File name: 2f2739e012ca64ce526f13cdaa2a9c28f8418372

Full analysis: https://app.any.run/tasks/9c3f2b0c-f30b-4074-b393-7296aa017d54
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: June 10, 2025, 09:47:20
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
delphi
inno
installer
evasion
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5: AB952C671EA2AE88B46F70E3491F8709
SHA1: 2F2739E012CA64CE526F13CDAA2A9C28F8418372
SHA256: CCC66207292DCE3646F2F5197CC55503978C928F77A83114FB0457029645606B
SSDEEP: 98304:XMM2uaOvfAK6Zis5aEla0OOaaKcnayckc/7z9vRQh2YEs0mx4MDkkwS2GfG0cDeh:9QYDe61CPwDv3uF0jibjzLQDM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Runs injected code in another process

      • ICONPIN64.exe (PID: 7376)
    • Application was injected by another process

      • explorer.exe (PID: 5492)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe (PID: 7316)
      • ISR_Setup.exe (PID: 6880)
      • ISR_Setup.tmp (PID: 4944)
      • AutoUpdate.exe (PID: 3868)
      • iTopDownloader.exe (PID: 6184)
      • iTopSetup.exe (PID: 3676)
      • iTopSetup.tmp (PID: 5740)
      • ugin.exe (PID: 2600)
      • 2711FDB859001D6EAC0BF0E328A77CC2.exe (PID: 3308)
      • 2711FDB859001D6EAC0BF0E328A77CC2.tmp (PID: 5164)
    • Process requests binary or script from the Internet

      • 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe (PID: 7316)
      • iScrExtDown.exe (PID: 1532)
      • iTopDownloader.exe (PID: 6184)
    • Potential Corporate Privacy Violation

      • 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe (PID: 7316)
      • iScrExtDown.exe (PID: 1532)
      • iTopDownloader.exe (PID: 6184)
    • Reads the Windows owner or organization settings

      • ISR_Setup.tmp (PID: 4944)
      • iTopSetup.tmp (PID: 5740)
    • Reads security settings of Internet Explorer

      • 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe (PID: 7316)
      • ISR_Setup.tmp (PID: 4944)
      • iScrInit.exe (PID: 3968)
      • AutoUpdate.exe (PID: 3868)
      • iScrRec.exe (PID: 7560)
      • iScrInit.exe (PID: 7576)
      • iScrInit.exe (PID: 3180)
      • iTopDownloader.exe (PID: 6184)
      • iTopSetup.tmp (PID: 5740)
    • Process drops legitimate windows executable

      • ISR_Setup.tmp (PID: 4944)
      • iTopSetup.tmp (PID: 5740)
      • 2711FDB859001D6EAC0BF0E328A77CC2.tmp (PID: 5164)
    • Process drops SQLite DLL files

      • ISR_Setup.tmp (PID: 4944)
      • iTopSetup.tmp (PID: 5740)
    • Searches for installed software

      • Gpucheck.exe (PID: 8068)
      • iScrInit.exe (PID: 7576)
      • iScrMagnifier.exe (PID: 4408)
      • iScrGPURecording.exe (PID: 2908)
      • iScrInit.exe (PID: 3968)
      • iScrInit.exe (PID: 5728)
      • iScrExtDown.exe (PID: 1532)
      • AutoUpdate.exe (PID: 3868)
      • iScrInit.exe (PID: 4220)
      • 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe (PID: 7316)
      • iTopDownloader.exe (PID: 6184)
      • iScrRec.exe (PID: 7560)
      • graphics-check.exe (PID: 7912)
      • iScrExtDown.exe (PID: 7248)
      • Gpucheck.exe (PID: 6892)
      • iScrInit.exe (PID: 3180)
      • iScrRecExt.exe (PID: 1812)
      • iScrVoiceCapture.exe (PID: 1072)
      • iScrInit.exe (PID: 4560)
      • iScrFileMover.exe (PID: 7292)
      • iScrFileMover.exe (PID: 2560)
      • Gpifcoll.exe (PID: 3976)
    • The process drops C-runtime libraries

      • ISR_Setup.tmp (PID: 4944)
    • Uses TASKKILL.EXE to kill process

      • ISR_Setup.tmp (PID: 4944)
      • iTopSetup.tmp (PID: 5740)
    • Reads the date of Windows installation

      • iScrRec.exe (PID: 7560)
    • Drops a system driver (possible attempt to evade defenses)

      • iTopSetup.tmp (PID: 5740)
      • ugin.exe (PID: 2600)
    • Stops a currently running service

      • sc.exe (PID: 7988)
      • sc.exe (PID: 7528)
    • Application launched itself

      • ugin.exe (PID: 2600)
      • iTopVPN.exe (PID: 5756)
    • Starts CMD.EXE for command execution

      • ugin.exe (PID: 2600)
      • iTopVPN.exe (PID: 1312)
    • Windows service management via SC.EXE

      • sc.exe (PID: 240)
      • sc.exe (PID: 4944)
      • sc.exe (PID: 968)
      • sc.exe (PID: 2040)
      • sc.exe (PID: 7864)
    • Checks for external IP

      • svchost.exe (PID: 2196)
      • unpr.exe (PID: 7216)
      • iTopVPN.exe (PID: 1312)
    • There is functionality for taking screenshots (YARA)

      • iScrRec.exe (PID: 7560)
    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 5952)
    • Connects to unusual port

      • iTopVPN.exe (PID: 1312)
    • Process uses IPCONFIG to clear DNS cache

      • cmd.exe (PID: 6820)
  • INFO

    • Reads the machine GUID from the registry

      • 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe (PID: 7316)
      • Gpucheck.exe (PID: 8068)
      • iScrInit.exe (PID: 7576)
      • iScrInit.exe (PID: 5728)
      • iScrRec.exe (PID: 7560)
      • AUpdate.exe (PID: 4920)
      • AutoUpdate.exe (PID: 3868)
      • Gpifcoll.exe (PID: 3976)
    • Checks supported languages

      • 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe (PID: 7316)
      • iScrInit.exe (PID: 7408)
      • ISR_Setup.tmp (PID: 4944)
      • ISR_Setup.exe (PID: 6880)
      • iScrInit.exe (PID: 8000)
      • iScrInit.exe (PID: 7268)
      • iScrInit.exe (PID: 2660)
      • iScrInit.exe (PID: 7576)
      • Gpucheck.exe (PID: 8068)
      • LocalLang.exe (PID: 2064)
      • iScrGPURecording.exe (PID: 2908)
      • iScrInit.exe (PID: 3968)
      • iScrMagnifier.exe (PID: 4408)
      • ICONPIN64.exe (PID: 7376)
      • UninstallInfo.exe (PID: 240)
      • iScrInit.exe (PID: 5728)
      • AutoUpdate.exe (PID: 3868)
      • iScrExtDown.exe (PID: 1532)
      • iScrInit.exe (PID: 4220)
      • iScrRec.exe (PID: 7560)
      • iTopDownloader.exe (PID: 6184)
      • AutoUpdate.exe (PID: 4284)
      • iScrExtDown.exe (PID: 7248)
      • Gpucheck.exe (PID: 6892)
      • graphics-check.exe (PID: 7912)
      • iScrRecExt.exe (PID: 1812)
      • iScrInit.exe (PID: 3180)
      • AUpdate.exe (PID: 6404)
      • AUpdate.exe (PID: 4920)
      • iScrInit.exe (PID: 4560)
      • AutoUpdate.exe (PID: 1300)
      • iScrVoiceCapture.exe (PID: 1072)
      • iScrFileMover.exe (PID: 7292)
      • iScrFileMover.exe (PID: 2560)
      • Gpifcoll.exe (PID: 3976)
      • iTopSetup.exe (PID: 3676)
      • iTopSetup.tmp (PID: 5740)
      • ugin.exe (PID: 6592)
    • Reads the computer name

      • 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe (PID: 7316)
      • iScrInit.exe (PID: 7408)
      • ISR_Setup.tmp (PID: 4944)
      • iScrInit.exe (PID: 7268)
      • iScrInit.exe (PID: 2660)
      • iScrInit.exe (PID: 7576)
      • Gpucheck.exe (PID: 8068)
      • iScrMagnifier.exe (PID: 4408)
      • iScrGPURecording.exe (PID: 2908)
      • iScrInit.exe (PID: 3968)
      • UninstallInfo.exe (PID: 240)
      • iScrInit.exe (PID: 5728)
      • iScrExtDown.exe (PID: 1532)
      • AutoUpdate.exe (PID: 3868)
      • iScrInit.exe (PID: 4220)
      • iScrRec.exe (PID: 7560)
      • iTopDownloader.exe (PID: 6184)
      • iScrExtDown.exe (PID: 7248)
      • Gpucheck.exe (PID: 6892)
      • graphics-check.exe (PID: 7912)
      • iScrInit.exe (PID: 8000)
      • iScrRecExt.exe (PID: 1812)
      • iScrInit.exe (PID: 3180)
      • iScrVoiceCapture.exe (PID: 1072)
      • AUpdate.exe (PID: 6404)
      • iScrInit.exe (PID: 4560)
      • iScrFileMover.exe (PID: 7292)
      • Gpifcoll.exe (PID: 3976)
      • iScrFileMover.exe (PID: 2560)
      • iTopSetup.tmp (PID: 5740)
      • ugin.exe (PID: 6592)
    • The sample was compiled with English language support

      • 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe (PID: 7316)
      • ISR_Setup.tmp (PID: 4944)
      • AutoUpdate.exe (PID: 3868)
      • iTopSetup.tmp (PID: 5740)
      • ugin.exe (PID: 2600)
      • 2711FDB859001D6EAC0BF0E328A77CC2.tmp (PID: 5164)
    • Creates files in the program directory

      • 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe (PID: 7316)
      • ISR_Setup.tmp (PID: 4944)
      • LocalLang.exe (PID: 2064)
      • iScrInit.exe (PID: 7576)
      • UninstallInfo.exe (PID: 240)
      • AutoUpdate.exe (PID: 3868)
      • iScrExtDown.exe (PID: 1532)
      • iTopDownloader.exe (PID: 6184)
      • iScrRec.exe (PID: 7560)
      • AUpdate.exe (PID: 6404)
    • Creates files in a temporary directory

      • 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe (PID: 7316)
      • ISR_Setup.tmp (PID: 4944)
      • ISR_Setup.exe (PID: 6880)
      • explorer.exe (PID: 5492)
      • iScrRec.exe (PID: 7560)
      • Gpifcoll.exe (PID: 3976)
      • iTopSetup.exe (PID: 3676)
      • iTopSetup.tmp (PID: 5740)
    • Creates files or folders in the user directory

      • 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe (PID: 7316)
      • Gpucheck.exe (PID: 8068)
      • iScrInit.exe (PID: 7576)
      • ISR_Setup.tmp (PID: 4944)
      • iScrMagnifier.exe (PID: 4408)
      • iScrGPURecording.exe (PID: 2908)
      • explorer.exe (PID: 5492)
      • iScrExtDown.exe (PID: 1532)
      • AutoUpdate.exe (PID: 3868)
      • iScrRec.exe (PID: 7560)
      • Gpucheck.exe (PID: 6892)
      • graphics-check.exe (PID: 7912)
      • iScrVoiceCapture.exe (PID: 1072)
      • iScrFileMover.exe (PID: 2560)
      • iScrFileMover.exe (PID: 7292)
      • Gpifcoll.exe (PID: 3976)
      • iScrRecExt.exe (PID: 1812)
      • ugin.exe (PID: 6592)
    • Process checks computer location settings

      • 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe (PID: 7316)
      • ISR_Setup.tmp (PID: 4944)
      • iScrInit.exe (PID: 7576)
      • iScrInit.exe (PID: 3968)
      • iScrInit.exe (PID: 5728)
      • AutoUpdate.exe (PID: 3868)
      • iScrRec.exe (PID: 7560)
      • iScrInit.exe (PID: 3180)
      • iTopDownloader.exe (PID: 6184)
      • iTopSetup.tmp (PID: 5740)
    • Compiled with Borland Delphi (YARA)

      • 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe (PID: 7316)
      • slui.exe (PID: 7348)
      • ISR_Setup.tmp (PID: 4944)
      • ISR_Setup.exe (PID: 6880)
      • iScrRec.exe (PID: 7560)
      • iScrExtDown.exe (PID: 1532)
      • iScrRecExt.exe (PID: 1812)
    • Detects InnoSetup installer (YARA)

      • ISR_Setup.tmp (PID: 4944)
      • ISR_Setup.exe (PID: 6880)
    • Creates a software uninstall entry

      • ISR_Setup.tmp (PID: 4944)
    • Checks proxy server information

      • slui.exe (PID: 7348)
      • iScrRec.exe (PID: 7560)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 5492)
    • Reads the software policy settings

      • slui.exe (PID: 7348)
      • iScrRec.exe (PID: 7560)
      • AutoUpdate.exe (PID: 3868)
    • Manual execution by a user

      • iTopVPN.exe (PID: 5756)
No Malware configuration.

TRiD

.exe | InstallShield setup (45.2)
.exe | Win32 EXE PECompact compressed (generic) (43.6)
.exe | Win32 Executable (generic) (4.7)
.exe | Win16/32 Executable Delphi generic (2.1)
.exe | Generic Win/DOS Executable (2.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:04:17 05:08:19+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 2899456
InitializedDataSize: 4158464
UninitializedDataSize: -
EntryPoint: 0x2c55b4
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 5.6.0.59
ProductVersionNumber: 5.6.0.59
FileFlagsMask: 0x003f
FileFlags: Pre-release
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: -
FileDescription: iTop Screen Recorder
FileVersion: 5.6.0.59
InternalName: -
LegalCopyright: © iTop Inc. All rights reserved.
LegalTrademarks: iTop Inc.
OriginalFileName: -
ProductName: iTop Screen Recorder
ProductVersion: 5.0.0.0
Comments: -
All screenshots are available in the full report
Total processes: 227
Monitored processes: 97
Malicious processes: 10
Suspicious processes: 5

Behavior graph

(Interactive process graph; available in the full report.)

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 240
CMD: "C:\Program Files\iTop Screen Recorder\UninstallInfo.exe" /install isr5
Path: C:\Program Files\iTop Screen Recorder\UninstallInfo.exe
Parent process: ISR_Setup.tmp
User: admin
Company: iTop Inc.
Integrity Level: HIGH
Description: UninstallInfo
Exit code: 0
Version: 1.0.0.357
Modules
Images
c:\program files\itop screen recorder\uninstallinfo.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 240
CMD: sc delete windivert
Path: C:\Windows\SysWOW64\sc.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 1060
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 496
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 668
CMD: "C:\Program Files (x86)\iTop VPN\aud.exe" /u https://stats.itopvpn.com/active_month.php /a itop6 /p itopf /v 6.5.0.6176 /t 10 /d 7 / /user
Path: C:\Program Files (x86)\iTop VPN\aud.exe
Parent process: iTopVPN.exe
User: admin
Company: iTop Inc.
Integrity Level: HIGH
Description: iTop VPN
Exit code: 0
Version: 6.0.0.5378
Modules
Images
c:\program files (x86)\itop vpn\aud.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 896
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: LocalLang.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 968
CMD: sc start MpsSvc
Path: C:\Windows\SysWOW64\sc.exe
Parent process: iTopVPN.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Service Control Manager Configuration Tool
Exit code: 1056
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1072
CMD: "C:\Program Files\iTop Screen Recorder\iScrVoiceCapture.exe" /hwnd "656172" /speak "" /mic "" /aec "0" /filter "-1" /recordtype "1"
Path: C:\Program Files\iTop Screen Recorder\iScrVoiceCapture.exe
Parent process: iScrRec.exe
User: admin
Company: iTop Inc.
Integrity Level: HIGH
Description: iTop Screen Recorder Voice Capture
Exit code: 0
Version: 5.2.0.35
Modules
Images
c:\program files\itop screen recorder\iscrvoicecapture.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1228
CMD: "C:\Program Files (x86)\iTop VPN\ugin.exe" /InitTop /ver 6.5.0.6176 /install
Path: C:\Program Files (x86)\iTop VPN\ugin.exe
Parent process: iTopSetup.tmp
User: admin
Company: iTop Inc.
Integrity Level: HIGH
Description: iTop VPN
Exit code: 0
Version: 6.0.0.6166
Modules
Images
c:\program files (x86)\itop vpn\ugin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 1244
CMD: ipconfig /flushdns
Path: C:\Windows\SysWOW64\ipconfig.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: IP Configuration Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\ipconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1300
CMD: "C:\Program Files\iTop Screen Recorder\AutoUpdate.exe" /auto /start
Path: C:\Program Files\iTop Screen Recorder\AutoUpdate.exe
Parent process: iScrRec.exe
User: admin
Company: iTop Inc.
Integrity Level: HIGH
Description: iTop Screen Recorder Updater
Exit code: 0
Version: 5.0.0.839
Modules
Images
c:\program files\itop screen recorder\autoupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
Total events: 37 652
Read events: 37 394
Write events: 223
Delete events: 35

Modification events

(PID) Process: (5492) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation: write
Name: CheckSetting
Value: 23004100430042006C006F0062000000000000000000000001000000FFFFFFFFFFFF0000

(PID) Process: (5492) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:00000000000802D2
Operation: write
Name: VirtualDesktop
Value: 1000000030304456BFA0DB55E4278845B426357D5B5F97B3

(PID) Process: (5492) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
Operation: write
Name: TraySearchBoxVisible
Value: 1

(PID) Process: (5492) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
Operation: write
Name: TraySearchBoxVisibleOnAnyMonitor
Value: 1

(PID) Process: (7316) 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\iTop Screen Recorder
Operation: write
Name: aff
Value: 1

(PID) Process: (7316) 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\iTop Screen Recorder
Operation: write
Name: aff_param
Value: a_aid=ptseo_blog1575&chan=israff&data1=israff&data2=israff

(PID) Process: (7316) 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\iTop Screen Recorder
Operation: write
Name: insur
Value: ptseo_blog1575

(PID) Process: (5492) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:0000000000050304
Operation: write
Name: VirtualDesktop
Value: 1000000030304456BFA0DB55E4278845B426357D5B5F97B3

(PID) Process: (5492) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:0000000000050304
Operation: delete key
Name: (default)
Value: -

(PID) Process: (5492) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:00000000000203A6
Operation: write
Name: VirtualDesktop
Value: 1000000030304456BFA0DB55E4278845B426357D5B5F97B3
Executable files: 588
Suspicious files: 77
Text files: 1 839
Unknown types: 61

Dropped files

PID | Process | Filename | Type
7316 | 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe | C:\ProgramData\iTop Screen Recorder\Downloader\ISR_Setup.exe | -
MD5: -
SHA256: -
7316 | 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe | C:\ProgramData\iTop\itoppromotion.ini | text
MD5:F3B25701FE362EC84616A93A45CE9998
SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
7316 | 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe | C:\ProgramData\iTop Screen Recorder\Downloader\dl-info-isrnew.upt | text
MD5:BED818385F838339EA705FD4CEAEE2D5
SHA256:4EE813FD76499327FB6658B5E0630B142166598E8D9240EC733CAA0EF6412440
4944 | ISR_Setup.tmp | C:\Users\admin\AppData\Local\Temp\is-D9J66.tmp\Inno_English.lng | text
MD5:524B7877C76E16D30FD0FE02C2944A28
SHA256:5E11AE4DD2586E690E90B07F9A9FE40843837853DE0A27500DCFDD27945CDE53
7316 | 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe | C:\Users\admin\AppData\Roaming\iTop Screen Recorder\Main.ini | text
MD5:FC9AF3BE206ADA4C02EE4D18D8021374
SHA256:2C88DC7CE8C569C66A63823B0E75CDCE9DE6D93B874E75825D927605293788C0
6880 | ISR_Setup.exe | C:\Users\admin\AppData\Local\Temp\is-FM63H.tmp\ISR_Setup.tmp | executable
MD5:43739A671575987B28A73EDA813D1315
SHA256:C385B622E1410A6FFCDDDDC5C2C6B095261326236F6ED55A154220D8FD1B5C48
7316 | 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe | C:\Users\admin\AppData\Local\Temp\appver-ac.ini | ini
MD5:771CAE47F7DAEB56695DC26B056DBD02
SHA256:5A929179BDBF923B4E063D413D29957913C1E572E8BDEC8FD6B1E3F62B284375
4944 | ISR_Setup.tmp | C:\Users\admin\AppData\Local\Temp\is-D9J66.tmp\CheckDiskInfo.dll | executable
MD5:C95DAE85F733228B21FE3A1160766913
SHA256:5FAD776C61179D101D1DD48BF30221DB1466D9A683D569382C2C04DDDB55C398
7316 | 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe | C:\Users\admin\AppData\Local\Temp\libcrypto-1_1.dll | executable
MD5:E9888362828D6B6F6E13E6CFA5A36419
SHA256:37CC65DA464443F780BA555ED3C86F5F1003CCBE790F85F3A612C62741C9FA92
7316 | 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe | C:\Users\admin\AppData\Local\Temp\Installerupt45818.4079932176.zlb | skn
MD5:A9DBA00591F76FFD53A16E5A8C1DFE6B
SHA256:D75D5005CC919B268F4DFE702F2CFA1BC64BE3BAC44E9F75293C1D9A362E3B02
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 58
TCP/UDP connections: 290
DNS requests: 48
Threats: 62

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
7316 | 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe | GET | - | 2.16.168.122:80 | http://update.itopupdate.com/infofiles/isr/rmd/installer.zlb | unknown | - | - | unknown
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.209.214.100:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
7316 | 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe | GET | 206 | 2.16.168.122:80 | http://update.itopupdate.com/infofiles/isr/rmd/installer.zlb | unknown | - | - | unknown
7316 | 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe | GET | 206 | 2.16.168.122:80 | http://update.itopupdate.com/infofiles/isr/rmd/installer.zlb | unknown | - | - | unknown
7316 | 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe | GET | 206 | 2.16.168.122:80 | http://update.itopupdate.com/infofiles/isr/rmd/installer.zlb | unknown | - | - | unknown
7316 | 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe | GET | 206 | 2.16.168.122:80 | http://update.itopupdate.com/infofiles/isr/rmd/installer.zlb | unknown | - | - | unknown
7316 | 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe | GET | 200 | 2.16.168.122:80 | http://update.itopupdate.com/infofiles/isr/rmd/dl-info.upt | unknown | - | - | unknown
6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
7316 | 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe | GET | - | 2.16.168.120:80 | http://download.itopupdate.com/dl/isr/v5/isr560_20250429.exe | unknown | - | - | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
7708 | RUXIMICS.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 2.19.11.120:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 23.209.214.100:80 | www.microsoft.com | PT. Telekomunikasi Selular | ID | whitelisted
864 | svchost.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
7316 | 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe | 2.16.168.122:80 | update.itopupdate.com | Akamai International B.V. | RU | suspicious
7316 | 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe | 2.16.168.117:443 | update.iobit.com | Akamai International B.V. | RU | whitelisted
864 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.185.110 | whitelisted
crl.microsoft.com | 2.19.11.120, 2.19.11.105 | whitelisted
www.microsoft.com | 23.209.214.100, 2.23.246.101 | whitelisted
update.itopupdate.com | 2.16.168.122, 2.16.168.109, 23.48.23.49, 23.48.23.5 | unknown
update.iobit.com | 2.16.168.117, 2.16.168.109 | whitelisted
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
login.live.com | 20.190.159.128, 20.190.159.64, 40.126.31.67, 20.190.159.2, 20.190.159.73, 40.126.31.1, 40.126.31.128, 40.126.31.0 | whitelisted
ocsp.digicert.com | 2.23.77.188, 184.30.131.245 | whitelisted
stats.reportcpanel.com | 52.1.130.89, 52.204.188.16 | unknown
download.itopupdate.com | 2.16.168.120, 2.16.168.100, 23.48.23.26, 23.48.23.41, 23.48.23.23 | unknown

Threats

PID | Process | Class | Message
7316 | 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) (9 identical alerts)
7316 | 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
No debug info