4.6.16648 && VERSION=7, VMUpgradeHelper.exe && PESECTION=2, .rsrc
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Backdoor, %PROGRAMFILES%\VMware NAT\kav.dll
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent.VM, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\|VMWARE=\read.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Agent, HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\|hgfsg
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware WorkstationrL=
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareUser.exeSd
Source: cpcs.exe, 00000009.00000003.2529734518.000000000A217000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware? Inc.um
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Backdoor.PcClient && SIZE=1605590, 1665590 && VERSION=7, Copyright 1998-2010 VMware?Inc.
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.SpyNet, %SYSDIR%\Resource\VMware.exe
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Worm.KoobFace && VERSION=7, VMwareUser.exe && VOFFSET=448, 8, 4, 504543 && STRINGS=128, 98BCE83BDCDD8668DCDD8668DCDD86685FC18868DDDD866893FF8F68C1DD8668EAFB8B68DDDD866852696368DCDD8668
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.ServStart && VERSION=1, ? && VERSION=4, VMware Workstationr && VERSION=8, VMware Workstationd
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Backdoor.Messa && VERSION=1, %NULL% && VERSION=7, /VMWare Machine/Desktop/ && VERSION=8, %NULL%
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\|VMware * process=\kernel##.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000009734000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WHITE=\VMware\VMware Server\vmapplib.dll
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMSrvc.exeY&
Source: cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware? Inc.
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Backdoor.Agent && VERSION=1, VMware? Inc. && VERSION=2, %NULL% && VERSION=3, 22.01.#### && VERSION=5, %NULL% && VERSION=7, #.exe && PESECTION=1, UPX0
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.FakeMS && VERSION=1, Microsoft Corporation && VERSION=7, VMSrvc.exe && PESECTION=1, .code_01 && VOFFSET=230, 8, 3, 0221
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.Agent && VERSION=7, VMwareUser.exe && STRINGS=7820, 5045436F6D7061637432
Source: cpcs.exe, 00000009.00000003.2545034326.000000000DFB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SYSTEM\VMWARESERVICE.EXE C"n
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Zlob, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\|VMware hptray
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, %PROGRAMFILES%\VMware\Windows Messenger\tao.ico, DP
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.Agent && PATTERN=**\go.exe && VERSION=1, VMware? Inc. && VERSION=7, usbRun.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Bot, %WINDIR%\System\VMwareService.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Agent, HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\|VMware? Inc.
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Worm.AutoRun, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\|MwareUser=\VMware Tools\MwareUser.exe
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.VB && SIZE=1000, 600000 && VERSION=1, VMware? Inc. && VERSION=3, 6.5.2 build-156735 && VERSION=7, ace_upgrade.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Bot, %WINDIR%\vmware-tray.exe
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.Agent && SIZE=400000, 600000 && VERSION=3, 8.4.5.14951 && VERSION=7, VMwareUser.exe
Source: cpcs.exe, 00000009.00000003.2529734518.000000000A217000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware? Inc.&
Source: cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware? Inc.,
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Backdoor, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\|vmware remotemks=System32\vmremotems.exe
Source: cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VBoxService.exek
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware? Inc.0
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /VMWare Machine/Desktop/$
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmware.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Agent, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\|VMware? Inc.
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.Agent && VERSION=1, VMware? Inc. && VERSION=4, VMwareUser && STRINGS=11632, 5045436F6D7061637432
Source: cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VIRTUALVMWAREQEMU
Source: chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2792960995.00000000006B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\d
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Workstationdn
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\|VMware admin Tool=\Fonts##.exe
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware WorkstationdP=
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Infostealer.Gampass, %SYSDIR%\VMware.dll, NV
Source: cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmware-hosts
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Worm.KoobFace && VERSION=7, VMwareTray.exe && VOFFSET=448, 8, 4, 504543 && STRINGS=128, D1187782957919D1957919D1957919D1166517D1947919D1DA5B10D19B7919D1A35F14D1947919D152696368957919D1
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware? Inc.<
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\|Shell=vmnethcp.exe
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Spyware.Password && VERSION=1, VMware? Inc. && STRINGS=456, 50454332
Source: cpcs.exe, 00000009.00000003.2544527727.000000000D6DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES (X86)\VMWARE FILES\VMNETDHCP.EXE
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMWARE BEST VIRTUAL
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Worm.KoobFace && VERSION=7, vmware-fullscreen.exe && STRINGS=128, 695EEBF12D3F85A22D3F85A2E16F95C222609AC2E36F95C22260CBC2A16E95C2
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.Downloader && SIZE=10000, 400000 && VERSION=3, 7.0.1 build-227600 && VERSION=7, vmware.exe
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware WorkstationrGeno
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.Agent && VERSION=1, Photoshop && VERSION=7, Simon Inc.exe && VERSION=8, VMWARE BEST VIRTUAL
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Tools Core Service
Source: cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VBoxService.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Downloader, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\|hgfstikyc
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareTray.exeZc
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.Agent && VERSION=7, VMwareService.exe && STRINGS=128, C25247E5863329B6863329B6A27C95DF61739ADFA07C95DF785F89DFE27D95DF585F8CDFBF7C95DF61739ADFA37C95DF6173CADF807C95DF61739ADFAE7C95DF585F8CDFA37C95DF52696368863329B600000000000000005045
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.Agent && VERSION=7, VMwareUser.exe && STRINGS=128, BD1FAAC9F97EC49AF97EC49AF97EC49A7A62CA9AF87EC49A9061CD9AD07EC49A1061C99AF87EC49A52696368F97EC49A && STRINGS=472, 50454332774F0000
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, %USERROOT%\Templates\vmnethcp.exe
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware? Inc.=l
Source: cpcs.exe, 00000009.00000003.2546561141.000000000BF7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMWAREAPP.VMWARE*TE
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.Zbot && VERSION=1, VMware? Inc. && STRINGS=584, 494E4954 && STRINGS=624, 2E7864617461
Source: cpcs.exe, 00000009.00000003.2545306895.000000000DFF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\VMWARE-TRAY.EXE
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareUser.exeDc
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareUser
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, HKLM\SYSTEM\CurrentControlSet\Services\ShellHWDetectionVMTools
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.FakeAlert && VERSION=1, VMware? Inc. && VERSION=7, vmware.exe && PESECTION=1, UPX0 && STRINGS=%PE3% + 240, 426F6D65
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, HKCU\Software\Microsoft\Windows\CurrentVersion\Run\|Microsoft Routing Utilities=\vmnethcp.exe
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.VB && SIZE=80000, 900000 && VERSION=1, VMware? Inc. && VERSION=3, 6.5.2 build-156735 && VERSION=7, hqtray.exe
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmware.exe6l
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.JRQService, HKLM\SYSTEM\CurrentControlSet\SERVICES\VMWARE APPLICATIONSJRQ
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\|VMWARES=\spooles.exe

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	API call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	API call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	API call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe

Code function: 12_2_005EC5A8 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

12_2_005EC5A8

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

Code function: 1_2_0044852C LoadLibraryExA,LoadLibraryA,GetProcAddress,

1_2_0044852C

Enables debug privileges

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process token adjusted: Debug

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005EC5A8 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_005EC5A8
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005ED25A SetUnhandledExceptionFilter,	12_2_005ED25A
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005E74E5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_005E74E5
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB9DAC1 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_6BB9DAC1
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB9AE8F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_6BB9AE8F
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F890061 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_6F890061
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F8957BE _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_6F8957BE
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_009100E5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_009100E5
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_00911507 SetUnhandledExceptionFilter,	14_2_00911507
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_0090D600 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_0090D600
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB9DAC1 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_6BB9DAC1
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB9AE8F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_6BB9AE8F
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F890061 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_6F890061
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F8957BE _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_6F8957BE

HIPS / PFW / Operating System Protection Evasion

Contains functionality to automate explorer (e.g. start an application)

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F88F460 CloseServiceHandle,FindWindowExW,FindWindowExW,FindWindowExW,FindWindowExW,FindWindowExW,GetClientRect,SendMessageW,SendMessageW,		12_2_6F88F460
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F88F460 CloseServiceHandle,FindWindowExW,FindWindowExW,FindWindowExW,FindWindowExW,FindWindowExW,GetClientRect,SendMessageW,SendMessageW,		14_2_6F88F460

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe

Code function: OpenProcess,OpenProcessToken,CloseHandle, explorer.exe

14_2_008E60F0

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

Code function: 1_2_0047808C ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,

1_2_0047808C

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe

Code function: 12_2_005BB550 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

12_2_005BB550

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

Code function: 1_2_0042E09C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,

1_2_0042E09C

Source: cpcsgui.exe, cpcsscheduler.exe	Binary or memory string: Shell_TrayWnd
Source: cpcsgui.exe, 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: oP&\InstancesHKLM\SYSTEM\CurrentControlSet\Services\ InstanceDefaultInstanceAltitudeFlags\\.\pipe\Notification AreaUser Promoted Notification AreaToolbarWindow32SysPagerTrayNotifyWndShell_TrayWndCouldn't load the library.Wow64DisableWow64FsRedirectionWow64RevertWow64FsRedirection
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Ransom, HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\|MailAgent=??\Progman.exe*
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Worm.Ambler && VERSION=1, Microsoft Corporation && VERSION=3, 9.32 && VERSION=8, Program manager

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Code function: GetLocaleInfoA,	0_2_0040520C
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Code function: GetLocaleInfoA,	0_2_00405258
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: GetLocaleInfoA,	1_2_00408568
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: GetLocaleInfoA,	1_2_004085B4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	12_2_005E860D
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	12_2_005F06F9
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	12_2_005F6897
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	12_2_005F09E7
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	12_2_005F4EFC
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	12_2_005F4FD6
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	12_2_005ED05D
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: GetLocaleInfoA,	12_2_005EB419
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	12_2_005F172C
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	12_2_005F1821
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	12_2_005F18C8
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	12_2_005F1923
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	12_2_005F1AF4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	12_2_005EFA9D
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	12_2_005F1BB4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	12_2_005F1C57
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	12_2_005F1C1B
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	12_2_6BBAEBF0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	12_2_6BBAEA1F
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	12_2_6BBAE9C4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	12_2_6BBAE91D
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	12_2_6BBAE828
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	12_2_6BBB0F1E
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	12_2_6BBAED17
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	12_2_6BBAED53
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	12_2_6BBAECB0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: GetLocaleInfoA,	12_2_6BBB1053
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	12_2_6F89AFC3
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	12_2_6F89CF1A
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	12_2_6F89AF68
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	12_2_6F89AEC1
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	12_2_6F89ADCC
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	12_2_6F898D56
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: GetLocaleInfoA,	12_2_6F89462F
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	12_2_6F8925C7
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	12_2_6F8A0575
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	12_2_6F8A049B
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	12_2_6F899CA0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	12_2_6F8999B2
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	12_2_6F89F43F
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	12_2_6F89B2BB
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	12_2_6F89B2F7
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	12_2_6F89B254
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	12_2_6F89B194
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	14_2_0091A0D8
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	14_2_0091806B
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	14_2_0091A1CD
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	14_2_00917121
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	14_2_0091A2CF
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	14_2_0091A274
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	14_2_0091A4A0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	14_2_00912447
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	14_2_0091A5C7
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	14_2_0091A560
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	14_2_0091A603
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	14_2_0091C63D
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: GetLocaleInfoA,	14_2_0091C772
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	14_2_009168FE
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	14_2_00916824
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	14_2_009199CE
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	14_2_00917D7D
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	14_2_6BBAEBF0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	14_2_6BBAEA1F
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	14_2_6BBAE9C4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	14_2_6BBAE91D
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	14_2_6BBAE828
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	14_2_6BBB0F1E
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	14_2_6BBAED17
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	14_2_6BBAED53
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	14_2_6BBAECB0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: GetLocaleInfoA,	14_2_6BBB1053
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	14_2_6F89AFC3
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	14_2_6F89CF1A
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	14_2_6F89AF68
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	14_2_6F89AEC1
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	14_2_6F89ADCC
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	14_2_6F898D56
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: GetLocaleInfoA,	14_2_6F89462F
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	14_2_6F8925C7
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	14_2_6F8A0575
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	14_2_6F8A049B
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	14_2_6F899CA0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	14_2_6F8999B2
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	14_2_6F89F43F
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	14_2_6F89B2BB
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	14_2_6F89B2F7
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	14_2_6F89B254
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	14_2_6F89B194

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

Code function: 1_2_004584A0 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,

1_2_004584A0

Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe

Code function: 0_2_004026C4 GetSystemTime,

0_2_004026C4

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

Code function: 1_2_0045559C GetUserNameA,

1_2_0045559C

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe

Code function: 12_2_6BB6DF4B GetTimeZoneInformation,__strftime_l,__free_locale,

12_2_6BB6DF4B

Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe

Code function: 0_2_00405CF4 GetVersionExA,

0_2_00405CF4

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: cpcs.exe, 00000009.00000003.2545034326.000000000DF4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\DEFAULT\TEMPLATES\AVG\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2546029145.000000000D30A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\WINRAR\FORMATS\KAVSTART.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apvxdwin.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsaua.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AYAGENT.AYE
Source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533161271.000000000A493000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2528855901.000000000A14E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avcenter.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVINSTALL.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\APORTS.EXE
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: LIVESRV.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tisspwiz.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boxmod.exe
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sched.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\quhlpsvc.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, %PROGRAMFILES%\Windows NT\kav.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Banker, %USERROOT%\Local Settings\Application Data\nod32.exe
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NOD32.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ATF-CLEANER.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CAVASM.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\DEFAULT\LOCAL SETTINGS\APPLICATION DATA\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srengps.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CAFW.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psimsvc.exe
Source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fast.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BUSCAREG.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fih32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ahnsdsv.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fch32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsaa.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2SCAN.EXE
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\DOCUMENTS\SYSTEM\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Agent, %WINDIR%\Resources\temas\Windows.exe\rundll32\avgnt.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav.exe
Source: cpcs.exe, 00000009.00000003.2544897121.000000000DD58000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebscd.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsmb32.exe
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2528855901.000000000A14E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 360rpt.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanwscs.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spf.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDFix.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVIRARKD.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanmsg.exe
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nod32krn.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavfnsvr.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lordpe.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\virusutilities.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psctrls.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsma32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavsvc.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\processmonitor.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guard.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xcommsvr.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Worm.AutoRun, %WINDIR%\Virus.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKPROXY.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvmonxp.kxp
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcagent.exe
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\TEMPLATES\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnsx.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Rogue.MultipleAV, %USERROOT%\Local Settings\Application Data\Microsoft\Windows Defender\MSASCui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Agent, %ROOTDRIVE%\Nueva carpeta\install\virus.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\APM.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spiderui.exe
Source: cpcs.exe, 00000012.00000003.2840443937.000000000E02A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\TEMPLATES\AVG\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashwebsv.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav.exe
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ndows\CurrentVersion\App Paths\360safe.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASVIEWER.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arcacheck.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsdfwd.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spiderml.exe
Source: cpcs.exe, 00000009.00000003.2544720380.000000000D6EC000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2544527727.000000000D6DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\DEFAULT\APPDATA\ROAMING\AVG\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgemc.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Banker, %SYSDIR%\avgnt.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Rogue.MultipleAV, %USERROOT%\Local Settings\Application Data\MSASCui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acals.exe
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\DOCUMENTS\SYS\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdagent.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2GUARD.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acaegmgr.exe
Source: cpcs.exe, 00000009.00000003.2546561141.000000000BF7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASWCLNR.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccprovsp.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav530stbyb.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsTray.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, %APPDATA%\sched.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, %APPDATA%\MsMpEng.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acaas.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgscanx.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Agent.DC, %SYSDIR%\iExplorer\iefix.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defwatch.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam-setup.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Messa, %APPDATA%\virus.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.XTRat, %WINDIR%\avast\nod32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgtray.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsrte.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, %TEMP%\MsMpEng.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fp-win.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-prot.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, %ROOTDRIVE%\windy\Nod32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvsrvxp.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, %SYSDIR%\wbem\360tray.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-stopw.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.MultipleAV.Gen, %TEMP%\mtg\MSASCui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CAPFUPGRADE.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsAuxs.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AFMAIN.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2HIJACKFREESETUP.EXE
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avgtray.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HJTInstall.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: procexp.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsm32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsshld.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BOOTSAFE.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Agent, %SYSDIR%\InstallDir\avgnt.exe
Source: cpcs.exe, 00000009.00000003.2510009992.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2500648179.0000000002B4E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2500622555.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2510085331.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509982383.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509920343.000000000354D000.00000004.00000020.00020000.00000000.sdmp, cpcsgui.exe	Binary or memory string: $vars\commonappdata$\mbam-setup.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccenter.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vba32ldr.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcmgr.exe
Source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MSASCUI.exe
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\DOCUMENTS\SYS\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gmer.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, %TEMP%\MSASCui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\PUBLIC\LOCAL SETTINGS\APPLICATION DATA\AVG\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CATCHME.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Agent, %SYSDIR%\install\virus.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2HIJACKFREE.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\umxcfg.exe
Source: cpcs.exe, 00000009.00000003.2544897121.000000000DD58000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\AVGUARD.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tmbmsrv.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.MultipleAV, %USERROOT%\Templates\MSASCui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CAGLOBALLIGHT.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ufseagnt.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravmond.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtvscan.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashdisp.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onlnsvc.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\COMBOFIX.SCR
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\PUBLIC\LOCAL SETTINGS\APPLICATION DATA\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onlinent.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\portdetective.exe
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HijackThis.exe
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\PUBLIC\LOCAL SETTINGS\APPLICATION DATA\NOD32.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\COMBOFIX.BAT
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ACS.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tmproxy.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TeaTimer.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SUPERAntiSpyware.exe
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Procexp.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav95.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ufnavi.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgupd.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, %MYDOCS%\SYS\msascui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLAMTRAY.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KSafeTray.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2START.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsGui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVMENU.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BC5CA6A.EXE
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\LOCAL SETTINGS\APPLICATION DATA\AVG\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srengldr.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgas.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ALERTMAN.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsSvc.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000009734000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PWHITE=%PROGRAMFILES%\BitDefender\BitDefender 2013\bdagent.exe
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533161271.000000000A493000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2528855901.000000000A14E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bdagent.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ABREGMON.EXE.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kasmain.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qoeloader.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CFGMNG32.EXE
Source: cpcs.exe, 00000009.00000003.2545740501.000000000E112000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\LOCAL\TEMP\PROCMON.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdss.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\umxpol.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ALMON.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avengine.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kxetray.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procdump.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.MultipleAV, %USERROOT%\Templates\avg\MSASCui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fameh32.exe
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: virusutilities.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvxp.kxp
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLAMWIN.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ALSVC.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsgk32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fpwin.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\makereport.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CATEYE.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fprottray.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, %APPDATA%\Microsoft\Virus.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SuperKiller.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AYSERVICENT.AYE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsgk32st.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsmon.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, %APPDATA%\Microsoft\Defender\MSASCui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ollydbg.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fnrb32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkservice.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avenger.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, %MYDOCS%\System\msascui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKTUNERSERVICE.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfp.exe
Source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AVP.EXE
Source: cpcs.exe, 00000009.00000003.2545740501.000000000E112000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\DEFAULT\APPDATA\LOCAL\TEMP\PROCMON.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fast.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webproxy.exe
Source: cpcs.exe, 00000009.00000003.2544527727.000000000D66D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\APPDATA\ROAMING\AVG\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Downloader, HKCU\Software\Microsoft\Windows\CurrentVersion\Run\|unlockerassistant=data\unlocker\unlockerassistant.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ARCABIT.CORE.LOGGINGSERVICE.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdate.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.MultipleAV, %TEMP%\avg\MSASCui.exe
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A217000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MSASCui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCTRAY.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe
Source: cpcs.exe, 00000009.00000003.2545034326.000000000E01A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\APPDATA\LOCAL\TEMP\PROCMON.EXE
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 360Safe.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-prot95.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, HKCR\Applications\360tray.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashmaisv.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGAMSVR.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Agent.DC, %APPDATA%\SYSTEM\kwatch.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sfctlcom.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Agent, %PROGRAMFILES%\SYSTEM\virus.exe
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avgnt.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acais.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravtask.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\APT.EXE
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533161271.000000000A493000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2528855901.000000000A14E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mbam.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fpavserver.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arcavir.exe
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: **\NOD32.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upschd.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CF9409.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\COMBOFIX.COM
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Small, %MYDOCS%\360Safe.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CMAIN.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKWCTL.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGARKT.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\emlproui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav530wtbyb.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavpfw.exe
Source: cpcs.exe, 00000009.00000003.2546826441.000000000D614000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\APPDATA\LOCAL\TEMP\AVP.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswupdsv.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CAPFASEM.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Backdoor, %SYSDIR%\Sys32\cmdagent.exe
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avguard.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fprot.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spidernt.exe
Source: cpcs.exe, 00000009.00000003.2545034326.000000000DFB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\TEMPLATES\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ARCABIT.CORE.CONFIGURATOR2.EXE
Source: cpcs.exe, 00000009.00000003.2546561141.000000000BF7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tpsrv.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxservice.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regmon.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nmain.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ulibcfg.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\umxfwhlp.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\portmonitor.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\umxagent.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKTRAY.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2service.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\emlproxy.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavprsrv.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashserv.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Rogue.MultipleAV, %USERROOT%\Local Settings\Application Data\avG\MSASCui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.PoisonIvy, %TEMP%\ixp000.tmp\123.exe

Stealing of Sensitive Information

Yara detected GhostRat

Source: Yara match	File source: 0000000F.00000003.2652428311.0000000004663000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cpcs.exe PID: 2412, type: MEMORYSTR

OS version to string mapping found (often used in BOTs)

Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Agent, %SYSDIR%\aaa\Win_Xp.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Agent, %PROGRAMFILES%\Win_Xp.exe
Source: cpcs.exe, 00000009.00000003.2544105021.000000000DDDC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SYSTEM32\MICROSOFT\WIN_XP.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Agent, %APPDATA%\Win_Xp.exe
Source: cpcs.exe, 00000009.00000003.2544105021.000000000DDDC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SYSWOW64\MICROSOFT\WIN_XP.EXE
Source: cpcs.exe, 00000009.00000003.2546029145.000000000D31E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES (X86)\WIN_XP.EXE.EXEI
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.SpyRat, %SYSDIR%\Microsoft\Win_Xp.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\|Microsoft WIN_XP
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Bifrose, %WINDIR%\Win_Xp\Win_Xp.exe
Source: cpcs.exe, 00000009.00000003.2541405292.000000000D450000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SYSWOW64\MICROSOFT\WIN_XP.EXEW

Yara detected Credential Stealer

Source: Yara match

File source: Process Memory Space: cpcs.exe PID: 2412, type: MEMORYSTR

Remote Access Functionality

Yara detected GhostRat

Source: Yara match	File source: 0000000F.00000003.2652428311.0000000004663000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cpcs.exe PID: 2412, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
65.9.66.84	data-cdn.mbamupdates.com	United States		16509	AMAZON-02US	false
65.9.66.107	unknown	United States		16509	AMAZON-02US	false

Private

IP
127.0.0.1

Contacted Domains

Name	IP	Active
data-cdn.mbamupdates.com	65.9.66.84	true
edge.data-cdn.mbamupdates.com	unknown	unknown
hw.data-cdn.mbamupdates.com	unknown	unknown
llnw.data-cdn.mbamupdates.com	unknown	unknown
stats.mbamupdates.com	unknown	unknown

Contacted URLs

Name	Malicious	Reputation
http://data-cdn.mbamupdates.com/v1/custom/chicalogic/version.chk	false	unknown
http://data-cdn.mbamupdates.com/v0/clients/chicalogic/mbam.check.program	false	unknown
http://data-cdn.mbamupdates.com/v1/news/chicalogic/version.chk	false	unknown
http://data-cdn.mbamupdates.com/v1/config/chicalogic/version.chk	false	unknown

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005E02A0 CryptAcquireContextW,	12_2_005E02A0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005E0410 CryptCreateHash,CryptHashData,CryptDestroyHash,CryptDeriveKey,CryptDecrypt,CryptDestroyKey,CryptDestroyHash,	12_2_005E0410
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB6FFD0 CryptAcquireContextW,	12_2_6BB6FFD0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB54B60 _memset,SHGetValueW,lstrlenA,CryptUnprotectData,std::exception::exception,GetLastError,__CxxThrowException@8,LocalFree,	12_2_6BB54B60
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB70240 CryptCreateHash,CryptHashData,CryptDestroyHash,CryptGetHashParam,CryptDestroyHash,CryptDestroyHash,	12_2_6BB70240
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB70140 CryptCreateHash,CryptHashData,CryptDestroyHash,CryptDeriveKey,CryptEncrypt,CryptDecrypt,CryptDestroyKey,CryptDestroyHash,	12_2_6BB70140
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F85E570 CryptCreateHash,CryptHashData,CryptDestroyHash,CryptDeriveKey,CryptEncrypt,CryptDecrypt,CryptDestroyKey,CryptDestroyHash,	12_2_6F85E570
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F85E400 CryptAcquireContextW,	12_2_6F85E400
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F852FB9 _wcstoul,CryptGenRandom,CryptGenRandom,	12_2_6F852FB9
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F852ED0 CryptGenRandom,_wcstoul,CryptGenRandom,CryptGenRandom,	12_2_6F852ED0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F85E670 CryptCreateHash,CryptHashData,CryptDestroyHash,CryptGetHashParam,CryptDestroyHash,CryptDestroyHash,	12_2_6F85E670
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F869C00 CryptGenRandom,	12_2_6F869C00
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F853130 CryptGenRandom,	12_2_6F853130
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_008E71F0 CryptAcquireContextW,	14_2_008E71F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_008E71C0 CryptGenRandom,	14_2_008E71C0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB6FFD0 CryptAcquireContextW,	14_2_6BB6FFD0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB54B60 _memset,SHGetValueW,lstrlenA,CryptUnprotectData,std::exception::exception,GetLastError,__CxxThrowException@8,LocalFree,	14_2_6BB54B60
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB70240 CryptCreateHash,CryptHashData,CryptDestroyHash,CryptGetHashParam,CryptDestroyHash,CryptDestroyHash,	14_2_6BB70240
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB70140 CryptCreateHash,CryptHashData,CryptDestroyHash,CryptDeriveKey,CryptEncrypt,CryptDecrypt,CryptDestroyKey,CryptDestroyHash,	14_2_6BB70140
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F85E570 CryptCreateHash,CryptHashData,CryptDestroyHash,CryptDeriveKey,CryptEncrypt,CryptDecrypt,CryptDestroyKey,CryptDestroyHash,	14_2_6F85E570
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F85E400 CryptAcquireContextW,	14_2_6F85E400
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F852FB9 _wcstoul,CryptGenRandom,CryptGenRandom,	14_2_6F852FB9
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F852ED0 CryptGenRandom,_wcstoul,CryptGenRandom,CryptGenRandom,	14_2_6F852ED0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F85E670 CryptCreateHash,CryptHashData,CryptDestroyHash,CryptGetHashParam,CryptDestroyHash,CryptDestroyHash,	14_2_6F85E670
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F869C00 CryptGenRandom,	14_2_6F869C00
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F853130 CryptGenRandom,	14_2_6F853130

Uses 32bit PE files

Source: chica-pc-shield-1-75-0-1300-en-win.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 65.9.66.84:443 -> 192.168.2.5:49921 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.66.84:443 -> 192.168.2.5:49933 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.66.84:443 -> 192.168.2.5:49945 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.66.84:443 -> 192.168.2.5:49957 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.66.107:443 -> 192.168.2.5:49995 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.66.107:443 -> 192.168.2.5:49997 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.66.107:443 -> 192.168.2.5:49999 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.66.107:443 -> 192.168.2.5:50001 version: TLS 1.0

Source: chica-pc-shield-1-75-0-1300-en-win.exe

Static PE information: certificate valid

Source:	Binary string: \ResBegleiter\obj\x86\Release\Devi.pdbb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :\XRoot_Build\XC\Vm\Release\x86\StubExe.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Server.pdb source: cpcs.exe, 00000009.00000003.2535416200.000000000A6BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \obj\Release\Welp.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \obj\Release\Welp.pdbY{ source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: miniloader-patchdate-stub.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: DarkShell\Server\svchost\Debug\Serverz.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: w:\Project\!lego2new\lego_2011.xx.xx_2.xx\release\NSP.pdb source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: se\NSP.pdb source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\USERS\DEFAULT\APPDATA\LOCAL\TEMP\FACEBOOK\FACEBOOK STEALER.PDB source: cpcs.exe, 00000009.00000003.2545034326.000000000E01A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \sw_modem\HSF_HWICH\i386\HSFHWICH.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cryptnet.pdb source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\key\sar\Debug\sar.pdbre source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\SVN\mbam\dll\mbam.dll\build\mbam.pdb source: cpcsgui.exe, 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: Intel Corporationse\NSP.pdb source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vpamjon.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NB10??????N????:\??????????\??W????????\????????????????????????????????????????G????\????????????\??????\????????????.pdbj source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: hnetmon.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A217000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sass.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\Cryptor\stub6\Release\stub6.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: !lego2new\lego_2011.xx.xx_2.xx\release\NSP.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :\UMPk.pdb source: cpcs.exe, 00000009.00000003.2535304844.0000000009F2B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\SVN\mbam\exe\mbampt.exe\build\mbampt.pdb%0A source: chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2789847670.0000000004F26000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\APPDATA\LOCAL\TEMP\FACEBOOK\FACEBOOK STEALER.PDB source: cpcs.exe, 00000009.00000003.2545306895.000000000E06C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Release\AvG.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Release\AvG.pdb>M source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\TranceCo.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\WFD\Tools\Server\_Downloader\Share\SFX Package\Pack\obj\x86\Debug\Pack.pdbE source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\USERS\user\APPDATA\LOCAL\TEMP\FACEBOOK\FACEBOOK STEALER.PDB source: cpcs.exe, 00000009.00000003.2545034326.000000000E01A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: fukmp.pdb source: cpcs.exe, 00000009.00000003.2535475306.000000000B056000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NB10??????N????:\??????????\??W????????\????????????????????????????????????????G????\????????????\??????\????????????.pdb source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ????????????????.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: aspergillus.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bk22\kloader\Release\i386\kloader.pdb source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Dell\Desktop\SOMA.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: fukmp.pdb% source: cpcs.exe, 00000009.00000003.2535475306.000000000B056000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: p:\vc5\x64\release\resident.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: F:\NTDDK\DEMO\_DarkTest\i386\DarkTest.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\SVN\mbam\dll\mbam.dll\build\mbam.pdb` source: cpcsgui.exe, 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: C:\dev\stuk_rar\release\setup.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\SVN\mbam\exe\mbamscheduler.exe\build\mbamscheduler.pdb source: chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2789847670.0000000004EC9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\WINDOWS\TEMP\FACEBOOK\FACEBOOK STEALER.PDB source: cpcs.exe, 00000009.00000003.2545034326.000000000DF4E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\PROGRAM FILES (X86)\FACEHACK\FACEHACK.PDB%vz$ source: cpcs.exe, 00000009.00000003.2546311082.000000000D10C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sfxrar32\Release\sfxrar.pdb source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Socksbuilder\stub\release\stub.pdbeb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ent.pdb0?0A source: cpcs.exe, 00000009.00000003.2533784758.000000000A13A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sxtyy.pdb source: cpcs.exe, 00000009.00000003.2535475306.000000000B056000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ?????.pdbr source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: EXTRA=Adware.Agent, %PROGRAMFILES%\Isilo\iSiloDisplaySample.pdb, DP source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: db.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2534960911.000000000A69B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Nuova cartella\myform\myform\obj\Release\myform.pdb source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: $:\tmp\test.pdb source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529941329.000000000A2A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :\??????????????????????????????????????.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z(1)\stub\Release\stub.pdbtor source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ??:\??????????\??W????????\????????????????????????????????????????G????\????????????\??????\????????????.pdb source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: x:\werdon.pdb source: cpcs.exe, 00000009.00000003.2535304844.0000000009F2B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\d\objfre_wxp_x86\i386\HG.pdb source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z(1)\stub\Release\stub.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: p:\vc5\x64\release\resident.pdbO6 source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ent.pdb source: cpcs.exe, 00000009.00000003.2533784758.000000000A13A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\work_temp\utf8\test2\Release\test2.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\job\gh0st1.0\Release\Loader.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: URGABPW.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: TDIMUED.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: hnetmon.pdbU source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vpamjon.pdbd9 source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \accs\accs\accs\obj\Release\accs.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: REAPER\Stub\stub rc\obj\Release\stub rc.pdb source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: w:\Project\!lego2new\lego_2011.xx.xx_2.xx\release\NSP.pdb/ source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\key\sar\Debug\sar.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ryptnet.pdb source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529941329.000000000A2A1000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533526590.000000000A5A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Projects\reg\reg\obj\Debug\reg.pdbn source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sxtyy.pdb source: cpcs.exe, 00000009.00000003.2535475306.000000000B056000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WWMWCMGV.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cryptnet.pdbB source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Projects\reg\reg\obj\Debug\reg.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HookDllDriver\objfre\i386\hookdll.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NGPCorp\DLL\Release\DLL.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sfxrar32\Release\sfxrar.pdbPY source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Prevazatorul.pdb[ source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\TP\AppData\Local\Temp\zy3gqjbl.pdb source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \AccountCreator.pdbk source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: F:\NTDDK\DEMO\_DarkTest\i386\DarkTest.pdbem source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Bacipy.pdb source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533630438.000000000A445000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: IEXPLORE\Debug\wibvusd.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A493000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2528855901.000000000A14E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8$W:\w\Loader.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vCrypt Stub.pdb source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Prevazatorul.pdb source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: &:\UMPk.pdb source: cpcs.exe, 00000009.00000003.2535304844.0000000009F2B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ?????.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \ResBegleiter\obj\x86\Release\Devi.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :\tmp\test.pdb source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529941329.000000000A2A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ld.pdb source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529941329.000000000A2A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\work\utf8\test2\Release\test2.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \AccountCreator.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A217000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: XC\Vm\Release\x86\StubExe.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A217000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Z:\xampp\htdocs\project-727,Permutation\stable\tmp\PDBSIG.pdb source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :\Fecira.pdb source: cpcs.exe, 00000009.00000003.2535304844.0000000009F2B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb)] source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Project1\Project1\obj\Release\Project1.pdb<. source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: W:\w\Loader.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bk22\kloader\Release\i386\kloader.pdbt,n source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\work\test\test2\Release\test2.pdb< source: cpcs.exe, 00000009.00000003.2529454596.000000000A126000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Projects\War Crypter\Release\Stub.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\SVN Control Code\app_client\Loader\Release\Loader.pdb?_ source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Project1\Project1\obj\Release\Project1.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WWMWCMGV.pdb=; source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ??@RSDS??????????????????????????????????o.pdb source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \w.a.t.c.h\w.a.t.c.h\obj\Release\w.a.t.c.h.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\job\gh0st1.0\Release\Loader.pdb\ source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\APPDATA\LOCAL\TEMP\FACEBOOK\FACEBOOK STEALER.PDB source: cpcs.exe, 00000009.00000003.2545306895.000000000E06C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\XRoot_Build\XC\Vm\Release\x86\StubExe.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\work\test\test2\Release\test2.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529454596.000000000A126000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \x86\Debug\Balle2.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\WFD\Tools\Server\_Downloader\Share\SFX Package\Pack\obj\x86\Debug\Pack.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Emuhucuqih.pdb source: cpcs.exe, 00000009.00000003.2535475306.000000000B056000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: IEXPLORE\Debug\wibvusd.pdbR source: cpcs.exe, 00000009.00000003.2528855901.000000000A14E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: XC\Vm\Release\x86\StubExe.pdbX source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\work\test\test2\Release\test2.pdbd source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Tr0gdor\Rxbot 7.6\Debug\rBot.pdbz source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: o.pdb source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: note.pdb source: cpcs.exe, 00000009.00000003.2535475306.000000000B056000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\dtcser\sys\i386\killvv.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A493000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2528855901.000000000A14E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: EXTRA=Password.Stealer, %TEMP%\Facebook\Facebook Stealer.pdb, DP source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\key\lasass\Debug\lasass.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vCrypt Stub.pdb7 source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\SVN Control Code\app_client\Loader\Release\Loader.pdb source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: x:\werdon.pdb source: cpcs.exe, 00000009.00000003.2535304844.0000000009F2B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \MyProjects\eMule\Debug\eMule.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\SVN\mbam\exe\mbampt.exe\build\mbampt.pdb source: chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2789847670.0000000004F26000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Socksbuilder\stub\release\stub.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Tr0gdor\Rxbot 7.6\Debug\rBot.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cm_acl.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\dtcser\sys\i386\killvv.pdb+ source: cpcs.exe, 00000009.00000003.2533161271.000000000A493000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Double Onesass.pdbx7 source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp

Checks for available system drives (often done to infect USB drives)

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: z:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: x:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: v:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: t:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: r:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: p:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: n:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: l:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: j:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: h:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: f:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: b:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: y:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: w:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: u:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: s:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: q:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: o:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: m:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: k:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: i:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: g:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: e:
Source: C:\Windows\System32\svchost.exe	File opened: c:
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	File opened: a:

May infect USB drives

Source: cpcs.exe, 00000009.00000003.2545034326.000000000DF4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\OUTLOOK EXPRESS\AUTORUN.INF
Source: cpcs.exe, 00000009.00000003.2545034326.000000000DFD6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES (X86)\OUTLOOK EXPRESS\AUTORUN.INFq
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Worm.AutoRun, %USERROOT%\Documentsautorun.inf
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Malware.Trace, %PROGRAMFILES%\Outlook Express\autorun.inf
Source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Autorun.inf
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [AUTORUN]
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\DOCUMENTSAUTORUN.INF@
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\DOCUMENTSAUTORUN.INF
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\DOCUMENTSAUTORUN.INFc
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \autorun.inf
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Autorun.infc

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00452A60 FindFirstFileA,GetLastError,	1_2_00452A60
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00474E64 FindFirstFileA,FindNextFileA,FindClose,	1_2_00474E64
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00464030 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00464030
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00462628 FindFirstFileA,FindNextFileA,FindClose,	1_2_00462628
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00463BB4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00463BB4
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00497C84 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_00497C84
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005BBAD0 FindFirstFileW,FindNextFileW,FindClose,	12_2_005BBAD0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB592B0 FindFirstFileW,FindNextFileW,FindClose,	12_2_6BB592B0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F8625E0 FindFirstFileW,FindNextFileW,FindClose,	12_2_6F8625E0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB592B0 FindFirstFileW,FindNextFileW,FindClose,	14_2_6BB592B0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F8625E0 FindFirstFileW,FindNextFileW,FindClose,	14_2_6F8625E0

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 65.9.66.107 65.9.66.107

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 65.9.66.84:443 -> 192.168.2.5:49921 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.66.84:443 -> 192.168.2.5:49933 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.66.84:443 -> 192.168.2.5:49945 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.66.84:443 -> 192.168.2.5:49957 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.66.107:443 -> 192.168.2.5:49995 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.66.107:443 -> 192.168.2.5:49997 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.66.107:443 -> 192.168.2.5:49999 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 65.9.66.107:443 -> 192.168.2.5:50001 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /v1/config/chicalogic/version.chk HTTP/1.1Accept-Encoding: gzipConnection: CloseHost: data-cdn.mbamupdates.comUser-Agent: mbam - chicalogic_trial (scanner) - base:1.75.0.1300 - rules:v2013.04.04.07
Source: global traffic	HTTP traffic detected: GET /v1/news/chicalogic/version.chk HTTP/1.1Accept-Encoding: gzipConnection: CloseHost: data-cdn.mbamupdates.comUser-Agent: mbam - chicalogic_trial (scanner) - base:1.75.0.1300 - rules:v2013.04.04.07
Source: global traffic	HTTP traffic detected: GET /v1/custom/chicalogic/version.chk HTTP/1.1Accept-Encoding: gzipConnection: CloseHost: data-cdn.mbamupdates.comUser-Agent: mbam - chicalogic_trial (scanner) - base:1.75.0.1300 - rules:v2013.04.04.07
Source: global traffic	HTTP traffic detected: GET /v0/clients/chicalogic/mbam.check.program HTTP/1.1Accept-Encoding: gzipConnection: CloseHost: data-cdn.mbamupdates.comUser-Agent: mbam - chicalogic_trial (scanner) - base:1.75.0.1300 - rules:v2013.04.04.07
Source: global traffic	HTTP traffic detected: GET /v1/config/chicalogic/version.chk HTTP/1.1Accept-Encoding: gzipConnection: CloseHost: data-cdn.mbamupdates.comUser-Agent: mbam - chicalogic_trial (scanner) - base:1.75.0.1300 - rules:v2013.04.04.07
Source: global traffic	HTTP traffic detected: GET /v1/news/chicalogic/version.chk HTTP/1.1Accept-Encoding: gzipConnection: CloseHost: data-cdn.mbamupdates.comUser-Agent: mbam - chicalogic_trial (scanner) - base:1.75.0.1300 - rules:v2013.04.04.07
Source: global traffic	HTTP traffic detected: GET /v1/custom/chicalogic/version.chk HTTP/1.1Accept-Encoding: gzipConnection: CloseHost: data-cdn.mbamupdates.comUser-Agent: mbam - chicalogic_trial (scanner) - base:1.75.0.1300 - rules:v2013.04.04.07
Source: global traffic	HTTP traffic detected: GET /v0/clients/chicalogic/mbam.check.program HTTP/1.1Accept-Encoding: gzipConnection: CloseHost: data-cdn.mbamupdates.comUser-Agent: mbam - chicalogic_trial (scanner) - base:1.75.0.1300 - rules:v2013.04.04.07

Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: *\IM#####.JPG-WWW.MYSPACE.COM.EXE equals www.myspace.com (Myspace)
Source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: *\IMAGE-WWW.FACEBOOK.COM-####-.JPG.EXEDC4E equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: *\PIC####-JPG-WWW.FACEBOOK.COM.EXEt equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000012.00000003.2840443937.000000000E02A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\USERS\user\APPDATA\LOCAL\TEMP\I_AM_EMO.GIF---WWW.FACEBOOK.COM equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000012.00000003.2840443937.000000000E02A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\USERS\DEFAULT\APPDATA\LOCAL\TEMP\I_AM_EMO.GIF---WWW.FACEBOOK.COM equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2544897121.000000000DD58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\APPDATA\LOCAL\TEMP\I_AM_EMO.GIF---WWW.FACEBOOK.COM equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2544897121.000000000DD58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\APPDATA\LOCAL\TEMP\I_AM_EMO.GIF---WWW.FACEBOOK.COM equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\WINDOWS\SYSTEM32\TASKMDE.YOUTUBE.SUPERPOP.HTTP.WWW.YOUTUBE.COM equals www.youtube.com (Youtube)
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\WINDOWS\SYSWOW64\TASKMDE.YOUTUBE.SUPERPOP.HTTP.WWW.YOUTUBE.COM equals www.youtube.com (Youtube)
Source: cpcs.exe, 00000009.00000003.2544105021.000000000DEC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\WINDOWS\TEMP\I_AM_EMO.GIF---WWW.FACEBOOK.COM equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: EXTRA=Trojan.Agent, %SYSDIR%\taskmde.youtube.superpop.http.www.youtube.com equals www.youtube.com (Youtube)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: EXTRA=Trojan.Agent, HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\|*www.facebook.scr equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: EXTRA=Trojan.Backdoor, HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\|Firewall Administrating=www.myspace.com equals www.myspace.com (Myspace)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: EXTRA=Trojan.Backdoor, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\|Firewall Administrating=www.myspace.com equals www.myspace.com (Myspace)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: EXTRA=Trojan.Backdoor, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\|Firewall Administrating=www.myspace.com equals www.myspace.com (Myspace)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: EXTRA=Trojan.Downloader, %TEMP%\I_AM_EMO.gif---www.facebook.com equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Backdoor.Bot.Gen && PATTERN=*\.JPG-www.facebook.com.exe && VERSION=FALSE && STRINGS=0, 4D5A equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=IM.Worm && PATTERN=*\IMAGE-www.facebook.com-####-.JPG.exe && STRINGS=992, 55505821 equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=PasswordStealer.Kurit && VERSION=1, %NULL% && VERSION=2, www.hotmail.com && VERSION=3, 1?0?0?0 && VERSION=5, Microsoft Corporation equals www.hotmail.com (Hotmail)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Trojan.Agent && PATTERN=*\PIC####-JPG-www.facebook.com.exe && VERSION=FALSE && STRINGS=0, 4D5A equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Trojan.Agent && VERSION=1, Www.Yahoo-i.Com && VERSION=2, %NULL% && VERSION=3, 1.00 && VERSION=5, %NULL% && VERSION=7, Yahoo.exe equals www.yahoo.com (Yahoo)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Trojan.Agent.Gen && PATTERN=**\IM#####?JPG-www.myspace.com.exe && STRINGS=0, 4D5A equals www.myspace.com (Myspace)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Trojan.Agent.Gen && PATTERN=*\IM.JPG?www.myspace.com.exe && VERSION=FALSE && STRINGS=78, 546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F6465 equals www.myspace.com (Myspace)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Trojan.Agent.Gen && PATTERN=**\PIC##########-JPG-www.facebook.com && VERSION=FALSE && STRINGS=0, 4D5A equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Trojan.AgentBypass && PATTERN=*.JPG-www.myspace.com.exe && VERSION=FALSE && STRINGS=0, 4D5A90 equals www.myspace.com (Myspace)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Trojan.Downloader && PATTERN=*\www.facebook.com.exe && STRINGS=0, 4D5A equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Trojan.Email.Gen && PATTERN=*\IM######?JPG#?www.myspace.com.exe && STRINGS=0, 4D5A equals www.myspace.com (Myspace)
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Trojan.MSIL && VERSION=1, www.facebook.com && VERSION=7, facebook tools.exe equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Trojan.MSIL && VERSION=1, www.facebook.com && VERSION=7, facebook_hack.exe equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Worm.Palevo && PATTERN=*\.JPG-www.facebook.exe && VERSION=FALSE equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Worm.Palevo && PATTERN=*\IM#####.JPG-www.myspace.com.exe && VERSION=FALSE && STRINGS=1082, 000083F801746C85C0742AC7042408000000FFD0BBFFFFFFFF89D88B75FC8B5DF889EC5DC204003D930000C074BD3D940000C074BB89D88B75FC8B5DF889EC5DC204008D76003D050000C075E8C704240B00000031F689742404E8 equals www.myspace.com (Myspace)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Worm.Palevo.Gen && PATTERN=*www.facebook.com.scr && VERSION=FALSE && STRINGS=1568, 5589E583EC08C7042401000000FF1508414200 && STRINGS=496, 2E62737300000000??????????????000000000000000000000000000000000000000000??0000?? equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Worm.Palevo.Gen && SIZE=24000, 100000 && PATTERN=**\n########_##.JPG-www.facebook.exe && STRINGS=0, 4D5A equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comn equals www.facebook.com (Facebook)
Source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.hotmail.com6 equals www.hotmail.com (Hotmail)

Source: global traffic	DNS traffic detected: DNS query: stats.mbamupdates.com
Source: global traffic	DNS traffic detected: DNS query: data-cdn.mbamupdates.com
Source: global traffic	DNS traffic detected: DNS query: edge.data-cdn.mbamupdates.com
Source: global traffic	DNS traffic detected: DNS query: hw.data-cdn.mbamupdates.com
Source: global traffic	DNS traffic detected: DNS query: llnw.data-cdn.mbamupdates.com

Source: cpcs.exe, 00000009.00000003.2546029145.000000000D31E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: HTTP://WWW.WW-XXOOXX-CH.NET
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Http://WwW.YlmF.CoM
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://1002.03r.info:338/13.jpg
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://182.237.1.106:333/32.exe
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.78.240.87/ebb.php
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Photos.MSN.com
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anthneic.blogspot.com/
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://as.starware.com
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://b.ez173.com/
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://best-pc.co.kr
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://bsalsa.com/
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c.ez173.com/
Source: cpcs.exe, 00000009.00000003.2510009992.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2510085331.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509982383.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509409389.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509325799.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509920343.000000000354D000.00000004.00000020.00020000.00000000.sdmp, cpcsgui.exe	String found in binary or memory: http://cdn.stat
Source: cpcs.exe, 00000009.00000003.2509521137.0000000003556000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn.static.mal
Source: cpcsgui.exe	String found in binary or memory: http://cdn.static.malwa
Source: cpcs.exe, 00000009.00000003.2509409389.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509325799.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcsgui.exe	String found in binary or memory: http://cdn.static.malwareb
Source: cpcs.exe, 00000009.00000003.2509521137.0000000003553000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn.static.malwareb-
Source: cpcsgui.exe	String found in binary or memory: http://cdn.static.malwareby
Source: cpcsgui.exe	String found in binary or memory: http://cdn.static.malwarebytes
Source: cpcsgui.exe	String found in binary or memory: http://cdn.static.malwarebytes.org/clie
Source: cpcsgui.exe	String found in binary or memory: http://cdn.static.malwarebytes.org/client_r
Source: cpcs.exe, 00000009.00000003.2509409389.0000000003565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn.static.malwarebytes.org/client_resources/1.7/images/Chameleon_64x64.png
Source: cpcsgui.exe	String found in binary or memory: http://cdn.static.malwarebytes.org/client_resources/1.7/images/FileAssassin_64x64.png
Source: cpcs.exe, 00000009.00000003.2510041575.000000000354D000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2510085331.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509409389.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509521137.0000000003556000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn.static.malwarebytes.org/client_resources/1.7/images/StartupLite_64x64.png
Source: cpcsgui.exe	String found in binary or memory: http://cdn.static.malwarebytes.org/client_resources/1.7/images/anti_rootkit_64x64.png
Source: cpcs.exe, 00000009.00000003.2509521137.0000000003556000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdn.stb
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cha.91mt.com/asp/xg.asp
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://d1.kuai8.com
Source: cpcs.exe, 00000009.00000003.2509920343.000000000354D000.00000004.00000020.00020000.00000000.sdmp, cpcsgui.exe	String found in binary or memory: http://downloads.malwarebytes.org/mbam-download.php
Source: cpcs.exe, 00000009.00000003.2510085331.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509982383.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509920343.000000000354D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://downloads.malwarebytes.org/mbam-download.phpon
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://edits.mywebsearch.com
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geral.gratixhost.com.br/publicidade/publicidade.js
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://http.proxy.icq.com/hello
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://knock-knock-knock.info/export/code2.php?c=
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://knock-knock-knock.info/export/code2.php?c=0000000
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://knock-knock-knock.info/export/code2.php?c=1000000
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://koxp.alcazer.com
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://link0125baixa2010.fromru.com/arroxa.exe
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://link0125baixa2010.fromru.com/arroxa.exeC:
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://redirecionamentosb.com/sw4.pac
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://redirecionamentosb.com/sw4.packer
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://saskentbbq.com/sasmate
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sms911.ru
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://snake.gnuchina.org
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://topagacilaboratuari.com/topagaci.com
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2556561426.0000000007934000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://upx.sf.net
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://w.clic
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wara6.homeftp.org/c
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wfef5.mine.nu/config.asp
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wsy539.myrice.com
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.6071.com/
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.8es.cn/code/adview_pic.php
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.GoCasino.com
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.GoCasino.com11
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.Parodieront.com
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.a0?a.co0
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.abyssmedia.com
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.abyssmedia.comion
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.abyssmedia.comz
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.aimp.ru
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ankord.com/)
Source: cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://www.appinf.com/features/enable-partial-reads
Source: cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://www.appinf.com/features/no-whitespace-in-element-content
Source: cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://www.appinf.com/features/no-whitespace-in-element-contenthttp://xml.org/sax/features/validatio
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A493000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2528855901.000000000A14E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.baidu.com
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.best-pc.co.kr
Source: chica-pc-shield-1-75-0-1300-en-win.exe, 00000000.00000003.2032168361.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.exe, 00000000.00000003.2795341385.0000000002100000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.exe, 00000000.00000003.2032244303.00000000020F4000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.tmp, chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2034370148.000000000213C000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2034264033.0000000003110000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2791392614.0000000002140000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2792550502.0000000002144000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2791262908.000000000213C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.chicalogic.com
Source: cpcsgui.exe	String found in binary or memory: http://www.chicalogic.com/pc-shield-re
Source: cpcs.exe, 00000009.00000003.2510085331.000000000355F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.chicalogic.com/pc-shield-re9
Source: cpcs.exe, 00000009.00000003.2510009992.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2510085331.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509982383.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509920343.000000000354D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.chicalogic.com/pc-shield-reJ
Source: cpcs.exe, 00000009.00000003.2500648179.0000000002B4E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2500622555.0000000002B48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.chicalogic.com/pc-shield-rei
Source: cpcs.exe, 00000009.00000003.2510009992.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2510085331.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509982383.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509920343.000000000354D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.chicalogic.com/pc-shield-rel
Source: cpcs.exe, 00000009.00000003.2510009992.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509982383.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509920343.000000000354D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.chicalogic.com/pc-shield-rew
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.chukotka.kz/cache/msn.php?id=0
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A69B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.contoso.com/PostAccepter.aspxQ5
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cookst.com/sentry/api/20110306.exe
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cookst.com/sentry/api/20110306.exeW
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.czsoft.go1.icpcn.com/
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.desksave.de
Source: cpcs.exe, 00000009.00000003.2556561426.0000000007934000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.emule-project.net
Source: cpcs.exe, 00000009.00000003.2556561426.0000000007934000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.eyuyan.com)
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.go2000.cn
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.go2000.cn.&
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com0
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com039~$
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.grandesgans.com/Vista.com
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.grandesgans.com/Vista.comr.
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533630438.000000000A445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.heaventools.com)
Source: chica-pc-shield-1-75-0-1300-en-win.tmp, chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000000.2033381655.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.innosetup.com/
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jetswap.comD
Source: cpcs.exe, 00000009.00000003.2509521137.0000000003556000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.malwarebytes.o
Source: cpcs.exe, 00000009.00000003.2509521137.0000000003553000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.malwarebytes.oY
Source: cpcsgui.exe	String found in binary or memory: http://www.malwarebytes.or
Source: cpcs.exe, 00000009.00000003.2510009992.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2510085331.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509982383.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509409389.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509325799.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509920343.000000000354D000.00000004.00000020.00020000.00000000.sdmp, cpcsgui.exe	String found in binary or memory: http://www.malwarebytes.org
Source: cpcsgui.exe	String found in binary or memory: http://www.malwarebytes.org/products
Source: cpcsgui.exe	String found in binary or memory: http://www.malwarebytes.org/products/
Source: cpcsgui.exe	String found in binary or memory: http://www.malwarebytes.org/products/chameleon
Source: cpcsgui.exe	String found in binary or memory: http://www.malwarebytes.org/products/fil
Source: cpcsgui.exe	String found in binary or memory: http://www.malwarebytes.org/products/file
Source: cpcsgui.exe	String found in binary or memory: http://www.malwarebytes.org/products/fileass
Source: cpcsgui.exe	String found in binary or memory: http://www.malwarebytes.org/products/fileassassin
Source: cpcsgui.exe	String found in binary or memory: http://www.malwarebytes.org/products/mbar
Source: cpcsgui.exe	String found in binary or memory: http://www.malwarebytes.org/products/startuplite
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.niudoudou.com/web/download/
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.niudoudou.com/web/download/=H
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ntkrnl.com
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ntkrnl.comy
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pdfforge.org/
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.qqceo.net
Source: chica-pc-shield-1-75-0-1300-en-win.exe, 00000000.00000003.2032976073.0000000002128000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.exe, 00000000.00000003.2032819935.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.tmp, chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000000.2033381655.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.remobjects.com/ps
Source: chica-pc-shield-1-75-0-1300-en-win.exe, 00000000.00000003.2032976073.0000000002128000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.exe, 00000000.00000003.2032819935.00000000023F0000.00000004.00001000.00020000.00000000.sdmp, chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000000.2033381655.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.remobjects.com/psU
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rivalgaming.com/ClientPrivacyPolicy.rg0
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.skrsoftware.com/
Source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.super-ec.cnhttp://wghai.com/echttp://qsyou.com
Source: cpcs.exe, 00000009.00000003.2509409389.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509325799.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcsgui.exe	String found in binary or memory: http://www.w3.
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ww-xxooxx-ch.net
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zippay.ru/robo-pay.php?lang=
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xdinheirox.rememberit.com.au/
Source: cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://xml.org/sax/features/external-general-entities
Source: cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://xml.org/sax/features/external-parameter-entities
Source: cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://xml.org/sax/features/namespace-prefixes
Source: cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://xml.org/sax/features/namespaces
Source: cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://xml.org/sax/features/string-interning
Source: cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://xml.org/sax/features/validation
Source: cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://xml.org/sax/properties/declaration-handler
Source: cpcsscheduler.exe, 0000000E.00000002.3285698951.000000006BCC3000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://xml.org/sax/properties/lexical-handler

Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown	Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown	Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49957 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown	Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49921

Spam, unwanted Advertisements and Ransom Demands

Yara detected KillMBR

Source: Yara match

File source: Process Memory Space: cpcs.exe PID: 2412, type: MEMORYSTR

Operating System Destruction

Yara detected KillMBR

Source: Yara match

File source: Process Memory Space: cpcs.exe PID: 2412, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000012.00000003.2839561000.000000000CFD9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: thequickbrow_APT1 Author: AlienVault Labs
Source: 00000009.00000003.2546777163.000000000C828000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 00000009.00000003.2545861202.000000000D4FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 00000012.00000003.2839681114.000000000D42B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 0000000F.00000003.2652428311.0000000004663000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: 9002 Identifying Strings Author: Seth Hardy
Source: 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
Source: 00000012.00000003.2843530652.000000000847A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
Source: 0000000F.00000003.2648389472.0000000008271000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
Source: Process Memory Space: cpcs.exe PID: 2412, type: MEMORYSTR	Matched rule: thequickbrow_APT1 Author: AlienVault Labs
Source: Process Memory Space: cpcs.exe PID: 2412, type: MEMORYSTR	Matched rule: 9002 Identifying Strings Author: Seth Hardy

Yara detected Xtreme RAT

Source: Yara match

File source: Process Memory Space: cpcs.exe PID: 2412, type: MEMORYSTR

Found PHP interpreter

Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Backdoor.Tidserv && VERSION=1, The PHP Group && VERSION=7, php.exe && STRINGS=590, 00405F77696E6F63
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Rootkit.TDSS && VERSION=1, The PHP Group && VERSION=7, php.exe && STRINGS=23973, 616669735C7300637264725C256F3F2E62007664655B726C5C735D7C6D63765C67003F645D0000005A006F72747325
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Rootkit.TDSS.Gen && SIZE=70000, 1500000 && VERSION=1, The PHP Group && VERSION=3, 5.2.11.11 && VERSION=7, php.exe
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Backdoor.Tidserv && VERSION=1, The PHP Group && VERSION=7, php.exe && STRINGS=590, 00405F77696E6F63
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Rootkit.TDSS && VERSION=1, The PHP Group && VERSION=7, php.exe && STRINGS=23973, 616669735C7300637264725C256F3F2E62007664655B726C5C735D7C6D63765C67003F645D0000005A006F72747325
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: POLY=Rootkit.TDSS.Gen && SIZE=70000, 1500000 && VERSION=1, The PHP Group && VERSION=3, 5.2.11.11 && VERSION=7, php.exe
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: The PHP Group

Contains functionality to call native functions

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0042F520 NtdllDefWindowProc_A,	1_2_0042F520
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00423B84 NtdllDefWindowProc_A,	1_2_00423B84
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_004125D8 NtdllDefWindowProc_A,	1_2_004125D8
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00478648 NtdllDefWindowProc_A,	1_2_00478648
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0045746C PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,	1_2_0045746C

Contains functionality to communicate with device drivers

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

Code function: 1_2_0042E934: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,

1_2_0042E934

Contains functionality to delete services

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe

Code function: 12_2_6F872930 CloseServiceHandle,ControlService,DeleteService,CloseServiceHandle,Sleep,CloseServiceHandle,CloseServiceHandle,

12_2_6F872930

Contains functionality to launch a process as a different user

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe

14_2_008E5DD0

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_004555E4

Creates files inside the driver directory

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

File created: C:\Windows\system32\drivers\is-VCK25.tmp

Jump to behavior

Creates files inside the system directory

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Windows\system32\drivers\is-VCK25.tmp			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Detected potential crypto function

Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Code function: 0_2_0040840C	0_2_0040840C
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0048053F	1_2_0048053F
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00470584	1_2_00470584
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0046727C	1_2_0046727C
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_004352C8	1_2_004352C8
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0048DA5C	1_2_0048DA5C
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0043035C	1_2_0043035C
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_004444C8	1_2_004444C8
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_004345C4	1_2_004345C4
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00486720	1_2_00486720
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00444A70	1_2_00444A70
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00430EE8	1_2_00430EE8
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0045EF9C	1_2_0045EF9C
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0045B04C	1_2_0045B04C
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00445168	1_2_00445168
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_004692DC	1_2_004692DC
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00445574	1_2_00445574
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00487680	1_2_00487680
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_004519BC	1_2_004519BC
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0043DD50	1_2_0043DD50
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005DA210	12_2_005DA210
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005F22DD	12_2_005F22DD
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005EE281	12_2_005EE281
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005BC3C0	12_2_005BC3C0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005E8410	12_2_005E8410
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005FC4E4	12_2_005FC4E4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005F267B	12_2_005F267B
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005FA62E	12_2_005FA62E
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005DE6F0	12_2_005DE6F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005E47F0	12_2_005E47F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005C4790	12_2_005C4790
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005F2A4D	12_2_005F2A4D
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005FAB7F	12_2_005FAB7F
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005B4CD0	12_2_005B4CD0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005F8D90	12_2_005F8D90
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005F2E35	12_2_005F2E35
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005FB0D0	12_2_005FB0D0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005E5110	12_2_005E5110
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005DF3B0	12_2_005DF3B0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005B1410	12_2_005B1410
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005B5560	12_2_005B5560
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005FB7AC	12_2_005FB7AC
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005B5860	12_2_005B5860
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005D9930	12_2_005D9930
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005B79E0	12_2_005B79E0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005DBB30	12_2_005DBB30
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005B5D40	12_2_005B5D40
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005F1E48	12_2_005F1E48
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005C3E40	12_2_005C3E40
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005B1EF0	12_2_005B1EF0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB950F0	12_2_6BB950F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB57020	12_2_6BB57020
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB76B10	12_2_6BB76B10
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB5BB50	12_2_6BB5BB50
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB51AE0	12_2_6BB51AE0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB53900	12_2_6BB53900
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB5E8D0	12_2_6BB5E8D0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB68F97	12_2_6BB68F97
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB9EFF4	12_2_6BB9EFF4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB76F20	12_2_6BB76F20
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB9BF20	12_2_6BB9BF20
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BBAEF44	12_2_6BBAEF44
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB95DB0	12_2_6BB95DB0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB90CD0	12_2_6BB90CD0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB903E0	12_2_6BB903E0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB53240	12_2_6BB53240
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB671A0	12_2_6BB671A0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB54133	12_2_6BB54133
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB66080	12_2_6BB66080
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB5F000	12_2_6BB5F000
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB68045	12_2_6BB68045
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB5F7CC	12_2_6BB5F7CC
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB6376C	12_2_6BB6376C
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB925C0	12_2_6BB925C0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB5C480	12_2_6BB5C480
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB52400	12_2_6BB52400
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB62450	12_2_6BB62450
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F88CDF0	12_2_6F88CDF0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F85B9E0	12_2_6F85B9E0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F852ED0	12_2_6F852ED0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F896C84	12_2_6F896C84
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F854C50	12_2_6F854C50
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F888C70	12_2_6F888C70
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F8A4BD0	12_2_6F8A4BD0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F864AE0	12_2_6F864AE0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F8A2890	12_2_6F8A2890
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F86A7D0	12_2_6F86A7D0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F85C7E0	12_2_6F85C7E0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F86E690	12_2_6F86E690
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F8A467F	12_2_6F8A467F
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F88A590	12_2_6F88A590
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F89C4D5	12_2_6F89C4D5
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F852420	12_2_6F852420
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F888390	12_2_6F888390
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F892310	12_2_6F892310
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F86A1F0	12_2_6F86A1F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F8A412E	12_2_6F8A412E
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F8700A0	12_2_6F8700A0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F89C0ED	12_2_6F89C0ED
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F8A5FE4	12_2_6F8A5FE4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F89BD1B	12_2_6F89BD1B
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F86BD60	12_2_6F86BD60
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F869C00	12_2_6F869C00
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F86FAA0	12_2_6F86FAA0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F88DAB0	12_2_6F88DAB0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F8739F0	12_2_6F8739F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F89B97D	12_2_6F89B97D
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F861720	12_2_6F861720
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F873720	12_2_6F873720
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F89B4E8	12_2_6F89B4E8
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F86B370	12_2_6F86B370
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F8A52AC	12_2_6F8A52AC
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F86F260	12_2_6F86F260
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F8511E0	12_2_6F8511E0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_3_033C236A	12_3_033C236A
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_008EC0D0	14_2_008EC0D0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_0091B027	14_2_0091B027
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_009091D0	14_2_009091D0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_009211DF	14_2_009211DF
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_008EE140	14_2_008EE140
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_0091D3F0	14_2_0091D3F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_0091F3F0	14_2_0091F3F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_009103F0	14_2_009103F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_0091B3F9	14_2_0091B3F9
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_008E3520	14_2_008E3520
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_0091A7F4	14_2_0091A7F4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_0091B7E1	14_2_0091B7E1
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_00921730	14_2_00921730
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_0090C740	14_2_0090C740
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_00907870	14_2_00907870
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_00922B44	14_2_00922B44
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_0091AC89	14_2_0091AC89
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_00920C8E	14_2_00920C8E
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_00921E0C	14_2_00921E0C
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_00906F90	14_2_00906F90
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB950F0	14_2_6BB950F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB57020	14_2_6BB57020
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB76B10	14_2_6BB76B10
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB5BB50	14_2_6BB5BB50
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB51AE0	14_2_6BB51AE0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB53900	14_2_6BB53900
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB5E8D0	14_2_6BB5E8D0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB68F97	14_2_6BB68F97
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB9EFF4	14_2_6BB9EFF4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB76F20	14_2_6BB76F20
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB9BF20	14_2_6BB9BF20
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BBAEF44	14_2_6BBAEF44
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB95DB0	14_2_6BB95DB0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB90CD0	14_2_6BB90CD0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB903E0	14_2_6BB903E0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB53240	14_2_6BB53240
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB671A0	14_2_6BB671A0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB54133	14_2_6BB54133
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB66080	14_2_6BB66080
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB5F000	14_2_6BB5F000
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB68045	14_2_6BB68045
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB5F7CC	14_2_6BB5F7CC
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB6376C	14_2_6BB6376C
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB925C0	14_2_6BB925C0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB5C480	14_2_6BB5C480
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB52400	14_2_6BB52400
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB62450	14_2_6BB62450
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F88CDF0	14_2_6F88CDF0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F85B9E0	14_2_6F85B9E0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F852ED0	14_2_6F852ED0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F896C84	14_2_6F896C84
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F854C50	14_2_6F854C50
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F888C70	14_2_6F888C70
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F8A4BD0	14_2_6F8A4BD0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F864AE0	14_2_6F864AE0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F8A2890	14_2_6F8A2890
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F86A7D0	14_2_6F86A7D0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F85C7E0	14_2_6F85C7E0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F86E690	14_2_6F86E690
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F8A467F	14_2_6F8A467F
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F88A590	14_2_6F88A590
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F89C4D5	14_2_6F89C4D5
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F852420	14_2_6F852420
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F888390	14_2_6F888390
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F892310	14_2_6F892310
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F86A1F0	14_2_6F86A1F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F8A412E	14_2_6F8A412E
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F8700A0	14_2_6F8700A0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F89C0ED	14_2_6F89C0ED
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F8A5FE4	14_2_6F8A5FE4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F89BD1B	14_2_6F89BD1B
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F86BD60	14_2_6F86BD60
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F869C00	14_2_6F869C00
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F86FAA0	14_2_6F86FAA0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F88DAB0	14_2_6F88DAB0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F8739F0	14_2_6F8739F0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F89B97D	14_2_6F89B97D
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F861720	14_2_6F861720
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F873720	14_2_6F873720
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F89B4E8	14_2_6F89B4E8
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F86B370	14_2_6F86B370
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F8A52AC	14_2_6F8A52AC
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F86F260	14_2_6F86F260
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F8511E0	14_2_6F8511E0

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: String function: 00408C0C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: String function: 00406AC4 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: String function: 0040595C appears 117 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: String function: 00403400 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: String function: 00445DD4 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: String function: 004344DC appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: String function: 004078F4 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: String function: 00403494 appears 82 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: String function: 00457DF4 appears 73 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: String function: 00457BE8 appears 94 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: String function: 00403684 appears 224 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: String function: 00453344 appears 94 times
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: String function: 004460A4 appears 59 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: String function: 6F895C50 appears 36 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: String function: 6BBB1303 appears 78 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: String function: 6F853910 appears 41 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: String function: 0090D53A appears 64 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: String function: 0090EF60 appears 33 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: String function: 008E1450 appears 138 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: String function: 6F856530 appears 139 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: String function: 6F88F635 appears 79 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: String function: 005ECC60 appears 34 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: String function: 6F895C50 appears 36 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: String function: 6BBB1303 appears 78 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: String function: 6F853910 appears 41 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: String function: 005E6ABC appears 70 times
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: String function: 6F88F635 appears 79 times

PE file contains executable resources (Code or Archives)

Source: chica-pc-shield-1-75-0-1300-en-win.exe	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: chica-pc-shield-1-75-0-1300-en-win.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: chica-pc-shield-1-75-0-1300-en-win.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: chica-pc-shield-1-75-0-1300-en-win.tmp.0.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-L12IJ.tmp.1.dr	Static PE information: Resource name: DRIVERTYPE type: PE32 executable (native) Intel 80386, for MS Windows
Source: is-L12IJ.tmp.1.dr	Static PE information: Resource name: DRIVERTYPE type: PE32 executable (native) Intel 80386, for MS Windows
Source: is-DB4G5.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-DB4G5.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-DB4G5.tmp.1.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped

Sample file is different than original file name gathered from version info

Source: chica-pc-shield-1-75-0-1300-en-win.exe, 00000000.00000003.2032976073.0000000002128000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs chica-pc-shield-1-75-0-1300-en-win.exe
Source: chica-pc-shield-1-75-0-1300-en-win.exe, 00000000.00000003.2032819935.00000000023F0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs chica-pc-shield-1-75-0-1300-en-win.exe

Uses 32bit PE files

Source: chica-pc-shield-1-75-0-1300-en-win.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Yara signature match

Source: 00000012.00000003.2839561000.000000000CFD9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: thequickbrow_APT1 author = AlienVault Labs, info = CommentCrew-threat-apt1
Source: 00000009.00000003.2546777163.000000000C828000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 00000009.00000003.2545861202.000000000D4FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 00000012.00000003.2839681114.000000000D42B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 0000000F.00000003.2652428311.0000000004663000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: APT9002Strings author = Seth Hardy, description = 9002 Identifying Strings, last_modified = 2014-06-25
Source: 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000003.2843530652.000000000847A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000F.00000003.2648389472.0000000008271000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: cpcs.exe PID: 2412, type: MEMORYSTR	Matched rule: thequickbrow_APT1 author = AlienVault Labs, info = CommentCrew-threat-apt1
Source: Process Memory Space: cpcs.exe PID: 2412, type: MEMORYSTR	Matched rule: APT9002Strings author = Seth Hardy, description = 9002 Identifying Strings, last_modified = 2014-06-25

Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: V2\custom\Project1.vbpQ
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 3)\Project1.vbp
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: +tub.vbp
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Basic\nLoader\Projekt1.vbp3
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 20 Prof Updater\Project1.vbpo
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\????????????.vbp
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ouveau dossier (3)\Project1.vbp
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AD:\??????.vbpyc
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: v5\Server\Project1.vbp
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AC:\????????.vbp>d
Source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows.vbp
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Logoff.vbp
Source: cpcs.exe, 00000009.00000003.2533630438.000000000A445000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Documents and Settings\Administrador\Desktop\new project\New_Project1.vbp?
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: N\IEAdBlocker.vbp%
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\????????????.vbpOc
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *\AC:\??????.vbp
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AJ:\Jhocko\Loader\Loader.vbpw
Source: chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2789847670.0000000004E63000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: (*\AC:\SteveMac\VB6\Controls\S-Grid5\pVBALGrid6.vbpH\
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\??????.vbp?c
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ????.vbp
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: uveau dossier (3)\Project1.vbp
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \calculator.vbp
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\GroundPlayer.vbpen#
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\DZYA.vbp
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: z1.vbpY
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.VBPacked && SIZE=240000, 265000 && RESOURCE=RT_ICON, 1403, AAD517AAD504CBEE04CBEE04CBEE04CBEE3ABEDA32AA6492454D92454DA6666A2D3ECC4E77D72B42D42831CA2D3ECC2D3ECC2F9059 && PESECTION=1, * && VOFFSET=424, 8, 15, 504543
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\pzFBNe.vbp
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _Generated-3\Project1.vbp
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Server\winlog.vbp
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\????????????????????.vbpe1WH4
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *\AC:\????????????????\Modif\ica\??????????????\Computer ???? ??????ica d orp\???????????? ???????????? ??r EMINEMOr????????a.vbp
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mmmm?.vbp
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \M3\Desktop\CR\ST\S.vbp
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Santos\Desktop\Stub\stub.vbp
Source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *\AF:\untitled01\new\7\tools\backup\Project1.vbp
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: itc\it_inst\Project1.vbp=,
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AZ:\q\q.vbp
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\??????.vbp
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AC:\sethc.vbpu
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Mdx 0\Osigsnad drsydcao1.vbp0000
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: oGachi to Gachito.vbpC.
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: M3\Desktop\Machine\Setup.vbpZ
Source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @*\AC:\Project1.vbpown65
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\??????????.vbp^c
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\??????.vbpEc
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win11\DirtyBusinessNewMod.vbp
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\dTtI.vbpbp
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \EXE\Project1.vbp
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AH:\V1.0\Project1.vbp
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: D:\????????.vbp!
Source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Bureau\Copie de Nouveau dossier (3)\Project1.vbp
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CommonDialog_Class.vbp
Source: cpcs.exe, 00000009.00000003.2533526590.000000000A5DD000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2534960911.000000000A5DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Bureau\Copie de Nouveau dossier (3)\Project1.vbpQ
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: john\Desktop\Stub\stub.vbpN
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NYHOMv.vbpN~
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Priv8\Project1.vbp
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \GoogleGroupsBHO.vbpW
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *\AD:\Projekt1.vbp
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \GoogleGroupsBHO.vbp
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\????????????.vbpcc
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: New Folder\Project1.vbp
Source: chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2789847670.0000000004E5C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: .*\AC:\SteveMac\VB6\XHELPE~1\SSubTmr\SubTimer6.vbp
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0zcyfqrkkdgt opgz\|kxrcbpWqe\|oml6.vbp
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fgf.vbp
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \newwish\uniedit.vbp
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \serv\Project1.vbp
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\??????????????.vbp?A
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \JKMobile.vbp
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: z1.vbper
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Simple\Stub\stub.vbp8
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AC:\????????.vbp"c
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\????????.vbpHc
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: io\deho\deho.vbp
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\??????????????????.vbp
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AC:\??????.vbp,c
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *\AC:\Stub3\GqtM3.vbp
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Nero.vbp
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \newwish\uniedit.vbpxe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000007934000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.VBPassSteal && STRINGS=1169, 62737465616C65725F6C6F6164 && STRINGS=128, B71207DBF3736988F3736988F3736988 && STRINGS=987, 332E30300055505821
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \puxa vb\viks.vbp7
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Server\winlog.vbpn
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Tool Febrero\Proyecto1.vbp
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sax 0\Pdoaeatsd.vbpq
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\????????????????????????????.vbpTY
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PCsig2\stub\STUB.vbp'
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *\AE:\Projekt1.vbp9
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Santa\Project1.vbpU
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\??????.vbprc
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Mdx 0\Osigsnad drsydcao1.vbpsL
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \_new3_test_006\project1.vbp
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\????????.vbp
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \IMPORTANT.vbp>s
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X\Server\Project1.vbpn
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Y:\code\prog\my\mycall.vbp
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: free\leader\driver.vbp
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Generated-1\Project1.vbp^
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\ssss\VEhvdQTbQ.vbp
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AC:\??????????.vbp

Source: classification engine

Classification label: mal54.rans.troj.evad.winEXE@30/92@19/3

Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,	0_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,	1_2_004555E4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F85FAE0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle,CloseHandle,	12_2_6F85FAE0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F85FAE0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle,CloseHandle,	14_2_6F85FAE0

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

Code function: 1_2_00455E0C GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceExA,GetDiskFreeSpaceA,

1_2_00455E0C

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: CloseServiceHandle,CreateServiceW,GetLastError,OpenServiceW,		12_2_6F88EBA0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: CloseServiceHandle,CreateServiceW,GetLastError,OpenServiceW,		14_2_6F88EBA0

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe

Code function: 12_2_005BB070 CharUpperW,CreateToolhelp32Snapshot,Process32FirstW,CharUpperW,Process32NextW,CloseHandle,

12_2_005BB070

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

Code function: 1_2_00456574 CoCreateInstance,CoCreateInstance,SysFreeString,SysFreeString,

1_2_00456574

Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe

Code function: 0_2_00409BEC FindResourceA,SizeofResource,LoadResource,LockResource,

0_2_00409BEC

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe

Code function: 12_2_6F872F00 CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,

12_2_6F872F00

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe

Code function: 14_2_008E1E80 StartServiceCtrlDispatcherW,

14_2_008E1E80

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

File created: C:\Program Files (x86)\ChicaLogic

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Mutant created: NULL
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\CPCSScannerMutex

Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe

File created: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp

Jump to behavior

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Command line argument: kernel32.dll	12_2_005B3D10
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Command line argument: /silent	12_2_005B3D10
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Command line argument: /install	12_2_005B3D10
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Command line argument: /uninstall	12_2_005B3D10
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Command line argument: /stop	12_2_005B3D10
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Command line argument: /starttray	12_2_005B3D10
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Command line argument: /startalways	12_2_005B3D10
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Command line argument: PK_	12_2_005F4AA0

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: cpcsgui.exe	String found in binary or memory: /stop
Source: cpcsgui.exe	String found in binary or memory: /stop
Source: cpcsgui.exe	String found in binary or memory: /install

Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe

File read: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe "C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe"
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Process created: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp "C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp" /SL5="$20430,8630815,54272,C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe"
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbamext.dll"
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe" /starttrial
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"
Source: unknown	Process created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe" /install /silent
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe"
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe" /update
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe"
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Process created: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp "C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp" /SL5="$20430,8630815,54272,C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbamext.dll"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe" /starttrial	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe" /update	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe"	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"

Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mbam.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: advpack.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: asycfilt.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mbamcore.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mbamnet.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: mbam.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: mbamnet.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: mbam.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: mbamnet.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msvbvm60.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: vb6zz.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: sxs.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mbam.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: advpack.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: olepro32.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: asycfilt.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mbamcore.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dataexchange.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: d3d11.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dcomp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dxgi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: twinapi.appcore.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: textshaping.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: ieframe.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wkscli.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msiso.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mshtml.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: umpdc.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: srpapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mbamnet.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msimtf.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msls31.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: d2d1.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dwrite.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dxcore.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mlang.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: msvbvm60.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: msvbvm60.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msvbvm60.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: vb6zz.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: sxs.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mbam.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: advpack.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: olepro32.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: asycfilt.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mbamcore.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dataexchange.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: d3d11.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dcomp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dxgi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: twinapi.appcore.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: textshaping.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: ieframe.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wkscli.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msiso.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mshtml.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: umpdc.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: srpapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mbamnet.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msimtf.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: msls31.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: d2d1.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dwrite.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dxcore.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mlang.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: msvbvm60.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: msvbvm60.dll

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: ChicaPC-Shield Notifications.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe
Source: Uninstall ChicaPC-Shield.lnk.1.dr	LNK file: ..\..\..\..\..\..\..\Program Files (x86)\ChicaLogic\ChicaPC-Shield\unins000.exe
Source: ChicaPC-Shield.lnk.1.dr	LNK file: ..\..\..\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe
Source: ChicaPC-Shield.lnk0.1.dr	LNK file: ..\..\..\..\..\..\..\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

Window found: window name: TSelectLanguageForm

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Automated click: I accept the agreement
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Automated click: OK
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: chica-pc-shield-1-75-0-1300-en-win.exe

Static PE information: certificate valid

Source: chica-pc-shield-1-75-0-1300-en-win.exe

Static file information: File size 8967808 > 1048576

Source:	Binary string: \ResBegleiter\obj\x86\Release\Devi.pdbb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :\XRoot_Build\XC\Vm\Release\x86\StubExe.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Server.pdb source: cpcs.exe, 00000009.00000003.2535416200.000000000A6BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \obj\Release\Welp.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \obj\Release\Welp.pdbY{ source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: miniloader-patchdate-stub.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: DarkShell\Server\svchost\Debug\Serverz.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: w:\Project\!lego2new\lego_2011.xx.xx_2.xx\release\NSP.pdb source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: se\NSP.pdb source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\USERS\DEFAULT\APPDATA\LOCAL\TEMP\FACEBOOK\FACEBOOK STEALER.PDB source: cpcs.exe, 00000009.00000003.2545034326.000000000E01A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \sw_modem\HSF_HWICH\i386\HSFHWICH.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cryptnet.pdb source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\key\sar\Debug\sar.pdbre source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\SVN\mbam\dll\mbam.dll\build\mbam.pdb source: cpcsgui.exe, 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: Intel Corporationse\NSP.pdb source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vpamjon.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NB10??????N????:\??????????\??W????????\????????????????????????????????????????G????\????????????\??????\????????????.pdbj source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: hnetmon.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A217000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sass.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\Cryptor\stub6\Release\stub6.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: !lego2new\lego_2011.xx.xx_2.xx\release\NSP.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :\UMPk.pdb source: cpcs.exe, 00000009.00000003.2535304844.0000000009F2B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\SVN\mbam\exe\mbampt.exe\build\mbampt.pdb%0A source: chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2789847670.0000000004F26000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\APPDATA\LOCAL\TEMP\FACEBOOK\FACEBOOK STEALER.PDB source: cpcs.exe, 00000009.00000003.2545306895.000000000E06C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Release\AvG.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Release\AvG.pdb>M source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\TranceCo.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\WFD\Tools\Server\_Downloader\Share\SFX Package\Pack\obj\x86\Debug\Pack.pdbE source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\USERS\user\APPDATA\LOCAL\TEMP\FACEBOOK\FACEBOOK STEALER.PDB source: cpcs.exe, 00000009.00000003.2545034326.000000000E01A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: fukmp.pdb source: cpcs.exe, 00000009.00000003.2535475306.000000000B056000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NB10??????N????:\??????????\??W????????\????????????????????????????????????????G????\????????????\??????\????????????.pdb source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ????????????????.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: aspergillus.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bk22\kloader\Release\i386\kloader.pdb source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Dell\Desktop\SOMA.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: fukmp.pdb% source: cpcs.exe, 00000009.00000003.2535475306.000000000B056000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: p:\vc5\x64\release\resident.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: F:\NTDDK\DEMO\_DarkTest\i386\DarkTest.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\SVN\mbam\dll\mbam.dll\build\mbam.pdb` source: cpcsgui.exe, 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: C:\dev\stuk_rar\release\setup.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\SVN\mbam\exe\mbamscheduler.exe\build\mbamscheduler.pdb source: chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2789847670.0000000004EC9000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\WINDOWS\TEMP\FACEBOOK\FACEBOOK STEALER.PDB source: cpcs.exe, 00000009.00000003.2545034326.000000000DF4E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\PROGRAM FILES (X86)\FACEHACK\FACEHACK.PDB%vz$ source: cpcs.exe, 00000009.00000003.2546311082.000000000D10C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sfxrar32\Release\sfxrar.pdb source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Socksbuilder\stub\release\stub.pdbeb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ent.pdb0?0A source: cpcs.exe, 00000009.00000003.2533784758.000000000A13A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sxtyy.pdb source: cpcs.exe, 00000009.00000003.2535475306.000000000B056000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ?????.pdbr source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: EXTRA=Adware.Agent, %PROGRAMFILES%\Isilo\iSiloDisplaySample.pdb, DP source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: db.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2534960911.000000000A69B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Nuova cartella\myform\myform\obj\Release\myform.pdb source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: $:\tmp\test.pdb source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529941329.000000000A2A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :\??????????????????????????????????????.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z(1)\stub\Release\stub.pdbtor source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ??:\??????????\??W????????\????????????????????????????????????????G????\????????????\??????\????????????.pdb source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: x:\werdon.pdb source: cpcs.exe, 00000009.00000003.2535304844.0000000009F2B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\d\objfre_wxp_x86\i386\HG.pdb source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z(1)\stub\Release\stub.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: p:\vc5\x64\release\resident.pdbO6 source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ent.pdb source: cpcs.exe, 00000009.00000003.2533784758.000000000A13A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\work_temp\utf8\test2\Release\test2.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\job\gh0st1.0\Release\Loader.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: URGABPW.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: TDIMUED.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: hnetmon.pdbU source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vpamjon.pdbd9 source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \accs\accs\accs\obj\Release\accs.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: REAPER\Stub\stub rc\obj\Release\stub rc.pdb source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: w:\Project\!lego2new\lego_2011.xx.xx_2.xx\release\NSP.pdb/ source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\key\sar\Debug\sar.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ryptnet.pdb source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529941329.000000000A2A1000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533526590.000000000A5A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Projects\reg\reg\obj\Debug\reg.pdbn source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sxtyy.pdb source: cpcs.exe, 00000009.00000003.2535475306.000000000B056000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WWMWCMGV.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cryptnet.pdbB source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Projects\reg\reg\obj\Debug\reg.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HookDllDriver\objfre\i386\hookdll.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NGPCorp\DLL\Release\DLL.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sfxrar32\Release\sfxrar.pdbPY source: cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Prevazatorul.pdb[ source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\TP\AppData\Local\Temp\zy3gqjbl.pdb source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \AccountCreator.pdbk source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: F:\NTDDK\DEMO\_DarkTest\i386\DarkTest.pdbem source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Bacipy.pdb source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533630438.000000000A445000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: IEXPLORE\Debug\wibvusd.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A493000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2528855901.000000000A14E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 8$W:\w\Loader.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vCrypt Stub.pdb source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Prevazatorul.pdb source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: &:\UMPk.pdb source: cpcs.exe, 00000009.00000003.2535304844.0000000009F2B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ?????.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \ResBegleiter\obj\x86\Release\Devi.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :\tmp\test.pdb source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529941329.000000000A2A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ld.pdb source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529941329.000000000A2A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\work\utf8\test2\Release\test2.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \AccountCreator.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A217000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: XC\Vm\Release\x86\StubExe.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A217000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Z:\xampp\htdocs\project-727,Permutation\stable\tmp\PDBSIG.pdb source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :\Fecira.pdb source: cpcs.exe, 00000009.00000003.2535304844.0000000009F2B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb)] source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Project1\Project1\obj\Release\Project1.pdb<. source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: W:\w\Loader.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bk22\kloader\Release\i386\kloader.pdbt,n source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\work\test\test2\Release\test2.pdb< source: cpcs.exe, 00000009.00000003.2529454596.000000000A126000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Projects\War Crypter\Release\Stub.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\SVN Control Code\app_client\Loader\Release\Loader.pdb?_ source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Project1\Project1\obj\Release\Project1.pdb source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WWMWCMGV.pdb=; source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ??@RSDS??????????????????????????????????o.pdb source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \w.a.t.c.h\w.a.t.c.h\obj\Release\w.a.t.c.h.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\job\gh0st1.0\Release\Loader.pdb\ source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\APPDATA\LOCAL\TEMP\FACEBOOK\FACEBOOK STEALER.PDB source: cpcs.exe, 00000009.00000003.2545306895.000000000E06C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\XRoot_Build\XC\Vm\Release\x86\StubExe.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\work\test\test2\Release\test2.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529454596.000000000A126000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \x86\Debug\Balle2.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\WFD\Tools\Server\_Downloader\Share\SFX Package\Pack\obj\x86\Debug\Pack.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Emuhucuqih.pdb source: cpcs.exe, 00000009.00000003.2535475306.000000000B056000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: IEXPLORE\Debug\wibvusd.pdbR source: cpcs.exe, 00000009.00000003.2528855901.000000000A14E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: XC\Vm\Release\x86\StubExe.pdbX source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\work\test\test2\Release\test2.pdbd source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Tr0gdor\Rxbot 7.6\Debug\rBot.pdbz source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: o.pdb source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: note.pdb source: cpcs.exe, 00000009.00000003.2535475306.000000000B056000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\dtcser\sys\i386\killvv.pdb source: cpcs.exe, 00000009.00000003.2533161271.000000000A493000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2528855901.000000000A14E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: EXTRA=Password.Stealer, %TEMP%\Facebook\Facebook Stealer.pdb, DP source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\key\lasass\Debug\lasass.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vCrypt Stub.pdb7 source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\local0\asf\release\build-2.2.14\support\Release\ab.pdb source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\SVN Control Code\app_client\Loader\Release\Loader.pdb source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: x:\werdon.pdb source: cpcs.exe, 00000009.00000003.2535304844.0000000009F2B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \MyProjects\eMule\Debug\eMule.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\SVN\mbam\exe\mbampt.exe\build\mbampt.pdb source: chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2789847670.0000000004F26000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Socksbuilder\stub\release\stub.pdb source: cpcs.exe, 00000009.00000003.2535574656.000000000A39A000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Tr0gdor\Rxbot 7.6\Debug\rBot.pdb source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cm_acl.pdb source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\dtcser\sys\i386\killvv.pdb+ source: cpcs.exe, 00000009.00000003.2533161271.000000000A493000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Double Onesass.pdbx7 source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

Code function: 1_2_0044852C LoadLibraryExA,LoadLibraryA,GetProcAddress,

1_2_0044852C

PE file contains sections with non-standard names

Source: is-6PN99.tmp.1.dr

Static PE information: section name: .sxdata

Registers a DLL

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbamext.dll"

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Code function: 0_2_004065C8 push 00406605h; ret	0_2_004065FD
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Code function: 0_2_004040B5 push eax; ret	0_2_004040F1
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax	0_2_00408109
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Code function: 0_2_00404185 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Code function: 0_2_00404206 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Code function: 0_2_0040C218 push eax; ret	0_2_0040C219
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Code function: 0_2_004042E8 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Code function: 0_2_00404283 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Code function: 0_2_00408F38 push 00408F6Bh; ret	0_2_00408F63
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_3_021A3ED7 push 4002145Eh; ret	1_3_021A4005
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_3_021A3ED7 push 4002145Eh; ret	1_3_021A4005
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_3_02142704 pushad ; retn 0046h	1_3_02142705
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_3_021A3ED7 push 4002145Eh; ret	1_3_021A4005
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_3_021A3ED7 push 4002145Eh; ret	1_3_021A4005
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_3_021A3ED7 push 4002145Eh; ret	1_3_021A4005
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_3_021A3ED7 push 4002145Eh; ret	1_3_021A4005
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_3_021A4000 push 4002145Eh; ret	1_3_021A4005
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0040994C push 00409989h; ret	1_2_00409981
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00483AD8 push 00483BE6h; ret	1_2_00483BDE
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_004062B4 push ecx; mov dword ptr [esp], eax	1_2_004062B5
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_004104E0 push ecx; mov dword ptr [esp], edx	1_2_004104E5
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00494888 push ecx; mov dword ptr [esp], ecx	1_2_0049488D
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00412928 push 0041298Bh; ret	1_2_00412983
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0040CE38 push ecx; mov dword ptr [esp], edx	1_2_0040CE3A
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_004851C8 push ecx; mov dword ptr [esp], ecx	1_2_004851CD
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_004591A8 push 004591ECh; ret	1_2_004591E4
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0040F398 push ecx; mov dword ptr [esp], edx	1_2_0040F39A
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00443440 push ecx; mov dword ptr [esp], ecx	1_2_00443444
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0040546D push eax; ret	1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0040553D push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_004055BE push 00405749h; ret	1_2_00405741

Persistence and Installation Behavior

Creates a FSFilter Anti-Virus service

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe

Registry value created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CPCSProtector\Instances\CPCSProtector Instance Altitude

Jump to behavior

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-L12IJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbamtoast.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbam.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\7z.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbamcore.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsservice.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-6PN99.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Users\user\AppData\Local\Temp\is-93AED.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-SJQ69.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-6H2TN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcspt.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-K9CAE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-9INTD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-KP3IJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Users\user\AppData\Local\Temp\is-93AED.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-UQ1R3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-CI4PM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Windows\System32\drivers\is-VCK25.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-0DUR6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbamext.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Users\user\AppData\Local\Temp\is-93AED.tmp\mbam.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	File created: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Windows\system32\drivers\cpcs.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbamnet.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-DB4G5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-J2CDD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-S0PAI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-CU77C.tmp	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Windows\System32\drivers\is-VCK25.tmp			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\Windows\system32\drivers\cpcs.sys (copy)			Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Windows\System32\regsvr32.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\MBAMShlExt NULL			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\MBAMShlExt NULL			Jump to behavior

Creates or modifies windows services

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CPCSProtector\Instances

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ChicaLogic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ChicaLogic\ChicaPC-Shield	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ChicaLogic\ChicaPC-Shield\ChicaPC-Shield.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ChicaLogic\ChicaPC-Shield\ChicaPC-Shield Notifications.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ChicaLogic\ChicaPC-Shield\Uninstall ChicaPC-Shield.lnk	Jump to behavior

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe

Code function: 12_2_6F88F120 ChangeServiceConfig2W,StartServiceW,GetLastError,

12_2_6F88F120

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce ChicaPC-Shield	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce ChicaPC-Shield	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce ChicaPC-Shield	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce ChicaPC-Shield	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Contains functionality to hide user accounts

Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: EXTRA=Trojan.Backdoor, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList|NT_AUTORITY

May modify the system service descriptor table (often done to hook functions)

Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: KeServiceDescriptorTable

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0042285C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	1_2_0042285C
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00423C0C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_00423C0C
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00423C0C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_00423C0C
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_004241DC IsIconic,SetActiveWindow,SetFocus,	1_2_004241DC
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00424194 IsIconic,SetActiveWindow,	1_2_00424194
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00418384 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	1_2_00418384
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_0048348C IsIconic,GetWindowLongA,ShowWindow,ShowWindow,	1_2_0048348C
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00417598 IsIconic,GetCapture,	1_2_00417598
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00417CCE IsIconic,SetWindowPos,	1_2_00417CCE
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00417CD0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	1_2_00417CD0

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

1_2_0041F118

Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0000000F.00000003.2652428311.0000000004663000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2843530652.000000000847A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.2648389472.0000000008271000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cpcs.exe PID: 2412, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=TROJAN.AGENT && SIZE=96304, 123880 && VERSION=1, HEX-RAYS SA && VERSION=3, 5.5.0.925 && VERSION=7, IDAG.EXE && RESOURCE=RT_GROUP_ICON, 0, 000001000100??????000100??00????00000100
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=TROJAN.SPYEYES && SIZE=80000, 420000 && VERSION=1, DATARESCUE SA/NV && VERSION=3, 5.2.0.908 && VERSION=7, IDAG.EXE && VERSION=8, THE INTERACTIVE DISASSEMBLER && STRINGS=456, 504543327A4F
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A217000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IDAG.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=SECURITY.HIJACK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\OLLYDBG.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=WORM.NEERIS, %TEMP%\WINDUMP.EXE, NV
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=TROJAN.AGENT && SIZE=1000, 1000000 && VERSION=1, DANIEL PISTELLI && VERSION=3, 7.9.0.0 && VERSION=7, CFF EXPLORER.EXE
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: COBSERVER.EXE"
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: API_LOG.DLL
Source: cpcs.exe, 00000009.00000003.2545740501.000000000E112000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\DEFAULT\APPDATA\LOCAL\TEMP\PROCMON.EXE
Source: cpcs.exe, 00000009.00000003.2546029145.000000000D31E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\MICROSOFT\SBIESVC.EXE
Source: cpcs.exe, 00000009.00000003.2544105021.000000000DEC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\DEFAULT\APPDATA\LOCAL\TEMP\WINDUMP.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=SECURITY.HIJACK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\REGMON.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=TROJAN.AGENT, %PROGRAMFILES%\MICROSOFT\SBIESVC.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=SECURITY.HIJACK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IDAG.EXE\|DEBUGGER, DP
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=SECURITY.HIJACK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ABREGMON.EXE.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=TROJAN.DOWNLOADER.MDN && VERSION=1, HEX-RAYS SA && VERSION=7, IDAG.EXE && RESOURCE=RT_VERSION, 134, 30003400310039 && STRINGS=%PE3% + 952, 637279707465642E657865
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\FILE.EXESBIEDLL.DLL3;
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=SECURITY.HIJACK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SUPERANTISPYWARE.EXE
Source: cpcs.exe, 00000009.00000003.2544105021.000000000DEC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\LOCAL\TEMP\WINDUMP.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=HIJACK.DISALLOWRUN, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\DISALLOWRUN\|FOLDERSNIFFER=FOLDERSNIFFER.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=SECURITY.HIJACK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FILEMON.EXE
Source: cpcs.exe, 00000009.00000003.2545306895.000000000E06C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\APPDATA\LOCAL\TEMP\PROCMON.EXETDH6N
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=TROJAN.SPYEYES && VERSION=1, UNDERGROUND INFORMATION CENTER && VERSION=3, 1.5.800.2006 RC7 && VERSION=4, PE TOOLS V1.5 RC7 && VERSION=7, PETOOLS.EXE && STRINGS=%PE2% + 306, 50004D00560059004B0055004A0046004C0037 && STRINGS=472, 50454332774F
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=TROJAN.AGENT && VERSION=5, JIQKZMOK && VERSION=7, COBSERVER.EXE
Source: cpcs.exe, 00000009.00000003.2545740501.000000000E112000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\LOCAL\TEMP\PROCMON.EXE
Source: cpcs.exe, 00000009.00000003.2545034326.000000000E01A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\APPDATA\LOCAL\TEMP\PROCMON.EXE
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529454596.000000000A126000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SANDBOXIERPCSS.EXE
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CFF EXPLORER.EXE2
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=TROJAN.FRAUDLOAD, %SYSDIR%\WINDUMP.EXE, NV
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=TROJAN.AGENT, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN\|SBIESVC.EXE=\MICROSOFT\SBIESVC.EXE
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLLDBGHELP
Source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PETOOLS.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=TROJAN.AGENT, %APPDATA%\WINDBG\WINDBG.EXE
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VNETSNIFFER.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=TROJAN.FAKEALERT && VERSION=7, VNETSNIFFER.EXE && STRINGS=128, 136F6768570E093B570E093B570E093B5202563B730E093B5202063B5C0E093B4406543B550E093BD406543B500E093B570E083B230E093B5202693B540E093BBB05573B560E093B5202533B560E093B
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: API_LOG.DLLSBIEDLL.DLLCURRENTUSERANDY
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=SECURITY.HIJACK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PROCMON.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=SECURITY.HIJACK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WINDBG.EXE
Source: cpcs.exe, 00000009.00000003.2529734518.000000000A217000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: COBSERVER.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=TROJAN.AGENT, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AUTORUNS.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=SECURITY.HIJACK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AUTORUNSC.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=TROJAN.DOWNLOADER, %TEMP%\PROCMON.EXE, NV
Source: cpcs.exe, 00000012.00000003.2840443937.000000000E02A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\APPDATA\LOCAL\TEMP\WINDUMP.EXE

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Memory allocated: 5EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Memory allocated: 45B0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Memory allocated: 4830000 memory reserve \| memory write watch

Contains functionality to query network adapater information

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,GetAdaptersInfo,inet_addr,	12_2_6BB55B90
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,	12_2_6BBB2620
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,GetAdaptersInfo,inet_addr,	14_2_6BB55B90
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,	14_2_6BBB2620

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Windows\System32\drivers\is-VCK25.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-CI4PM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-L12IJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbamext.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\mbamtoast.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\7z.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsservice.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-6PN99.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Windows\system32\drivers\cpcs.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-93AED.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-SJQ69.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-6H2TN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-J2CDD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcspt.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-K9CAE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-UQ1R3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-9INTD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-93AED.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\is-CU77C.tmp	Jump to dropped file

Found evasive API chain (date check)

Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe

Evasive API call chain: GetSystemTime,DecisionNodes

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Found large amount of non-executed APIs

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	API coverage: 6.5 %
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	API coverage: 8.9 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\svchost.exe TID: 5800

Thread sleep time: -30000s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe

Last function: Thread delayed

Uses the system / local time for branch decision (may execute only at specific dates)

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F856A20 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [esp+3ch], 08h and CTI: jc 6F856C16h		12_2_6F856A20
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F856A20 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [esp+3ch], 08h and CTI: jc 6F856C16h		14_2_6F856A20

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00452A60 FindFirstFileA,GetLastError,	1_2_00452A60
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00474E64 FindFirstFileA,FindNextFileA,FindClose,	1_2_00474E64
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00464030 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00464030
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00462628 FindFirstFileA,FindNextFileA,FindClose,	1_2_00462628
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00463BB4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00463BB4
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: 1_2_00497C84 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_00497C84
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005BBAD0 FindFirstFileW,FindNextFileW,FindClose,	12_2_005BBAD0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB592B0 FindFirstFileW,FindNextFileW,FindClose,	12_2_6BB592B0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F8625E0 FindFirstFileW,FindNextFileW,FindClose,	12_2_6F8625E0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB592B0 FindFirstFileW,FindNextFileW,FindClose,	14_2_6BB592B0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F8625E0 FindFirstFileW,FindNextFileW,FindClose,	14_2_6F8625E0

Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe

Code function: 0_2_00409B30 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,

0_2_00409B30

Source: cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareUser.exe
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.Agent && SIZE=10000000, 15000000 && VERSION=1, VMware? Inc. && VERSION=3, 6.0.2 build-59824 && VERSION=7, vmware.exe
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.Agent && SIZE=20000, 150000 && VERSION=1, VMware? Inc. && VERSION=3, 8.4.5.14951 && VERSION=7, VMwareTray.exe && STRINGS=464, 50454332764F
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.Agent && VERSION=7, VMwareUser.exe && STRINGS=6592, 5045436F6D7061637432
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.FakeAlert, HKCR\VMwareApp.VMware*
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Bot, HKLM\System\CurrentControlSet\Services\VMwareService
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.Agent && SIZE=25000, 300000 && VERSION=1, VMware? Inc. && VERSION=3, 6.0.2 build-59824 && VERSION=7, vmware.exe
Source: cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000007934000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Backdoor.Bot && DIGISIG=FALSE && VERSION=1, %NULL% && VERSION=4, vmnethcp.exe && STRINGS=%PE2% - 1276, 420069006F004300720065006400500072006F0076002E006500780065 && STRINGS=128, 504500004C010300 && STRINGS=216, 00000000
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, HKLM\SYSTEM\CurrentControlSet\Services\NetDDEVMTools
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\|VMware process Tool=\help.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, %USERROOT%\Local Settings\VMwareDnD\QTTask.exe
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Worm.KoobFace && VERSION=1, VMware? Inc.* && STRINGS=48, 000000000000000000000000D80000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A2400000000000000????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????52696368????????0000000000000000504500004C010400????????0000000000000000E0000F010B01????00??000000??000000????00????00000010000000??00000000400000100000000200000400000005000100040000000000000000????0000040000????0100020000800000??0000??00000000??0000??000000000000100000000000000000000000????0000????000000????00????0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000????0000??000000??????00??000000000000000000000000??0000??0000000000000000000000000000000000000000000000000000002E636F6465000000????00000010000000??000000040000000000000000000000000000200000602E64617461000000????000000??000000??000000??0000000000000000000000000000400000C02E72646174610000????000000????0000??000000??000000000000000000000000000040000040??????????????????????0000????0000????0000??0000000000000000000000000000C0000040
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Spyware.Zbot && VERSION=2, VMware Tools Core Service && STRINGS=128, AB5FE84BEF3E8618EF3E8618EF3E86186C228818EE3E861886218F18F33E861806218B18EE3E861852696368EF3E8618 && STRINGS=432, 2E7465787400000000F0040000100000008A02000002000050454332774F000000000000600000E02E72737263000000
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.Spybot && VERSION=1, VMware? Inc. && VERSION=3, 8.4.6.16648 && VERSION=7, VMUpgradeHelper.exe && PESECTION=2, .rsrc
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Backdoor, %PROGRAMFILES%\VMware NAT\kav.dll
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent.VM, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\|VMWARE=\read.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Agent, HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\|hgfsg
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware WorkstationrL=
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareUser.exeSd
Source: cpcs.exe, 00000009.00000003.2529734518.000000000A217000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware? Inc.um
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Backdoor.PcClient && SIZE=1605590, 1665590 && VERSION=7, Copyright 1998-2010 VMware?Inc.
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.SpyNet, %SYSDIR%\Resource\VMware.exe
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Worm.KoobFace && VERSION=7, VMwareUser.exe && VOFFSET=448, 8, 4, 504543 && STRINGS=128, 98BCE83BDCDD8668DCDD8668DCDD86685FC18868DDDD866893FF8F68C1DD8668EAFB8B68DDDD866852696368DCDD8668
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.ServStart && VERSION=1, ? && VERSION=4, VMware Workstationr && VERSION=8, VMware Workstationd
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Backdoor.Messa && VERSION=1, %NULL% && VERSION=7, /VMWare Machine/Desktop/ && VERSION=8, %NULL%
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\|VMware * process=\kernel##.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000009734000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WHITE=\VMware\VMware Server\vmapplib.dll
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMSrvc.exeY&
Source: cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware? Inc.
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Backdoor.Agent && VERSION=1, VMware? Inc. && VERSION=2, %NULL% && VERSION=3, 22.01.#### && VERSION=5, %NULL% && VERSION=7, #.exe && PESECTION=1, UPX0
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.FakeMS && VERSION=1, Microsoft Corporation && VERSION=7, VMSrvc.exe && PESECTION=1, .code_01 && VOFFSET=230, 8, 3, 0221
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.Agent && VERSION=7, VMwareUser.exe && STRINGS=7820, 5045436F6D7061637432
Source: cpcs.exe, 00000009.00000003.2545034326.000000000DFB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SYSTEM\VMWARESERVICE.EXE C"n
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Zlob, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\|VMware hptray
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, %PROGRAMFILES%\VMware\Windows Messenger\tao.ico, DP
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.Agent && PATTERN=**\go.exe && VERSION=1, VMware? Inc. && VERSION=7, usbRun.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Bot, %WINDIR%\System\VMwareService.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Agent, HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\|VMware? Inc.
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Worm.AutoRun, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\|MwareUser=\VMware Tools\MwareUser.exe
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.VB && SIZE=1000, 600000 && VERSION=1, VMware? Inc. && VERSION=3, 6.5.2 build-156735 && VERSION=7, ace_upgrade.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Bot, %WINDIR%\vmware-tray.exe
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.Agent && SIZE=400000, 600000 && VERSION=3, 8.4.5.14951 && VERSION=7, VMwareUser.exe
Source: cpcs.exe, 00000009.00000003.2529734518.000000000A217000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware? Inc.&
Source: cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware? Inc.,
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Backdoor, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\|vmware remotemks=System32\vmremotems.exe
Source: cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VBoxService.exek
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware? Inc.0
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /VMWare Machine/Desktop/$
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmware.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Agent, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\|VMware? Inc.
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.Agent && VERSION=1, VMware? Inc. && VERSION=4, VMwareUser && STRINGS=11632, 5045436F6D7061637432
Source: cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VIRTUALVMWAREQEMU
Source: chica-pc-shield-1-75-0-1300-en-win.tmp, 00000001.00000003.2792960995.00000000006B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\d
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Workstationdn
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\|VMware admin Tool=\Fonts##.exe
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A5B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware WorkstationdP=
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Infostealer.Gampass, %SYSDIR%\VMware.dll, NV
Source: cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmware-hosts
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Worm.KoobFace && VERSION=7, VMwareTray.exe && VOFFSET=448, 8, 4, 504543 && STRINGS=128, D1187782957919D1957919D1957919D1166517D1947919D1DA5B10D19B7919D1A35F14D1947919D152696368957919D1
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware? Inc.<
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\|Shell=vmnethcp.exe
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Spyware.Password && VERSION=1, VMware? Inc. && STRINGS=456, 50454332
Source: cpcs.exe, 00000009.00000003.2544527727.000000000D6DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES (X86)\VMWARE FILES\VMNETDHCP.EXE
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMWARE BEST VIRTUAL
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Worm.KoobFace && VERSION=7, vmware-fullscreen.exe && STRINGS=128, 695EEBF12D3F85A22D3F85A2E16F95C222609AC2E36F95C22260CBC2A16E95C2
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.Downloader && SIZE=10000, 400000 && VERSION=3, 7.0.1 build-227600 && VERSION=7, vmware.exe
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware WorkstationrGeno
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.Agent && VERSION=1, Photoshop && VERSION=7, Simon Inc.exe && VERSION=8, VMWARE BEST VIRTUAL
Source: cpcs.exe, 00000009.00000003.2533842656.000000000A4B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Tools Core Service
Source: cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VBoxService.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Downloader, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\|hgfstikyc
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareTray.exeZc
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.Agent && VERSION=7, VMwareService.exe && STRINGS=128, C25247E5863329B6863329B6A27C95DF61739ADFA07C95DF785F89DFE27D95DF585F8CDFBF7C95DF61739ADFA37C95DF6173CADF807C95DF61739ADFAE7C95DF585F8CDFA37C95DF52696368863329B600000000000000005045
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.Agent && VERSION=7, VMwareUser.exe && STRINGS=128, BD1FAAC9F97EC49AF97EC49AF97EC49A7A62CA9AF87EC49A9061CD9AD07EC49A1061C99AF87EC49A52696368F97EC49A && STRINGS=472, 50454332774F0000
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, %USERROOT%\Templates\vmnethcp.exe
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware? Inc.=l
Source: cpcs.exe, 00000009.00000003.2546561141.000000000BF7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMWAREAPP.VMWARE*TE
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.Zbot && VERSION=1, VMware? Inc. && STRINGS=584, 494E4954 && STRINGS=624, 2E7864617461
Source: cpcs.exe, 00000009.00000003.2545306895.000000000DFF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\VMWARE-TRAY.EXE
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareUser.exeDc
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareUser
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, HKLM\SYSTEM\CurrentControlSet\Services\ShellHWDetectionVMTools
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.FakeAlert && VERSION=1, VMware? Inc. && VERSION=7, vmware.exe && PESECTION=1, UPX0 && STRINGS=%PE3% + 240, 426F6D65
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, HKCU\Software\Microsoft\Windows\CurrentVersion\Run\|Microsoft Routing Utilities=\vmnethcp.exe
Source: cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Trojan.VB && SIZE=80000, 900000 && VERSION=1, VMware? Inc. && VERSION=3, 6.5.2 build-156735 && VERSION=7, hqtray.exe
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmware.exe6l
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.JRQService, HKLM\SYSTEM\CurrentControlSet\SERVICES\VMWARE APPLICATIONSJRQ
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\|VMWARES=\spooles.exe

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	API call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	API call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	API call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe

Code function: 12_2_005EC5A8 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

12_2_005EC5A8

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

Code function: 1_2_0044852C LoadLibraryExA,LoadLibraryA,GetProcAddress,

1_2_0044852C

Enables debug privileges

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process token adjusted: Debug

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005EC5A8 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_005EC5A8
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005ED25A SetUnhandledExceptionFilter,	12_2_005ED25A
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_005E74E5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_005E74E5
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB9DAC1 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_6BB9DAC1
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6BB9AE8F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_6BB9AE8F
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F890061 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_6F890061
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F8957BE _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_6F8957BE
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_009100E5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_009100E5
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_00911507 SetUnhandledExceptionFilter,	14_2_00911507
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_0090D600 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_0090D600
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB9DAC1 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_6BB9DAC1
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6BB9AE8F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_6BB9AE8F
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F890061 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_6F890061
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F8957BE _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_6F8957BE

HIPS / PFW / Operating System Protection Evasion

Contains functionality to automate explorer (e.g. start an application)

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: 12_2_6F88F460 CloseServiceHandle,FindWindowExW,FindWindowExW,FindWindowExW,FindWindowExW,FindWindowExW,GetClientRect,SendMessageW,SendMessageW,		12_2_6F88F460
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: 14_2_6F88F460 CloseServiceHandle,FindWindowExW,FindWindowExW,FindWindowExW,FindWindowExW,FindWindowExW,GetClientRect,SendMessageW,SendMessageW,		14_2_6F88F460

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe

Code function: OpenProcess,OpenProcessToken,CloseHandle, explorer.exe

14_2_008E60F0

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

Code function: 1_2_0047808C ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,

1_2_0047808C

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\ssubtmr6.dll"
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s "C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\vbalsgrid6.ocx"

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe

Code function: 12_2_005BB550 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

12_2_005BB550

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

1_2_0042E09C

Source: cpcsgui.exe, cpcsscheduler.exe	Binary or memory string: Shell_TrayWnd
Source: cpcsgui.exe, 0000000C.00000002.2571547852.000000006F8B1000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: oP&\InstancesHKLM\SYSTEM\CurrentControlSet\Services\ InstanceDefaultInstanceAltitudeFlags\\.\pipe\Notification AreaUser Promoted Notification AreaToolbarWindow32SysPagerTrayNotifyWndShell_TrayWndCouldn't load the library.Wow64DisableWow64FsRedirectionWow64RevertWow64FsRedirection
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Ransom, HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\|MailAgent=??\Progman.exe*
Source: cpcs.exe, 00000009.00000003.2556561426.0000000006534000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2561266540.0000000003D26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: POLY=Worm.Ambler && VERSION=1, Microsoft Corporation && VERSION=3, 9.32 && VERSION=8, Program manager

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Code function: GetLocaleInfoA,	0_2_0040520C
Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe	Code function: GetLocaleInfoA,	0_2_00405258
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: GetLocaleInfoA,	1_2_00408568
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Code function: GetLocaleInfoA,	1_2_004085B4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	12_2_005E860D
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	12_2_005F06F9
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	12_2_005F6897
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	12_2_005F09E7
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	12_2_005F4EFC
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	12_2_005F4FD6
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	12_2_005ED05D
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: GetLocaleInfoA,	12_2_005EB419
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	12_2_005F172C
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	12_2_005F1821
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	12_2_005F18C8
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	12_2_005F1923
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	12_2_005F1AF4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	12_2_005EFA9D
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	12_2_005F1BB4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	12_2_005F1C57
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	12_2_005F1C1B
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	12_2_6BBAEBF0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	12_2_6BBAEA1F
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	12_2_6BBAE9C4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	12_2_6BBAE91D
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	12_2_6BBAE828
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	12_2_6BBB0F1E
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	12_2_6BBAED17
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	12_2_6BBAED53
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	12_2_6BBAECB0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: GetLocaleInfoA,	12_2_6BBB1053
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	12_2_6F89AFC3
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	12_2_6F89CF1A
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	12_2_6F89AF68
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	12_2_6F89AEC1
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	12_2_6F89ADCC
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	12_2_6F898D56
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: GetLocaleInfoA,	12_2_6F89462F
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	12_2_6F8925C7
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	12_2_6F8A0575
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	12_2_6F8A049B
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	12_2_6F899CA0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	12_2_6F8999B2
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	12_2_6F89F43F
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	12_2_6F89B2BB
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	12_2_6F89B2F7
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	12_2_6F89B254
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	12_2_6F89B194
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	14_2_0091A0D8
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	14_2_0091806B
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	14_2_0091A1CD
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	14_2_00917121
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	14_2_0091A2CF
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	14_2_0091A274
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	14_2_0091A4A0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	14_2_00912447
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	14_2_0091A5C7
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	14_2_0091A560
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	14_2_0091A603
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	14_2_0091C63D
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: GetLocaleInfoA,	14_2_0091C772
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	14_2_009168FE
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	14_2_00916824
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	14_2_009199CE
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	14_2_00917D7D
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	14_2_6BBAEBF0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	14_2_6BBAEA1F
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	14_2_6BBAE9C4
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	14_2_6BBAE91D
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	14_2_6BBAE828
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	14_2_6BBB0F1E
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	14_2_6BBAED17
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	14_2_6BBAED53
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	14_2_6BBAECB0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: GetLocaleInfoA,	14_2_6BBB1053
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	14_2_6F89AFC3
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	14_2_6F89CF1A
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	14_2_6F89AF68
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	14_2_6F89AEC1
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	14_2_6F89ADCC
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	14_2_6F898D56
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: GetLocaleInfoA,	14_2_6F89462F
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	14_2_6F8925C7
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	14_2_6F8A0575
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	14_2_6F8A049B
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	14_2_6F899CA0
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	14_2_6F8999B2
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	14_2_6F89F43F
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	14_2_6F89B2BB
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	14_2_6F89B2F7
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	14_2_6F89B254
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsscheduler.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	14_2_6F89B194

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

1_2_004584A0

Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe

Code function: 0_2_004026C4 GetSystemTime,

0_2_004026C4

Source: C:\Users\user\AppData\Local\Temp\is-LBG9E.tmp\chica-pc-shield-1-75-0-1300-en-win.tmp

Code function: 1_2_0045559C GetUserNameA,

1_2_0045559C

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcsgui.exe

Code function: 12_2_6BB6DF4B GetTimeZoneInformation,__strftime_l,__free_locale,

12_2_6BB6DF4B

Source: C:\Users\user\Desktop\chica-pc-shield-1-75-0-1300-en-win.exe

Code function: 0_2_00405CF4 GetVersionExA,

0_2_00405CF4

Source: C:\Program Files (x86)\ChicaLogic\ChicaPC-Shield\cpcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: cpcs.exe, 00000009.00000003.2545034326.000000000DF4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\DEFAULT\TEMPLATES\AVG\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2546029145.000000000D30A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\WINRAR\FORMATS\KAVSTART.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apvxdwin.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsaua.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AYAGENT.AYE
Source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A55F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533161271.000000000A493000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2528855901.000000000A14E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avcenter.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVINSTALL.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\APORTS.EXE
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: LIVESRV.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tisspwiz.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boxmod.exe
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sched.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\quhlpsvc.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, %PROGRAMFILES%\Windows NT\kav.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Banker, %USERROOT%\Local Settings\Application Data\nod32.exe
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NOD32.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ATF-CLEANER.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CAVASM.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kwatch.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\DEFAULT\LOCAL SETTINGS\APPLICATION DATA\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srengps.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CAFW.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psimsvc.exe
Source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fast.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BUSCAREG.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fih32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ahnsdsv.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fch32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsaa.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2SCAN.EXE
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\DOCUMENTS\SYSTEM\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Agent, %WINDIR%\Resources\temas\Windows.exe\rundll32\avgnt.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav.exe
Source: cpcs.exe, 00000009.00000003.2544897121.000000000DD58000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebscd.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsmb32.exe
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2528855901.000000000A14E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 360rpt.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanwscs.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spf.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDFix.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVIRARKD.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanmsg.exe
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nod32krn.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavfnsvr.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lordpe.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\virusutilities.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psctrls.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsma32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavsvc.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\processmonitor.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guard.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xcommsvr.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Worm.AutoRun, %WINDIR%\Virus.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKPROXY.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvmonxp.kxp
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcagent.exe
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\TEMPLATES\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnsx.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Rogue.MultipleAV, %USERROOT%\Local Settings\Application Data\Microsoft\Windows Defender\MSASCui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Agent, %ROOTDRIVE%\Nueva carpeta\install\virus.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\APM.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spiderui.exe
Source: cpcs.exe, 00000012.00000003.2840443937.000000000E02A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\TEMPLATES\AVG\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashwebsv.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav.exe
Source: cpcs.exe, 00000009.00000003.2529369405.0000000009D87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ndows\CurrentVersion\App Paths\360safe.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASVIEWER.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arcacheck.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsdfwd.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spiderml.exe
Source: cpcs.exe, 00000009.00000003.2544720380.000000000D6EC000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2544527727.000000000D6DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\DEFAULT\APPDATA\ROAMING\AVG\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgemc.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Banker, %SYSDIR%\avgnt.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Rogue.MultipleAV, %USERROOT%\Local Settings\Application Data\MSASCui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acals.exe
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\DOCUMENTS\SYS\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdagent.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2GUARD.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acaegmgr.exe
Source: cpcs.exe, 00000009.00000003.2546561141.000000000BF7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASWCLNR.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccprovsp.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav530stbyb.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsTray.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, %APPDATA%\sched.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, %APPDATA%\MsMpEng.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acaas.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgscanx.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Agent.DC, %SYSDIR%\iExplorer\iefix.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defwatch.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam-setup.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Messa, %APPDATA%\virus.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.XTRat, %WINDIR%\avast\nod32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgtray.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsrte.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, %TEMP%\MsMpEng.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fp-win.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-prot.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, %ROOTDRIVE%\windy\Nod32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvsrvxp.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, %SYSDIR%\wbem\360tray.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-stopw.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.MultipleAV.Gen, %TEMP%\mtg\MSASCui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CAPFUPGRADE.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsAuxs.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AFMAIN.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2HIJACKFREESETUP.EXE
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avgtray.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HJTInstall.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe
Source: cpcs.exe, 00000009.00000003.2529281722.0000000009BA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: procexp.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsm32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsshld.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BOOTSAFE.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Agent, %SYSDIR%\InstallDir\avgnt.exe
Source: cpcs.exe, 00000009.00000003.2510009992.0000000003565000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2500648179.0000000002B4E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2500622555.0000000002B48000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2510085331.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509982383.000000000355F000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2509920343.000000000354D000.00000004.00000020.00020000.00000000.sdmp, cpcsgui.exe	Binary or memory string: $vars\commonappdata$\mbam-setup.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccenter.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vba32ldr.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcmgr.exe
Source: cpcs.exe, 00000009.00000003.2533526590.000000000A5C7000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533704715.000000000A5CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MSASCUI.exe
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\DOCUMENTS\SYS\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gmer.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, %TEMP%\MSASCui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\PUBLIC\LOCAL SETTINGS\APPLICATION DATA\AVG\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CATCHME.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Agent, %SYSDIR%\install\virus.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2HIJACKFREE.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\umxcfg.exe
Source: cpcs.exe, 00000009.00000003.2544897121.000000000DD58000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\AVGUARD.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tmbmsrv.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.MultipleAV, %USERROOT%\Templates\MSASCui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CAGLOBALLIGHT.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ufseagnt.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravmond.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtvscan.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashdisp.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onlnsvc.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\COMBOFIX.SCR
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\PUBLIC\LOCAL SETTINGS\APPLICATION DATA\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onlinent.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\portdetective.exe
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HijackThis.exe
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\PUBLIC\LOCAL SETTINGS\APPLICATION DATA\NOD32.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\COMBOFIX.BAT
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ACS.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tmproxy.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TeaTimer.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SUPERAntiSpyware.exe
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Procexp.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav95.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ufnavi.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgupd.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, %MYDOCS%\SYS\msascui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLAMTRAY.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KSafeTray.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2START.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsGui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVMENU.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BC5CA6A.EXE
Source: cpcs.exe, 00000009.00000003.2543791751.000000000DC90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\LOCAL SETTINGS\APPLICATION DATA\AVG\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srengldr.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgas.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ALERTMAN.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kissvc.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsSvc.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000009734000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PWHITE=%PROGRAMFILES%\BitDefender\BitDefender 2013\bdagent.exe
Source: cpcs.exe, 00000009.00000003.2528855901.000000000A101000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533161271.000000000A493000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2528855901.000000000A14E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bdagent.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ABREGMON.EXE.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kasmain.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qoeloader.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CFGMNG32.EXE
Source: cpcs.exe, 00000009.00000003.2545740501.000000000E112000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\LOCAL\TEMP\PROCMON.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdss.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\umxpol.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ALMON.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avengine.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kxetray.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procdump.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.MultipleAV, %USERROOT%\Templates\avg\MSASCui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fameh32.exe
Source: cpcs.exe, 00000009.00000003.2533161271.000000000A44A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: virusutilities.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvxp.kxp
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLAMWIN.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ALSVC.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsgk32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fpwin.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\makereport.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CATEYE.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fprottray.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, %APPDATA%\Microsoft\Virus.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SuperKiller.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AYSERVICENT.AYE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsgk32st.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsmon.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, %APPDATA%\Microsoft\Defender\MSASCui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ollydbg.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fnrb32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkservice.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avenger.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, %MYDOCS%\System\msascui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKTUNERSERVICE.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfp.exe
Source: cpcs.exe, 00000009.00000003.2529734518.000000000A248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AVP.EXE
Source: cpcs.exe, 00000009.00000003.2545740501.000000000E112000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\DEFAULT\APPDATA\LOCAL\TEMP\PROCMON.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fast.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webproxy.exe
Source: cpcs.exe, 00000009.00000003.2544527727.000000000D66D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\APPDATA\ROAMING\AVG\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Downloader, HKCU\Software\Microsoft\Windows\CurrentVersion\Run\|unlockerassistant=data\unlocker\unlockerassistant.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ARCABIT.CORE.LOGGINGSERVICE.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdate.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.MultipleAV, %TEMP%\avg\MSASCui.exe
Source: cpcs.exe, 00000009.00000003.2533389394.000000000A54E000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529734518.000000000A217000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2532883037.000000000A53D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MSASCui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCTRAY.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe
Source: cpcs.exe, 00000009.00000003.2545034326.000000000E01A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\APPDATA\LOCAL\TEMP\PROCMON.EXE
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 360Safe.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-prot95.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, HKCR\Applications\360tray.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashmaisv.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGAMSVR.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Agent.DC, %APPDATA%\SYSTEM\kwatch.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sfctlcom.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Agent, %PROGRAMFILES%\SYSTEM\virus.exe
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avgnt.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acais.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ravtask.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\APT.EXE
Source: cpcs.exe, 00000009.00000003.2534960911.000000000A621000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2533161271.000000000A493000.00000004.00000020.00020000.00000000.sdmp, cpcs.exe, 00000009.00000003.2528855901.000000000A14E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mbam.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fpavserver.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arcavir.exe
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: **\NOD32.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upschd.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CF9409.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\COMBOFIX.COM
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Small, %MYDOCS%\360Safe.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CMAIN.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKWCTL.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGARKT.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\emlproui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav530wtbyb.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavpfw.exe
Source: cpcs.exe, 00000009.00000003.2546826441.000000000D614000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SERVICEPROFILES\NETWORKSERVICE\APPDATA\LOCAL\TEMP\AVP.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswupdsv.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CAPFASEM.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Backdoor, %SYSDIR%\Sys32\cmdagent.exe
Source: cpcs.exe, 00000009.00000003.2529231058.0000000009F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avguard.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fprot.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spidernt.exe
Source: cpcs.exe, 00000009.00000003.2545034326.000000000DFB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\TEMPLATES\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ARCABIT.CORE.CONFIGURATOR2.EXE
Source: cpcs.exe, 00000009.00000003.2546561141.000000000BF7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SERVICEPROFILES\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\MSASCUI.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tpsrv.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxservice.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regmon.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nmain.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ulibcfg.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\umxfwhlp.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\portmonitor.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\umxagent.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKTRAY.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2service.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\emlproxy.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavprsrv.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Security.Hijack, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashserv.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Rogue.MultipleAV, %USERROOT%\Local Settings\Application Data\avG\MSASCui.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.PoisonIvy, %TEMP%\ixp000.tmp\123.exe

Stealing of Sensitive Information

Yara detected GhostRat

Source: Yara match	File source: 0000000F.00000003.2652428311.0000000004663000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cpcs.exe PID: 2412, type: MEMORYSTR

OS version to string mapping found (often used in BOTs)

Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Agent, %SYSDIR%\aaa\Win_Xp.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Agent, %PROGRAMFILES%\Win_Xp.exe
Source: cpcs.exe, 00000009.00000003.2544105021.000000000DDDC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SYSTEM32\MICROSOFT\WIN_XP.EXE
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Agent, %APPDATA%\Win_Xp.exe
Source: cpcs.exe, 00000009.00000003.2544105021.000000000DDDC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SYSWOW64\MICROSOFT\WIN_XP.EXE
Source: cpcs.exe, 00000009.00000003.2546029145.000000000D31E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES (X86)\WIN_XP.EXE.EXEI
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.SpyRat, %SYSDIR%\Microsoft\Win_Xp.exe
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Trojan.Agent, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\|Microsoft WIN_XP
Source: cpcs.exe, 00000009.00000003.2556561426.0000000008334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EXTRA=Backdoor.Bifrose, %WINDIR%\Win_Xp\Win_Xp.exe
Source: cpcs.exe, 00000009.00000003.2541405292.000000000D450000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\SYSWOW64\MICROSOFT\WIN_XP.EXEW

Yara detected Credential Stealer

Source: Yara match

File source: Process Memory Space: cpcs.exe PID: 2412, type: MEMORYSTR

Remote Access Functionality

Yara detected GhostRat

Source: Yara match	File source: 0000000F.00000003.2652428311.0000000004663000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cpcs.exe PID: 2412, type: MEMORYSTR

Windows Analysis Report
chica-pc-shield-1-75-0-1300-en-win.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Cryptography

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

ID:	1545541
Product:	CloudBasic
Start time:	16:56:11
Start date:	30.10.2024
Sample:	chica-pc-shield-1-75-0-1300-en-win.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	1870fbe03e739325c142eacbe1667ff3
SHA1:	7b86308efbcde9175b405445179bbceb196d0f73
SHA256:	fba0337b65c15b029ee4f87b3db5fcfc6ce61a29289d9e6c58d0bcebee995ce0
Filetype:	Win32 Executable (generic) a (10002005/4) 98.86%

Windows Analysis Report chica-pc-shield-1-75-0-1300-en-win.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Cryptography

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
chica-pc-shield-1-75-0-1300-en-win.exe