Edit tour

Windows Analysis Report
ASC.exe

Overview

General Information

Sample Name:	ASC.exe
Analysis ID:	596151
MD5:	39e7dd53300ddfcd2778b0378ea105bb
SHA1:	842e25a50091aa57f07d0978c954343f09e7ecbb
SHA256:	0d94cf843a6837489718a70acfdf3d897c3b210c29a5616cb43e4a16ef68ecf1
Infos:

Detection

Score:	23
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses 32bit PE files

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Tries to load missing DLLs

Program does not show much activity (idle)

Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may be VM or Sandbox-aware, try analysis on a native machine

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Process Tree

System is w10x64

ASC.exe (PID: 7024 cmdline: "C:\Users\user\Desktop\ASC.exe" MD5: 39E7DD53300DDFCD2778B0378EA105BB)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
ASC.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000001.00000001.428394096.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000001.00000000.423445015.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.ASC.exe.1e0000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
1.0.ASC.exe.1e0000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: ASC.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Source: ASC.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: ASC.exe	String found in binary or memory: http://ascstats.iobit.com/usage.phpU
Source: ASC.exe	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: ASC.exe	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: ASC.exe	String found in binary or memory: http://download.iobit.com/asc7/toolbox/Toolbox.ini
Source: ASC.exe	String found in binary or memory: http://iobit.info/rd/asc-feedback
Source: ASC.exe	String found in binary or memory: http://jp.iobit.com/rd/asc-download-db
Source: ASC.exe	String found in binary or memory: http://jp.iobit.com/rd/asc-download-iu
Source: ASC.exe	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: ASC.exe	String found in binary or memory: http://s.symcd.com06
Source: ASC.exe	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: ASC.exe	String found in binary or memory: http://s2.symcb.com0
Source: ASC.exe	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: ASC.exe	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: ASC.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: ASC.exe	String found in binary or memory: http://startup.iobit.com/proportion.php
Source: ASC.exe	String found in binary or memory: http://stats.iobit.com/active_month.php
Source: ASC.exe	String found in binary or memory: http://stats.iobit.com/usage.php
Source: ASC.exe	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: ASC.exe	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: ASC.exe	String found in binary or memory: http://sv.symcd.com0&
Source: ASC.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: ASC.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: ASC.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: ASC.exe	String found in binary or memory: http://update.iobit.com/infofiles/asc6/update-pro.ini
Source: ASC.exe	String found in binary or memory: http://update.iobit.com/infofiles/asc6/update.ini
Source: ASC.exe	String found in binary or memory: http://www.borland.com/namespaces/Types
Source: ASC.exe	String found in binary or memory: http://www.cd4o.com/drivers/
Source: ASC.exe	String found in binary or memory: http://www.cd4o.com/drivers/wlst/v.json
Source: ASC.exe	String found in binary or memory: http://www.google.com/search?q=
Source: ASC.exe	String found in binary or memory: http://www.google.com/search?q=U
Source: ASC.exe	String found in binary or memory: http://www.indyproject.org/
Source: ASC.exe	String found in binary or memory: http://www.iobit.com
Source: ASC.exe	String found in binary or memory: http://www.iobit.com/appgoto.php?name=asc
Source: ASC.exe	String found in binary or memory: http://www.symauth.com/cps0(
Source: ASC.exe	String found in binary or memory: http://www.symauth.com/rpa00
Source: ASC.exe	String found in binary or memory: https://chrome.google.com/webstore/detail/iobit-surfing-protection/imgpenhngnbnmhdkpdfnfhdpmfgmihdnD
Source: ASC.exe	String found in binary or memory: https://chrome.google.com/webstore/detail/iobit-surfing-protection/imgpenhngnbnmhdkpdfnfhdpmfgmihdno
Source: ASC.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: ASC.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: ASC.exe	String found in binary or memory: https://d.symcb.com/rpa0.
Source: ASC.exe	String found in binary or memory: https://forums.iobit.com/forum/advanced-systemcare/advanced-systemcare-14
Source: ASC.exe	String found in binary or memory: https://forums.iobit.com/forum/advanced-systemcare/asc-v14-skins
Source: ASC.exe	String found in binary or memory: https://iexplore.exeU
Source: ASC.exe	String found in binary or memory: https://s1.driverboosterscan.com/worker.php
Source: ASC.exe	String found in binary or memory: https://s2.driverboosterscan.com/worker.php
Source: ASC.exe	String found in binary or memory: https://vk.com/iobit_softS
Source: ASC.exe	String found in binary or memory: https://www.globalsign.com/repository/0
Source: ASC.exe	String found in binary or memory: https://www.globalsign.com/repository/03
Source: ASC.exe	String found in binary or memory: https://www.iobit.com/appgoto.php?name=%s&ver=%s&lan=%s&%s
Source: ASC.exe	String found in binary or memory: https://www.iobit.com/appgoto.php?name=asc
Source: ASC.exe	String found in binary or memory: https://www.iobit.com/appgoto.php?name=asc&ver=
Source: ASC.exe	String found in binary or memory: https://www.iobit.com/appgoto.php?name=asc&ver=%s&lan=%s&from=fac_db
Source: ASC.exe	String found in binary or memory: https://www.iobit.com/appgoto.php?name=asc&ver=%s&lan=%s&to=faq_nocamera
Source: ASC.exe	String found in binary or memory: https://www.iobit.com/appgoto.php?name=ascU
Source: ASC.exe	String found in binary or memory: https://www.iobit.com/goto.php?%s&ref=%s&aff=%s&refs=asc14trialaction&lan=%s
Source: ASC.exe	String found in binary or memory: https://www.iobit.com/goto.php?id=%s&ref=%s&aff=%s&refs=%s&lan=%s
Source: ASC.exe	String found in binary or memory: https://www.iobit.com/goto.php?id=protectascu_affvsasc14&ref=asc14tr&aff=
Source: ASC.exe	String found in binary or memory: https://www.iobit.com/goto.php?id=scandb_affvsasc14&ref=asc14tr&aff=%s&refs=asc14trialscan&lan=%s
Source: ASC.exe	String found in binary or memory: https://www.iobit.com/goto.php?id=speedupdb_affvsasc14&ref=asc14tr&aff=
Source: ASC.exe	String found in binary or memory: https://www.iobit.com/goto.php?id=speedupiu_affvsasc14&ref=asc14tr&aff=
Source: ASC.exe	String found in binary or memory: https://www.iobit.com/onlinefeedback.php
Source: ASC.exe	String found in binary or memory: https://www.itopvpn.com/vpn-windows?ref=ascfix
Source: ASC.exe	String found in binary or memory: https://www.itopvpn.com/vpn-windows?ref=asctb

Source: ASC.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: LegalTrademarks OriginalFileName vs ASC.exe
Source: ASC.exe, 00000001.00000001.428394096.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: LegalTrademarks OriginalFileName vs ASC.exe
Source: ASC.exe	Binary or memory string: LegalTrademarks OriginalFileName vs ASC.exe

Source: ASC.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ASC.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ASC.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ASC.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ASC.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ASC.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ASC.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ASC.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ASC.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ASC.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ASC.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ASC.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ASC.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ASC.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ASC.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ASC.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ASC.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ASC.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ASC.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ASC.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\ASC.exe	Section loaded: scan.dll	Jump to behavior
Source: C:\Users\user\Desktop\ASC.exe	Section loaded: datastate.dll	Jump to behavior
Source: C:\Users\user\Desktop\ASC.exe	Section loaded: datastate.dll	Jump to behavior
Source: C:\Users\user\Desktop\ASC.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\Desktop\ASC.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\ASC.exe	Section loaded: sdcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ASC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ASC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ASC.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ASC.exe	Section loaded: pluginhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ASC.exe	Section loaded: quartz.dll	Jump to behavior
Source: C:\Users\user\Desktop\ASC.exe	Section loaded: productnews2.dll	Jump to behavior
Source: C:\Users\user\Desktop\ASC.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ASC.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ASC.exe	Section loaded: winmmbase.dll	Jump to behavior

Source: C:\Users\user\Desktop\ASC.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ASC.exe	String found in binary or memory: 250-STARTTLS
Source: ASC.exe	String found in binary or memory: NATS-SEFI-ADD
Source: ASC.exe	String found in binary or memory: NATS-DANO-ADD
Source: ASC.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: ASC.exe	String found in binary or memory: jp-ocr-b-add
Source: ASC.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: ASC.exe	String found in binary or memory: jp-ocr-hand-add
Source: ASC.exe	String found in binary or memory: ISO_6937-2-add
Source: ASC.exe	String found in binary or memory: /Address family not supported by protocol family
Source: ASC.exe	String found in binary or memory: 0user_pref("network.http.request.max-start-delay"
Source: ASC.exe	String found in binary or memory: $Surfing Protection\PluginInstall.exeIsVersionLarger4/InstallU
Source: ASC.exe	String found in binary or memory: cmd.exe /c %SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -Command "& {1...10 \|chcp 65001\|Get-StartApps\| where AppID -Like "._!" \|format-list\|Out-File $env:Temp\StartApps.txt}"U
Source: ASC.exe	String found in binary or memory: 'Ini AppList:----------------------start
Source: ASC.exe	String found in binary or memory: /InstallIsVersionLarger4
Source: ASC.exe	String found in binary or memory: /install_start
Source: ASC.exe	String found in binary or memory: ?/sp- /verysilent /suppressmsgboxes /install_start /insur=asc_tb
Source: ASC.exe	String found in binary or memory: Windows 10cmd.exe /c %SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -Command "& {1...10 \|chcp 65001\|Get-StartApps\| where AppID -Like "._!" \|format-list\|Out-File $env:Temp\StartApps.txt}"SVWUQ
Source: ASC.exe	String found in binary or memory: 8/AntRun /Addr "%s" /Subject "%s" /Product "%s" /App "%s"
Source: ASC.exe	String found in binary or memory: $PromoteAfterFix-InstallPromoteTime:
Source: ASC.exe	String found in binary or memory: BThe skin file is corrupted. Please re-install Advanced SystemCare.
Source: ASC.exe	String found in binary or memory: images/loading
Source: ASC.exe	String found in binary or memory: "imgname=images/add_btn_disable.png
Source: ASC.exe	String found in binary or memory: Monitor the key factors which may affect your PC performance in real time and provide you with some useful quick-launch buttons/options to enhance your PC performance.
Source: ASC.exe	String found in binary or memory: imgname=images/loading_b.png
Source: ASC.exe	String found in binary or memory: imgname=images/loading.png

Source: ASC.exe

Binary string: \Device\Scsi\SI%d1

Source: classification engine

Classification label: sus23.evad.winEXE@1/0@0/0

Source: Yara match	File source: ASC.exe, type: SAMPLE
Source: Yara match	File source: 1.2.ASC.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.ASC.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000001.428394096.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.423445015.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE trusted (flag NUMERIC, pid INTEGER PRIMARY KEY, itemid TEXT, caption TEXT, path TEXT, publisher TEXT, systype NUMERIC, version TEXT);
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: CREATE TABLE voted (itemid TEXT, caption TEXT, path TEXT, publisher TEXT, systype NUMERIC, version TEXT, score NUMERIC, votedate TEXT);U

Source: ASC.exe

Static file information: File size 9428936 > 1048576

Source: ASC.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: ASC.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x5bac00
Source: ASC.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x2cbc00

Source: ASC.exe	Static PE information: More than 200 imports for user32.dll
Source: ASC.exe	Static PE information: More than 200 imports for kernel32.dll

Source: ASC.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: ASC.exe

Binary or memory string: SUPERANTISPYWARE.EXE

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: ASC.exe	Binary or memory string: Hyper-V Data Exchange Service=1
Source: ASC.exe	Binary or memory string: vmicvss=1
Source: ASC.exe	Binary or memory string: vmicshutdown=1
Source: ASC.exe	Binary or memory string: vmicheartbeat=1

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: ASC.exe	Binary or memory string: Shell_TrayWndSV
Source: ASC.exe	Binary or memory string: Progman

Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: mcagent.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: ApVxdWin.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: avgrsx.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: guardxkickoff.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: AVKService.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: fsgk32.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: AVKProxy.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: nspmain.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: TMBMSRV.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: AVKWCtl.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: fsav32.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: avgscanx.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: avgemc.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: fsdfwd.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: a2service.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: fsgk32st.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: acs.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: avp.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: TmProxy.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: avgcsrvx.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: avgnsx.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: a2start.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: CLPSLS.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: FSMA32.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: PsImSvc.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: op_mon.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: vsserv.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: PavPrSrv.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: cfp.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: msmpeng.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: AVKTray.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: -C:\Program Files\Windows Defender\MSASCui.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: dwengine.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: mcshield.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: nspupsvc.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: avgwdsvc.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: SUPERAntiSpyware.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: pctsSvc.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: MsMpEng.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: guardxservice.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: bdagent.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: pctsAuxs.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: cmdagent.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: avguard.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: PsCtrlS.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: zlclient.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: pctsTray.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: avgtray.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: SAVAdminService.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: nspsvc.exe
Source: ASC.exe, 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: PavFnSvr.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	111 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ASC.exe	3%	Metadefender		Browse
ASC.exe	7%	ReversingLabs

Source	Detection	Scanner	Label
https://s1.driverboosterscan.com/worker.php	0%	Avira URL Cloud	safe
http://www.cd4o.com/drivers/	0%	Avira URL Cloud	safe
https://www.itopvpn.com/vpn-windows?ref=ascfix	0%	Avira URL Cloud	safe
http://www.indyproject.org/	0%	URL Reputation	safe
https://www.itopvpn.com/vpn-windows?ref=asctb	0%	Avira URL Cloud	safe
http://www.borland.com/namespaces/Types	0%	URL Reputation	safe
http://www.cd4o.com/drivers/wlst/v.json	0%	Avira URL Cloud	safe
http://iobit.info/rd/asc-feedback	0%	Avira URL Cloud	safe
https://s2.driverboosterscan.com/worker.php	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://download.iobit.com/asc7/toolbox/Toolbox.ini	ASC.exe	false		high
http://www.google.com/search?q=U	ASC.exe	false		high
https://chrome.google.com/webstore/detail/iobit-surfing-protection/imgpenhngnbnmhdkpdfnfhdpmfgmihdnD	ASC.exe	false		high
http://ascstats.iobit.com/usage.phpU	ASC.exe	false		high
https://s1.driverboosterscan.com/worker.php	ASC.exe	false	Avira URL Cloud: safe	unknown
http://www.cd4o.com/drivers/	ASC.exe	false	Avira URL Cloud: safe	unknown
https://forums.iobit.com/forum/advanced-systemcare/asc-v14-skins	ASC.exe	false		high
http://schemas.xmlsoap.org/soap/encoding/	ASC.exe	false		high
http://update.iobit.com/infofiles/asc6/update-pro.ini	ASC.exe	false		high
https://www.iobit.com/appgoto.php?name=asc&ver=%s&lan=%s&to=faq_nocamera	ASC.exe	false		high
https://www.iobit.com/appgoto.php?name=ascU	ASC.exe	false		high
https://www.itopvpn.com/vpn-windows?ref=ascfix	ASC.exe	false	Avira URL Cloud: safe	unknown
https://vk.com/iobit_softS	ASC.exe	false		high
http://schemas.xmlsoap.org/soap/envelope/	ASC.exe	false		high
https://www.iobit.com/appgoto.php?name=%s&ver=%s&lan=%s&%s	ASC.exe	false		high
http://stats.iobit.com/usage.php	ASC.exe	false		high
http://www.google.com/search?q=	ASC.exe	false		high
http://www.indyproject.org/	ASC.exe	false	URL Reputation: safe	unknown
https://www.itopvpn.com/vpn-windows?ref=asctb	ASC.exe	false	Avira URL Cloud: safe	unknown
https://www.iobit.com/goto.php?id=speedupiu_affvsasc14&ref=asc14tr&aff=	ASC.exe	false		high
http://stats.iobit.com/active_month.php	ASC.exe	false		high
http://www.symauth.com/cps0(	ASC.exe	false		high
https://www.iobit.com/goto.php?%s&ref=%s&aff=%s&refs=asc14trialaction&lan=%s	ASC.exe	false		high
https://www.iobit.com/goto.php?id=protectascu_affvsasc14&ref=asc14tr&aff=	ASC.exe	false		high
https://forums.iobit.com/forum/advanced-systemcare/advanced-systemcare-14	ASC.exe	false		high
https://www.iobit.com/appgoto.php?name=asc&ver=	ASC.exe	false		high
http://jp.iobit.com/rd/asc-download-db	ASC.exe	false		high
http://update.iobit.com/infofiles/asc6/update.ini	ASC.exe	false		high
http://www.borland.com/namespaces/Types	ASC.exe	false	URL Reputation: safe	unknown
http://www.cd4o.com/drivers/wlst/v.json	ASC.exe	false	Avira URL Cloud: safe	unknown
https://www.iobit.com/onlinefeedback.php	ASC.exe	false		high
http://www.symauth.com/rpa00	ASC.exe	false		high
https://www.iobit.com/goto.php?id=speedupdb_affvsasc14&ref=asc14tr&aff=	ASC.exe	false		high
http://www.iobit.com/appgoto.php?name=asc	ASC.exe	false		high
http://iobit.info/rd/asc-feedback	ASC.exe	false	Avira URL Cloud: safe	unknown
http://www.iobit.com	ASC.exe	false		high
http://jp.iobit.com/rd/asc-download-iu	ASC.exe	false		high
http://startup.iobit.com/proportion.php	ASC.exe	false		high
https://www.iobit.com/appgoto.php?name=asc&ver=%s&lan=%s&from=fac_db	ASC.exe	false		high
https://www.iobit.com/goto.php?id=scandb_affvsasc14&ref=asc14tr&aff=%s&refs=asc14trialscan&lan=%s	ASC.exe	false		high
https://chrome.google.com/webstore/detail/iobit-surfing-protection/imgpenhngnbnmhdkpdfnfhdpmfgmihdno	ASC.exe	false		high
https://www.iobit.com/appgoto.php?name=asc	ASC.exe	false		high
https://www.iobit.com/goto.php?id=%s&ref=%s&aff=%s&refs=%s&lan=%s	ASC.exe	false		high
https://s2.driverboosterscan.com/worker.php	ASC.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	596151
Start date and time:	2022-03-24 10:47:49 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ASC.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	SUS
Classification:	sus23.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: ASC.exe

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.827890866438132
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	ASC.exe
File size:	9428936
MD5:	39e7dd53300ddfcd2778b0378ea105bb
SHA1:	842e25a50091aa57f07d0978c954343f09e7ecbb
SHA256:	0d94cf843a6837489718a70acfdf3d897c3b210c29a5616cb43e4a16ef68ecf1
SHA512:	7c00eb6249bd50465671ed046bc86d494a1c6a176b636026610ff51529dcf21e289c77bae32350d04b56b815b8fcefc97733e5d12ca5596951fd187a90c4c1d4
SSDEEP:	98304:9VKc3zWm+tZb1hc7JuRgqASLfja4owAIVqUYJqFbpOdusDV+GmO8JORcWd:LKXhcluYS3a4VFwUYJqFEdusY28QRcWd
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	ccb6694d6d3996e8

Static PE Info

General

Entrypoint:	0x9bf804
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60112AFD [Wed Jan 27 08:57:33 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	f917f94c3967ac1e168873f449955be1

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFECh
xor eax, eax
mov dword ptr [ebp-14h], eax
mov eax, 009BA5E4h
call 00007F5288508DB0h
xor eax, eax
push ebp
push 009BF938h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
push 00000000h
push 00000000h
push 00000000h
push 00000000h
push 00000000h
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F528869EDDAh
mov ecx, dword ptr [ebp-14h]
mov edx, 009BF950h
mov eax, 009BF984h
call 00007F5288A56660h
call 00007F5288871707h
call 00007F5288AB8696h
test eax, eax
jne 00007F5288ABE2B3h
mov eax, 009BF9C0h
call 00007F52886EFC10h
call 00007F52885685EBh
jmp 00007F5288ABE2A7h
call 00007F5288568638h
call 00007F5288AB8DF7h
mov edx, dword ptr [009DD784h]
mov dword ptr [edx], eax
call 00007F5288AB8C8Eh
mov edx, dword ptr [009DD158h]
mov dword ptr [edx], eax
mov eax, dword ptr [009DD158h]
cmp dword ptr [eax], 01h
jne 00007F5288ABE2C2h
call 00007F5288AB881Bh
mov edx, dword ptr [009DD784h]
mov dword ptr [edx], eax
mov eax, dword ptr [009DD784h]
cmp dword ptr [eax], 00000000h
jne 00007F5288ABE2ABh
mov eax, dword ptr [009DD158h]
xor edx, edx
mov dword ptr [eax], edx
mov eax, dword ptr [009DD314h]
mov eax, dword ptr [eax]
call 00007F5288630B2Ch
mov eax, dword ptr [009DD784h]
cmp dword ptr [eax], 00000000h
je 00007F5288ABE2ADh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x631000	0x4a	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x62a000	0x6a1a	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x680000	0x2cbb7c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x8fac00	0x33c8	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x634000	0x4b424	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x633000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x62b54c	0xf84	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5baaec	0x5bac00	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.itext	0x5bc000	0x3a0c	0x3c00	False	0.501302083333	data	6.0449450879	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x5c0000	0x1dc20	0x1de00	False	0.529133433577	data	6.23096359535	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.bss	0x5de000	0x4bc80	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0x62a000	0x6a1a	0x6c00	False	0.291956018519	data	5.23051582368	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.edata	0x631000	0x4a	0x200	False	0.125	data	0.774099021092	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x632000	0x258	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata	0x633000	0x18	0x200	False	0.0546875	data	0.214732517787	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x634000	0x4b424	0x4b600	False	0.602255648839	data	6.73181350157	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x680000	0x2cbb7c	0x2cbc00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
MAD	0x68255c	0x14	data
MAD	0x682570	0x61218	data
RT_CURSOR	0x6e3788	0x134	data	English	United States
RT_CURSOR	0x6e38bc	0x134	data	English	United States
RT_CURSOR	0x6e39f0	0x134	data	English	United States
RT_CURSOR	0x6e3b24	0x134	data	English	United States
RT_CURSOR	0x6e3c58	0x134	data	English	United States
RT_CURSOR	0x6e3d8c	0x134	data	English	United States
RT_CURSOR	0x6e3ec0	0x134	data	English	United States
RT_BITMAP	0x6e3ff4	0x1d0	data	English	United States
RT_BITMAP	0x6e41c4	0x1e4	data	English	United States
RT_BITMAP	0x6e43a8	0x1d0	data	English	United States
RT_BITMAP	0x6e4578	0x1d0	data	English	United States
RT_BITMAP	0x6e4748	0x1d0	data	English	United States
RT_BITMAP	0x6e4918	0x1d0	data	English	United States
RT_BITMAP	0x6e4ae8	0x1d0	data	English	United States
RT_BITMAP	0x6e4cb8	0x1d0	data	English	United States
RT_BITMAP	0x6e4e88	0x1d0	data	English	United States
RT_BITMAP	0x6e5058	0x1d0	data	English	United States
RT_BITMAP	0x6e5228	0xc0	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0x6e52e8	0xe0	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0x6e53c8	0xe0	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0x6e54a8	0xe0	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0x6e5588	0xc0	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0x6e5648	0xc0	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0x6e5708	0xe0	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0x6e57e8	0x1028	dBase IV DBT, block length 4096, next free block index 40, next free block 0, next used block 0
RT_BITMAP	0x6e6810	0x428	GLS_BINARY_LSB_FIRST
RT_BITMAP	0x6e6c38	0x428	GLS_BINARY_LSB_FIRST
RT_BITMAP	0x6e7060	0x428	GLS_BINARY_LSB_FIRST
RT_BITMAP	0x6e7488	0x1028	dBase IV DBT, block length 4096, next free block index 40, next free block 0, next used block 0
RT_BITMAP	0x6e84b0	0x428	GLS_BINARY_LSB_FIRST
RT_BITMAP	0x6e88d8	0x428	GLS_BINARY_LSB_FIRST
RT_BITMAP	0x6e8d00	0x428	GLS_BINARY_LSB_FIRST
RT_BITMAP	0x6e9128	0x428	GLS_BINARY_LSB_FIRST
RT_BITMAP	0x6e9550	0x1028	dBase IV DBT, block length 4096, next free block index 40, next free block 0, next used block 0
RT_BITMAP	0x6ea578	0x428	GLS_BINARY_LSB_FIRST
RT_BITMAP	0x6ea9a0	0xc0	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0x6eaa60	0xe0	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0x6eab40	0xc0	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0x6eac00	0x628	dBase IV DBT, block length 512, next free block index 40, next free block 10040268, next used block 10040319	English	United States
RT_BITMAP	0x6eb228	0x628	dBase IV DBT, block length 512, next free block index 40, next free block 10040268, next used block 10040319	English	United States
RT_BITMAP	0x6eb850	0x628	dBase IV DBT, block length 512, next free block index 40, next free block 10040268, next used block 10040319	English	United States
RT_BITMAP	0x6ebe78	0x628	dBase IV DBT, block length 512, next free block index 40, next free block 10040268, next used block 10040319	English	United States
RT_BITMAP	0x6ec4a0	0x628	dBase IV DBT, block length 512, next free block index 40, next free block 10040268, next used block 10040319	English	United States
RT_BITMAP	0x6ecac8	0x628	dBase IV DBT, block length 512, next free block index 40, next free block 10040268, next used block 10040319	English	United States
RT_BITMAP	0x6ed0f0	0x628	dBase IV DBT, block length 512, next free block index 40, next free block 10040268, next used block 10040319	English	United States
RT_BITMAP	0x6ed718	0x628	dBase IV DBT, block length 512, next free block index 40, next free block 10040268, next used block 10040319	English	United States
RT_BITMAP	0x6edd40	0x628	dBase IV DBT, block length 512, next free block index 40, next free block 10040268, next used block 10040319	English	United States
RT_BITMAP	0x6ee368	0x628	dBase IV DBT, block length 512, next free block index 40, next free block 10040268, next used block 10040319	English	United States
RT_BITMAP	0x6ee990	0xe0	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x6eea70	0x42028	dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 0, next used block 0	Chinese	China
RT_ICON	0x730a98	0x3a48	data	Chinese	China
RT_ICON	0x7344e0	0x25a8	data	Chinese	China
RT_ICON	0x736a88	0x1a68	data	Chinese	China
RT_ICON	0x7384f0	0x10a8	data	Chinese	China
RT_ICON	0x739598	0x988	data	Chinese	China
RT_ICON	0x739f20	0x468	GLS_BINARY_LSB_FIRST	Chinese	China
RT_STRING	0x73a388	0x15c	data
RT_STRING	0x73a4e4	0x2ac	data
RT_STRING	0x73a790	0x220	data
RT_STRING	0x73a9b0	0x3e4	data
RT_STRING	0x73ad94	0x494	data
RT_STRING	0x73b228	0x39c	data
RT_STRING	0x73b5c4	0x2e4	data
RT_STRING	0x73b8a8	0x44c	data
RT_STRING	0x73bcf4	0x398	data
RT_STRING	0x73c08c	0x3e4	data
RT_STRING	0x73c470	0x2e4	data
RT_STRING	0x73c754	0x368	data
RT_STRING	0x73cabc	0x3cc	data
RT_STRING	0x73ce88	0x420	data
RT_STRING	0x73d2a8	0x2c4	data
RT_STRING	0x73d56c	0x448	data
RT_STRING	0x73d9b4	0x870	data
RT_STRING	0x73e224	0x7fc	data
RT_STRING	0x73ea20	0x418	data
RT_STRING	0x73ee38	0x498	data
RT_STRING	0x73f2d0	0x15c	data
RT_STRING	0x73f42c	0xd0	data
RT_STRING	0x73f4fc	0x114	data
RT_STRING	0x73f610	0x364	data
RT_STRING	0x73f974	0x3e4	data
RT_STRING	0x73fd58	0x3cc	data
RT_STRING	0x740124	0x5bc	data
RT_STRING	0x7406e0	0x324	data
RT_STRING	0x740a04	0x344	data
RT_STRING	0x740d48	0x3e8	data
RT_STRING	0x741130	0x24c	data
RT_STRING	0x74137c	0xb8	data
RT_STRING	0x741434	0xd0	data
RT_STRING	0x741504	0x37c	data
RT_STRING	0x741880	0x448	data
RT_STRING	0x741cc8	0x368	data
RT_STRING	0x742030	0x2d4	data
RT_RCDATA	0x742304	0x82e8	data	English	United States
RT_RCDATA	0x74a5ec	0x10	data
RT_RCDATA	0x74a5fc	0xf88	ASCII text, with CRLF line terminators	English	United States
RT_RCDATA	0x74b584	0xf95	ASCII text, with CRLF line terminators	English	United States
RT_RCDATA	0x74c51c	0xfbf	ASCII text, with CRLF line terminators	English	United States
RT_RCDATA	0x74d4dc	0x2980	data
RT_RCDATA	0x74fe5c	0x9e5	Delphi compiled form 'TASCNCItemFrame'
RT_RCDATA	0x750844	0xe70	Delphi compiled form 'TASCNotificationCenterForm'
RT_RCDATA	0x7516b4	0x11db	Delphi compiled form 'TASCWhatsNewFrm'
RT_RCDATA	0x752890	0x128	Delphi compiled form 'TDiskBitmapFrame'
RT_RCDATA	0x7529b8	0x1855	Delphi compiled form 'TDownloadPromptForm'
RT_RCDATA	0x754210	0x2821	Delphi compiled form 'TFmFullyAccelerate'
RT_RCDATA	0x756a34	0x3387	Delphi compiled form 'TFmScanPromote'
RT_RCDATA	0x759dbc	0x22bd	Delphi compiled form 'TFormActiveAutoUpt'
RT_RCDATA	0x75c07c	0x2f7	Delphi compiled form 'TFormCover'
RT_RCDATA	0x75c374	0x3b90	Delphi compiled form 'TFormExtentInfo'
RT_RCDATA	0x75ff04	0x1e33	Delphi compiled form 'TFormGiftPromote'
RT_RCDATA	0x761d38	0x102e4a	Delphi compiled form 'TFormMiniOffer'
RT_RCDATA	0x864b84	0x19ed	Delphi compiled form 'TFormSaleTip'
RT_RCDATA	0x866574	0x12fb	Delphi compiled form 'TFormTbTips'
RT_RCDATA	0x867870	0x4d396	Delphi compiled form 'TForm_ASC'
RT_RCDATA	0x8b4c08	0x12c3	Delphi compiled form 'TForm_Countdown'
RT_RCDATA	0x8b5ecc	0x19439	Delphi compiled form 'TForm_Setting'
RT_RCDATA	0x8cf308	0xadd5	Delphi compiled form 'TFrameActionCenter8'
RT_RCDATA	0x8da0e0	0x1537	Delphi compiled form 'TframeLatestNews'
RT_RCDATA	0x8db618	0x3c80	Delphi compiled form 'TFrameSoftwareUpdater'
RT_RCDATA	0x8df298	0x392b	Delphi compiled form 'TFrameToolbox'
RT_RCDATA	0x8e2bc4	0x129f	Delphi compiled form 'TfrmCustomDialog'
RT_RCDATA	0x8e3e64	0x19ae	Delphi compiled form 'TfrmDetailTip'
RT_RCDATA	0x8e5814	0x1aa9	Delphi compiled form 'TfrmDialogHint'
RT_RCDATA	0x8e72c0	0xe98	Delphi compiled form 'TfrmFaceDialog'
RT_RCDATA	0x8e8158	0x2172	Delphi compiled form 'TfrmFuncMsg'
RT_RCDATA	0x8ea2cc	0x56a8	Delphi compiled form 'TfrmMenu'
RT_RCDATA	0x8ef974	0x7168	Delphi compiled form 'TfrmProtect'
RT_RCDATA	0x8f6adc	0xa86c	Delphi compiled form 'TfrmSpeedUp'
RT_RCDATA	0x901348	0x94e5	Delphi compiled form 'TFrmTurboConfig'
RT_RCDATA	0x90a830	0xb82	Delphi compiled form 'TMadExcept'
RT_RCDATA	0x90b3b4	0x34e	Delphi compiled form 'TMEContactForm'
RT_RCDATA	0x90b704	0x228	Delphi compiled form 'TMEDetailsForm'
RT_RCDATA	0x90b92c	0x2a3	Delphi compiled form 'TMEScrShotForm'
RT_RCDATA	0x90bbd0	0xa91	Delphi compiled form 'TSMMsg'
RT_RCDATA	0x90c664	0xe1a	Delphi compiled form 'TSMYesNoMsg'
RT_RCDATA	0x90d480	0x3d7f5	Delphi compiled form 'TStartupManagerFrame'
RT_GROUP_CURSOR	0x94ac78	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x94ac8c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x94aca0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x94acb4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x94acc8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x94acdc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x94acf0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_ICON	0x94ad04	0x68	data	Chinese	China
RT_VERSION	0x94ad6c	0x318	data	English	United States
RT_MANIFEST	0x94b084	0x7a2	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States
RT_MANIFEST	0x94b828	0x352	XML 1.0 document, ASCII text, with CRLF line terminators	Chinese	China

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	GetKeyboardType, LoadStringW, MessageBoxA, CharNextW
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryW, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLastError, GetCurrentDirectoryW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, ExitThread, CreateThread, CompareStringW, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileW, CloseHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW
user32.dll	CreateWindowExA, CreateWindowExW, WindowFromPoint, WaitMessage, WaitForInputIdle, UpdateLayeredWindow, UpdateWindow, UnregisterClassA, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowRgn, SetWindowsHookExW, SetWindowTextA, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetWindowLongW, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongW, SetCapture, SetActiveWindow, SendMessageTimeoutA, SendMessageA, SendMessageW, SendInput, ScrollWindow, ScreenToClient, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassA, RegisterClassW, RedrawWindow, PtInRect, PostThreadMessageA, PostThreadMessageW, PostQuitMessage, PostMessageA, PostMessageW, PeekMessageA, PeekMessageW, OpenClipboard, OffsetRect, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MessageBoxA, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LockWindowUpdate, LoadStringW, LoadKeyboardLayoutW, LoadImageA, LoadImageW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsIconic, IsDialogMessageA, IsDialogMessageW, IsClipboardFormatAvailable, IsChild, InvalidateRect, IntersectRect, InsertMenuItemW, InsertMenuW, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowTextW, GetWindowRgn, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowLongW, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetScrollBarInfo, GetPropW, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMessageA, GetMessageW, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgItem, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardFormatNameW, GetClipboardData, GetClientRect, GetClassNameA, GetClassNameW, GetClassLongW, GetClassInfoW, GetCapture, GetActiveWindow, FrameRect, FindWindowExW, FindWindowA, FindWindowW, FillRect, ExitWindowsEx, EqualRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextExW, DrawTextA, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIconIndirect, CreateIcon, CloseClipboard, ClientToScreen, ChildWindowFromPoint, CheckMenuItem, CharUpperBuffW, CharUpperW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcA, CallWindowProcW, CallNextHookEx, BringWindowToTop, BeginPaint, AttachThreadInput, AdjustWindowRectEx, ActivateKeyboardLayout
msimg32.dll	TransparentBlt, AlphaBlend
gdi32.dll	UnrealizeObject, TextOutA, TextOutW, StretchDIBits, StretchBlt, StartPage, StartDocA, StartDocW, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixelV, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBitsToDevice, SetDIBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RoundRect, RestoreDC, ResizePalette, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PlayEnhMetaFile, Pie, PatBlt, OffsetViewportOrgEx, MoveToEx, MaskBlt, LineTo, LPtoDP, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetViewportOrgEx, GetTextMetricsW, GetTextFaceA, GetTextExtentPointW, GetTextExtentPoint32A, GetTextExtentPoint32W, GetTextExtentExPointW, GetTextColor, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetROP2, GetPixel, GetPaletteEntries, GetObjectType, GetObjectA, GetObjectW, GetNearestPaletteIndex, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionW, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetCurrentObject, GetClipBox, GetBrushOrgEx, GetBkMode, GetBkColor, GetBitmapBits, GdiFlush, FrameRgn, ExtTextOutW, ExtSelectClipRgn, ExcludeClipRect, EndPage, EndDoc, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRoundRectRgn, CreateRectRgnIndirect, CreateRectRgn, CreatePolyPolygonRgn, CreatePenIndirect, CreatePen, CreatePalette, CreateHalftonePalette, CreateFontIndirectW, CreateFontA, CreateFontW, CreateEnhMetaFileW, CreateDIBitmap, CreateDIBSection, CreateDCW, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileW, CombineRgn, CloseEnhMetaFile, BitBlt
version.dll	VerQueryValueA, VerQueryValueW, GetFileVersionInfoSizeA, GetFileVersionInfoSizeW, GetFileVersionInfoA, GetFileVersionInfoW
mpr.dll	WNetGetUserA
kernel32.dll	lstrlenW, lstrcpyW, lstrcmpiA, lstrcmpiW, lstrcmpA, lstrcmpW, WriteProcessMemory, WritePrivateProfileStringW, WritePrivateProfileSectionW, WriteFile, WinExec, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, WaitForMultipleObjects, VirtualQueryEx, VirtualQuery, VirtualProtect, VirtualFreeEx, VirtualFree, VirtualAllocEx, VirtualAlloc, VerLanguageNameW, UnmapViewOfFile, TryEnterCriticalSection, TerminateThread, TerminateProcess, SystemTimeToFileTime, SwitchToThread, SuspendThread, Sleep, SizeofResource, SignalObjectAndWait, SetWaitableTimer, SetUnhandledExceptionFilter, SetThreadPriority, SetThreadLocale, SetProcessWorkingSetSize, SetLastError, SetFilePointer, SetFileAttributesA, SetFileAttributesW, SetEvent, SetErrorMode, SetEndOfFile, SearchPathW, ResumeThread, ResetEvent, RemoveDirectoryA, RemoveDirectoryW, ReleaseSemaphore, ReleaseMutex, ReadProcessMemory, ReadFile, RaiseException, QueryPerformanceFrequency, QueryPerformanceCounter, QueryDosDeviceW, PeekNamedPipe, OutputDebugStringW, OpenProcess, OpenFileMappingA, OpenFileMappingW, OpenEventW, MultiByteToWideChar, MulDiv, MoveFileExW, MoveFileW, MapViewOfFile, LockResource, LocalSize, LocalFree, LocalAlloc, LoadResource, LoadLibraryExA, LoadLibraryA, LoadLibraryW, LeaveCriticalSection, IsValidLocale, IsBadReadPtr, IsBadCodePtr, InitializeCriticalSection, HeapFree, HeapDestroy, HeapAlloc, GlobalUnlock, GlobalSize, GlobalMemoryStatusEx, GlobalMemoryStatus, GlobalHandle, GlobalLock, GlobalGetAtomNameW, GlobalFree, GlobalFindAtomW, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomW, GetWindowsDirectoryA, GetWindowsDirectoryW, GetVolumeInformationW, GetVersionExA, GetVersionExW, GetVersion, GetUserDefaultLCID, GetTimeZoneInformation, GetTickCount, GetThreadPriority, GetThreadLocale, GetThreadContext, GetTempPathA, GetTempPathW, GetTempFileNameW, GetSystemTimeAsFileTime, GetSystemTime, GetSystemInfo, GetSystemDirectoryW, GetSystemDefaultLangID, GetSystemDefaultLCID, GetStdHandle, GetShortPathNameW, GetProcessTimes, GetProcAddress, GetPrivateProfileStringW, GetPrivateProfileIntW, GetPriorityClass, GetModuleHandleA, GetModuleHandleW, GetModuleFileNameA, GetModuleFileNameW, GetLogicalDrives, GetLogicalDriveStringsW, GetLocaleInfoA, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileTime, GetFileSize, GetFileAttributesExW, GetFileAttributesA, GetFileAttributesW, GetExitCodeThread, GetExitCodeProcess, GetEnvironmentVariableW, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceA, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCurrentDirectoryA, GetCurrentDirectoryW, GetComputerNameA, GetComputerNameW, GetCommandLineA, GetCommandLineW, GetCPInfo, FreeResource, InterlockedIncrement, InterlockedExchangeAdd, InterlockedExchange, InterlockedDecrement, InterlockedCompareExchange, FreeLibrary, FormatMessageA, FormatMessageW, FlushInstructionCache, FindResourceA, FindResourceW, FindNextFileA, FindNextFileW, FindFirstFileA, FindFirstFileW, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExpandEnvironmentStringsA, ExpandEnvironmentStringsW, ExitThread, ExitProcess, EnumCalendarInfoW, EnterCriticalSection, DuplicateHandle, DeviceIoControl, DeleteFileA, DeleteFileW, DeleteCriticalSection, DefineDosDeviceW, CreateWaitableTimerW, CreateThread, CreateSemaphoreW, CreateProcessA, CreateProcessW, CreatePipe, CreateMutexA, CreateMutexW, CreateFileMappingA, CreateFileMappingW, CreateFileA, CreateFileW, CreateEventA, CreateEventW, CreateDirectoryA, CreateDirectoryW, CopyFileA, CopyFileW, CompareStringA, CompareStringW, CloseHandle, CancelWaitableTimer, Beep
advapi32.dll	SetSecurityDescriptorDacl, RevertToSelf, RegUnLoadKeyW, RegSetValueExA, RegSetValueExW, RegReplaceKeyW, RegQueryValueExA, RegQueryValueExW, RegQueryInfoKeyA, RegQueryInfoKeyW, RegOpenKeyExA, RegOpenKeyExW, RegOpenKeyW, RegLoadKeyW, RegFlushKey, RegEnumValueW, RegEnumKeyA, RegEnumKeyW, RegEnumKeyExW, RegDeleteValueA, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExA, RegCreateKeyExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW, LookupAccountSidW, LookupAccountNameW, IsValidSecurityDescriptor, InitializeSecurityDescriptor, ImpersonateLoggedOnUser, GetUserNameA, GetUserNameW, GetTokenInformation, GetSidSubAuthorityCount, GetSidSubAuthority, FreeSid, DuplicateTokenEx, CreateProcessAsUserW, AllocateAndInitializeSid, AdjustTokenPrivileges
wsock32.dll	WSACleanup, WSAStartup, WSAGetLastError, gethostbyname, socket, setsockopt, sendto, send, select, recvfrom, recv, ioctlsocket, inet_addr, htons, connect, closesocket, bind
shell32.dll	ShellExecuteExA, ShellExecuteExW, ShellExecuteA, ShellExecuteW, SHGetFileInfoW, SHFileOperationW, ExtractIconExW, CommandLineToArgvW
oleaut32.dll	CreateErrorInfo, GetErrorInfo, SetErrorInfo, GetActiveObject, VariantClear, SysFreeString
ole32.dll	CreateStreamOnHGlobal, IsAccelerator, OleDraw, OleSetMenuDescriptor, OleUninitialize, OleInitialize, GetRunningObjectTable, CreateItemMoniker, CoTaskMemFree, CoTaskMemAlloc, CoCreateGuid, CLSIDFromProgID, ProgIDFromCLSID, CLSIDFromString, StringFromCLSID, CoCreateInstance, CoSetProxyBlanket, CoInitializeSecurity, CoGetClassObject, CoUninitialize, CoInitializeEx, CoInitialize, IsEqualGUID
URLMON.DLL	URLDownloadToFileW
wininet.dll	InternetSetOptionW, InternetReadFile, InternetQueryOptionW, InternetOpenW, InternetConnectW, InternetCloseHandle, HttpSendRequestW, HttpQueryInfoW, HttpOpenRequestW, HttpAddRequestHeadersW, FindNextUrlCacheEntryW, FindFirstUrlCacheEntryW, FindCloseUrlCache, DeleteUrlCacheEntryW
comctl32.dll	InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
shell32.dll	SHGetSpecialFolderPathW, SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHGetMalloc, SHGetDesktopFolder, SHChangeNotify, SHBrowseForFolderW
comdlg32.dll	PrintDlgW, GetSaveFileNameA, GetSaveFileNameW, GetOpenFileNameW
kernel32.dll	RtlUnwind
shell32.dll	SHGetPathFromIDListA, SHGetSpecialFolderLocation, SHGetMalloc
Kernel32.dll	GetLongPathNameW
kernel32.dll	Sleep
ole32.dll	CLSIDFromString, CoTaskMemFree, StringFromCLSID, CoCreateGuid
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
winmm.dll	timeGetTime
advapi32.dll	UnlockServiceDatabase, StartServiceW, QueryServiceStatus, QueryServiceLockStatusW, QueryServiceConfigW, OpenServiceW, OpenSCManagerW, LockServiceDatabase, GetServiceDisplayNameW, EnumServicesStatusW, CreateServiceW, ControlService, CloseServiceHandle, ChangeServiceConfigW
kernel32.dll	GetUserDefaultUILanguage, GetSystemDefaultUILanguage
Scan.dll	CreateScanThreadObj, CreateScanObj, CreateRepairObj, CreateDbObj, CreateEnumObj
cabinet.dll	FDIDestroy, FDICopy, FDIIsCabinet, FDICreate
kernel32.dll	GetUserDefaultUILanguage, GetSystemDefaultUILanguage
advapi32.dll	ChangeServiceConfig2W
kernel32.dll	ProcessIdToSessionId
datastate.dll	Func, Server, Clear
ole32.dll	CLSIDFromString
Kernel32.dll	GetLongPathNameW
datastate.dll	Func, Server, Clear
ole32.dll	CoUninitialize, CoInitialize
shell32.dll	SHGetMalloc
netapi32.dll	NetApiBufferFree, NetUserGetInfo, NetUserEnum
advapi32.dll	ConvertSidToStringSidW
sqlite3.dll	sqlite3_bind_parameter_index, sqlite3_bind_null, sqlite3_bind_int64, sqlite3_bind_int, sqlite3_bind_double, sqlite3_bind_text, sqlite3_bind_blob, sqlite3_reset, sqlite3_finalize, sqlite3_column_int64, sqlite3_column_type, sqlite3_column_text, sqlite3_column_double, sqlite3_column_bytes, sqlite3_column_blob, sqlite3_step, sqlite3_column_decltype, sqlite3_column_name, sqlite3_column_count, sqlite3_prepare_v2, sqlite3_free, sqlite3_errcode, sqlite3_errmsg, sqlite3_close, sqlite3_open
shlwapi.dll	PathCombineW
Kernel32.dll	GetSystemDefaultLangID
kernel32.dll	GetLongPathNameW
dataexchange.dll	DCAPI_GetMapCellInfo, DCAPI_GetCurrentPath, DCAPI_GetCurrentPos, DCAPI_GetFragmentInfo, DCAPI_Initialize
sdcore.dll	SDAPI_SetSkipFileSize, SDAPI_SetMapCellCount, SDAPI_PauseDefrag, SDAPI_StopDefrag
netapi32.dll	NetApiBufferFree, NetUserGetInfo, NetUserSetInfo
Advapi32.dll	ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSecurityDescriptorToStringSecurityDescriptorW
netapi32.dll	NetApiBufferFree
Netapi32.dll	NetShareEnum, NetShareSetInfo, NetShareGetInfo
kernel32.dll	ReleaseMutex
crypt32.dll	CryptQueryObject, CertGetNameStringW, CertFreeCertificateContext, CertFindCertificateInStore, CertCloseStore, CryptMsgGetParam, CryptMsgClose
crypt32.dll	CryptMsgClose, CertCloseStore, CertFreeCertificateContext, CertGetNameStringW, CertFindCertificateInStore, CryptMsgGetParam, CryptQueryObject
shell32.dll	IsUserAnAdmin
kernel32.dll	ProcessIdToSessionId
netapi32.dll	NetApiBufferFree, NetUserEnum
Kernel32.dll	GetLongPathNameW
Kernel32.dll	ProcessIdToSessionId
advapi32.dll	ConvertSidToStringSidW
userenv.dll	DestroyEnvironmentBlock, CreateEnvironmentBlock
wtsapi32.dll	WTSFreeMemory, WTSQuerySessionInformationW
Advapi32.dll	QueryServiceConfig2W
PluginHelper.dll	GenerateHMac
msvcrt.dll	_gcvt
kernel32.dll	VerSetConditionMask, VerifyVersionInfoW
Kernel32.dll	GetSystemDefaultUILanguage, GetLongPathNameW
ntdll.dll	NtQuerySystemInformation
quartz.dll	AMGetErrorTextW
ProductNews2.dll	CheckIsVerUpdate, FreeData, SetProxyParams, DoNewsShowStat, DoNewsClickStat, GetNextNews, StartGetNews, UpdateParams
ntdll.dll	NtQueryInformationProcess

Exports

Name	Ordinal	Address
madTraceProcess	1	0x469ec4

Version Infos

Description	Data
LegalCopyright	IObit. All rights reserved.
InternalName	ASC
FileVersion	14.2.0.220
CompanyName	IObit
LegalTrademarks	IObit
Comments
ProductName	Advanced SystemCare
ProductVersion	14.2
FileDescription	Advanced SystemCare
OriginalFilename	ASC.exe
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Chinese	China

• ASC.exe

Click to jump to process

Memory Usage

• ASC.exe

Click to jump to process

Target ID:	1
Start time:	11:48:58
Start date:	24/03/2022
Path:	C:\Users\user\Desktop\ASC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ASC.exe"
Imagebase:	0x1e0000
File size:	9428936 bytes
MD5 hash:	39E7DD53300DDFCD2778B0378EA105BB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000001.00000001.428394096.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000001.00000002.475568879.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000001.00000000.423445015.00000000001E1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ASC.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: ASC.exePID: 7024, Parent PID: 5744

General

File Activities

File Opened

File Attributes Queried

Volume Information Queried

Section Activities

Windows Analysis Report
ASC.exe