URL: update.downloaditop.com/dl/action-center/iTopF540-20240322.exe

Full analysis: https://app.any.run/tasks/b5c3b759-aadf-4c1c-9d92-dc764e720865
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: April 05, 2024, 14:39:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader, evasion
Indicators:
MD5: 171C7696D23BD6937954C6DE6809FFC0
SHA1: 28AC93115A2B436B31B79E4DF1D3F628FB04F434
SHA256: 274063EFE7FBBEE1959160C41F19A726954A631A6096F7A80A5033A96F8BADEE
SSDEEP: 3:AClEKRRKgK/uxLbKGR2V9Cn:AClEyKmFRy9Cn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • iTopF540-20240322.exe (PID: 3324)
      • iTopF540-20240322.exe (PID: 2072)
      • iTopF540-20240322.tmp (PID: 2060)
      • iTopF540-20240322.exe (PID: 3556)
      • ugin.exe (PID: 268)
      • iTopF540-20240322.tmp (PID: 448)
      • iTopDownloader.exe (PID: 3968)
      • iTopDataRecovery.exe (PID: 2644)
      • iTopDataRecovery.tmp (PID: 2904)
      • atud.exe (PID: 2924)
      • Autoupdate.exe (PID: 764)
    • Application was injected by another process

      • explorer.exe (PID: 1164)
    • Runs injected code in another process

      • icop32.exe (PID: 1732)
      • ICONPIN32.exe (PID: 2940)
    • Steals credentials from Web Browsers

      • iTopVPN.exe (PID: 3832)
    • Actions looks like stealing of personal data

      • iTopVPN.exe (PID: 3832)
  • SUSPICIOUS

    • Checks for external IP

      • ugin.exe (PID: 1900)
      • Setup.exe (PID: 2320)
      • unpr.exe (PID: 2764)
      • UninstallInfo.exe (PID: 3284)
    • Reads the Internet Settings

      • iTopF540-20240322.tmp (PID: 2060)
      • iTopF540-20240322.tmp (PID: 448)
      • ugin.exe (PID: 268)
      • Setup.exe (PID: 2320)
      • iTopVPN.exe (PID: 3832)
      • iTopDataRecovery.tmp (PID: 2904)
      • iTopDownloader.exe (PID: 3968)
      • IdrInit.exe (PID: 2332)
      • iTopDataRecovery.exe (PID: 128)
      • atud.exe (PID: 2924)
      • Autoupdate.exe (PID: 764)
    • Reads security settings of Internet Explorer

      • iTopF540-20240322.tmp (PID: 2060)
      • iTopF540-20240322.tmp (PID: 448)
      • ugin.exe (PID: 268)
      • Setup.exe (PID: 2320)
      • iTopVPN.exe (PID: 3832)
      • iTopDownloader.exe (PID: 3968)
      • iTopDataRecovery.tmp (PID: 2904)
      • IdrInit.exe (PID: 2332)
      • iTopDataRecovery.exe (PID: 128)
      • atud.exe (PID: 2924)
      • Autoupdate.exe (PID: 764)
    • Process drops legitimate windows executable

      • iTopF540-20240322.tmp (PID: 2060)
      • iTopF540-20240322.tmp (PID: 448)
      • iTopDataRecovery.tmp (PID: 2904)
    • Reads the Windows owner or organization settings

      • iTopF540-20240322.tmp (PID: 2060)
      • iTopF540-20240322.tmp (PID: 448)
      • iTopDataRecovery.tmp (PID: 2904)
    • Process drops SQLite DLL files

      • iTopF540-20240322.tmp (PID: 448)
      • iTopDataRecovery.tmp (PID: 2904)
    • Starts CMD.EXE for commands execution

      • ugin.exe (PID: 268)
      • iTopVPN.exe (PID: 3832)
      • iTopDataRecovery.tmp (PID: 2904)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 572)
      • cmd.exe (PID: 3988)
      • cmd.exe (PID: 2268)
      • cmd.exe (PID: 3912)
      • cmd.exe (PID: 1808)
      • cmd.exe (PID: 3392)
      • cmd.exe (PID: 3672)
      • cmd.exe (PID: 2972)
      • cmd.exe (PID: 1656)
      • cmd.exe (PID: 2532)
      • cmd.exe (PID: 3224)
      • cmd.exe (PID: 3124)
    • Uses TASKKILL.EXE to kill process

      • iTopF540-20240322.tmp (PID: 448)
    • Application launched itself

      • ugin.exe (PID: 268)
    • Non-standard symbols in registry

      • explorer.exe (PID: 1164)
      • iTopVPN.exe (PID: 3832)
    • Process uses IPCONFIG to clear DNS cache

      • cmd.exe (PID: 2328)
    • Searches for installed software

      • iTopVPN.exe (PID: 3832)
      • onlinesr_en.exe (PID: 2740)
      • itopeasterp24.exe (PID: 1504)
    • Process requests binary or script from the Internet

      • iTopDownloader.exe (PID: 3968)
      • Autoupdate.exe (PID: 764)
    • The process verifies whether the antivirus software is installed

      • iTopVPN.exe (PID: 3832)
    • Connects to unusual port

      • iTopVPN.exe (PID: 3832)
    • Executes as Windows Service

      • IDRService.exe (PID: 2004)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2648)
    • Checks supported languages

      • iTopF540-20240322.exe (PID: 2072)
      • iTopF540-20240322.tmp (PID: 2156)
      • iTopF540-20240322.exe (PID: 3324)
      • Setup.exe (PID: 2320)
      • iTopF540-20240322.tmp (PID: 2060)
      • ugin.exe (PID: 1900)
      • iTopF540-20240322.tmp (PID: 448)
      • ugin.exe (PID: 296)
      • iTopF540-20240322.exe (PID: 3556)
      • ugin.exe (PID: 2516)
      • ugin.exe (PID: 3336)
      • ullc.exe (PID: 2024)
      • ugin.exe (PID: 268)
      • iTopVPN.exe (PID: 1392)
      • icop32.exe (PID: 1732)
      • ugin.exe (PID: 3084)
      • ugin.exe (PID: 2768)
      • unpr.exe (PID: 2764)
      • iTopDownloader.exe (PID: 3968)
      • iTopVPN.exe (PID: 3832)
      • iTopVPN.exe (PID: 3880)
      • ugin.exe (PID: 3596)
      • atud.exe (PID: 2924)
      • aud.exe (PID: 3876)
      • aud.exe (PID: 3872)
      • iTopVPNMini.exe (PID: 3164)
      • iTopDataRecovery.exe (PID: 2644)
      • iTopDataRecovery.tmp (PID: 2904)
      • IdrInit.exe (PID: 2332)
      • iTopInsur.exe (PID: 3980)
      • LocalLang.exe (PID: 3420)
      • iTopInsur.exe (PID: 3948)
      • UninstallInfo.exe (PID: 3284)
      • ICONPIN32.exe (PID: 2940)
      • IDRService.exe (PID: 2004)
      • AUpdate.exe (PID: 3152)
      • iTopDataRecovery.exe (PID: 128)
      • Autoupdate.exe (PID: 764)
      • AUpdate.exe (PID: 3100)
      • onlinesr_en.exe (PID: 2740)
      • itopeasterp24.exe (PID: 1504)
      • Newfts.exe (PID: 3988)
      • onlinesr_en.exe (PID: 3180)
      • itopeasterp24.exe (PID: 3084)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 1164)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 2648)
    • The process uses the downloaded file

      • iexplore.exe (PID: 2648)
    • Reads the computer name

      • iTopF540-20240322.tmp (PID: 2156)
      • ugin.exe (PID: 1900)
      • Setup.exe (PID: 2320)
      • iTopF540-20240322.tmp (PID: 2060)
      • iTopF540-20240322.tmp (PID: 448)
      • ugin.exe (PID: 296)
      • ugin.exe (PID: 2516)
      • ugin.exe (PID: 268)
      • ugin.exe (PID: 3336)
      • iTopVPN.exe (PID: 1392)
      • ugin.exe (PID: 2768)
      • ugin.exe (PID: 3084)
      • ugin.exe (PID: 3596)
      • iTopDownloader.exe (PID: 3968)
      • iTopVPN.exe (PID: 3880)
      • unpr.exe (PID: 2764)
      • iTopVPN.exe (PID: 3832)
      • aud.exe (PID: 3872)
      • atud.exe (PID: 2924)
      • aud.exe (PID: 3876)
      • iTopVPNMini.exe (PID: 3164)
      • iTopDataRecovery.tmp (PID: 2904)
      • IdrInit.exe (PID: 2332)
      • iTopInsur.exe (PID: 3980)
      • iTopInsur.exe (PID: 3948)
      • UninstallInfo.exe (PID: 3284)
      • AUpdate.exe (PID: 3100)
      • AUpdate.exe (PID: 3152)
      • IDRService.exe (PID: 2004)
      • iTopDataRecovery.exe (PID: 128)
      • Autoupdate.exe (PID: 764)
      • Newfts.exe (PID: 3988)
      • onlinesr_en.exe (PID: 2740)
      • itopeasterp24.exe (PID: 1504)
      • itopeasterp24.exe (PID: 3084)
      • onlinesr_en.exe (PID: 3180)
    • Create files in a temporary directory

      • iTopF540-20240322.exe (PID: 2072)
      • iTopF540-20240322.exe (PID: 3324)
      • iTopF540-20240322.tmp (PID: 2060)
      • iTopF540-20240322.exe (PID: 3556)
      • iTopF540-20240322.tmp (PID: 448)
      • Setup.exe (PID: 2320)
      • explorer.exe (PID: 1164)
      • icop32.exe (PID: 1732)
      • iTopDataRecovery.exe (PID: 2644)
      • iTopDataRecovery.tmp (PID: 2904)
      • SecEdit.exe (PID: 748)
      • iTopVPN.exe (PID: 3832)
      • SecEdit.exe (PID: 2240)
      • ICONPIN32.exe (PID: 2940)
    • Drops the executable file immediately after the start

      • iexplore.exe (PID: 4004)
    • Creates files in the program directory

      • ugin.exe (PID: 1900)
      • iTopF540-20240322.tmp (PID: 448)
      • Setup.exe (PID: 2320)
      • iTopVPN.exe (PID: 1392)
      • ugin.exe (PID: 268)
      • unpr.exe (PID: 2764)
      • ugin.exe (PID: 3596)
      • iTopDownloader.exe (PID: 3968)
      • iTopVPN.exe (PID: 3832)
      • atud.exe (PID: 2924)
      • iTopDataRecovery.tmp (PID: 2904)
      • UninstallInfo.exe (PID: 3284)
      • iTopInsur.exe (PID: 3948)
      • AUpdate.exe (PID: 3100)
      • IDRService.exe (PID: 2004)
      • iTopDataRecovery.exe (PID: 128)
      • Autoupdate.exe (PID: 764)
      • onlinesr_en.exe (PID: 2740)
    • Reads the machine GUID from the registry

      • ugin.exe (PID: 1900)
      • Setup.exe (PID: 2320)
      • ugin.exe (PID: 268)
      • icop32.exe (PID: 1732)
      • iTopDownloader.exe (PID: 3968)
      • unpr.exe (PID: 2764)
      • iTopVPN.exe (PID: 3832)
      • aud.exe (PID: 3872)
      • iTopVPNMini.exe (PID: 3164)
      • atud.exe (PID: 2924)
      • aud.exe (PID: 3876)
      • ICONPIN32.exe (PID: 2940)
      • AUpdate.exe (PID: 3152)
      • AUpdate.exe (PID: 3100)
      • Autoupdate.exe (PID: 764)
    • Creates files or folders in the user directory

      • ugin.exe (PID: 1900)
      • iTopF540-20240322.tmp (PID: 448)
      • iTopVPN.exe (PID: 1392)
      • explorer.exe (PID: 1164)
      • iTopVPN.exe (PID: 3832)
      • iTopVPNMini.exe (PID: 3164)
      • atud.exe (PID: 2924)
      • iTopDataRecovery.tmp (PID: 2904)
      • iTopInsur.exe (PID: 3948)
      • Autoupdate.exe (PID: 764)
    • Creates a software uninstall entry

      • iTopF540-20240322.tmp (PID: 448)
      • iTopDataRecovery.tmp (PID: 2904)
    • Process checks whether UAC notifications are on

      • iTopVPN.exe (PID: 3832)
    • Process checks Internet Explorer phishing filters

      • iTopVPN.exe (PID: 3832)
No Malware configuration.
All screenshots are available in the full report
Total processes: 138
Monitored processes: 76
Malicious processes: 17
Suspicious processes: 4

Behavior graph

start iexplore.exe iexplore.exe itopf540-20240322.exe no specs itopf540-20240322.tmp no specs itopf540-20240322.exe itopf540-20240322.tmp no specs ugin.exe setup.exe itopf540-20240322.exe no specs itopf540-20240322.tmp no specs ugin.exe no specs taskkill.exe no specs ugin.exe no specs ugin.exe no specs ullc.exe ugin.exe itopvpn.exe cmd.exe no specs sc.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs sc.exe no specs icop32.exe ugin.exe no specs ugin.exe no specs unpr.exe ugin.exe no specs itopdownloader.exe itopvpn.exe itopvpn.exe atud.exe aud.exe aud.exe cmd.exe no specs ipconfig.exe no specs itopvpnmini.exe itopdatarecovery.exe no specs itopdatarecovery.tmp cmd.exe no specs sc.exe no specs cmd.exe no specs sc.exe no specs secedit.exe no specs secedit.exe no specs locallang.exe itopinsur.exe idrinit.exe itopinsur.exe uninstallinfo.exe cmd.exe no specs sc.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs iconpin32.exe sc.exe no specs idrservice.exe itopdatarecovery.exe autoupdate.exe aupdate.exe aupdate.exe newfts.exe onlinesr_en.exe itopeasterp24.exe onlinesr_en.exe itopeasterp24.exe explorer.exe

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 128
CMD: "C:\Program Files\iTop Data Recovery\iTopDataRecovery.exe"
Path: C:\Program Files\iTop Data Recovery\iTopDataRecovery.exe
Parent process: iTopDataRecovery.tmp
User:
admin
Company:
iTop Inc.
Integrity Level:
HIGH
Description:
iTop Data Recovery
Version:
4.2.0.662
Modules
Images
c:\program files\itop data recovery\itopdatarecovery.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\itop data recovery\rtl120.bpl
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 268
CMD: "C:\Program Files\iTop VPN\ugin.exe" /init /ver 5.4.0.5166 /force /f /drvrestore /inspkg "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\iTopF540-20240322.exe" /PINTOTASKBAR /insthandle 1769906
Path: C:\Program Files\iTop VPN\ugin.exe
Parent process: iTopF540-20240322.tmp
User:
admin
Company:
iTop Inc.
Integrity Level:
HIGH
Description:
iTop VPN
Exit code:
0
Version:
5.0.0.5132
Modules
Images
c:\program files\itop vpn\ugin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 296
CMD: "C:\Users\admin\AppData\Local\Temp\is-VGQI0.tmp\ugin.exe" /kill
Path: C:\Users\admin\AppData\Local\Temp\is-VGQI0.tmp\ugin.exe
Parent process: iTopF540-20240322.tmp
User:
admin
Company:
iTop Inc.
Integrity Level:
HIGH
Description:
iTop VPN
Exit code:
0
Version:
5.0.0.5132
Modules
Images
c:\users\admin\appdata\local\temp\is-vgqi0.tmp\ugin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 448
CMD: "C:\Users\admin\AppData\Local\Temp\is-IFGAQ.tmp\iTopF540-20240322.tmp" /SL5="$C0162,38307672,141312,C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\iTopF540-20240322.exe" /sp- /verysilent /norestart /Installer /silenthide /insthandle=1769906 /DIR="C:\Program Files\iTop VPN" /quicklaunchicon
Path: C:\Users\admin\AppData\Local\Temp\is-IFGAQ.tmp\iTopF540-20240322.tmp
Parent process: iTopF540-20240322.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-ifgaq.tmp\itopf540-20240322.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 572
CMD: cmd.exe /c sc stop windivert
Path: C:\Windows\System32\cmd.exe
Parent process: ugin.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1060
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 748
CMD: secedit /export /cfg C:\Users\admin\AppData\Local\Temp\5578.inf /log C:\Users\admin\AppData\Local\Temp\713.log
Path: C:\Windows\System32\SecEdit.exe
Parent process: iTopVPN.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Security Configuration Editor Command Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\secedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\scecli.dll
c:\windows\system32\user32.dll
PID: 764
CMD: "C:\Program Files\iTop Data Recovery\Autoupdate.exe" /auto /start
Path: C:\Program Files\iTop Data Recovery\Autoupdate.exe
Parent process: iTopDataRecovery.exe
User:
admin
Company:
iTop Inc.
Integrity Level:
HIGH
Description:
iTop Data Recovery Updater
Exit code:
0
Version:
4.0.0.851
Modules
Images
c:\program files\itop data recovery\autoupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 996
CMD: sc description iTopDataRecoveryService4 "iTop Data Recovery Service"
Path: C:\Windows\System32\sc.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1164
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 1308
CMD: sc stop iTopDataRecoveryService4
Path: C:\Windows\System32\sc.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
1060
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 68 207
Read events: 67 573
Write events: 581
Delete events: 53

Modification events

(PID) Process: (2648) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPDaysSinceLastAutoMigration
Value: 1

(PID) Process: (2648) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchLowDateTime
Value: 359277808

(PID) Process: (2648) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchHighDateTime
Value: 31098727

(PID) Process: (2648) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateLowDateTime
Value: 659280308

(PID) Process: (2648) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateHighDateTime
Value: 31098727

(PID) Process: (2648) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (2648) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (2648) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (2648) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

(PID) Process: (2648) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
Executable files: 280
Suspicious files: 39
Text files: 364
Unknown types: 56

Dropped files

PID | Process | Filename | Type
4004 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\iTopF540-20240322[1].exe | executable
4004 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\iTopF540-20240322.exe.ygwddy5.partial | -
2648 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFC21AB95343B98014.TMP | binary
2648 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{5311F5DD-F35A-11EE-AE0A-12A9866C77DE}.dat | binary
2648 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\iTopF540-20240322.exe.ygwddy5.partial:Zone.Identifier | text
2648 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\iTopF540-20240322.exe | -
2072 | iTopF540-20240322.exe | C:\Users\admin\AppData\Local\Temp\is-B38MT.tmp\iTopF540-20240322.tmp | executable
3324 | iTopF540-20240322.exe | C:\Users\admin\AppData\Local\Temp\is-TIROV.tmp\iTopF540-20240322.tmp | executable
2060 | iTopF540-20240322.tmp | C:\Users\admin\AppData\Local\Temp\is-4DMRI.tmp\_isetup\_shfoldr.dll | executable
2060 | iTopF540-20240322.tmp | C:\Users\admin\AppData\Local\Temp\is-4DMRI.tmp\iTopInstaller.exe | executable
HTTP(S) requests: 42
TCP/UDP connections: 514
DNS requests: 29
Threats: 49

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2648 | iexplore.exe | GET | 304 | 2.16.100.168:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?008206919ad039a2 | unknown | unknown
1900 | ugin.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/ | unknown | unknown
2648 | iexplore.exe | GET | 304 | 88.221.110.91:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a0c79e91eb4e7878 | unknown | unknown
4004 | iexplore.exe | GET | 200 | 152.199.23.214:80 | http://update.downloaditop.com/dl/action-center/iTopF540-20240322.exe | unknown | unknown
2648 | iexplore.exe | GET | 304 | 2.16.100.168:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d3d5c9f69e71937c | unknown | unknown
2648 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | unknown
2320 | Setup.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/json/ | unknown | unknown
2320 | Setup.exe | GET | 200 | 152.199.20.140:80 | http://update.iobit.com/dl/img/inst/img_screenshot_idr.png | unknown | unknown
2320 | Setup.exe | GET | 200 | 152.199.20.140:80 | http://update.iobit.com/infofiles/ac/appver-ac.upt | unknown | unknown
2320 | Setup.exe | GET | 200 | 152.199.20.140:80 | http://update.iobit.com/dl/img/inst/logo_idr.png | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4004 | iexplore.exe | 152.199.23.214:80 | update.downloaditop.com | EDGECAST | US | unknown
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
1900 | ugin.exe | 208.95.112.1:80 | ip-api.com | TUT-AS | US | unknown
1900 | ugin.exe | 152.199.23.214:443 | update.downloaditop.com | EDGECAST | US | unknown
2648 | iexplore.exe | 152.199.19.161:443 | r20swj13mr.microsoft.com | EDGECAST | US | whitelisted
2648 | iexplore.exe | 2.16.100.168:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | whitelisted
2648 | iexplore.exe | 88.221.110.91:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
2648 | iexplore.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain | IP | Reputation
update.downloaditop.com | 152.199.23.214 | unknown
ip-api.com | 208.95.112.1 | shared
update.itopvpn.com | 152.199.23.214 | unknown
r20swj13mr.microsoft.com | 152.199.19.161 | whitelisted
iecvlist.microsoft.com | 152.199.19.161 | whitelisted
ctldl.windowsupdate.com | 2.16.100.168, 88.221.110.91, 173.222.108.210, 173.222.108.147 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
update.iobit.com | 152.199.20.140 | whitelisted
ieonline.microsoft.com | 204.79.197.200 | whitelisted
go.microsoft.com | 23.211.9.234 | whitelisted

Threats

PID | Process | Class | Message
4004 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
1900 | ugin.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
1900 | ugin.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1900 | ugin.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
2320 | Setup.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
2320 | Setup.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2320 | Setup.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
2320 | Setup.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2320 | Setup.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2320 | Setup.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
Process | Message
Setup.exe | time1
Setup.exe | time4
Setup.exe | time3
Setup.exe | doFinshedEvent_Freeware 0
Setup.exe | CheckLastRecVer
Setup.exe | chk_os_ver 110;100;63;62;61
Setup.exe | Chk_ver_min
Setup.exe | Chk_ver_min
Setup.exe | IsNeedRecommend=false
Setup.exe | Chk_ver_max