URL:

https://www.iobit.com/downloadcenter.php?product=software-updater

Full analysis: https://app.any.run/tasks/5f8c32d5-dca4-41f6-9c9c-ca9ebe3248bc
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: June 09, 2021, 15:13:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MD5:

B22FD54C5541656F58D2BA8E9C1AF49A

SHA1:

6B6ABA69CBBEA9B6D5B57A446C917EACA511C9E2

SHA256:

13ACCDB0C57AADD1FD21C06381287DCF42C35D536561475841806029387C5786

SSDEEP:

3:N8DSLgzMHfXLVN4GYNIVyg:2OLgIjVHYNIVyg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • iobit-software-updater-setup.exe (PID: 1356)
      • iobit-software-updater-setup.exe (PID: 2872)
      • SUInitrun.exe (PID: 2084)
      • LocalLang.exe (PID: 2368)
      • SUInit.exe (PID: 2360)
      • iobit-software-updater-setup.exe (PID: 2196)
      • Setup.exe (PID: 3288)
      • ICONPIN32.exe (PID: 3456)
      • UninstallPromote.exe (PID: 2864)
      • IObitDownloader.exe (PID: 1200)
      • SoftwareUpdater.exe (PID: 2892)
      • SUFeature.exe (PID: 1544)
      • SUFeature.exe (PID: 3892)
      • CareScan.exe (PID: 1396)
      • AutoUpdate.exe (PID: 3392)
      • iTopSetup.exe (PID: 756)
      • ugin.exe (PID: 2400)
      • ugin.exe (PID: 3020)
      • ugin.exe (PID: 2644)
      • unpr.exe (PID: 2168)
      • iTopVPN.exe (PID: 1232)
      • iTopVPN.exe (PID: 2664)
      • icop32.exe (PID: 3884)
      • ugin.exe (PID: 1252)
      • ugin.exe (PID: 3480)
      • atud.exe (PID: 1576)
      • aud.exe (PID: 1024)
      • aud.exe (PID: 3096)
      • iTopVPNMini.exe (PID: 3652)
      • itopverl.exe (PID: 1132)
      • iScrInit.exe (PID: 3428)
      • iScrInit.exe (PID: 3396)
      • iScrInit.exe (PID: 1984)
      • GpuCheck.exe (PID: 3720)
      • LocalLang.exe (PID: 3196)
      • ISS_Setup.exe (PID: 2824)
      • UninstallInfo.exe (PID: 2136)
      • iScrInit.exe (PID: 4088)
      • iSsInit.exe (PID: 3688)
      • iSsInit.exe (PID: 3000)
      • iScrRec.exe (PID: 3976)
      • LocalLang.exe (PID: 1248)
      • UninstallInfo.exe (PID: 3212)
      • AutoUpdate.exe (PID: 3028)
      • get-graphics-offsets32.exe (PID: 3056)
      • GpuCheck.exe (PID: 1776)
      • AUpdate.exe (PID: 2184)
      • iScrInit.exe (PID: 4000)
      • iScrInit.exe (PID: 1648)

    • Drops executable file immediately after starts

      • iobit-software-updater-setup.exe (PID: 1356)
      • iobit-software-updater-setup.exe (PID: 2872)
      • iobit-software-updater-setup.exe (PID: 2196)
      • iTopSetup.exe (PID: 756)
      • iTopSetup.tmp (PID: 3696)
      • ugin.exe (PID: 3020)
      • ISRSetup.exe (PID: 2060)
      • ISS_Setup.exe (PID: 2824)
      • ISS_Setup.tmp (PID: 3804)

    • Actions looks like stealing of personal data

      • iobit-software-updater-setup.tmp (PID: 1012)
      • SUInit.exe (PID: 2360)
      • CareScan.exe (PID: 1396)

    • Loads the Task Scheduler COM API

      • SUInit.exe (PID: 2360)
      • SoftwareUpdater.exe (PID: 2892)
      • schtasks.exe (PID: 3060)
      • iTopVPN.exe (PID: 1232)
      • iTopVPN.exe (PID: 2664)
      • iScrInit.exe (PID: 1984)
      • iSsInit.exe (PID: 3000)
      • iScrRec.exe (PID: 3976)
      • schtasks.exe (PID: 4032)
      • schtasks.exe (PID: 3308)
      • iScrInit.exe (PID: 1648)
      • iScrInit.exe (PID: 4000)

    • Runs injected code in another process

      • ICONPIN32.exe (PID: 3456)

    • Loads dropped or rewritten executable

      • UninstallPromote.exe (PID: 2864)
      • explorer.exe (PID: 1784)
      • SUInit.exe (PID: 2360)
      • SoftwareUpdater.exe (PID: 2892)
      • CareScan.exe (PID: 1396)
      • SUFeature.exe (PID: 1544)
      • AutoUpdate.exe (PID: 3392)
      • SUFeature.exe (PID: 3892)
      • unpr.exe (PID: 2168)
      • iTopVPN.exe (PID: 2664)
      • atud.exe (PID: 1576)
      • aud.exe (PID: 1024)
      • aud.exe (PID: 3096)
      • iScrInit.exe (PID: 1984)
      • iScrInit.exe (PID: 4088)
      • iScrInit.exe (PID: 3396)
      • iScrInit.exe (PID: 3428)
      • UninstallInfo.exe (PID: 2136)
      • iScrRec.exe (PID: 3976)
      • GpuCheck.exe (PID: 3720)
      • UninstallInfo.exe (PID: 3212)
      • iScrInit.exe (PID: 1648)
      • AUpdate.exe (PID: 2184)
      • AutoUpdate.exe (PID: 3028)
      • iScrInit.exe (PID: 4000)

    • Application was injected by another process

      • explorer.exe (PID: 1784)

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 3012)
      • cmd.exe (PID: 2980)
      • cmd.exe (PID: 2440)

    • Steals credentials from Web Browsers

      • CareScan.exe (PID: 1396)

    • Changes settings of System certificates

      • atud.exe (PID: 1576)

  • SUSPICIOUS

    • Drops a file with a compile date too recent

      • chrome.exe (PID: 1988)
      • iobit-software-updater-setup.tmp (PID: 1012)
      • iobit-software-updater-setup.tmp (PID: 3192)
      • iTopSetup.tmp (PID: 3696)
      • atud.exe (PID: 1576)
      • ISRSetup.tmp (PID: 2576)
      • ISS_Setup.tmp (PID: 3804)

    • Executable content was dropped or overwritten

      • chrome.exe (PID: 1988)
      • iobit-software-updater-setup.exe (PID: 1356)
      • iobit-software-updater-setup.exe (PID: 2872)
      • iobit-software-updater-setup.tmp (PID: 1012)
      • iobit-software-updater-setup.exe (PID: 2196)
      • iobit-software-updater-setup.tmp (PID: 3192)
      • IObitDownloader.exe (PID: 1200)
      • iTopSetup.exe (PID: 756)
      • iTopSetup.tmp (PID: 3696)
      • ugin.exe (PID: 3020)
      • ISRSetup.exe (PID: 2060)
      • ISRSetup.tmp (PID: 2576)
      • atud.exe (PID: 1576)
      • ISS_Setup.exe (PID: 2824)
      • ISS_Setup.tmp (PID: 3804)

    • Reads Windows owner or organization settings

      • iobit-software-updater-setup.tmp (PID: 1012)
      • iobit-software-updater-setup.tmp (PID: 3192)
      • iTopSetup.tmp (PID: 3696)
      • ISRSetup.tmp (PID: 2576)
      • ISS_Setup.tmp (PID: 3804)

    • Reads the Windows organization settings

      • iobit-software-updater-setup.tmp (PID: 1012)
      • iobit-software-updater-setup.tmp (PID: 3192)
      • iTopSetup.tmp (PID: 3696)
      • ISRSetup.tmp (PID: 2576)
      • ISS_Setup.tmp (PID: 3804)

    • Creates files in the user directory

      • Setup.exe (PID: 984)
      • SUInit.exe (PID: 2360)
      • explorer.exe (PID: 1784)
      • AutoUpdate.exe (PID: 3392)
      • SoftwareUpdater.exe (PID: 2892)
      • iTopVPN.exe (PID: 2664)
      • CareScan.exe (PID: 1396)
      • ISRSetup.tmp (PID: 2576)
      • iScrInit.exe (PID: 1984)
      • GpuCheck.exe (PID: 3720)
      • iScrInit.exe (PID: 4088)
      • ISS_Setup.tmp (PID: 3804)
      • iScrRec.exe (PID: 3976)

    • Uses TASKKILL.EXE to kill process

      • iobit-software-updater-setup.tmp (PID: 3192)
      • iTopSetup.tmp (PID: 3696)

    • Creates a directory in Program Files

      • iobit-software-updater-setup.tmp (PID: 3192)
      • SUInit.exe (PID: 2360)
      • SoftwareUpdater.exe (PID: 2892)
      • AutoUpdate.exe (PID: 3392)
      • iTopSetup.tmp (PID: 3696)
      • IObitDownloader.exe (PID: 1200)
      • atud.exe (PID: 1576)
      • iTopVPN.exe (PID: 2664)
      • ISRSetup.tmp (PID: 2576)
      • ISS_Setup.tmp (PID: 3804)
      • iScrRec.exe (PID: 3976)
      • AutoUpdate.exe (PID: 3028)

    • Creates files in the program directory

      • SUInitrun.exe (PID: 2084)
      • UninstallPromote.exe (PID: 2864)
      • IObitDownloader.exe (PID: 1200)
      • SoftwareUpdater.exe (PID: 2892)
      • CareScan.exe (PID: 1396)
      • AutoUpdate.exe (PID: 3392)
      • ugin.exe (PID: 2400)
      • ugin.exe (PID: 3020)
      • ugin.exe (PID: 2644)
      • unpr.exe (PID: 2168)
      • iTopVPN.exe (PID: 1232)
      • ugin.exe (PID: 1252)
      • iTopVPN.exe (PID: 2664)
      • ugin.exe (PID: 3480)
      • atud.exe (PID: 1576)
      • itopverl.exe (PID: 1132)
      • LocalLang.exe (PID: 3196)
      • iScrInit.exe (PID: 1984)
      • UninstallInfo.exe (PID: 2136)
      • UninstallInfo.exe (PID: 3212)
      • iScrRec.exe (PID: 3976)
      • AutoUpdate.exe (PID: 3028)

    • Drops a file that was compiled in debug mode

      • iobit-software-updater-setup.tmp (PID: 3192)
      • iTopSetup.tmp (PID: 3696)
      • ugin.exe (PID: 3020)
      • ISRSetup.tmp (PID: 2576)
      • ISS_Setup.tmp (PID: 3804)

    • Searches for installed software

      • iobit-software-updater-setup.tmp (PID: 3192)
      • SoftwareUpdater.exe (PID: 2892)
      • CareScan.exe (PID: 1396)

    • Executed via COM

      • DllHost.exe (PID: 2756)

    • Starts CMD.EXE for commands execution

      • SoftwareUpdater.exe (PID: 2892)
      • iTopVPN.exe (PID: 2664)
      • iScrRec.exe (PID: 3976)

    • Reads Microsoft Outlook installation path

      • CareScan.exe (PID: 1396)

    • Drops a file with too old compile date

      • iTopSetup.tmp (PID: 3696)
      • ISRSetup.tmp (PID: 2576)
      • ISS_Setup.tmp (PID: 3804)

    • Adds / modifies Windows certificates

      • atud.exe (PID: 1576)

    • Executed via Task Scheduler

      • AutoUpdate.exe (PID: 3028)
      • iScrInit.exe (PID: 1648)

  • INFO

    • Application launched itself

      • chrome.exe (PID: 1988)

    • Reads the hosts file

      • chrome.exe (PID: 1988)
      • chrome.exe (PID: 3700)

    • Creates files in the user directory

      • chrome.exe (PID: 1988)

    • Application was dropped or rewritten from another process

      • iobit-software-updater-setup.tmp (PID: 2464)
      • iobit-software-updater-setup.tmp (PID: 1012)
      • Setup.exe (PID: 984)
      • iobit-software-updater-setup.tmp (PID: 3192)
      • iTopSetup.tmp (PID: 3696)
      • ugin.exe (PID: 3432)
      • ISRSetup.tmp (PID: 2576)
      • iScrInit.exe (PID: 3552)
      • iScrInit.exe (PID: 1820)
      • iScrInit.exe (PID: 184)
      • ISS_Setup.tmp (PID: 3804)

    • Creates files in the program directory

      • Setup.exe (PID: 984)
      • iobit-software-updater-setup.tmp (PID: 3192)
      • iTopSetup.tmp (PID: 3696)
      • ISS_Setup.tmp (PID: 3804)
      • ISRSetup.tmp (PID: 2576)

    • Creates a software uninstall entry

      • iobit-software-updater-setup.tmp (PID: 3192)
      • iTopSetup.tmp (PID: 3696)
      • ISRSetup.tmp (PID: 2576)
      • ISS_Setup.tmp (PID: 3804)

    • Dropped object may contain Bitcoin addresses

      • iobit-software-updater-setup.tmp (PID: 3192)
      • SoftwareUpdater.exe (PID: 2892)
      • AutoUpdate.exe (PID: 3392)
      • ugin.exe (PID: 3020)
      • iTopSetup.tmp (PID: 3696)
      • ISRSetup.tmp (PID: 2576)
      • ISS_Setup.tmp (PID: 3804)

    • Loads dropped or rewritten executable

      • iTopSetup.tmp (PID: 3696)
      • ISRSetup.tmp (PID: 2576)
      • ISS_Setup.tmp (PID: 3804)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
199
Monitored processes
127
Malicious processes
21
Suspicious processes
15

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start inject download and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs iobit-software-updater-setup.exe iobit-software-updater-setup.tmp no specs iobit-software-updater-setup.exe iobit-software-updater-setup.tmp setup.exe iobit-software-updater-setup.exe iobit-software-updater-setup.tmp suinitrun.exe no specs taskkill.exe no specs taskkill.exe no specs locallang.exe no specs suinit.exe setup.exe no specs SPPSurrogate no specs iconpin32.exe no specs explorer.exe uninstallpromote.exe iobitdownloader.exe softwareupdater.exe cmd.exe no specs schtasks.exe no specs sufeature.exe no specs sufeature.exe carescan.exe autoupdate.exe itopsetup.exe itopsetup.tmp ugin.exe no specs taskkill.exe no specs ugin.exe no specs ugin.exe icop32.exe no specs ugin.exe no specs unpr.exe itopvpn.exe no specs itopvpn.exe ugin.exe no specs ugin.exe no specs atud.exe aud.exe aud.exe isrsetup.exe isrsetup.tmp itopvpnmini.exe no specs cmd.exe no specs ping.exe no specs cmd.exe no specs ping.exe no specs cmd.exe no specs ping.exe no specs cmd.exe no specs cmd.exe no specs itopverl.exe ping.exe no specs ping.exe no specs iscrinit.exe no specs iscrinit.exe no specs iscrinit.exe no specs cmd.exe no specs ping.exe no specs cmd.exe no specs cmd.exe no specs ping.exe no specs ping.exe no specs locallang.exe no specs iscrinit.exe no specs cmd.exe no specs cmd.exe no specs ping.exe no specs ping.exe no specs iscrinit.exe no specs iscrinit.exe no specs cmd.exe no specs cmd.exe no specs gpucheck.exe ping.exe no specs ping.exe no specs iscrinit.exe no specs cmd.exe no specs cmd.exe no specs ping.exe no specs ping.exe no specs uninstallinfo.exe iss_setup.exe iss_setup.tmp cmd.exe no specs cmd.exe no specs ping.exe no specs ping.exe no specs cmd.exe no specs ping.exe no specs locallang.exe no specs issinit.exe no specs issinit.exe no specs uninstallinfo.exe iscrrec.exe gpucheck.exe no specs cmd.exe no specs cmd.exe no specs schtasks.exe no specs get-graphics-offsets32.exe no specs schtasks.exe no specs autoupdate.exe iscrinit.exe no specs aupdate.exe iscrinit.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
116ping 45.148.136.136 /n 1C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ping.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
120"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=988,7183177122906949040,1990645197909653849,131072 --enable-features=PasswordImport --disable-gpu-sandbox --use-gl=disabled --gpu-preferences=KAAAAAAAAADgACAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=15461518474342210813 --mojo-platform-channel-handle=2996 /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
184"C:\Users\admin\AppData\Local\Temp\is-EO8RI.tmp\iScrInit.exe" /DeleteAllFile /Reinstall=1 /installdir="C:\Program Files\iFun\iFun Screen Recorder"C:\Users\admin\AppData\Local\Temp\is-EO8RI.tmp\iScrInit.exeISRSetup.tmp
User:
admin
Company:
IObit
Integrity Level:
HIGH
Description:
iFun Screen Recorderr Ini
Exit code:
0
Version:
1.0.0.174
Modules
Images
c:\users\admin\appdata\local\temp\is-eo8ri.tmp\iscrinit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
348"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=988,7183177122906949040,1990645197909653849,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=11446601443510757393 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
540"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=988,7183177122906949040,1990645197909653849,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=17427488588959281973 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3072 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
632cmd.exe /c ping 45.83.27.131 /n 1C:\Windows\system32\cmd.exeiTopVPN.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
656"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2000 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
756"C:\ProgramData\IObit\Software Updater\Download\isu4\iTopSetup.exe" /sp- /verysilent /suppressmsgboxes /NORESTART /insur=isu_inbC:\ProgramData\IObit\Software Updater\Download\isu4\iTopSetup.exe
IObitDownloader.exe
User:
admin
Company:
iTop Inc.
Integrity Level:
HIGH
Description:
iTop VPN
Exit code:
0
Version:
1.3.0.967
Modules
Images
c:\programdata\iobit\software updater\download\isu4\itopsetup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
956ping 45.148.136.124 /n 1C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ping.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
984"C:\Users\admin\AppData\Local\Temp\is-82IPP.tmp\Setup.exe" "C:\Users\admin\Downloads\iobit-software-updater-setup.exe"C:\Users\admin\AppData\Local\Temp\is-82IPP.tmp\Setup.exe
iobit-software-updater-setup.tmp
User:
admin
Company:
IObit
Integrity Level:
HIGH
Description:
IObit Software Updater
Exit code:
0
Version:
1.0.0.410
Modules
Images
c:\users\admin\appdata\local\temp\is-82ipp.tmp\setup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events
23 430
Read events
22 246
Write events
1 147
Delete events
37

Modification events

(PID) Process:(1988) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(1988) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(1988) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:writeName:StatusCodes
Value:
(PID) Process:(1988) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:writeName:StatusCodes
Value:
01000000
(PID) Process:(1988) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(1988) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:writeName:dr
Value:
1
(PID) Process:(1988) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome
Operation:writeName:UsageStatsInSample
Value:
0
(PID) Process:(1988) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation:delete valueName:3252-13245750958665039
Value:
0
(PID) Process:(1988) chrome.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:writeName:usagestats
Value:
0
(PID) Process:(1988) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation:delete valueName:1988-13267725253704000
Value:
259
Executable files
175
Suspicious files
199
Text files
595
Unknown types
27

Dropped files

PID
Process
Filename
Type
1988chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-60C0DAC6-7C4.pma
MD5:
SHA256:
1988chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\feb5eb7a-4fd2-494d-a694-5fad93bbc187.tmp
MD5:
SHA256:
1988chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000048.dbtmp
MD5:
SHA256:
1988chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.oldtext
MD5:
SHA256:
1988chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.oldtext
MD5:
SHA256:
1988chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RFf049a.TMPtext
MD5:
SHA256:
1988chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old~RFf04f8.TMPtext
MD5:
SHA256:
1988chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.old~RFf0537.TMPtext
MD5:
SHA256:
1988chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old
MD5:
SHA256:
1988chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old~RFf06fc.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
46
TCP/UDP connections
261
DNS requests
49
Threats
31

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3700
chrome.exe
GET
301
199.232.194.154:80
http://download.cnet.com/Advanced-SystemCare-Free/3000-2086_4-10407614.html?part=dl-&subj=dl&tag=button
US
whitelisted
1200
IObitDownloader.exe
GET
152.199.20.140:80
http://update.iobit.com/infofiles/su3/freeware-isu3.upt
US
whitelisted
3392
AutoUpdate.exe
GET
152.199.20.140:80
http://update.iobit.com/infofiles/su4/update.upt
US
whitelisted
984
Setup.exe
GET
152.199.20.140:80
http://update.iobit.com/infofiles/su4/update.upt
US
whitelisted
984
Setup.exe
GET
206
152.199.20.140:80
http://update.iobit.com/infofiles/su4/update.upt
US
text
1.13 Kb
whitelisted
2864
UninstallPromote.exe
GET
200
3.224.216.27:80
http://stats.iobit.com/install.php?operate=1&user=1&app=su4&ver=4.1.0.142&pr=iobit&system=61&type=1&lang=en-US&geo=1033&insur=other
US
text
19 b
suspicious
984
Setup.exe
GET
206
152.199.20.140:80
http://update.iobit.com/infofiles/su4/update.upt
US
text
1.13 Kb
whitelisted
1200
IObitDownloader.exe
GET
206
152.199.20.140:80
http://update.iobit.com/infofiles/su3/freeware-isu3.upt
US
text
1.69 Kb
whitelisted
984
Setup.exe
GET
206
152.199.20.140:80
http://update.iobit.com/infofiles/su4/update.upt
US
text
1.13 Kb
whitelisted
1200
IObitDownloader.exe
GET
206
152.199.20.140:80
http://update.iobit.com/infofiles/su3/freeware-isu3.upt
US
binary
1.69 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3700
chrome.exe
142.250.185.138:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted
3700
chrome.exe
142.250.186.68:443
www.google.com
Google Inc.
US
whitelisted
3700
chrome.exe
172.217.18.99:443
www.google.com.ua
Google Inc.
US
whitelisted
3700
chrome.exe
142.250.185.234:443
fonts.googleapis.com
Google Inc.
US
whitelisted
3700
chrome.exe
142.250.185.131:443
www.gstatic.com
Google Inc.
US
whitelisted
3700
chrome.exe
172.217.18.110:443
apis.google.com
Google Inc.
US
whitelisted
3700
chrome.exe
142.250.184.195:443
fonts.gstatic.com
Google Inc.
US
whitelisted
3700
chrome.exe
216.58.212.174:443
ogs.google.com.ua
Google Inc.
US
whitelisted
3700
chrome.exe
172.217.16.131:443
id.google.com.ua
Google Inc.
US
whitelisted
3700
chrome.exe
142.250.201.206:443
clients1.google.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
www.iobit.com
  • 152.195.53.24
whitelisted
accounts.google.com
  • 172.217.20.13
shared
iobit-software-updater.en.softonic.com
  • 35.227.233.104
malicious
safebrowsing.googleapis.com
  • 142.250.185.138
whitelisted
www.google.com
  • 142.250.186.68
malicious
www.google.com.ua
  • 172.217.18.99
whitelisted
fonts.googleapis.com
  • 142.250.185.234
whitelisted
www.gstatic.com
  • 142.250.185.131
whitelisted
fonts.gstatic.com
  • 172.217.18.99
  • 142.250.184.195
whitelisted
ssl.gstatic.com
  • 142.250.184.195
whitelisted

Threats

PID
Process
Class
Message
984
Setup.exe
Potentially Bad Traffic
ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
984
Setup.exe
Potentially Bad Traffic
ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
984
Setup.exe
Potentially Bad Traffic
ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
984
Setup.exe
Potentially Bad Traffic
ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
984
Setup.exe
Potentially Bad Traffic
ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
984
Setup.exe
Potentially Bad Traffic
ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1200
IObitDownloader.exe
Potentially Bad Traffic
ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1200
IObitDownloader.exe
Potentially Bad Traffic
ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1200
IObitDownloader.exe
Potentially Bad Traffic
ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
3392
AutoUpdate.exe
Potentially Bad Traffic
ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://www.iobit.com/downloadcenter.php?product=software-updater