URL:

https://www.iobit.com/en/advanceduninstaller.php

Full analysis: https://app.any.run/tasks/8a4bf620-205a-4a99-910a-e4cf93150b52
Verdict: Malicious activity
Threats:

Loader (sandbox tag). A loader is malicious software that infiltrates devices to deliver malicious payloads. It can profile the victim's system and install other threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to trick users into downloading and running the executable. Loaders employ evasion and persistence tactics to avoid detection.

Caveat for this task: the tag comes from behavioural signature matches, not from a matched malware family or an extracted configuration (the report lists "No Malware configuration"). The executed files carry IObit and iTop Inc. company metadata, and the chain IObitDownloader.exe -> "iTop Data Recovery_Setup_IU.exe" /verysilent /suppressmsgboxes shows the Uninstaller silently installing additional IObit and iTop products (iTop VPN, iTop Data Recovery, Advanced SystemCare). Treat the "Steals credentials from Web Browsers" and "stealing of personal data" entries as signature hits to verify against the full report before using the file hashes in the Indicators section as malware IoCs.

Analysis date: November 21, 2023, 18:14:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
evasion
Indicators:
SHA1:

69AF3B0EE94DFB8AB33DD0A38E9493FE3F4E85F8

SHA256:

404EC4C9964602D2831A63EDB745E12BA56ECEC06AFFDF1FE70DBCA32587FCD7

SSDEEP:

3:N8DSLgz1EoYTXLnV:2OLghPYTXLV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • iobituninstaller.exe (PID: 3716)
      • iobituninstaller.exe (PID: 1756)
      • iobituninstaller.tmp (PID: 908)
      • iobituninstaller.exe (PID: 1840)
      • iushrun.exe (PID: 1276)
      • CrRestore.exe (PID: 2080)
      • iobituninstaller.tmp (PID: 2088)
      • Un_A.exe (PID: 3748)
      • uninstall.exe (PID: 3916)
      • AutoUpdate.exe (PID: 3348)
      • iTopSetup.exe.exe (PID: 3132)
      • IObitDownloader.exe (PID: 3320)
      • iTopSetup.exe.tmp (PID: 4028)
      • iTop Data Recovery_Setup_IU.exe (PID: 600)
      • UninstallMonitor.exe (PID: 2096)
      • ugin.exe (PID: 2576)
      • iTop Data Recovery_Setup_IU.tmp (PID: 3708)
      • Autoupdate.exe (PID: 3276)
      • ASCSetup.exe.exe (PID: 1088)
      • atud.exe (PID: 3700)
      • ASCInit.exe (PID: 2472)
      • Monitor.exe (PID: 2736)
      • AutoUpdate.exe (PID: 3716)
      • ASCSetup.exe.tmp (PID: 1416)
    • Registers / Runs the DLL via REGSVR32.EXE

      • iush.exe (PID: 1904)
      • IObitUninstaler.exe (PID: 2540)
      • ASCInit.exe (PID: 2472)
    • Steals credentials from Web Browsers

      • IObitUninstaler.exe (PID: 2540)
      • iTopVPN.exe (PID: 3280)
      • smBootTimebase.exe (PID: 2936)
    • Actions look like stealing of personal data

      • IObitUninstaler.exe (PID: 2540)
      • smBootTimebase.exe (PID: 2936)
      • iTopVPN.exe (PID: 3280)
    • Application was injected by another process

      • explorer.exe (PID: 1388)
    • Runs injected code in another process

      • icop32.exe (PID: 2332)
      • ICONPIN32.exe (PID: 1032)
    • Creates a writable file in the system directory

      • smBootTimebase.exe (PID: 2936)
  • SUSPICIOUS

    • Reads the Windows owner or organization settings

      • iobituninstaller.tmp (PID: 908)
      • iobituninstaller.tmp (PID: 2088)
      • iTopSetup.exe.tmp (PID: 4028)
      • iTop Data Recovery_Setup_IU.tmp (PID: 3708)
      • ASCSetup.exe.tmp (PID: 1416)
    • Reads the Internet Settings

      • iobituninstaller.tmp (PID: 908)
      • iobituninstaller.tmp (PID: 2088)
      • iush.exe (PID: 1904)
      • DSPut.exe (PID: 328)
      • Setup.exe (PID: 1808)
      • IObitUninstaler.exe (PID: 2540)
      • AUpdate.exe (PID: 2964)
      • IObitDownloader.exe (PID: 3320)
      • iTopSetup.exe.tmp (PID: 4028)
      • iTop Data Recovery_Setup_IU.tmp (PID: 3708)
      • ugin.exe (PID: 2576)
      • IdrInit.exe (PID: 2544)
      • iTopDataRecovery.exe (PID: 3204)
      • iTopVPN.exe (PID: 3280)
      • Autoupdate.exe (PID: 3276)
      • iTopVPNMini.exe (PID: 2308)
      • atud.exe (PID: 3700)
      • ASCSetup.exe.tmp (PID: 1416)
      • ASCInit.exe (PID: 2472)
    • Process drops SQLite DLL files

      • iobituninstaller.tmp (PID: 2088)
      • iTopSetup.exe.tmp (PID: 4028)
      • iTop Data Recovery_Setup_IU.tmp (PID: 3708)
      • ASCSetup.exe.tmp (PID: 1416)
    • Drops a system driver (possible attempt to evade defenses)

      • iobituninstaller.tmp (PID: 2088)
      • iTopSetup.exe.tmp (PID: 4028)
      • ugin.exe (PID: 2576)
      • ASCSetup.exe.tmp (PID: 1416)
      • Monitor.exe (PID: 2736)
    • Executes as Windows Service

      • IUService.exe (PID: 1936)
      • IDRService.exe (PID: 2056)
      • ASCService.exe (PID: 1808)
    • Searches for installed software

      • iush.exe (PID: 1904)
      • CrRestore.exe (PID: 2080)
      • IObitUninstaler.exe (PID: 2540)
      • DSPut.exe (PID: 328)
      • UninstallMonitor.exe (PID: 2096)
      • AutoUpdate.exe (PID: 3348)
      • iush.exe (PID: 3064)
      • IObitDownloader.exe (PID: 3320)
      • UninstallMonitor.exe (PID: 2548)
      • iTopVPN.exe (PID: 3280)
      • itopbfp23.exe (PID: 2028)
      • ASCSetup.exe.tmp (PID: 1416)
      • smBootTimebase.exe (PID: 2936)
    • Process requests binary or script from the Internet

      • IObitDownloader.exe (PID: 3320)
      • AutoUpdate.exe (PID: 3348)
      • Autoupdate.exe (PID: 3276)
    • The process creates files with names similar to system file names

      • Un_A.exe (PID: 3748)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • Un_A.exe (PID: 3748)
    • Starts itself from another location

      • uninstall.exe (PID: 3916)
    • Reads Microsoft Outlook installation path

      • IObitUninstaler.exe (PID: 2540)
    • The process verifies whether antivirus software is installed

      • IObitUninstaler.exe (PID: 2540)
      • iTopVPN.exe (PID: 3280)
    • Process drops legitimate windows executable

      • iTopSetup.exe.tmp (PID: 4028)
      • iTop Data Recovery_Setup_IU.tmp (PID: 3708)
      • ASCSetup.exe.tmp (PID: 1416)
    • Uses TASKKILL.EXE to kill process

      • iTopSetup.exe.tmp (PID: 4028)
    • Starts CMD.EXE for commands execution

      • ugin.exe (PID: 2576)
      • iTop Data Recovery_Setup_IU.tmp (PID: 3708)
      • iTopVPN.exe (PID: 3280)
      • ASCInit.exe (PID: 2472)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 2204)
      • cmd.exe (PID: 3252)
      • cmd.exe (PID: 1344)
      • cmd.exe (PID: 3720)
      • cmd.exe (PID: 3008)
      • cmd.exe (PID: 2396)
      • cmd.exe (PID: 1416)
      • cmd.exe (PID: 3728)
      • cmd.exe (PID: 3676)
      • cmd.exe (PID: 2756)
      • cmd.exe (PID: 3040)
      • cmd.exe (PID: 2496)
      • cmd.exe (PID: 3064)
    • Application launched itself

      • ugin.exe (PID: 2576)
      • RealTimeProtector.exe (PID: 3008)
    • Process uses IPCONFIG to clear DNS cache

      • cmd.exe (PID: 844)
    • Checks for external IP

      • itopbfp23.exe (PID: 2028)
      • UninstallInfo.exe (PID: 536)
      • unpr.exe (PID: 2548)
    • Connects to unusual port

      • iTopVPN.exe (PID: 3280)
    • Writes to the desktop.ini file (may be used to cloak folders)

      • ASCInit.exe (PID: 2472)
  • INFO

    • Drops the executable file immediately after the start

      • iexplore.exe (PID: 3124)
      • iexplore.exe (PID: 3484)
    • Application launched itself

      • iexplore.exe (PID: 3484)
    • Reads the computer name

      • wmpnscfg.exe (PID: 4000)
      • iobituninstaller.tmp (PID: 2068)
      • iobituninstaller.tmp (PID: 908)
      • Setup.exe (PID: 1808)
      • iobituninstaller.tmp (PID: 2088)
      • iushrun.exe (PID: 1276)
      • iush.exe (PID: 1904)
      • IUService.exe (PID: 1936)
      • CrRestore.exe (PID: 2080)
      • UninstallPromote.exe (PID: 3780)
      • IObitUninstaler.exe (PID: 2540)
      • DSPut.exe (PID: 328)
      • UninstallMonitor.exe (PID: 2096)
      • AUpdate.exe (PID: 2964)
      • AutoUpdate.exe (PID: 3348)
      • iush.exe (PID: 3064)
      • IObitDownloader.exe (PID: 3320)
      • UninstallMonitor.exe (PID: 2548)
      • Un_A.exe (PID: 3748)
      • uninstall.exe (PID: 3916)
      • ugin.exe (PID: 4048)
      • iTopSetup.exe.tmp (PID: 4028)
      • iTop Data Recovery_Setup_IU.tmp (PID: 3708)
      • ugin.exe (PID: 1528)
      • ugin.exe (PID: 1628)
      • iTopVPN.exe (PID: 1728)
      • ugin.exe (PID: 2576)
      • ugin.exe (PID: 1116)
      • IdrInit.exe (PID: 2544)
      • iTopInsur.exe (PID: 3800)
      • UninstallInfo.exe (PID: 536)
      • iTopInsur.exe (PID: 2624)
      • IDRService.exe (PID: 2056)
      • iTopDataRecovery.exe (PID: 3204)
      • Autoupdate.exe (PID: 3276)
      • AUpdate.exe (PID: 1812)
      • ugin.exe (PID: 644)
      • unpr.exe (PID: 2548)
      • iTopVPN.exe (PID: 3280)
      • ugin.exe (PID: 3896)
      • AUpdate.exe (PID: 1944)
      • aud.exe (PID: 1752)
      • atud.exe (PID: 3700)
      • aud.exe (PID: 908)
      • iTopVPNMini.exe (PID: 2308)
      • Newfts.exe (PID: 3008)
      • itopbfp23.exe (PID: 2028)
      • iTopVPN.exe (PID: 2620)
      • itopbfp23.exe (PID: 3784)
      • ASCSetup.exe.tmp (PID: 1416)
      • ASCUpgrade.exe (PID: 3736)
      • ASCUpgrade.exe (PID: 2364)
      • ASCService.exe (PID: 1808)
      • smBootTimebase.exe (PID: 2936)
      • ASCInit.exe (PID: 2472)
    • Checks supported languages

      • wmpnscfg.exe (PID: 4000)
      • iobituninstaller.exe (PID: 3716)
      • iobituninstaller.tmp (PID: 908)
      • iobituninstaller.exe (PID: 1756)
      • iobituninstaller.tmp (PID: 2068)
      • iobituninstaller.exe (PID: 1840)
      • Setup.exe (PID: 1808)
      • iobituninstaller.tmp (PID: 2088)
      • iushrun.exe (PID: 1276)
      • iush.exe (PID: 1904)
      • IUService.exe (PID: 1936)
      • DSPut.exe (PID: 328)
      • CrRestore.exe (PID: 2080)
      • UninstallPromote.exe (PID: 3780)
      • IObitUninstaler.exe (PID: 2540)
      • UninstallMonitor.exe (PID: 2096)
      • AUpdate.exe (PID: 2964)
      • AutoUpdate.exe (PID: 3348)
      • UninstallMonitor.exe (PID: 2548)
      • iush.exe (PID: 3064)
      • IObitDownloader.exe (PID: 3320)
      • Un_A.exe (PID: 3748)
      • uninstall.exe (PID: 3916)
      • ugin.exe (PID: 4048)
      • ugin.exe (PID: 1628)
      • iTopSetup.exe.exe (PID: 3132)
      • iTopSetup.exe.tmp (PID: 4028)
      • iTop Data Recovery_Setup_IU.tmp (PID: 3708)
      • ugin.exe (PID: 1528)
      • ullc.exe (PID: 1184)
      • ugin.exe (PID: 2576)
      • iTop Data Recovery_Setup_IU.exe (PID: 600)
      • iTopVPN.exe (PID: 1728)
      • icop32.exe (PID: 2332)
      • ugin.exe (PID: 1116)
      • LocalLang.exe (PID: 2300)
      • iTopInsur.exe (PID: 2624)
      • IdrInit.exe (PID: 2544)
      • iTopInsur.exe (PID: 3800)
      • UninstallInfo.exe (PID: 536)
      • ICONPIN32.exe (PID: 1032)
      • IDRService.exe (PID: 2056)
      • iTopDataRecovery.exe (PID: 3204)
      • Autoupdate.exe (PID: 3276)
      • AUpdate.exe (PID: 1812)
      • AUpdate.exe (PID: 1944)
      • unpr.exe (PID: 2548)
      • ugin.exe (PID: 3896)
      • iTopVPN.exe (PID: 3280)
      • ugin.exe (PID: 644)
      • aud.exe (PID: 1752)
      • aud.exe (PID: 908)
      • iTopVPNMini.exe (PID: 2308)
      • atud.exe (PID: 3700)
      • Newfts.exe (PID: 3008)
      • itopbfp23.exe (PID: 2028)
      • iTopVPN.exe (PID: 2620)
      • itopbfp23.exe (PID: 3784)
      • ASCSetup.exe.exe (PID: 1088)
      • ASCUpgrade.exe (PID: 3736)
      • ASCUpgrade.exe (PID: 2364)
      • ASCSetup.exe.tmp (PID: 1416)
      • ASCInit.exe (PID: 2472)
      • ASCService.exe (PID: 1808)
      • smBootTimebase.exe (PID: 2936)
      • LocalLang.exe (PID: 2500)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 4000)
    • Reads the Internet Settings

      • explorer.exe (PID: 1388)
    • Reads the machine GUID from the registry

      • wmpnscfg.exe (PID: 4000)
      • iush.exe (PID: 1904)
      • DSPut.exe (PID: 328)
      • UninstallMonitor.exe (PID: 2096)
      • IObitUninstaler.exe (PID: 2540)
      • AUpdate.exe (PID: 2964)
      • iTopVPN.exe (PID: 1728)
      • ugin.exe (PID: 2576)
      • icop32.exe (PID: 2332)
      • ICONPIN32.exe (PID: 1032)
      • AUpdate.exe (PID: 1812)
      • unpr.exe (PID: 2548)
      • AUpdate.exe (PID: 1944)
      • iTopVPN.exe (PID: 3280)
      • aud.exe (PID: 1752)
      • aud.exe (PID: 908)
      • atud.exe (PID: 3700)
      • iTopVPNMini.exe (PID: 2308)
      • Autoupdate.exe (PID: 3276)
      • itopbfp23.exe (PID: 2028)
    • The process uses the downloaded file

      • iexplore.exe (PID: 3484)
    • Creates files in a temporary directory

      • iobituninstaller.exe (PID: 3716)
      • iobituninstaller.exe (PID: 1756)
      • iobituninstaller.tmp (PID: 908)
      • iobituninstaller.exe (PID: 1840)
      • Setup.exe (PID: 1808)
      • iobituninstaller.tmp (PID: 2088)
      • iushrun.exe (PID: 1276)
      • IObitUninstaler.exe (PID: 2540)
      • Un_A.exe (PID: 3748)
      • uninstall.exe (PID: 3916)
      • iTopSetup.exe.exe (PID: 3132)
      • iTopSetup.exe.tmp (PID: 4028)
      • iTop Data Recovery_Setup_IU.exe (PID: 600)
      • iTop Data Recovery_Setup_IU.tmp (PID: 3708)
      • icop32.exe (PID: 2332)
      • explorer.exe (PID: 1388)
      • ICONPIN32.exe (PID: 1032)
      • iTopVPN.exe (PID: 3280)
      • SecEdit.exe (PID: 556)
      • SecEdit.exe (PID: 1828)
      • ASCSetup.exe.exe (PID: 1088)
      • ASCSetup.exe.tmp (PID: 1416)
    • Creates files in the program directory

      • Setup.exe (PID: 1808)
      • iobituninstaller.tmp (PID: 2088)
      • iush.exe (PID: 1904)
      • iushrun.exe (PID: 1276)
      • DSPut.exe (PID: 328)
      • CrRestore.exe (PID: 2080)
      • UninstallPromote.exe (PID: 3780)
      • IObitUninstaler.exe (PID: 2540)
      • AutoUpdate.exe (PID: 3348)
      • IObitDownloader.exe (PID: 3320)
      • iTopSetup.exe.tmp (PID: 4028)
      • ugin.exe (PID: 1528)
      • iTopVPN.exe (PID: 1728)
      • ugin.exe (PID: 2576)
      • iTop Data Recovery_Setup_IU.tmp (PID: 3708)
      • iTopInsur.exe (PID: 2624)
      • UninstallInfo.exe (PID: 536)
      • IDRService.exe (PID: 2056)
      • iTopDataRecovery.exe (PID: 3204)
      • Autoupdate.exe (PID: 3276)
      • AUpdate.exe (PID: 1812)
      • ugin.exe (PID: 3896)
      • unpr.exe (PID: 2548)
      • iTopVPN.exe (PID: 3280)
      • atud.exe (PID: 3700)
      • itopbfp23.exe (PID: 2028)
      • Newfts.exe (PID: 3008)
      • ASCSetup.exe.tmp (PID: 1416)
      • ASCInit.exe (PID: 2472)
      • ASCService.exe (PID: 1808)
      • smBootTimebase.exe (PID: 2936)
    • Creates files or folders in the user directory

      • Setup.exe (PID: 1808)
      • iush.exe (PID: 1904)
      • CrRestore.exe (PID: 2080)
      • UninstallPromote.exe (PID: 3780)
      • IObitUninstaler.exe (PID: 2540)
      • AUpdate.exe (PID: 2964)
      • UninstallMonitor.exe (PID: 2096)
      • AutoUpdate.exe (PID: 3348)
      • IObitDownloader.exe (PID: 3320)
      • ugin.exe (PID: 4048)
      • iTopVPN.exe (PID: 1728)
      • explorer.exe (PID: 1388)
      • iTop Data Recovery_Setup_IU.tmp (PID: 3708)
      • iTopInsur.exe (PID: 2624)
      • Autoupdate.exe (PID: 3276)
      • iTopVPN.exe (PID: 3280)
      • iTopSetup.exe.tmp (PID: 4028)
      • atud.exe (PID: 3700)
      • iTopVPNMini.exe (PID: 2308)
      • ASCSetup.exe.tmp (PID: 1416)
      • ASCInit.exe (PID: 2472)
      • ASCService.exe (PID: 1808)
    • Checks proxy server information

      • DSPut.exe (PID: 328)
      • AUpdate.exe (PID: 2964)
    • Reads Microsoft Office registry keys

      • IObitUninstaler.exe (PID: 2540)
    • Process checks whether UAC notifications are on

      • iTopVPN.exe (PID: 3280)
    • Process checks Internet Explorer phishing filters

      • iTopVPN.exe (PID: 3280)
    • Dropped object may contain TOR URLs

      • ASCSetup.exe.tmp (PID: 1416)
    • Creates a software uninstall entry

      • ASCSetup.exe.tmp (PID: 1416)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
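The signatures above are ANY.RUN's own. The script below is an added example, not part of the report and not ANY.RUN code: it re-derives a few of the SUSPICIOUS entries ("Starts SC.EXE for service management", "Process uses IPCONFIG to clear DNS cache", the secedit export, the silent chained installer) from raw process rows. The rows are constructed from this report's Process information section (PID, command line, image path, parent image name); the rule names, the ATT&CK mapping on the service rule, and the string thresholds are the example's own choices, and the parent field is an image name, as in the report, so attribution is by name only.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    """One row of a sandbox process table: PID, command line, image path, parent image name."""
    pid: int
    cmd: str
    path: str
    parent: str


# Constructed sample: rows copied from the "Process information" table of this report.
SAMPLE = [
    Proc(280, "sc delete iTopDataRecoveryService3", r"C:\Windows\System32\sc.exe", "cmd.exe"),
    Proc(316, "sc start iTopDataRecoveryService4", r"C:\Windows\System32\sc.exe", "cmd.exe"),
    Proc(556, r"secedit /export /cfg C:\Users\admin\AppData\Local\Temp\8798.inf "
              r"/log C:\Users\admin\AppData\Local\Temp\2003.log",
         r"C:\Windows\System32\SecEdit.exe", "iTopVPN.exe"),
    Proc(600, r'"C:\ProgramData\IObit\IObit Uninstaller\Downloader\iTop Data Recovery_Setup_IU.exe" '
              r"/sp- /verysilent /suppressmsgboxes /insur=iu_inw",
         r"C:\ProgramData\IObit\IObit Uninstaller\Downloader\iTop Data Recovery_Setup_IU.exe",
         "IObitDownloader.exe"),
    Proc(756, r'"C:\Program Files\IObit\Advanced SystemCare\RealTimeProtector.exe" /RunCurUs',
         r"C:\Program Files\IObit\Advanced SystemCare\RealTimeProtector.exe", "ASCService.exe"),
    Proc(844, "cmd.exe /c ipconfig /flushdns", r"C:\Windows\System32\cmd.exe", "iTopVPN.exe"),
]

# "sc delete X", "sc.exe start X" or "\"C:\Windows\System32\sc.exe\" create X ..."
SC_VERB = re.compile(r'(?:^|\\|")sc(?:\.exe)?"?\s+(create|delete|start|stop|config)\b', re.I)


def is_service_change(p: Proc) -> bool:
    return p.path.lower().endswith("\\sc.exe") and SC_VERB.search(p.cmd) is not None


def is_policy_export_to_temp(p: Proc) -> bool:
    c = p.cmd.lower()
    return p.path.lower().endswith("\\secedit.exe") and "/export" in c and "\\temp\\" in c


def is_dns_flush(p: Proc) -> bool:
    return p.path.lower().endswith("\\cmd.exe") and "ipconfig /flushdns" in p.cmd.lower()


def is_silent_install_from_programdata(p: Proc) -> bool:
    return "\\programdata\\" in p.path.lower() and "/verysilent" in p.cmd.lower()


# (title, tactic/technique label, predicate); labels are this example's own wording.
RULES = [
    ("Windows service created/modified/started via sc.exe", "T1543.003 / T1569.002", is_service_change),
    ("local security policy exported to a Temp path", "discovery", is_policy_export_to_temp),
    ("DNS resolver cache flushed from cmd.exe", "network reconfiguration", is_dns_flush),
    ("silent chained installer launched from ProgramData", "staging", is_silent_install_from_programdata),
]


def triage(procs):
    """One finding per (process, rule) match: pid, parent image, rule title, tactic label."""
    findings = []
    for p in procs:
        for title, tactic, pred in RULES:
            if pred(p):
                findings.append({"pid": p.pid, "parent": p.parent, "rule": title, "tactic": tactic})
    return findings


def chains(procs):
    """Group flagged PIDs by the parent image that launched them, to see the chain back to the installer."""
    out = defaultdict(list)
    for f in triage(procs):
        out[f["parent"]].append(f["pid"])
    return {parent: sorted(set(pids)) for parent, pids in out.items()}


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"PID {f['pid']:>5}  parent={f['parent']:<22} {f['rule']} [{f['tactic']}]")
    print(chains(SAMPLE))
```

Run stand-alone it prints the five hits from the sample and the parent grouping (cmd.exe for the two sc.exe rows, iTopVPN.exe for secedit and the DNS flush, IObitDownloader.exe for the silent installer). RealTimeProtector.exe matches nothing, which is the point: the rules key on what the process does, not on the vendor. With an export that carries parent PIDs you would walk the tree instead of grouping by name.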
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
200
Monitored processes
132
Malicious processes
34
Suspicious processes
7

Behavior graph

start inject iexplore.exe iexplore.exe wmpnscfg.exe no specs iobituninstaller.exe no specs iobituninstaller.tmp no specs iobituninstaller.exe iobituninstaller.tmp no specs setup.exe iobituninstaller.exe no specs iobituninstaller.tmp no specs iushrun.exe iush.exe regsvr32.exe regsvr32.exe iuservice.exe dsput.exe crrestore.exe no specs uninstallpromote.exe iobituninstaler.exe uninstallmonitor.exe regsvr32.exe aupdate.exe autoupdate.exe iobitdownloader.exe iush.exe uninstallmonitor.exe no specs uninstall.exe no specs un_a.exe no specs itopsetup.exe.exe no specs itopsetup.exe.tmp no specs ugin.exe no specs taskkill.exe no specs ugin.exe no specs itop data recovery_setup_iu.exe no specs itop data recovery_setup_iu.tmp ugin.exe no specs ullc.exe itopvpn.exe ugin.exe cmd.exe no specs sc.exe no specs cmd.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs sc.exe no specs sc.exe no specs icop32.exe ugin.exe no specs locallang.exe itopinsur.exe idrinit.exe itopinsur.exe uninstallinfo.exe cmd.exe no specs sc.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs sc.exe no specs iconpin32.exe cmd.exe no specs sc.exe no specs idrservice.exe explorer.exe itopdatarecovery.exe autoupdate.exe aupdate.exe aupdate.exe ugin.exe no specs unpr.exe itopvpn.exe ugin.exe no specs atud.exe aud.exe aud.exe cmd.exe no specs ipconfig.exe no specs itopvpnmini.exe newfts.exe itopbfp23.exe secedit.exe no specs secedit.exe no specs itopvpn.exe itopbfp23.exe ascsetup.exe.exe no specs ascsetup.exe.tmp no specs ascupgrade.exe no specs ascupgrade.exe locallang.exe no specs ascinit.exe ascservice.exe cmd.exe no specs smboottimebase.exe no specs sc.exe no specs uninstallinfo.exe no specs regsvr32.exe no specs browsercleaner.exe no specs privacyshield.exe no specs smboottime.exe no specs SPPSurrogate no specs setup.exe no specs ppuninstaller.exe no specs 
realtimeprotector.exe no specs diskdefrag.exe no specs realtimeprotector.exe no specs ugin.exe no specs browserprotect.exe no specs asc.exe no specs smboottime.exe no specs monitor.exe no specs realtimeprotector.exe no specs productstat3.exe no specs productstat3.exe no specs ascfeature.exe no specs asctray.exe no specs ascfeature.exe no specs autoupdate.exe no specs ascver.exe no specs smboottime.exe no specs ugin.exe no specs productstat3.exe no specs display.exe no specs wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
280
CMD:
sc delete iTopDataRecoveryService3
Path:
C:\Windows\System32\sc.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
1060
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
316
CMD:
sc start iTopDataRecoveryService4
Path:
C:\Windows\System32\sc.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
328
CMD:
"C:\Program Files\IObit\IObit Uninstaller\DSPut.exe" /Now /update /W3sidmVyc2lvbiI6IjAuMC4wLjAiLCJzaG93IjowLCJjbGljayI6MCwibGFzdCI6MH1d
Path:
C:\Program Files\IObit\IObit Uninstaller\DSPut.exe
Parent process:
iush.exe
User:
admin
Company:
IObit
Integrity Level:
HIGH
Description:
Data Statistics Program
Exit code:
0
Version:
13.0.0.1
Modules
Images
c:\program files\iobit\iobit uninstaller\dsput.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\iobit\iobit uninstaller\rtl120.bpl
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID:
536
CMD:
"C:\Program Files\iTop Data Recovery\UninstallInfo.exe" /install idr4
Path:
C:\Program Files\iTop Data Recovery\UninstallInfo.exe
Parent process:
iTop Data Recovery_Setup_IU.tmp
User:
admin
Company:
iTop Inc.
Integrity Level:
HIGH
Description:
UninstallInfo
Exit code:
0
Version:
1.0.0.349
Modules
Images
c:\program files\itop data recovery\uninstallinfo.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID:
556
CMD:
secedit /export /cfg C:\Users\admin\AppData\Local\Temp\8798.inf /log C:\Users\admin\AppData\Local\Temp\2003.log
Path:
C:\Windows\System32\SecEdit.exe
Parent process:
iTopVPN.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Security Configuration Editor Command Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\secedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\scecli.dll
c:\windows\system32\user32.dll
PID:
600
CMD:
"C:\ProgramData\IObit\IObit Uninstaller\Downloader\iTop Data Recovery_Setup_IU.exe" /sp- /verysilent /suppressmsgboxes /insur=iu_inw
Path:
C:\ProgramData\IObit\IObit Uninstaller\Downloader\iTop Data Recovery_Setup_IU.exe
Parent process:
IObitDownloader.exe
User:
admin
Company:
iTop Inc.
Integrity Level:
HIGH
Description:
iTop Data Recovery
Exit code:
0
Version:
4.1.0.565
Modules
Images
c:\programdata\iobit\iobit uninstaller\downloader\itop data recovery_setup_iu.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID:
644
CMD:
"C:\Program Files\iTop VPN\ugin.exe" /setlan "English"
Path:
C:\Program Files\iTop VPN\ugin.exe
Parent process:
iTopSetup.exe.tmp
User:
admin
Company:
iTop Inc.
Integrity Level:
HIGH
Description:
iTop VPN
Exit code:
0
Version:
5.0.0.4908
Modules
Images
c:\program files\itop vpn\ugin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID:
756
CMD:
"C:\Program Files\IObit\Advanced SystemCare\RealTimeProtector.exe" /RunCurUs
Path:
C:\Program Files\IObit\Advanced SystemCare\RealTimeProtector.exe
Parent process:
ASCService.exe
User:
admin
Company:
IObit
Integrity Level:
HIGH
Description:
Real-time Protector
Exit code:
0
Version:
17.0.0.273
PID:
844
CMD:
cmd.exe /c ipconfig /flushdns
Path:
C:\Windows\System32\cmd.exe
Parent process:
iTopVPN.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID:
908
CMD:
"C:\Users\admin\AppData\Local\Temp\is-4CN35.tmp\iobituninstaller.tmp" /SL5="$A0210,27932468,139264,C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\iobituninstaller.exe" /SPAWNWND=$50238 /NOTIFYWND=$4021E
Path:
C:\Users\admin\AppData\Local\Temp\is-4CN35.tmp\iobituninstaller.tmp
Parent process:
iobituninstaller.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-4cn35.tmp\iobituninstaller.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
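The DSPut.exe command line in the table above (PID 328, "Data Statistics Program", parent iush.exe) ends in a long base64-looking switch. Decoding it yields a small JSON telemetry record, which tells you what the process reports without running it. The script below is an added example, not part of the ANY.RUN report and not IObit's code: it scans a command line for arguments that hide base64 payloads, strips the Windows switch prefix (reading `/W3si…` as `/` plus the payload is this example's interpretation, supported by the remainder decoding to valid JSON), re-adds padding, and returns the decoded text together with the parsed object when it is JSON. The sample command line is copied from the process table; everything else is the example's own.

```python
import base64
import binascii
import json
import re

# Constructed sample: the DSPut.exe command line exactly as printed in this report (PID 328).
DSPUT_CMDLINE = (r'"C:\Program Files\IObit\IObit Uninstaller\DSPut.exe" /Now /update '
                 r"/W3sidmVyc2lvbiI6IjAuMC4wLjAiLCJzaG93IjowLCJjbGljayI6MCwibGFzdCI6MH1d")

# 16+ base64 alphabet chars with optional padding; short words such as "update" never match.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def candidates(arg: str):
    """Yield the parts of one argument that could be a base64 blob: the argument without
    its Windows switch prefix (/W3si... -> W3si...), the value part of key=value or
    key:value forms, and finally the whole argument."""
    stripped = arg.lstrip("/-")
    if stripped != arg:
        yield stripped
    for sep in ("=", ":"):
        if sep in stripped:
            yield stripped.split(sep, 1)[1]
    yield arg


def decode_text(token: str):
    """Base64-decode token (re-adding padding); return it as text only if it is printable UTF-8."""
    if len(token) % 4 == 1:          # no valid base64 string has this length
        return None
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def find_encoded_args(cmdline: str):
    """Return [{'arg', 'decoded', 'json'}] for every whitespace-separated argument that hides
    a base64 payload; 'json' is the parsed object, or None if the text is not JSON."""
    results = []
    for arg in cmdline.split():
        for cand in candidates(arg):
            if not B64_TOKEN.fullmatch(cand):
                continue
            text = decode_text(cand)
            if text is None:
                continue
            try:
                parsed = json.loads(text)
            except json.JSONDecodeError:
                parsed = None
            results.append({"arg": arg, "decoded": text, "json": parsed})
            break                    # first successful reading of this argument wins
    return results


if __name__ == "__main__":
    for hit in find_encoded_args(DSPUT_CMDLINE):
        print(hit["arg"][:24] + "...", "->", hit["decoded"])
```

On the sample line the only hit is the `/W…` switch, which decodes to `[{"version":"0.0.0.0","show":0,"click":0,"last":0}]`: a promotion-statistics record, consistent with the process description in the table. Tokens that merely look like base64 (the service name `iTopDataRecoveryService3`, for instance) are rejected because their decoded bytes are not valid UTF-8, which is the usual false-positive filter for this kind of sweep; raise the minimum length or require JSON if a corpus still produces noise.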
Total events
215 629
Read events
214 591
Write events
877
Delete events
161

Modification events

PID 3416, wmpnscfg.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{CF6B7DA6-DD6D-4944-A393-9639369FCADE}
Operation: delete key
Name: (default)
Value:

PID 3484, iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPDaysSinceLastAutoMigration
Value: 0

PID 3484, iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchHighDateTime
Value: 30847387

PID 3484, iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateHighDateTime
Value: 30847437

PID 3484, iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

PID 3484, iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

PID 3484, iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

PID 3484, iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

PID 3484, iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

PID 3484, iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1
Executable files
720
Suspicious files
311
Text files
1 034
Unknown types
0

Dropped files

PID | Process | Filename | Type

3124 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894 | binary
MD5:1EFEC96242ABF78389A900A490DF2A3D
SHA256:B4BD0C161AB3DA1586DA1B87466677F1D18A27425A0B6004C8C139F9C9BD6B21

3124 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | compressed
MD5:1BFE591A4FE3D91B03CDF26EAACD8F89
SHA256:9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8

3124 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62 | binary
MD5:1737B189D4AA1A2118C1ADE7CE27647F
SHA256:B3F4D3173C820058469834A47F47DA194DA1B2C6565E2AC99C44DF904F366988

3124 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8 | binary
MD5:FF13DDBE63DDAA1D6AF2D009637BD98C
SHA256:2E663929757E5FE764F29577628657C07D35DA944D1FB7A6575744CEC7F1AE4F

3124 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8 | binary
MD5:BA36985A524B3CBFD6697E8A900BFF9C
SHA256:29AFF869EC1BEBFEE85D5F3A0EE6DF976B25720AA2F451FD623DA2BEDF88C0D3

3124 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62 | binary
MD5:F12B83514E07BB842EE76066F857487B
SHA256:247FA0403608CA7B5099F53DA07E8E7BB22558E4386E876930317509DB0A1207

3124 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
MD5:FAFF8C0C8FA33E28365D35200AFE11E0
SHA256:9F73EA14F5003868487BE322592AB40DE8AACAA6DDD584ADB7540C6C7B8E9DDE

3124 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 | binary
MD5:D537584C1272D11FACC570BE776E3D8A
SHA256:69FEC4DD561F2A437024ADF65615537A0EA86EDF4ACF23F9CA51922D44133232

3124 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\mobile[1].css | text
MD5:1D5912AE635B4E841A1274C144A9DACB
SHA256:BCCF05002A9728518248465B643B6F7E5ED1EE42058A9CF2B4F1819AE6328104

3124 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\css3-mediaqueries[1].js | text
MD5:A7E2BAD3D394AE6FC2598B534A1FE9BA
SHA256:5A12A7344931EA52B5BA05528465B784EA92D35A78A569832BB4E2D9D3D0902D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
146
TCP/UDP connections
574
DNS requests
82
Threats
140

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3124
iexplore.exe
GET
200
18.65.41.80:80
http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D
unknown
binary
1.51 Kb
unknown
3124
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D
unknown
binary
471 b
unknown
3124
iexplore.exe
GET
200
18.238.246.206:80
http://ocsp.r2m01.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBShdVEFnSEQ0gG5CBtzM48cPMe9XwQUgbgOY4qJEhjl%2Bjs7UJWf5uWQE4UCEAMpJs%2BO%2FhUI93RIOUqmQvI%3D
unknown
binary
471 b
unknown
3124
iexplore.exe
GET
200
108.138.2.195:80
http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D
unknown
binary
2.02 Kb
unknown
3124
iexplore.exe
GET
200
54.230.153.187:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEjgLnWaIozse2b%2BczaaODg8%3D
unknown
binary
1.39 Kb
unknown
3124
iexplore.exe
GET
200
142.250.181.227:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
unknown
binary
1.41 Kb
unknown
3124
iexplore.exe
GET
200
142.250.181.227:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
unknown
binary
724 b
unknown
3124
iexplore.exe
GET
200
142.250.181.227:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQDmzKJl66ZMrRKtZxoAGQQd
unknown
binary
472 b
unknown
3124
iexplore.exe
GET
200
142.250.181.227:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQChuVoVf7HVAxLxWCb2kXo7
unknown
binary
472 b
unknown
3124
iexplore.exe
GET
200
67.27.235.254:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?822bc3f82f78ba1a
unknown
compressed
4.66 Kb
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1080
svchost.exe
224.0.0.252:5355
unknown
3124
iexplore.exe
52.6.162.138:443
www.iobit.com
AMAZON-AES
US
unknown
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
3124
iexplore.exe
67.27.235.254:80
ctldl.windowsupdate.com
LEVEL3
US
unknown
2588
svchost.exe
239.255.255.250:1900
whitelisted
3124
iexplore.exe
108.138.2.195:80
o.ss2.us
AMAZON-02
US
unknown
3124
iexplore.exe
18.65.41.80:80
ocsp.rootg2.amazontrust.com
AMAZON-02
US
unknown
3124
iexplore.exe
54.230.153.187:80
ocsp.rootca1.amazontrust.com
AMAZON-02
US
unknown
3124
iexplore.exe
18.238.246.206:80
ocsp.r2m01.amazontrust.com
US
unknown

DNS requests

Domain
IP
Reputation
www.iobit.com
  • 52.6.162.138
  • 54.145.102.116
  • 54.159.249.19
whitelisted
ctldl.windowsupdate.com
  • 67.27.235.254
  • 8.241.9.254
  • 67.27.159.254
  • 8.248.139.254
  • 67.27.233.254
whitelisted
o.ss2.us
  • 108.138.2.195
  • 108.138.2.10
  • 108.138.2.107
  • 108.138.2.173
whitelisted
ocsp.rootg2.amazontrust.com
  • 18.65.41.80
whitelisted
ocsp.rootca1.amazontrust.com
  • 54.230.153.187
shared
ocsp.r2m01.amazontrust.com
  • 18.238.246.206
whitelisted
fonts.googleapis.com
  • 172.217.16.202
whitelisted
codes.iobit.com
  • 152.199.20.140
whitelisted
kit.fontawesome.com
  • 172.64.147.188
  • 104.18.40.68
whitelisted
www.googletagmanager.com
  • 172.217.16.136
whitelisted

Threats

PID
Process
Class
Message
1808
Setup.exe
Potentially Bad Traffic
ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1808
Setup.exe
Potentially Bad Traffic
ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1808
Setup.exe
Potentially Bad Traffic
ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1808
Setup.exe
Potentially Bad Traffic
ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1808
Setup.exe
Potentially Bad Traffic
ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1808
Setup.exe
Potentially Bad Traffic
ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1808
Setup.exe
Potentially Bad Traffic
ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1808
Setup.exe
Potentially Bad Traffic
ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1808
Setup.exe
Potentially Bad Traffic
ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1808
Setup.exe
Potentially Bad Traffic
ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
Process
Message
Setup.exe
OpenKeyReadOnly error
Setup.exe
Install un13 : NotInstall
Setup.exe
Result: 1
Setup.exe
NowVer: 13.2.0.3
Setup.exe
LanID=1033
Setup.exe
TFrmWizard.FormCreate
Setup.exe
ALangID=1033
Setup.exe
LanID=1033
Setup.exe
time1
Setup.exe
time3