File name:	advanced-systemcare-setup.exe
Full analysis:	https://app.any.run/tasks/9bda7e1f-5fce-4a86-8f90-34a41658b790
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	August 23, 2024, 23:27:54
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	stealer
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	3B685BF27639F62D06B7370677E50EFF
SHA1:	4B2C198A1747B36F551690009305A5FE3B71BBE6
SHA256:	448A0C53C5DC0DFB69BA17AA5579B85394ED392BA324B300477D81A1916EF989
SSDEEP:	393216:1GEJB1uHQV2aDBxeUkhFLLZT7BMegUxqE06zU2wi45g+GCkMwl6X:nfgHG2a9xeUYMe1xAIAZECHWi

.exe	\|	Win32 Executable (generic) (42.6)
.exe	\|	Win16/32 Executable Delphi generic (19.5)
.exe	\|	Generic Win/DOS Executable (18.9)
.exe	\|	DOS Executable Generic (18.9)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2015:07:16 13:24:20+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	65024
InitializedDataSize:	71168
UninitializedDataSize:	-
EntryPoint:	0x113bc
OSVersion:	5
ImageVersion:	6
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	15.6.0.274
ProductVersionNumber:	15.6.0.274
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	This installation was built with Inno Setup.
CompanyName:	IObit
FileDescription:	Advanced SystemCare
FileVersion:	15.6.0.274
LegalCopyright:	© IObit. All rights reserved.
ProductName:	Advanced SystemCare
ProductVersion:	15.6.0


(PID) Process:	(4552) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000602E4
Operation:	write	Name:	VirtualDesktop
Value: 1000000030304456033BCEE44DE41B4E8AEC331E84F566D2
(PID) Process:	(4692) advanced-systemcare-setup.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(4692) advanced-systemcare-setup.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(4692) advanced-systemcare-setup.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(4692) advanced-systemcare-setup.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(4552) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000503A4
Operation:	write	Name:	VirtualDesktop
Value: 1000000030304456033BCEE44DE41B4E8AEC331E84F566D2
(PID) Process:	(4552) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000008017C
Operation:	write	Name:	VirtualDesktop
Value: 1000000030304456033BCEE44DE41B4E8AEC331E84F566D2
(PID) Process:	(4552) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000008017C
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(4552) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000503A4
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(4552) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000602E4
Operation:	delete key	Name:	(default)
Value:

PID	Process	Filename		Type
4692	advanced-systemcare-setup.tmp	C:\Users\admin\AppData\Local\Temp\Setup Log 2024-08-23 #001.txt		text
		MD5:B6BBC888572EC091B81D966E7FA83A46	SHA256:98020930C6AE27AFD1298018FC39FDB073A97B4013B9B3A1CDFFB7175B26AD53
4552	explorer.exe	C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat		binary
		MD5:E49C56350AEDF784BFE00E444B879672	SHA256:A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E
6616	Setup.exe	C:\Users\admin\AppData\Local\Temp\ZLB2DCF.tmp		binary
		MD5:8FB7288870AE2ACB5CDC3DB5A4062094	SHA256:7C5CF7BC56CFD6C333C503B80BC56CD12E370FF97559C1DA19C176A2E33391D3
4692	advanced-systemcare-setup.tmp	C:\Users\admin\AppData\Local\Temp\is-KORS1.tmp\Installer\Setup.exe		executable
		MD5:53F3C0DD002321F88A7962A683BE94D8	SHA256:2AEC783B0034007FEA160603710FF74BA7C871DBF199DF7B63DE02FEAD5701CC
4692	advanced-systemcare-setup.tmp	C:\Users\admin\AppData\Local\Temp\is-KORS1.tmp\Setup.exe		executable
		MD5:53F3C0DD002321F88A7962A683BE94D8	SHA256:2AEC783B0034007FEA160603710FF74BA7C871DBF199DF7B63DE02FEAD5701CC
6616	Setup.exe	C:\ProgramData\IObit\ASCDownloader\ASCInstaller_Downloader.log		text
		MD5:C217F558C7AF8FA1B6EBE1F63B4E9CF2	SHA256:70316140673AD3C27731DA672CCBFE000BE8E1D294298C9A48BF0B47C4E4550B
4692	advanced-systemcare-setup.tmp	C:\Users\admin\AppData\Local\Temp\is-KORS1.tmp\Installer\Rinside.dat		text
		MD5:3115E02FD135942A8EB97EBFFE751BEB	SHA256:A9161FFE6690069E1267C6FDAD055FC0112144273B66A8BDC59862941279B21B
6616	Setup.exe	C:\ProgramData\IObit\iobitpromotion.ini		text
		MD5:F3B25701FE362EC84616A93A45CE9998	SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
7088	advanced-systemcare-setup.exe	C:\Users\admin\AppData\Local\Temp\is-EC8T0.tmp\advanced-systemcare-setup.tmp		executable
		MD5:4100108C68330E46BB48ACC5089E139F	SHA256:902757DCAB1AB2D599232478E2386B9AE1157E1BC2C677FBE879472863DAE3CD
1488	advanced-systemcare-setup.exe	C:\Users\admin\AppData\Local\Temp\is-A4EJ9.tmp\advanced-systemcare-setup.tmp		executable
		MD5:4100108C68330E46BB48ACC5089E139F	SHA256:902757DCAB1AB2D599232478E2386B9AE1157E1BC2C677FBE879472863DAE3CD

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6616	Setup.exe	GET	206	152.199.20.140:80	http://update.iobit.com/infofiles/installer/asc/installer.zlb	unknown	—	—	whitelisted
6616	Setup.exe	GET	—	152.199.20.140:80	http://update.iobit.com/infofiles/installer/asc/installer.zlb	unknown	—	—	whitelisted
6616	Setup.exe	GET	206	152.199.20.140:80	http://update.iobit.com/infofiles/installer/asc/installer.zlb	unknown	—	—	whitelisted
6616	Setup.exe	GET	200	152.199.20.140:80	http://update.iobit.com/infofiles/ac/appver-ac.upt	unknown	—	—	whitelisted
6616	Setup.exe	GET	206	152.199.20.140:80	http://update.iobit.com/infofiles/installer/asc/installer.zlb	unknown	—	—	whitelisted
6616	Setup.exe	GET	206	152.199.20.140:80	http://update.iobit.com/infofiles/installer/asc/installer.zlb	unknown	—	—	whitelisted
5104	IObitLiveUpdate.exe	GET	206	152.199.20.140:80	http://update.iobit.com/infofiles/iobitliveupdate/update.ept	unknown	—	—	whitelisted
5104	IObitLiveUpdate.exe	GET	206	152.199.20.140:80	http://update.iobit.com/infofiles/iobitliveupdate/update.ept	unknown	—	—	whitelisted
7084	UninstallInfo.exe	GET	200	52.2.4.227:80	http://stats.iobit.com/install.php?operate=1&user=1&app=asc15&ver=15.6.0.274&pr=iobit&system=100&type=1&lang=en-US&geo=1033&insur=other	unknown	—	—	unknown
5104	IObitLiveUpdate.exe	GET	—	152.199.20.140:80	http://update.iobit.com/infofiles/iobitliveupdate/update.ept	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
—	—	239.255.255.250:1900	—	—	—	whitelisted
6616	Setup.exe	152.199.20.140:80	update.iobit.com	EDGECAST	US	unknown
6616	Setup.exe	52.2.70.45:80	ascstats.iobit.com	AMAZON-AES	US	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
7084	UninstallInfo.exe	52.2.4.227:80	stats.iobit.com	AMAZON-AES	US	unknown
5104	IObitLiveUpdate.exe	152.199.20.140:80	update.iobit.com	EDGECAST	US	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 40.127.240.158	whitelisted
google.com	142.250.184.206	whitelisted
update.iobit.com	152.199.20.140	whitelisted
ascstats.iobit.com	52.2.70.45 52.86.31.74 54.174.45.118	whitelisted
stats.iobit.com	52.2.4.227 52.86.185.198 54.198.88.35	unknown

PID	Process	Class	Message
6616	Setup.exe	Potentially Bad Traffic	ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
6616	Setup.exe	Potentially Bad Traffic	ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
6616	Setup.exe	Potentially Bad Traffic	ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
6616	Setup.exe	Potentially Bad Traffic	ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
6616	Setup.exe	Potentially Bad Traffic	ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
6616	Setup.exe	Potentially Bad Traffic	ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)

Process	Message
Setup.exe	C:\Users\admin\AppData\Roaming\IObit\Advanced SystemCare\
Setup.exe	********** FLanguageName: English
Setup.exe	GetDownloadPath: 2
Setup.exe	CheckDiskSpace: 1
Setup.exe	CheckDiskSpace: 2
Setup.exe	CheckDiskSpace: 3
Setup.exe	CheckDiskSpace: 4
Setup.exe	CheckDiskSpace: 5
Setup.exe	GetDownloadPath: 3
Setup.exe	CheckDiskSpace: 2

General Info

advanced-systemcare-setup.exe

3B685BF27639F62D06B7370677E50EFF

4B2C198A1747B36F551690009305A5FE3B71BBE6

448A0C53C5DC0DFB69BA17AA5579B85394ED392BA324B300477D81A1916EF989

393216:1GEJB1uHQV2aDBxeUkhFLLZT7BMegUxqE06zU2wi45g+GCkMwl6X:nfgHG2a9xeUYMe1xAIAZECHWi

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

Steals credentials from Web Browsers

Registers / Runs the DLL via REGSVR32.EXE

Application was injected by another process

Changes the autorun value in the registry

Runs injected code in another process

SUSPICIOUS

Drops the executable file immediately after the start

Executable content was dropped or overwritten

Reads the date of Windows installation

Reads security settings of Internet Explorer

Process drops legitimate windows executable

Reads the Windows owner or organization settings

Process drops SQLite DLL files

Searches for installed software

Drops a system driver (possible attempt to evade defenses)

Application launched itself

Executes as Windows Service

Starts CMD.EXE for commands execution

Likely accesses (executes) a file from the Public directory

Creates/Modifies COM task schedule object

INFO

Checks supported languages

Reads the computer name

Process checks computer location settings

Create files in a temporary directory

Creates files or folders in the user directory

Creates files in the program directory

Creates a software uninstall entry

Reads the machine GUID from the registry

Reads Environment values

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections