Malware analysis https://www.iobit.com/index.php Malicious activity

Add for printing

URL:	https://www.iobit.com/index.php
Full analysis:	https://app.any.run/tasks/f279c683-6578-4fec-8f3d-7755b8dd25cb
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	August 05, 2025, 19:26:57
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	delphi inno installer stealer arch-doc cpuz tool arch-scr arch-html antivm psexec susp-lnk
Indicators:
MD5:	363FFB90112C407CE6AFAB48DE808CC0
SHA1:	6AFAF969F927EF88A1FBB8AF73F5215EC5EBF860
SHA256:	C9064EEC8AA9CA21CBE65CE677870D79AD718845655193B347F0DAD7EB854947
SSDEEP:	3:N8DSLgzbbHn:2OLgfbHn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: on
Autoconfirmation of UAC:: off
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Actions looks like stealing of personal data
  - smBootTime.exe (PID: 2112)
  - ASCService.exe (PID: 8100)
  - ASC.exe (PID: 5564)
  - AutoCare.exe (PID: 3048)
- Steals credentials from Web Browsers
  - smBootTime.exe (PID: 2112)
  - ASC.exe (PID: 5564)
  - AutoCare.exe (PID: 3048)
- Registers / Runs the DLL via REGSVR32.EXE
  - ASCInit.exe (PID: 5476)
- Application was injected by another process
  - explorer.exe (PID: 4772)
- Changes the autorun value in the registry
  - ASCInit.exe (PID: 5476)
- Runs injected code in another process
  - ICONPIN64.exe (PID: 7132)
- Scans artifacts that could help determine the target
  - AutoCare.exe (PID: 3048)
- MYDOOM has been detected
  - ASC.exe (PID: 5564)
SUSPICIOUS
- Executable content was dropped or overwritten
  - advanced-systemcare-setup.exe (PID: 4680)
  - advanced-systemcare-setup.tmp (PID: 4916)
  - advanced-systemcare-setup.exe (PID: 7400)
  - advanced-systemcare-setup.exe (PID: 1332)
  - advanced-systemcare-setup.tmp (PID: 1056)
  - ASCInit.exe (PID: 5476)
  - Monitor.exe (PID: 5132)
- Reads security settings of Internet Explorer
  - advanced-systemcare-setup.tmp (PID: 3572)
  - advanced-systemcare-setup.tmp (PID: 4916)
  - advanced-systemcare-setup.tmp (PID: 1056)
  - ASCInit.exe (PID: 5476)
  - AutoUpdate.exe (PID: 8044)
  - Setup.exe (PID: 4188)
  - Monitor.exe (PID: 5132)
  - ASCVER.exe (PID: 2508)
  - ASC.exe (PID: 5564)
  - AutoUpdate.exe (PID: 7820)
  - AppsChecker.exe (PID: 8036)
  - IObitLiveUpdate.exe (PID: 7636)
  - AutoCare.exe (PID: 3048)
- Reads the Windows owner or organization settings
  - advanced-systemcare-setup.tmp (PID: 4916)
  - advanced-systemcare-setup.tmp (PID: 1056)
  - smBootTime.exe (PID: 2112)
  - smBootTime.exe (PID: 3852)
  - smBootTime.exe (PID: 7308)
  - ASC.exe (PID: 5564)
  - smBootTime.exe (PID: 1740)
  - AutoCare.exe (PID: 3048)
- Process drops legitimate windows executable
  - advanced-systemcare-setup.tmp (PID: 1056)
- Drops 7-zip archiver for unpacking
  - advanced-systemcare-setup.tmp (PID: 1056)
- Process drops SQLite DLL files
  - advanced-systemcare-setup.tmp (PID: 1056)
- Drops a system driver (possible attempt to evade defenses)
  - advanced-systemcare-setup.tmp (PID: 1056)
  - Monitor.exe (PID: 5132)
- Executes as Windows Service
  - ASCService.exe (PID: 8100)
- Searches for installed software
  - advanced-systemcare-setup.tmp (PID: 1056)
  - smBootTime.exe (PID: 2112)
  - PrivacyShield.exe (PID: 2592)
  - UninstallInfo.exe (PID: 5460)
  - ASCService.exe (PID: 8100)
  - AutoUpdate.exe (PID: 8044)
  - smBootTime.exe (PID: 3852)
  - smBootTime.exe (PID: 7308)
  - Display.exe (PID: 3956)
  - Setup.exe (PID: 4188)
  - BrowserProtect.exe (PID: 1300)
  - Monitor.exe (PID: 5132)
  - smBootTime.exe (PID: 1740)
  - ASC.exe (PID: 5564)
  - AutoUpdate.exe (PID: 7820)
  - IObitLiveUpdate.exe (PID: 7636)
  - Register.exe (PID: 7280)
  - Reminder.exe (PID: 6220)
  - AutoCare.exe (PID: 3048)
- Starts CMD.EXE for commands execution
  - ASCInit.exe (PID: 5476)
  - AppsChecker.exe (PID: 8036)
- Windows service management via SC.EXE
  - sc.exe (PID: 7440)
  - sc.exe (PID: 6472)
  - sc.exe (PID: 4552)
  - sc.exe (PID: 6648)
  - sc.exe (PID: 6312)
  - sc.exe (PID: 5184)
  - sc.exe (PID: 7700)
- Likely accesses (executes) a file from the Public directory
  - ICONPIN64.exe (PID: 7132)
- Creates/Modifies COM task schedule object
  - regsvr32.exe (PID: 3940)
- Application launched itself
  - RealTimeProtector.exe (PID: 5712)
- Read disk information to detect sandboxing environments
  - Monitor.exe (PID: 5132)
  - AutoCare.exe (PID: 3048)
- Adds/modifies Windows certificates
  - ASCVER.exe (PID: 2508)
- Checks for Java to be installed
  - ASC.exe (PID: 5564)
  - AutoCare.exe (PID: 3048)
- Manipulates environment variables
  - powershell.exe (PID: 8104)
- Starts application with an unusual extension
  - powershell.exe (PID: 8104)
- The process verifies whether the antivirus software is installed
  - ASC.exe (PID: 5564)
- Starts POWERSHELL.EXE for commands execution
  - cmd.exe (PID: 4540)
- Check the default browser
  - ASC.exe (PID: 5564)
- There is functionality for taking screenshot (YARA)
  - ASC.exe (PID: 5564)
  - Monitor.exe (PID: 5132)
- There is functionality for VM detection VirtualBox (YARA)
  - Monitor.exe (PID: 5132)
- Reads Microsoft Outlook installation path
  - ASC.exe (PID: 5564)
- Suspicious use of NETSH.EXE
  - ASC.exe (PID: 5564)
  - AutoCare.exe (PID: 3048)
- PSEXEC has been detected
  - AutoCare.exe (PID: 3048)
- Checks for the .NET to be installed
  - AutoCare.exe (PID: 3048)
- Reads the date of Windows installation
  - AutoCare.exe (PID: 3048)
- Read startup parameters
  - AutoCare.exe (PID: 3048)
- Starts application from unusual location
  - ASC.exe (PID: 5564)
- Reads the history of recent RDP connections
  - AutoCare.exe (PID: 3048)
- Creates file in the systems drive root
  - ASC.exe (PID: 5564)
INFO
- Checks supported languages
  - identity_helper.exe (PID: 7568)
  - advanced-systemcare-setup.exe (PID: 4680)
  - advanced-systemcare-setup.exe (PID: 7400)
  - advanced-systemcare-setup.tmp (PID: 4916)
  - Setup.exe (PID: 4188)
  - advanced-systemcare-setup.tmp (PID: 3572)
  - advanced-systemcare-setup.exe (PID: 1332)
  - advanced-systemcare-setup.tmp (PID: 1056)
  - ASCUpgrade.exe (PID: 700)
  - ASCUpgrade.exe (PID: 2232)
  - ASCInit.exe (PID: 5476)
  - LocalLang.exe (PID: 3740)
  - ASCService.exe (PID: 8100)
  - smBootTimeBase.exe (PID: 1632)
  - smBootTime.exe (PID: 2112)
  - UninstallInfo.exe (PID: 5460)
  - ICONPIN64.exe (PID: 7132)
  - PrivacyShield.exe (PID: 2592)
  - BrowserCleaner.exe (PID: 2108)
  - smBootTime.exe (PID: 3852)
  - AutoUpdate.exe (PID: 8044)
  - smBootTime.exe (PID: 7308)
  - RealTimeProtector.exe (PID: 5712)
  - DiskDefrag.exe (PID: 984)
  - RealTimeProtector.exe (PID: 4160)
  - RealTimeProtector.exe (PID: 4012)
  - Display.exe (PID: 3956)
  - BrowserProtect.exe (PID: 1300)
  - Monitor.exe (PID: 5132)
  - ASC.exe (PID: 5564)
  - smBootTime.exe (PID: 1740)
  - ASCTray.exe (PID: 5928)
  - ProductStat3.exe (PID: 4112)
  - ASCFeature.exe (PID: 5712)
  - ASCVER.exe (PID: 2508)
  - ProductStat3.exe (PID: 5300)
  - ASCFeature.exe (PID: 2228)
  - asrft.exe (PID: 3880)
  - AutoUpdate.exe (PID: 7820)
  - ProductStat3.exe (PID: 3652)
  - ProductStat3.exe (PID: 3768)
  - AppsChecker.exe (PID: 8036)
  - AutoSweep.exe (PID: 1040)
  - chcp.com (PID: 4012)
  - ProductStat3.exe (PID: 6172)
  - AutoCare.exe (PID: 6508)
  - IObitLiveUpdate.exe (PID: 7636)
  - ProductStat3.exe (PID: 2228)
  - Register.exe (PID: 7280)
  - StartupInfo.exe (PID: 7520)
  - sdproxy.exe (PID: 4844)
  - AppsChecker.exe (PID: 4796)
  - MonitorDisk.exe (PID: 7500)
  - AutoCare.exe (PID: 3048)
  - ProductStat3.exe (PID: 5724)
  - Reminder.exe (PID: 6220)
  - ProductStat3.exe (PID: 5744)
  - ProductStat3.exe (PID: 1056)
- Application launched itself
  - msedge.exe (PID: 7008)
  - msedge.exe (PID: 1568)
- Executable content was dropped or overwritten
  - msedge.exe (PID: 7008)
- Reads the computer name
  - advanced-systemcare-setup.tmp (PID: 4916)
  - advanced-systemcare-setup.tmp (PID: 3572)
  - identity_helper.exe (PID: 7568)
  - Setup.exe (PID: 4188)
  - advanced-systemcare-setup.tmp (PID: 1056)
  - ASCUpgrade.exe (PID: 2232)
  - ASCUpgrade.exe (PID: 700)
  - ASCInit.exe (PID: 5476)
  - smBootTimeBase.exe (PID: 1632)
  - smBootTime.exe (PID: 2112)
  - PrivacyShield.exe (PID: 2592)
  - UninstallInfo.exe (PID: 5460)
  - AutoUpdate.exe (PID: 8044)
  - smBootTime.exe (PID: 3852)
  - ASCService.exe (PID: 8100)
  - smBootTime.exe (PID: 7308)
  - RealTimeProtector.exe (PID: 5712)
  - RealTimeProtector.exe (PID: 4160)
  - RealTimeProtector.exe (PID: 4012)
  - BrowserProtect.exe (PID: 1300)
  - ASC.exe (PID: 5564)
  - Monitor.exe (PID: 5132)
  - ProductStat3.exe (PID: 6172)
  - smBootTime.exe (PID: 1740)
  - ASCTray.exe (PID: 5928)
  - ProductStat3.exe (PID: 4112)
  - asrft.exe (PID: 3880)
  - AutoUpdate.exe (PID: 7820)
  - ASCFeature.exe (PID: 2228)
  - ASCVER.exe (PID: 2508)
  - ProductStat3.exe (PID: 3652)
  - ProductStat3.exe (PID: 5724)
  - ProductStat3.exe (PID: 3768)
  - AppsChecker.exe (PID: 8036)
  - AutoCare.exe (PID: 6508)
  - IObitLiveUpdate.exe (PID: 7636)
  - Register.exe (PID: 7280)
  - MonitorDisk.exe (PID: 7500)
  - AutoCare.exe (PID: 3048)
  - Reminder.exe (PID: 6220)
  - ProductStat3.exe (PID: 1056)
  - ProductStat3.exe (PID: 5744)
- The sample compiled with english language support
  - advanced-systemcare-setup.tmp (PID: 4916)
  - advanced-systemcare-setup.tmp (PID: 1056)
  - ASCInit.exe (PID: 5476)
  - Monitor.exe (PID: 5132)
- Process checks computer location settings
  - advanced-systemcare-setup.tmp (PID: 3572)
  - advanced-systemcare-setup.tmp (PID: 4916)
  - advanced-systemcare-setup.tmp (PID: 1056)
  - ASCInit.exe (PID: 5476)
  - Setup.exe (PID: 4188)
  - ASC.exe (PID: 5564)
  - AppsChecker.exe (PID: 8036)
  - IObitLiveUpdate.exe (PID: 7636)
- Reads Environment values
  - identity_helper.exe (PID: 7568)
  - AutoCare.exe (PID: 3048)
- Create files in a temporary directory
  - Setup.exe (PID: 4188)
  - advanced-systemcare-setup.exe (PID: 4680)
  - advanced-systemcare-setup.tmp (PID: 1056)
  - advanced-systemcare-setup.exe (PID: 1332)
  - advanced-systemcare-setup.exe (PID: 7400)
  - advanced-systemcare-setup.tmp (PID: 4916)
  - powershell.exe (PID: 8104)
  - IObitLiveUpdate.exe (PID: 7636)
  - ASC.exe (PID: 5564)
  - sdproxy.exe (PID: 4844)
  - SecEdit.exe (PID: 4312)
  - SecEdit.exe (PID: 7180)
  - AutoCare.exe (PID: 3048)
- Reads the machine GUID from the registry
  - Setup.exe (PID: 4188)
  - smBootTime.exe (PID: 2112)
  - UninstallInfo.exe (PID: 5460)
  - AutoUpdate.exe (PID: 8044)
  - Monitor.exe (PID: 5132)
  - ASC.exe (PID: 5564)
  - smBootTime.exe (PID: 1740)
  - ASCTray.exe (PID: 5928)
  - ASCVER.exe (PID: 2508)
  - asrft.exe (PID: 3880)
  - ASCFeature.exe (PID: 2228)
  - IObitLiveUpdate.exe (PID: 7636)
  - AutoUpdate.exe (PID: 7820)
  - AutoCare.exe (PID: 3048)
- Compiled with Borland Delphi (YARA)
  - Setup.exe (PID: 4188)
  - advanced-systemcare-setup.tmp (PID: 1056)
  - advanced-systemcare-setup.exe (PID: 1332)
  - ASCService.exe (PID: 8100)
  - ASC.exe (PID: 5564)
  - Monitor.exe (PID: 5132)
  - ASCTray.exe (PID: 5928)
- Creates files or folders in the user directory
  - advanced-systemcare-setup.tmp (PID: 4916)
  - Setup.exe (PID: 4188)
  - advanced-systemcare-setup.tmp (PID: 1056)
  - ASCService.exe (PID: 8100)
  - ASCInit.exe (PID: 5476)
  - explorer.exe (PID: 4772)
  - BrowserCleaner.exe (PID: 2108)
  - smBootTime.exe (PID: 2112)
  - Display.exe (PID: 3956)
  - ASC.exe (PID: 5564)
  - ASCTray.exe (PID: 5928)
  - ASCFeature.exe (PID: 5712)
  - UninstallInfo.exe (PID: 5460)
  - AppsChecker.exe (PID: 8036)
- Creates files in the program directory
  - Setup.exe (PID: 4188)
  - advanced-systemcare-setup.tmp (PID: 1056)
  - ASCInit.exe (PID: 5476)
  - smBootTimeBase.exe (PID: 1632)
  - smBootTime.exe (PID: 2112)
  - PrivacyShield.exe (PID: 2592)
  - ASCService.exe (PID: 8100)
  - AutoUpdate.exe (PID: 8044)
  - Display.exe (PID: 3956)
  - BrowserProtect.exe (PID: 1300)
  - ASC.exe (PID: 5564)
  - ProductStat3.exe (PID: 6172)
  - UninstallInfo.exe (PID: 5460)
  - ASCVER.exe (PID: 2508)
  - smBootTime.exe (PID: 3852)
  - AutoUpdate.exe (PID: 7820)
  - AutoSweep.exe (PID: 1040)
  - AutoCare.exe (PID: 6508)
  - IObitLiveUpdate.exe (PID: 7636)
  - StartupInfo.exe (PID: 7520)
  - AutoCare.exe (PID: 3048)
  - AppsChecker.exe (PID: 8036)
- The sample compiled with french language support
  - advanced-systemcare-setup.tmp (PID: 1056)
- Detects InnoSetup installer (YARA)
  - advanced-systemcare-setup.exe (PID: 1332)
  - advanced-systemcare-setup.tmp (PID: 1056)
- The sample compiled with chinese language support
  - advanced-systemcare-setup.tmp (PID: 1056)
- Checks proxy server information
  - slui.exe (PID: 4160)
  - AutoUpdate.exe (PID: 8044)
  - AutoUpdate.exe (PID: 7820)
  - ASC.exe (PID: 5564)
  - AutoCare.exe (PID: 3048)
- Creates a software uninstall entry
  - advanced-systemcare-setup.tmp (PID: 1056)
- Launching a file from a Registry key
  - ASCInit.exe (PID: 5476)
- Reads the software policy settings
  - slui.exe (PID: 4160)
  - powershell.exe (PID: 8104)
  - ASCVER.exe (PID: 2508)
- CPUZ mutex has been found
  - Monitor.exe (PID: 5132)
- Reads security settings of Internet Explorer
  - powershell.exe (PID: 8104)
- Changes the display of characters in the console
  - powershell.exe (PID: 8104)
- Reads Microsoft Office registry keys
  - ASC.exe (PID: 5564)
- Reads mouse settings
  - ASC.exe (PID: 5564)
- Disables trace logs
  - netsh.exe (PID: 3052)
  - netsh.exe (PID: 6840)
  - netsh.exe (PID: 8164)
  - netsh.exe (PID: 7524)
  - AutoCare.exe (PID: 3048)
- Reads the time zone
  - AutoCare.exe (PID: 3048)
- Checks transactions between databases Windows and Oracle
  - AutoCare.exe (PID: 3048)
- Reads Windows Product ID
  - AutoCare.exe (PID: 3048)
- Reads product name
  - AutoCare.exe (PID: 3048)
- Process checks the number of cached credentials
  - AutoCare.exe (PID: 3048)
- Process checks whether UAC notifications are on
  - AutoCare.exe (PID: 3048)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

289

Monitored processes

137

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

516

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --always-read-main-dll --field-trial-handle=7320,i,13478366279488901813,13415001152560791905,262144 --variations-seed-version --mojo-platform-channel-handle=5560 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

700

"C:\Users\admin\AppData\Local\Temp\is-MVE7A.tmp\ASCUpgrade.exe" /upgrade "c:\program files (x86)\iobit\advanced systemcare"

C:\Users\admin\AppData\Local\Temp\is-MVE7A.tmp\ASCUpgrade.exe

—

advanced-systemcare-setup.tmp

User:

admin

Company:

IObit

Integrity Level:

HIGH

Description:

Upgrader

Exit code:

Version:

14.2.0.53

Modules

Images
c:\users\admin\appdata\local\temp\is-mve7a.tmp\ascupgrade.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

984

"C:\Program Files (x86)\IObit\Advanced SystemCare\DiskDefrag.exe" /install

C:\Program Files (x86)\IObit\Advanced SystemCare\DiskDefrag.exe

—

advanced-systemcare-setup.tmp

User:

admin

Company:

IObit

Integrity Level:

HIGH

Description:

Advanced SystemCare Disk Defrag

Exit code:

Version:

1.0.0.11

Modules

Images
c:\program files (x86)\iobit\advanced systemcare\diskdefrag.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll

1040

"C:\Program Files (x86)\IObit\Advanced SystemCare\AutoSweep.exe" /SvcAutoClean

C:\Program Files (x86)\IObit\Advanced SystemCare\AutoSweep.exe

—

ASCService.exe

User:

admin

Company:

IObit

Integrity Level:

HIGH

Description:

Auto Sweep

Exit code:

Version:

16.0.0.82

Modules

Images
c:\program files (x86)\iobit\advanced systemcare\autosweep.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

1056

"C:\Users\admin\AppData\Local\Temp\is-HJA82.tmp\advanced-systemcare-setup.tmp" /SL5="$7025E,58860006,139264,C:\Users\admin\Downloads\advanced-systemcare-setup.exe" /VerySilent /DIR="C:\Program Files (x86)\IObit\Advanced SystemCare\" /UNINSTALL /INSTALLER /NORESTART /TASKS="desktopicon" /CreateTaskbar

C:\Users\admin\AppData\Local\Temp\is-HJA82.tmp\advanced-systemcare-setup.tmp

advanced-systemcare-setup.exe

User:

admin

Integrity Level:

HIGH

Description:

Setup/Uninstall

Exit code:

Version:

51.1052.0.0

Modules

Images
c:\users\admin\appdata\local\temp\is-hja82.tmp\advanced-systemcare-setup.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

1056

"C:\Program Files (x86)\IObit\Advanced SystemCare\ProductStat3.exe" /statcom /stflag 1118 /appid "asc18" /pd "asc" /url "https://stats.iobit.com/usage_v2.php?action=insert" /user 0 /insur "other" /type 1 /pr "iobit" /ver "18.4.0.247"

C:\Program Files (x86)\IObit\Advanced SystemCare\ProductStat3.exe

—

ASC.exe

User:

admin

Company:

IObit

Integrity Level:

HIGH

Description:

IObit stat Component

Exit code:

Version:

3.0.0.6398

Modules

Images
c:\program files (x86)\iobit\advanced systemcare\productstat3.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

1136

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

netsh.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1300

"C:\Program Files (x86)\IObit\Advanced SystemCare\BrowserProtect.exe" /TurnOn

C:\Program Files (x86)\IObit\Advanced SystemCare\BrowserProtect.exe

Setup.exe

User:

admin

Company:

IObit

Integrity Level:

HIGH

Description:

Browser Protector

Exit code:

Version:

18.0.0.280

Modules

Images
c:\program files (x86)\iobit\advanced systemcare\browserprotect.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

1332

"C:\Users\admin\Downloads\advanced-systemcare-setup.exe" /VerySilent /DIR="C:\Program Files (x86)\IObit\Advanced SystemCare\" /UNINSTALL /INSTALLER /NORESTART /TASKS="desktopicon" /CreateTaskbar

C:\Users\admin\Downloads\advanced-systemcare-setup.exe

Setup.exe

User:

admin

Company:

IObit

Integrity Level:

HIGH

Description:

Advanced SystemCare

Exit code:

Version:

18.4.0.247

Modules

Images
c:\users\admin\downloads\advanced-systemcare-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

1472

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --disable-quic --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=6828,i,13478366279488901813,13415001152560791905,262144 --variations-seed-version --mojo-platform-channel-handle=7088 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

531 570

Read events

531 361

Write events

192

Delete events

Modification events


(PID) Process:	(1728) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(1728) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(1728) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(7008) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(7008) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(7008) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\ThirdParty
Operation:	write	Name:	StatusCodes
Value:
(PID) Process:	(7008) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\ThirdParty
Operation:	write	Name:	StatusCodes
Value: 01000000
(PID) Process:	(7008) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(1728) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation:	write	Name:	CompatibilityFlags
Value: 0
(PID) Process:	(1728) iexplore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:	write	Name:	SecuritySafe
Value: 1

Add for printing

Executable files

285

Suspicious files

394

Text files

684

Unknown types

186

Dropped files

PID	Process	Filename		Type
7008	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RF18d3f5.TMP		—
		MD5:—	SHA256:—
7008	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old		—
		MD5:—	SHA256:—
7008	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF18d3f5.TMP		—
		MD5:—	SHA256:—
7008	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old		—
		MD5:—	SHA256:—
7008	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF18d3f5.TMP		—
		MD5:—	SHA256:—
7008	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old		—
		MD5:—	SHA256:—
7008	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF18d414.TMP		—
		MD5:—	SHA256:—
7008	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
7008	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF18d423.TMP		—
		MD5:—	SHA256:—
7008	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

218

DNS requests

150

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
436	svchost.exe	GET	200	2.22.98.7:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	173.223.117.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3000	msedge.exe	GET	200	150.171.28.11:80	http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:jN6OhNplwTT3hDDJc0pfu6ZwLVAZmyI2aYnCUQKdRPo&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	unknown	—	—	whitelisted
5876	SIHClient.exe	GET	200	173.223.117.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
7648	svchost.exe	GET	206	151.101.206.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/bf8090eb-6e5c-4c51-9250-5bf9b46cf160?P1=1754976396&P2=404&P3=2&P4=JEq1ysb71666Wh2%2bWGMViFGChI3x%2bXkHGnc%2bvUf7AmAwI%2by2U1hg6ZTDlh0gXAdddUYLuBBW52Or7bMcVYrEsw%3d%3d	unknown	—	—	whitelisted
7648	svchost.exe	GET	206	151.101.206.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/bf8090eb-6e5c-4c51-9250-5bf9b46cf160?P1=1754976396&P2=404&P3=2&P4=JEq1ysb71666Wh2%2bWGMViFGChI3x%2bXkHGnc%2bvUf7AmAwI%2by2U1hg6ZTDlh0gXAdddUYLuBBW52Or7bMcVYrEsw%3d%3d	unknown	—	—	whitelisted
7008	msedge.exe	GET	200	172.64.149.23:80	http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSdE3gf41WAic8Uh9lF92%2BIJqh5qwQUMuuSmv81lkgvKEBCcCA2kVwXheYCEGIdbQxSAZ47kHkVIIkhHAo%3D	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	96.16.53.133:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5876	SIHClient.exe	GET	200	173.223.117.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7008	msedge.exe	GET	200	172.64.149.23:80	http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVD%2BnGf79Hpedv3mhy6uKMVZkPCQQUDyrLIIcouOxvSK4rVKYpqhekzQwCEA5GibtScxO5s5CqaFARGvg%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5944	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3160	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3000	msedge.exe	150.171.28.11:80	edge.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3000	msedge.exe	54.146.80.149:443	www.iobit.com	AMAZON-AES	US	whitelisted
3000	msedge.exe	52.123.240.21:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3000	msedge.exe	150.171.28.11:443	edge.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3000	msedge.exe	2.16.106.218:443	copilot.microsoft.com	Akamai International B.V.	DE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 13.71.55.58	whitelisted
google.com	142.251.36.46	whitelisted
www.iobit.com	54.146.80.149	whitelisted
edge.microsoft.com	150.171.28.11	whitelisted
config.edge.skype.com	52.123.240.21	whitelisted
copilot.microsoft.com	2.16.106.218	whitelisted
www.bing.com	2.16.106.200	whitelisted
fonts.googleapis.com	142.251.39.106	whitelisted
fonts.gstatic.com	142.251.36.35	whitelisted
www.googletagmanager.com	142.251.39.104	whitelisted

Threats

No threats detected

Add for printing

Process	Message
Setup.exe	********** FLanguageName: English
Setup.exe	GetDownloadPath: 2
Setup.exe	CheckDiskSpace: 1
Setup.exe	CheckDiskSpace: 2
Setup.exe	CheckDiskSpace: 3
Setup.exe	CheckDiskSpace: 4
Setup.exe	CheckDiskSpace: 5
Setup.exe	GetDownloadPath: 3
Setup.exe	CheckDiskSpace: 2
Setup.exe	CheckDiskSpace: 3

General Info

https://www.iobit.com/index.php

363FFB90112C407CE6AFAB48DE808CC0

6AFAF969F927EF88A1FBB8AF73F5215EC5EBF860

C9064EEC8AA9CA21CBE65CE677870D79AD718845655193B347F0DAD7EB854947

3:N8DSLgzbbHn:2OLgfbHn

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

Steals credentials from Web Browsers

Registers / Runs the DLL via REGSVR32.EXE

Application was injected by another process

Changes the autorun value in the registry

Runs injected code in another process

Scans artifacts that could help determine the target

MYDOOM has been detected

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Reads the Windows owner or organization settings

Process drops legitimate windows executable

Drops 7-zip archiver for unpacking

Process drops SQLite DLL files

Drops a system driver (possible attempt to evade defenses)

Executes as Windows Service

Searches for installed software

Starts CMD.EXE for commands execution

Windows service management via SC.EXE

Likely accesses (executes) a file from the Public directory

Creates/Modifies COM task schedule object

Application launched itself

Read disk information to detect sandboxing environments

Adds/modifies Windows certificates

Checks for Java to be installed

Manipulates environment variables

Starts application with an unusual extension

The process verifies whether the antivirus software is installed

Starts POWERSHELL.EXE for commands execution

Check the default browser

There is functionality for taking screenshot (YARA)

There is functionality for VM detection VirtualBox (YARA)

Reads Microsoft Outlook installation path

Suspicious use of NETSH.EXE

PSEXEC has been detected

Checks for the .NET to be installed

Reads the date of Windows installation

Read startup parameters

Starts application from unusual location

Reads the history of recent RDP connections

Creates file in the systems drive root

INFO

Checks supported languages

Application launched itself

Executable content was dropped or overwritten

Reads the computer name

The sample compiled with english language support

Process checks computer location settings

Reads Environment values

Create files in a temporary directory

Reads the machine GUID from the registry

Compiled with Borland Delphi (YARA)

Creates files or folders in the user directory

Creates files in the program directory

The sample compiled with french language support

Detects InnoSetup installer (YARA)

The sample compiled with chinese language support

Checks proxy server information

Creates a software uninstall entry

Launching a file from a Registry key

Reads the software policy settings

CPUZ mutex has been found

Reads security settings of Internet Explorer

Changes the display of characters in the console

Reads Microsoft Office registry keys

Reads mouse settings

Disables trace logs