URL:

https://www.iobit.com/en/advanceduninstaller.php

Full analysis: https://app.any.run/tasks/8a4bf620-205a-4a99-910a-e4cf93150b52
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: November 21, 2023, 18:14:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
evasion
Indicators:
SHA1:

69AF3B0EE94DFB8AB33DD0A38E9493FE3F4E85F8

SHA256:

404EC4C9964602D2831A63EDB745E12BA56ECEC06AFFDF1FE70DBCA32587FCD7

SSDEEP:

3:N8DSLgz1EoYTXLnV:2OLghPYTXLV
(A block size of 3 is ssdeep's minimum, so the hashed object is at most a few hundred bytes. These indicators therefore describe the submitted object of this URL task, not the roughly 27 MB installer that the run downloads; do not pivot on them as if they were the installer's hashes.)

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • iobituninstaller.exe (PID: 3716)
      • iobituninstaller.exe (PID: 1756)
      • iobituninstaller.tmp (PID: 908)
      • iobituninstaller.exe (PID: 1840)
      • iushrun.exe (PID: 1276)
      • CrRestore.exe (PID: 2080)
      • iobituninstaller.tmp (PID: 2088)
      • AutoUpdate.exe (PID: 3348)
      • uninstall.exe (PID: 3916)
      • Un_A.exe (PID: 3748)
      • iTopSetup.exe.exe (PID: 3132)
      • IObitDownloader.exe (PID: 3320)
      • iTop Data Recovery_Setup_IU.exe (PID: 600)
      • iTopSetup.exe.tmp (PID: 4028)
      • ugin.exe (PID: 2576)
      • UninstallMonitor.exe (PID: 2096)
      • iTop Data Recovery_Setup_IU.tmp (PID: 3708)
      • Autoupdate.exe (PID: 3276)
      • atud.exe (PID: 3700)
      • ASCSetup.exe.exe (PID: 1088)
      • ASCInit.exe (PID: 2472)
      • Monitor.exe (PID: 2736)
      • AutoUpdate.exe (PID: 3716)
      • ASCSetup.exe.tmp (PID: 1416)
    • Registers / Runs the DLL via REGSVR32.EXE

      • iush.exe (PID: 1904)
      • IObitUninstaler.exe (PID: 2540)
      • ASCInit.exe (PID: 2472)
    • Steals credentials from Web Browsers

      • IObitUninstaler.exe (PID: 2540)
      • iTopVPN.exe (PID: 3280)
      • smBootTimebase.exe (PID: 2936)
    • Actions look like stealing of personal data

      • IObitUninstaler.exe (PID: 2540)
      • iTopVPN.exe (PID: 3280)
      • smBootTimebase.exe (PID: 2936)
    • Runs injected code in another process

      • icop32.exe (PID: 2332)
      • ICONPIN32.exe (PID: 1032)
    • Application was injected by another process

      • explorer.exe (PID: 1388)
    • Creates a writable file in the system directory

      • smBootTimebase.exe (PID: 2936)
  • SUSPICIOUS

    • Reads the Windows owner or organization settings

      • iobituninstaller.tmp (PID: 908)
      • iobituninstaller.tmp (PID: 2088)
      • iTopSetup.exe.tmp (PID: 4028)
      • iTop Data Recovery_Setup_IU.tmp (PID: 3708)
      • ASCSetup.exe.tmp (PID: 1416)
    • Reads the Internet Settings

      • iobituninstaller.tmp (PID: 908)
      • iobituninstaller.tmp (PID: 2088)
      • iush.exe (PID: 1904)
      • DSPut.exe (PID: 328)
      • Setup.exe (PID: 1808)
      • IObitUninstaler.exe (PID: 2540)
      • AUpdate.exe (PID: 2964)
      • IObitDownloader.exe (PID: 3320)
      • iTopSetup.exe.tmp (PID: 4028)
      • iTop Data Recovery_Setup_IU.tmp (PID: 3708)
      • ugin.exe (PID: 2576)
      • IdrInit.exe (PID: 2544)
      • iTopDataRecovery.exe (PID: 3204)
      • iTopVPN.exe (PID: 3280)
      • Autoupdate.exe (PID: 3276)
      • iTopVPNMini.exe (PID: 2308)
      • atud.exe (PID: 3700)
      • ASCSetup.exe.tmp (PID: 1416)
      • ASCInit.exe (PID: 2472)
    • Process drops SQLite DLL files

      • iobituninstaller.tmp (PID: 2088)
      • iTopSetup.exe.tmp (PID: 4028)
      • iTop Data Recovery_Setup_IU.tmp (PID: 3708)
      • ASCSetup.exe.tmp (PID: 1416)
    • Drops a system driver (possible attempt to evade defenses)

      • iobituninstaller.tmp (PID: 2088)
      • iTopSetup.exe.tmp (PID: 4028)
      • ugin.exe (PID: 2576)
      • ASCSetup.exe.tmp (PID: 1416)
      • Monitor.exe (PID: 2736)
    • Executes as Windows Service

      • IUService.exe (PID: 1936)
      • IDRService.exe (PID: 2056)
      • ASCService.exe (PID: 1808)
    • Searches for installed software

      • iush.exe (PID: 1904)
      • DSPut.exe (PID: 328)
      • CrRestore.exe (PID: 2080)
      • IObitUninstaler.exe (PID: 2540)
      • UninstallMonitor.exe (PID: 2096)
      • AutoUpdate.exe (PID: 3348)
      • iush.exe (PID: 3064)
      • IObitDownloader.exe (PID: 3320)
      • UninstallMonitor.exe (PID: 2548)
      • itopbfp23.exe (PID: 2028)
      • iTopVPN.exe (PID: 3280)
      • ASCSetup.exe.tmp (PID: 1416)
      • smBootTimebase.exe (PID: 2936)
    • Process requests binary or script from the Internet

      • IObitDownloader.exe (PID: 3320)
      • AutoUpdate.exe (PID: 3348)
      • Autoupdate.exe (PID: 3276)
    • Starts itself from another location

      • uninstall.exe (PID: 3916)
    • The process creates files with name similar to system file names

      • Un_A.exe (PID: 3748)
    • Malware-specific behavior (creating "System.dll" in Temp; note that NSIS-built installers and uninstallers also drop their System.dll plugin there, and Un_A.exe is the name an NSIS uninstaller uses when it copies itself to Temp)

      • Un_A.exe (PID: 3748)
    • Reads Microsoft Outlook installation path

      • IObitUninstaler.exe (PID: 2540)
    • Process drops legitimate windows executable

      • iTopSetup.exe.tmp (PID: 4028)
      • iTop Data Recovery_Setup_IU.tmp (PID: 3708)
      • ASCSetup.exe.tmp (PID: 1416)
    • Uses TASKKILL.EXE to kill process

      • iTopSetup.exe.tmp (PID: 4028)
    • The process verifies whether the antivirus software is installed

      • IObitUninstaler.exe (PID: 2540)
      • iTopVPN.exe (PID: 3280)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 2204)
      • cmd.exe (PID: 3008)
      • cmd.exe (PID: 1344)
      • cmd.exe (PID: 3720)
      • cmd.exe (PID: 3252)
      • cmd.exe (PID: 2396)
      • cmd.exe (PID: 1416)
      • cmd.exe (PID: 3728)
      • cmd.exe (PID: 2756)
      • cmd.exe (PID: 3676)
      • cmd.exe (PID: 2496)
      • cmd.exe (PID: 3040)
      • cmd.exe (PID: 3064)
    • Starts CMD.EXE for commands execution

      • iTop Data Recovery_Setup_IU.tmp (PID: 3708)
      • ugin.exe (PID: 2576)
      • iTopVPN.exe (PID: 3280)
      • ASCInit.exe (PID: 2472)
    • Application launched itself

      • ugin.exe (PID: 2576)
      • RealTimeProtector.exe (PID: 3008)
    • Process uses IPCONFIG to clear DNS cache

      • cmd.exe (PID: 844)
    • Checks for external IP

      • UninstallInfo.exe (PID: 536)
      • unpr.exe (PID: 2548)
      • itopbfp23.exe (PID: 2028)
    • Connects to unusual port

      • iTopVPN.exe (PID: 3280)
    • Writes to the desktop.ini file (may be used to cloak folders)

      • ASCInit.exe (PID: 2472)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3484)
    • Reads the Internet Settings

      • explorer.exe (PID: 1388)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 4000)
    • Reads the machine GUID from the registry

      • wmpnscfg.exe (PID: 4000)
      • iush.exe (PID: 1904)
      • DSPut.exe (PID: 328)
      • IObitUninstaler.exe (PID: 2540)
      • AUpdate.exe (PID: 2964)
      • iTopVPN.exe (PID: 1728)
      • UninstallMonitor.exe (PID: 2096)
      • ugin.exe (PID: 2576)
      • icop32.exe (PID: 2332)
      • ICONPIN32.exe (PID: 1032)
      • AUpdate.exe (PID: 1812)
      • unpr.exe (PID: 2548)
      • AUpdate.exe (PID: 1944)
      • aud.exe (PID: 1752)
      • aud.exe (PID: 908)
      • iTopVPN.exe (PID: 3280)
      • iTopVPNMini.exe (PID: 2308)
      • atud.exe (PID: 3700)
      • Autoupdate.exe (PID: 3276)
      • itopbfp23.exe (PID: 2028)
    • Checks supported languages

      • wmpnscfg.exe (PID: 4000)
      • iobituninstaller.exe (PID: 1756)
      • iobituninstaller.tmp (PID: 2068)
      • iobituninstaller.tmp (PID: 908)
      • iobituninstaller.exe (PID: 1840)
      • iobituninstaller.tmp (PID: 2088)
      • Setup.exe (PID: 1808)
      • iushrun.exe (PID: 1276)
      • iush.exe (PID: 1904)
      • IUService.exe (PID: 1936)
      • DSPut.exe (PID: 328)
      • CrRestore.exe (PID: 2080)
      • UninstallPromote.exe (PID: 3780)
      • iobituninstaller.exe (PID: 3716)
      • UninstallMonitor.exe (PID: 2096)
      • IObitUninstaler.exe (PID: 2540)
      • AutoUpdate.exe (PID: 3348)
      • iush.exe (PID: 3064)
      • IObitDownloader.exe (PID: 3320)
      • UninstallMonitor.exe (PID: 2548)
      • Un_A.exe (PID: 3748)
      • iTopSetup.exe.exe (PID: 3132)
      • uninstall.exe (PID: 3916)
      • ugin.exe (PID: 4048)
      • ugin.exe (PID: 1628)
      • iTopSetup.exe.tmp (PID: 4028)
      • iTop Data Recovery_Setup_IU.exe (PID: 600)
      • iTop Data Recovery_Setup_IU.tmp (PID: 3708)
      • ugin.exe (PID: 1528)
      • ullc.exe (PID: 1184)
      • iTopVPN.exe (PID: 1728)
      • AUpdate.exe (PID: 2964)
      • ugin.exe (PID: 2576)
      • icop32.exe (PID: 2332)
      • ugin.exe (PID: 1116)
      • LocalLang.exe (PID: 2300)
      • iTopInsur.exe (PID: 2624)
      • IdrInit.exe (PID: 2544)
      • iTopInsur.exe (PID: 3800)
      • UninstallInfo.exe (PID: 536)
      • ICONPIN32.exe (PID: 1032)
      • IDRService.exe (PID: 2056)
      • iTopDataRecovery.exe (PID: 3204)
      • Autoupdate.exe (PID: 3276)
      • AUpdate.exe (PID: 1812)
      • AUpdate.exe (PID: 1944)
      • ugin.exe (PID: 644)
      • unpr.exe (PID: 2548)
      • ugin.exe (PID: 3896)
      • iTopVPN.exe (PID: 3280)
      • atud.exe (PID: 3700)
      • aud.exe (PID: 908)
      • aud.exe (PID: 1752)
      • iTopVPNMini.exe (PID: 2308)
      • Newfts.exe (PID: 3008)
      • itopbfp23.exe (PID: 2028)
      • iTopVPN.exe (PID: 2620)
      • itopbfp23.exe (PID: 3784)
      • ASCSetup.exe.exe (PID: 1088)
      • ASCUpgrade.exe (PID: 3736)
      • ASCSetup.exe.tmp (PID: 1416)
      • ASCUpgrade.exe (PID: 2364)
      • ASCInit.exe (PID: 2472)
      • LocalLang.exe (PID: 2500)
      • smBootTimebase.exe (PID: 2936)
      • ASCService.exe (PID: 1808)
    • Create files in a temporary directory

      • iobituninstaller.exe (PID: 1756)
      • iobituninstaller.tmp (PID: 908)
      • Setup.exe (PID: 1808)
      • iobituninstaller.exe (PID: 1840)
      • iobituninstaller.tmp (PID: 2088)
      • iushrun.exe (PID: 1276)
      • iobituninstaller.exe (PID: 3716)
      • IObitUninstaler.exe (PID: 2540)
      • uninstall.exe (PID: 3916)
      • Un_A.exe (PID: 3748)
      • iTopSetup.exe.exe (PID: 3132)
      • iTopSetup.exe.tmp (PID: 4028)
      • iTop Data Recovery_Setup_IU.exe (PID: 600)
      • iTop Data Recovery_Setup_IU.tmp (PID: 3708)
      • icop32.exe (PID: 2332)
      • explorer.exe (PID: 1388)
      • SecEdit.exe (PID: 556)
      • SecEdit.exe (PID: 1828)
      • iTopVPN.exe (PID: 3280)
      • ASCSetup.exe.tmp (PID: 1416)
      • ASCSetup.exe.exe (PID: 1088)
      • ICONPIN32.exe (PID: 1032)
    • Reads the computer name

      • iobituninstaller.tmp (PID: 2068)
      • iobituninstaller.tmp (PID: 908)
      • iobituninstaller.tmp (PID: 2088)
      • Setup.exe (PID: 1808)
      • iush.exe (PID: 1904)
      • iushrun.exe (PID: 1276)
      • IUService.exe (PID: 1936)
      • DSPut.exe (PID: 328)
      • CrRestore.exe (PID: 2080)
      • wmpnscfg.exe (PID: 4000)
      • UninstallPromote.exe (PID: 3780)
      • IObitUninstaler.exe (PID: 2540)
      • UninstallMonitor.exe (PID: 2096)
      • AutoUpdate.exe (PID: 3348)
      • iush.exe (PID: 3064)
      • IObitDownloader.exe (PID: 3320)
      • UninstallMonitor.exe (PID: 2548)
      • Un_A.exe (PID: 3748)
      • uninstall.exe (PID: 3916)
      • iTopSetup.exe.tmp (PID: 4028)
      • ugin.exe (PID: 4048)
      • ugin.exe (PID: 1628)
      • iTop Data Recovery_Setup_IU.tmp (PID: 3708)
      • ugin.exe (PID: 1528)
      • ugin.exe (PID: 2576)
      • iTopVPN.exe (PID: 1728)
      • AUpdate.exe (PID: 2964)
      • ugin.exe (PID: 1116)
      • iTopInsur.exe (PID: 2624)
      • IdrInit.exe (PID: 2544)
      • iTopInsur.exe (PID: 3800)
      • UninstallInfo.exe (PID: 536)
      • IDRService.exe (PID: 2056)
      • iTopDataRecovery.exe (PID: 3204)
      • Autoupdate.exe (PID: 3276)
      • AUpdate.exe (PID: 1812)
      • ugin.exe (PID: 644)
      • unpr.exe (PID: 2548)
      • ugin.exe (PID: 3896)
      • iTopVPN.exe (PID: 3280)
      • AUpdate.exe (PID: 1944)
      • aud.exe (PID: 1752)
      • atud.exe (PID: 3700)
      • aud.exe (PID: 908)
      • iTopVPNMini.exe (PID: 2308)
      • Newfts.exe (PID: 3008)
      • itopbfp23.exe (PID: 2028)
      • iTopVPN.exe (PID: 2620)
      • ASCUpgrade.exe (PID: 2364)
      • ASCSetup.exe.tmp (PID: 1416)
      • ASCUpgrade.exe (PID: 3736)
      • itopbfp23.exe (PID: 3784)
      • ASCInit.exe (PID: 2472)
      • smBootTimebase.exe (PID: 2936)
      • ASCService.exe (PID: 1808)
    • Creates files or folders in the user directory

      • Setup.exe (PID: 1808)
      • iush.exe (PID: 1904)
      • CrRestore.exe (PID: 2080)
      • UninstallPromote.exe (PID: 3780)
      • UninstallMonitor.exe (PID: 2096)
      • IObitUninstaler.exe (PID: 2540)
      • AUpdate.exe (PID: 2964)
      • AutoUpdate.exe (PID: 3348)
      • IObitDownloader.exe (PID: 3320)
      • ugin.exe (PID: 4048)
      • iTopVPN.exe (PID: 1728)
      • explorer.exe (PID: 1388)
      • iTop Data Recovery_Setup_IU.tmp (PID: 3708)
      • iTopInsur.exe (PID: 2624)
      • iTopSetup.exe.tmp (PID: 4028)
      • Autoupdate.exe (PID: 3276)
      • atud.exe (PID: 3700)
      • iTopVPN.exe (PID: 3280)
      • iTopVPNMini.exe (PID: 2308)
      • ASCSetup.exe.tmp (PID: 1416)
      • ASCInit.exe (PID: 2472)
      • ASCService.exe (PID: 1808)
    • Creates files in the program directory

      • Setup.exe (PID: 1808)
      • iobituninstaller.tmp (PID: 2088)
      • iush.exe (PID: 1904)
      • iushrun.exe (PID: 1276)
      • CrRestore.exe (PID: 2080)
      • UninstallPromote.exe (PID: 3780)
      • DSPut.exe (PID: 328)
      • IObitUninstaler.exe (PID: 2540)
      • AutoUpdate.exe (PID: 3348)
      • IObitDownloader.exe (PID: 3320)
      • iTopSetup.exe.tmp (PID: 4028)
      • ugin.exe (PID: 1528)
      • iTopVPN.exe (PID: 1728)
      • ugin.exe (PID: 2576)
      • iTop Data Recovery_Setup_IU.tmp (PID: 3708)
      • iTopInsur.exe (PID: 2624)
      • UninstallInfo.exe (PID: 536)
      • IDRService.exe (PID: 2056)
      • iTopDataRecovery.exe (PID: 3204)
      • AUpdate.exe (PID: 1812)
      • ugin.exe (PID: 3896)
      • unpr.exe (PID: 2548)
      • Autoupdate.exe (PID: 3276)
      • iTopVPN.exe (PID: 3280)
      • atud.exe (PID: 3700)
      • Newfts.exe (PID: 3008)
      • itopbfp23.exe (PID: 2028)
      • ASCSetup.exe.tmp (PID: 1416)
      • ASCInit.exe (PID: 2472)
      • smBootTimebase.exe (PID: 2936)
      • ASCService.exe (PID: 1808)
    • Checks proxy server information

      • DSPut.exe (PID: 328)
      • AUpdate.exe (PID: 2964)
    • Drops the executable file immediately after the start

      • iexplore.exe (PID: 3124)
      • iexplore.exe (PID: 3484)
    • The process uses the downloaded file

      • iexplore.exe (PID: 3484)
    • Reads Microsoft Office registry keys

      • IObitUninstaler.exe (PID: 2540)
    • Process checks whether UAC notifications are enabled

      • iTopVPN.exe (PID: 3280)
    • Process checks Internet Explorer phishing filters

      • iTopVPN.exe (PID: 3280)
    • Creates a software uninstall entry

      • ASCSetup.exe.tmp (PID: 1416)
    • Dropped object may contain TOR URLs

      • ASCSetup.exe.tmp (PID: 1416)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
200
Monitored processes
132
Malicious processes
34
Suspicious processes
7

Behavior graph

Processes in the graph, in launch order ("no specs" marks a process with no signatures attached to it):
start inject iexplore.exe iexplore.exe wmpnscfg.exe no specs iobituninstaller.exe no specs iobituninstaller.tmp no specs iobituninstaller.exe iobituninstaller.tmp no specs setup.exe iobituninstaller.exe no specs iobituninstaller.tmp no specs iushrun.exe iush.exe regsvr32.exe regsvr32.exe iuservice.exe dsput.exe crrestore.exe no specs uninstallpromote.exe iobituninstaler.exe uninstallmonitor.exe regsvr32.exe aupdate.exe autoupdate.exe iobitdownloader.exe iush.exe uninstallmonitor.exe no specs uninstall.exe no specs un_a.exe no specs itopsetup.exe.exe no specs itopsetup.exe.tmp no specs ugin.exe no specs taskkill.exe no specs ugin.exe no specs itop data recovery_setup_iu.exe no specs itop data recovery_setup_iu.tmp ugin.exe no specs ullc.exe itopvpn.exe ugin.exe cmd.exe no specs sc.exe no specs cmd.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs sc.exe no specs sc.exe no specs icop32.exe ugin.exe no specs locallang.exe itopinsur.exe idrinit.exe itopinsur.exe uninstallinfo.exe cmd.exe no specs sc.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs sc.exe no specs iconpin32.exe cmd.exe no specs sc.exe no specs idrservice.exe explorer.exe itopdatarecovery.exe autoupdate.exe aupdate.exe aupdate.exe ugin.exe no specs unpr.exe itopvpn.exe ugin.exe no specs atud.exe aud.exe aud.exe cmd.exe no specs ipconfig.exe no specs itopvpnmini.exe newfts.exe itopbfp23.exe secedit.exe no specs secedit.exe no specs itopvpn.exe itopbfp23.exe ascsetup.exe.exe no specs ascsetup.exe.tmp no specs ascupgrade.exe no specs ascupgrade.exe locallang.exe no specs ascinit.exe ascservice.exe cmd.exe no specs smboottimebase.exe no specs sc.exe no specs uninstallinfo.exe no specs regsvr32.exe no specs browsercleaner.exe no specs privacyshield.exe no specs smboottime.exe no specs SPPSurrogate no specs setup.exe no specs ppuninstaller.exe no specs 
realtimeprotector.exe no specs diskdefrag.exe no specs realtimeprotector.exe no specs ugin.exe no specs browserprotect.exe no specs asc.exe no specs smboottime.exe no specs monitor.exe no specs realtimeprotector.exe no specs productstat3.exe no specs productstat3.exe no specs ascfeature.exe no specs asctray.exe no specs ascfeature.exe no specs autoupdate.exe no specs ascver.exe no specs smboottime.exe no specs ugin.exe no specs productstat3.exe no specs display.exe no specs wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 280
CMD: sc delete iTopDataRecoveryService3
Path: C:\Windows\System32\sc.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
1060 (ERROR_SERVICE_DOES_NOT_EXIST: no service of that name existed when the delete ran)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 316
CMD: sc start iTopDataRecoveryService4
Path: C:\Windows\System32\sc.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 328
CMD: "C:\Program Files\IObit\IObit Uninstaller\DSPut.exe" /Now /update /W3sidmVyc2lvbiI6IjAuMC4wLjAiLCJzaG93IjowLCJjbGljayI6MCwibGFzdCI6MH1d
Path: C:\Program Files\IObit\IObit Uninstaller\DSPut.exe
Parent process: iush.exe
User:
admin
Company:
IObit
Integrity Level:
HIGH
Description:
Data Statistics Program
Exit code:
0
Version:
13.0.0.1
Modules
Images
c:\program files\iobit\iobit uninstaller\dsput.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\iobit\iobit uninstaller\rtl120.bpl
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
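The /W... token in the DSPut.exe command line above is base64. The following Python helper, added here as an example and not part of the ANY.RUN report or of IObit's software, tokenises a recorded Windows command line, tries each token (with and without a leading switch letter) as base64, and parses the result as JSON when it is one. Run against PID 328's command line it yields [{"version":"0.0.0.0","show":0,"click":0,"last":0}], a small statistics record (DSPut.exe describes itself as "Data Statistics Program") rather than executable content. The length floor and the printable-UTF-8 check are heuristics chosen for this example.

```python
import base64
import binascii
import json
import re

# Command line recorded for PID 328 above; the last token is "/" followed by
# a base64 string, which is the payload we want to decode.
DSPUT_CMDLINE = (
    r'"C:\Program Files\IObit\IObit Uninstaller\DSPut.exe" /Now /update '
    "/W3sidmVyc2lvbiI6IjAuMC4wLjAiLCJzaG93IjowLCJjbGljayI6MCwibGFzdCI6MH1d"
)

# Standard base64 alphabet with optional padding. The length floor stops short
# switches such as /update from being tried as payloads; long hex GUIDs or
# service names can still match here and are rejected later by the UTF-8 check.
_B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _try_decode(candidate: str):
    """Decode candidate as base64 and return the text if it is printable UTF-8."""
    if not _B64_TOKEN.match(candidate):
        return None
    padded = candidate + "=" * (-len(candidate) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def decode_base64_args(cmdline: str) -> list[dict]:
    """Find tokens that carry a base64 payload and decode them.

    Each token is tried with its leading "/" or "-" removed and, failing that,
    with one switch letter removed as well, so both "/<base64>" and
    "/X<base64>" forms are handled. Valid JSON is parsed into "json".
    """
    findings = []
    for tok in tokenize(cmdline):
        body = tok[1:] if tok[:1] in ("/", "-") else tok
        for candidate in (body, body[1:]):
            text = _try_decode(candidate)
            if text is None:
                continue
            try:
                parsed = json.loads(text)
            except json.JSONDecodeError:
                parsed = None
            findings.append({"token": tok, "base64": candidate, "text": text, "json": parsed})
            break
    return findings


if __name__ == "__main__":
    for hit in decode_base64_args(DSPUT_CMDLINE):
        print(hit["text"])
```

The same helper applies to any process row in this report: feed it the CMD field and anything that decodes to readable text is worth reading before deciding whether an argument is configuration, telemetry, or a staged payload.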
PID: 536
CMD: "C:\Program Files\iTop Data Recovery\UninstallInfo.exe" /install idr4
Path: C:\Program Files\iTop Data Recovery\UninstallInfo.exe
Parent process: iTop Data Recovery_Setup_IU.tmp
User:
admin
Company:
iTop Inc.
Integrity Level:
HIGH
Description:
UninstallInfo
Exit code:
0
Version:
1.0.0.349
Modules
Images
c:\program files\itop data recovery\uninstallinfo.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 556
CMD: secedit /export /cfg C:\Users\admin\AppData\Local\Temp\8798.inf /log C:\Users\admin\AppData\Local\Temp\2003.log
Path: C:\Windows\System32\SecEdit.exe
Parent process: iTopVPN.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Security Configuration Editor Command Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\secedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\scecli.dll
c:\windows\system32\user32.dll
PID: 600
CMD: "C:\ProgramData\IObit\IObit Uninstaller\Downloader\iTop Data Recovery_Setup_IU.exe" /sp- /verysilent /suppressmsgboxes /insur=iu_inw
Path: C:\ProgramData\IObit\IObit Uninstaller\Downloader\iTop Data Recovery_Setup_IU.exe
Parent process: IObitDownloader.exe
User:
admin
Company:
iTop Inc.
Integrity Level:
HIGH
Description:
iTop Data Recovery
Exit code:
0
Version:
4.1.0.565
Modules
Images
c:\programdata\iobit\iobit uninstaller\downloader\itop data recovery_setup_iu.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 644
CMD: "C:\Program Files\iTop VPN\ugin.exe" /setlan "English"
Path: C:\Program Files\iTop VPN\ugin.exe
Parent process: iTopSetup.exe.tmp
User:
admin
Company:
iTop Inc.
Integrity Level:
HIGH
Description:
iTop VPN
Exit code:
0
Version:
5.0.0.4908
Modules
Images
c:\program files\itop vpn\ugin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 756
CMD: "C:\Program Files\IObit\Advanced SystemCare\RealTimeProtector.exe" /RunCurUs
Path: C:\Program Files\IObit\Advanced SystemCare\RealTimeProtector.exe
Parent process: ASCService.exe
User:
admin
Company:
IObit
Integrity Level:
HIGH
Description:
Real-time Protector
Exit code:
0
Version:
17.0.0.273
PID: 844
CMD: cmd.exe /c ipconfig /flushdns
Path: C:\Windows\System32\cmd.exe
Parent process: iTopVPN.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 908
CMD: "C:\Users\admin\AppData\Local\Temp\is-4CN35.tmp\iobituninstaller.tmp" /SL5="$A0210,27932468,139264,C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\iobituninstaller.exe" /SPAWNWND=$50238 /NOTIFYWND=$4021E
Path: C:\Users\admin\AppData\Local\Temp\is-4CN35.tmp\iobituninstaller.tmp
Parent process: iobituninstaller.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-4cn35.tmp\iobituninstaller.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
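The process rows above carry the patterns a detection engineer would match on: cmd.exe one-liners driving sc.exe, secedit exporting the local security policy on behalf of a VPN client, a DNS cache flush, and an installer launched with /verysilent /suppressmsgboxes by a downloader rather than by the user. The following Python, added here as an example and not part of the ANY.RUN report, runs such rules over process-creation records modelled on those rows (the record layout and the rule names are assumptions of the example), and additionally pairs the "sc delete ...Service3" with the later "sc start ...Service4" so that a versioned service replacement is surfaced as one finding instead of two unrelated sc.exe launches.

```python
import re

# Process-creation records modelled on the rows of the Process information
# section above (PID, image path, command line, parent image). This record
# shape is an assumption made for the example, not the report's data format.
RECORDS = [
    {"pid": 280, "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc delete iTopDataRecoveryService3", "parent": "cmd.exe"},
    {"pid": 316, "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc start iTopDataRecoveryService4", "parent": "cmd.exe"},
    {"pid": 556, "image": r"C:\Windows\System32\SecEdit.exe",
     "cmdline": r"secedit /export /cfg C:\Users\admin\AppData\Local\Temp\8798.inf"
                r" /log C:\Users\admin\AppData\Local\Temp\2003.log",
     "parent": "iTopVPN.exe"},
    {"pid": 600,
     "image": r"C:\ProgramData\IObit\IObit Uninstaller\Downloader\iTop Data Recovery_Setup_IU.exe",
     "cmdline": r'"C:\ProgramData\IObit\IObit Uninstaller\Downloader\iTop Data Recovery_Setup_IU.exe"'
                " /sp- /verysilent /suppressmsgboxes /insur=iu_inw",
     "parent": "IObitDownloader.exe"},
    {"pid": 644, "image": r"C:\Program Files\iTop VPN\ugin.exe",
     "cmdline": r'"C:\Program Files\iTop VPN\ugin.exe" /setlan "English"',
     "parent": "iTopSetup.exe.tmp"},
    {"pid": 844, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ipconfig /flushdns", "parent": "iTopVPN.exe"},
]

SC_VERBS = {"create", "delete", "start", "stop", "config", "failure"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def tokens(cmdline: str) -> list[str]:
    """Whitespace-split a command line, keeping quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def classify(rec: dict) -> list[str]:
    """Names of the rules a single process-creation record triggers."""
    img = basename(rec["image"])
    low = [t.lower() for t in tokens(rec["cmdline"])]
    parent = rec["parent"].lower()
    hits = []
    # sc.exe driven from a cmd.exe one-liner: service install or removal.
    if img == "sc.exe" and parent == "cmd.exe" and len(low) > 1 and low[1] in SC_VERBS:
        hits.append("service_management")
    # secedit /export writes the local security policy to a file the caller can read.
    if img == "secedit.exe" and "/export" in low:
        hits.append("security_policy_export")
    # cmd /c ipconfig /flushdns: resolver cache cleared before new lookups.
    if img == "cmd.exe" and "ipconfig" in low and "/flushdns" in low:
        hits.append("dns_cache_flush")
    # Inno Setup style silent flags launched by something other than the
    # shell: an install the user never saw a prompt for.
    if "/verysilent" in low and "/suppressmsgboxes" in low and parent != "explorer.exe":
        hits.append("silent_bundled_install")
    return hits


def triage(records) -> dict:
    """Map each PID to the rules it triggers (an empty list means no hit)."""
    return {rec["pid"]: classify(rec) for rec in records}


def service_replacements(records) -> list[tuple[str, str, str]]:
    """Pair an 'sc delete <name>' with a later 'sc start <name>' of the same
    base name. Trailing digits are stripped so a versioned rename (Service3
    deleted, Service4 started) still pairs up."""
    deleted = {}
    pairs = []
    for rec in records:
        toks = tokens(rec["cmdline"])
        if basename(rec["image"]) != "sc.exe" or len(toks) < 3:
            continue
        verb, name = toks[1].lower(), toks[2]
        base = re.sub(r"\d+$", "", name)
        if verb == "delete":
            deleted[base] = name
        elif verb == "start" and base in deleted:
            pairs.append((base, deleted[base], name))
    return pairs


if __name__ == "__main__":
    for pid, rules in triage(RECORDS).items():
        print(pid, rules or "-")
    print(service_replacements(RECORDS))
```

Every rule here also fires on legitimate installers, which is the point of the report's own MALICIOUS/SUSPICIOUS split: the value is in the combination (downloader spawns silent installer, installer's VPN component runs secedit and flushes DNS, service gets swapped under a new versioned name), so keep the rule output per PID and correlate across the tree rather than alerting on any single hit.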
Total events
215 629
Read events
214 591
Write events
877
Delete events
161

Modification events

(PID) Process: (3416) wmpnscfg.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{CF6B7DA6-DD6D-4944-A393-9639369FCADE}
Operation: delete key, Name: (default)
Value:
(PID) Process: (3484) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write, Name: NTPDaysSinceLastAutoMigration
Value: 0
(PID) Process: (3484) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write, Name: NTPLastLaunchHighDateTime
Value: 30847387
(PID) Process: (3484) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write, Name: NextCheckForUpdateHighDateTime
Value: 30847437
(PID) Process: (3484) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write, Name: CachePrefix
Value: Cookie:
(PID) Process: (3484) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write, Name: CachePrefix
Value: Visited:
(PID) Process: (3484) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write, Name: CompatibilityFlags
Value: 0
(PID) Process: (3484) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write, Name: ProxyBypass
Value: 1
(PID) Process: (3484) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write, Name: IntranetName
Value: 1
(PID) Process: (3484) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write, Name: UNCAsIntranet
Value: 1
Executable files
720
Suspicious files
311
Text files
1 034
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 3124
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Type: binary
MD5:F12B83514E07BB842EE76066F857487B
SHA256:247FA0403608CA7B5099F53DA07E8E7BB22558E4386E876930317509DB0A1207
PID: 3124
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Type: binary
MD5:FAFF8C0C8FA33E28365D35200AFE11E0
SHA256:9F73EA14F5003868487BE322592AB40DE8AACAA6DDD584ADB7540C6C7B8E9DDE
PID: 3124
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Type: compressed
MD5:1BFE591A4FE3D91B03CDF26EAACD8F89
SHA256:9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
PID: 3124
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
Type: binary
MD5:1737B189D4AA1A2118C1ADE7CE27647F
SHA256:B3F4D3173C820058469834A47F47DA194DA1B2C6565E2AC99C44DF904F366988
PID: 3124
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Type: binary
MD5:B6BB28CFD8FF79BBC3E2D149A23D107E
SHA256:453ACE10C2D37DE41E7AEB89E96FF59A9984158C9D3D27F5B5A263E84129FB67
PID: 3124
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8
Type: binary
MD5:BA36985A524B3CBFD6697E8A900BFF9C
SHA256:29AFF869EC1BEBFEE85D5F3A0EE6DF976B25720AA2F451FD623DA2BEDF88C0D3
PID: 3124
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
Type: binary
MD5:1EFEC96242ABF78389A900A490DF2A3D
SHA256:B4BD0C161AB3DA1586DA1B87466677F1D18A27425A0B6004C8C139F9C9BD6B21
PID: 3124
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D03E46CD585BBE111C712E6577BC5F07_B0E62F3370DEB32FD1A99D49E8486B4C
Type: binary
MD5:FBDE5A811B50E9F5531483C51E714259
SHA256:7D7B2D475CBC16A659695ED3DC64A6B02502D12CEC561E6D616A9083C9C9509E
PID: 3124
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Type: binary
MD5:A1BFF9D5135E2BB1A9485B92BD28B2EA
SHA256:69D4BB79AEF363FA8A5C67AAB27AB3E123A371677DA336F08F08FDA34333B10D
PID: 3124
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8
Type: binary
MD5:FF13DDBE63DDAA1D6AF2D009637BD98C
SHA256:2E663929757E5FE764F29577628657C07D35DA944D1FB7A6575744CEC7F1AE4F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
146
TCP/UDP connections
574
DNS requests
82
Threats
140

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1808
Setup.exe
GET
152.199.20.140:80
http://update.iobit.com/dl/iu/file/installer/installer.zlb
US
unknown
3124
iexplore.exe
GET
200
142.250.181.227:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
US
binary
724 b
unknown
3124
iexplore.exe
GET
200
18.238.246.206:80
http://ocsp.r2m01.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBShdVEFnSEQ0gG5CBtzM48cPMe9XwQUgbgOY4qJEhjl%2Bjs7UJWf5uWQE4UCEAMpJs%2BO%2FhUI93RIOUqmQvI%3D
US
binary
471 b
unknown
3124
iexplore.exe
GET
200
67.27.235.254:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?822bc3f82f78ba1a
US
compressed
4.66 Kb
unknown
3124
iexplore.exe
GET
200
67.27.235.254:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d1270903ad75d1e2
US
compressed
4.66 Kb
unknown
3124
iexplore.exe
GET
200
142.250.181.227:80
http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEDBPk217SOCuEsxRjJqpuUQ%3D
US
binary
471 b
unknown
3124
iexplore.exe
GET
200
18.65.41.80:80
http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D
US
binary
1.51 Kb
unknown
3124
iexplore.exe
GET
200
54.230.153.187:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEjgLnWaIozse2b%2BczaaODg8%3D
US
binary
1.39 Kb
unknown
3124
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAqvpsXKY8RRQeo74ffHUxc%3D
US
binary
471 b
unknown
3124
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D
US
binary
471 b
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1080
svchost.exe
224.0.0.252:5355
unknown
3124
iexplore.exe
52.6.162.138:443
www.iobit.com
AMAZON-AES
US
unknown
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
3124
iexplore.exe
67.27.235.254:80
ctldl.windowsupdate.com
LEVEL3
US
unknown
2588
svchost.exe
239.255.255.250:1900
whitelisted
3124
iexplore.exe
108.138.2.195:80
o.ss2.us
AMAZON-02
US
unknown
3124
iexplore.exe
18.65.41.80:80
ocsp.rootg2.amazontrust.com
AMAZON-02
US
unknown
3124
iexplore.exe
54.230.153.187:80
ocsp.rootca1.amazontrust.com
AMAZON-02
US
unknown
3124
iexplore.exe
18.238.246.206:80
ocsp.r2m01.amazontrust.com
US
unknown

DNS requests

Domain
IP
Reputation
www.iobit.com
  • 52.6.162.138
  • 54.145.102.116
  • 54.159.249.19
whitelisted
ctldl.windowsupdate.com
  • 67.27.235.254
  • 8.241.9.254
  • 67.27.159.254
  • 8.248.139.254
  • 67.27.233.254
whitelisted
o.ss2.us
  • 108.138.2.195
  • 108.138.2.10
  • 108.138.2.107
  • 108.138.2.173
whitelisted
ocsp.rootg2.amazontrust.com
  • 18.65.41.80
whitelisted
ocsp.rootca1.amazontrust.com
  • 54.230.153.187
shared
ocsp.r2m01.amazontrust.com
  • 18.238.246.206
whitelisted
fonts.googleapis.com
  • 172.217.16.202
whitelisted
codes.iobit.com
  • 152.199.20.140
whitelisted
kit.fontawesome.com
  • 172.64.147.188
  • 104.18.40.68
whitelisted
www.googletagmanager.com
  • 172.217.16.136
whitelisted

Threats

PID
Process
Class
Message
1808
Setup.exe
Potentially Bad Traffic
ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1808
Setup.exe
Potentially Bad Traffic
ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1808
Setup.exe
Potentially Bad Traffic
ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1808
Setup.exe
Potentially Bad Traffic
ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1808
Setup.exe
Potentially Bad Traffic
ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1808
Setup.exe
Potentially Bad Traffic
ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1808
Setup.exe
Potentially Bad Traffic
ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1808
Setup.exe
Potentially Bad Traffic
ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1808
Setup.exe
Potentially Bad Traffic
ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1808
Setup.exe
Potentially Bad Traffic
ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
Debug output strings

Process
Message
Setup.exe
OpenKeyReadOnly error
Setup.exe
Install un13 : NotInstall
Setup.exe
Result: 1
Setup.exe
NowVer: 13.2.0.3
Setup.exe
LanID=1033
Setup.exe
TFrmWizard.FormCreate
Setup.exe
ALangID=1033
Setup.exe
LanID=1033
Setup.exe
time1
Setup.exe
time3