Malware analysis 9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785 Malicious activity

Add for printing

File name:	9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785
Full analysis:	https://app.any.run/tasks/e5600f51-cb5d-4e2b-b30c-2fc990fe88b8
Verdict:	Malicious activity
Analysis date:	October 30, 2023, 08:29:52
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	evasion
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	87DCFCAEAE896A3268509C61711D0267
SHA1:	773A476992EA0C4B2E6DFEC231C30FFE6B14BA92
SHA256:	19F64A283D0437166EA8FBBF8AF32DF1323DAE92E2F91FEF6009DCD6677933B7
SSDEEP:	98304:WwLes1QpJI8aWss8awiuJbe9a/bEWix+MlFzIDwvCL1uiJsKikP4YQnqJzZ3bnYF:TyHXPToPlCIWiq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.5.2 (4.5.51209)
Microsoft .NET Framework 4.5.2 (4.5.51209)
Microsoft .NET Framework 4.5.2 (4.5.51209)
Microsoft .NET Framework 4.5.2 (4.5.51209)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.100 (8.100)
Skype version 8.100 (8.100)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - 9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.exe (PID: 2472)
  - 9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.exe (PID: 960)
  - ugin.exe (PID: 2616)
  - 9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.tmp (PID: 604)
  - atud.exe (PID: 3156)
  - iTopPatch-3.4-0520.exe (PID: 3076)
  - iTopPatch-3.4-0520.tmp (PID: 3056)
  - ugin.exe (PID: 3644)
  - atud.exe (PID: 2280)
- Loads dropped or rewritten executable
  - 9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.tmp (PID: 604)
  - unpr.exe (PID: 4028)
  - atud.exe (PID: 3156)
  - aud.exe (PID: 2632)
  - aud.exe (PID: 2808)
  - iTopVPN.exe (PID: 3424)
  - unpr.exe (PID: 3828)
  - iTopPatch-3.4-0520.tmp (PID: 3056)
  - iTopVPN.exe (PID: 2380)
  - unpr.exe (PID: 3436)
  - iTopVPN.exe (PID: 3640)
  - iTopVPNMini.exe (PID: 3372)
  - iTopVPN.exe (PID: 3656)
  - aud.exe (PID: 2740)
  - atud.exe (PID: 2280)
  - aud.exe (PID: 852)
- Application was dropped or rewritten from another process
  - ugin.exe (PID: 4068)
  - ugin.exe (PID: 2616)
  - icop32.exe (PID: 2488)
  - ugin.exe (PID: 3508)
  - iTopVPN.exe (PID: 2936)
  - unpr.exe (PID: 4028)
  - iTopVPN.exe (PID: 3424)
  - ugin.exe (PID: 3276)
  - ugin.exe (PID: 2392)
  - atud.exe (PID: 3156)
  - aud.exe (PID: 2808)
  - aud.exe (PID: 2632)
  - iTopPatch-3.4-0520.exe (PID: 3076)
  - unpr.exe (PID: 3828)
  - iTopVPN.exe (PID: 2380)
  - ugin.exe (PID: 3644)
  - ugin.exe (PID: 2828)
  - ullc.exe (PID: 2924)
  - icop32.exe (PID: 1992)
  - unpr.exe (PID: 3436)
  - iTopVPN.exe (PID: 3640)
  - ugin.exe (PID: 1052)
  - iTopVPNMini.exe (PID: 3372)
  - ugin.exe (PID: 1228)
  - iTopVPN.exe (PID: 3656)
  - aud.exe (PID: 2740)
  - aud.exe (PID: 1836)
  - atud.exe (PID: 2280)
  - itophalwp23.exe (PID: 3716)
  - aud.exe (PID: 852)
- Application was injected by another process
  - explorer.exe (PID: 1400)
- Runs injected code in another process
  - icop32.exe (PID: 2488)
- Steals credentials from Web Browsers
  - iTopVPN.exe (PID: 3640)
- Actions looks like stealing of personal data
  - iTopVPN.exe (PID: 3640)
SUSPICIOUS
- Reads the Windows owner or organization settings
  - 9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.tmp (PID: 604)
  - iTopPatch-3.4-0520.tmp (PID: 3056)
- Process drops legitimate windows executable
  - 9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.tmp (PID: 604)
  - iTopPatch-3.4-0520.tmp (PID: 3056)
- Reads the Internet Settings
  - 9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.tmp (PID: 604)
  - ugin.exe (PID: 2616)
  - iTopVPN.exe (PID: 3424)
  - atud.exe (PID: 3156)
  - iTopPatch-3.4-0520.tmp (PID: 3056)
  - ugin.exe (PID: 3644)
  - iTopVPN.exe (PID: 3640)
  - ugin.exe (PID: 1052)
  - atud.exe (PID: 2280)
- Uses TASKKILL.EXE to kill process
  - 9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.tmp (PID: 604)
  - iTopPatch-3.4-0520.tmp (PID: 3056)
- Drops a system driver (possible attempt to evade defenses)
  - 9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.tmp (PID: 604)
  - ugin.exe (PID: 2616)
  - ugin.exe (PID: 3644)
- Searches for installed software
  - iTopPatch-3.4-0520.tmp (PID: 3056)
  - iTopVPN.exe (PID: 3640)
  - itophalwp23.exe (PID: 3716)
- Process drops SQLite DLL files
  - iTopPatch-3.4-0520.tmp (PID: 3056)
- Starts CMD.EXE for commands execution
  - ugin.exe (PID: 3644)
  - iTopVPN.exe (PID: 3640)
- Starts SC.EXE for service management
  - cmd.exe (PID: 3792)
  - cmd.exe (PID: 1836)
  - cmd.exe (PID: 3284)
- Process uses IPCONFIG to clear DNS cache
  - cmd.exe (PID: 3552)
  - cmd.exe (PID: 2996)
  - cmd.exe (PID: 1852)
  - cmd.exe (PID: 3148)
  - cmd.exe (PID: 2668)
- The process verifies whether the antivirus software is installed
  - iTopVPN.exe (PID: 3640)
- Checks for external IP
  - itophalwp23.exe (PID: 3716)
- Connects to unusual port
  - iTopVPN.exe (PID: 3640)
INFO
- Create files in a temporary directory
  - 9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.exe (PID: 2472)
  - 9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.exe (PID: 960)
  - 9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.tmp (PID: 604)
  - icop32.exe (PID: 2488)
  - explorer.exe (PID: 1400)
  - iTopPatch-3.4-0520.exe (PID: 3076)
  - iTopPatch-3.4-0520.tmp (PID: 3056)
  - SecEdit.exe (PID: 2608)
  - SecEdit.exe (PID: 1368)
  - iTopVPN.exe (PID: 3640)
- Checks supported languages
  - 9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.exe (PID: 2472)
  - 9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.tmp (PID: 1556)
  - 9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.exe (PID: 960)
  - 9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.tmp (PID: 604)
  - ugin.exe (PID: 3760)
  - ugin.exe (PID: 4068)
  - ugin.exe (PID: 2616)
  - ugin.exe (PID: 3508)
  - icop32.exe (PID: 2488)
  - unpr.exe (PID: 4028)
  - iTopVPN.exe (PID: 2936)
  - ugin.exe (PID: 3276)
  - ugin.exe (PID: 2392)
  - aud.exe (PID: 2808)
  - atud.exe (PID: 3156)
  - aud.exe (PID: 2632)
  - iTopVPN.exe (PID: 3424)
  - iTopPatch-3.4-0520.exe (PID: 3076)
  - iTopPatch-3.4-0520.tmp (PID: 3056)
  - unpr.exe (PID: 3828)
  - ugin.exe (PID: 3644)
  - ugin.exe (PID: 604)
  - ugin.exe (PID: 2828)
  - iTopVPN.exe (PID: 2380)
  - icop32.exe (PID: 1992)
  - ullc.exe (PID: 2924)
  - unpr.exe (PID: 3436)
  - ugin.exe (PID: 1052)
  - iTopVPNMini.exe (PID: 3372)
  - iTopVPN.exe (PID: 3640)
  - ugin.exe (PID: 1228)
  - iTopVPN.exe (PID: 3656)
  - atud.exe (PID: 2280)
  - aud.exe (PID: 2740)
  - aud.exe (PID: 1836)
  - aud.exe (PID: 852)
  - wmpnscfg.exe (PID: 1840)
  - itophalwp23.exe (PID: 3716)
  - wmpnscfg.exe (PID: 2796)
- Reads the computer name
  - 9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.tmp (PID: 1556)
  - 9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.tmp (PID: 604)
  - ugin.exe (PID: 3760)
  - ugin.exe (PID: 4068)
  - ugin.exe (PID: 2616)
  - unpr.exe (PID: 4028)
  - iTopVPN.exe (PID: 2936)
  - ugin.exe (PID: 3508)
  - ugin.exe (PID: 3276)
  - iTopVPN.exe (PID: 3424)
  - ugin.exe (PID: 2392)
  - aud.exe (PID: 2808)
  - atud.exe (PID: 3156)
  - aud.exe (PID: 2632)
  - iTopPatch-3.4-0520.tmp (PID: 3056)
  - unpr.exe (PID: 3828)
  - ugin.exe (PID: 3644)
  - iTopVPN.exe (PID: 2380)
  - ugin.exe (PID: 604)
  - ugin.exe (PID: 2828)
  - unpr.exe (PID: 3436)
  - iTopVPN.exe (PID: 3640)
  - ugin.exe (PID: 1228)
  - ugin.exe (PID: 1052)
  - iTopVPN.exe (PID: 3656)
  - aud.exe (PID: 2740)
  - iTopVPNMini.exe (PID: 3372)
  - aud.exe (PID: 1836)
  - atud.exe (PID: 2280)
  - aud.exe (PID: 852)
  - itophalwp23.exe (PID: 3716)
  - wmpnscfg.exe (PID: 1840)
  - wmpnscfg.exe (PID: 2796)
- Application was dropped or rewritten from another process
  - 9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.tmp (PID: 1556)
  - 9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.tmp (PID: 604)
  - ugin.exe (PID: 3760)
  - iTopPatch-3.4-0520.tmp (PID: 3056)
  - ugin.exe (PID: 604)
- Creates files in the program directory
  - 9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.tmp (PID: 604)
  - ugin.exe (PID: 2616)
  - unpr.exe (PID: 4028)
  - ugin.exe (PID: 3276)
  - iTopVPN.exe (PID: 3424)
  - atud.exe (PID: 3156)
  - aud.exe (PID: 2632)
  - iTopPatch-3.4-0520.tmp (PID: 3056)
  - ugin.exe (PID: 3644)
  - iTopVPN.exe (PID: 3640)
  - iTopVPNMini.exe (PID: 3372)
  - atud.exe (PID: 2280)
  - itophalwp23.exe (PID: 3716)
- Reads the machine GUID from the registry
  - unpr.exe (PID: 4028)
  - icop32.exe (PID: 2488)
  - iTopVPN.exe (PID: 3424)
  - aud.exe (PID: 2632)
  - aud.exe (PID: 2808)
  - atud.exe (PID: 3156)
  - unpr.exe (PID: 3828)
  - icop32.exe (PID: 1992)
  - iTopVPN.exe (PID: 2380)
  - unpr.exe (PID: 3436)
  - iTopVPN.exe (PID: 3640)
  - iTopVPNMini.exe (PID: 3372)
  - aud.exe (PID: 2740)
  - atud.exe (PID: 2280)
  - aud.exe (PID: 852)
  - wmpnscfg.exe (PID: 2796)
  - wmpnscfg.exe (PID: 1840)
- Creates files or folders in the user directory
  - explorer.exe (PID: 1400)
  - 9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.tmp (PID: 604)
  - iTopVPN.exe (PID: 3424)
  - ugin.exe (PID: 604)
  - iTopPatch-3.4-0520.tmp (PID: 3056)
  - iTopVPN.exe (PID: 2380)
  - iTopVPN.exe (PID: 3640)
  - atud.exe (PID: 2280)
- Application launched itself
  - msedge.exe (PID: 3928)
  - msedge.exe (PID: 3292)
  - msedge.exe (PID: 2600)
  - iexplore.exe (PID: 2264)
  - chrome.exe (PID: 3312)
- Manual execution by a user
  - msedge.exe (PID: 3292)
  - iexplore.exe (PID: 2264)
  - wmpnscfg.exe (PID: 1840)
  - wmpnscfg.exe (PID: 2796)
  - chrome.exe (PID: 3312)
- Checks proxy server information
  - iTopVPN.exe (PID: 3640)
- Drops the executable file immediately after the start
  - msedge.exe (PID: 3292)
- Process checks are UAC notifies on
  - iTopVPN.exe (PID: 3640)
- Process checks Internet Explorer phishing filters
  - iTopVPN.exe (PID: 3640)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable Delphi generic (57.2)
.exe	\|	Win32 Executable (generic) (18.2)
.exe	\|	Win16/32 Executable Delphi generic (8.3)
.exe	\|	Generic Win/DOS Executable (8)
.exe	\|	DOS Executable Generic (8)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2013:10:13 10:19:32+02:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	65024
InitializedDataSize:	138752
UninitializedDataSize:	-
EntryPoint:	0x113bc
OSVersion:	5
ImageVersion:	6
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	1.0.1.523
ProductVersionNumber:	1.0.1.523
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	This installation was built with Inno Setup.
CompanyName:	iTop Inc.
FileDescription:	iTop VPN
FileVersion:	1.0.1.523
LegalCopyright:	© iTop Inc. All rights reserved.
ProductName:	iTop VPN
ProductVersion:	1.0.1.523

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

183

Monitored processes

118

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

520

"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1456 --field-trial-handle=1332,i,10849068136645475844,7543115056569291174,131072 /prefetch:3

C:\Program Files\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Edge

Exit code:

Version:

109.0.1518.115

Modules

Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

560

ping 111.90.143.72 /n 1

C:\Windows\System32\PING.EXE

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

TCP/IP Ping Command

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\ping.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll

604

"C:\Users\admin\AppData\Local\Temp\is-1TGAD.tmp\9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.tmp" /SL5="$140220,8301037,204800,C:\Users\admin\Downloads\9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.exe" /SPAWNWND=$150216 /NOTIFYWND=$110168

C:\Users\admin\AppData\Local\Temp\is-1TGAD.tmp\9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.tmp

—

9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.exe

User:

admin

Integrity Level:

HIGH

Description:

Setup/Uninstall

Exit code:

Version:

51.1052.0.0

Modules

Images
c:\users\admin\appdata\local\temp\is-1tgad.tmp\9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.tmp
c:\windows\system32\kernel32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll

604

"C:\Users\admin\AppData\Local\Temp\is-51TF3.tmp\ugin.exe" /kill /UPGRADE

C:\Users\admin\AppData\Local\Temp\is-51TF3.tmp\ugin.exe

—

iTopPatch-3.4-0520.tmp

User:

admin

Company:

iTop Inc.

Integrity Level:

HIGH

Description:

iTop VPN

Exit code:

Version:

3.4.0.442

Modules

Images
c:\users\admin\appdata\local\temp\is-51tf3.tmp\ugin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

852

"C:\Program Files\iTop VPN\aud.exe" /itop /dayuser

C:\Program Files\iTop VPN\aud.exe

iTopVPN.exe

User:

admin

Company:

iTop Inc.

Integrity Level:

HIGH

Description:

iTop VPN

Exit code:

Version:

3.0.0.2400

Modules

Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

916

cmd.exe /c ping 172.105.255.229 /n 1

C:\Windows\System32\cmd.exe

—

iTopVPN.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\usp10.dll

960

"C:\Users\admin\Downloads\9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.exe" /SPAWNWND=$150216 /NOTIFYWND=$110168

C:\Users\admin\Downloads\9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.exe

9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.tmp

User:

admin

Company:

iTop Inc.

Integrity Level:

HIGH

Description:

iTop VPN

Exit code:

Version:

1.0.1.523

Modules

Images
c:\users\admin\downloads\9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll

1024

ping 5.180.77.220 /n 1

C:\Windows\System32\PING.EXE

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

TCP/IP Ping Command

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\ping.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll

1040

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2120 --field-trial-handle=1156,i,9958866487237555047,13170576781540431369,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

1044

"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3540 --field-trial-handle=1296,i,16093151201601747203,9621239227502998993,131072 /prefetch:8

C:\Program Files\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

109.0.1518.115

Modules

Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

39 787

Read events

39 371

Write events

382

Delete events

Modification events


(PID) Process:	(1400) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:	write	Name:	CheckSetting
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB01000000F6D6788197A75D498472ACE88906AC8D0000000002000000000010660000000100002000000048832D3FD0459F35F292D4F0571B992C6EB9F500D4ED7BC3B99927FC5331D217000000000E80000000020000200000003EFBFF3AEC091353AF9E58D48DF2D06E9D1BDED94E4937159293C20E513DDF0F3000000087034FE3522EDDAC6E83C331CAE7E3CB92B187260C4DAD8D1C31F9039AB30BE9E56E6C6EE2A54DD7C0FCB3257D6FF55F4000000040B806FFF8B32ABD66EABA7F35A86503B0F300E1B9A976FC4B3F6328F133A31ACB461ADFC86BE84974CB3AD9119C225504F24589D1CDC1655DA54BABE9CEF265
(PID) Process:	(604) 9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.tmp	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(604) 9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.tmp	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(604) 9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.tmp	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(604) 9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.tmp	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(1400) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(1400) explorer.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2616) ugin.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2616) ugin.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2616) ugin.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1

Add for printing

Executable files

121

Suspicious files

243

Text files

292

Unknown types

Dropped files

PID	Process	Filename		Type
960	9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.exe	C:\Users\admin\AppData\Local\Temp\is-1TGAD.tmp\9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.tmp		executable
		MD5:755C10F113E9F1C0502247EC315B71EE	SHA256:EA6EAE4FCCD328E44C0460116921D5C18B9060CA2C1633C2644E86CB95B966D3
604	9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.tmp	C:\Users\admin\AppData\Local\Temp\is-VFUSG.tmp\RdZone.dll		executable
		MD5:B8BC31BFD10B0548546B27D9A8B5CFB2	SHA256:F86B2656471CAE0C9221EF2FC950FE9C6B955E7063C50726B404F68CCF85DB4D
604	9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.tmp	C:\Users\admin\AppData\Local\Temp\is-VFUSG.tmp\_isetup\_shfoldr.dll		executable
		MD5:92DC6EF532FBB4A5C3201469A5B5EB63	SHA256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
604	9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.tmp	C:\Program Files\iTop VPN\unins000.exe		executable
		MD5:755C10F113E9F1C0502247EC315B71EE	SHA256:EA6EAE4FCCD328E44C0460116921D5C18B9060CA2C1633C2644E86CB95B966D3
604	9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.tmp	C:\Program Files\iTop VPN\iTopVPN.exe		executable
		MD5:AA66838F7248162777D9F66FF599DB39	SHA256:DBD5AE6690256D3E6E06970AA5408B6113D94CF7F20479C9D4AD90CA821B95F6
604	9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.tmp	C:\Program Files\iTop VPN\libssl-1_1.dll		executable
		MD5:2E13693945236594078A2E7C4FD029BE	SHA256:E9CEDB410DF5A475A08B2F17EC5EA5615D02FF4F1A1E045F53053A73DA9A2474
604	9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.tmp	C:\Program Files\iTop VPN\is-JDQB4.tmp		executable
		MD5:755C10F113E9F1C0502247EC315B71EE	SHA256:EA6EAE4FCCD328E44C0460116921D5C18B9060CA2C1633C2644E86CB95B966D3
604	9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.tmp	C:\Program Files\iTop VPN\fsocks.dll		executable
		MD5:856A0F1E6C41751C7030729CFD21AC3B	SHA256:41DF9D12CA6D962F44B174FF713B39DCF1A37AC89587E21E07E729022A4A90DC
604	9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.tmp	C:\Program Files\iTop VPN\ugin.exe		executable
		MD5:D865C97A33D657371C5A3EBB82BC2218	SHA256:235ECA218D3ECDCE6083ACDD59C9C7AA663B04F495D85700C9FC05EF64B4BBFC
604	9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785.tmp	C:\Program Files\iTop VPN\is-OFVFJ.tmp		executable
		MD5:D865C97A33D657371C5A3EBB82BC2218	SHA256:235ECA218D3ECDCE6083ACDD59C9C7AA663B04F495D85700C9FC05EF64B4BBFC

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

524

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3716	itophalwp23.exe	GET	200	34.117.59.81:80	http://ipinfo.io/	unknown	binary	254 b	unknown
2264	iexplore.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D	unknown	binary	471 b	unknown
2264	iexplore.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	binary	471 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1088	svchost.exe	224.0.0.252:5355	—	—	—	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	239.255.255.250:1900	—	—	—	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
4028	unpr.exe	34.201.182.119:443	stats.itopvpn.com	AMAZON-AES	US	unknown
3424	iTopVPN.exe	152.199.23.214:443	update.itopvpn.com	EDGECAST	US	unknown
2632	aud.exe	34.201.182.119:443	stats.itopvpn.com	AMAZON-AES	US	unknown
2808	aud.exe	34.201.182.119:443	stats.itopvpn.com	AMAZON-AES	US	unknown
3424	iTopVPN.exe	76.223.44.67:443	api.itopvpn.com	AMAZON-02	US	unknown
3156	atud.exe	152.199.23.214:443	update.itopvpn.com	EDGECAST	US	unknown

DNS requests

Domain	IP	Reputation
stats.itopvpn.com	34.201.182.119 54.164.131.172	unknown
update.itopvpn.com	152.199.23.214	unknown
api.itopvpn.com	76.223.44.67 13.248.190.80	unknown
config.edge.skype.com	13.107.42.16	whitelisted
nav-edge.smartscreen.microsoft.com	20.31.251.109	whitelisted
goto.itopvpn.com	54.235.204.43 44.217.43.213	unknown
edge.microsoft.com	204.79.197.239 13.107.21.239	whitelisted
data-edge.smartscreen.microsoft.com	20.103.180.120	whitelisted
www.itopvpn.com	34.231.235.17 54.204.128.205	unknown
fonts.googleapis.com	142.250.184.202	whitelisted

Threats

PID	Process	Class	Message
3716	itophalwp23.exe	Potentially Bad Traffic	ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
3716	itophalwp23.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ipinfo.io
4	System	Generic Protocol Command Decode	SURICATA UDPv4 invalid checksum
3292	msedge.exe	Generic Protocol Command Decode	SURICATA UDPv4 invalid checksum
3292	msedge.exe	Generic Protocol Command Decode	SURICATA UDPv4 invalid checksum

Add for printing

Process	Message
unpr.exe	Win32MinorVersion: 1
unpr.exe	[unpr.exe]: Lanague: en-US
unpr.exe	[unpr.exe]: Result Language: en-US
unpr.exe	[unpr.exe]: TfrmUnistallPromote.WebNavigateMSG 1
unpr.exe	[unpr.exe]: LangID: 1033
explorer.exe	vItemVerbs.Item(i)Add &to "iTopVPN.rar"
explorer.exe	vItemVerbs.Item(i)Run as &administrator
explorer.exe	vItemVerbs.Item(i)Compress and email...
explorer.exe	vItemVerbs.Item(i)Share with Skype
explorer.exe	vItemVerbs.Item(i)Edit with &Notepad++

General Info

9adbff74059387c54963afcc93a158783a434ef3445fbcfb6198c6f9edbbe785

87DCFCAEAE896A3268509C61711D0267

773A476992EA0C4B2E6DFEC231C30FFE6B14BA92

19F64A283D0437166EA8FBBF8AF32DF1323DAE92E2F91FEF6009DCD6677933B7

98304:WwLes1QpJI8aWss8awiuJbe9a/bEWix+MlFzIDwvCL1uiJsKikP4YQnqJzZ3bnYF:TyHXPToPlCIWiq

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Loads dropped or rewritten executable

Application was dropped or rewritten from another process

Application was injected by another process

Runs injected code in another process

Steals credentials from Web Browsers

Actions looks like stealing of personal data

SUSPICIOUS

Reads the Windows owner or organization settings

Process drops legitimate windows executable

Reads the Internet Settings

Uses TASKKILL.EXE to kill process

Drops a system driver (possible attempt to evade defenses)

Searches for installed software

Process drops SQLite DLL files

Starts CMD.EXE for commands execution

Starts SC.EXE for service management

Process uses IPCONFIG to clear DNS cache

The process verifies whether the antivirus software is installed

Checks for external IP

Connects to unusual port

INFO

Create files in a temporary directory

Checks supported languages

Reads the computer name

Application was dropped or rewritten from another process

Creates files in the program directory

Reads the machine GUID from the registry

Creates files or folders in the user directory

Application launched itself

Manual execution by a user

Checks proxy server information

Drops the executable file immediately after the start

Process checks are UAC notifies on

Process checks Internet Explorer phishing filters

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files