URL: https://www.iobit.com/en/advanceduninstaller.php

Full analysis: https://app.any.run/tasks/8a4bf620-205a-4a99-910a-e4cf93150b52
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: November 21, 2023, 18:14:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader, evasion
Indicators:
SHA1: 69AF3B0EE94DFB8AB33DD0A38E9493FE3F4E85F8
SHA256: 404EC4C9964602D2831A63EDB745E12BA56ECEC06AFFDF1FE70DBCA32587FCD7
SSDEEP: 3:N8DSLgz1EoYTXLnV:2OLghPYTXLV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • iobituninstaller.exe (PID: 3716)
      • iobituninstaller.exe (PID: 1756)
      • iobituninstaller.tmp (PID: 908)
      • iobituninstaller.exe (PID: 1840)
      • iushrun.exe (PID: 1276)
      • CrRestore.exe (PID: 2080)
      • AutoUpdate.exe (PID: 3348)
      • Un_A.exe (PID: 3748)
      • uninstall.exe (PID: 3916)
      • iobituninstaller.tmp (PID: 2088)
      • iTopSetup.exe.exe (PID: 3132)
      • iTopSetup.exe.tmp (PID: 4028)
      • UninstallMonitor.exe (PID: 2096)
      • ugin.exe (PID: 2576)
      • IObitDownloader.exe (PID: 3320)
      • iTop Data Recovery_Setup_IU.tmp (PID: 3708)
      • iTop Data Recovery_Setup_IU.exe (PID: 600)
      • Autoupdate.exe (PID: 3276)
      • atud.exe (PID: 3700)
      • ASCSetup.exe.exe (PID: 1088)
      • ASCInit.exe (PID: 2472)
      • Monitor.exe (PID: 2736)
      • AutoUpdate.exe (PID: 3716)
      • ASCSetup.exe.tmp (PID: 1416)
    • Registers / Runs the DLL via REGSVR32.EXE

      • iush.exe (PID: 1904)
      • IObitUninstaler.exe (PID: 2540)
      • ASCInit.exe (PID: 2472)
    • Steals credentials from Web Browsers

      • IObitUninstaler.exe (PID: 2540)
      • smBootTimebase.exe (PID: 2936)
      • iTopVPN.exe (PID: 3280)
    • Actions looks like stealing of personal data

      • IObitUninstaler.exe (PID: 2540)
      • smBootTimebase.exe (PID: 2936)
      • iTopVPN.exe (PID: 3280)
    • Application was injected by another process

      • explorer.exe (PID: 1388)
    • Runs injected code in another process

      • icop32.exe (PID: 2332)
      • ICONPIN32.exe (PID: 1032)
    • Creates a writable file in the system directory

      • smBootTimebase.exe (PID: 2936)
  • SUSPICIOUS

    • Reads the Internet Settings

      • iobituninstaller.tmp (PID: 908)
      • iobituninstaller.tmp (PID: 2088)
      • iush.exe (PID: 1904)
      • Setup.exe (PID: 1808)
      • IObitUninstaler.exe (PID: 2540)
      • AUpdate.exe (PID: 2964)
      • DSPut.exe (PID: 328)
      • IObitDownloader.exe (PID: 3320)
      • iTopSetup.exe.tmp (PID: 4028)
      • iTop Data Recovery_Setup_IU.tmp (PID: 3708)
      • ugin.exe (PID: 2576)
      • IdrInit.exe (PID: 2544)
      • iTopDataRecovery.exe (PID: 3204)
      • iTopVPN.exe (PID: 3280)
      • Autoupdate.exe (PID: 3276)
      • atud.exe (PID: 3700)
      • ASCSetup.exe.tmp (PID: 1416)
      • ASCInit.exe (PID: 2472)
      • iTopVPNMini.exe (PID: 2308)
    • Reads the Windows owner or organization settings

      • iobituninstaller.tmp (PID: 2088)
      • iobituninstaller.tmp (PID: 908)
      • iTopSetup.exe.tmp (PID: 4028)
      • iTop Data Recovery_Setup_IU.tmp (PID: 3708)
      • ASCSetup.exe.tmp (PID: 1416)
    • Process drops SQLite DLL files

      • iobituninstaller.tmp (PID: 2088)
      • iTopSetup.exe.tmp (PID: 4028)
      • iTop Data Recovery_Setup_IU.tmp (PID: 3708)
      • ASCSetup.exe.tmp (PID: 1416)
    • Drops a system driver (possible attempt to evade defenses)

      • iobituninstaller.tmp (PID: 2088)
      • iTopSetup.exe.tmp (PID: 4028)
      • ugin.exe (PID: 2576)
      • ASCSetup.exe.tmp (PID: 1416)
      • Monitor.exe (PID: 2736)
    • Executes as Windows Service

      • IUService.exe (PID: 1936)
      • IDRService.exe (PID: 2056)
      • ASCService.exe (PID: 1808)
    • Searches for installed software

      • iush.exe (PID: 1904)
      • DSPut.exe (PID: 328)
      • CrRestore.exe (PID: 2080)
      • IObitUninstaler.exe (PID: 2540)
      • UninstallMonitor.exe (PID: 2096)
      • AutoUpdate.exe (PID: 3348)
      • iush.exe (PID: 3064)
      • UninstallMonitor.exe (PID: 2548)
      • IObitDownloader.exe (PID: 3320)
      • iTopVPN.exe (PID: 3280)
      • itopbfp23.exe (PID: 2028)
      • ASCSetup.exe.tmp (PID: 1416)
      • smBootTimebase.exe (PID: 2936)
    • Starts itself from another location

      • uninstall.exe (PID: 3916)
    • Process requests binary or script from the Internet

      • AutoUpdate.exe (PID: 3348)
      • IObitDownloader.exe (PID: 3320)
      • Autoupdate.exe (PID: 3276)
    • The process creates files with name similar to system file names

      • Un_A.exe (PID: 3748)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • Un_A.exe (PID: 3748)
    • Reads Microsoft Outlook installation path

      • IObitUninstaler.exe (PID: 2540)
    • The process verifies whether the antivirus software is installed

      • IObitUninstaler.exe (PID: 2540)
      • iTopVPN.exe (PID: 3280)
    • Process drops legitimate windows executable

      • iTopSetup.exe.tmp (PID: 4028)
      • iTop Data Recovery_Setup_IU.tmp (PID: 3708)
      • ASCSetup.exe.tmp (PID: 1416)
    • Uses TASKKILL.EXE to kill process

      • iTopSetup.exe.tmp (PID: 4028)
    • Starts CMD.EXE for commands execution

      • ugin.exe (PID: 2576)
      • iTop Data Recovery_Setup_IU.tmp (PID: 3708)
      • iTopVPN.exe (PID: 3280)
      • ASCInit.exe (PID: 2472)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 2204)
      • cmd.exe (PID: 3252)
      • cmd.exe (PID: 3008)
      • cmd.exe (PID: 3720)
      • cmd.exe (PID: 1344)
      • cmd.exe (PID: 3676)
      • cmd.exe (PID: 1416)
      • cmd.exe (PID: 2396)
      • cmd.exe (PID: 2756)
      • cmd.exe (PID: 3728)
      • cmd.exe (PID: 2496)
      • cmd.exe (PID: 3040)
      • cmd.exe (PID: 3064)
    • Application launched itself

      • ugin.exe (PID: 2576)
      • RealTimeProtector.exe (PID: 3008)
    • Process uses IPCONFIG to clear DNS cache

      • cmd.exe (PID: 844)
    • Checks for external IP

      • UninstallInfo.exe (PID: 536)
      • unpr.exe (PID: 2548)
      • itopbfp23.exe (PID: 2028)
    • Write to the desktop.ini file (may be used to cloak folders)

      • ASCInit.exe (PID: 2472)
    • Connects to unusual port

      • iTopVPN.exe (PID: 3280)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3484)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 4000)
    • Reads the machine GUID from the registry

      • wmpnscfg.exe (PID: 4000)
      • iush.exe (PID: 1904)
      • DSPut.exe (PID: 328)
      • IObitUninstaler.exe (PID: 2540)
      • UninstallMonitor.exe (PID: 2096)
      • AUpdate.exe (PID: 2964)
      • iTopVPN.exe (PID: 1728)
      • ugin.exe (PID: 2576)
      • icop32.exe (PID: 2332)
      • ICONPIN32.exe (PID: 1032)
      • AUpdate.exe (PID: 1812)
      • iTopVPN.exe (PID: 3280)
      • unpr.exe (PID: 2548)
      • AUpdate.exe (PID: 1944)
      • aud.exe (PID: 1752)
      • atud.exe (PID: 3700)
      • aud.exe (PID: 908)
      • iTopVPNMini.exe (PID: 2308)
      • Autoupdate.exe (PID: 3276)
      • itopbfp23.exe (PID: 2028)
    • The process uses the downloaded file

      • iexplore.exe (PID: 3484)
    • Create files in a temporary directory

      • iobituninstaller.exe (PID: 3716)
      • iobituninstaller.exe (PID: 1756)
      • iobituninstaller.tmp (PID: 908)
      • iobituninstaller.exe (PID: 1840)
      • Setup.exe (PID: 1808)
      • iushrun.exe (PID: 1276)
      • iobituninstaller.tmp (PID: 2088)
      • IObitUninstaler.exe (PID: 2540)
      • uninstall.exe (PID: 3916)
      • Un_A.exe (PID: 3748)
      • iTopSetup.exe.exe (PID: 3132)
      • iTopSetup.exe.tmp (PID: 4028)
      • iTop Data Recovery_Setup_IU.tmp (PID: 3708)
      • icop32.exe (PID: 2332)
      • explorer.exe (PID: 1388)
      • iTop Data Recovery_Setup_IU.exe (PID: 600)
      • ICONPIN32.exe (PID: 1032)
      • SecEdit.exe (PID: 556)
      • SecEdit.exe (PID: 1828)
      • iTopVPN.exe (PID: 3280)
      • ASCSetup.exe.exe (PID: 1088)
      • ASCSetup.exe.tmp (PID: 1416)
    • Reads the Internet Settings

      • explorer.exe (PID: 1388)
    • Reads the computer name

      • wmpnscfg.exe (PID: 4000)
      • iobituninstaller.tmp (PID: 2068)
      • iobituninstaller.tmp (PID: 908)
      • Setup.exe (PID: 1808)
      • iushrun.exe (PID: 1276)
      • iobituninstaller.tmp (PID: 2088)
      • iush.exe (PID: 1904)
      • IUService.exe (PID: 1936)
      • DSPut.exe (PID: 328)
      • CrRestore.exe (PID: 2080)
      • UninstallPromote.exe (PID: 3780)
      • IObitUninstaler.exe (PID: 2540)
      • UninstallMonitor.exe (PID: 2096)
      • AUpdate.exe (PID: 2964)
      • AutoUpdate.exe (PID: 3348)
      • iush.exe (PID: 3064)
      • IObitDownloader.exe (PID: 3320)
      • UninstallMonitor.exe (PID: 2548)
      • uninstall.exe (PID: 3916)
      • iTopSetup.exe.tmp (PID: 4028)
      • ugin.exe (PID: 4048)
      • ugin.exe (PID: 1628)
      • iTop Data Recovery_Setup_IU.tmp (PID: 3708)
      • ugin.exe (PID: 1528)
      • ugin.exe (PID: 2576)
      • iTopVPN.exe (PID: 1728)
      • Un_A.exe (PID: 3748)
      • ugin.exe (PID: 1116)
      • iTopInsur.exe (PID: 2624)
      • IdrInit.exe (PID: 2544)
      • iTopInsur.exe (PID: 3800)
      • UninstallInfo.exe (PID: 536)
      • IDRService.exe (PID: 2056)
      • iTopDataRecovery.exe (PID: 3204)
      • Autoupdate.exe (PID: 3276)
      • ugin.exe (PID: 644)
      • AUpdate.exe (PID: 1812)
      • unpr.exe (PID: 2548)
      • ugin.exe (PID: 3896)
      • iTopVPN.exe (PID: 3280)
      • AUpdate.exe (PID: 1944)
      • aud.exe (PID: 1752)
      • aud.exe (PID: 908)
      • Newfts.exe (PID: 3008)
      • itopbfp23.exe (PID: 2028)
      • atud.exe (PID: 3700)
      • iTopVPNMini.exe (PID: 2308)
      • iTopVPN.exe (PID: 2620)
      • itopbfp23.exe (PID: 3784)
      • ASCUpgrade.exe (PID: 3736)
      • ASCSetup.exe.tmp (PID: 1416)
      • ASCUpgrade.exe (PID: 2364)
      • ASCInit.exe (PID: 2472)
      • ASCService.exe (PID: 1808)
      • smBootTimebase.exe (PID: 2936)
    • Drops the executable file immediately after the start

      • iexplore.exe (PID: 3124)
      • iexplore.exe (PID: 3484)
    • Checks supported languages

      • wmpnscfg.exe (PID: 4000)
      • iobituninstaller.exe (PID: 1756)
      • iobituninstaller.exe (PID: 3716)
      • iobituninstaller.tmp (PID: 2068)
      • iobituninstaller.tmp (PID: 908)
      • Setup.exe (PID: 1808)
      • iobituninstaller.exe (PID: 1840)
      • iobituninstaller.tmp (PID: 2088)
      • iushrun.exe (PID: 1276)
      • iush.exe (PID: 1904)
      • DSPut.exe (PID: 328)
      • CrRestore.exe (PID: 2080)
      • UninstallPromote.exe (PID: 3780)
      • IObitUninstaler.exe (PID: 2540)
      • UninstallMonitor.exe (PID: 2096)
      • AUpdate.exe (PID: 2964)
      • IUService.exe (PID: 1936)
      • AutoUpdate.exe (PID: 3348)
      • IObitDownloader.exe (PID: 3320)
      • UninstallMonitor.exe (PID: 2548)
      • uninstall.exe (PID: 3916)
      • Un_A.exe (PID: 3748)
      • iTopSetup.exe.exe (PID: 3132)
      • iTopSetup.exe.tmp (PID: 4028)
      • ugin.exe (PID: 4048)
      • ugin.exe (PID: 1628)
      • iTop Data Recovery_Setup_IU.tmp (PID: 3708)
      • iTop Data Recovery_Setup_IU.exe (PID: 600)
      • iush.exe (PID: 3064)
      • ugin.exe (PID: 1528)
      • ugin.exe (PID: 2576)
      • iTopVPN.exe (PID: 1728)
      • ullc.exe (PID: 1184)
      • icop32.exe (PID: 2332)
      • ugin.exe (PID: 1116)
      • iTopInsur.exe (PID: 2624)
      • LocalLang.exe (PID: 2300)
      • IdrInit.exe (PID: 2544)
      • iTopInsur.exe (PID: 3800)
      • UninstallInfo.exe (PID: 536)
      • IDRService.exe (PID: 2056)
      • iTopDataRecovery.exe (PID: 3204)
      • AUpdate.exe (PID: 1944)
      • Autoupdate.exe (PID: 3276)
      • AUpdate.exe (PID: 1812)
      • ugin.exe (PID: 644)
      • unpr.exe (PID: 2548)
      • ugin.exe (PID: 3896)
      • iTopVPN.exe (PID: 3280)
      • atud.exe (PID: 3700)
      • aud.exe (PID: 1752)
      • aud.exe (PID: 908)
      • iTopVPNMini.exe (PID: 2308)
      • Newfts.exe (PID: 3008)
      • ICONPIN32.exe (PID: 1032)
      • itopbfp23.exe (PID: 3784)
      • ASCSetup.exe.exe (PID: 1088)
      • ASCSetup.exe.tmp (PID: 1416)
      • ASCUpgrade.exe (PID: 3736)
      • ASCUpgrade.exe (PID: 2364)
      • ASCInit.exe (PID: 2472)
      • LocalLang.exe (PID: 2500)
      • smBootTimebase.exe (PID: 2936)
      • itopbfp23.exe (PID: 2028)
      • ASCService.exe (PID: 1808)
      • iTopVPN.exe (PID: 2620)
    • Creates files or folders in the user directory

      • Setup.exe (PID: 1808)
      • iush.exe (PID: 1904)
      • CrRestore.exe (PID: 2080)
      • UninstallPromote.exe (PID: 3780)
      • UninstallMonitor.exe (PID: 2096)
      • IObitUninstaler.exe (PID: 2540)
      • AUpdate.exe (PID: 2964)
      • AutoUpdate.exe (PID: 3348)
      • ugin.exe (PID: 4048)
      • iTopVPN.exe (PID: 1728)
      • IObitDownloader.exe (PID: 3320)
      • explorer.exe (PID: 1388)
      • iTop Data Recovery_Setup_IU.tmp (PID: 3708)
      • iTopInsur.exe (PID: 2624)
      • Autoupdate.exe (PID: 3276)
      • iTopSetup.exe.tmp (PID: 4028)
      • iTopVPN.exe (PID: 3280)
      • atud.exe (PID: 3700)
      • iTopVPNMini.exe (PID: 2308)
      • ASCSetup.exe.tmp (PID: 1416)
      • ASCInit.exe (PID: 2472)
      • ASCService.exe (PID: 1808)
    • Creates files in the program directory

      • Setup.exe (PID: 1808)
      • iobituninstaller.tmp (PID: 2088)
      • iushrun.exe (PID: 1276)
      • iush.exe (PID: 1904)
      • DSPut.exe (PID: 328)
      • CrRestore.exe (PID: 2080)
      • UninstallPromote.exe (PID: 3780)
      • IObitUninstaler.exe (PID: 2540)
      • AutoUpdate.exe (PID: 3348)
      • IObitDownloader.exe (PID: 3320)
      • iTopSetup.exe.tmp (PID: 4028)
      • ugin.exe (PID: 1528)
      • iTopVPN.exe (PID: 1728)
      • ugin.exe (PID: 2576)
      • iTop Data Recovery_Setup_IU.tmp (PID: 3708)
      • iTopInsur.exe (PID: 2624)
      • UninstallInfo.exe (PID: 536)
      • IDRService.exe (PID: 2056)
      • iTopDataRecovery.exe (PID: 3204)
      • Autoupdate.exe (PID: 3276)
      • AUpdate.exe (PID: 1812)
      • ugin.exe (PID: 3896)
      • unpr.exe (PID: 2548)
      • iTopVPN.exe (PID: 3280)
      • atud.exe (PID: 3700)
      • Newfts.exe (PID: 3008)
      • itopbfp23.exe (PID: 2028)
      • ASCSetup.exe.tmp (PID: 1416)
      • ASCInit.exe (PID: 2472)
      • ASCService.exe (PID: 1808)
      • smBootTimebase.exe (PID: 2936)
    • Checks proxy server information

      • DSPut.exe (PID: 328)
      • AUpdate.exe (PID: 2964)
    • Reads Microsoft Office registry keys

      • IObitUninstaler.exe (PID: 2540)
    • Process checks are UAC notifies on

      • iTopVPN.exe (PID: 3280)
    • Process checks Internet Explorer phishing filters

      • iTopVPN.exe (PID: 3280)
    • Creates a software uninstall entry

      • ASCSetup.exe.tmp (PID: 1416)
    • Dropped object may contain TOR URL's

      • ASCSetup.exe.tmp (PID: 1416)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 200
Monitored processes: 132
Malicious processes: 34
Suspicious processes: 7

Behavior graph

Graph nodes, in the order shown on the page ("no specs" is the page's own label for nodes without a detailed specification): start, inject, iexplore.exe, iexplore.exe, wmpnscfg.exe (no specs), iobituninstaller.exe (no specs), iobituninstaller.tmp (no specs), iobituninstaller.exe, iobituninstaller.tmp (no specs), setup.exe, iobituninstaller.exe (no specs), iobituninstaller.tmp (no specs), iushrun.exe, iush.exe, regsvr32.exe, regsvr32.exe, iuservice.exe, dsput.exe, crrestore.exe (no specs), uninstallpromote.exe, iobituninstaler.exe, uninstallmonitor.exe, regsvr32.exe, aupdate.exe, autoupdate.exe, iobitdownloader.exe, iush.exe, uninstallmonitor.exe (no specs), uninstall.exe (no specs), un_a.exe (no specs), itopsetup.exe.exe (no specs), itopsetup.exe.tmp (no specs), ugin.exe (no specs), taskkill.exe (no specs), ugin.exe (no specs), itop data recovery_setup_iu.exe (no specs), itop data recovery_setup_iu.tmp, ugin.exe (no specs), ullc.exe, itopvpn.exe, ugin.exe, cmd.exe (no specs), sc.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), sc.exe (no specs), cmd.exe (no specs), sc.exe (no specs), cmd.exe (no specs), sc.exe (no specs), sc.exe (no specs), icop32.exe, ugin.exe (no specs), locallang.exe, itopinsur.exe, idrinit.exe, itopinsur.exe, uninstallinfo.exe, cmd.exe (no specs), sc.exe (no specs), cmd.exe (no specs), sc.exe (no specs), cmd.exe (no specs), sc.exe (no specs), cmd.exe (no specs), sc.exe (no specs), cmd.exe (no specs), sc.exe (no specs), cmd.exe (no specs), sc.exe (no specs), iconpin32.exe, cmd.exe (no specs), sc.exe (no specs), idrservice.exe, explorer.exe, itopdatarecovery.exe, autoupdate.exe, aupdate.exe, aupdate.exe, ugin.exe (no specs), unpr.exe, itopvpn.exe, ugin.exe (no specs), atud.exe, aud.exe, aud.exe, cmd.exe (no specs), ipconfig.exe (no specs), itopvpnmini.exe, newfts.exe, itopbfp23.exe, secedit.exe (no specs), secedit.exe (no specs), itopvpn.exe, itopbfp23.exe, ascsetup.exe.exe (no specs), ascsetup.exe.tmp (no specs), ascupgrade.exe (no specs), ascupgrade.exe, locallang.exe (no specs), ascinit.exe, ascservice.exe, cmd.exe (no specs), smboottimebase.exe (no specs), sc.exe (no specs), uninstallinfo.exe (no specs), regsvr32.exe (no specs), browsercleaner.exe (no specs), privacyshield.exe (no specs), smboottime.exe (no specs), SPPSurrogate (no specs), setup.exe (no specs), ppuninstaller.exe (no specs), realtimeprotector.exe (no specs), diskdefrag.exe (no specs), realtimeprotector.exe (no specs), ugin.exe (no specs), browserprotect.exe (no specs), asc.exe (no specs), smboottime.exe (no specs), monitor.exe (no specs), realtimeprotector.exe (no specs), productstat3.exe (no specs), productstat3.exe (no specs), ascfeature.exe (no specs), asctray.exe (no specs), ascfeature.exe (no specs), autoupdate.exe (no specs), ascver.exe (no specs), smboottime.exe (no specs), ugin.exe (no specs), productstat3.exe (no specs), display.exe (no specs), wmpnscfg.exe (no specs)

Process information

PID: 280
CMD: sc delete iTopDataRecoveryService3
Path: C:\Windows\System32\sc.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: A tool to aid in developing services for WindowsNT
Exit code: 1060
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
  • c:\windows\system32\sc.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
PID: 316
CMD: sc start iTopDataRecoveryService4
Path: C:\Windows\System32\sc.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: A tool to aid in developing services for WindowsNT
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
  • c:\windows\system32\sc.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
PID: 328
CMD: "C:\Program Files\IObit\IObit Uninstaller\DSPut.exe" /Now /update /W3sidmVyc2lvbiI6IjAuMC4wLjAiLCJzaG93IjowLCJjbGljayI6MCwibGFzdCI6MH1d
Path: C:\Program Files\IObit\IObit Uninstaller\DSPut.exe
Parent process: iush.exe
User: admin
Company: IObit
Integrity Level: HIGH
Description: Data Statistics Program
Exit code: 0
Version: 13.0.0.1
Modules (Images):
  • c:\program files\iobit\iobit uninstaller\dsput.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\program files\iobit\iobit uninstaller\rtl120.bpl
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\ole32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
PID: 536
CMD: "C:\Program Files\iTop Data Recovery\UninstallInfo.exe" /install idr4
Path: C:\Program Files\iTop Data Recovery\UninstallInfo.exe
Parent process: iTop Data Recovery_Setup_IU.tmp
User: admin
Company: iTop Inc.
Integrity Level: HIGH
Description: UninstallInfo
Exit code: 0
Version: 1.0.0.349
Modules (Images):
  • c:\program files\itop data recovery\uninstallinfo.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\ole32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll
PID: 556
CMD: secedit /export /cfg C:\Users\admin\AppData\Local\Temp\8798.inf /log C:\Users\admin\AppData\Local\Temp\2003.log
Path: C:\Windows\System32\SecEdit.exe
Parent process: iTopVPN.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Security Configuration Editor Command Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
  • c:\windows\system32\secedit.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\scecli.dll
  • c:\windows\system32\user32.dll
PID: 600
CMD: "C:\ProgramData\IObit\IObit Uninstaller\Downloader\iTop Data Recovery_Setup_IU.exe" /sp- /verysilent /suppressmsgboxes /insur=iu_inw
Path: C:\ProgramData\IObit\IObit Uninstaller\Downloader\iTop Data Recovery_Setup_IU.exe
Parent process: IObitDownloader.exe
User: admin
Company: iTop Inc.
Integrity Level: HIGH
Description: iTop Data Recovery
Exit code: 0
Version: 4.1.0.565
Modules (Images):
  • c:\programdata\iobit\iobit uninstaller\downloader\itop data recovery_setup_iu.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\ole32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll
PID: 644
CMD: "C:\Program Files\iTop VPN\ugin.exe" /setlan "English"
Path: C:\Program Files\iTop VPN\ugin.exe
Parent process: iTopSetup.exe.tmp
User: admin
Company: iTop Inc.
Integrity Level: HIGH
Description: iTop VPN
Exit code: 0
Version: 5.0.0.4908
Modules (Images):
  • c:\program files\itop vpn\ugin.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\ole32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll
PID: 756
CMD: "C:\Program Files\IObit\Advanced SystemCare\RealTimeProtector.exe" /RunCurUs
Path: C:\Program Files\IObit\Advanced SystemCare\RealTimeProtector.exe
Parent process: ASCService.exe
User: admin
Company: IObit
Integrity Level: HIGH
Description: Real-time Protector
Exit code: 0
Version: 17.0.0.273
PID: 844
CMD: cmd.exe /c ipconfig /flushdns
Path: C:\Windows\System32\cmd.exe
Parent process: iTopVPN.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (Images):
  • c:\windows\system32\cmd.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\winbrand.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
PID: 908
CMD: "C:\Users\admin\AppData\Local\Temp\is-4CN35.tmp\iobituninstaller.tmp" /SL5="$A0210,27932468,139264,C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\iobituninstaller.exe" /SPAWNWND=$50238 /NOTIFYWND=$4021E
Path: C:\Users\admin\AppData\Local\Temp\is-4CN35.tmp\iobituninstaller.tmp
Parent process: iobituninstaller.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (Images):
  • c:\users\admin\appdata\local\temp\is-4cn35.tmp\iobituninstaller.tmp
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\ole32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll
Total events: 215 629
Read events: 214 591
Write events: 877
Delete events: 161

Modification events

(PID) Process: (3416) wmpnscfg.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{CF6B7DA6-DD6D-4944-A393-9639369FCADE}
Operation: delete key
Name: (default)
Value:

(PID) Process: (3484) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPDaysSinceLastAutoMigration
Value: 0

(PID) Process: (3484) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchHighDateTime
Value: 30847387

(PID) Process: (3484) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateHighDateTime
Value: 30847437

(PID) Process: (3484) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (3484) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (3484) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

(PID) Process: (3484) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (3484) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (3484) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1
Executable files: 720
Suspicious files: 311
Text files: 1 034
Unknown types: 0

Dropped files

PID | Process | Filename | Type

3124 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
  MD5: FAFF8C0C8FA33E28365D35200AFE11E0
  SHA256: 9F73EA14F5003868487BE322592AB40DE8AACAA6DDD584ADB7540C6C7B8E9DDE

3124 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894 | binary
  MD5: B6BB28CFD8FF79BBC3E2D149A23D107E
  SHA256: 453ACE10C2D37DE41E7AEB89E96FF59A9984158C9D3D27F5B5A263E84129FB67

3124 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8 | binary
  MD5: BA36985A524B3CBFD6697E8A900BFF9C
  SHA256: 29AFF869EC1BEBFEE85D5F3A0EE6DF976B25720AA2F451FD623DA2BEDF88C0D3

3124 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | binary
  MD5: C4CCDAFBF1B75575E074C4788AC6D2DE
  SHA256: A89B5DD6EAB99AE00E53A4AD87C8211BFAE50B251BBECD73D93F573729BBE6CA

3124 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 | binary
  MD5: D537584C1272D11FACC570BE776E3D8A
  SHA256: 69FEC4DD561F2A437024ADF65615537A0EA86EDF4ACF23F9CA51922D44133232

3124 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | compressed
  MD5: 1BFE591A4FE3D91B03CDF26EAACD8F89
  SHA256: 9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8

3124 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 | binary
  MD5: AF793D2F1E1B91187A379C826B6A24F7
  SHA256: 069BE5D32AA114243AD5F7FD2994C056AE0877FF364857BAB0766E11316B0A26

3124 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894 | binary
  MD5: 1EFEC96242ABF78389A900A490DF2A3D
  SHA256: B4BD0C161AB3DA1586DA1B87466677F1D18A27425A0B6004C8C139F9C9BD6B21

3124 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D03E46CD585BBE111C712E6577BC5F07_B0E62F3370DEB32FD1A99D49E8486B4C | binary
  MD5: FBDE5A811B50E9F5531483C51E714259
  SHA256: 7D7B2D475CBC16A659695ED3DC64A6B02502D12CEC561E6D616A9083C9C9509E

3124 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8 | binary
  MD5: FF13DDBE63DDAA1D6AF2D009637BD98C
  SHA256: 2E663929757E5FE764F29577628657C07D35DA944D1FB7A6575744CEC7F1AE4F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 146
TCP/UDP connections: 574
DNS requests: 82
Threats: 140

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
(cells left empty on the page are shown as -)
1808 | Setup.exe | GET | - | 152.199.20.140:80 | http://update.iobit.com/dl/iu/file/installer/installer.zlb | unknown | - | - | unknown
3124 | iexplore.exe | GET | 200 | 67.27.235.254:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d1270903ad75d1e2 | unknown | compressed | 4.66 Kb | unknown
3124 | iexplore.exe | GET | 200 | 108.138.2.195:80 | http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D | unknown | binary | 2.02 Kb | unknown
3124 | iexplore.exe | GET | 200 | 142.250.181.227:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | unknown | binary | 724 b | unknown
3124 | iexplore.exe | GET | 200 | 18.65.41.80:80 | http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D | unknown | binary | 1.51 Kb | unknown
3124 | iexplore.exe | GET | 200 | 18.238.246.206:80 | http://ocsp.r2m01.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBShdVEFnSEQ0gG5CBtzM48cPMe9XwQUgbgOY4qJEhjl%2Bjs7UJWf5uWQE4UCEAMpJs%2BO%2FhUI93RIOUqmQvI%3D | unknown | binary | 471 b | unknown
3124 | iexplore.exe | GET | 200 | 142.250.181.227:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | unknown | binary | 1.41 Kb | unknown
3124 | iexplore.exe | GET | 200 | 142.250.181.227:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFCjJ1PwkYAi7fE%3D | unknown | binary | 724 b | unknown
3124 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAqvpsXKY8RRQeo74ffHUxc%3D | unknown | binary | 471 b | unknown
3124 | iexplore.exe | GET | 200 | 54.230.153.187:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEjgLnWaIozse2b%2BczaaODg8%3D | unknown | binary | 1.39 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(cells left empty on the page are shown as -)
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
3124 | iexplore.exe | 52.6.162.138:443 | www.iobit.com | AMAZON-AES | US | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3124 | iexplore.exe | 67.27.235.254:80 | ctldl.windowsupdate.com | LEVEL3 | US | unknown
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
3124 | iexplore.exe | 108.138.2.195:80 | o.ss2.us | AMAZON-02 | US | unknown
3124 | iexplore.exe | 18.65.41.80:80 | ocsp.rootg2.amazontrust.com | AMAZON-02 | US | unknown
3124 | iexplore.exe | 54.230.153.187:80 | ocsp.rootca1.amazontrust.com | AMAZON-02 | US | unknown
3124 | iexplore.exe | 18.238.246.206:80 | ocsp.r2m01.amazontrust.com | - | US | unknown

DNS requests

Domain | IP | Reputation
www.iobit.com | 52.6.162.138, 54.145.102.116, 54.159.249.19 | whitelisted
ctldl.windowsupdate.com | 67.27.235.254, 8.241.9.254, 67.27.159.254, 8.248.139.254, 67.27.233.254 | whitelisted
o.ss2.us | 108.138.2.195, 108.138.2.10, 108.138.2.107, 108.138.2.173 | whitelisted
ocsp.rootg2.amazontrust.com | 18.65.41.80 | whitelisted
ocsp.rootca1.amazontrust.com | 54.230.153.187 | shared
ocsp.r2m01.amazontrust.com | 18.238.246.206 | whitelisted
fonts.googleapis.com | 172.217.16.202 | whitelisted
codes.iobit.com | 152.199.20.140 | whitelisted
kit.fontawesome.com | 172.64.147.188, 104.18.40.68 | whitelisted
www.googletagmanager.com | 172.217.16.136 | whitelisted

Threats

PID | Process | Class | Message
1808 | Setup.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1808 | Setup.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1808 | Setup.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1808 | Setup.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1808 | Setup.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1808 | Setup.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1808 | Setup.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1808 | Setup.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1808 | Setup.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1808 | Setup.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
Process | Message
Setup.exe | OpenKeyReadOnly error
Setup.exe | Install un13 : NotInstall
Setup.exe | Result: 1
Setup.exe | NowVer: 13.2.0.3
Setup.exe | LanID=1033
Setup.exe | TFrmWizard.FormCreate
Setup.exe | ALangID=1033
Setup.exe | LanID=1033
Setup.exe | time1
Setup.exe | time3