c2e6a132106f2c7ac254447dbd160c9d1d7acd06dd16a6d7d2100c5602fc8f72

Resubmissions

28/12/2022, 19:54

221228-ymyemsbd75 9

28/12/2022, 19:41

221228-yeazdaee2v 10

Analysis

max time kernel
103s
max time network
106s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28/12/2022, 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Set-Up.exe
Size

54.7MB
MD5

333bba364d4d009ae856418f4d4facbc
SHA1

24cbf0dec314e1658133485a1913239a54bb7891
SHA256

c2e6a132106f2c7ac254447dbd160c9d1d7acd06dd16a6d7d2100c5602fc8f72
SHA512

ffd82dad6afc35be55c39c659a5328d9ddcc958d3dd46a2c509ae733f1206ed6a16b8f382e7c0536222e01c25928fea85d2f47f7b5f845bf59d9bec93f75b421
SSDEEP

1572864:L6zmuyS1xkPeXU25Vw8IuEd0QhF/H3kpN:L6zmuykxkRG2du80Vz

Score

10^/10

bootkit discovery persistence spyware stealer upx

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Advanced SystemCare	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Advanced SystemCare\ = "{2803063F-4B8D-4dc6-8874-D1802487FE2D}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Advanced SystemCare	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Advanced SystemCare	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Advanced SystemCare\ = "{2803063F-4B8D-4dc6-8874-D1802487FE2D}"	regsvr32.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000012304-56.dat	acprotect

Executes dropped EXE 28 IoCs

pid	Process
1624	ASCInit.exe
1760	Register.exe
1008	ASCService.exe
1352	smBootTimebase.exe
328	smBootTime.exe
1588	UninstallInfo.exe
1292	BrowserCleaner.exe
432	PrivacyShield.exe
1088	smBootTime.exe
860	RealTimeProtector.exe
1836	smBootTime.exe
1648	PPUninstaller.exe
1156	Display.exe
560	RealTimeProtector.exe
328	RealTimeProtector.exe
1736	DiskDefrag.exe
776	RealTimeProtector.exe
1088	smBootTime.exe
804	startupInfo.exe
1720	startupInfo.exe
468	RealTimeProtector.exe
840	Display.exe
912	AutoSweep.exe
1352	ASCFeature.exe
1044	AutoSweep.exe
564	ASC.exe
1896	ASCTray.exe
1832	AutoCare.exe

Registers COM server for autorun 1 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2803063F-4B8D-4dc6-8874-D1802487FE2D}\InprocServer32\ = "C:\\Program Files (x86)\\Advanced SystemCare Pro\\ASCExtMenu_64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2803063F-4B8D-4dc6-8874-D1802487FE2D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2803063F-4B8D-4dc6-8874-D1802487FE2D}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2803063F-4B8D-4dc6-8874-D1802487FE2D}\InprocServer32\ = "C:\\Program Files (x86)\\Advanced SystemCare Pro\\ASCExtMenu_64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2803063F-4B8D-4dc6-8874-D1802487FE2D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2803063F-4B8D-4dc6-8874-D1802487FE2D}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2803063F-4B8D-4dc6-8874-D1802487FE2D}\InprocServer32	regsvr32.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000012304-56.dat	upx
behavioral1/memory/1216-60-0x0000000074E60000-0x0000000074E6A000-memory.dmp	upx
behavioral1/memory/1216-63-0x0000000074E60000-0x0000000074E6A000-memory.dmp	upx

Loads dropped DLL 64 IoCs

pid	Process
1216	Set-Up.exe
1216	Set-Up.exe
1216	Set-Up.exe
1216	Set-Up.exe
1216	Set-Up.exe
1216	Set-Up.exe
1216	Set-Up.exe
1216	Set-Up.exe
1624	ASCInit.exe
1624	ASCInit.exe
1624	ASCInit.exe
1624	ASCInit.exe
1624	ASCInit.exe
1624	ASCInit.exe
1624	ASCInit.exe
1624	ASCInit.exe
1624	ASCInit.exe
1624	ASCInit.exe
1760	Register.exe
1760	Register.exe
1760	Register.exe
1760	Register.exe
1760	Register.exe
1760	Register.exe
1760	Register.exe
1760	Register.exe
1760	Register.exe
1760	Register.exe
1760	Register.exe
1008	ASCService.exe
1008	ASCService.exe
1008	ASCService.exe
1008	ASCService.exe
1008	ASCService.exe
1008	ASCService.exe
1008	ASCService.exe
1008	ASCService.exe
1760	Register.exe
1008	ASCService.exe
1008	ASCService.exe
1008	ASCService.exe
1008	ASCService.exe
1008	ASCService.exe
1008	ASCService.exe
1008	ASCService.exe
1352	smBootTimebase.exe
1352	smBootTimebase.exe
1352	smBootTimebase.exe
1352	smBootTimebase.exe
1352	smBootTimebase.exe
1352	smBootTimebase.exe
1008	ASCService.exe
328	smBootTime.exe
328	smBootTime.exe
328	smBootTime.exe
328	smBootTime.exe
328	smBootTime.exe
328	smBootTime.exe
328	smBootTime.exe
328	smBootTime.exe
1624	ASCInit.exe
1624	ASCInit.exe
1588	UninstallInfo.exe
1624	ASCInit.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Advanced SystemCare = "\"C:\\Program Files (x86)\\Advanced SystemCare Pro\\ASCTray.exe\" /Auto"	ASCInit.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ASC.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\IObit\Advanced SystemCare\Startup Manager\OptFailed.ini	smBootTimebase.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\IObit\IObit Uninstaller\BCleanerdb	smBootTimebase.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\IObit\IObit Uninstaller\DistrustPlugin.ini	smBootTimebase.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\IObit\IObit Uninstaller\DistrustPlugin.ini	smBootTimebase.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\IObit\Advanced SystemCare\Startup Manager\config.ini	smBootTimebase.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\IObit\Advanced SystemCare\Startup Manager\delayEx.ini	smBootTimebase.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\IObit\Advanced SystemCare\Startup Manager\OptimizeRecord.ini	smBootTimebase.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\IObit\Advanced SystemCare\Startup Manager\delStartups.ini	smBootTimebase.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\IObit\Advanced SystemCare\Startup Manager\Ignore.ini	smBootTimebase.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Advanced SystemCare Pro\Language\Romanian.lng	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\Update\Update.ini	Set-Up.exe
File opened for modification	C:\Program Files (x86)\Advanced SystemCare Pro\ScanData\config.ini	ASC.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\Surfing Protection\Language\Turkish.lng	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\Toolbox_Language\German.lng	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\Surfing Protection\SPNativeMessage.exe	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\Surfing Protection\BrowerProtect\Inject.js	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\Surfing Protection\Language\Flemish.lng	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\ASCInit.log	ASCInit.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\Surfing Protection\BrowerProtect\errorpage.html	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\Surfing Protection\BrowerProtect\images\safe_logo.png	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\Surfing Protection\Language\Swedish.lng	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\Surfing Protection\Language\Vietnamese.lng	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\PrivacyShield.exe	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\Database\InBoxDriverFeature\win764.ini	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\Language\Czech.lng	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\Language\French.lng	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\drivers\wlh_amd64\RegistryDefragBootTime.exe	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\skin\classic.dll	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\drivers\win7_amd64\AscRegistryFilter.sys	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\drivers\win7_x86\AscFileControl.sys	Set-Up.exe
File opened for modification	C:\Program Files (x86)\Common Files\IObit\Advanced SystemCare\License.ini	ASCInit.exe
File opened for modification	C:\Program Files (x86)\Advanced SystemCare Pro\StartupInfo.log	startupInfo.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\Language\Malay.lng	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\Surfing Protection\Database\ASCPhishList.db	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\Surfing Protection\Language\Finnish.lng	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\Surfing Protection\Language\Portuguese (PT-PT).lng	Set-Up.exe
File opened for modification	C:\Program Files (x86)\Advanced SystemCare Pro\AutoSweep.log	AutoSweep.exe
File opened for modification	C:\Program Files (x86)\Advanced SystemCare Pro\Database\ZLB85F7.tmp	ASC.exe
File opened for modification	C:\Program Files (x86)\Advanced SystemCare Pro\ASCServiceLog\history.ini	ASCService.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\AutoSweep.exe_py.log	AutoSweep.exe
File opened for modification	C:\Program Files (x86)\Advanced SystemCare Pro\AutoCare.log	AutoCare.exe
File opened for modification	C:\Program Files (x86)\Advanced SystemCare Pro\LocalData\WhiteList.ini	ASC.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\ASCUpgrade.exe	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\Surfing Protection\Language\Dutch.lng	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\Toolbox_Language\Bulgarian.lng	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\drivers\win7_ia64\AscRegistryFilter.sys	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\skin\public.dll	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\Database\InBoxDriverFeature\vista64.ini	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\PinLink\ICONPIN32.dll	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\Surfing Protection\BrowerProtect\images\square.png	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\drivers\win7_x86\AscRegistryFilter.sys	Set-Up.exe
File opened for modification	C:\Program Files (x86)\Advanced SystemCare Pro\ASCService.log	ASCService.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\DetectionEx.ini	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\PluginHelper.dll	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\Scanner.dll	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\Surfing Protection\BrowerProtect\images\popbox_btn_ok.png	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\drivers\Monitor_win10_x64.sys	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\MonitorDisk.exe	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\ProductNews2.dll	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\cpuidsdk.dll	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\Database\ignore.dbd	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\Language\Spanish.lng	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\Surfing Protection\Adblock\js\google_adsbygoogle.js	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\Surfing Protection\Language\Greek.lng	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\Toolbox_Language\Ukrainian.lng	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\DNSProtect.exe	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\dataexchange.dll	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\Database\ActiveBoost.db	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\Database\Reg.dbd	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\Update\SoftUpdater.ini	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\Language\Indonesian.lng	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\Surfing Protection\Database\SPSpecialUrl.db	Set-Up.exe
File created	C:\Program Files (x86)\Advanced SystemCare Pro\Toolbox_Language\Polish.lng	Set-Up.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	PPUninstaller.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\DisplayIcon.ico	PPUninstaller.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1884	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	smBootTimebase.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Advanced SystemCare\ = "{2803063F-4B8D-4dc6-8874-D1802487FE2D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASCExtMenu.CExtMenu\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Advanced SystemCare	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA935377-E17C-4475-B1BF-DE3110613A99}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA935377-E17C-4475-B1BF-DE3110613A99}\ = "ICExtMenu"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA935377-E17C-4475-B1BF-DE3110613A99}\TypeLib\ = "{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2803063F-4B8D-4dc6-8874-D1802487FE2D}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Advanced SystemCare	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2803063F-4B8D-4dc6-8874-D1802487FE2D}\ProgID\ = "ASCExtMenu.CExtMenu.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Advanced SystemCare	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2803063F-4B8D-4dc6-8874-D1802487FE2D}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Advanced SystemCare	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}\1.0\0\win64\ = "C:\\Program Files (x86)\\Advanced SystemCare Pro\\ASCExtMenu_64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ASCExtMenu.CExtMenu.1\ = "CExtMenu Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2803063F-4B8D-4dc6-8874-D1802487FE2D}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2803063F-4B8D-4dc6-8874-D1802487FE2D}\TypeLib\ = "{60AD0991-ECD4-49dc-B170-8B7E7C60F51B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\Advanced SystemCare\ = "{2803063F-4B8D-4dc6-8874-D1802487FE2D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BA935377-E17C-4475-B1BF-DE3110613A99}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2803063F-4B8D-4dc6-8874-D1802487FE2D}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Advanced SystemCare\ = "{2803063F-4B8D-4dc6-8874-D1802487FE2D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BA935377-E17C-4475-B1BF-DE3110613A99}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BA935377-E17C-4475-B1BF-DE3110613A99}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2803063F-4B8D-4dc6-8874-D1802487FE2D}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers\Advanced SystemCare	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Advanced SystemCare	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2803063F-4B8D-4dc6-8874-D1802487FE2D}\VersionIndependentProgID\ = "ASCExtMenu.CExtMenu"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Advanced SystemCare	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2803063F-4B8D-4dc6-8874-D1802487FE2D}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\Advanced SystemCare\ = "{2803063F-4B8D-4dc6-8874-D1802487FE2D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Advanced SystemCare	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}\1.0\0\win64	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Advanced SystemCare Pro"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASCExtMenu.CExtMenu.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Advanced SystemCare\ = "{2803063F-4B8D-4dc6-8874-D1802487FE2D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2803063F-4B8D-4dc6-8874-D1802487FE2D}\ = "CExtMenu Class"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Advanced SystemCare	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2803063F-4B8D-4dc6-8874-D1802487FE2D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASCExtMenu.CExtMenu\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2803063F-4B8D-4dc6-8874-D1802487FE2D}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ASCExtMenu.CExtMenu\ = "CExtMenu Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ASCExtMenu.CExtMenu\CLSID\ = "{2803063F-4B8D-4dc6-8874-D1802487FE2D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ASCExtMenu.CExtMenu\CurVer\ = "ASCExtMenu.CExtMenu.1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2803063F-4B8D-4dc6-8874-D1802487FE2D}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASCExtMenu.CExtMenu	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Advanced SystemCare	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ASCExtMenu.CExtMenu\CLSID\ = "{2803063F-4B8D-4dc6-8874-D1802487FE2D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2803063F-4B8D-4dc6-8874-D1802487FE2D}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2803063F-4B8D-4dc6-8874-D1802487FE2D}\InprocServer32\ = "C:\\Program Files (x86)\\Advanced SystemCare Pro\\ASCExtMenu_64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\Advanced SystemCare	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Advanced SystemCare	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{60AD0991-ECD4-49DC-B170-8B7E7C60F51B}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ASCExtMenu.CExtMenu.1\ = "CExtMenu Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2803063F-4B8D-4dc6-8874-D1802487FE2D}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\Advanced SystemCare	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Advanced SystemCare\ = "{2803063F-4B8D-4dc6-8874-D1802487FE2D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Advanced SystemCare\ = "{2803063F-4B8D-4dc6-8874-D1802487FE2D}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2803063F-4B8D-4dc6-8874-D1802487FE2D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shellex\ContextMenuHandlers	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BA935377-E17C-4475-B1BF-DE3110613A99}\ = "ICExtMenu"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2803063F-4B8D-4dc6-8874-D1802487FE2D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1216	Set-Up.exe
1216	Set-Up.exe
1216	Set-Up.exe
1216	Set-Up.exe
1216	Set-Up.exe
1216	Set-Up.exe
1216	Set-Up.exe
1216	Set-Up.exe
1216	Set-Up.exe
1216	Set-Up.exe
1216	Set-Up.exe
1216	Set-Up.exe
1624	ASCInit.exe
1624	ASCInit.exe
1760	Register.exe
1760	Register.exe
1008	ASCService.exe
1008	ASCService.exe
1008	ASCService.exe
1008	ASCService.exe
1008	ASCService.exe
1008	ASCService.exe
1008	ASCService.exe
1352	smBootTimebase.exe
1352	smBootTimebase.exe
1352	smBootTimebase.exe
1352	smBootTimebase.exe
1008	ASCService.exe
1008	ASCService.exe
328	smBootTime.exe
328	smBootTime.exe
1588	UninstallInfo.exe
1588	UninstallInfo.exe
432	PrivacyShield.exe
1292	BrowserCleaner.exe
432	PrivacyShield.exe
1292	BrowserCleaner.exe
1588	UninstallInfo.exe
1008	ASCService.exe
1008	ASCService.exe
1008	ASCService.exe
1008	ASCService.exe
1008	ASCService.exe
1008	ASCService.exe
1008	ASCService.exe
1008	ASCService.exe
1008	ASCService.exe
1088	smBootTime.exe
1088	smBootTime.exe
1008	ASCService.exe
1008	ASCService.exe
1008	ASCService.exe
1008	ASCService.exe
1008	ASCService.exe
1008	ASCService.exe
1008	ASCService.exe
1008	ASCService.exe
1008	ASCService.exe
1008	ASCService.exe
860	RealTimeProtector.exe
860	RealTimeProtector.exe
1836	smBootTime.exe
1836	smBootTime.exe
1648	PPUninstaller.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
460	Process not Found
460	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: 33	1008	ASCService.exe
Token: SeIncBasePriorityPrivilege	1008	ASCService.exe
Token: SeRestorePrivilege	912	AutoSweep.exe
Token: SeBackupPrivilege	912	AutoSweep.exe
Token: SeRestorePrivilege	1044	AutoSweep.exe
Token: SeBackupPrivilege	1044	AutoSweep.exe
Token: SeRestorePrivilege	564	ASC.exe
Token: SeBackupPrivilege	564	ASC.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
1648	PPUninstaller.exe
912	AutoSweep.exe
912	AutoSweep.exe
912	AutoSweep.exe
912	AutoSweep.exe
912	AutoSweep.exe
1044	AutoSweep.exe
1044	AutoSweep.exe
1044	AutoSweep.exe
1044	AutoSweep.exe
1044	AutoSweep.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
564	ASC.exe
1896	ASCTray.exe
1896	ASCTray.exe
564	ASC.exe
1896	ASCTray.exe
1832	AutoCare.exe
1832	AutoCare.exe
1832	AutoCare.exe
1832	AutoCare.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe

Suspicious use of SendNotifyMessage 50 IoCs

pid	Process
912	AutoSweep.exe
912	AutoSweep.exe
912	AutoSweep.exe
912	AutoSweep.exe
912	AutoSweep.exe
1044	AutoSweep.exe
1044	AutoSweep.exe
1044	AutoSweep.exe
1044	AutoSweep.exe
1044	AutoSweep.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1832	AutoCare.exe
1832	AutoCare.exe
1832	AutoCare.exe
1832	AutoCare.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe
1896	ASCTray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 1624	1216	Set-Up.exe	28
PID 1216 wrote to memory of 1624	1216	Set-Up.exe	28
PID 1216 wrote to memory of 1624	1216	Set-Up.exe	28
PID 1216 wrote to memory of 1624	1216	Set-Up.exe	28
PID 1624 wrote to memory of 1760	1624	ASCInit.exe	29
PID 1624 wrote to memory of 1760	1624	ASCInit.exe	29
PID 1624 wrote to memory of 1760	1624	ASCInit.exe	29
PID 1624 wrote to memory of 1760	1624	ASCInit.exe	29
PID 1008 wrote to memory of 1352	1008	ASCService.exe	31
PID 1008 wrote to memory of 1352	1008	ASCService.exe	31
PID 1008 wrote to memory of 1352	1008	ASCService.exe	31
PID 1008 wrote to memory of 1352	1008	ASCService.exe	31
PID 1624 wrote to memory of 1888	1624	ASCInit.exe	32
PID 1624 wrote to memory of 1888	1624	ASCInit.exe	32
PID 1624 wrote to memory of 1888	1624	ASCInit.exe	32
PID 1624 wrote to memory of 1888	1624	ASCInit.exe	32
PID 1888 wrote to memory of 1884	1888	cmd.exe	34
PID 1888 wrote to memory of 1884	1888	cmd.exe	34
PID 1888 wrote to memory of 1884	1888	cmd.exe	34
PID 1888 wrote to memory of 1884	1888	cmd.exe	34
PID 1008 wrote to memory of 328	1008	ASCService.exe	35
PID 1008 wrote to memory of 328	1008	ASCService.exe	35
PID 1008 wrote to memory of 328	1008	ASCService.exe	35
PID 1008 wrote to memory of 328	1008	ASCService.exe	35
PID 1624 wrote to memory of 1588	1624	ASCInit.exe	36
PID 1624 wrote to memory of 1588	1624	ASCInit.exe	36
PID 1624 wrote to memory of 1588	1624	ASCInit.exe	36
PID 1624 wrote to memory of 1588	1624	ASCInit.exe	36
PID 1624 wrote to memory of 1588	1624	ASCInit.exe	36
PID 1624 wrote to memory of 1588	1624	ASCInit.exe	36
PID 1624 wrote to memory of 1588	1624	ASCInit.exe	36
PID 1624 wrote to memory of 896	1624	ASCInit.exe	37
PID 1624 wrote to memory of 896	1624	ASCInit.exe	37
PID 1624 wrote to memory of 896	1624	ASCInit.exe	37
PID 1624 wrote to memory of 896	1624	ASCInit.exe	37
PID 1624 wrote to memory of 896	1624	ASCInit.exe	37
PID 1624 wrote to memory of 896	1624	ASCInit.exe	37
PID 1624 wrote to memory of 896	1624	ASCInit.exe	37
PID 1624 wrote to memory of 1292	1624	ASCInit.exe	38
PID 1624 wrote to memory of 1292	1624	ASCInit.exe	38
PID 1624 wrote to memory of 1292	1624	ASCInit.exe	38
PID 1624 wrote to memory of 1292	1624	ASCInit.exe	38
PID 1624 wrote to memory of 432	1624	ASCInit.exe	39
PID 1624 wrote to memory of 432	1624	ASCInit.exe	39
PID 1624 wrote to memory of 432	1624	ASCInit.exe	39
PID 1624 wrote to memory of 432	1624	ASCInit.exe	39
PID 1008 wrote to memory of 1088	1008	ASCService.exe	40
PID 1008 wrote to memory of 1088	1008	ASCService.exe	40
PID 1008 wrote to memory of 1088	1008	ASCService.exe	40
PID 1008 wrote to memory of 1088	1008	ASCService.exe	40
PID 1008 wrote to memory of 860	1008	ASCService.exe	41
PID 1008 wrote to memory of 860	1008	ASCService.exe	41
PID 1008 wrote to memory of 860	1008	ASCService.exe	41
PID 1008 wrote to memory of 860	1008	ASCService.exe	41
PID 1008 wrote to memory of 1836	1008	ASCService.exe	42
PID 1008 wrote to memory of 1836	1008	ASCService.exe	42
PID 1008 wrote to memory of 1836	1008	ASCService.exe	42
PID 1008 wrote to memory of 1836	1008	ASCService.exe	42
PID 1216 wrote to memory of 1648	1216	Set-Up.exe	45
PID 1216 wrote to memory of 1648	1216	Set-Up.exe	45
PID 1216 wrote to memory of 1648	1216	Set-Up.exe	45
PID 1216 wrote to memory of 1648	1216	Set-Up.exe	45
PID 1216 wrote to memory of 1648	1216	Set-Up.exe	45
PID 1216 wrote to memory of 1648	1216	Set-Up.exe	45

C:\Users\Admin\AppData\Local\Temp\Set-Up.exe
"C:\Users\Admin\AppData\Local\Temp\Set-Up.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Program Files (x86)\Advanced SystemCare Pro\ASCInit.exe
  "C:\Program Files (x86)\Advanced SystemCare Pro\ASCInit.exe" /install
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Program Files (x86)\Advanced SystemCare Pro\Register.exe
    "C:\Program Files (x86)\Advanced SystemCare Pro\Register.exe" /post
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c SC description AdvancedSystemCareService15 "Advanced SystemCare Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Windows\SysWOW64\sc.exe
      SC description AdvancedSystemCareService15 "Advanced SystemCare Service"
      4⤵
      Launches sc.exe
      PID:1884
- - C:\Program Files (x86)\Advanced SystemCare Pro\UninstallInfo.exe
    "C:\Program Files (x86)\Advanced SystemCare Pro\UninstallInfo.exe" /install asc15
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1588
- - C:\Windows\System32\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Advanced SystemCare Pro\ASCExtMenu_64.dll"
    3⤵
    - Modifies system executable filetype association
    - Registers COM server for autorun
    - Modifies registry class
    PID:896
- - C:\Program Files (x86)\Advanced SystemCare Pro\BrowserCleaner.exe
    "C:\Program Files (x86)\Advanced SystemCare Pro\BrowserCleaner.exe" /InitData
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1292
- - C:\Program Files (x86)\Advanced SystemCare Pro\PrivacyShield.exe
    "C:\Program Files (x86)\Advanced SystemCare Pro\PrivacyShield.exe" /ShowStr=silentWriteCache
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:432
- C:\Program Files (x86)\Advanced SystemCare Pro\PPUninstaller.exe
  "C:\Program Files (x86)\Advanced SystemCare Pro\PPUninstaller.exe" /i
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:1648
- C:\Program Files (x86)\Advanced SystemCare Pro\RealTimeProtector.exe
  "C:\Program Files (x86)\Advanced SystemCare Pro\RealTimeProtector.exe" /install
  2⤵
  - Executes dropped EXE
  PID:560
- - C:\Program Files (x86)\Advanced SystemCare Pro\RealTimeProtector.exe
    "C:\Program Files (x86)\Advanced SystemCare Pro\RealTimeProtector.exe" /Run
    3⤵
    - Executes dropped EXE
    PID:328
- C:\Program Files (x86)\Advanced SystemCare Pro\DiskDefrag.exe
  "C:\Program Files (x86)\Advanced SystemCare Pro\DiskDefrag.exe" /install
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Program Files (x86)\Advanced SystemCare Pro\RealTimeProtector.exe
  "C:\Program Files (x86)\Advanced SystemCare Pro\RealTimeProtector.exe" /Run
  2⤵
  - Executes dropped EXE
  PID:776
- C:\Program Files (x86)\Advanced SystemCare Pro\smBootTime.exe
  "C:\Program Files (x86)\Advanced SystemCare Pro\smBootTime.exe" /UpdateTaskschd
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Program Files (x86)\Advanced SystemCare Pro\ASCExtMenu_64.dll"
  2⤵
  PID:732
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files (x86)\Advanced SystemCare Pro\ASCExtMenu_64.dll"
    3⤵
    - Modifies system executable filetype association
    - Registers COM server for autorun
    - Modifies registry class
    PID:1816
- C:\Program Files (x86)\Advanced SystemCare Pro\startupInfo.exe
  "C:\Program Files (x86)\Advanced SystemCare Pro\startupInfo.exe" /SM
  2⤵
  - Executes dropped EXE
  PID:804
- C:\Program Files (x86)\Advanced SystemCare Pro\startupInfo.exe
  "C:\Program Files (x86)\Advanced SystemCare Pro\startupInfo.exe" /Auto
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1720
- C:\Program Files (x86)\Advanced SystemCare Pro\RealTimeProtector.exe
  "C:\Program Files (x86)\Advanced SystemCare Pro\RealTimeProtector.exe" /RunCurUs
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Program Files (x86)\Advanced SystemCare Pro\Display.exe
  "C:\Program Files (x86)\Advanced SystemCare Pro\Display.exe" /service
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Program Files (x86)\Advanced SystemCare Pro\AutoSweep.exe
  "C:\Program Files (x86)\Advanced SystemCare Pro\AutoSweep.exe" /SvcAutoClean
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:912
- C:\Program Files (x86)\Advanced SystemCare Pro\ASCFeature.exe
  "C:\Program Files (x86)\Advanced SystemCare Pro\ASCFeature.exe" /asc /user
  2⤵
  - Executes dropped EXE
  PID:1352

C:\Program Files (x86)\Advanced SystemCare Pro\ASCService.exe
"C:\Program Files (x86)\Advanced SystemCare Pro\ASCService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Program Files (x86)\Advanced SystemCare Pro\smBootTimebase.exe
  "C:\Program Files (x86)\Advanced SystemCare Pro\smBootTimebase.exe" /boottime
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1352
- C:\Program Files (x86)\Advanced SystemCare Pro\smBootTime.exe
  "C:\Program Files (x86)\Advanced SystemCare Pro\smBootTime.exe" /UpdateTaskschd
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:328
- C:\Program Files (x86)\Advanced SystemCare Pro\smBootTime.exe
  "C:\Program Files (x86)\Advanced SystemCare Pro\smBootTime.exe" /start
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1088
- C:\Program Files (x86)\Advanced SystemCare Pro\RealTimeProtector.exe
  "C:\Program Files (x86)\Advanced SystemCare Pro\RealTimeProtector.exe" /RunCurUs
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:860
- C:\Program Files (x86)\Advanced SystemCare Pro\smBootTime.exe
  "C:\Program Files (x86)\Advanced SystemCare Pro\smBootTime.exe" /AddAutoRun /3 /43003A005C00570069006E0064006F00770073005C00730079007300740065006D00330032005C005400610073006B0073005C004100530043005F0053006B00690070005500610063005F00410064006D0069006E00
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1836
- C:\Program Files (x86)\Advanced SystemCare Pro\Display.exe
  "C:\Program Files (x86)\Advanced SystemCare Pro\Display.exe" /service
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Program Files (x86)\Advanced SystemCare Pro\AutoSweep.exe
  "C:\Program Files (x86)\Advanced SystemCare Pro\AutoSweep.exe" /SvcAutoClean
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1044
- C:\Program Files (x86)\Advanced SystemCare Pro\AutoCare.exe
  "C:\Program Files (x86)\Advanced SystemCare Pro\AutoCare.exe" /autorun /AdvanceScan
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1832

C:\Program Files (x86)\Advanced SystemCare Pro\ASC.exe
"C:\Program Files (x86)\Advanced SystemCare Pro\ASC.exe"
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:564
- C:\Program Files (x86)\Advanced SystemCare Pro\ASCTray.exe
  "C:\Program Files (x86)\Advanced SystemCare Pro\ASCTray.exe" /manual
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Advanced SystemCare Pro\ASC.EXE

Filesize
10.3MB

MD5
ffdf9f22011ac25b64eb1887ada65518

SHA1
bf7a8aba1246b25ca9b652ad5cb53bdf4e678624

SHA256
ce70cd780f5a5f08f7f58808918d45f2ebaec1e47e430a5493d0a01b19f6f7cd

SHA512
c56a77ad1e7ddb43f0c3da92c12ed401d0ec61f5fa57db7a723e86589bab506672de6b09dafa7bbb2b39a63f94703b6d66e924028ee144f94129f4c0561d16a4

Download Submit
C:\Program Files (x86)\Advanced SystemCare Pro\ASCInit.exe

Filesize
697KB

MD5
df0bed89f3935b1164f50223a584f539

SHA1
ebf75d0c28b6e976ff0bcf2b82cf47154e6afc01

SHA256
ca1349d1b689161ed9bc22c314c351b49e640d34f5885974fc705ab29ed63da9

SHA512
e968582cc233b7553129db2223c0e3caf78c70a309a77a368fe47b290478d2cd42f4d5d91686fd74f397b926a6ad2d4de5378d324f34df95d847c29ba295f002

Download Submit
C:\Program Files (x86)\Advanced SystemCare Pro\Database\ignore.dbd

Filesize
12KB

MD5
2802a5adfe7744bfca1ad914491de635

SHA1
43a7182b44282bf5b8a9a6b01cfc726d8a27d511

SHA256
d65c68d86d849e867d6ccce13312377bfab9f9d10de1fd82ebfe4d096aa3c797

SHA512
b76335b6dbcea3497d8a5842decbe6db140ead51ba01c9d7bb0b59cb1847f8f989d08a3ea6a346ce03569d2da6609d2803f111c7c5e49f928ca4b16c34189dfa

Download Submit
C:\Program Files (x86)\Advanced SystemCare Pro\HardwareLib.dll

Filesize
186KB

MD5
d36e4ca83428e7231419de843e28e2b8

SHA1
b1e83397cbd5e56397d499e8ae5d7da3e334c560

SHA256
0dbdf4fae32fc394b5135e4ddfad46fbc1901e7088b512ede49bc8ee60ca757d

SHA512
2bead4b2da5150f573db7b0f7f8e1640c75f1cb83c5239e29707fca007f6112e1a5ac3df9b78eadbd2bd03885e8b5ea550c3018784ea93ad27e7d166aa50f9ce

Download Submit
C:\Program Files (x86)\Advanced SystemCare Pro\Language\Arabic.lng

Filesize
316KB

MD5
c246a0057ceec46f073557ee23086d15

SHA1
062c71b9fa8c520e86b007c7a63490e8efd1b76e

SHA256
d351cd5b5997ffe3cd3e3ece699bd9471076dd6d3c94367cf3a18e637130b151

SHA512
bf8a77189552c14cd891391cf501ea261e7aa75539c92d9aeea041a200b8a80ac0975d6db77387e9e06fed1669f73b940e06a8ab72498fd2d8c6f61b9b3a2997

Download Submit
C:\Program Files (x86)\Advanced SystemCare Pro\Language\Bulgarian.lng

Filesize
306KB

MD5
bc9a0dc4cb04c8d542d63b757977f2ec

SHA1
056461859a78038b398a29b7350f285444be41fc

SHA256
f336e37466a36a45eacf95d17968a8f9b81b85d9d2fdfc1e03f434e76d7bf3b0

SHA512
feb927a12a20fc141593312f405c07ffb0c321d125345358c9c7dfbaa0688432d06efc197e30e1be4e7700a631efb45b77bf344cfa5c04cbacf63154c1b1537d

Download Submit
C:\Program Files (x86)\Advanced SystemCare Pro\Language\ChineseSimp.lng

Filesize
199KB

MD5
35e6d2d22a95d80cc6ed58e4595b9d9e

SHA1
090358f557b695d2ac109c7f6c3a75d1fba33c84

SHA256
eee2b65ac250cd31259a40fe36611d56fc3bd8c74c06200a470a1b86a7e12f29

SHA512
864ca1669fc0eadf9f08974fbfd8d5fafa02e52d1852b581c16b796b1d8e92583afb364e9f68f9548823360b5c9000f3ae3fc08255f78c9ea189e5cc8f64b596

Download Submit
C:\Program Files (x86)\Advanced SystemCare Pro\Language\ChineseTrad.lng

Filesize
205KB

MD5
f58d7386418f1ee79c53591f26e1029c

SHA1
36a60749f2538d6380487ccf3b05052b580526dd

SHA256
a562b7e3935d55e7784887910477af3a92597f757717b6efed93fbfef0ed78ce

SHA512
d643435766b28cf6dad2f6d8194ed79bdd75d0c711ae9ef9980267a3edf35e31b1c4e9ba0b34f2902afeb674c6187ead0330cfb6aaf257cc489be3ce1a398de8

Download Submit
C:\Program Files (x86)\Advanced SystemCare Pro\Language\Croatian.lng

Filesize
351KB

MD5
1518467232ea1002b53914af45bd29c5

SHA1
a76a116ab70fd0825f392bcc86a3f5418a621fcf

SHA256
a778c21201efc38e6b5447912c016e95f496dcf2dbab5640081a042faf9b6e7e

SHA512
dcc253128ada531d97903f40abbfbfd4db1d709ec72a57b7c4a09e2013343a537944779ddddf8a638151a98940f544d1ad400d33eb85b5a6a06478cd82e5b00d

Download Submit
C:\Program Files (x86)\Advanced SystemCare Pro\Language\Czech.lng

Filesize
345KB

MD5
1ded59752f062dd516f45236f894935f

SHA1
0947f1213a58e3eabbe55619b081149fabaf0057

SHA256
4e00a5654b260f0f57afc15733f488d0a601d4a8c7499fe77553d4700e60e204

SHA512
e449a24ff04668ac4ce03db3f5dc33895b3c1a4220d8b85683350d1f0dd125556664e68ab11b4c402fcb31d55f82b3dfab1cbdf53768fdd3ad058607676775d4

Download Submit
C:\Program Files (x86)\Advanced SystemCare Pro\Language\Danish.lng

Filesize
343KB

MD5
1c6e848bfb2eb8690c74932acbb1ff6f

SHA1
68346458aa49ccfbfbab77b0ef66eb9d441e2ef8

SHA256
00d76e4ba8095a61b1dda130da65b7703a6844758ee7610bc628702994207ace

SHA512
eefe32a2217798451fcbcf634ed3f2f6e50cc331a063e2da95c2b5f16fc3ebbf6f47a92a68289a40af4205d77d07627aa54ecaa853b759b2e2280af6467d7c53

Download Submit
C:\Program Files (x86)\Advanced SystemCare Pro\Language\Dutch.lng

Filesize
355KB

MD5
4be0968e02a5296dcadf545381b1251d

SHA1
d093c8ac6ef02129ca9874e405a20137a4370556

SHA256
ec4c6c5b7baf11a9c5e42f079b735aa2b6073dccb89c2c0e0cec39f58f580ad6

SHA512
14998eb1239f3384734f7b9af8c19fa7d187934d9f4d3d0550e42ad2f224d0b64f9272846daf4b9e98f2f5f8b2c1aba2f014636a9dbb6449804f9ed2c56bfb66

Download Submit
C:\Program Files (x86)\Advanced SystemCare Pro\Language\English.lng

Filesize
325KB

MD5
400d4ae937e82f814820495f59ebfd6e

SHA1
fbfa305ce895fc7f97423e4fe0efcb87d7376dee

SHA256
beb55028ec125be781565e02dc6b8b758479b156373010dd366bedc0f240c692

SHA512
f48c1649b73b9cd9b483b6ab230e33aa0fb4492263ad454d490220790a506b0a8fd56b8dc718bf3b06642f06dcadc98a487637c2605be56ffbd5b54e9cd4cce8

Download Submit
C:\Program Files (x86)\Advanced SystemCare Pro\Language\Finnish.lng

Filesize
348KB

MD5
a17c964f0d0496310e48f042d480d8f0

SHA1
9acb8452c26e9917ed59393d78548c6f1abc7e5c

SHA256
bdeb8b0553364e9879f2c0bc31248b1351ffb826cca8efa51f7770f79d8cec9a

SHA512
b27bdf483efdab0dcc4170770eba1e5caa78a87a3beb3049a7c99a004050279fdca3f223aaac6ff8d2e586056634a165f9255d2c53cc83160ab03847f39b7233

Download Submit
C:\Program Files (x86)\Advanced SystemCare Pro\Language\Flemish.lng

Filesize
356KB

MD5
972271018cdbfbcd772443d79b2488d5

SHA1
1bd78d6751f5b578bffc031768dec5ac16df8e98

SHA256
5837906a7a2ec58df5e2e957e24eb98818551188247c670020787d56e7d4cc8d

SHA512
0ac5c6bdae1f0ba2b9f6fcf7544230bb143204a8f0bdad14b5c041cbc7a2591720fbdb3afe64a9fd8299dac5a70404f641afe8f1b33a60378175837420c4462d

Download Submit
C:\Program Files (x86)\Advanced SystemCare Pro\Language\French.lng

Filesize
384KB

MD5
039457f8350d0025f088b329c71deef6

SHA1
7503ea5ce8e211bfcb359a9163047d4342e03e2d

SHA256
cf23580131d43dcbeab90db89ff2c5035d97455401e3afeb78dedfe4de94162d

SHA512
11a7927ee26c95aa3486d537847f00d3254e3cfda30b70c5cbd61a0a8d1fe7bc41c31434b6022a896eebd854323025ef426518a088a5163d7296001339c58349

Download Submit
C:\Program Files (x86)\Advanced SystemCare Pro\Language\Georgian.lng

Filesize
311KB

MD5
ea676c328ef2356498585ed2543fbf18

SHA1
8f6ce15d29bf9760a13b1dddd1e0ea94e3afe3c7

SHA256
5721b304e6e964dd9629a9574d577e6bb0b2d4a24c7ffce64a3e4bac4b1b66f1

SHA512
545a41990dc13ceedd46420e26a17ac8e3f4a411cd3133bbbd269db608a6eac71e991850c1d8689efe88274de4fe78bd04d2a21dab9ad2fe4d3bb7a731452d8b

Download Submit
C:\Program Files (x86)\Advanced SystemCare Pro\Language\German.lng

Filesize
369KB

MD5
994ee6e0002e8bc27c3bd52d9802c6e6

SHA1
96ce19462c3619f8f2ef0bb6cb3da6fa30787231

SHA256
bbb9690757285c49754eecc9df2ac286cda9455c63c957922111595019e00201

SHA512
d33c0422e19b7c2a8193450895dd179be563380a89d26cfcdd8b2aab72e7df54e99edd21ba1423189dce77fc7d8c59e7c28bd3e956ea663f283d421e823c11cd

Download Submit
C:\Program Files (x86)\Advanced SystemCare Pro\Language\Greek.lng

Filesize
392KB

MD5
cbbc95a95d9c55a93ab29856a4c5b66b

SHA1
91526c9d056e6b754ce2f716175dea1da58b432e

SHA256
6271385760b7153957a0a8d80383dfa3628c3f43da213d68987e3a8431323e1d

SHA512
40c8600df02a392c189d029baeec932ec649d0d62c2d1b71c5f8bceaf0f318d6fcc42dace00748c41b4f2fb1cc8349b6ea1c3072434fbdf3d15e1b4da6023d3d

Download Submit
C:\Program Files (x86)\Advanced SystemCare Pro\Language\Hebrew.lng

Filesize
291KB

MD5
6ca109618a81fc57d8c77a3324054ae2

SHA1
814c5548b3443801c5575c900d1a2a86de3b8168

SHA256
d32534fcbefba41ae350dab108f0cd90dcb5c4563cf2ccabbf4fb982dcaa7788

SHA512
cc0608a3b84f5af7c9c9697c4b3c5e20a4978d7832b9bdf2bd6b3090796d2acd0bbc03f2af708a6ec2fe86f17ac90920020cc5aad9c24159febac12c0b003f17

Download Submit
C:\Program Files (x86)\Advanced SystemCare Pro\Language\Hungarian.lng

Filesize
363KB

MD5
74fd4736ec205a7961b68d168fe22d41

SHA1
6933e61c12879265eddb5a377f84e38e5335233c

SHA256
46244b8ad76e577fc7489f5ffc8ec5eabeb92dec3b3c410365cd241570e81fff

SHA512
48a38e01ae1e30935ba4039f0bd481203d93c57f7af4e201797fcfedd91b68893eedb63201f8ce5f0e66ab3883200096f094ae1317703d43c0efc8cb1cc06919

Download Submit
C:\Program Files (x86)\Advanced SystemCare Pro\Language\Indonesian.lng

Filesize
347KB

MD5
29e2e289970ff5007cea2385865ecf0f

SHA1
fdf38bb12d697f9056297473938e416ddca1635b

SHA256
609f81c09667a5caff54d57d542cf51936cb1209ced172dfd0ea36d6ac5deb6e

SHA512
330219f377b36a5e11685579214848181e414811c71a9442b2b776684f5c360ef17be8ac444f4d358350201d080eb3b67cbe02ac58b6525bd46f8153b194c66e

Download Submit
C:\Program Files (x86)\Advanced SystemCare Pro\Language\Italian.lng

Filesize
367KB

MD5
fa736d39d0c24c2cc652b93e3e30e95f

SHA1
151145862f3b86059910878ded5cd3451b3b5135

SHA256
86bf2e160f4be3910fafb900a940f20b4f201803a249f42525c0f356f7da7cd9

SHA512
89321774952a37bde5cf0b6fbe5dd8e05c191695923032aee1a4eae4a98523b8bc426b2e4e133d3e5734d938a89a808cdcdd9d411f3d53f7e01519ac3555e2b9

Download Submit
C:\Program Files (x86)\Advanced SystemCare Pro\OFCommon.dll

Filesize
825KB

MD5
cd64a781f610ddc9db06de5dfb02308c

SHA1
95ec05ff1d0627925fb5b7c888ab8fbef91d6e4a

SHA256
bdbb3238c1d00a340a0df60f7285c554ad36da3405582a47443f4bbbce4e047b

SHA512
066b6cbb61385f42248a5786653a74315303a185d2e408995b6b6553864a0fb7431a098552e834c3eada31c9a4250723b1698907e0101f327b29fb6e67026fb6

Download Submit
C:\Program Files (x86)\Advanced SystemCare Pro\Register.exe

Filesize
2.8MB

MD5
0a851cb1ba4aa3f12825e3e31df6d75d

SHA1
695b130a472ec9edcdefde20b73638e082f24443

SHA256
16af2329ca6d3e7fc474d6749a9800e4f85c23a85ac9c25e3bb4c7781a8d92f1

SHA512
eca9d54f28885ed0235875bb77095274b6028e5b86e7b4d77a426e70794aa3e99d60d3aa50b0c7b0cb4f8acd1fa509a1d2a6136ac73249d99663c522e71e04e7

Download Submit
C:\Program Files (x86)\Advanced SystemCare Pro\Register.exe

Filesize
2.8MB

MD5
0a851cb1ba4aa3f12825e3e31df6d75d

SHA1
695b130a472ec9edcdefde20b73638e082f24443

SHA256
16af2329ca6d3e7fc474d6749a9800e4f85c23a85ac9c25e3bb4c7781a8d92f1

SHA512
eca9d54f28885ed0235875bb77095274b6028e5b86e7b4d77a426e70794aa3e99d60d3aa50b0c7b0cb4f8acd1fa509a1d2a6136ac73249d99663c522e71e04e7

Download Submit
C:\Program Files (x86)\Advanced SystemCare Pro\madBasic_.bpl

Filesize
205KB

MD5
118d01291fe0f6f9e191dc43bf2eb0e6

SHA1
9e66be00c9e4675e22d907107175dc8a2ac64621

SHA256
44af308bac61e9ab0ded3ac567d7f90c186eaae3b4e7e0c5b079c611681139f9

SHA512
b9f28448fd94d562c26e6aede961e252bf6fbaf8b95b1c804076394fab2a79c635af467a010326c64110d06e116d8f908b93da586b6dfa56ea5f4ca593883415

Download Submit
C:\Program Files (x86)\Advanced SystemCare Pro\madDisAsm_.bpl

Filesize
58KB

MD5
f385cdbcfe747006d30a7b5a10e6659c

SHA1
d60d0794f8d09b7f3ec299f5f01dee0e82a181fc

SHA256
b1fe3bec41e2bda7b30d8b44c802b0bb98a2a57838fb07adfe4b6f98520afa95

SHA512
41e4f5446e6eeb5a87b0e19fb6cbdc0a5dd38ecfc7bfd7e969acb45c1cdf2b4d0abc1172f43d1c87f50350367a48e4e54c5d2af2492674ddd9dbbe6f62654fb2

Download Submit
C:\Program Files (x86)\Advanced SystemCare Pro\madExcept_.bpl

Filesize
419KB

MD5
e4dcf5ca70ce7c50a41df7905faf3a11

SHA1
cc1a0b8a18deae0f2d1a207d4ab04c766959cce0

SHA256
c7e0b5293c08d9277ab21232adde89f5fa6b264948f92ff078c41586dce853bb

SHA512
75330f6965393faa060f746dca08e102a4363d005e4d2b5cac8d0ecf9da318b2971dc048b3881fd83ea1d484b8ad78147a4b4b0aa0df7059c08608a498bf8c19

Download Submit
C:\Program Files (x86)\Advanced SystemCare Pro\rtl120.bpl

Filesize
1.1MB

MD5
866fff3729a6fafb8e9e6efadcc32b11

SHA1
620738e1b58a250281bebe2e0edd7adb0264144d

SHA256
6ca51e4bd13cda4547493ed2907422f3c729ca86b1e3507bcfd0f55bf45d3c4f

SHA512
bbbc2536fe2c9280ef76d54295cddd12c6d8a836354a0c466b720977116025a03f2a0af8ba65d4342f67dffa3975d45b3d3b44814c8695f0e6381d4f400365a6

Download Submit
C:\Program Files (x86)\Advanced SystemCare Pro\vcl120.bpl

Filesize
1.9MB

MD5
5f8789273cce227f42ffac6bdcbef0ec

SHA1
aec918df12b1a49de8c7a6cb78851614bcda996a

SHA256
308fb9b5a2f71cacf4630d1aff156b74df163bd7a6ecaf5d8145172b6ca295f7

SHA512
2affa60ad03a5a3bf2a59e0a1858a53a89768f7667ce01453d1baef84336477842caca752a34c1c3c9b4ee3457e2af0502a9a3b50a3553a199a2610eca23bf58

Download Submit
C:\Program Files (x86)\Advanced SystemCare Pro\vclx120.bpl

Filesize
220KB

MD5
c9c17bc11045e31a953390e66ca7ceba

SHA1
f5d31708852ffc17578cd77da344fa211bf775ed

SHA256
d9db0ff0992034f50ab33285b9e73e3232d6a9fe808d444695e37200df1a50a7

SHA512
47f872420ea0db3a9dccbc226e156bc2be1b04debf39e75f07e111e857d2bea716f5681af93c33ac7c3f43a58441f31caf7c4c38c8685a4dcbc9d5613de288bd

Download Submit
C:\Program Files (x86)\Advanced SystemCare Pro\webres.dll

Filesize
880KB

MD5
981391696b41beb20d7280a43ef3145e

SHA1
3ed4a8cda7f167d0501321c6c48aff85d95fcfca

SHA256
7bc78a954a978596a90ae7c273e57a0b5b0668ae38294bbd144128e707c7ce27

SHA512
146d70ede0f84d4a956f6fec39c94b7d5d7627754c3f654975951364143c63d2ff61134c00247d9336a3409f1a880c70a3a5bacccb94f3776f5a5440bef0d674

Download Submit
C:\Users\Admin\AppData\Roaming\IObit\Advanced SystemCare\Main.Ini

Filesize
332B

MD5
389b3950ce38f2d1ca54f0cd5117e1cc

SHA1
1c959fd826e51a70a4cfbf3ca00c4dbd5c957a49

SHA256
c80a7ba31b6f7d52c2b26e37c62a727dcdd4f21c9ea6a4894d477bf1cfe6b4a3

SHA512
be64e571cec13b8c9bf7a2cd606a46bcaf8235007fb7f4ce658f43bf22f5766059e8a27d0d47401668276eb2024c4f9410328dd6250b67a869e0d516433587f2

Download Submit
C:\Users\Admin\AppData\Roaming\IObit\Advanced SystemCare\Main.ini

Filesize
332B

MD5
389b3950ce38f2d1ca54f0cd5117e1cc

SHA1
1c959fd826e51a70a4cfbf3ca00c4dbd5c957a49

SHA256
c80a7ba31b6f7d52c2b26e37c62a727dcdd4f21c9ea6a4894d477bf1cfe6b4a3

SHA512
be64e571cec13b8c9bf7a2cd606a46bcaf8235007fb7f4ce658f43bf22f5766059e8a27d0d47401668276eb2024c4f9410328dd6250b67a869e0d516433587f2

Download Submit
\??\c:\program files (x86)\advanced systemcare pro\skin\classic.dll

Filesize
5.6MB

MD5
2731aa9ecd53ebf78aee68fc7a42111d

SHA1
cb9a47d943726d62ad4a87b0c1f3a79e1724bb71

SHA256
28eb523e4b9646fd77afee9743b2cf9bd88b835537d4592f6c4fb48e2bc12282

SHA512
c2491fd0578608be95921430a79f7cd2d2bf2dd042edbda0f5f2f27853c08132099df7a1a6c6cb3509f71fa43d8d6a68a8714f4a76fc3b7d0e106d9fce134e9b

Download Submit
\??\c:\program files (x86)\advanced systemcare pro\skin\public.dll

Filesize
60KB

MD5
f4a655981f3b5fcc967773d4bc6f8684

SHA1
acff97fa0bb0b2f610d194484e19388917c78a31

SHA256
5d0933724e06b361195e68d8165f707d14b539e9ac4ad00563cfe6336f097ae4

SHA512
125a3995431b65aa8c01cda31d8a5929d948f22919883fa4ca831a12119214062d643b8f65b5c05c96fb83d12be2bc56e6c074c54e03f207260aff19f8766bc1

Download Submit
\Program Files (x86)\Advanced SystemCare Pro\ASC.exe

Filesize
10.3MB

MD5
ffdf9f22011ac25b64eb1887ada65518

SHA1
bf7a8aba1246b25ca9b652ad5cb53bdf4e678624

SHA256
ce70cd780f5a5f08f7f58808918d45f2ebaec1e47e430a5493d0a01b19f6f7cd

SHA512
c56a77ad1e7ddb43f0c3da92c12ed401d0ec61f5fa57db7a723e86589bab506672de6b09dafa7bbb2b39a63f94703b6d66e924028ee144f94129f4c0561d16a4

Download Submit
\Program Files (x86)\Advanced SystemCare Pro\ASC.exe

Filesize
10.3MB

MD5
ffdf9f22011ac25b64eb1887ada65518

SHA1
bf7a8aba1246b25ca9b652ad5cb53bdf4e678624

SHA256
ce70cd780f5a5f08f7f58808918d45f2ebaec1e47e430a5493d0a01b19f6f7cd

SHA512
c56a77ad1e7ddb43f0c3da92c12ed401d0ec61f5fa57db7a723e86589bab506672de6b09dafa7bbb2b39a63f94703b6d66e924028ee144f94129f4c0561d16a4

Download Submit
\Program Files (x86)\Advanced SystemCare Pro\ASC.exe

Filesize
10.3MB

MD5
ffdf9f22011ac25b64eb1887ada65518

SHA1
bf7a8aba1246b25ca9b652ad5cb53bdf4e678624

SHA256
ce70cd780f5a5f08f7f58808918d45f2ebaec1e47e430a5493d0a01b19f6f7cd

SHA512
c56a77ad1e7ddb43f0c3da92c12ed401d0ec61f5fa57db7a723e86589bab506672de6b09dafa7bbb2b39a63f94703b6d66e924028ee144f94129f4c0561d16a4

Download Submit
\Program Files (x86)\Advanced SystemCare Pro\ASC.exe

Filesize
10.3MB

MD5
ffdf9f22011ac25b64eb1887ada65518

SHA1
bf7a8aba1246b25ca9b652ad5cb53bdf4e678624

SHA256
ce70cd780f5a5f08f7f58808918d45f2ebaec1e47e430a5493d0a01b19f6f7cd

SHA512
c56a77ad1e7ddb43f0c3da92c12ed401d0ec61f5fa57db7a723e86589bab506672de6b09dafa7bbb2b39a63f94703b6d66e924028ee144f94129f4c0561d16a4

Download Submit
\Program Files (x86)\Advanced SystemCare Pro\ASCInit.exe

Filesize
697KB

MD5
df0bed89f3935b1164f50223a584f539

SHA1
ebf75d0c28b6e976ff0bcf2b82cf47154e6afc01

SHA256
ca1349d1b689161ed9bc22c314c351b49e640d34f5885974fc705ab29ed63da9

SHA512
e968582cc233b7553129db2223c0e3caf78c70a309a77a368fe47b290478d2cd42f4d5d91686fd74f397b926a6ad2d4de5378d324f34df95d847c29ba295f002

Download Submit
\Program Files (x86)\Advanced SystemCare Pro\HardwareLib.dll

Filesize
186KB

MD5
d36e4ca83428e7231419de843e28e2b8

SHA1
b1e83397cbd5e56397d499e8ae5d7da3e334c560

SHA256
0dbdf4fae32fc394b5135e4ddfad46fbc1901e7088b512ede49bc8ee60ca757d

SHA512
2bead4b2da5150f573db7b0f7f8e1640c75f1cb83c5239e29707fca007f6112e1a5ac3df9b78eadbd2bd03885e8b5ea550c3018784ea93ad27e7d166aa50f9ce

Download Submit
\Program Files (x86)\Advanced SystemCare Pro\OFCommon.dll

Filesize
825KB

MD5
cd64a781f610ddc9db06de5dfb02308c

SHA1
95ec05ff1d0627925fb5b7c888ab8fbef91d6e4a

SHA256
bdbb3238c1d00a340a0df60f7285c554ad36da3405582a47443f4bbbce4e047b

SHA512
066b6cbb61385f42248a5786653a74315303a185d2e408995b6b6553864a0fb7431a098552e834c3eada31c9a4250723b1698907e0101f327b29fb6e67026fb6

Download Submit
\Program Files (x86)\Advanced SystemCare Pro\Register.exe

Filesize
2.8MB

MD5
0a851cb1ba4aa3f12825e3e31df6d75d

SHA1
695b130a472ec9edcdefde20b73638e082f24443

SHA256
16af2329ca6d3e7fc474d6749a9800e4f85c23a85ac9c25e3bb4c7781a8d92f1

SHA512
eca9d54f28885ed0235875bb77095274b6028e5b86e7b4d77a426e70794aa3e99d60d3aa50b0c7b0cb4f8acd1fa509a1d2a6136ac73249d99663c522e71e04e7

Download Submit
\Program Files (x86)\Advanced SystemCare Pro\madbasic_.bpl

Filesize
205KB

MD5
118d01291fe0f6f9e191dc43bf2eb0e6

SHA1
9e66be00c9e4675e22d907107175dc8a2ac64621

SHA256
44af308bac61e9ab0ded3ac567d7f90c186eaae3b4e7e0c5b079c611681139f9

SHA512
b9f28448fd94d562c26e6aede961e252bf6fbaf8b95b1c804076394fab2a79c635af467a010326c64110d06e116d8f908b93da586b6dfa56ea5f4ca593883415

Download Submit
\Program Files (x86)\Advanced SystemCare Pro\madbasic_.bpl

Filesize
205KB

MD5
118d01291fe0f6f9e191dc43bf2eb0e6

SHA1
9e66be00c9e4675e22d907107175dc8a2ac64621

SHA256
44af308bac61e9ab0ded3ac567d7f90c186eaae3b4e7e0c5b079c611681139f9

SHA512
b9f28448fd94d562c26e6aede961e252bf6fbaf8b95b1c804076394fab2a79c635af467a010326c64110d06e116d8f908b93da586b6dfa56ea5f4ca593883415

Download Submit
\Program Files (x86)\Advanced SystemCare Pro\maddisAsm_.bpl

Filesize
58KB

MD5
f385cdbcfe747006d30a7b5a10e6659c

SHA1
d60d0794f8d09b7f3ec299f5f01dee0e82a181fc

SHA256
b1fe3bec41e2bda7b30d8b44c802b0bb98a2a57838fb07adfe4b6f98520afa95

SHA512
41e4f5446e6eeb5a87b0e19fb6cbdc0a5dd38ecfc7bfd7e969acb45c1cdf2b4d0abc1172f43d1c87f50350367a48e4e54c5d2af2492674ddd9dbbe6f62654fb2

Download Submit
\Program Files (x86)\Advanced SystemCare Pro\maddisAsm_.bpl

Filesize
58KB

MD5
f385cdbcfe747006d30a7b5a10e6659c

SHA1
d60d0794f8d09b7f3ec299f5f01dee0e82a181fc

SHA256
b1fe3bec41e2bda7b30d8b44c802b0bb98a2a57838fb07adfe4b6f98520afa95

SHA512
41e4f5446e6eeb5a87b0e19fb6cbdc0a5dd38ecfc7bfd7e969acb45c1cdf2b4d0abc1172f43d1c87f50350367a48e4e54c5d2af2492674ddd9dbbe6f62654fb2

Download Submit
\Program Files (x86)\Advanced SystemCare Pro\madexcept_.bpl

Filesize
419KB

MD5
e4dcf5ca70ce7c50a41df7905faf3a11

SHA1
cc1a0b8a18deae0f2d1a207d4ab04c766959cce0

SHA256
c7e0b5293c08d9277ab21232adde89f5fa6b264948f92ff078c41586dce853bb

SHA512
75330f6965393faa060f746dca08e102a4363d005e4d2b5cac8d0ecf9da318b2971dc048b3881fd83ea1d484b8ad78147a4b4b0aa0df7059c08608a498bf8c19

Download Submit
\Program Files (x86)\Advanced SystemCare Pro\madexcept_.bpl

Filesize
419KB

MD5
e4dcf5ca70ce7c50a41df7905faf3a11

SHA1
cc1a0b8a18deae0f2d1a207d4ab04c766959cce0

SHA256
c7e0b5293c08d9277ab21232adde89f5fa6b264948f92ff078c41586dce853bb

SHA512
75330f6965393faa060f746dca08e102a4363d005e4d2b5cac8d0ecf9da318b2971dc048b3881fd83ea1d484b8ad78147a4b4b0aa0df7059c08608a498bf8c19

Download Submit
\Program Files (x86)\Advanced SystemCare Pro\rtl120.bpl

Filesize
1.1MB

MD5
866fff3729a6fafb8e9e6efadcc32b11

SHA1
620738e1b58a250281bebe2e0edd7adb0264144d

SHA256
6ca51e4bd13cda4547493ed2907422f3c729ca86b1e3507bcfd0f55bf45d3c4f

SHA512
bbbc2536fe2c9280ef76d54295cddd12c6d8a836354a0c466b720977116025a03f2a0af8ba65d4342f67dffa3975d45b3d3b44814c8695f0e6381d4f400365a6

Download Submit
\Program Files (x86)\Advanced SystemCare Pro\rtl120.bpl

Filesize
1.1MB

MD5
866fff3729a6fafb8e9e6efadcc32b11

SHA1
620738e1b58a250281bebe2e0edd7adb0264144d

SHA256
6ca51e4bd13cda4547493ed2907422f3c729ca86b1e3507bcfd0f55bf45d3c4f

SHA512
bbbc2536fe2c9280ef76d54295cddd12c6d8a836354a0c466b720977116025a03f2a0af8ba65d4342f67dffa3975d45b3d3b44814c8695f0e6381d4f400365a6

Download Submit
\Program Files (x86)\Advanced SystemCare Pro\vcl120.bpl

Filesize
1.9MB

MD5
5f8789273cce227f42ffac6bdcbef0ec

SHA1
aec918df12b1a49de8c7a6cb78851614bcda996a

SHA256
308fb9b5a2f71cacf4630d1aff156b74df163bd7a6ecaf5d8145172b6ca295f7

SHA512
2affa60ad03a5a3bf2a59e0a1858a53a89768f7667ce01453d1baef84336477842caca752a34c1c3c9b4ee3457e2af0502a9a3b50a3553a199a2610eca23bf58

Download Submit
\Program Files (x86)\Advanced SystemCare Pro\vcl120.bpl

Filesize
1.9MB

MD5
5f8789273cce227f42ffac6bdcbef0ec

SHA1
aec918df12b1a49de8c7a6cb78851614bcda996a

SHA256
308fb9b5a2f71cacf4630d1aff156b74df163bd7a6ecaf5d8145172b6ca295f7

SHA512
2affa60ad03a5a3bf2a59e0a1858a53a89768f7667ce01453d1baef84336477842caca752a34c1c3c9b4ee3457e2af0502a9a3b50a3553a199a2610eca23bf58

Download Submit
\Program Files (x86)\Advanced SystemCare Pro\vclx120.bpl

Filesize
220KB

MD5
c9c17bc11045e31a953390e66ca7ceba

SHA1
f5d31708852ffc17578cd77da344fa211bf775ed

SHA256
d9db0ff0992034f50ab33285b9e73e3232d6a9fe808d444695e37200df1a50a7

SHA512
47f872420ea0db3a9dccbc226e156bc2be1b04debf39e75f07e111e857d2bea716f5681af93c33ac7c3f43a58441f31caf7c4c38c8685a4dcbc9d5613de288bd

Download Submit
\Program Files (x86)\Advanced SystemCare Pro\webres.dll

Filesize
880KB

MD5
981391696b41beb20d7280a43ef3145e

SHA1
3ed4a8cda7f167d0501321c6c48aff85d95fcfca

SHA256
7bc78a954a978596a90ae7c273e57a0b5b0668ae38294bbd144128e707c7ce27

SHA512
146d70ede0f84d4a956f6fec39c94b7d5d7627754c3f654975951364143c63d2ff61134c00247d9336a3409f1a880c70a3a5bacccb94f3776f5a5440bef0d674

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1315.tmp\Aero.dll

Filesize
6KB

MD5
243bf44688b131c3171f2827a93e39dc

SHA1
07e9c7bd16ae47953e42c06ae2606de188386f35

SHA256
04a577df50431eb0ff6fb103566402bf66c50415bcc1f8a86b9c235053131455

SHA512
a1a8c21d38c54a43d1c6c394f481dfbddcb359c617e9928ecca8f84d47354616a78d20735a1fe7bebd21626c21cf96d0e1a69e3e98f6b35f2a774cc0244f9516

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1315.tmp\BrandingURL.dll

Filesize
4KB

MD5
71c46b663baa92ad941388d082af97e7

SHA1
5a9fcce065366a526d75cc5ded9aade7cadd6421

SHA256
bb2b9c272b8b66bc1b414675c2acba7afad03fff66a63babee3ee57ed163d19e

SHA512
5965bd3f5369b9a1ed641c479f7b8a14af27700d0c27d482aa8eb62acc42f7b702b5947d82f9791b29bcba4d46e1409244f0a8ddce4ec75022b5e27f6d671bce

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1315.tmp\LangDLL.dll

Filesize
5KB

MD5
40eaa85160444940ff71d7aec7c6aa39

SHA1
62b0c779f32af751f3ef00833d3f5c75ed9f081d

SHA256
b4e00150349af7a646a84792b565a0c81f080a838a6e0da69e5cf8f4cdc560a3

SHA512
6d9e04dae68f9fd78a4f20a1d3fd34a9b92cf78b554d1e3e8e7fc3b2881d4659e49346f707cab43fd72c001ac192516deea7ef458ecab6b9f74b16ec05382ab4

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1315.tmp\System.dll

Filesize
11KB

MD5
8571f5fc7f75b0ee8d99849a147e0a67

SHA1
0881a57ef76dae56454d3af836f0f8da8e583d49

SHA256
6c84f2582301ac235aa5ad222c7138f44f262d7a03dcab2a293f0f2a5e32c002

SHA512
e1e5854e9378f0c9d8590b66c10e23b56977ba367d724e272f5714b16845369d53a4bab29f0d41a9bb383032f7fb4ea3d814bf13b7fbb29a04f5876c14d61e76

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1315.tmp\ToolTips.dll

Filesize
4KB

MD5
9a0da2692764bb842411a8b9687ebbb7

SHA1
5c3a459faa08a704bdf162476897ad4580ae39bd

SHA256
28aeaa48c929188a0d169887cc3f16370741467ae49e1db59763f030710a6bbb

SHA512
814d686617df4fe9f50a93dac9428babff3a14836aa27b4666976379ec3fafcab65fd82d8886998fa65e7b59dc192ca067cf8b4cdeb8ef551812912d80dab8ed

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1315.tmp\nsDialogs.dll

Filesize
9KB

MD5
2d4e6314e1291e211f3326b9e9a7be8c

SHA1
67236ee783506c854a40229f311eec7f8a74d218

SHA256
01c37f54c7019f09734ce28ac929d2f1f3da1ae469282a6df1d34b69b8ff9280

SHA512
6063b3f82376cacf95bcc70061cb29bd2c4261959cfa1063426f4b4617e399d263f4ad63551ec64187ec04b847304bfd1cbbbc6825c810cecdff5b17f0b64fd1

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1315.tmp\nsProcess.dll

Filesize
4KB

MD5
faa7f034b38e729a983965c04cc70fc1

SHA1
df8bda55b498976ea47d25d8a77539b049dab55e

SHA256
579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf

SHA512
7868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf

Download Submit
memory/468-179-0x00000000038A0000-0x0000000003978000-memory.dmp

Filesize
864KB

Download
memory/564-191-0x0000000000130000-0x0000000000233000-memory.dmp

Filesize
1.0MB

Download
memory/564-194-0x0000000007A90000-0x0000000007BA4000-memory.dmp

Filesize
1.1MB

Download
memory/564-192-0x0000000000740000-0x000000000097E000-memory.dmp

Filesize
2.2MB

Download
memory/564-196-0x000000000B640000-0x000000000B718000-memory.dmp

Filesize
864KB

Download
memory/564-195-0x0000000009A60000-0x0000000009C37000-memory.dmp

Filesize
1.8MB

Download
memory/564-193-0x0000000074691000-0x0000000074693000-memory.dmp

Filesize
8KB

Download
memory/860-154-0x0000000003720000-0x00000000037F8000-memory.dmp

Filesize
864KB

Download
memory/896-143-0x000007FEFC101000-0x000007FEFC103000-memory.dmp

Filesize
8KB

Download
memory/912-184-0x0000000004490000-0x0000000004568000-memory.dmp

Filesize
864KB

Download
memory/1008-129-0x0000000000550000-0x000000000065A000-memory.dmp

Filesize
1.0MB

Download
memory/1008-130-0x0000000000660000-0x00000000006EC000-memory.dmp

Filesize
560KB

Download
memory/1044-189-0x0000000004450000-0x0000000004528000-memory.dmp

Filesize
864KB

Download
memory/1216-63-0x0000000074E60000-0x0000000074E6A000-memory.dmp

Filesize
40KB

Download
memory/1216-60-0x0000000074E60000-0x0000000074E6A000-memory.dmp

Filesize
40KB

Download
memory/1216-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1760-126-0x0000000003A90000-0x0000000003B68000-memory.dmp

Filesize
864KB

Download
memory/1832-203-0x0000000000770000-0x0000000000873000-memory.dmp

Filesize
1.0MB

Download
memory/1832-204-0x0000000004FE0000-0x00000000050B8000-memory.dmp

Filesize
864KB

Download
memory/1896-200-0x00000000090E0000-0x00000000091B8000-memory.dmp

Filesize
864KB

Download