Malware analysis http://jp.iobit.com/ Malicious activity

Add for printing

URL:	http://jp.iobit.com/
Full analysis:	https://app.any.run/tasks/a7ec1467-35b0-47de-a36a-4ecabdc53a57
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	April 19, 2021, 02:06:17
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	adware trojan
Indicators:
MD5:	3A86EB9F9B03E17B9A0F15CEBCB76E18
SHA1:	D2419CE08B676A76ACFC4346F4E2CD9615C75695
SHA256:	3B731E819051CA9072A04275C80BFDFD5845D902222F2A2574464C68FDC917D7
SSDEEP:	3:N1KUhA3:CUh4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.17843 KB3058515
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)
srvpost (2.12.74)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Hyphenation Parent Package English
IE Spelling Parent Package English
IE Troubleshooters Package
InternetExplorer Optional Package
InternetExplorer Package TopLevel
KB2533623
KB2534111
KB2639308
KB2729094
KB2731771
KB2786081
KB2834140
KB2882822
KB2888049
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
PlatformUpdate Win7 SRV08R2 Package TopLevel
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - advanced-systemcare-setup.exe (PID: 2224)
  - advanced-systemcare-setup.exe (PID: 1140)
  - Setup.exe (PID: 3208)
  - advanced-systemcare-setup.exe (PID: 3896)
  - LocalLang.exe (PID: 3516)
  - ASCInit.exe (PID: 1792)
  - Register.exe (PID: 3620)
  - ASCService.exe (PID: 620)
  - RealTimeProtector.exe (PID: 2480)
  - UninstallInfo.exe (PID: 3948)
  - RealTimeProtector.exe (PID: 1572)
  - RealTimeProtector.exe (PID: 2544)
  - DiskDefrag.exe (PID: 2700)
  - PPUninstaller.exe (PID: 1372)
  - smBootTime.exe (PID: 3300)
  - smBootTime.exe (PID: 1776)
  - BrowserCleaner.exe (PID: 3632)
  - PrivacyShield.exe (PID: 3152)
  - smBootTimebase.exe (PID: 1328)
  - smBootTime.exe (PID: 4092)
  - Display.exe (PID: 1284)
  - BrowserProtect.exe (PID: 3016)
  - ASC.exe (PID: 3108)
  - Monitor.exe (PID: 1440)
  - smBootTime.exe (PID: 3440)
  - ASCTray.exe (PID: 2796)
  - ASCFeature.exe (PID: 3444)
  - AutoUpdate.exe (PID: 2980)
  - ASCFeature.exe (PID: 928)
  - ASCVER.exe (PID: 2788)
  - AutoSweep.exe (PID: 2304)
  - ActionCenterDownloader.exe (PID: 2860)
  - AutoCare.exe (PID: 3816)
  - startupInfo.exe (PID: 3796)
  - IObitLiveUpdate.exe (PID: 3416)
  - LocalLang.exe (PID: 912)
  - iScrInit.exe (PID: 3156)
  - iScrInit.exe (PID: 2580)
  - register.exe (PID: 3328)
  - GpuCheck.exe (PID: 3360)
  - iScrInit.exe (PID: 2992)
  - smBootTime.exe (PID: 2852)
  - smBootTime.exe (PID: 2476)
  - UninstallInfo.exe (PID: 2652)
  - ISS_Setup.exe (PID: 872)
  - smBootTime.exe (PID: 3484)
  - iSsInit.exe (PID: 3116)
  - LocalLang.exe (PID: 1904)
  - iSsInit.exe (PID: 1948)
  - iScrRec.exe (PID: 2500)
  - UninstallInfo.exe (PID: 4056)
  - smBootTime.exe (PID: 3932)
  - smBootTime.exe (PID: 3724)
  - smBootTime.exe (PID: 1488)
  - GpuCheck.exe (PID: 1708)
  - get-graphics-offsets32.exe (PID: 3472)
  - AutoUpdate.exe (PID: 1388)
  - iScrInit.exe (PID: 3380)
  - AUpdate.exe (PID: 2468)
  - iScrInit.exe (PID: 1012)
  - MonitorDisk.exe (PID: 1780)
  - AutoCare.exe (PID: 3508)
  - sdproxy.exe (PID: 2732)
  - AutoUpdate.exe (PID: 3916)
- Drops executable file immediately after starts
  - advanced-systemcare-setup.exe (PID: 2224)
  - advanced-systemcare-setup.exe (PID: 1140)
  - advanced-systemcare-setup.exe (PID: 3896)
  - ISRSetup.exe (PID: 3088)
  - ISRSetup.tmp (PID: 3376)
- Actions looks like stealing of personal data
  - advanced-systemcare-setup.tmp (PID: 1928)
  - smBootTimebase.exe (PID: 1328)
  - ASCService.exe (PID: 620)
  - PPUninstaller.exe (PID: 1372)
  - ASC.exe (PID: 3108)
  - AutoCare.exe (PID: 3508)
- Loads dropped or rewritten executable
  - ASCInit.exe (PID: 1792)
  - Register.exe (PID: 3620)
  - RealTimeProtector.exe (PID: 2480)
  - PPUninstaller.exe (PID: 1372)
  - smBootTime.exe (PID: 3300)
  - UninstallInfo.exe (PID: 3948)
  - RealTimeProtector.exe (PID: 1572)
  - ASCService.exe (PID: 620)
  - RealTimeProtector.exe (PID: 2544)
  - smBootTime.exe (PID: 1776)
  - smBootTimebase.exe (PID: 1328)
  - BrowserCleaner.exe (PID: 3632)
  - regsvr32.exe (PID: 1972)
  - PrivacyShield.exe (PID: 3152)
  - Setup.exe (PID: 3208)
  - smBootTime.exe (PID: 4092)
  - Display.exe (PID: 1284)
  - BrowserProtect.exe (PID: 3016)
  - Monitor.exe (PID: 1440)
  - ASC.exe (PID: 3108)
  - smBootTime.exe (PID: 3440)
  - ASCTray.exe (PID: 2796)
  - ASCFeature.exe (PID: 928)
  - ASCFeature.exe (PID: 3444)
  - AutoUpdate.exe (PID: 2980)
  - ASCVER.exe (PID: 2788)
  - AutoSweep.exe (PID: 2304)
  - AutoCare.exe (PID: 3816)
  - IObitLiveUpdate.exe (PID: 3416)
  - startupInfo.exe (PID: 3796)
  - iScrInit.exe (PID: 3156)
  - register.exe (PID: 3328)
  - iScrInit.exe (PID: 2580)
  - iScrInit.exe (PID: 2992)
  - smBootTime.exe (PID: 2476)
  - smBootTime.exe (PID: 3484)
  - smBootTime.exe (PID: 2852)
  - svchost.exe (PID: 884)
  - UninstallInfo.exe (PID: 2652)
  - UninstallInfo.exe (PID: 4056)
  - iScrRec.exe (PID: 2500)
  - smBootTime.exe (PID: 3932)
  - smBootTime.exe (PID: 3724)
  - smBootTime.exe (PID: 1488)
  - GpuCheck.exe (PID: 3360)
  - AUpdate.exe (PID: 2468)
  - iScrInit.exe (PID: 3380)
  - AutoUpdate.exe (PID: 1388)
  - MonitorDisk.exe (PID: 1780)
  - AutoCare.exe (PID: 3508)
- Loads the Task Scheduler COM API
  - ASCInit.exe (PID: 1792)
  - smBootTime.exe (PID: 3300)
  - smBootTimebase.exe (PID: 1328)
  - Setup.exe (PID: 3208)
  - ASC.exe (PID: 3108)
  - smBootTime.exe (PID: 3440)
  - iScrInit.exe (PID: 2580)
  - smBootTime.exe (PID: 3484)
  - smBootTime.exe (PID: 2852)
  - smBootTime.exe (PID: 2476)
  - iSsInit.exe (PID: 1948)
  - iScrRec.exe (PID: 2500)
  - smBootTime.exe (PID: 3932)
  - smBootTime.exe (PID: 3724)
  - smBootTime.exe (PID: 1488)
  - schtasks.exe (PID: 3672)
  - schtasks.exe (PID: 3280)
  - iScrInit.exe (PID: 3380)
  - iScrInit.exe (PID: 1012)
- Steals credentials from Web Browsers
  - ASCService.exe (PID: 620)
  - PPUninstaller.exe (PID: 1372)
  - ASC.exe (PID: 3108)
  - AutoCare.exe (PID: 3508)
- Registers / Runs the DLL via REGSVR32.EXE
  - ASCInit.exe (PID: 1792)
- Changes the autorun value in the registry
  - ASCInit.exe (PID: 1792)
- Changes settings of System certificates
  - ASCVER.exe (PID: 2788)
  - AutoUpdate.exe (PID: 2980)
- Connects to CnC server
  - ASC.exe (PID: 3108)
- Uses Task Scheduler to run other applications
  - cmd.exe (PID: 2152)
  - cmd.exe (PID: 2352)
SUSPICIOUS
- Executable content was dropped or overwritten
  - advanced-systemcare-setup.exe (PID: 1140)
  - firefox.exe (PID: 2928)
  - advanced-systemcare-setup.exe (PID: 2224)
  - advanced-systemcare-setup.tmp (PID: 1928)
  - advanced-systemcare-setup.exe (PID: 3896)
  - advanced-systemcare-setup.tmp (PID: 2124)
  - ASCInit.exe (PID: 1792)
  - Monitor.exe (PID: 1440)
  - AutoUpdate.exe (PID: 2980)
  - ISRSetup.exe (PID: 3088)
  - ISRSetup.tmp (PID: 3376)
  - ISS_Setup.exe (PID: 872)
  - ISS_Setup.tmp (PID: 2148)
- Reads the Windows organization settings
  - advanced-systemcare-setup.tmp (PID: 1928)
  - advanced-systemcare-setup.tmp (PID: 2124)
  - ISRSetup.tmp (PID: 3376)
  - ISS_Setup.tmp (PID: 2148)
  - AutoCare.exe (PID: 3508)
- Drops a file that was compiled in debug mode
  - advanced-systemcare-setup.tmp (PID: 1928)
  - advanced-systemcare-setup.tmp (PID: 2124)
  - Monitor.exe (PID: 1440)
  - AutoUpdate.exe (PID: 2980)
  - ISRSetup.tmp (PID: 3376)
  - ISS_Setup.tmp (PID: 2148)
- Drops a file with too old compile date
  - advanced-systemcare-setup.tmp (PID: 1928)
  - advanced-systemcare-setup.tmp (PID: 2124)
  - ISRSetup.tmp (PID: 3376)
  - ISS_Setup.tmp (PID: 2148)
- Reads Windows owner or organization settings
  - advanced-systemcare-setup.tmp (PID: 1928)
  - advanced-systemcare-setup.tmp (PID: 2124)
  - ISRSetup.tmp (PID: 3376)
  - ISS_Setup.tmp (PID: 2148)
  - AutoCare.exe (PID: 3508)
- Drops a file with a compile date too recent
  - advanced-systemcare-setup.tmp (PID: 1928)
  - advanced-systemcare-setup.tmp (PID: 2124)
  - AutoUpdate.exe (PID: 2980)
  - ISRSetup.tmp (PID: 3376)
  - ISS_Setup.tmp (PID: 2148)
  - UninstallInfo.exe (PID: 4056)
- Creates files in the user directory
  - advanced-systemcare-setup.tmp (PID: 1928)
  - ASCUpgrade.exe (PID: 3880)
  - advanced-systemcare-setup.tmp (PID: 2124)
  - ASCInit.exe (PID: 1792)
  - ASCService.exe (PID: 620)
  - BrowserCleaner.exe (PID: 3632)
  - ASC.exe (PID: 3108)
  - ASCTray.exe (PID: 2796)
  - PPUninstaller.exe (PID: 1372)
  - ISRSetup.tmp (PID: 3376)
  - iScrInit.exe (PID: 2580)
  - GpuCheck.exe (PID: 3360)
  - ISS_Setup.tmp (PID: 2148)
  - iScrRec.exe (PID: 2500)
- Creates files in the program directory
  - Setup.exe (PID: 3208)
  - ASCInit.exe (PID: 1792)
  - ASCService.exe (PID: 620)
  - smBootTimebase.exe (PID: 1328)
  - smBootTime.exe (PID: 3300)
  - UninstallInfo.exe (PID: 3948)
  - PrivacyShield.exe (PID: 3152)
  - Display.exe (PID: 1284)
  - Monitor.exe (PID: 1440)
  - AutoUpdate.exe (PID: 2980)
  - ASCVER.exe (PID: 2788)
  - AutoSweep.exe (PID: 2304)
  - ActionCenterDownloader.exe (PID: 2860)
  - AutoCare.exe (PID: 3816)
  - IObitLiveUpdate.exe (PID: 3416)
  - startupInfo.exe (PID: 3796)
  - ASC.exe (PID: 3108)
  - BrowserProtect.exe (PID: 3016)
  - UninstallInfo.exe (PID: 2652)
  - UninstallInfo.exe (PID: 4056)
  - AutoUpdate.exe (PID: 1388)
  - AutoCare.exe (PID: 3508)
  - AutoUpdate.exe (PID: 3916)
- Creates a directory in Program Files
  - Setup.exe (PID: 3208)
  - advanced-systemcare-setup.tmp (PID: 2124)
  - ASCInit.exe (PID: 1792)
  - ASCService.exe (PID: 620)
  - ASC.exe (PID: 3108)
  - AutoUpdate.exe (PID: 2980)
  - ISRSetup.tmp (PID: 3376)
  - ISS_Setup.tmp (PID: 2148)
  - iScrRec.exe (PID: 2500)
  - AutoUpdate.exe (PID: 1388)
- Executed as Windows Service
  - ASCService.exe (PID: 620)
- Removes files from Windows directory
  - ASCService.exe (PID: 620)
  - smBootTimebase.exe (PID: 1328)
- Creates files in the Windows directory
  - smBootTimebase.exe (PID: 1328)
  - svchost.exe (PID: 884)
  - ASCService.exe (PID: 620)
  - Monitor.exe (PID: 1440)
  - ASC.exe (PID: 3108)
- Starts CMD.EXE for commands execution
  - ASCInit.exe (PID: 1792)
  - iScrRec.exe (PID: 2500)
- Starts SC.EXE for service management
  - cmd.exe (PID: 2160)
- Application launched itself
  - RealTimeProtector.exe (PID: 2480)
- Searches for installed software
  - ASCService.exe (PID: 620)
  - smBootTimebase.exe (PID: 1328)
  - PPUninstaller.exe (PID: 1372)
  - ASC.exe (PID: 3108)
- Creates/Modifies COM task schedule object
  - regsvr32.exe (PID: 1972)
- Executed via COM
  - DllHost.exe (PID: 2436)
- Starts Internet Explorer
  - Setup.exe (PID: 3208)
- Low-level read access rights to disk partition
  - ASC.exe (PID: 3108)
  - Monitor.exe (PID: 1440)
- Reads Environment values
  - Monitor.exe (PID: 1440)
- Adds / modifies Windows certificates
  - ASCVER.exe (PID: 2788)
  - AutoUpdate.exe (PID: 2980)
- Reads CPU info
  - ASC.exe (PID: 3108)
- Reads default file associations for system extensions
  - ASC.exe (PID: 3108)
- Uses NETSH.EXE for network configuration
  - ASC.exe (PID: 3108)
  - AutoCare.exe (PID: 3508)
- Reads the time zone
  - AutoCare.exe (PID: 3508)
- Check for Java to be installed
  - AutoCare.exe (PID: 3508)
INFO
- Application launched itself
  - firefox.exe (PID: 2928)
  - firefox.exe (PID: 2008)
  - iexplore.exe (PID: 2276)
- Reads CPU info
  - firefox.exe (PID: 2928)
- Creates files in the program directory
  - firefox.exe (PID: 2928)
  - advanced-systemcare-setup.tmp (PID: 2124)
  - ISRSetup.tmp (PID: 3376)
  - ISS_Setup.tmp (PID: 2148)
- Reads settings of System Certificates
  - firefox.exe (PID: 2928)
  - iexplore.exe (PID: 1336)
  - AutoUpdate.exe (PID: 2980)
  - iexplore.exe (PID: 2276)
- Application was dropped or rewritten from another process
  - advanced-systemcare-setup.tmp (PID: 3988)
  - advanced-systemcare-setup.tmp (PID: 1928)
  - advanced-systemcare-setup.tmp (PID: 2124)
  - ASCUpgrade.exe (PID: 3880)
  - ASCUpgrade.exe (PID: 3656)
  - ISRSetup.tmp (PID: 3376)
  - iScrInit.exe (PID: 2960)
  - iScrInit.exe (PID: 3164)
  - iScrInit.exe (PID: 3532)
  - ISS_Setup.tmp (PID: 2148)
- Loads dropped or rewritten executable
  - advanced-systemcare-setup.tmp (PID: 1928)
  - advanced-systemcare-setup.tmp (PID: 2124)
  - ISRSetup.tmp (PID: 3376)
  - ISS_Setup.tmp (PID: 2148)
- Creates files in the user directory
  - firefox.exe (PID: 2928)
  - iexplore.exe (PID: 1336)
  - iexplore.exe (PID: 2276)
- Creates a software uninstall entry
  - advanced-systemcare-setup.tmp (PID: 2124)
  - ISRSetup.tmp (PID: 3376)
  - ISS_Setup.tmp (PID: 2148)
- Dropped object may contain Bitcoin addresses
  - advanced-systemcare-setup.tmp (PID: 2124)
  - AutoUpdate.exe (PID: 2980)
  - ASC.exe (PID: 3108)
  - ISRSetup.tmp (PID: 3376)
  - iexplore.exe (PID: 2276)
  - ISS_Setup.tmp (PID: 2148)
  - sdproxy.exe (PID: 2732)
- Changes internet zones settings
  - iexplore.exe (PID: 2276)
- Changes settings of System certificates
  - iexplore.exe (PID: 1336)
- Adds / modifies Windows certificates
  - iexplore.exe (PID: 1336)
- Reads internet explorer settings
  - iexplore.exe (PID: 1336)
- Reads Microsoft Office registry keys
  - ASC.exe (PID: 3108)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

153

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

620

"C:\Program Files\IObit\Advanced SystemCare\ASCService.exe"

C:\Program Files\IObit\Advanced SystemCare\ASCService.exe

services.exe

User:

SYSTEM

Company:

IObit

Integrity Level:

SYSTEM

Description:

Advanced SystemCare Service

Exit code:

Version:

14.3.1.180

Modules

Images
c:\program files\iobit\advanced systemcare\ascservice.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

872

"C:\Program Files\iFun\iFun Screen Recorder\ISS_Setup.exe" /sp- /verysilent /NORESTART /insur=isr /Dir="C:\Program Files\iFun\iFun Screenshot\"

C:\Program Files\iFun\iFun Screen Recorder\ISS_Setup.exe

ISRSetup.tmp

User:

admin

Company:

IObit

Integrity Level:

HIGH

Description:

iFun Screenshot

Exit code:

Version:

1.0.0.995

Modules

Images
c:\program files\ifun\ifun screen recorder\iss_setup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll

884

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\System32\svchost.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

912

"C:\Program Files\iFun\iFun Screen Recorder\LocalLang.exe"

C:\Program Files\iFun\iFun Screen Recorder\LocalLang.exe

—

ISRSetup.tmp

User:

admin

Company:

IObit

Integrity Level:

HIGH

Description:

Check Language

Exit code:

Version:

1.0.0.15

Modules

Images
c:\program files\ifun\ifun screen recorder\locallang.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll

928

"C:\Program Files\IObit\Advanced SystemCare\ASCFeature.exe" /asc /user

C:\Program Files\IObit\Advanced SystemCare\ASCFeature.exe

—

ASC.exe

User:

admin

Company:

IObit

Integrity Level:

HIGH

Description:

IObit ASCFeature

Exit code:

Version:

14.0.0.2

Modules

Images
c:\program files\iobit\advanced systemcare\ascfeature.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\iobit\advanced systemcare\rtl120.bpl
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

952

netsh int tcp show global

C:\Windows\system32\netsh.exe

—

AutoCare.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Network Command Shell

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll

1012

"C:\Program Files\iFun\iFun Screen Recorder\iScrInit.exe" /AutoupdateUac

C:\Program Files\iFun\iFun Screen Recorder\iScrInit.exe

—

AutoUpdate.exe

User:

admin

Company:

IObit

Integrity Level:

HIGH

Description:

iFun Screen Recorderr Ini

Exit code:

Version:

1.0.0.127

Modules

Images
c:\program files\ifun\ifun screen recorder\iscrinit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

1140

"C:\Users\admin\Downloads\advanced-systemcare-setup.exe"

C:\Users\admin\Downloads\advanced-systemcare-setup.exe

firefox.exe

User:

admin

Company:

IObit

Integrity Level:

MEDIUM

Description:

Advanced SystemCare

Exit code:

Version:

14.3.0.240

Modules

Images
c:\users\admin\downloads\advanced-systemcare-setup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

1284

"C:\Program Files\IObit\Advanced SystemCare\Display.exe" /service

C:\Program Files\IObit\Advanced SystemCare\Display.exe

—

ASCService.exe

User:

admin

Company:

IObit

Integrity Level:

HIGH

Description:

Display

Exit code:

Version:

14.0.0.154

Modules

Images
c:\program files\iobit\advanced systemcare\display.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\iobit\advanced systemcare\rtl120.bpl
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

1328

"C:\Program Files\IObit\Advanced SystemCare\smBootTimebase.exe" /boottime

C:\Program Files\IObit\Advanced SystemCare\smBootTimebase.exe

ASCService.exe

User:

SYSTEM

Company:

IObit

Integrity Level:

SYSTEM

Description:

Startup Information

Exit code:

Version:

1.0.0.0

Modules

Images
c:\program files\iobit\advanced systemcare\smboottimebase.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

Add for printing

Total events

35 216

Read events

33 787

Write events

1 427

Delete events

Modification events


(PID) Process:	(2928) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Browser
Value: 4C682E0701000000
(PID) Process:	(2008) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Launcher
Value: C18F290701000000
(PID) Process:	(2928) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Telemetry
Value: 1
(PID) Process:	(2928) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(2928) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:	write	Name:	SavedLegacySettings
Value: 46000000A5000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:	(2928) firefox.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2928) firefox.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
Operation:	write	Name:	@%SystemRoot%\system32\p2pcollab.dll,-8042
Value: Peer to Peer Trust
(PID) Process:	(2928) firefox.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
Operation:	write	Name:	@%SystemRoot%\system32\qagentrt.dll,-10
Value: System Health Authentication
(PID) Process:	(2928) firefox.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
Operation:	write	Name:	@%SystemRoot%\system32\dnsapi.dll,-103
Value: Domain Name System (DNS) Server Trust
(PID) Process:	(2928) firefox.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
Operation:	write	Name:	@%SystemRoot%\System32\fveui.dll,-843
Value: BitLocker Drive Encryption

Add for printing

Executable files

244

Suspicious files

204

Text files

2 831

Unknown types

182

Dropped files

PID	Process	Filename		Type
2928	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin		—
		MD5:—	SHA256:—
2928	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js		—
		MD5:—	SHA256:—
2928	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp		—
		MD5:—	SHA256:—
2928	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4.tmp		—
		MD5:—	SHA256:—
2928	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-child-current.bin		binary
		MD5:—	SHA256:—
2928	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\base-track-digest256.sbstore		binary
		MD5:—	SHA256:—
2928	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js		text
		MD5:—	SHA256:—
2928	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.bin		binary
		MD5:—	SHA256:—
2928	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\cache2\entries\283709D9E453AFEF352E05E13477CA2A22778E38		der
		MD5:—	SHA256:—
2928	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4		jsonlz4
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

121

TCP/UDP connections

170

DNS requests

127

Threats

101

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1336	iexplore.exe	GET	—	93.184.220.29:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAo1CNVcKSsBffitZcAP9%2BQ%3D	US	—	—	whitelisted
2928	firefox.exe	GET	—	34.107.221.82:80	http://detectportal.firefox.com/success.txt	US	—	—	whitelisted
3208	Setup.exe	GET	—	152.199.20.140:80	http://update.iobit.com/infofiles/installer/freewaret.upt	US	—	—	whitelisted
1336	iexplore.exe	GET	—	93.184.220.29:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAyeHSBed1wI7JWUZaE45DQ%3D	US	—	—	whitelisted
3948	UninstallInfo.exe	GET	—	52.3.174.214:80	http://stats.iobit.com/install.php?operate=1&user=1&app=asc14&ver=14.3.0.240&pr=iobit&system=61&type=1&lang=en-US&geo=1033&insur=other	US	—	—	suspicious
1336	iexplore.exe	GET	—	93.184.220.29:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAo1CNVcKSsBffitZcAP9%2BQ%3D	US	—	—	whitelisted
2928	firefox.exe	POST	—	93.184.220.29:80	http://ocsp.digicert.com/	US	—	—	whitelisted
2928	firefox.exe	POST	200	93.184.220.29:80	http://ocsp.digicert.com/	US	der	471 b	whitelisted
2928	firefox.exe	GET	301	52.194.47.5:80	http://jp.iobit.com/	US	html	229 b	unknown
2928	firefox.exe	POST	200	142.250.186.67:80	http://ocsp.pki.goog/gts1o1core	US	der	471 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2928	firefox.exe	34.107.221.82:80	detectportal.firefox.com	—	US	whitelisted
2928	firefox.exe	52.194.47.5:80	jp.iobit.com	—	US	unknown
2928	firefox.exe	34.212.89.14:443	search.services.mozilla.com	Amazon.com, Inc.	US	unknown
2928	firefox.exe	93.184.220.29:80	ocsp.digicert.com	MCI Communications Services, Inc. d/b/a Verizon Business	US	whitelisted
2928	firefox.exe	143.204.209.27:443	snippets.cdn.mozilla.net	—	US	unknown
2928	firefox.exe	172.217.18.74:443	safebrowsing.googleapis.com	Google Inc.	US	whitelisted
2928	firefox.exe	13.224.194.127:80	ocsp.sca1b.amazontrust.com	—	US	whitelisted
2928	firefox.exe	216.58.214.202:443	fonts.googleapis.com	Google Inc.	US	whitelisted
2928	firefox.exe	152.195.53.24:443	purchase.iobit.com	MCI Communications Services, Inc. d/b/a Verizon Business	US	whitelisted
2928	firefox.exe	142.250.186.67:80	ocsp.pki.goog	Google Inc.	US	whitelisted

DNS requests

Domain	IP	Reputation
jp.iobit.com	52.194.47.5 52.68.228.96	unknown
detectportal.firefox.com	34.107.221.82	whitelisted
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	whitelisted
jp-iobit-com.ap-northeast-1.elasticbeanstalk.com	52.68.228.96 52.194.47.5	unknown
search.services.mozilla.com	34.212.89.14 34.215.134.158 54.189.17.190	whitelisted
search.r53-2.services.mozilla.com	54.189.17.190 34.215.134.158 34.212.89.14	whitelisted
push.services.mozilla.com	52.13.70.243	whitelisted
autopush.prod.mozaws.net	52.13.70.243	whitelisted
snippets.cdn.mozilla.net	143.204.209.27 143.204.209.4 143.204.209.46 143.204.209.9	whitelisted
ocsp.digicert.com	93.184.220.29	whitelisted

Threats

PID	Process	Class	Message
1060	svchost.exe	Potentially Bad Traffic	ET INFO Observed DNS Query to .cloud TLD
1060	svchost.exe	Potentially Bad Traffic	ET INFO Observed DNS Query to .cloud TLD
3208	Setup.exe	Potentially Bad Traffic	ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
3208	Setup.exe	Misc activity	ADWARE [PTsecurity] PUP.Optional.AdvancedSystemCare
3208	Setup.exe	Potentially Bad Traffic	ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
3948	UninstallInfo.exe	Misc activity	ADWARE [PTsecurity] PUP.Optional.AdvancedSystemCare
3108	ASC.exe	Potentially Bad Traffic	ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
3108	ASC.exe	Potentially Bad Traffic	ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2980	AutoUpdate.exe	Potentially Bad Traffic	ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
3108	ASC.exe	Potentially Bad Traffic	ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)

Add for printing

Process	Message
ASCService.exe	TAdvancedSystemCareService.ServiceCreate
ASCService.exe	GetServiceController
ASCService.exe	GetNTControlsAccepted
smBootTimebase.exe	IME14 JPN Setup:C:\PROGRA~1\COMMON~1\MICROS~1\IME14\SHARED\IMEKLMG.EXE /SetPreload /JPN /Log
smBootTimebase.exe	IME14 KOR Setup:C:\PROGRA~1\COMMON~1\MICROS~1\IME14\SHARED\IMEKLMG.EXE /SetPreload /KOR /Log
ASCService.exe	Initialize_FP :part_stop
ASCService.exe	Initialize_FP :GetSystemInfo
ASCService.exe	Initialize_FP :part_init
ASCService.exe	Initialize_FP :part_start
ASCService.exe	Initialize_FP :init_con_port

General Info

http://jp.iobit.com/

3A86EB9F9B03E17B9A0F15CEBCB76E18

D2419CE08B676A76ACFC4346F4E2CD9615C75695

3B731E819051CA9072A04275C80BFDFD5845D902222F2A2574464C68FDC917D7

3:N1KUhA3:CUh4

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Drops executable file immediately after starts

Actions looks like stealing of personal data

Loads dropped or rewritten executable

Loads the Task Scheduler COM API

Steals credentials from Web Browsers

Registers / Runs the DLL via REGSVR32.EXE

Changes the autorun value in the registry

Changes settings of System certificates

Connects to CnC server

Uses Task Scheduler to run other applications

SUSPICIOUS

Executable content was dropped or overwritten

Reads the Windows organization settings

Drops a file that was compiled in debug mode

Drops a file with too old compile date

Reads Windows owner or organization settings

Drops a file with a compile date too recent

Creates files in the user directory

Creates files in the program directory

Creates a directory in Program Files

Executed as Windows Service

Removes files from Windows directory

Creates files in the Windows directory

Starts CMD.EXE for commands execution

Starts SC.EXE for service management

Application launched itself

Searches for installed software

Creates/Modifies COM task schedule object

Executed via COM

Starts Internet Explorer

Low-level read access rights to disk partition

Reads Environment values

Adds / modifies Windows certificates

Reads CPU info

Reads default file associations for system extensions

Uses NETSH.EXE for network configuration

Reads the time zone

Check for Java to be installed

INFO

Application launched itself

Reads CPU info

Creates files in the program directory

Reads settings of System Certificates

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

Creates files in the user directory

Creates a software uninstall entry

Dropped object may contain Bitcoin addresses

Changes internet zones settings

Changes settings of System certificates

Adds / modifies Windows certificates

Reads internet explorer settings

Reads Microsoft Office registry keys

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information