Windows Analysis Report
pcc_installer_9.7.2227.4112+++.exe

Overview

General Information

Sample name: pcc_installer_9.7.2227.4112+++.exe
Analysis ID: 1426569
MD5: e43c64b4479b27ff0131b6d7fedd5d96
SHA1: ac9030907738f92648c29a14a5b81c51ba1c10f1
SHA256: d1b0073cfb643ac22277ad456374bc6ad9acbdb6404008f8c28fc91f7b9b90f3

Detection

Score: 22
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Signatures

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00E23DF0 BCryptOpenAlgorithmProvider,BCryptCloseAlgorithmProvider, 0_2_00E23DF0
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00E23C30 BCryptGenRandom, 0_2_00E23C30
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00E23EB0 BCryptCloseAlgorithmProvider, 0_2_00E23EB0
Source: pcc_installer_9.7.2227.4112+++.exe, 00000000.00000000.2006802112.0000000001034000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_ba8ced9a-0
Source: pcc_installer_9.7.2227.4112+++.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe File created: C:\ProgramData\Avanquest\PC Cleaner\logs\2024.04.16_10.34.37_pcc_installer_9.7.2227.4112+++_pid=6504.txt
Source: pcc_installer_9.7.2227.4112+++.exe Static PE information: certificate valid
Source: unknown HTTPS traffic detected: 104.16.148.130:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.107.212.238:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.73.195:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.73.195:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.212.94:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.73.195:443 -> 192.168.2.5:49732 version: TLS 1.2
Source: pcc_installer_9.7.2227.4112+++.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: F:\TemporaryBuilds\azure-adaware-pool-build-de-1\11\s\_build\bin\x86\Release\installer.pdb source: pcc_installer_9.7.2227.4112+++.exe
Source: Binary string: E:\sciter\sciter\sdk.js\bin\windows\x32\sciter.pdb` source: sciter.dll
Source: Binary string: E:\sciter\sciter\sdk.js\bin\windows\x32\sciter.pdb source: sciter.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00FC27DE GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 0_2_00FC27DE
Source: Joe Sandbox View JA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: partner-tracking.lavasoft.com
Source: sciter.dll String found in binary or memory: http://%s:%d;https=https://%s:%dHTTP/1.0:
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: http://aia.entrust.net/evcs2-chain.p7c01
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: http://crl.entrust.net/csbr1.crl0
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: http://crl.entrust.net/evcs2.crl0
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: http://crl.entrust.net/g2ca.crl0
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: http://ocsp.entrust.net00
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: http://ocsp.entrust.net01
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: http://ocsp.entrust.net02
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: pcc_installer_9.7.2227.4112+++.exe, 00000000.00000003.2032786316.00000000093E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.
Source: pcc_installer_9.7.2227.4112+++.exe, 00000000.00000003.2032743053.0000000009475000.00000004.00000020.00020000.00000000.sdmp, pcc_installer_9.7.2227.4112+++.exe, 00000000.00000002.3274166770.0000000009522000.00000004.00000800.00020000.00000000.sdmp, pcc_installer_9.7.2227.4112+++.exe, 00000000.00000002.3273324940.000000000939B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: pcc_installer_9.7.2227.4112+++.exe, 00000000.00000003.2032923017.0000000003474000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.066
Source: pcc_installer_9.7.2227.4112+++.exe, 00000000.00000003.2032743053.0000000009475000.00000004.00000020.00020000.00000000.sdmp, pcc_installer_9.7.2227.4112+++.exe, 00000000.00000002.3273324940.000000000939B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0Copyright
Source: pcc_installer_9.7.2227.4112+++.exe, 00000000.00000003.2031840920.0000000003474000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0N
Source: pcc_installer_9.7.2227.4112+++.exe, 00000000.00000003.2032190331.00000000093B9000.00000004.00000020.00020000.00000000.sdmp, pcc_installer_9.7.2227.4112+++.exe, 00000000.00000003.2032606130.00000000099B5000.00000004.00000020.00020000.00000000.sdmp, pcc_installer_9.7.2227.4112+++.exe, 00000000.00000002.3273324940.00000000093D6000.00000004.00000020.00020000.00000000.sdmp, pcc_installer_9.7.2227.4112+++.exe, 00000000.00000003.2032689254.0000000009437000.00000004.00000020.00020000.00000000.sdmp, pcc_installer_9.7.2227.4112+++.exe, 00000000.00000003.2032786316.00000000093E6000.00000004.00000020.00020000.00000000.sdmp, pcc_installer_9.7.2227.4112+++.exe, 00000000.00000003.2032819806.0000000009A05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0RobotoBlack
Source: pcc_installer_9.7.2227.4112+++.exe, 00000000.00000003.2032107026.0000000009964000.00000004.00000020.00020000.00000000.sdmp, pcc_installer_9.7.2227.4112+++.exe, 00000000.00000003.2032743053.0000000009475000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0RobotoLight
Source: pcc_installer_9.7.2227.4112+++.exe, 00000000.00000003.2032819806.0000000009A05000.00000004.00000020.00020000.00000000.sdmp, pcc_installer_9.7.2227.4112+++.exe, 00000000.00000003.2032743053.0000000009475000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0RobotoMedium
Source: pcc_installer_9.7.2227.4112+++.exe, 00000000.00000002.3273324940.00000000093D6000.00000004.00000020.00020000.00000000.sdmp, pcc_installer_9.7.2227.4112+++.exe, 00000000.00000003.2032819806.0000000009A05000.00000004.00000020.00020000.00000000.sdmp, pcc_installer_9.7.2227.4112+++.exe, 00000000.00000002.3273324940.000000000939B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0RobotoThin
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: http://www.entrust.net/rpa0
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: http://www.entrust.net/rpa03
Source: sciter.dll String found in binary or memory: http://www.winimage.com/zLibDll
Source: sciter.dll String found in binary or memory: http://www.winimage.com/zLibDllabcdefghijklmnopqrstuvwxyz0123456789
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: https://analytic.pchelpsoft.com/api/v1/event
Source: pcc_installer_9.7.2227.4112+++.exe, 00000000.00000002.3266256295.0000000001935000.00000004.00000020.00020000.00000000.sdmp, pcc_installer_9.7.2227.4112+++.exe, 00000000.00000003.2032326209.0000000001935000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://analytic.pchelpsoft.com/api/v1/event2
Source: pcc_installer_9.7.2227.4112+++.exe, 00000000.00000002.3266256295.0000000001935000.00000004.00000020.00020000.00000000.sdmp, pcc_installer_9.7.2227.4112+++.exe, 00000000.00000003.2032326209.0000000001935000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://analytic.pchelpsoft.com/api/v1/eventx
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: https://bgk-rapi.adaware.com/api
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: https://bgk-rapi.adaware.com/apihttps://stage-bgk-rapi.adaware.com/api'
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: https://cloud.pchelpsoft.com/desktop/pc-cleaner/install
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: https://cloud.pchelpsoft.com/desktop/pc-cleaner/installSoftware
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: https://curl.se/docs/hsts.html
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: https://geoip.bluebeach-9a0f96b5.northeurope.azurecontainerapps.io/myip
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: https://geoip.bluebeach-9a0f96b5.northeurope.azurecontainerapps.io/myipverify-peerinstallation-idMod
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: https://inapp.pchelpsoft.com/api/v1/event
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: https://inapp.pchelpsoft.com/api/v1/eventBasic
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: https://partner-tracking.lavasoft.com/api/tracking
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: https://partner-tracking.lavasoft.com/api/trackingc6c53987-bc57-4c76-902d-b4816fc590f2
Source: pcc_installer_9.7.2227.4112+++.exe, 00000000.00000002.3266256295.0000000001935000.00000004.00000020.00020000.00000000.sdmp, pcc_installer_9.7.2227.4112+++.exe, 00000000.00000003.2032326209.0000000001935000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paygw.adaware.com/redirect/custom/avanquestpccleaner
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: https://pc-cleaner-updateservice.adaware.com/pccleaner
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: https://pc-cleaner-updateservice.adaware.com/pccleanerInstallerKernel::ScenarioDetector::~ScenarioDe
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: https://sectigo.com/CPS0
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: https://stackoverflow.com/a/36
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: https://stage-analytic.pchelpsoft.com/api/v1/event
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: https://stage-analytic.pchelpsoft.com/api/v1/eventhttps://analytic.pchelpsoft.com/api/v1/eventSessio
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: https://stage-bgk-rapi.adaware.com/api
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: https://stage-inapp.pchelpsoft.com/api/v1/event
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: https://stage-inapp.pchelpsoft.com/api/v1/eventBasic
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: https://stage-paygw.adaware.com/redirect/custom/avanquestpccleanerhttps://paygw.adaware.com/redirect
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: https://store.pchelpsoft.com/clickgate/join.aspx?ref=pchelpsoft.com&ujid=TS3sF3So%2FHA%3D&step=2
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: https://store.pchelpsoft.com/clickgate/join.aspx?ref=pchelpsoft.com&ujid=tQ7K0qOn5OA%3D
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: https://store.pchelpsoft.com/clickgate/join.aspx?ref=pchelpsoft.com&ujid=tQ7K0qOn5OA%3D&mkey1=DEFAUL
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: https://store.pchelpsoft.com/clickgate/join.aspx?ref=pchelpsoft.com&ujid=tQ7K0qOn5OA%3Dcheckouthttps
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: https://www.entrust.net/rpa0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00FB30F0 0_2_00FB30F0
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00FC5790 0_2_00FC5790
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00E1D0F0 0_2_00E1D0F0
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00E1B090 0_2_00E1B090
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00F25010 0_2_00F25010
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00E1F1F0 0_2_00E1F1F0
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00E1A100 0_2_00E1A100
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00E1A3F0 0_2_00E1A3F0
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00E1E380 0_2_00E1E380
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00E1B4C0 0_2_00E1B4C0
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00E6D5E0 0_2_00E6D5E0
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00E1D570 0_2_00E1D570
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00E26670 0_2_00E26670
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00E1C650 0_2_00E1C650
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00F49780 0_2_00F49780
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00E1A720 0_2_00E1A720
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00E1E710 0_2_00E1E710
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00E1A8C0 0_2_00E1A8C0
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00E598D0 0_2_00E598D0
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00FD38B0 0_2_00FD38B0
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00E87890 0_2_00E87890
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00E10820 0_2_00E10820
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00E1E9F0 0_2_00E1E9F0
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00E32940 0_2_00E32940
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00E9C930 0_2_00E9C930
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00E1DAB0 0_2_00E1DAB0
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00E31A30 0_2_00E31A30
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00E74BE0 0_2_00E74BE0
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00DFEBD0 0_2_00DFEBD0
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00E06B20 0_2_00E06B20
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00FE8B30 0_2_00FE8B30
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00FE0CA1 0_2_00FE0CA1
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00FF6E93 0_2_00FF6E93
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00FE0FE3 0_2_00FE0FE3
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_01002E9C 0_2_01002E9C
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00E19F50 0_2_00E19F50
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: String function: 00FD2250 appears 45 times
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: String function: 00E22460 appears 35 times
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: String function: 00F56AB0 appears 32 times
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: String function: 00DE32C0 appears 51 times
Source: pcc_installer_9.7.2227.4112+++.exe Static PE information: Resource name: RT_RCDATA type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: pcc_installer_9.7.2227.4112+++.exe, 00000000.00000002.3268500455.00000000042A6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesciter.dllD vs pcc_installer_9.7.2227.4112+++.exe
Source: pcc_installer_9.7.2227.4112+++.exe, 00000000.00000002.3267744460.0000000003C48000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesciter.dllD vs pcc_installer_9.7.2227.4112+++.exe
Source: pcc_installer_9.7.2227.4112+++.exe, 00000000.00000002.3278570408.000000006CACD000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFilenamesciter.dllD vs pcc_installer_9.7.2227.4112+++.exe
Source: pcc_installer_9.7.2227.4112+++.exe Binary or memory string: OriginalFilenamePC Cleaner Installer.exe6 vs pcc_installer_9.7.2227.4112+++.exe
Source: classification engine Classification label: sus22.evad.winEXE@1/10@4/5
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00E87890 CoCreateInstance,VariantInit,VariantClear,VariantClear,VariantClear,std::_Throw_Cpp_error,std::_Throw_Cpp_error,VariantClear,SysAllocString,VariantClear,VariantClear,SysAllocString,VariantClear,SysAllocString,SysAllocString,SysFreeString,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear, 0_2_00E87890
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00E30B40 FindResourceW,LoadResource,LockResource,SizeofResource, 0_2_00E30B40
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe File created: C:\Users\user\AppData\Roaming\Avanquest
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Mutant created: \Sessions\1\BaseNamedObjects\c6c53987-bc57-4c76-902d-b4816fc590f2
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe File created: C:\Users\user\AppData\Local\Temp\5d06d429-dca2-4a00-a698-747e6e242f0f
Source: pcc_installer_9.7.2227.4112+++.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: iphlpapi.dllif_nametoindexLoadLibraryExW\/AddDllDirectoryschannel
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: installer:analytics-helper.h
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: installer:analytics-helper.hinvalid fill character '{'
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: QAInstallerApplicationcomponentIndexcomponentsCountcurrentComponentTypedownloadingdescriptionpositionanother-installation-in-progressprogress-changedhide-window-request`anonymous-namespace'::ScenarioExecutorAsset::ScenarioExecutorAsset`anonymous-namespace'::ScenarioExecutorAsset::GetInstallDirget install dir`anonymous-namespace'::ScenarioExecutorAsset::SetInstallDirset install dir. path={}`anonymous-namespace'::ScenarioExecutorAsset::GetCreateDesktopShortcutget create desktop shortcut`anonymous-namespace'::ScenarioExecutorAsset::SetCreateDesktopShortcutset create desktop shortcut={}`anonymous-namespace'::ScenarioExecutorAsset::GetLaunchDesktopget launch desktop`anonymous-namespace'::ScenarioExecutorAsset::SetLaunchDesktopset launch desktop={}`anonymous-namespace'::ScenarioExecutorAsset::GetStartScanget start scan`anonymous-namespace'::ScenarioExecutorAsset::SetStartScanset start scan={}`anonymous-namespace'::ScenarioExecutorAsset::Start`anonymous-namespace'::ScenarioExecutorAsset::Interrupt`anonymous-namespace'::ScenarioExecutorAsset::CreateNetworkMonitor`anonymous-namespace'::ScenarioExecutorAsset::IsInternetConnectionAvailableScenarioExecutorInstallDirCreateDesktopShortcutLaunchDesktopStartScan`anonymous-namespace'::ScenarioExecutorAsset::Init`anonymous-namespace'::ScenarioExecutorAsset::AttachSignalsBaseAsset<class `anonymous namespace'::ScenarioExecutorAsset>::onBeforeReleaseBaseAsset<class `anonymous namespace'::ScenarioExecutorAsset>::removeListenerBaseAsset<class `anonymous namespace'::ScenarioExecutorAsset>::onBaseAsset<class `anonymous namespace'::ScenarioExecutorAsset>::FireEvent`anonymous-namespace'::ScenarioExecutorAsset::AttachSignals::<lambda_7>::operator ()`anonymous-namespace'::ScenarioExecutorAsset::AttachSignals::<lambda_6>::operator ()`anonymous-namespace'::ScenarioExecutorAsset::AttachSignals::<lambda_5>::operator ()`anonymous-namespace'::ScenarioExecutorAsset::AttachSignals::<lambda_4>::operator ()on HideWindowRequest default handler. fire - {}`anonymous-namespace'::ScenarioExecutorAsset::AttachSignals::<lambda_3>::operator ()on ProgressChanged default handler. fire - {}`anonymous-namespace'::ScenarioExecutorAsset::AttachSignals::<lambda_2>::operator ()on AnotherInstallationInProgress default handler. fire - {}`anonymous-namespace'::ScenarioExecutorAsset::AttachSignals::<lambda_1>::operator ()
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: cpr-helper-lib-mt:proxies.cpp
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: cpr-helper-lib-mt:proxies.cppbad lexical cast: source type value could not be interpreted as targethttp://=;
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: msi-helper-lib-mt:product.cpp
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: msi-helper-lib-mt:product.cppfailed to lock resourcefailed to load resourcefailed to get module handlefailed to get size of resource. error=failed to create zip archive from bufferfailed to find resourceno item in archive
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: +`UserSID** Private DATA **%USERPROFILE%ComputerNameUSERNAMEInstallerKernel::ScenarioExecutor::Signals::AttachOnAnotherInstallationInProgressattach on another installation in progressInstallerKernel::ScenarioExecutor::Signals::AttachOnStartedInstallerKernel::ScenarioExecutor::Signals::AttachOnHideWindowRequestattach on hide windows requestInstallerKernel::ScenarioExecutor::Signals::AttachOnProgressChangedattach on progress changedInstallerKernel::ScenarioExecutor::Signals::AttachOnErrorInstallerKernel::ScenarioExecutor::ScenarioExecutorInstallerKernel::ScenarioExecutor::Signals::AttachOnFinishedInstallerKernel::ScenarioExecutor::Signals::AttachOnInterruptedInstallerKernel::ScenarioExecutor::AttachOnAnotherInstallationInProgressInstallerKernel::ScenarioExecutor::AttachOnProgressChangedInstallerKernel::ScenarioExecutor::~ScenarioExecutorInstallerKernel::ScenarioExecutor::AttachOnStartedInstallerKernel::ScenarioExecutor::AttachOnFinishedInstallerKernel::ScenarioExecutor::AttachOnInterruptedInstallerKernel::ScenarioExecutor::AttachOnHideWindowRequestattach on hide window requestget install dir. path={}InstallerKernel::ScenarioExecutor::SetInstallDirInstallerKernel::ScenarioExecutor::AttachOnErrorInstallerKernel::ScenarioExecutor::GetInstallDirInstallerKernel::ScenarioExecutor::SetCreateDesktopShortcutset create desktop shortcut. value={}InstallerKernel::ScenarioExecutor::GetCreateDesktopShortcutget create desktop shortcut. value={}set launch desktop. value={}InstallerKernel::ScenarioExecutor::GetStartScanAfterLaunchInstallerKernel::ScenarioExecutor::GetLaunchDesktopInstallerKernel::ScenarioExecutor::SetLaunchDesktopset start scan after launch. value={}failed to execute scenario. error={}get start scan after launchInstallerKernel::ScenarioExecutor::SetStartScanAfterLaunchscenario execution interrupted. scenario={}another installation in progressExecuteScenarioInstallerKernel::ScenarioExecutor::Start::<lambda_1>::operator ()unknownfailed to execute scenario. scenario={}. error={}failed to execute scenario. scenario={}. error=unknownInstallerKernel::ScenarioExecutor::JoinInstallerKernel::ScenarioExecutor::IsCompletedInstallerKernel::ScenarioExecutor::StartInstallerKernel::ScenarioExecutor::Interruptset default install dir pathProgramW6432is completedInstallerKernel::ScenarioExecutor::SetDefaultInstallDirPathinstall_dir={}InstallerKernel::ScenarioExecutor::ExecuteScenariofailed to get env ProgramW6432C:\Program Filesexecute scenario. scenario={}--first-run --start-scanInstallerKernel::ScenarioExecutor::LaunchDesktoplaunch desktopdesktop_path={}InstallerKernel::ComponentFactory::GetComponentunknown componentunknown component. component={}
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: +`get original paramsModulesCommon::PartnerParams::GetOriginalParamshttps://cloud.pchelpsoft.com/desktop/pc-cleaner/installSoftware\{}\{}x-gtm-server-previewZW52LTIyMnxxY3ZqbmRvaHZHZ3NOeXc5N3pWS3d3fDE4YzEwNDg1ZWZlMjhlZjY3ZDRjMQ==Cannot write DWORD value: RegSetValueExW failed.executeInstallerKernel::InstallScenario::ExecuteInstallerKernel::InstallScenario::InstallScenarioinstall scenario failed. error={}install scenario interruptedStartServiceGTMPostInstallupdate installation registry recordInstallerKernel::InstallScenario::UpdateInstallationRegistryRecordget components to installInstallerKernel::InstallScenario::GetComponentsToInstallinstallation registry record updatedinstallation registry record createdfailed to create installation registry record. error={}, msg={}installation registry record not found. create one at {}gmt response. status code={}, text={}do GMT post install callInstallerKernel::InstallScenario::DoGTMPostInstallCallinstalledInstallerKernel::InstallScenario::InstallComponentsfailed to post partner params to gmt. error={}failed to post gmt partner params. status code={}, text={}, error={}, message={}gmt post successInstallComponentinstall componentsStopServiceStopApplicationInstallerKernel::UninstallScenario::ExecuteInstallerKernel::UninstallScenario::UninstallScenarioInstallerKernel::UninstallScenario::GetComponentsToUninstalluninstall scenario failed. error={}uninstall scenario interruptedDeleteCommonAppDataDirUninstallComponentuninstall componentsInstallerKernel::UninstallScenario::UninstallComponentsget components to uninstallInstallerKernel::UninstallScenario::DeletePathAfterRebootfailed to delete common app data dir. error={}delete common app data dirInstallerKernel::UninstallScenario::DeleteCommonAppDataDirfailed to MoveFileEx. error={}. path={}{} will be deleted after rebootdelete path after reboot. path={}
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: +`service-controller.exe Serviceservice_controller_file_path={}--stop-servicefailed to stop via rpc. error={}InstallerKernel::ServiceController::StopInstallerKernel::ServiceController::Startfailed to start service. error={}InstallerKernel::ServiceController::StopViaRpcstop via rpcstopfailed to stop service={}. status={:#x}'installer-kernel:service-controller.cppServiceHelper::CheckServiceStatefailed to get service state. error={}`
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: msi-helper-lib-mt:msi-transaction.cpp
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: JFKF%msi-helper-lib-mt:msi-transaction.cpp
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: process_helper_lib_mt:process-helper.cpp
Source: pcc_installer_9.7.2227.4112+++.exe String found in binary or memory: JFKF(process_helper_lib_mt:process-helper.cpp
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: msi.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: dbgcore.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: d2d1.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: icu.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: netprofm.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: npmproxy.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: dataexchange.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: directmanipulation.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: uiautomationcore.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: pcc_installer_9.7.2227.4112+++.exe Static PE information: certificate valid
Source: pcc_installer_9.7.2227.4112+++.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: pcc_installer_9.7.2227.4112+++.exe Static file information: File size 8440840 > 1048576
Source: pcc_installer_9.7.2227.4112+++.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x262c00
Source: pcc_installer_9.7.2227.4112+++.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1a3400
Source: pcc_installer_9.7.2227.4112+++.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x3c6800
Source: pcc_installer_9.7.2227.4112+++.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: pcc_installer_9.7.2227.4112+++.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: pcc_installer_9.7.2227.4112+++.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: pcc_installer_9.7.2227.4112+++.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: pcc_installer_9.7.2227.4112+++.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: pcc_installer_9.7.2227.4112+++.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: pcc_installer_9.7.2227.4112+++.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: pcc_installer_9.7.2227.4112+++.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: F:\TemporaryBuilds\azure-adaware-pool-build-de-1\11\s\_build\bin\x86\Release\installer.pdb source: pcc_installer_9.7.2227.4112+++.exe
Source: Binary string: E:\sciter\sciter\sdk.js\bin\windows\x32\sciter.pdb` source: sciter.dll
Source: Binary string: E:\sciter\sciter\sdk.js\bin\windows\x32\sciter.pdb source: sciter.dll
Source: pcc_installer_9.7.2227.4112+++.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: pcc_installer_9.7.2227.4112+++.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: pcc_installer_9.7.2227.4112+++.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: pcc_installer_9.7.2227.4112+++.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: pcc_installer_9.7.2227.4112+++.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00DE8120 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_00DE8120
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00FD1EF4 push ecx; ret 0_2_00FD1F07
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe File created: C:\Users\user\AppData\Local\Temp\5d06d429-dca2-4a00-a698-747e6e242f0f\sciter.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe File created: C:\ProgramData\Avanquest\PC Cleaner\logs\2024.04.16_10.34.37_pcc_installer_9.7.2227.4112+++_pid=6504.txt
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00FC5390 LoadLibraryExW,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,SetLastError, 0_2_00FC5390
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled=TRUE AND InterfaceIndex=14
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Window / User API: windowPlacementGot 680
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5d06d429-dca2-4a00-a698-747e6e242f0f\sciter.dll
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe TID: 6484 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00FC27DE GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 0_2_00FC27DE
Source: pcc_installer_9.7.2227.4112+++.exe, 00000000.00000003.2032326209.00000000018EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: pcc_installer_9.7.2227.4112+++.exe, 00000000.00000002.3266256295.0000000001935000.00000004.00000020.00020000.00000000.sdmp, pcc_installer_9.7.2227.4112+++.exe, 00000000.00000003.2032326209.0000000001935000.00000004.00000020.00020000.00000000.sdmp, pcc_installer_9.7.2227.4112+++.exe, 00000000.00000003.2032326209.00000000018BD000.00000004.00000020.00020000.00000000.sdmp, pcc_installer_9.7.2227.4112+++.exe, 00000000.00000002.3266256295.00000000018A6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: pcc_installer_9.7.2227.4112+++.exe, 00000000.00000003.2032326209.00000000018EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringComputer System ProductComputer System ProductDUC62T2ED92742-89DC-DD72-92E8-869FA5A66493VMware, Inc.Noney*
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00FDD5F2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00FDD5F2
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00DE8120 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_00DE8120
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00FD1CB5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00FD1CB5
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_01002178
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_01002354
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: GetLocaleInfoEx,FormatMessageA, 0_2_00FC2451
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: EnumSystemLocalesW, 0_2_00FF97B2
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_010019DF
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: EnumSystemLocalesW, 0_2_01001D71
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: GetLastError,GetLocaleInfoEx, 0_2_00FC5C79
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: GetLocaleInfoW, 0_2_00FF9D75
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: EnumSystemLocalesW, 0_2_01001C8B
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: EnumSystemLocalesW, 0_2_01001CD6
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00FD2295 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00FD2295
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00FFBAEC GetTimeZoneInformation, 0_2_00FFBAEC
Source: C:\Users\user\Desktop\pcc_installer_9.7.2227.4112+++.exe Code function: 0_2_00E6FA70 GetModuleHandleW,GetProcAddress,RtlGetVersion,GetProcAddress,RtlGetVersion, 0_2_00E6FA70