Play interactive tour

Edit tour

Analysis Report PCHelpSoftDriverUpdater.exe

Overview

General Information

Sample Name:	PCHelpSoftDriverUpdater.exe
Analysis ID:	373291
MD5:	f4b86e43f13c4e9600dc455531f5c83d
SHA1:	06c5151bd700d3cf5e25f8bd891b7df0bf8055a4
SHA256:	672325a3d825c1825ec3a9576b490b5fe6c5237a1a5e345c95234e9351f6d9c3
Infos:
Most interesting Screenshot:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Classification

Startup

System is w10x64

PCHelpSoftDriverUpdater.exe (PID: 6536 cmdline: 'C:\Users\user\Desktop\PCHelpSoftDriverUpdater.exe' MD5: F4B86E43F13C4E9600DC455531F5C83D)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
PCHelpSoftDriverUpdater.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.348011977.0000000000401000.00000020.00020000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000000.00000000.334331696.0000000000401000.00000020.00020000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.PCHelpSoftDriverUpdater.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0.0.PCHelpSoftDriverUpdater.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: PCHelpSoftDriverUpdater.exe	Virustotal: Detection: 10%			Perma Link
Source: PCHelpSoftDriverUpdater.exe	ReversingLabs: Detection: 17%

Source: PCHelpSoftDriverUpdater.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED

Source: PCHelpSoftDriverUpdater.exe	Static PE information: certificate valid
Source: PCHelpSoftDriverUpdater.exe	Static PE information: certificate valid

Source: PCHelpSoftDriverUpdater.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingg20
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt08
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: http://www.indyproject.org/
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: http://www.pchelpsoft.com/images/build-phone-banners/phone_activation.png
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: https://cdn.pchelpsoft.com/pchelpsoft/PC_Cleaner.exeU
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: https://webtools.avanquest.com/redirect.cfm?eredirectId=pchelpsoft/driver-updater-5-home.htm
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: https://webtools.avanquest.com/redirect.cfm?eredirectId=pchelpsoft/driver-updater-5-renew.htm
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: https://webtools.avanquest.com/redirect.cfm?eredirectId=pchelpsoft/driver-updater-5-support.htm
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: https://webtools.avanquest.com/redirect.cfm?eredirectId=pchelpsoft/driver-updater-5-uninstall.htm
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: https://webtools.avanquest.com/redirect.cfm?eredirectId=pchelpsoft/driver-updater-5-upsell.htm
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: https://webtools.avanquest.com/redirect.cfm?eredirectId=pchelpsoft/driver_updater_buy.htm
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: https://webtools.avanquest.com/redirect.cfm?redirectId=pchelpsoft/driver_updater_postinstall.htm
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: https://webtools.avanquest.com/redirect.cfm?redirectId=pchelpsoft/driver_updater_update_param.htm
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: https://www.globalsign.com/repository/0
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: https://www.globalsign.com/repository/03
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: https://www.globalsign.com/repository/06
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: https://www.pchelpsoft.com
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: https://www.pchelpsoft.com/company/eula/
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: https://www.pchelpsoft.com/company/eula/U
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: https://www.pchelpsoft.com/company/privacy-policy/
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: https://www.pchelpsoft.com/company/privacy-policy/U
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: https://www.pchelpsoft.com/de/company/eula/
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: https://www.pchelpsoft.com/de/company/privacy-policy/
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: https://www.pchelpsoft.com/es/company/eula/
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: https://www.pchelpsoft.com/es/company/privacy-policy/
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: https://www.pchelpsoft.com/fr/company/eula/
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: https://www.pchelpsoft.com/fr/company/privacy-policy/
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: https://www.pchelpsoft.com/product/pc-cleaner/

Source: PCHelpSoftDriverUpdater.exe

Static PE information: Resource name: RT_RCDATA type: PE32+ executable (GUI) x86-64, for MS Windows

Source: PCHelpSoftDriverUpdater.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: PCHelpSoftDriverUpdater.exe, 00000000.00000002.351241548.0000000000A25000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamestub64.exeV vs PCHelpSoftDriverUpdater.exe
Source: PCHelpSoftDriverUpdater.exe	Binary or memory string: OriginalFilenamestub64.exeV vs PCHelpSoftDriverUpdater.exe

Source: C:\Users\user\Desktop\PCHelpSoftDriverUpdater.exe

Section loaded: sqlite3.dll

Jump to behavior

Source: PCHelpSoftDriverUpdater.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED

Source: PCHelpSoftDriverUpdater.exe

Binary string: \Device\HarddiskVolume

Source: classification engine

Classification label: mal48.winEXE@1/0@0/0

Source: Yara match	File source: PCHelpSoftDriverUpdater.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000002.348011977.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.334331696.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.PCHelpSoftDriverUpdater.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.PCHelpSoftDriverUpdater.exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\PCHelpSoftDriverUpdater.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PCHelpSoftDriverUpdater.exe	Virustotal: Detection: 10%
Source: PCHelpSoftDriverUpdater.exe	ReversingLabs: Detection: 17%

Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: NATS-SEFI-ADD
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: NATS-DANO-ADD
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: jp-ocr-b-add
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: jp-ocr-hand-add
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: ISO_6937-2-add
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: ;application/vnd.adobe.air-application-installer-package+zip
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: application/vnd.groove-help
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: "application/x-install-instructions
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: 250-STARTTLS
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: 80-no-installed
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: /stat/install
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: /stat/install_ex
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: /stat/install_break
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: /install /quiet /norestart
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: ins+66.2-start-process
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: ins-63-install
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: CANCEL-INSTALLING
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: ins+65-installing
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: ins+67-installed
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: ins-69-install-finally
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: 20-update-started
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: 50-scan-started
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: new-10-start
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: old-10-startU
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: res-10-start-
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: restatus-19-installing-
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: 60-restore-started
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: 20-backup-started
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: 10-started
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: /INSTALL
Source: PCHelpSoftDriverUpdater.exe	String found in binary or memory: Start with /INSTALL

Source: PCHelpSoftDriverUpdater.exe	Static PE information: certificate valid
Source: PCHelpSoftDriverUpdater.exe	Static PE information: certificate valid

Source: PCHelpSoftDriverUpdater.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: PCHelpSoftDriverUpdater.exe

Static file information: File size 7534336 > 1048576

Source: PCHelpSoftDriverUpdater.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x577600
Source: PCHelpSoftDriverUpdater.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x181200

Source: PCHelpSoftDriverUpdater.exe

Static PE information: More than 200 imports for user32.dll

Source: PCHelpSoftDriverUpdater.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: PCHelpSoftDriverUpdater.exe

Static PE information: section name: .didata

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: PCHelpSoftDriverUpdater.exe	Binary or memory string: VMware
Source: PCHelpSoftDriverUpdater.exe	Binary or memory string: VMware VMCI Host Device

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	DLL Side-Loading1	DLL Side-Loading1	DLL Side-Loading1	OS Credential Dumping	Security Software Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	System Information Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PCHelpSoftDriverUpdater.exe	10%	Virustotal		Browse
PCHelpSoftDriverUpdater.exe	3%	Metadefender		Browse
PCHelpSoftDriverUpdater.exe	18%	ReversingLabs	Win32.PUA.Avanquest

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.indyproject.org/	0%	URL Reputation	safe
http://www.indyproject.org/	0%	URL Reputation	safe
http://www.indyproject.org/	0%	URL Reputation	safe
http://www.indyproject.org/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.pchelpsoft.com/company/eula/U	PCHelpSoftDriverUpdater.exe	false		high
https://www.pchelpsoft.com	PCHelpSoftDriverUpdater.exe	false		high
https://webtools.avanquest.com/redirect.cfm?eredirectId=pchelpsoft/driver-updater-5-upsell.htm	PCHelpSoftDriverUpdater.exe	false		high
https://www.pchelpsoft.com/product/pc-cleaner/	PCHelpSoftDriverUpdater.exe	false		high
http://www.pchelpsoft.com/images/build-phone-banners/phone_activation.png	PCHelpSoftDriverUpdater.exe	false		high
https://webtools.avanquest.com/redirect.cfm?redirectId=pchelpsoft/driver_updater_update_param.htm	PCHelpSoftDriverUpdater.exe	false		high
https://www.pchelpsoft.com/fr/company/privacy-policy/	PCHelpSoftDriverUpdater.exe	false		high
https://www.pchelpsoft.com/de/company/eula/	PCHelpSoftDriverUpdater.exe	false		high
https://cdn.pchelpsoft.com/pchelpsoft/PC_Cleaner.exeU	PCHelpSoftDriverUpdater.exe	false		high
https://webtools.avanquest.com/redirect.cfm?redirectId=pchelpsoft/driver_updater_postinstall.htm	PCHelpSoftDriverUpdater.exe	false		high
https://webtools.avanquest.com/redirect.cfm?eredirectId=pchelpsoft/driver-updater-5-renew.htm	PCHelpSoftDriverUpdater.exe	false		high
http://schemas.xmlsoap.org/soap/envelope/	PCHelpSoftDriverUpdater.exe	false		high
https://webtools.avanquest.com/redirect.cfm?eredirectId=pchelpsoft/driver-updater-5-uninstall.htm	PCHelpSoftDriverUpdater.exe	false		high
https://webtools.avanquest.com/redirect.cfm?eredirectId=pchelpsoft/driver-updater-5-home.htm	PCHelpSoftDriverUpdater.exe	false		high
https://www.pchelpsoft.com/company/privacy-policy/U	PCHelpSoftDriverUpdater.exe	false		high
https://www.pchelpsoft.com/es/company/privacy-policy/	PCHelpSoftDriverUpdater.exe	false		high
http://www.indyproject.org/	PCHelpSoftDriverUpdater.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.pchelpsoft.com/es/company/eula/	PCHelpSoftDriverUpdater.exe	false		high
https://www.pchelpsoft.com/company/eula/	PCHelpSoftDriverUpdater.exe	false		high
https://www.pchelpsoft.com/company/privacy-policy/	PCHelpSoftDriverUpdater.exe	false		high
https://webtools.avanquest.com/redirect.cfm?eredirectId=pchelpsoft/driver_updater_buy.htm	PCHelpSoftDriverUpdater.exe	false		high
https://www.pchelpsoft.com/de/company/privacy-policy/	PCHelpSoftDriverUpdater.exe	false		high
https://www.pchelpsoft.com/fr/company/eula/	PCHelpSoftDriverUpdater.exe	false		high
https://webtools.avanquest.com/redirect.cfm?eredirectId=pchelpsoft/driver-updater-5-support.htm	PCHelpSoftDriverUpdater.exe	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	373291
Start date:	22.03.2021
Start time:	21:32:21
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PCHelpSoftDriverUpdater.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.444152498205596
TrID:	Win32 Executable (generic) a (10002005/4) 98.45% Inno Setup installer (109748/4) 1.08% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	PCHelpSoftDriverUpdater.exe
File size:	7534336
MD5:	f4b86e43f13c4e9600dc455531f5c83d
SHA1:	06c5151bd700d3cf5e25f8bd891b7df0bf8055a4
SHA256:	672325a3d825c1825ec3a9576b490b5fe6c5237a1a5e345c95234e9351f6d9c3
SHA512:	2f129895ef233153357c5b5a68c95d318ffacb377f8eec5d96fc2db7942913bed3e965f5d8ab22290f9f6269dfd6e66af1f067ab8a32115a2385261b1dba6e35
SSDEEP:	98304:1rop0DMd1ZeIGAfhV/G5WCM1om3R113aYskgzAaxXE8I+DP:18p0DMPZeIJb/domZ3Jj1z8IiP
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	62eececae6b6e120

Static PE Info

General
Entrypoint:	0x97e178
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6022A598 [Tue Feb 9 15:09:12 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	13db1f725255bb231bd388e4cee83093

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	2/17/2020 1:34:33 PM 6/3/2021 11:15:28 AM
Subject Chain	E=mark@pchelpsoft.com, CN=PC HelpSoft Labs Inc, OU=Software, O=PC HelpSoft Labs Inc, STREET=455 Sitkum Rd Unit 312, L=Victoria, S=British Columbia, C=CA, OID.1.3.6.1.4.1.311.60.2.1.2=British Columbia, OID.1.3.6.1.4.1.311.60.2.1.3=CA, SERIALNUMBER=0884553, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	D54A425613E3EF92B691C9F5D9CFC3C0
Thumbprint SHA-1:	739339F5BFCE5D3D35306187EB565D5E3D153104
Thumbprint SHA-256:	B4B17BB6152810B746E55E7B31946396BBD84F002FA677DD8F3A634E9468F258
Serial:	726588307C76C615C7BE4882

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
mov ecx, 00000024h
push 00000000h
push 00000000h
dec ecx
jne 00007F71748844DBh
push ecx
push ebx
push esi
push edi
mov eax, 009638C4h
call 00007F71743149A8h
xor eax, eax
push ebp
push 0097EA2Ah
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
mov edx, 009ADDD0h
mov eax, 00000001h
call 00007F717430D38Fh
call 00007F7174844B12h
mov al, 01h
call 00007F71746ED067h
mov eax, dword ptr [009ADDD0h]
mov edx, 0097EA48h
call 00007F717431138Ch
jne 00007F717488451Ah
push 0097EA60h
push 00000000h
push 001F0001h
call 00007F71743186D5h
test eax, eax
jne 00007F7174884CE4h
push 0097EA60h
push 00000000h
push 00000000h
call 00007F71743180F7h
xor eax, eax
call 00007F71748422ACh
call 00007F7174868C03h
jmp 00007F7174884CC4h
mov eax, dword ptr [009ADDD0h]
mov edx, 0097EA94h
call 00007F7174311343h
jne 00007F7174884535h
push 0097EAB0h
push 00000000h
push 001F0001h
call 00007F717431868Ch
test eax, eax
jne 00007F7174884C9Bh
push 0097EAB0h
push 00000000h
push 00000000h
call 00007F71743180AEh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x5b5000	0x99	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5ae000	0x5c7c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5b8000	0x181200	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x72bc00	0x3b00	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x5b7000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5af138	0xdf0	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x5b4000	0xebe	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x577470	0x577600	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.itext	0x579000	0x5f2c	0x6000	False	0.441284179688	data	6.08033157391	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x57f000	0x25cf4	0x25e00	False	0.333049711221	data	5.75668513604	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.bss	0x5a5000	0x8ea8	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0x5ae000	0x5c7c	0x5e00	False	0.299825465426	data	5.25983356278	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.didata	0x5b4000	0xebe	0x1000	False	0.32177734375	data	4.00225783822	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.edata	0x5b5000	0x99	0x200	False	0.265625	data	1.88445853555	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x5b6000	0x64c	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata	0x5b7000	0x5d	0x200	False	0.193359375	data	1.37922570427	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x5b8000	0x181200	0x181200	False	0.378956330128	data	6.52299052797	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x5bbc84	0x134	data	English	United States
RT_CURSOR	0x5bbdb8	0x134	data	English	United States
RT_CURSOR	0x5bbeec	0x134	data	English	United States
RT_CURSOR	0x5bc020	0x134	data	English	United States
RT_CURSOR	0x5bc154	0x134	data	English	United States
RT_CURSOR	0x5bc288	0x134	data	English	United States
RT_CURSOR	0x5bc3bc	0x134	data	English	United States
RT_BITMAP	0x5bc4f0	0x1d0	data	English	United States
RT_BITMAP	0x5bc6c0	0x1e4	data	English	United States
RT_BITMAP	0x5bc8a4	0x1d0	data	English	United States
RT_BITMAP	0x5bca74	0x1d0	data	English	United States
RT_BITMAP	0x5bcc44	0x1d0	data	English	United States
RT_BITMAP	0x5bce14	0x1d0	data	English	United States
RT_BITMAP	0x5bcfe4	0x1d0	data	English	United States
RT_BITMAP	0x5bd1b4	0x1d0	data	English	United States
RT_BITMAP	0x5bd384	0x1d0	data	English	United States
RT_BITMAP	0x5bd554	0x1d0	data	English	United States
RT_ICON	0x5bd724	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295	English	United States
RT_ICON	0x5c194c	0x25a8	data	English	United States
RT_ICON	0x5c3ef4	0x10a8	data	English	United States
RT_ICON	0x5c4f9c	0x988	data	English	United States
RT_ICON	0x5c5924	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_STRING	0x5c5d8c	0x284	data
RT_STRING	0x5c6010	0x2b0	data
RT_STRING	0x5c62c0	0x468	data
RT_STRING	0x5c6728	0x55c	data
RT_STRING	0x5c6c84	0xb04	data
RT_STRING	0x5c7788	0x77c	data
RT_STRING	0x5c7f04	0x420	data
RT_STRING	0x5c8324	0x898	data
RT_STRING	0x5c8bbc	0x106c	data
RT_STRING	0x5c9c28	0x9f8	data
RT_STRING	0x5ca620	0x894	data
RT_STRING	0x5caeb4	0x87c	data
RT_STRING	0x5cb730	0x400	data
RT_STRING	0x5cbb30	0x2cc	data
RT_STRING	0x5cbdfc	0x3dc	data
RT_STRING	0x5cc1d8	0x404	data
RT_STRING	0x5cc5dc	0x600	data
RT_STRING	0x5ccbdc	0x3c8	data
RT_STRING	0x5ccfa4	0x48c	data
RT_STRING	0x5cd430	0x428	data
RT_STRING	0x5cd858	0x34c	data
RT_STRING	0x5cdba4	0x390	data
RT_STRING	0x5cdf34	0x288	data
RT_STRING	0x5ce1bc	0x4b0	data
RT_STRING	0x5ce66c	0x49c	data
RT_STRING	0x5ceb08	0x34c	data
RT_STRING	0x5cee54	0x368	data
RT_STRING	0x5cf1bc	0xac	data
RT_STRING	0x5cf268	0x15c	data
RT_STRING	0x5cf3c4	0x108	data
RT_STRING	0x5cf4cc	0x494	data
RT_STRING	0x5cf960	0x3cc	data
RT_STRING	0x5cfd2c	0x45c	data
RT_STRING	0x5d0188	0x350	data
RT_STRING	0x5d04d8	0x3e0	data
RT_STRING	0x5d08b8	0x600	data
RT_STRING	0x5d0eb8	0x43c	data
RT_STRING	0x5d12f4	0x388	data
RT_STRING	0x5d167c	0x374	data
RT_STRING	0x5d19f0	0x450	data
RT_STRING	0x5d1e40	0x138	data
RT_STRING	0x5d1f78	0xcc	data
RT_STRING	0x5d2044	0x1f8	data
RT_STRING	0x5d223c	0x40c	data
RT_STRING	0x5d2648	0x384	data
RT_STRING	0x5d29cc	0x310	data
RT_STRING	0x5d2cdc	0x334	data
RT_RCDATA	0x5d3010	0xfc	PNG image data, 240 x 24, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x5d310c	0xf4	PNG image data, 140 x 28, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x5d3200	0x12b	PNG image data, 250 x 45, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x5d332c	0xf4	PNG image data, 152 x 29, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x5d3420	0x158	PNG image data, 200 x 45, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x5d3578	0xed	PNG image data, 99 x 29, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x5d3668	0xbc	PNG image data, 99 x 29, 4-bit colormap, non-interlaced	Russian	Russia
RT_RCDATA	0x5d3724	0x1fb	PNG image data, 22 x 22, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x5d3920	0x19a	PNG image data, 676 x 51, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_RCDATA	0x5d3abc	0xb64	PNG image data, 152 x 29, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_RCDATA	0x5d4620	0x10b	PNG image data, 200 x 45, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x5d472c	0x100	PNG image data, 99 x 29, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x5d482c	0x10b	PNG image data, 229 x 32, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x5d4938	0xc21	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_RCDATA	0x5d555c	0xc2e	PNG image data, 17 x 19, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_RCDATA	0x5d618c	0xbe9	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_RCDATA	0x5d6d78	0xc1f	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_RCDATA	0x5d7998	0x4d2	PNG image data, 20 x 20, 8-bit colormap, non-interlaced	Russian	Russia
RT_RCDATA	0x5d7e6c	0x240	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_RCDATA	0x5d80ac	0xb17	PNG image data, 17 x 19, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_RCDATA	0x5d8bc4	0x5c7	data	English	United States
RT_RCDATA	0x5d918c	0x10	data
RT_RCDATA	0x5d919c	0x132	PNG image data, 212 x 50, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x5d92d0	0xf99	PNG image data, 800 x 606, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x5da26c	0x7b4	PNG image data, 500 x 500, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x5daa20	0x6c7	PNG image data, 500 x 375, 8-bit colormap, non-interlaced	Russian	Russia
RT_RCDATA	0x5db0e8	0x69a	PNG image data, 400 x 460, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x5db784	0x3a4	PNG image data, 350 x 260, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x5dbb28	0x34e	PNG image data, 350 x 230, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x5dbe78	0x56e	PNG image data, 380 x 210, 8-bit colormap, non-interlaced	Russian	Russia
RT_RCDATA	0x5dc3e8	0x3e9	PNG image data, 450 x 250, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x5dc7d4	0x4f6	PNG image data, 510 x 310, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x5dcccc	0x52e	PNG image data, 450 x 350, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x5dd1fc	0x650	PNG image data, 500 x 300, 8-bit colormap, non-interlaced	Russian	Russia
RT_RCDATA	0x5dd84c	0x564	PNG image data, 588 x 315, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x5dddb0	0x2cb	PNG image data, 680 x 260, 4-bit colormap, non-interlaced	Russian	Russia
RT_RCDATA	0x5de07c	0x743	PNG image data, 680 x 350, 8-bit colormap, non-interlaced	Russian	Russia
RT_RCDATA	0x5de7c0	0x3018	PNG image data, 500 x 457, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x5e17d8	0x323a	PNG image data, 684 x 457, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x5e4a14	0x5cc	PNG image data, 820 x 568, 4-bit colormap, non-interlaced	Russian	Russia
RT_RCDATA	0x5e4fe0	0x649	PNG image data, 850 x 624, 4-bit colormap, non-interlaced	Russian	Russia
RT_RCDATA	0x5e562c	0x1046	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_RCDATA	0x5e6674	0x1059	PNG image data, 50 x 50, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_RCDATA	0x5e76d0	0x397	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_RCDATA	0x5e7a68	0xfcd	PNG image data, 40 x 47, 8-bit/color RGBA, interlaced	Russian	Russia
RT_RCDATA	0x5e8a38	0xeec	PNG image data, 40 x 43, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_RCDATA	0x5e9924	0x10b0	PNG image data, 40 x 43, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_RCDATA	0x5ea9d4	0x104b	PNG image data, 40 x 43, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_RCDATA	0x5eba20	0xf24	PNG image data, 40 x 43, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_RCDATA	0x5ec944	0x5d2	PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_RCDATA	0x5ecf18	0x317	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_RCDATA	0x5ed230	0x286f	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_RCDATA	0x5efaa0	0x3288	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_RCDATA	0x5f2d28	0xef1	PNG image data, 40 x 44, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_RCDATA	0x5f3c1c	0x7ea	PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_RCDATA	0x5f4408	0xfa3	PNG image data, 40 x 43, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_RCDATA	0x5f53ac	0xdd5	PNG image data, 40 x 43, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_RCDATA	0x5f6184	0x1f8	PNG image data, 28 x 28, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_RCDATA	0x5f637c	0x710	PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_RCDATA	0x5f6a8c	0x10e6	PNG image data, 50 x 50, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_RCDATA	0x5f7b74	0x10d8	PNG image data, 61 x 48, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x5f8c4c	0xf7a	PNG image data, 40 x 47, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_RCDATA	0x5f9bc8	0xeda	PNG image data, 40 x 43, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_RCDATA	0x5faaa4	0x13c3	PNG image data, 48 x 49, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_RCDATA	0x5fbe68	0x51b1	PNG image data, 250 x 250, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_RCDATA	0x60101c	0xe7c	PNG image data, 115 x 26, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_RCDATA	0x601e98	0x1bc8	data
RT_RCDATA	0x603a60	0x85e	PNG image data, 760 x 450, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x6042c0	0x7d3	PNG image data, 750 x 200, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x604a94	0xecb	PNG image data, 760 x 210, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_RCDATA	0x605960	0x862	PNG image data, 760 x 450, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x6061c4	0x627	PNG image data, 720 x 330, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x6067ec	0x62e	PNG image data, 720 x 330, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x606e1c	0x62d	PNG image data, 720 x 330, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x60744c	0x2294	PNG image data, 243 x 50, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_RCDATA	0x6096e0	0x22eb	PNG image data, 325 x 48, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_RCDATA	0x60b9cc	0x179	PNG image data, 765 x 45, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_RCDATA	0x60bb48	0x5891	PNG image data, 717 x 321, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x6113dc	0xad6	PNG image data, 790 x 450, 8-bit colormap, non-interlaced	Russian	Russia
RT_RCDATA	0x611eb4	0x25c	PNG image data, 225 x 53, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x612110	0x57600	PE32+ executable (GUI) x86-64, for MS Windows	Russian	Russia
RT_RCDATA	0x669710	0xc07	PNG image data, 285 x 33, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x66a318	0xc10	PNG image data, 285 x 33, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x66af28	0x1b2d	PNG image data, 509 x 35, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x66ca58	0x1bbe	PNG image data, 509 x 35, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x66e618	0x1aac	PNG image data, 509 x 35, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x6700c4	0x1b06	PNG image data, 509 x 35, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x671bcc	0x120b	PNG image data, 509 x 35, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x672dd8	0x1dd9	PNG image data, 636 x 35, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x674bb4	0x1e14	PNG image data, 636 x 35, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x6769c8	0x1d64	PNG image data, 636 x 35, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x67872c	0x1d19	PNG image data, 636 x 35, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x67a448	0x1ddf	PNG image data, 636 x 35, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x67c228	0x14ba	PNG image data, 636 x 35, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x67d6e4	0x1dd9	PNG image data, 636 x 35, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x67f4c0	0x1e14	PNG image data, 636 x 35, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x6812d4	0x1d64	PNG image data, 636 x 35, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x683038	0x1d19	PNG image data, 636 x 35, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x684d54	0x1ddf	PNG image data, 636 x 35, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x686b34	0x14ba	PNG image data, 636 x 35, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x687ff0	0x15b8	PNG image data, 425 x 33, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x6895a8	0x165e	PNG image data, 425 x 33, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x68ac08	0x15fc	PNG image data, 425 x 33, 8-bit/color RGB, non-interlaced	Russian	Russia
RT_RCDATA	0x68c204	0x132	Delphi compiled form 'TColection_Main_Form'
RT_RCDATA	0x68c338	0x7db	Delphi compiled form 'TDebugForm'
RT_RCDATA	0x68cb14	0xd98d	Delphi compiled form 'TForm1a'
RT_RCDATA	0x69a4a4	0xdd9	Delphi compiled form 'TForm2b'
RT_RCDATA	0x69b280	0x12eb	Delphi compiled form 'TForm2b2'
RT_RCDATA	0x69c56c	0x92a	Delphi compiled form 'TForm2c1'
RT_RCDATA	0x69ce98	0x765	Delphi compiled form 'TForm2c2'
RT_RCDATA	0x69d600	0x53c	Delphi compiled form 'TForm3a'
RT_RCDATA	0x69db3c	0x774	Delphi compiled form 'TForm3b'
RT_RCDATA	0x69e2b0	0xabd4	Delphi compiled form 'TForm3c'
RT_RCDATA	0x6a8e84	0x779	Delphi compiled form 'TForm3e'
RT_RCDATA	0x6a9600	0xbdf	Delphi compiled form 'TForm4c'
RT_RCDATA	0x6aa1e0	0x2430	Delphi compiled form 'TForm6a'
RT_RCDATA	0x6ac610	0x2dee	Delphi compiled form 'TForm7a'
RT_RCDATA	0x6af400	0x10aa9	Delphi compiled form 'TForm8a'
RT_RCDATA	0x6bfeac	0xba7	Delphi compiled form 'TForm8b'
RT_RCDATA	0x6c0a54	0x842	Delphi compiled form 'TForm8c'
RT_RCDATA	0x6c1298	0x211c0	Delphi compiled form 'TForm8d'
RT_RCDATA	0x6e2458	0xe21	Delphi compiled form 'TFormDM'
RT_RCDATA	0x6e327c	0x1913	Delphi compiled form 'TFormF1'
RT_RCDATA	0x6e4b90	0x1385	Delphi compiled form 'TFormF2'
RT_RCDATA	0x6e5f18	0x1f71	Delphi compiled form 'TFormF3'
RT_RCDATA	0x6e7e8c	0x52d	Delphi compiled form 'TFormF4'
RT_RCDATA	0x6e83bc	0xf84	Delphi compiled form 'TFormFreeDownload'
RT_RCDATA	0x6e9340	0x7b4	Delphi compiled form 'TFormFreeStart'
RT_RCDATA	0x6e9af4	0x22f1	Delphi compiled form 'TFormUpdates'
RT_RCDATA	0x6ebde8	0x81f	Delphi compiled form 'TfrmBackupConfirm'
RT_RCDATA	0x6ec608	0x996	Delphi compiled form 'TfrmBackupMain'
RT_RCDATA	0x6ecfa0	0xa0f	Delphi compiled form 'TfrmBackupSelectMain'
RT_RCDATA	0x6ed9b0	0x220d	Delphi compiled form 'TfrmCacheCleaner'
RT_RCDATA	0x6efbc0	0x178	Delphi compiled form 'TfrmCheckURL'
RT_RCDATA	0x6efd38	0x1048	Delphi compiled form 'TfrmCtaBig'
RT_RCDATA	0x6f0d80	0x1ecb	Delphi compiled form 'TfrmExit'
RT_RCDATA	0x6f2c4c	0x1508	Delphi compiled form 'TfrmExpired'
RT_RCDATA	0x6f4154	0x195a4	Delphi compiled form 'TfrmExpiredSoon'
RT_RCDATA	0x70d6f8	0x104d	Delphi compiled form 'TfrmFreeCTA'
RT_RCDATA	0x70e748	0x6335	Delphi compiled form 'TfrmHistory'
RT_RCDATA	0x714a80	0x6fc8	Delphi compiled form 'TfrmMain'
RT_RCDATA	0x71ba48	0x15bf	Delphi compiled form 'TfrmProFeaturesForm'
RT_RCDATA	0x71d008	0xc83	Delphi compiled form 'TfrmRegister'
RT_RCDATA	0x71dc8c	0x7fe3	Delphi compiled form 'TfrmResult'
RT_RCDATA	0x725c70	0x3cc3	Delphi compiled form 'TfrmStartScreen'
RT_RCDATA	0x729934	0x1b07	Delphi compiled form 'TfrmStartScreenLite'
RT_RCDATA	0x72b43c	0x26e3	Delphi compiled form 'TfrmSubCta'
RT_RCDATA	0x72db20	0x776	Delphi compiled form 'TfrmSubResultMain'
RT_RCDATA	0x72e298	0xf26	Delphi compiled form 'TfrmViewRepair'
RT_RCDATA	0x72f1c0	0x24ec	Delphi compiled form 'TfrmViewRepairBig'
RT_RCDATA	0x7316ac	0xf86	Delphi compiled form 'TfrmViewRepairCTA'
RT_RCDATA	0x732634	0xf7d	GIF image data, version 89a, 48 x 48	English	United States
RT_RCDATA	0x7335b4	0x40ab	GIF image data, version 89a, 48 x 48	Russian	Russia
RT_RCDATA	0x737660	0x110f	data	English	United States
RT_GROUP_CURSOR	0x738770	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x738784	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x738798	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x7387ac	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x7387c0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x7387d4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x7387e8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_ICON	0x7387fc	0x4c	data	English	United States
RT_VERSION	0x738848	0x3a4	data	English	United States
RT_MANIFEST	0x738bec	0x583	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators	Russian	Russia

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	CharNextW, LoadStringW
kernel32.dll	Sleep, VirtualFree, VirtualAlloc, lstrlenW, VirtualQuery, QueryPerformanceCounter, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsDBCSLeadByteEx, IsValidLocale, SetThreadLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetConsoleOutputCP, GetConsoleCP, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwind, RaiseException, ExitProcess, ExitThread, SwitchToThread, GetCurrentThreadId, CreateThread, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, SetCurrentDirectoryW, GetCurrentDirectoryW, RemoveDirectoryW, WriteFile, SetFilePointer, SetEndOfFile, ReadFile, GetFileType, GetFileSize, CreateFileW, GetStdHandle, CloseHandle
kernel32.dll	GetProcAddress, RaiseException, LoadLibraryA, GetLastError, TlsSetValue, TlsGetValue, LocalFree, LocalAlloc, GetModuleHandleW, FreeLibrary
user32.dll	SetClassLongW, GetClassLongW, SetWindowLongW, GetWindowLongW, CreateWindowExA, CreateWindowExW, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoW, ShowWindowAsync, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCaret, SetWindowRgn, SetWindowsHookExW, SetWindowTextA, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetKeyboardState, SetForegroundWindow, SetFocus, SetCursorPos, SetCursor, SetClipboardData, SetCapture, SetActiveWindow, SendMessageTimeoutA, SendMessageA, SendMessageW, ScrollWindow, ScreenToClient, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassA, RegisterClassW, RedrawWindow, PostThreadMessageA, PostThreadMessageW, PostQuitMessage, PostMessageA, PostMessageW, PeekMessageA, PeekMessageW, OpenClipboard, OffsetRect, OemToCharA, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MoveWindow, MessageBoxA, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LockWindowUpdate, LoadStringW, LoadKeyboardLayoutW, LoadImageA, LoadImageW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsIconic, IsDialogMessageA, IsDialogMessageW, IsClipboardFormatAvailable, IsChild, IsCharAlphaNumericW, IsCharAlphaW, InvalidateRect, InsertMenuItemW, InsertMenuW, InflateRect, HideCaret, GetWindowThreadProcessId, GetWindowTextA, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetScrollBarInfo, GetPropW, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMessageExtraInfo, GetMessageA, GetMessageW, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgCtrlID, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassNameW, GetClassInfoExW, GetClassInfoW, GetCapture, GetActiveWindow, FrameRect, FindWindowExW, FindWindowA, FindWindowW, FillRect, ExitWindowsEx, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EnumChildWindows, EndPaint, EndMenu, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextExW, DrawTextA, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIcon, CountClipboardFormats, CopyImage, CopyIcon, CloseClipboard, ClientToScreen, ChildWindowFromPoint, CheckMenuItem, CharUpperBuffW, CharUpperW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcA, CallWindowProcW, CallNextHookEx, BringWindowToTop, BeginPaint, AttachThreadInput, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	UnrealizeObject, TextOutA, TextOutW, StretchDIBits, StretchBlt, StartPage, StartDocA, StartDocW, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetRectRgn, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RoundRect, RestoreDC, ResizePalette, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PolyBezierTo, PolyBezier, PlayEnhMetaFile, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, LPtoDP, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsW, GetTextFaceA, GetTextExtentPointW, GetTextExtentPoint32A, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetNearestPaletteIndex, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionW, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, FrameRgn, ExtTextOutW, ExtFloodFill, ExcludeClipRect, EnumFontFamiliesExW, EndPage, EndDoc, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgnIndirect, CreateRectRgn, CreatePenIndirect, CreatePen, CreatePalette, CreateHalftonePalette, CreateFontIndirectW, CreateFontA, CreateFontW, CreateEnhMetaFileW, CreateDIBitmap, CreateDIBSection, CreateDCW, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileW, CombineRgn, CloseEnhMetaFile, Chord, BitBlt, ArcTo, Arc, AngleArc
version.dll	VerQueryValueA, VerQueryValueW, GetFileVersionInfoSizeA, GetFileVersionInfoSizeW, GetFileVersionInfoA, GetFileVersionInfoW
kernel32.dll	lstrlenW, lstrcmpiW, lstrcmpA, lstrcmpW, WritePrivateProfileStringW, WriteFile, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, VerSetConditionMask, VerifyVersionInfoW, VerLanguageNameW, UnmapViewOfFile, TerminateThread, TerminateProcess, SystemTimeToFileTime, SwitchToThread, SuspendThread, SleepEx, Sleep, SizeofResource, SetUnhandledExceptionFilter, SetThreadPriority, SetThreadLocale, SetNamedPipeHandleState, SetLastError, SetFilePointer, SetFileAttributesA, SetFileAttributesW, SetEvent, SetErrorMode, SetEndOfFile, SetCurrentDirectoryW, ResumeThread, ResetEvent, RemoveDirectoryA, RemoveDirectoryW, ReleaseMutex, ReadProcessMemory, ReadFile, RaiseException, QueryPerformanceFrequency, QueryPerformanceCounter, QueryDosDeviceW, IsDebuggerPresent, OutputDebugStringW, OpenProcess, OpenMutexW, OpenFileMappingA, OpenFileMappingW, MultiByteToWideChar, MulDiv, MoveFileExW, MoveFileW, MapViewOfFile, LockResource, LocalSize, LocalFree, LocalAlloc, LoadResource, LoadLibraryA, LoadLibraryW, LoadLibraryExA, LoadLibraryExW, LeaveCriticalSection, LCMapStringW, IsValidLocale, IsBadReadPtr, InitializeCriticalSection, HeapFree, HeapDestroy, HeapCreate, HeapAlloc, GlobalUnlock, GlobalSize, GlobalMemoryStatusEx, GlobalMemoryStatus, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomW, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomW, GetWindowsDirectoryA, GetWindowsDirectoryW, GetVolumeInformationW, GetVersionExA, GetVersionExW, GetVersion, GetUserDefaultLCID, GetUserDefaultUILanguage, GetTimeZoneInformation, GetTickCount, GetThreadPriority, GetThreadLocale, GetThreadContext, GetTempPathA, GetTempPathW, GetSystemTime, GetSystemInfo, GetSystemDirectoryW, GetSystemDefaultUILanguage, GetStdHandle, GetProcessTimes, GetProcAddress, GetPrivateProfileStringW, GetModuleHandleA, GetModuleHandleW, GetModuleFileNameA, GetModuleFileNameW, GetLogicalDrives, GetLogicalDriveStringsW, GetLocaleInfoA, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileTime, GetFileSize, GetFileAttributesA, GetFileAttributesW, GetExitCodeThread, GetExitCodeProcess, GetEnvironmentVariableW, GetDriveTypeW, GetDiskFreeSpaceA, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCurrentDirectoryA, GetCurrentDirectoryW, GetComputerNameA, GetComputerNameW, GetCommandLineA, GetCommandLineW, GetCPInfoExW, GetCPInfo, GetACP, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, InterlockedCompareExchange, FreeLibrary, FormatMessageA, FormatMessageW, FlushInstructionCache, FindResourceA, FindResourceW, FindNextFileA, FindNextFileW, FindFirstFileA, FindFirstFileW, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExpandEnvironmentStringsA, ExpandEnvironmentStringsW, ExitThread, ExitProcess, EnumCalendarInfoW, EnterCriticalSection, DuplicateHandle, DeviceIoControl, DeleteFileA, DeleteFileW, DeleteCriticalSection, CreateThread, CreateProcessA, CreateProcessW, CreatePipe, CreateMutexA, CreateMutexW, CreateFileMappingA, CreateFileMappingW, CreateFileA, CreateFileW, CreateEventA, CreateEventW, CreateDirectoryA, CreateDirectoryW, CopyFileA, CopyFileW, CompareStringW, CloseHandle, Beep
advapi32.dll	SetSecurityDescriptorDacl, RegSetValueExA, RegSetValueExW, RegQueryValueExA, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExA, RegOpenKeyExW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueA, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExA, RegCreateKeyExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW, InitializeSecurityDescriptor, GetUserNameA, GetUserNameW, GetTokenInformation, FreeSid, AllocateAndInitializeSid, AdjustTokenPrivileges
IMAGEHLP.DLL	ImageRvaToVa, ImageNtHeader
SHFolder.dll	SHGetFolderPathW
kernel32.dll	Sleep
netapi32.dll	NetWkstaGetInfo
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
oleaut32.dll	CreateErrorInfo, GetErrorInfo, SetErrorInfo, GetActiveObject, SysFreeString, SysAllocString
ole32.dll	CreateStreamOnHGlobal, IsAccelerator, OleDraw, OleSetMenuDescriptor, OleUninitialize, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, CLSIDFromProgID, ProgIDFromCLSID, StringFromCLSID, CoCreateInstance, CoGetClassObject, CoUninitialize, CoInitializeEx, CoInitialize, IsEqualGUID
comctl32.dll	InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
user32.dll	EnumDisplayMonitors, GetMonitorInfoW, MonitorFromPoint, MonitorFromRect, MonitorFromWindow
msvcrt.dll	isxdigit, isupper, isspace, ispunct, isprint, islower, isgraph, isdigit, iscntrl, isalpha, isalnum, toupper, tolower, strchr, strlen, strncmp, memset, memcpy, memcmp
shell32.dll	SHFileOperationW, ShellExecuteExA, ShellExecuteExW, ShellExecuteA, ShellExecuteW, Shell_NotifyIconW, ExtractIconW
wininet.dll	InternetGetConnectedState, InternetSetStatusCallback, InternetSetOptionW, InternetSetFilePointer, InternetReadFile, InternetQueryOptionW, InternetOpenW, InternetGetLastResponseInfoW, InternetConnectW, InternetCloseHandle, HttpSendRequestW, HttpQueryInfoW, HttpOpenRequestW, HttpAddRequestHeadersW
shell32.dll	SHGetPathFromIDListW, SHGetDesktopFolder, SHBrowseForFolderW
comdlg32.dll	PrintDlgW, GetSaveFileNameA, GetSaveFileNameW
advapi32.dll	LookupAccountSidW, AllocateAndInitializeSid
ntdll.dll	RtlGetNtVersionNumbers, NtQueryInformationProcess
crypt32.dll	CryptQueryObject, CertGetNameStringW, CertFindAttribute, CertFreeCTLContext, CertFreeCertificateContext, CertFindCertificateInStore, CertCloseStore, CertOpenStore, CryptMsgGetParam, CryptMsgUpdate, CryptMsgClose, CryptMsgOpenToDecode
advapi32.dll	CryptDestroyHash, CryptHashData, CryptCreateHash, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextW
wsock32.dll	WSACleanup, WSAStartup, WSAGetLastError, gethostbyname, socket, setsockopt, sendto, send, select, recvfrom, recv, ioctlsocket, inet_ntoa, inet_addr, htons, connect, closesocket, bind
winhttp.dll	WinHttpWriteData, WinHttpSetOption, WinHttpSetCredentials, WinHttpSendRequest, WinHttpReceiveResponse, WinHttpReadData, WinHttpQueryOption, WinHttpQueryHeaders, WinHttpQueryDataAvailable, WinHttpQueryAuthSchemes, WinHttpOpenRequest, WinHttpOpen, WinHttpGetProxyForUrl, WinHttpGetIEProxyConfigForCurrentUser, WinHttpConnect, WinHttpCloseHandle, WinHttpAddRequestHeaders
iphlpapi.dll	GetIpAddrTable
iphlpapi.dll	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
kernel32.dll	RtlUnwind
shell32.dll	SHGetPathFromIDListA, SHGetSpecialFolderLocation, SHGetMalloc
sqlite3.dll	sqlite3_finalize, sqlite3_column_type, sqlite3_column_text, sqlite3_column_int, sqlite3_column_double, sqlite3_column_bytes, sqlite3_column_blob, sqlite3_step, sqlite3_column_decltype, sqlite3_column_name, sqlite3_column_count, sqlite3_prepare, sqlite3_free, sqlite3_errcode, sqlite3_errmsg, sqlite3_close, sqlite3_open
advapi32.dll	StartServiceW, QueryServiceStatus, QueryServiceConfigW, OpenServiceW, OpenSCManagerW, EnumServicesStatusExW, EnumDependentServicesW, ControlService, CloseServiceHandle, ChangeServiceConfigW
kernel32.dll	GetProcessId
kernel32.dll	GlobalMemoryStatusEx
Wintrust.dll	CryptCATEnumerateCatAttr, CryptCATEnumerateAttr, CryptCATEnumerateMember, CryptCATClose, CryptCATOpen
winmm.dll	timeGetTime
crtdll.dll	isprint, tolower, isspace

Exports

Name	Ordinal	Address
TMethodImplementationIntercept	2	0x45e9f8
dbkFCallWrapperAddr	1	0x9a7c5c
madTraceProcess	3	0x722cdc

Version Infos

Description	Data
LegalCopyright	Copyright 2021 PC HelpSoft
InternalName	PC HelpSoft Driver Updater
FileVersion	5.3.524
CompanyName	PC HelpSoft
LegalTrademarks	Copyright 2021 PC HelpSoft
ProductName	PC HelpSoft Driver Updater
ProductVersion	5.3.524
FileDescription	PC HelpSoft Driver Updater
OriginalFilename	PCHelpSoftDriverUpdater.exe
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Russian	Russia

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

• PCHelpSoftDriverUpdater.exe

Click to jump to process

Memory Usage

• PCHelpSoftDriverUpdater.exe

Click to jump to process

System Behavior

Analysis Process: PCHelpSoftDriverUpdater.exe PID: 6536 Parent PID: 5916

Function Logs

General

Start time:	21:33:14
Start date:	22/03/2021
Path:	C:\Users\user\Desktop\PCHelpSoftDriverUpdater.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\PCHelpSoftDriverUpdater.exe'
Imagebase:	0x400000
File size:	7534336 bytes
MD5 hash:	F4B86E43F13C4E9600DC455531F5C83D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000002.348011977.0000000000401000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000000.334331696.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Chronological Activities

Disassembly

Code Analysis

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report PCHelpSoftDriverUpdater.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Malware Analysis System Evasion:

Anti Debugging:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: PCHelpSoftDriverUpdater.exe PID: 6536 Parent PID: 5916

General

File Activities

File Opened

File Attributes Queried

Volume Information Queried

Section Activities

Sections loaded by Windows