Windows Analysis Report
SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe

Overview

General Information

Sample name: SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe
Analysis ID: 1430189
MD5: 6e2e6f5d50fa7adf690c2a6a797d7690
SHA1: 13f112a469215d6c16438d8316f1f17cf3e9d1ee
SHA256: 09fa2acfa64fadc5a44bc21df7d761cad7002a6dbe481b2348d30dda3415b831
Tags: exe

Detection

Score: 69
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 33
Range: 0 - 100

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
.NET source code references suspicious native API functions
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript called in batch mode (suppress errors)
Yara detected Generic Downloader
Abnormal high CPU Usage
Binary contains a suspicious time stamp
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to load drivers
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates COM task schedule object (often to register a task for autostart)
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
EXE planting / hijacking vulnerabilities found
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Spawns drivers
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe ReversingLabs: Detection: 24%
Source: C:\ProgramData\TSR7Settings\uninstasr.exe ReversingLabs: Detection: 15%
Source: SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe ReversingLabs: Detection: 15%
Source: SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Virustotal: Detection: 14%
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\AdvancedSystemRepairPro.exe Joe Sandbox ML: detected
Source: C:\ProgramData\TSR7Settings\uninstasr.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe EXE: wscript.exe

Compliance

Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe EXE: wscript.exe
Source: SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\7z\License.txt
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\7z\readme.txt
Source: SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Static PE information: certificate valid
Source: SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\src\wix38\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.0.dr
Source: Binary string: asrdmon.pdb source: tscmon.exe, 0000000E.00000002.2509832271.0000000001395000.00000004.00000020.00020000.00000000.sdmp, asrdmon.sys.14.dr
Source: Binary string: C:\dev\BCL\LongPath\Microsoft.Experimental.IO\Microsoft.Experimental.IO\obj\Release\Microsoft.Experimental.IO.pdb source: Microsoft.Experimental.IO.dll.0.dr
Source: Binary string: c:\src\wix38\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb8 source: Microsoft.Deployment.WindowsInstaller.dll.0.dr
Source: Binary string: D:\A\_work\39\s\bin/obj/AnyOS.AnyCPU.Release/System.Security.Cryptography.Primitives/net46\System.Security.Cryptography.Primitives.pdb source: System.Security.Cryptography.Primitives.dll.0.dr
Source: Binary string: d:\installdll\bin\i386\opteng.pdb source: AdvancedSystemRepairPro.exe, 00000009.00000000.2505031205.00000000013A3000.00000002.00000001.01000000.0000000A.sdmp, AdvancedSystemRepairPro.exe.0.dr
Source: Binary string: D:\A\_work\39\s\bin/obj/Windows_NT.AnyCPU.Release/System.Security.Cryptography.Algorithms/net46\System.Security.Cryptography.Algorithms.pdb source: System.Security.Cryptography.Algorithms.dll.0.dr
Source: Binary string: D:\A\_work\39\s\bin/obj/Windows_NT.AnyCPU.Release/System.Security.Cryptography.Encoding/net46\System.Security.Cryptography.Encoding.pdb source: System.Security.Cryptography.Encoding.dll.0.dr
Source: Binary string: d:\_projects\TotalSystemCare2G\PCSetup\res\offline\tscmon.pdbD source: tscmon.exe, 00000007.00000000.2413517525.00000000004B7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 00000007.00000002.2414253738.00000000004B7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 00000008.00000002.2450689049.00000000004B7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 00000008.00000000.2426324245.00000000004B7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 0000000E.00000002.2509283601.00000000005E7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 0000000E.00000000.2508242224.00000000005E7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe.0.dr
Source: Binary string: C:\dev\BCL\LongPath\Microsoft.Experimental.IO\Microsoft.Experimental.IO\obj\Release\Microsoft.Experimental.IO.pdb M>M 0M_CorDllMainmscoree.dll source: Microsoft.Experimental.IO.dll.0.dr
Source: Binary string: d:\installdll\bin\i386\opteng.pdbP source: AdvancedSystemRepairPro.exe, 00000009.00000000.2505031205.00000000013A3000.00000002.00000001.01000000.0000000A.sdmp, AdvancedSystemRepairPro.exe.0.dr
Source: Binary string: D:\_projects\DriverScanner2\InfExtractor\obj\Release\InfExtractor.pdb source: InfExtractor.dll.0.dr
Source: Binary string: d:\_projects\TotalSystemCare2G\PCSetup\res\offline\tscmon.pdb source: tscmon.exe, 00000007.00000000.2413517525.00000000004B7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 00000007.00000002.2414253738.00000000004B7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 00000008.00000002.2450689049.00000000004B7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 00000008.00000000.2426324245.00000000004B7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 0000000E.00000002.2509283601.00000000005E7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 0000000E.00000000.2508242224.00000000005E7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe.0.dr
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_0042F152 __EH_prolog3,NetUserEnum, 7_2_0042F152
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_0042F687 __EH_prolog3,NetUserEnum, 7_2_0042F687
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 8_2_0042F152 __EH_prolog3,NetUserEnum, 8_2_0042F152
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 8_2_0042F687 __EH_prolog3,NetUserEnum, 8_2_0042F687
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_0055F152 __EH_prolog3,NetUserEnum, 14_2_0055F152
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_0055F687 __EH_prolog3,NetUserEnum, 14_2_0055F687
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_00419489 __EH_prolog3_GS,FindFirstFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,PathFileExistsW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 7_2_00419489
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_00435580 FindResourceW,_memcpy_s,FindFirstFileW,FindFirstFileW,FindClose,FindNextFileW, 7_2_00435580
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_004896E0 DeleteFileW,_memset,FindFirstFileW,FindClose, 7_2_004896E0
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_00435810 FindFirstFileW, 7_2_00435810
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_0048A850 FindFirstFileW,FindFirstFileW,FindClose,FindNextFileW, 7_2_0048A850
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_0042B5DA _memset,FindFirstFileW, 7_2_0042B5DA
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_0042BC41 __EH_prolog3_catch,_memset,FindFirstFileW,FindNextFileW, 7_2_0042BC41
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_00427E12 FindFirstFileW,UuidFromStringW,FindNextFileW,FindClose, 7_2_00427E12
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 8_2_00419489 __EH_prolog3_GS,FindFirstFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,PathFileExistsW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 8_2_00419489
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 8_2_00435580 FindResourceW,_memcpy_s,FindFirstFileW,FindFirstFileW,FindClose,FindNextFileW, 8_2_00435580
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 8_2_004896E0 DeleteFileW,_memset,FindFirstFileW,FindClose, 8_2_004896E0
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 8_2_00435810 FindFirstFileW, 8_2_00435810
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 8_2_0048A850 FindFirstFileW,FindFirstFileW,FindClose,FindNextFileW, 8_2_0048A850
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 8_2_0042B5DA _memset,FindFirstFileW, 8_2_0042B5DA
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 8_2_0042BC41 __EH_prolog3_catch,_memset,FindFirstFileW,FindNextFileW, 8_2_0042BC41
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 8_2_00427E12 FindFirstFileW,UuidFromStringW,FindNextFileW,FindClose, 8_2_00427E12
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_00549489 __EH_prolog3_GS,FindFirstFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,PathFileExistsW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 14_2_00549489
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_00565580 FindResourceW,_memcpy_s,FindFirstFileW,FindFirstFileW,FindClose,FindNextFileW, 14_2_00565580
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_005B96E0 DeleteFileW,_memset,FindFirstFileW,FindClose, 14_2_005B96E0
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_00565810 FindFirstFileW, 14_2_00565810
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_005BA850 FindFirstFileW,FindFirstFileW,FindClose,FindNextFileW, 14_2_005BA850
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_0055B5DA _memset,FindFirstFileW, 14_2_0055B5DA
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_0055BC41 __EH_prolog3_catch,_memset,FindFirstFileW,FindNextFileW, 14_2_0055BC41
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_00557E12 FindFirstFileW,UuidFromStringW,FindNextFileW,FindClose, 14_2_00557E12
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_004889E0 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,QueryDosDeviceW, 7_2_004889E0
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
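The static PE lines in this section (EXECUTABLE_IMAGE, 32BIT_MACHINE, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE) and the "suspicious time stamp" and "non-standard section names" signatures all come from two header fields and the section table. The following Python script, added here as an example and not part of the Joe Sandbox report, decodes those fields from raw bytes with the standard library so the claims can be re-checked on any file. The sample PE bytes it parses are constructed inside the script, and the timestamp bounds (zero, before 2000, or in the future) are this example's own heuristic rather than the sandbox's rule.

```python
"""Decode the COFF/optional-header fields behind the static-PE lines above.

Added example, not part of the sandbox report. The PE bytes below are
constructed (no real file is parsed) and the timestamp bounds are a
heuristic chosen for this example, not the sandbox's own rule.
"""
import struct
import time
from typing import Dict, List, Optional

# IMAGE_FILE_* bits in the COFF header Characteristics field (PE spec)
COFF_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x1000: "SYSTEM",
    0x2000: "DLL",
}
# IMAGE_DLLCHARACTERISTICS_* bits in the optional header (PE spec)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
# Section names mainstream MSVC/GNU toolchains emit; anything else counts as non-standard here
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".rsrc",
                     ".reloc", ".tls", ".pdata", ".CRT", ".debug", ".gfids", ".00cfg"}
EPOCH_2000 = 946684800  # assumed lower bound on a plausible link timestamp (heuristic)


def _flags(value: int, table: Dict[int, str]) -> List[str]:
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data: bytes, now: Optional[int] = None) -> dict:
    """Return the header facts a triage analyst checks before trusting a binary."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]          # 0x10B = PE32, 0x20B = PE32+
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]   # DllCharacteristics sits at +70 in both formats
    table = opt + opt_size
    sections = [data[table + 40 * i: table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
                for i in range(nsections)]
    now = int(time.time()) if now is None else now
    return {
        "machine": hex(machine),
        "pe32": magic == 0x10B,
        "timestamp": timestamp,
        # zero, pre-2000 or future link times are the usual meaning of "suspicious time stamp"
        "timestamp_suspicious": timestamp == 0 or timestamp < EPOCH_2000 or timestamp > now,
        "characteristics": _flags(characteristics, COFF_CHARACTERISTICS),
        "dll_characteristics": _flags(dllchar, DLL_CHARACTERISTICS),
        "sections": sections,
        "nonstandard_sections": [s for s in sections if s not in STANDARD_SECTIONS],
    }


def build_sample_pe(timestamp: int, dll_flags: int, section_names: List[str], coff_flags: int = 0x0102) -> bytes:
    """Constructed minimal PE32 header (headers only, not a runnable executable) to exercise parse_pe."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                   # e_lfanew: NT headers follow the stub directly
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), timestamp, 0, 0, 224, coff_flags)
    opt = bytearray(224)                                    # PE32 optional header is 224 bytes
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, dll_flags)
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    sample = build_sample_pe(0x5F000000, 0x8140, [".text", ".rsrc", ".xyz1"])
    print(parse_pe(sample, now=1_700_000_000))
```

To run it against a real sample, pass `open(path, "rb").read()` to `parse_pe`; the `now` argument exists so the timestamp check is reproducible in tests.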

Networking

Source: Yara match File source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\dsutil.exe, type: DROPPED
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_00422253 __ehhandler$?_Copy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXII@Z,__EH_prolog3_catch,URLDownloadToFileW,URLDownloadToFileW,URLDownloadToFileW, 7_2_00422253
Source: SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe, uninstasr.exe.0.dr String found in binary or memory: http://advancedsystemrepair.com/EULA.phphttp://advancedsystemrepair.com/Privacy-Policy.phpTXThttp://
Source: AdvancedSystemRepairPro.exe.0.dr String found in binary or memory: http://advancedsystemrepair.com/Malware.phpWhat
Source: AdvancedSystemRepairPro.exe.0.dr String found in binary or memory: http://advancedsystemrepair.com/Privacy-Policy.phphttp://advancedsystemrepair.com/EULA.phphttp://adv
Source: AdvancedSystemRepairPro.exe.0.dr String found in binary or memory: http://advancedsystemrepair.com/Review-Apps.phphttp://advancedsystemrepair.com/reviews.php1OnTimerAn
Source: AdvancedSystemRepairPro.exe.0.dr String found in binary or memory: http://advancedsystemrepair.com/Support.phphttps://advancedsystemrepair.com/License-Key-Lookup.php:/
Source: AdvancedSystemRepairPro.exe.0.dr String found in binary or memory: http://advancedsystemrepair.com/inapp3_de.phphttp://advancedsystemrepair.com/inapp2_de.phphttp://adv
Source: SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe, uninstasr.exe.0.dr String found in binary or memory: http://advancedsystemrepair.com/privacypolicy.php
Source: AdvancedSystemRepairPro.exe.0.dr String found in binary or memory: http://asrupdates.com/app_upgrade/asr.php?a=%s&i=%i&r=%i&v=%s&l=%iInstallTime40asrinf%i.iniupdateNot
Source: tscmon.exe String found in binary or memory: http://asrupdates.com/db3/0.db
Source: tscmon.exe, 00000007.00000000.2413517525.00000000004B7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 00000007.00000002.2414253738.00000000004B7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 00000008.00000002.2450689049.00000000004B7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 00000008.00000000.2426324245.00000000004B7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 0000000E.00000002.2509283601.00000000005E7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 0000000E.00000000.2508242224.00000000005E7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe.0.dr String found in binary or memory: http://asrupdates.com/db3/0.dbhttp://asrupdates.com/db3/1.dbhttp://asrupdates.com/db3/2.db.tmpasrupd
Source: tscmon.exe String found in binary or memory: http://asrupdates.com/db3/1.db
Source: tscmon.exe String found in binary or memory: http://asrupdates.com/db3/2.db
Source: AdvancedSystemRepairPro.exe.0.dr String found in binary or memory: http://asrupdates.com/wr/view_d3.php?id=%iVideoLocal
Source: Microsoft.Deployment.WindowsInstaller.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: tscmon.exe, 0000000E.00000002.2509832271.0000000001395000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe, asrdmon.sys.14.dr, tscmon.exe.0.dr, InfExtractor.dll.0.dr, AdvancedSystemRepairPro.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: tscmon.exe, 0000000E.00000002.2509832271.0000000001395000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe, asrdmon.sys.14.dr, tscmon.exe.0.dr, InfExtractor.dll.0.dr, AdvancedSystemRepairPro.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: Microsoft.Deployment.WindowsInstaller.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: tscmon.exe, 0000000E.00000002.2509832271.0000000001395000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe, asrdmon.sys.14.dr, tscmon.exe.0.dr, InfExtractor.dll.0.dr, AdvancedSystemRepairPro.exe.0.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Microsoft.Deployment.WindowsInstaller.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: tscmon.exe, 0000000E.00000002.2509832271.0000000001395000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe, asrdmon.sys.14.dr, tscmon.exe.0.dr, InfExtractor.dll.0.dr, AdvancedSystemRepairPro.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: tscmon.exe, 0000000E.00000002.2509832271.0000000001395000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe, asrdmon.sys.14.dr, tscmon.exe.0.dr, InfExtractor.dll.0.dr, AdvancedSystemRepairPro.exe.0.dr String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: Microsoft.Deployment.WindowsInstaller.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Microsoft.Deployment.WindowsInstaller.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: tscmon.exe, 0000000E.00000002.2509832271.0000000001395000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe, asrdmon.sys.14.dr, tscmon.exe.0.dr, InfExtractor.dll.0.dr, AdvancedSystemRepairPro.exe.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: tscmon.exe, 0000000E.00000002.2509832271.0000000001395000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe, asrdmon.sys.14.dr, tscmon.exe.0.dr, InfExtractor.dll.0.dr, AdvancedSystemRepairPro.exe.0.dr String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: Microsoft.Deployment.WindowsInstaller.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: Microsoft.Deployment.WindowsInstaller.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: tscmon.exe, 0000000E.00000002.2509832271.0000000001395000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe, asrdmon.sys.14.dr, tscmon.exe.0.dr, InfExtractor.dll.0.dr, AdvancedSystemRepairPro.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: Microsoft.Deployment.WindowsInstaller.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: tscmon.exe, 0000000E.00000002.2509832271.0000000001395000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe, asrdmon.sys.14.dr, tscmon.exe.0.dr, InfExtractor.dll.0.dr, AdvancedSystemRepairPro.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0P
Source: tscmon.exe, 0000000E.00000002.2509832271.0000000001395000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe, asrdmon.sys.14.dr, tscmon.exe.0.dr, InfExtractor.dll.0.dr, AdvancedSystemRepairPro.exe.0.dr String found in binary or memory: http://ocsp.thawte.com0
Source: AdvancedSystemRepairPro.exe.0.dr String found in binary or memory: http://qt.digia.com/
Source: AdvancedSystemRepairPro.exe.0.dr String found in binary or memory: http://qt.digia.com/product/licensing
Source: Microsoft.Deployment.WindowsInstaller.dll.0.dr String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Microsoft.Deployment.WindowsInstaller.dll.0.dr String found in binary or memory: http://s.symcd.com06
Source: Microsoft.Deployment.WindowsInstaller.dll.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: tscmon.exe, 0000000E.00000002.2509832271.0000000001395000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe, asrdmon.sys.14.dr, tscmon.exe.0.dr, InfExtractor.dll.0.dr, AdvancedSystemRepairPro.exe.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Microsoft.Deployment.WindowsInstaller.dll.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: tscmon.exe, 0000000E.00000002.2509832271.0000000001395000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe, asrdmon.sys.14.dr, tscmon.exe.0.dr, InfExtractor.dll.0.dr, AdvancedSystemRepairPro.exe.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: tscmon.exe, 0000000E.00000002.2509832271.0000000001395000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe, asrdmon.sys.14.dr, tscmon.exe.0.dr, InfExtractor.dll.0.dr, AdvancedSystemRepairPro.exe.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Microsoft.Deployment.WindowsInstaller.dll.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Microsoft.Deployment.WindowsInstaller.dll.0.dr String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: Microsoft.Deployment.WindowsInstaller.dll.0.dr String found in binary or memory: http://wixtoolset.org/news/
Source: uninstasr.exe.0.dr String found in binary or memory: http://www.advancedsystemrepair.com.
Source: tscmon.exe, 0000000E.00000002.2509832271.0000000001395000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe, asrdmon.sys.14.dr, tscmon.exe.0.dr, InfExtractor.dll.0.dr, AdvancedSystemRepairPro.exe.0.dr String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: AdvancedSystemRepairPro.exe.0.dr String found in binary or memory: http://www.westcoastlabs.com/about-us/https://advancedsystemrepair.com/ASR-Antimalware-Checkmark-Cer
Source: SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe, uninstasr.exe.0.dr String found in binary or memory: http://www.winimage.com/zLibDll
Source: SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe, uninstasr.exe.0.dr String found in binary or memory: http://www.winimage.com/zLibDll1.2.3rbr
Source: AdvancedSystemRepairPro.exe.0.dr String found in binary or memory: https://advancedsystemrepair.com/Purchase/ASR-german-Upgrade-m7.php
Source: AdvancedSystemRepairPro.exe.0.dr String found in binary or memory: https://advancedsystemrepair.com/certifications/Proof.phphttps://advancedsystemrepair.com/ASR_DLL_Ex
Source: AdvancedSystemRepairPro.exe.0.dr String found in binary or memory: https://advancedsystemrepair.com/reg-premium-de.phphttps://advancedsystemrepair.com/reg-premium7-de.
Source: AdvancedSystemRepairPro.exe.0.dr String found in binary or memory: https://advancedsystemrepair.com/reg-premium-pro-de.phphttps://advancedsystemrepair.com/reg-premium-
Source: AdvancedSystemRepairPro.exe.0.dr String found in binary or memory: https://advancedsystemrepair.com/thank-you-page-german-t.php?id=%sSelect
Source: Microsoft.Deployment.WindowsInstaller.dll.0.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: Microsoft.Deployment.WindowsInstaller.dll.0.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: Microsoft.Deployment.WindowsInstaller.dll.0.dr String found in binary or memory: https://d.symcb.com/rpa0.
Source: tscmon.exe, 0000000E.00000002.2509832271.0000000001395000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe, asrdmon.sys.14.dr, tscmon.exe.0.dr, InfExtractor.dll.0.dr, Microsoft.Deployment.WindowsInstaller.dll.0.dr, AdvancedSystemRepairPro.exe.0.dr String found in binary or memory: https://www.digicert.com/CPS0
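Most of the URLs above are the Authenticode certificate chain (DigiCert, Thawte and Symantec CRL, OCSP, AIA and CPS pointers) that every signed file carries, whereas the asrupdates.com and advancedsystemrepair.com strings are the application's own endpoints, and the URLDownloadToFileW call site in tscmon.exe is where the db3/*.db fetches happen. The trailing "0I", "0." and ".crl0O" fragments are the DER tag (0x30, ASCII "0") and length byte that follow each URL inside the certificate, and several application URLs are fused because the strings sit back to back without a separator. The Python script below, an added example and not part of the report, reproduces that string triage with both artefacts handled: the input blob is constructed from a few of the strings listed here, and the host and path rules for what counts as PKI noise are this example's own heuristic.

```python
"""Pull URLs out of a binary's raw bytes and separate certificate-chain noise
from application endpoints. Added example, not part of the sandbox report; the
input is constructed from strings in the report and the PKI rules are heuristic."""
import re
from collections import defaultdict
from typing import Dict, List
from urllib.parse import urlsplit

# A URL runs until whitespace/NUL or until the next "http(s)://" begins; the
# negative lookahead is what splits fused runs like "...0.dbhttp://...1.db".
URL_RE = re.compile(rb"https?://(?:(?!https?://)[\x21-\x7e])+")
# Inside a certificate the URL is followed by the next DER tag (0x30 = '0') and
# a length byte, which is how "ocsp.digicert.com0I" and ".crl0." arise.
DER_TAIL = re.compile(r"(\.(?:com|net|org|crl|crt|cer|htm)|/cps|/rpa)0[\x21-\x7e]?$", re.I)
# Heuristic markers for CA infrastructure (assumption made for this example)
PKI_HOST_PREFIXES = ("crl", "ocsp", "cacerts", "ts-aia", "ts-crl", "ts-ocsp", "s.symcb", "s.symcd", "d.symcb")
PKI_PATH = re.compile(r"/(?:cps|rpa)\b|cps-repository|\.(?:crl|crt|cer)$", re.I)


def extract_urls(blob: bytes) -> List[str]:
    """Unique URLs in first-seen order, with DER tail bytes stripped."""
    urls: List[str] = []
    for m in URL_RE.finditer(blob):
        url = DER_TAIL.sub(r"\1", m.group().decode("ascii"))
        if url not in urls:
            urls.append(url)
    return urls


def classify(url: str) -> str:
    """'pki' for CRL/OCSP/AIA/CPS pointers, 'app' for everything else."""
    parts = urlsplit(url)
    host, path = parts.netloc.lower(), parts.path
    if host.startswith(PKI_HOST_PREFIXES) or PKI_PATH.search(path):
        return "pki"
    return "app"


def triage_strings(blob: bytes) -> Dict[str, Dict[str, List[str]]]:
    """Group extracted URLs as {kind: {host: [urls]}} so app endpoints stand out."""
    buckets = {"app": defaultdict(list), "pki": defaultdict(list)}
    for url in extract_urls(blob):
        buckets[classify(url)][urlsplit(url).netloc.lower()].append(url)
    return {k: {h: sorted(v) for h, v in sorted(d.items())} for k, d in buckets.items()}


# Constructed input: a few of the report's strings, NUL-separated as they sit in
# .rdata and certificate data, including the fused asrupdates.com run.
SAMPLE_BLOB = (
    b"\x00http://asrupdates.com/db3/0.dbhttp://asrupdates.com/db3/1.dbhttp://asrupdates.com/db3/2.db.tmp\x00"
    b"http://ocsp.digicert.com0I\x00http://crl3.digicert.com/ha-cs-2011a.crl0.\x00"
    b"https://www.digicert.com/CPS0\x00http://advancedsystemrepair.com/EULA.php\x00"
    b"http://www.winimage.com/zLibDll\x00"
)

if __name__ == "__main__":
    for kind, hosts in triage_strings(SAMPLE_BLOB).items():
        for host, urls in hosts.items():
            print(f"{kind:3} {host:28} {len(urls)} url(s): {', '.join(urls)}")
```

On a real file, feed the whole image (`open(path, "rb").read()`) to `triage_strings`; the "app" bucket is the part worth reading, and the "pki" bucket can be compared against the signer shown in the certificate to confirm it is only the chain.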

System Summary

Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13709620-C279-11CE-A49E-444553540000}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Process created: C:\Windows\SysWOW64\wscript.exe wscript.exe //B //T:10 "C:\Users\user\AppData\Local\Temp\pctskbr5.vbs"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Process created: C:\Windows\SysWOW64\wscript.exe wscript.exe //B //T:10 "C:\Users\user\AppData\Local\Temp\pctskbr5.vbs"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Process created: C:\Windows\SysWOW64\wscript.exe wscript.exe //B //T:10 "C:\Users\user\AppData\Local\Temp\pctskbr5.vbs"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Process created: C:\Windows\SysWOW64\wscript.exe wscript.exe //B //T:10 "C:\Users\user\AppData\Local\Temp\pctskbr4.vbs"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Process created: C:\Windows\SysWOW64\wscript.exe wscript.exe //B //T:10 "C:\Users\user\AppData\Local\Temp\pctskbr5.vbs" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Process created: C:\Windows\SysWOW64\wscript.exe wscript.exe //B //T:10 "C:\Users\user\AppData\Local\Temp\pctskbr5.vbs" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Process created: C:\Windows\SysWOW64\wscript.exe wscript.exe //B //T:10 "C:\Users\user\AppData\Local\Temp\pctskbr5.vbs" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Process created: C:\Windows\SysWOW64\wscript.exe wscript.exe //B //T:10 "C:\Users\user\AppData\Local\Temp\pctskbr4.vbs" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Process Stats: CPU usage > 49%
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_00425E22 GetFileAttributesW,GetLastError,ImpersonateLoggedOnUser,RevertToSelf,CreateFileW,GetLastError,ImpersonateLoggedOnUser,RevertToSelf,GetProcAddress,NtQueryInformationFile,CloseHandle,DeleteFileW,SetFileAttributesW,DeleteFileW,ImpersonateLoggedOnUser,RevertToSelf, 7_2_00425E22
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_00426470 RtlInitUnicodeString,NtCreateFile,NtQueryInformationFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlNtStatusToDosError,SetLastError, 7_2_00426470
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_0042651D RtlInitUnicodeString,NtCreateFile,NtQueryInformationFile,NtSetInformationFile,RtlNtStatusToDosError,SetLastError,CloseHandle, 7_2_0042651D
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_004265D2 RtlInitUnicodeString,NtCreateFile,NtSetInformationFile,CloseHandle,RtlNtStatusToDosError,SetLastError,RtlNtStatusToDosError,SetLastError, 7_2_004265D2
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_00426682 RtlInitUnicodeString,NtCreateFile,RtlNtStatusToDosError,SetLastError, 7_2_00426682
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 8_2_00425E22 GetFileAttributesW,GetLastError,ImpersonateLoggedOnUser,RevertToSelf,CreateFileW,GetLastError,ImpersonateLoggedOnUser,RevertToSelf,GetProcAddress,NtQueryInformationFile,CloseHandle,DeleteFileW,SetFileAttributesW,DeleteFileW,ImpersonateLoggedOnUser,RevertToSelf, 8_2_00425E22
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 8_2_00426470 RtlInitUnicodeString,NtCreateFile,NtQueryInformationFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlNtStatusToDosError,SetLastError, 8_2_00426470
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 8_2_0042651D RtlInitUnicodeString,NtCreateFile,NtQueryInformationFile,NtSetInformationFile,RtlNtStatusToDosError,SetLastError,CloseHandle, 8_2_0042651D
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 8_2_004265D2 RtlInitUnicodeString,NtCreateFile,NtSetInformationFile,CloseHandle,RtlNtStatusToDosError,SetLastError,RtlNtStatusToDosError,SetLastError, 8_2_004265D2
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 8_2_00426682 RtlInitUnicodeString,NtCreateFile,RtlNtStatusToDosError,SetLastError, 8_2_00426682
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_005B6D40 RegCreateKeyExW,_malloc,_memset,GetProcAddress,NtLoadDriver, 14_2_005B6D40
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_00555E22 GetFileAttributesW,GetLastError,ImpersonateLoggedOnUser,RevertToSelf,CreateFileW,GetLastError,ImpersonateLoggedOnUser,RevertToSelf,GetProcAddress,NtQueryInformationFile,CloseHandle,DeleteFileW,SetFileAttributesW,DeleteFileW,ImpersonateLoggedOnUser,RevertToSelf, 14_2_00555E22
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_00556470 RtlInitUnicodeString,NtCreateFile,NtQueryInformationFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlNtStatusToDosError,SetLastError, 14_2_00556470
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_0055651D RtlInitUnicodeString,NtCreateFile,NtQueryInformationFile,NtSetInformationFile,RtlNtStatusToDosError,SetLastError,CloseHandle, 14_2_0055651D
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_005565D2 RtlInitUnicodeString,NtCreateFile,NtSetInformationFile,CloseHandle,RtlNtStatusToDosError,SetLastError,RtlNtStatusToDosError,SetLastError, 14_2_005565D2
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_00556682 RtlInitUnicodeString,NtCreateFile,RtlNtStatusToDosError,SetLastError, 14_2_00556682
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_005B6DD9 GetProcAddress,NtLoadDriver, 14_2_005B6DD9
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_00486A60: DeviceIoControl, 7_2_00486A60
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_00432066 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z,__EH_prolog3_catch,OpenSCManagerW,OpenServiceW,QueryServiceStatus,QueryServiceStatus,ControlService,Sleep,QueryServiceStatus,DeleteService, 7_2_00432066
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_004296B1 CreateEnvironmentBlock,Sleep,GetProcessWindowStation,OpenWindowStationW,SetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,SetProcessWindowStation,ImpersonateLoggedOnUser,_memset,CreateProcessAsUserW,RevertToSelf,CloseHandle,CloseHandle,CloseHandle,SetProcessWindowStation,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop, 7_2_004296B1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\asrscan.sys
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe File created: C:\Windows\system32\Drivers\asrdmon.sys
Source: AdvancedSystemRepairPro.exe.0.dr Static PE information: Resource name: DRV type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe, 00000000.00000000.2107900510.000000000063C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameASR InstallerX vs SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe
Source: SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Binary or memory string: OriginalFilenameASR InstallerX vs SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Driver loaded: \Registry\Machine\System\CurrentControlSet\Services\asrdmon
Source: SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: asrdmon.sys.14.dr Binary string: \Device\F779F7D853E643089D51EDCDA79805C4
Source: tscmon.exe.0.dr Binary string: @c:\device\mup\device\lanmanredirector\FopdMonPort\ThumbCacheToDelete\thumbcache_*.db\Microsoft\Windows\ExplorerSoftware\Microsoft\Windows\CurrentVersion\Explorer\UserAssistSYSTEM\CurrentControlSet\Control\SafeBootSOFTWARE\Classes\
Source: classification engine Classification label: mal69.troj.evad.winEXE@16/36@0/0
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_00434FC0 CloseHandle,GetCurrentProcess,OpenProcessToken,_realloc,_memset,GetTokenInformation,AdjustTokenPrivileges,_realloc,FindCloseChangeNotification, 7_2_00434FC0
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_00418C1C RegOpenKeyExW,GetCurrentProcessId,OpenProcess,OpenProcessToken,CloseHandle,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,CloseHandle, 7_2_00418C1C
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_0042CF14 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z,__EH_prolog3,GetCurrentProcessId,OpenProcess,CloseHandle,CloseHandle,OpenProcessToken,CloseHandle,LookupPrivilegeValueW,AdjustTokenPrivileges, 7_2_0042CF14
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_00417ED5 _memset,GetCurrentProcess,OpenProcessToken,GetTokenInformation,AdjustTokenPrivileges,CloseHandle, 7_2_00417ED5
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 8_2_00434FC0 CloseHandle,GetCurrentProcess,OpenProcessToken,_realloc,_memset,GetTokenInformation,AdjustTokenPrivileges,_realloc,FindCloseChangeNotification, 8_2_00434FC0
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 8_2_00418C1C RegOpenKeyExW,GetCurrentProcessId,OpenProcess,OpenProcessToken,CloseHandle,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,CloseHandle, 8_2_00418C1C
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 8_2_0042CF14 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z,__EH_prolog3,GetCurrentProcessId,OpenProcess,CloseHandle,CloseHandle,OpenProcessToken,CloseHandle,LookupPrivilegeValueW,AdjustTokenPrivileges, 8_2_0042CF14
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 8_2_00417ED5 _memset,GetCurrentProcess,OpenProcessToken,GetTokenInformation,AdjustTokenPrivileges,CloseHandle, 8_2_00417ED5
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_00564FC0 CloseHandle,GetCurrentProcess,OpenProcessToken,_realloc,_memset,GetTokenInformation,AdjustTokenPrivileges,_realloc,FindCloseChangeNotification, 14_2_00564FC0
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_00548C1C RegOpenKeyExW,GetCurrentProcessId,OpenProcess,OpenProcessToken,CloseHandle,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,CloseHandle, 14_2_00548C1C
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_0055CF14 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z,__EH_prolog3,GetCurrentProcessId,OpenProcess,CloseHandle,CloseHandle,OpenProcessToken,CloseHandle,LookupPrivilegeValueW,AdjustTokenPrivileges, 14_2_0055CF14
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_00547ED5 _memset,GetCurrentProcess,OpenProcessToken,GetTokenInformation,AdjustTokenPrivileges,CloseHandle, 14_2_00547ED5
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: __EH_prolog3,GetModuleFileNameW,OpenSCManagerW,CreateServiceW, 7_2_00431E9E
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: __EH_prolog3,GetModuleFileNameW,OpenSCManagerW,CreateServiceW, 8_2_00431E9E
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: __EH_prolog3,GetModuleFileNameW,OpenSCManagerW,CreateServiceW, 14_2_00561E9E
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_00418E4B CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,Process32NextW, 7_2_00418E4B
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_004198EA __EH_prolog3,CoCreateInstance,CoSetProxyBlanket, 7_2_004198EA
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_004340C0 FindResourceExW,LoadResource,LockResource,SizeofResource,FindResourceW,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,_memmove_s,_memcpy_s, 7_2_004340C0
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_00416215 __EH_prolog3_catch,GetCommandLineW,CommandLineToArgvW,CoInitialize,SetConsoleCtrlHandler,StartServiceCtrlDispatcherW, 7_2_00416215
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 8_2_00416215 __EH_prolog3_catch,GetCommandLineW,CommandLineToArgvW,CoInitialize,SetConsoleCtrlHandler,StartServiceCtrlDispatcherW, 8_2_00416215
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_00546215 __EH_prolog3_catch,GetCommandLineW,CommandLineToArgvW,CoInitialize,SetConsoleCtrlHandler,StartServiceCtrlDispatcherW, 14_2_00546215
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Advanced System Repair Pro
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\Users\user\AppData\Local\Temp\pctskbr5.vbs
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Command line argument: -install 7_2_00416215
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Command line argument: -remove 7_2_00416215
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Command line argument: -debug 7_2_00416215
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Command line argument: tscmon 7_2_00416215
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Command line argument: asrdmon 7_2_00416215
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Command line argument: asrdmon 7_2_00416215
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Command line argument: \asrscan.sys 7_2_00416215
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Command line argument: 389992 7_2_00416215
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Command line argument: asrdmon 7_2_00416215
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Command line argument: -install 8_2_00416215
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Command line argument: -remove 8_2_00416215
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Command line argument: -debug 8_2_00416215
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Command line argument: tscmon 8_2_00416215
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Command line argument: asrdmon 8_2_00416215
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Command line argument: \asrscan.sys 8_2_00416215
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Command line argument: 389992 8_2_00416215
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Command line argument: -install 14_2_00546215
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Command line argument: -remove 14_2_00546215
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Command line argument: -debug 14_2_00546215
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Command line argument: tscmon 14_2_00546215
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Command line argument: asrdmon 14_2_00546215
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Command line argument: \asrscan.sys 14_2_00546215
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Command line argument: 389992 14_2_00546215
Source: SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File read: C:\Program Files (x86)\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: AdvancedSystemRepairPro.exe.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS weekly2(c_on INTEGER, c_type INTEGER, c_count INTEGER, c_bytes INTEGER);
Source: AdvancedSystemRepairPro.exe.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS saved_results3(c_id INTEGER PRIMARY KEY, c_file TEXT, c_name TEXT, c_source INTEGER, c_mid INTEGER, c_severity INTEGER, c_size INTEGER, c_title TEXT, c_b64 INTEGER, c_iscookie INTEGER, c_tracetype INTEGER, c_mcategory TEXT, mdata1 TEXT, mdata2 INTEGER, c_section INTEGER);
Source: AdvancedSystemRepairPro.exe.0.dr Binary or memory string: select * from saved_results3 WHERE c_section = 100;
Source: tscmon.exe, tscmon.exe, 0000000E.00000002.2509283601.00000000005E7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 0000000E.00000000.2508242224.00000000005E7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe.0.dr Binary or memory string: insert into exclusions(c_name, c_path, c_time) values (?, ?, ?);
Source: AdvancedSystemRepairPro.exe.0.dr Binary or memory string: insert into weekly2(c_on, c_type, c_count, c_bytes) values (?, ?, ?, ?);
Source: AdvancedSystemRepairPro.exe.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS system_fixes(time_on INTEGER, fix_type INTEGER, fix_data1 TEXT, fix_data2 TEXT, fix_data3 TEXT);
Source: AdvancedSystemRepairPro.exe.0.dr Binary or memory string: SELECT malware_data FROM autoclean;
Source: AdvancedSystemRepairPro.exe.0.dr Binary or memory string: select host_key from cookies;
Source: AdvancedSystemRepairPro.exe.0.dr Binary or memory string: SELECT url FROM urls;
Source: AdvancedSystemRepairPro.exe.0.dr Binary or memory string: SELECT COUNT(*) FROM moz_historyvisits;
Source: tscmon.exe, 00000007.00000000.2413517525.00000000004B7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 00000007.00000002.2414253738.00000000004B7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 00000008.00000002.2450689049.00000000004B7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 00000008.00000000.2426324245.00000000004B7000.00000002.00000001.01000000.00000009.sdmp, AdvancedSystemRepairPro.exe, 00000009.00000002.2508574530.00000000011FA000.00000002.00000001.01000000.0000000A.sdmp, tscmon.exe, 0000000E.00000002.2509283601.00000000005E7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 0000000E.00000000.2508242224.00000000005E7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe.0.dr, AdvancedSystemRepairPro.exe.0.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: AdvancedSystemRepairPro.exe.0.dr Binary or memory string: SELECT url FROM moz_places;
Source: AdvancedSystemRepairPro.exe.0.dr Binary or memory string: SELECT COUNT(*) FROM urls;
Source: AdvancedSystemRepairPro.exe.0.dr Binary or memory string: SELECT COUNT(*) FROM moz_places;
Source: tscmon.exe, tscmon.exe, 0000000E.00000002.2509283601.00000000005E7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 0000000E.00000000.2508242224.00000000005E7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS exclusions(c_name TEXT, c_path TEXT, c_time INTEGER);
Source: AdvancedSystemRepairPro.exe.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS realtime(c_id INTEGER PRIMARY KEY, c_file TEXT UNIQUE, c_name TEXT, c_source INTEGER, c_mid INTEGER, c_severity INTEGER, c_size INTEGER, c_title TEXT, c_b64 INTEGER, c_iscookie INTEGER, c_tracetype INTEGER, c_mcategory TEXT, mdata1 TEXT, mdata2 INTEGER);
Source: tscmon.exe, tscmon.exe, 0000000E.00000002.2509283601.00000000005E7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 0000000E.00000000.2508242224.00000000005E7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe.0.dr, AdvancedSystemRepairPro.exe.0.dr Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: AdvancedSystemRepairPro.exe.0.dr Binary or memory string: INSERT OR REPLACE INTO autoclean(malware_data, mdata1) values (?, ?);
Source: AdvancedSystemRepairPro.exe.0.dr Binary or memory string: insert into saved_results3(c_file, c_name, c_source, c_mid, c_severity, c_size, c_title, c_b64, c_iscookie, c_tracetype, c_mcategory, mdata1, mdata2, c_section) values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: tscmon.exe, tscmon.exe, 0000000E.00000002.2509283601.00000000005E7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 0000000E.00000000.2508242224.00000000005E7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe.0.dr, AdvancedSystemRepairPro.exe.0.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: tscmon.exe, tscmon.exe, 0000000E.00000002.2509283601.00000000005E7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 0000000E.00000000.2508242224.00000000005E7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe.0.dr, AdvancedSystemRepairPro.exe.0.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: tscmon.exe, tscmon.exe, 0000000E.00000002.2509283601.00000000005E7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 0000000E.00000000.2508242224.00000000005E7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe.0.dr, AdvancedSystemRepairPro.exe.0.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: tscmon.exe, tscmon.exe, 0000000E.00000002.2509283601.00000000005E7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 0000000E.00000000.2508242224.00000000005E7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe.0.dr Binary or memory string: select * from exclusions;
Source: AdvancedSystemRepairPro.exe.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS autoclean(malware_data TEXT PRIMARY KEY, mdata1 INTEGER);
Source: AdvancedSystemRepairPro.exe.0.dr Binary or memory string: INSERT INTO system_fixes(time_on, fix_type, fix_data1, fix_data2, fix_data3) values (?, ?, ?, ?, ?);
Source: AdvancedSystemRepairPro.exe.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS system_boots(time_on INTEGER PRIMARY KEY, duration INTEGER);
Source: AdvancedSystemRepairPro.exe.0.dr Binary or memory string: INSERT INTO system_boots(time_on, duration) values (?, ?);
Source: AdvancedSystemRepairPro.exe.0.dr Binary or memory string: select host from moz_cookies;
Source: AdvancedSystemRepairPro.exe.0.dr Binary or memory string: SELECT c_type, c_count, c_bytes FROM weekly2;
Source: tscmon.exe, tscmon.exe, 0000000E.00000002.2509283601.00000000005E7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 0000000E.00000000.2508242224.00000000005E7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe.0.dr, AdvancedSystemRepairPro.exe.0.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: AdvancedSystemRepairPro.exe.0.dr Binary or memory string: select * from saved_results3 WHERE c_section != 100;
Source: tscmon.exe, tscmon.exe, 0000000E.00000002.2509283601.00000000005E7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 0000000E.00000000.2508242224.00000000005E7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe.0.dr, AdvancedSystemRepairPro.exe.0.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: tscmon.exe, tscmon.exe, 0000000E.00000002.2509283601.00000000005E7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 0000000E.00000000.2508242224.00000000005E7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe.0.dr Binary or memory string: UPDATE exclusions SET c_time = ? WHERE c_name = ? AND c_path = ?;
Source: AdvancedSystemRepairPro.exe.0.dr Binary or memory string: SELECT date_created, origin_url, username_value, password_value, times_used FROM logins;
Source: SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe ReversingLabs: Detection: 15%
Source: SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Virustotal: Detection: 14%
Source: tscmon.exe String found in binary or memory: -install
Source: SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe String found in binary or memory: ampru.batdel /F~ DPIUNAWARESoftware\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\asrscan.sysadrsj3.tmpadrsjr3.tmp\dsutil.zip/\pcw.pack\pcw.dll -install yes\lang.datDisplayNameAdvanced System Repair, Inc.PublisherInstallLocationVersionMajorVersionMinor1.8.2.3uninst01.exe\asr\Uninstall Advanced System Repair Pro.lnk.lnkbsskbr4.vpct-removeitmsiexec.exe,\s3.dllvector<T> too longCHoverButton
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe "C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Process created: C:\Windows\SysWOW64\wscript.exe wscript.exe //B //T:10 "C:\Users\user\AppData\Local\Temp\pctskbr5.vbs"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Process created: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe "C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe" -install yes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Process created: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe "C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe" -remove yes
Source: unknown Process created: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\AdvancedSystemRepairPro.exe "C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\AdvancedSystemRepairPro.exe" /minimize
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Process created: C:\Windows\SysWOW64\wscript.exe wscript.exe //B //T:10 "C:\Users\user\AppData\Local\Temp\pctskbr4.vbs"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Section loaded: oledlg.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Section loaded: taskschd.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Section loaded: xmllite.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Section loaded: netapi32.dll
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Section loaded: fltlib.dll
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Section loaded: samcli.dll
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Static PE information: certificate valid
Source: SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Static file information: File size 20872232 > 1048576
Source: SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x13e600
Source: SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Static PE information: More than 200 imports for USER32.dll
Source: SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\src\wix38\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.0.dr
Source: Binary string: asrdmon.pdb source: tscmon.exe, 0000000E.00000002.2509832271.0000000001395000.00000004.00000020.00020000.00000000.sdmp, asrdmon.sys.14.dr
Source: Binary string: C:\dev\BCL\LongPath\Microsoft.Experimental.IO\Microsoft.Experimental.IO\obj\Release\Microsoft.Experimental.IO.pdb source: Microsoft.Experimental.IO.dll.0.dr
Source: Binary string: c:\src\wix38\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb8 source: Microsoft.Deployment.WindowsInstaller.dll.0.dr
Source: Binary string: D:\A\_work\39\s\bin/obj/AnyOS.AnyCPU.Release/System.Security.Cryptography.Primitives/net46\System.Security.Cryptography.Primitives.pdb source: System.Security.Cryptography.Primitives.dll.0.dr
Source: Binary string: d:\installdll\bin\i386\opteng.pdb source: AdvancedSystemRepairPro.exe, 00000009.00000000.2505031205.00000000013A3000.00000002.00000001.01000000.0000000A.sdmp, AdvancedSystemRepairPro.exe.0.dr
Source: Binary string: D:\A\_work\39\s\bin/obj/Windows_NT.AnyCPU.Release/System.Security.Cryptography.Algorithms/net46\System.Security.Cryptography.Algorithms.pdb source: System.Security.Cryptography.Algorithms.dll.0.dr
Source: Binary string: D:\A\_work\39\s\bin/obj/Windows_NT.AnyCPU.Release/System.Security.Cryptography.Encoding/net46\System.Security.Cryptography.Encoding.pdb source: System.Security.Cryptography.Encoding.dll.0.dr
Source: Binary string: d:\_projects\TotalSystemCare2G\PCSetup\res\offline\tscmon.pdbD source: tscmon.exe, 00000007.00000000.2413517525.00000000004B7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 00000007.00000002.2414253738.00000000004B7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 00000008.00000002.2450689049.00000000004B7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 00000008.00000000.2426324245.00000000004B7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 0000000E.00000002.2509283601.00000000005E7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 0000000E.00000000.2508242224.00000000005E7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe.0.dr
Source: Binary string: C:\dev\BCL\LongPath\Microsoft.Experimental.IO\Microsoft.Experimental.IO\obj\Release\Microsoft.Experimental.IO.pdb M>M 0M_CorDllMainmscoree.dll source: Microsoft.Experimental.IO.dll.0.dr
Source: Binary string: d:\installdll\bin\i386\opteng.pdbP source: AdvancedSystemRepairPro.exe, 00000009.00000000.2505031205.00000000013A3000.00000002.00000001.01000000.0000000A.sdmp, AdvancedSystemRepairPro.exe.0.dr
Source: Binary string: D:\_projects\DriverScanner2\InfExtractor\obj\Release\InfExtractor.pdb source: InfExtractor.dll.0.dr
Source: Binary string: d:\_projects\TotalSystemCare2G\PCSetup\res\offline\tscmon.pdb source: tscmon.exe, 00000007.00000000.2413517525.00000000004B7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 00000007.00000002.2414253738.00000000004B7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 00000008.00000002.2450689049.00000000004B7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 00000008.00000000.2426324245.00000000004B7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 0000000E.00000002.2509283601.00000000005E7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe, 0000000E.00000000.2508242224.00000000005E7000.00000002.00000001.01000000.00000009.sdmp, tscmon.exe.0.dr
Source: SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: Newtonsoft.Json.dll.0.dr Static PE information: 0xA9EED2CD [Wed May 5 16:43:57 2060 UTC]
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_004271B8 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetFileAttributesW,CreateDirectoryW,GetLastError, 7_2_004271B8
Source: 7z.dll.0.dr Static PE information: section name: .sxdata
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_0048F969 push ecx; ret 7_2_0048F97C
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_0048FB63 push ecx; ret 7_2_0048FB76
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 8_2_0048F969 push ecx; ret 8_2_0048F97C
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 8_2_0048FB63 push ecx; ret 8_2_0048FB76
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_005BF969 push ecx; ret 14_2_005BF97C
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_005BFB63 push ecx; ret 14_2_005BFB76
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\BouncyCastle.Crypto.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\ZetaLongPaths.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\System.Security.Cryptography.Primitives.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\System.Security.Cryptography.X509Certificates.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\System.Security.Cryptography.Algorithms.dll
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe File created: C:\Windows\System32\drivers\asrdmon.sys
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\System.Security.Cryptography.Encoding.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\7z\7z.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\ProgramData\TSR7Settings\uninstasr.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\InfExtractor.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\7z\x64\7z.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\dsutil.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\7z\7-zip.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\AdvancedSystemRepairPro.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\7z\x64\7-zip.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\asrscan.sys
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\7z\7z.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\Newtonsoft.Json.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\SevenZipSharp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\7z\x64\7z.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\Microsoft.Experimental.IO.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\ProgramData\TSR7Settings\uninstasr.exe
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe File created: C:\Windows\System32\drivers\asrdmon.sys
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\7z\License.txt
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\7z\readme.txt
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\7z\License.txt
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\7z\readme.txt
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\asrdmon
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Advanced System Repair Pro
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Advanced System Repair Pro\Advanced System Repair Pro.lnk
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Advanced System Repair Pro\Uninstall Advanced System Repair Pro.lnk
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_00416215 __EH_prolog3_catch,GetCommandLineW,CommandLineToArgvW,CoInitialize,SetConsoleCtrlHandler,StartServiceCtrlDispatcherW, 7_2_00416215
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: __ehhandler$?_Initialize@SchedulerPolicy@Concurrency@@AAEXIPAPAD@Z,__EH_prolog3_catch,OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,_malloc,EnumServicesStatusExW,OpenServiceW,QueryServiceConfigW,QueryServiceConfigW,_malloc,QueryServiceConfigW, 7_2_0042DAAF
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: __ehhandler$?_Initialize@SchedulerPolicy@Concurrency@@AAEXIPAPAD@Z,__EH_prolog3_catch,OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,_malloc,EnumServicesStatusExW,OpenServiceW,QueryServiceConfigW,QueryServiceConfigW,_malloc,QueryServiceConfigW, 8_2_0042DAAF
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: __ehhandler$?_Initialize@SchedulerPolicy@Concurrency@@AAEXIPAPAD@Z,__EH_prolog3_catch,OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,_malloc,EnumServicesStatusExW,OpenServiceW,QueryServiceConfigW,QueryServiceConfigW,_malloc,QueryServiceConfigW, 14_2_0055DAAF
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Dropped PE file which has not been started: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\BouncyCastle.Crypto.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Dropped PE file which has not been started: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\ZetaLongPaths.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Dropped PE file which has not been started: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\System.Security.Cryptography.Primitives.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Dropped PE file which has not been started: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\System.Security.Cryptography.X509Certificates.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Dropped PE file which has not been started: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\System.Security.Cryptography.Algorithms.dll
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Dropped PE file which has not been started: C:\Windows\System32\drivers\asrdmon.sys
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Dropped PE file which has not been started: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\System.Security.Cryptography.Encoding.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Dropped PE file which has not been started: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\7z\7z.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Dropped PE file which has not been started: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\InfExtractor.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Dropped PE file which has not been started: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\7z\x64\7z.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Dropped PE file which has not been started: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Dropped PE file which has not been started: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\dsutil.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Dropped PE file which has not been started: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\7z\7-zip.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Dropped PE file which has not been started: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\7z\x64\7-zip.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Dropped PE file which has not been started: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\asrscan.sys
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Dropped PE file which has not been started: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\7z\7z.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Dropped PE file which has not been started: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\SevenZipSharp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Dropped PE file which has not been started: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\7z\x64\7z.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Dropped PE file which has not been started: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\Newtonsoft.Json.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Dropped PE file which has not been started: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\Microsoft.Experimental.IO.dll
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe API coverage: 5.0 %
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe API coverage: 3.5 %
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe API coverage: 6.2 %
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_00419489 __EH_prolog3_GS,FindFirstFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,PathFileExistsW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 7_2_00419489
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_00435580 FindResourceW,_memcpy_s,FindFirstFileW,FindFirstFileW,FindClose,FindNextFileW, 7_2_00435580
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_004896E0 DeleteFileW,_memset,FindFirstFileW,FindClose, 7_2_004896E0
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_00435810 FindFirstFileW, 7_2_00435810
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_0048A850 FindFirstFileW,FindFirstFileW,FindClose,FindNextFileW, 7_2_0048A850
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_0042B5DA _memset,FindFirstFileW, 7_2_0042B5DA
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_0042BC41 __EH_prolog3_catch,_memset,FindFirstFileW,FindNextFileW, 7_2_0042BC41
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_00427E12 FindFirstFileW,UuidFromStringW,FindNextFileW,FindClose, 7_2_00427E12
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 8_2_00419489 __EH_prolog3_GS,FindFirstFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,PathFileExistsW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 8_2_00419489
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 8_2_00435580 FindResourceW,_memcpy_s,FindFirstFileW,FindFirstFileW,FindClose,FindNextFileW, 8_2_00435580
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 8_2_004896E0 DeleteFileW,_memset,FindFirstFileW,FindClose, 8_2_004896E0
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 8_2_00435810 FindFirstFileW, 8_2_00435810
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 8_2_0048A850 FindFirstFileW,FindFirstFileW,FindClose,FindNextFileW, 8_2_0048A850
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 8_2_0042B5DA _memset,FindFirstFileW, 8_2_0042B5DA
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 8_2_0042BC41 __EH_prolog3_catch,_memset,FindFirstFileW,FindNextFileW, 8_2_0042BC41
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 8_2_00427E12 FindFirstFileW,UuidFromStringW,FindNextFileW,FindClose, 8_2_00427E12
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_00549489 __EH_prolog3_GS,FindFirstFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,PathFileExistsW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 14_2_00549489
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_00565580 FindResourceW,_memcpy_s,FindFirstFileW,FindFirstFileW,FindClose,FindNextFileW, 14_2_00565580
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_005B96E0 DeleteFileW,_memset,FindFirstFileW,FindClose, 14_2_005B96E0
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_00565810 FindFirstFileW, 14_2_00565810
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_005BA850 FindFirstFileW,FindFirstFileW,FindClose,FindNextFileW, 14_2_005BA850
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_0055B5DA _memset,FindFirstFileW, 14_2_0055B5DA
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_0055BC41 __EH_prolog3_catch,_memset,FindFirstFileW,FindNextFileW, 14_2_0055BC41
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_00557E12 FindFirstFileW,UuidFromStringW,FindNextFileW,FindClose, 14_2_00557E12
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_004889E0 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,QueryDosDeviceW, 7_2_004889E0
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: wscript.exe, 00000005.00000002.2298849403.0000000003698000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}(n
Source: wscript.exe, 00000006.00000002.2360871256.00000000027D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: AdvancedSystemRepairPro.exe.0.dr Binary or memory string: hkey_local_machine\software\microsoft\windows\currentversion\shareddlls|c:\program files\vmware\vmware tools\unzip.exe
Source: AdvancedSystemRepairPro.exe.0.dr Binary or memory string: vmciW
Source: AdvancedSystemRepairPro.exe, 00000009.00000002.2509142178.0000000001380000.00000008.00000001.01000000.0000000A.sdmp, AdvancedSystemRepairPro.exe.0.dr Binary or memory string: .?AVQEmulationPaintuser@@
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe API call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe API call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_0048C06D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_0048C06D
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_004271B8 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetFileAttributesW,CreateDirectoryW,GetLastError, 7_2_004271B8
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_004A4E7B GetProcessHeap, 7_2_004A4E7B
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_00490053 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00490053
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_0048C06D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_0048C06D
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_0048B8F8 _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_0048B8F8
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_0048B98E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_0048B98E
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_00497A08 SetUnhandledExceptionFilter, 7_2_00497A08
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 8_2_00490053 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00490053
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 8_2_0048C06D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_0048C06D
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 8_2_0048B8F8 _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_0048B8F8
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 8_2_0048B98E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_0048B98E
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 8_2_00497A08 SetUnhandledExceptionFilter, 8_2_00497A08
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_005C0053 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_005C0053
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_005BC06D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 14_2_005BC06D
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_005BB8F8 _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_005BB8F8
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_005BB98E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 14_2_005BB98E
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_005C7A08 SetUnhandledExceptionFilter, 14_2_005C7A08

HIPS / PFW / Operating System Protection Evasion

Source: SevenZipSharp.dll.0.dr, SevenZipExtractor.cs Reference to suspicious API methods: SevenZipLibraryManager.LoadLibrary(this, _format)
Source: SevenZipSharp.dll.0.dr, SevenZipLibraryManager.cs Reference to suspicious API methods: NativeMethods.GetProcAddress(_modulePtr, "GetHandlerProperty")
Source: Microsoft.Deployment.WindowsInstaller.dll.0.dr, Installer.cs Reference to suspicious API methods: NativeMethods.FindResourceEx(intPtr, new IntPtr(10), new IntPtr(errorNumber), (ushort)num)
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_00418CB5 __EH_prolog3_catch_GS,AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityW,LocalFree,LocalFree,FreeSid, 7_2_00418CB5
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 7_2_0049C054
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 7_2_0049C4A5
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 7_2_0049C5BC
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA, 7_2_004A0644
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 7_2_0049C654
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 7_2_004A0610
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 7_2_0049C6C8
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 7_2_004A0783
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 7_2_0049C89A
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 7_2_0049C95B
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 7_2_0049C9C2
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 7_2_0049C9FE
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: GetLocaleInfoA, 7_2_00491348
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: GetLocaleInfoA, 7_2_0049E2B0
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 7_2_0049724B
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 7_2_0049B78E
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 7_2_0048FC20
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 7_2_0049BDFC
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 8_2_0049C054
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 8_2_0049C4A5
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 8_2_0049C5BC
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA, 8_2_004A0644
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 8_2_0049C654
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 8_2_004A0610
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 8_2_0049C6C8
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 8_2_004A0783
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 8_2_0049C89A
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 8_2_0049C95B
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 8_2_0049C9C2
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 8_2_0049C9FE
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: GetLocaleInfoA, 8_2_00491348
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: GetLocaleInfoA, 8_2_0049E2B0
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 8_2_0049724B
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 8_2_0049B78E
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 8_2_0048FC20
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 8_2_0049BDFC
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 14_2_005CC054
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 14_2_005CC4A5
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 14_2_005CC5BC
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 14_2_005CC654
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA, 14_2_005D0644
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 14_2_005D0610
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 14_2_005CC6C8
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 14_2_005D0783
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 14_2_005CC89A
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 14_2_005CC95B
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 14_2_005CC9C2
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 14_2_005CC9FE
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: GetLocaleInfoA, 14_2_005C1348
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: GetLocaleInfoA, 14_2_005CE2B0
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 14_2_005C724B
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 14_2_005CB78E
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 14_2_005BFC20
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 14_2_005CBDFC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_00498036 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 7_2_00498036
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_0042D6A7 __EH_prolog3,LocalAlloc,LocalFree,LocalFree,LookupAccountNameW,ConvertSidToStringSidW,LocalFree, 7_2_0042D6A7
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_00498FEA __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 7_2_00498FEA
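Most of the "Code function" hits listed above (the IsDebuggerPresent/SetUnhandledExceptionFilter/TerminateProcess chain, the GetSystemTimeAsFileTime/GetTickCount/QueryPerformanceCounter chain, and the dozens of GetLocaleInfo/EnumSystemLocales chains) are the MSVC C runtime's own startup and fault-handling code (the /GS security-cookie seed, the abort/__report_gsfailure path and setlocale internals), not bespoke anti-analysis logic written by the author of tscmon.exe. The same functions are also reported three times because processes 7, 8 and 14 are separate instances of the same image, one of them rebased. The helper below is an added example, not part of the Joe Sandbox report or of the analysed software: it parses "Code function" lines of this format, collapses repeated hits across process instances, infers the rebase delta, and separates CRT boilerplate from chains an analyst should actually open in a disassembler (dynamic API resolution via LoadLibraryW/GetProcAddress, file DACL rewriting via SetFileSecurityW, SID lookups). The CRT signature sets are this example's own assumption about which Win32 calls the runtime makes; the sample lines are copied verbatim from the report section above.

```python
"""Triage helper for Joe Sandbox "Code function" lines (added example, not report code).

Separates MSVC CRT boilerplate from call chains worth reviewing and collapses the
same function reported from several instances of one image.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the report lines above, copied verbatim.
SAMPLE = r"""
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_0048C06D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_0048C06D
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_004271B8 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetFileAttributesW,CreateDirectoryW,GetLastError, 7_2_004271B8
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 14_2_005BC06D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 14_2_005BC06D
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_00418CB5 __EH_prolog3_catch_GS,AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityW,LocalFree,LocalFree,FreeSid, 7_2_00418CB5
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 7_2_0049C4A5
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 14_2_005CC9C2
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_00498036 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 7_2_00498036
Source: C:\Program Files (x86)\Advanced System Repair Pro 1.8.2.3.0\tscmon.exe Code function: 7_2_0042D6A7 __EH_prolog3,LocalAlloc,LocalFree,LocalFree,LookupAccountNameW,ConvertSidToStringSidW,LocalFree, 7_2_0042D6A7
"""

# "Code function: [PID_RUN_ADDR ]api,api,..., PID_RUN_ADDR" - the leading id is optional.
FUNC_RE = re.compile(
    r"Code function: (?:\d+_\d+_[0-9A-F]{8} )?"
    r"(?P<chain>\S+?),? (?P<pid>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-F]{8})\s*$"
)

# CRT-internal symbols (_memset, __getptd, _LocaleUpdate::...) are not Win32 imports.
CRT_INTERNAL = re.compile(r"^_|::")

# Assumed Win32 call sets of well-known MSVC CRT routines. A chain whose imports are a
# subset of one of these is runtime boilerplate, whatever the sandbox signature says.
CRT_PATTERNS = {
    "crt: __security_init_cookie": {
        "GetSystemTimeAsFileTime", "GetCurrentProcessId", "GetCurrentThreadId",
        "GetTickCount", "QueryPerformanceCounter"},
    "crt: abort/__report_gsfailure handler": {
        "IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter",
        "GetCurrentProcess", "TerminateProcess"},
    "crt: setlocale internals": {
        "GetLocaleInfoA", "GetLocaleInfoW", "EnumSystemLocalesA", "GetACP", "GetCPInfo",
        "IsValidCodePage", "IsValidLocale", "GetUserDefaultLCID", "WideCharToMultiByte",
        "GetLastError", "InterlockedDecrement"},
    "crt: _tzset": {"GetTimeZoneInformation", "WideCharToMultiByte"},
    "heap handle fetch only": {"GetProcessHeap"},
}


def classify(chain):
    """Label a comma-separated call chain as CRT boilerplate or 'review'."""
    apis = {c for c in chain.split(",") if c and not CRT_INTERNAL.search(c)}
    if not apis:
        return "crt: internals only"
    for label, allowed in CRT_PATTERNS.items():
        if apis <= allowed:
            return label
    return "review"


def triage(report_text):
    """Map each distinct call chain to its class and the (pid, address) hits reporting it."""
    by_chain = defaultdict(list)
    for line in report_text.strip().splitlines():
        m = FUNC_RE.search(line)
        if m:
            by_chain[m["chain"]].append((int(m["pid"]), int(m["addr"], 16)))
    return {c: {"class": classify(c), "hits": hits} for c, hits in by_chain.items()}


def rebase_deltas(results):
    """Same chain at different addresses in different PIDs means the image was rebased."""
    deltas = {}
    for info in results.values():
        hits = sorted(info["hits"])
        for (pa, aa), (pb, ab) in zip(hits, hits[1:]):
            if pa != pb and aa != ab:
                deltas.setdefault((pa, pb), ab - aa)
    return deltas


def review_items(results):
    """Chains that are not CRT boilerplate, listed once however many processes hit them."""
    return sorted(c for c, info in results.items() if info["class"] == "review")


if __name__ == "__main__":
    res = triage(SAMPLE)
    for chain, info in res.items():
        print(f"{info['class']:<40} x{len(info['hits'])}  {chain[:72]}")
    print("rebase deltas:", {k: hex(v) for k, v in rebase_deltas(res).items()})
    print("to review:", len(review_items(res)), "of", len(res), "distinct functions")
```

On this sample the script leaves three chains for manual review (the GetProcAddress resolver, the SetFileSecurityW DACL writer and the LookupAccountNameW/ConvertSidToStringSidW lookup) and reports a 0x130000 delta between process 7 and process 14, which is why 7_2_0048C06D and 14_2_005BC06D are the same function. Extend CRT_PATTERNS only with call sets you have confirmed in the runtime yourself; an over-broad allow-list would hide a genuine IsDebuggerPresent check that happens to sit next to CRT calls.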
Source: C:\Users\user\Desktop\SecuriteInfo.com.Program.Unwanted.4272.4089.31387.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
No contacted IP infos