File name: 2f2739e012ca64ce526f13cdaa2a9c28f8418372

Full analysis: https://app.any.run/tasks/9c3f2b0c-f30b-4074-b393-7296aa017d54
Verdict: Malicious activity
Threats: loader

A loader is malicious software that infiltrates a device in order to deliver further payloads. It can profile the victim's system and then install other threats such as trojans or stealers. Criminals usually distribute loaders through phishing emails and links, relying on social engineering to get the user to download and run the executable, and loaders employ evasion and persistence techniques to stay undetected.

Reading note for this sample: the file carries iTop Inc. version information (iTop Screen Recorder 5.6.0.59) and the observed chain installs a second product, iTop VPN, alongside the recorder. The only MALICIOUS-class signatures are ICONPIN64.exe injecting code into explorer.exe; the driver drop, service control (sc delete windivert, sc start MpsSvc), netsh use and external-IP checks all come from the iTop VPN components. Read the verdict together with the ANY.RUN disclaimer below when deciding whether this is malware or an aggressive bundled installer.

Analysis date: June 10, 2025, 09:47:20
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
delphi
inno
installer
evasion
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5: AB952C671EA2AE88B46F70E3491F8709
SHA1: 2F2739E012CA64CE526F13CDAA2A9C28F8418372
SHA256: CCC66207292DCE3646F2F5197CC55503978C928F77A83114FB0457029645606B
SSDEEP: 98304:XMM2uaOvfAK6Zis5aEla0OOaaKcnayckc/7z9vRQh2YEs0mx4MDkkwS2GfG0cDeh:9QYDe61CPwDv3uF0jibjzLQDM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Runs injected code in another process

      • ICONPIN64.exe (PID: 7376)
    • Application was injected by another process

      • explorer.exe (PID: 5492)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe (PID: 7316)
      • ISR_Setup.exe (PID: 6880)
      • ISR_Setup.tmp (PID: 4944)
      • AutoUpdate.exe (PID: 3868)
      • iTopDownloader.exe (PID: 6184)
      • iTopSetup.exe (PID: 3676)
      • iTopSetup.tmp (PID: 5740)
      • ugin.exe (PID: 2600)
      • 2711FDB859001D6EAC0BF0E328A77CC2.tmp (PID: 5164)
      • 2711FDB859001D6EAC0BF0E328A77CC2.exe (PID: 3308)
    • Process requests binary or script from the Internet

      • 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe (PID: 7316)
      • iScrExtDown.exe (PID: 1532)
      • iTopDownloader.exe (PID: 6184)
    • Potential Corporate Privacy Violation

      • 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe (PID: 7316)
      • iScrExtDown.exe (PID: 1532)
      • iTopDownloader.exe (PID: 6184)
    • Reads security settings of Internet Explorer

      • 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe (PID: 7316)
      • ISR_Setup.tmp (PID: 4944)
      • iScrInit.exe (PID: 7576)
      • iScrInit.exe (PID: 3968)
      • AutoUpdate.exe (PID: 3868)
      • iScrRec.exe (PID: 7560)
      • iScrInit.exe (PID: 3180)
      • iTopDownloader.exe (PID: 6184)
      • iTopSetup.tmp (PID: 5740)
    • Reads the Windows owner or organization settings

      • ISR_Setup.tmp (PID: 4944)
      • iTopSetup.tmp (PID: 5740)
    • Process drops SQLite DLL files

      • ISR_Setup.tmp (PID: 4944)
      • iTopSetup.tmp (PID: 5740)
    • Process drops legitimate windows executable

      • ISR_Setup.tmp (PID: 4944)
      • iTopSetup.tmp (PID: 5740)
      • 2711FDB859001D6EAC0BF0E328A77CC2.tmp (PID: 5164)
    • Searches for installed software

      • iScrInit.exe (PID: 7576)
      • Gpucheck.exe (PID: 8068)
      • iScrMagnifier.exe (PID: 4408)
      • iScrGPURecording.exe (PID: 2908)
      • iScrInit.exe (PID: 3968)
      • iScrInit.exe (PID: 5728)
      • iScrExtDown.exe (PID: 1532)
      • AutoUpdate.exe (PID: 3868)
      • iScrInit.exe (PID: 4220)
      • iScrRec.exe (PID: 7560)
      • 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe (PID: 7316)
      • iTopDownloader.exe (PID: 6184)
      • Gpucheck.exe (PID: 6892)
      • graphics-check.exe (PID: 7912)
      • iScrExtDown.exe (PID: 7248)
      • iScrRecExt.exe (PID: 1812)
      • iScrVoiceCapture.exe (PID: 1072)
      • iScrInit.exe (PID: 3180)
      • iScrFileMover.exe (PID: 7292)
      • iScrInit.exe (PID: 4560)
      • iScrFileMover.exe (PID: 2560)
      • Gpifcoll.exe (PID: 3976)
    • The process drops C-runtime libraries

      • ISR_Setup.tmp (PID: 4944)
    • Uses TASKKILL.EXE to kill process

      • ISR_Setup.tmp (PID: 4944)
      • iTopSetup.tmp (PID: 5740)
    • Reads the date of Windows installation

      • iScrRec.exe (PID: 7560)
    • Drops a system driver (possible attempt to evade defenses)

      • iTopSetup.tmp (PID: 5740)
      • ugin.exe (PID: 2600)
    • Starts CMD.EXE for commands execution

      • ugin.exe (PID: 2600)
      • iTopVPN.exe (PID: 1312)
    • Stops a currently running service

      • sc.exe (PID: 7988)
      • sc.exe (PID: 7528)
    • Windows service management via SC.EXE

      • sc.exe (PID: 240)
      • sc.exe (PID: 4944)
      • sc.exe (PID: 7864)
      • sc.exe (PID: 2040)
      • sc.exe (PID: 968)
    • Application launched itself

      • ugin.exe (PID: 2600)
      • iTopVPN.exe (PID: 5756)
    • Checks for external IP

      • svchost.exe (PID: 2196)
      • iTopVPN.exe (PID: 1312)
      • unpr.exe (PID: 7216)
    • Process uses IPCONFIG to clear DNS cache

      • cmd.exe (PID: 6820)
    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 5952)
    • There is functionality for taking screenshot (YARA)

      • iScrRec.exe (PID: 7560)
    • Connects to unusual port

      • iTopVPN.exe (PID: 1312)
  • INFO

    • Reads the computer name

      • 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe (PID: 7316)
      • ISR_Setup.tmp (PID: 4944)
      • iScrInit.exe (PID: 7408)
      • iScrInit.exe (PID: 2660)
      • iScrInit.exe (PID: 8000)
      • iScrInit.exe (PID: 7268)
      • iScrInit.exe (PID: 7576)
      • Gpucheck.exe (PID: 8068)
      • iScrMagnifier.exe (PID: 4408)
      • iScrGPURecording.exe (PID: 2908)
      • iScrInit.exe (PID: 3968)
      • UninstallInfo.exe (PID: 240)
      • iScrInit.exe (PID: 5728)
      • iScrExtDown.exe (PID: 1532)
      • AutoUpdate.exe (PID: 3868)
      • iScrInit.exe (PID: 4220)
      • iScrRec.exe (PID: 7560)
      • iTopDownloader.exe (PID: 6184)
      • Gpucheck.exe (PID: 6892)
      • graphics-check.exe (PID: 7912)
      • iScrExtDown.exe (PID: 7248)
      • iScrInit.exe (PID: 3180)
      • iScrVoiceCapture.exe (PID: 1072)
      • AUpdate.exe (PID: 6404)
      • iScrRecExt.exe (PID: 1812)
      • iScrInit.exe (PID: 4560)
      • iScrFileMover.exe (PID: 2560)
      • iScrFileMover.exe (PID: 7292)
      • Gpifcoll.exe (PID: 3976)
      • iTopSetup.tmp (PID: 5740)
      • ugin.exe (PID: 6592)
    • Checks supported languages

      • 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe (PID: 7316)
      • ISR_Setup.exe (PID: 6880)
      • ISR_Setup.tmp (PID: 4944)
      • iScrInit.exe (PID: 7408)
      • iScrInit.exe (PID: 2660)
      • iScrInit.exe (PID: 8000)
      • iScrInit.exe (PID: 7268)
      • iScrInit.exe (PID: 7576)
      • LocalLang.exe (PID: 2064)
      • Gpucheck.exe (PID: 8068)
      • iScrMagnifier.exe (PID: 4408)
      • iScrGPURecording.exe (PID: 2908)
      • iScrInit.exe (PID: 3968)
      • ICONPIN64.exe (PID: 7376)
      • iScrExtDown.exe (PID: 1532)
      • iScrInit.exe (PID: 4220)
      • AutoUpdate.exe (PID: 3868)
      • UninstallInfo.exe (PID: 240)
      • iScrInit.exe (PID: 5728)
      • iScrRec.exe (PID: 7560)
      • iTopDownloader.exe (PID: 6184)
      • Gpucheck.exe (PID: 6892)
      • graphics-check.exe (PID: 7912)
      • iScrExtDown.exe (PID: 7248)
      • AutoUpdate.exe (PID: 4284)
      • iScrVoiceCapture.exe (PID: 1072)
      • AutoUpdate.exe (PID: 1300)
      • iScrInit.exe (PID: 3180)
      • AUpdate.exe (PID: 6404)
      • AUpdate.exe (PID: 4920)
      • iScrRecExt.exe (PID: 1812)
      • iScrInit.exe (PID: 4560)
      • iScrFileMover.exe (PID: 7292)
      • iScrFileMover.exe (PID: 2560)
      • Gpifcoll.exe (PID: 3976)
      • iTopSetup.tmp (PID: 5740)
      • iTopSetup.exe (PID: 3676)
      • ugin.exe (PID: 6592)
    • The sample compiled with english language support

      • 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe (PID: 7316)
      • ISR_Setup.tmp (PID: 4944)
      • AutoUpdate.exe (PID: 3868)
      • iTopSetup.tmp (PID: 5740)
      • ugin.exe (PID: 2600)
      • 2711FDB859001D6EAC0BF0E328A77CC2.tmp (PID: 5164)
    • Reads the machine GUID from the registry

      • 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe (PID: 7316)
      • iScrInit.exe (PID: 7576)
      • Gpucheck.exe (PID: 8068)
      • iScrInit.exe (PID: 5728)
      • iScrRec.exe (PID: 7560)
      • AUpdate.exe (PID: 4920)
      • AutoUpdate.exe (PID: 3868)
      • Gpifcoll.exe (PID: 3976)
    • Create files in a temporary directory

      • 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe (PID: 7316)
      • ISR_Setup.exe (PID: 6880)
      • ISR_Setup.tmp (PID: 4944)
      • explorer.exe (PID: 5492)
      • iScrRec.exe (PID: 7560)
      • iTopSetup.exe (PID: 3676)
      • iTopSetup.tmp (PID: 5740)
      • Gpifcoll.exe (PID: 3976)
    • Creates files in the program directory

      • 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe (PID: 7316)
      • ISR_Setup.tmp (PID: 4944)
      • LocalLang.exe (PID: 2064)
      • iScrInit.exe (PID: 7576)
      • UninstallInfo.exe (PID: 240)
      • AutoUpdate.exe (PID: 3868)
      • iScrExtDown.exe (PID: 1532)
      • iTopDownloader.exe (PID: 6184)
      • iScrRec.exe (PID: 7560)
      • AUpdate.exe (PID: 6404)
    • Creates files or folders in the user directory

      • 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe (PID: 7316)
      • ISR_Setup.tmp (PID: 4944)
      • Gpucheck.exe (PID: 8068)
      • iScrInit.exe (PID: 7576)
      • iScrMagnifier.exe (PID: 4408)
      • iScrGPURecording.exe (PID: 2908)
      • explorer.exe (PID: 5492)
      • iScrExtDown.exe (PID: 1532)
      • AutoUpdate.exe (PID: 3868)
      • iScrRec.exe (PID: 7560)
      • Gpucheck.exe (PID: 6892)
      • graphics-check.exe (PID: 7912)
      • iScrVoiceCapture.exe (PID: 1072)
      • iScrFileMover.exe (PID: 7292)
      • iScrFileMover.exe (PID: 2560)
      • Gpifcoll.exe (PID: 3976)
      • iScrRecExt.exe (PID: 1812)
      • ugin.exe (PID: 6592)
    • Compiled with Borland Delphi (YARA)

      • 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe (PID: 7316)
      • ISR_Setup.exe (PID: 6880)
      • ISR_Setup.tmp (PID: 4944)
      • slui.exe (PID: 7348)
      • iScrExtDown.exe (PID: 1532)
      • iScrRec.exe (PID: 7560)
      • iScrRecExt.exe (PID: 1812)
    • Process checks computer location settings

      • 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe (PID: 7316)
      • ISR_Setup.tmp (PID: 4944)
      • iScrInit.exe (PID: 7576)
      • iScrInit.exe (PID: 3968)
      • iScrInit.exe (PID: 5728)
      • AutoUpdate.exe (PID: 3868)
      • iScrRec.exe (PID: 7560)
      • iScrInit.exe (PID: 3180)
      • iTopDownloader.exe (PID: 6184)
      • iTopSetup.tmp (PID: 5740)
    • Detects InnoSetup installer (YARA)

      • ISR_Setup.exe (PID: 6880)
      • ISR_Setup.tmp (PID: 4944)
    • Creates a software uninstall entry

      • ISR_Setup.tmp (PID: 4944)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 5492)
    • Reads the software policy settings

      • slui.exe (PID: 7348)
      • iScrRec.exe (PID: 7560)
      • AutoUpdate.exe (PID: 3868)
    • Checks proxy server information

      • slui.exe (PID: 7348)
      • iScrRec.exe (PID: 7560)
    • Manual execution by a user

      • iTopVPN.exe (PID: 5756)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (45.2)
.exe | Win32 EXE PECompact compressed (generic) (43.6)
.exe | Win32 Executable (generic) (4.7)
.exe | Win16/32 Executable Delphi generic (2.1)
.exe | Generic Win/DOS Executable (2.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:04:17 05:08:19+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 2899456
InitializedDataSize: 4158464
UninitializedDataSize: -
EntryPoint: 0x2c55b4
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 5.6.0.59
ProductVersionNumber: 5.6.0.59
FileFlagsMask: 0x003f
FileFlags: Pre-release
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: -
FileDescription: iTop Screen Recorder
FileVersion: 5.6.0.59
InternalName: -
LegalCopyright: © iTop Inc. All rights reserved.
LegalTrademarks: iTop Inc.
OriginalFileName: -
ProductName: iTop Screen Recorder
ProductVersion: 5.0.0.0
Comments: -
All screenshots are available in the full report
Total processes: 227
Monitored processes: 97
Malicious processes: 10
Suspicious processes: 5

Behavior graph

Process nodes in the behavior graph, in the order the report lists them ("no specs" is the report's marker for a process that triggered no indicators):

start, 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe, isr_setup.exe, isr_setup.tmp, iscrinit.exe (no specs), iscrinit.exe (no specs), iscrinit.exe (no specs), iscrinit.exe (no specs), slui.exe, locallang.exe (no specs), conhost.exe (no specs), iscrinit.exe, gpucheck.exe, iscrmagnifier.exe (no specs), taskkill.exe (no specs), conhost.exe (no specs), iscrgpurecording.exe (no specs), iscrinit.exe (no specs), iconpin64.exe (no specs), conhost.exe (no specs), uninstallinfo.exe, iscrinit.exe, autoupdate.exe, iscrextdown.exe, iscrinit.exe (no specs), iscrrec.exe, itopdownloader.exe, autoupdate.exe (no specs), iscrextdown.exe (no specs), gpucheck.exe (no specs), graphics-check.exe (no specs), iscrrecext.exe (no specs), autoupdate.exe (no specs), iscrinit.exe (no specs), iscrvoicecapture.exe (no specs), aupdate.exe, aupdate.exe, iscrinit.exe (no specs), iscrfilemover.exe (no specs), iscrfilemover.exe (no specs), gpifcoll.exe, itopsetup.exe, itopsetup.tmp, ugin.exe (no specs), iscrpaint.exe (no specs), taskkill.exe (no specs), conhost.exe (no specs), ugin.exe (no specs), ugin.exe (no specs), ullc.exe (no specs), conhost.exe (no specs), itopvpn.exe, ugin.exe, cmd.exe (no specs), conhost.exe (no specs), sc.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), sc.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), sc.exe (no specs), icop64.exe (no specs), conhost.exe (no specs), ugin.exe, ugin.exe (no specs), itopvpn.exe (no specs), unpr.exe, itopvpn.exe, ugin.exe (no specs), svchost.exe, itopvpn.exe, atud.exe, aud.exe, aud.exe, cmd.exe (no specs), conhost.exe (no specs), ipconfig.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), netsh.exe (no specs), 2711fdb859001d6eac0bf0e328a77cc2.exe, 2711fdb859001d6eac0bf0e328a77cc2.tmp, itopvpnmini.exe, secedit.exe (no specs), conhost.exe (no specs), secedit.exe (no specs), conhost.exe (no specs), sc.exe (no specs), conhost.exe (no specs), sc.exe (no specs), conhost.exe (no specs), sc.exe (no specs), conhost.exe (no specs), sc.exe (no specs), conhost.exe (no specs), explorer.exe, 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe (no specs)

Process information

Each entry gives the PID, command line, image path and parent process, followed by the report's per-process details (user, company, integrity level, description, exit code, version, loaded modules).
PID:
240
CMD:
"C:\Program Files\iTop Screen Recorder\UninstallInfo.exe" /install isr5
Path:
C:\Program Files\iTop Screen Recorder\UninstallInfo.exe
Parent process:
ISR_Setup.tmp
User:
admin
Company:
iTop Inc.
Integrity Level:
HIGH
Description:
UninstallInfo
Exit code:
0
Version:
1.0.0.357
Modules
Images
c:\program files\itop screen recorder\uninstallinfo.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID:
240 (PID reused: this sc.exe is a different process from the UninstallInfo.exe entry above, so indicators keyed on "PID 240" alone are ambiguous)
CMD:
sc delete windivert
Path:
C:\Windows\SysWOW64\sc.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
1060 (ERROR_SERVICE_DOES_NOT_EXIST: no windivert service was registered when the delete ran)
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
496
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
668
CMD:
"C:\Program Files (x86)\iTop VPN\aud.exe" /u https://stats.itopvpn.com/active_month.php /a itop6 /p itopf /v 6.5.0.6176 /t 10 /d 7 / /user
Path:
C:\Program Files (x86)\iTop VPN\aud.exe
Parent process:
iTopVPN.exe
User:
admin
Company:
iTop Inc.
Integrity Level:
HIGH
Description:
iTop VPN
Exit code:
0
Version:
6.0.0.5378
Modules
Images
c:\program files (x86)\itop vpn\aud.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID:
896
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
LocalLang.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
968
CMD:
sc start MpsSvc
Path:
C:\Windows\SysWOW64\sc.exe
Parent process:
iTopVPN.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
1056 (ERROR_SERVICE_ALREADY_RUNNING: MpsSvc, the Windows Defender Firewall service, was already up)
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
1072
CMD:
"C:\Program Files\iTop Screen Recorder\iScrVoiceCapture.exe" /hwnd "656172" /speak "" /mic "" /aec "0" /filter "-1" /recordtype "1"
Path:
C:\Program Files\iTop Screen Recorder\iScrVoiceCapture.exe
Parent process:
iScrRec.exe
User:
admin
Company:
iTop Inc.
Integrity Level:
HIGH
Description:
iTop Screen Recorder Voice Capture
Exit code:
0
Version:
5.2.0.35
Modules
Images
c:\program files\itop screen recorder\iscrvoicecapture.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1228
CMD:
"C:\Program Files (x86)\iTop VPN\ugin.exe" /InitTop /ver 6.5.0.6176 /install
Path:
C:\Program Files (x86)\iTop VPN\ugin.exe
Parent process:
iTopSetup.tmp
User:
admin
Company:
iTop Inc.
Integrity Level:
HIGH
Description:
iTop VPN
Exit code:
0
Version:
6.0.0.6166
Modules
Images
c:\program files (x86)\itop vpn\ugin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID:
1244
CMD:
ipconfig /flushdns
Path:
C:\Windows\SysWOW64\ipconfig.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
IP Configuration Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\ipconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
1300
CMD:
"C:\Program Files\iTop Screen Recorder\AutoUpdate.exe" /auto /start
Path:
C:\Program Files\iTop Screen Recorder\AutoUpdate.exe
Parent process:
iScrRec.exe
User:
admin
Company:
iTop Inc.
Integrity Level:
HIGH
Description:
iTop Screen Recorder Updater
Exit code:
0
Version:
5.0.0.839
Modules
Images
c:\program files\itop screen recorder\autoupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
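The process entries above are keyed by PID, and two PIDs (240 and 4944) are handed to different images during the run, so an indicator line such as "sc.exe (PID: 240)" cannot be resolved from the PID alone. The following script, added here as an example and not ANY.RUN code, rebuilds the tree from rows transcribed from this report, flags reused PIDs, resolves indicator lines on (image, PID), and pulls the service names out of the sc.exe command lines. The report names parents by image only, so parent matching by name is an assumption of the example; sc.exe PID 4944 comes from the indicator list, which gives it no parent or command line.

```python
"""Rebuild a sandbox process tree from flattened report rows and flag PID reuse.

Added example for this report; it is not ANY.RUN code. REPORT_PROCS is
transcribed from the "Process information" rows above plus the parent
links they state; sc.exe PID 4944 is from the indicator list, where no
parent or command line is given. The report names parents by image only,
so the tree is keyed by (pid, image) and parents are matched by name
(assumption: within this subset no two distinct parents share an image name).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    parent: Optional[str]  # parent image name as the report gives it; None if not stated
    cmd: str = ""


# Transcribed from the report. PIDs 240 and 4944 each occur twice with
# different images: the sandbox saw the PID handed out again after the
# first process exited.
REPORT_PROCS = [
    Proc(240, "UninstallInfo.exe", "ISR_Setup.tmp",
         '"C:\\Program Files\\iTop Screen Recorder\\UninstallInfo.exe" /install isr5'),
    Proc(4944, "ISR_Setup.tmp", None),
    Proc(1072, "iScrVoiceCapture.exe", "iScrRec.exe",
         '"C:\\Program Files\\iTop Screen Recorder\\iScrVoiceCapture.exe" /hwnd "656172" '
         '/speak "" /mic "" /aec "0" /filter "-1" /recordtype "1"'),
    Proc(1300, "AutoUpdate.exe", "iScrRec.exe",
         '"C:\\Program Files\\iTop Screen Recorder\\AutoUpdate.exe" /auto /start'),
    Proc(1228, "ugin.exe", "iTopSetup.tmp",
         '"C:\\Program Files (x86)\\iTop VPN\\ugin.exe" /InitTop /ver 6.5.0.6176 /install'),
    Proc(668, "aud.exe", "iTopVPN.exe",
         '"C:\\Program Files (x86)\\iTop VPN\\aud.exe" /u https://stats.itopvpn.com/active_month.php '
         '/a itop6 /p itopf /v 6.5.0.6176 /t 10 /d 7 / /user'),
    Proc(240, "sc.exe", "cmd.exe", "sc delete windivert"),
    Proc(4944, "sc.exe", None),
    Proc(968, "sc.exe", "iTopVPN.exe", "sc start MpsSvc"),
    Proc(1244, "ipconfig.exe", "cmd.exe", "ipconfig /flushdns"),
]

INDICATOR_RE = re.compile(r"^(?P<image>\S+) \(PID: (?P<pid>\d+)\)$")
SC_RE = re.compile(r"^sc\s+(?P<verb>\w+)\s+(?P<service>\S+)", re.IGNORECASE)


def find_pid_reuse(procs):
    """PIDs that the report attaches to more than one image, images in first-seen order."""
    images = defaultdict(list)
    for p in procs:
        if p.image not in images[p.pid]:
            images[p.pid].append(p.image)
    return {pid: imgs for pid, imgs in images.items() if len(imgs) > 1}


def resolve_indicator(procs, line):
    """Map an indicator line such as 'sc.exe (PID: 240)' to exactly one process.

    Keying on the PID alone would hand back UninstallInfo.exe for PID 240,
    so both the image name and the PID have to match.
    """
    m = INDICATOR_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised indicator line: {line!r}")
    pid, image = int(m["pid"]), m["image"].lower()
    hits = [p for p in procs if p.pid == pid and p.image.lower() == image]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} processes match {line.strip()}")
    return hits[0]


def children_by_parent(procs):
    """Parent image name -> child processes, in report order."""
    tree = defaultdict(list)
    for p in procs:
        if p.parent:
            tree[p.parent].append(p)
    return tree


def service_actions(procs):
    """(launching parent, verb, service) for every sc.exe command line in the rows."""
    out = []
    for p in procs:
        if p.image.lower() == "sc.exe":
            m = SC_RE.match(p.cmd)
            if m:
                out.append((p.parent, m["verb"].lower(), m["service"]))
    return out


def render_tree(procs, root_image, depth=0, _seen=None):
    """Indented text tree below root_image; the seen-set stops self-launch loops."""
    seen = _seen if _seen is not None else set()
    lines = []
    for child in children_by_parent(procs).get(root_image, []):
        key = (child.pid, child.image)
        if key in seen:
            continue
        seen.add(key)
        label = f"{'  ' * depth}{child.image} (PID {child.pid})"
        lines.append(label + (f": {child.cmd}" if child.cmd else ""))
        lines.extend(render_tree(procs, child.image, depth + 1, seen))
    return lines


if __name__ == "__main__":
    for pid, imgs in find_pid_reuse(REPORT_PROCS).items():
        print(f"PID {pid} reused by: {', '.join(imgs)}")
    print("\n".join(render_tree(REPORT_PROCS, "iTopVPN.exe")))
    print(service_actions(REPORT_PROCS))
```

When feeding a full report into this, the start timestamp (which the export above omits) is the right tiebreaker for reused PIDs; until then, the (image, PID) pair is the minimum needed to attribute an indicator correctly.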
Total events: 37 652
Read events: 37 394
Write events: 223
Delete events: 35

Modification events

PID/Process: (5492) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation: write
Name: CheckSetting
Value: 23004100430042006C006F0062000000000000000000000001000000FFFFFFFFFFFF0000

PID/Process: (5492) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:00000000000802D2
Operation: write
Name: VirtualDesktop
Value: 1000000030304456BFA0DB55E4278845B426357D5B5F97B3

PID/Process: (5492) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
Operation: write
Name: TraySearchBoxVisible
Value: 1

PID/Process: (5492) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search
Operation: write
Name: TraySearchBoxVisibleOnAnyMonitor
Value: 1

PID/Process: (7316) 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\iTop Screen Recorder
Operation: write
Name: aff
Value: 1

PID/Process: (7316) 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\iTop Screen Recorder
Operation: write
Name: aff_param
Value: a_aid=ptseo_blog1575&chan=israff&data1=israff&data2=israff

PID/Process: (7316) 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\iTop Screen Recorder
Operation: write
Name: insur
Value: ptseo_blog1575

PID/Process: (5492) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:0000000000050304
Operation: write
Name: VirtualDesktop
Value: 1000000030304456BFA0DB55E4278845B426357D5B5F97B3

PID/Process: (5492) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:0000000000050304
Operation: delete key
Name: (default)
Value: (none)

PID/Process: (5492) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:00000000000203A6
Operation: write
Name: VirtualDesktop
Value: 1000000030304456BFA0DB55E4278845B426357D5B5F97B3

The explorer.exe writes are ordinary shell session state. The three HKEY_LOCAL_MACHINE writes by PID 7316 store affiliate/campaign identifiers (aff, aff_param=a_aid=ptseo_blog1575&chan=israff..., insur=ptseo_blog1575), i.e. which distribution channel delivered this installer; those values are the most useful pivot in this section for clustering other samples pushed through the same channel.
Executable files: 588
Suspicious files: 77
Text files: 1 839
Unknown types: 61

Dropped files

Columns: PID | Process | Filename | Type

7316 | 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe | C:\ProgramData\iTop Screen Recorder\Downloader\ISR_Setup.exe | (type not recorded)
MD5: (not recorded)
SHA256: (not recorded)

7316 | 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe | C:\Users\admin\AppData\Local\Temp\appver-ac.ini | ini
MD5: 771CAE47F7DAEB56695DC26B056DBD02
SHA256: 5A929179BDBF923B4E063D413D29957913C1E572E8BDEC8FD6B1E3F62B284375

7316 | 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe | C:\Users\admin\AppData\Local\Temp\Installerupt45818.4080009838.ini | text
MD5: ECF7281BCC598FE04BD03398B4554EAF
SHA256: 74576D126B5C2B013231D9AEBA1326B24DB81F561A32EB46044158BBA8A317CC

7316 | 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe | C:\ProgramData\iTop\itoppromotion.ini | text
MD5: F3B25701FE362EC84616A93A45CE9998
SHA256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209

6880 | ISR_Setup.exe | C:\Users\admin\AppData\Local\Temp\is-FM63H.tmp\ISR_Setup.tmp | executable
MD5: 43739A671575987B28A73EDA813D1315
SHA256: C385B622E1410A6FFCDDDDC5C2C6B095261326236F6ED55A154220D8FD1B5C48

4944 | ISR_Setup.tmp | C:\Program Files\iTop Screen Recorder\unins000.exe | executable
MD5: 43739A671575987B28A73EDA813D1315
SHA256: C385B622E1410A6FFCDDDDC5C2C6B095261326236F6ED55A154220D8FD1B5C48

4944 | ISR_Setup.tmp | C:\Users\admin\AppData\Local\Temp\is-D9J66.tmp\CheckDiskInfo.dll | executable
MD5: C95DAE85F733228B21FE3A1160766913
SHA256: 5FAD776C61179D101D1DD48BF30221DB1466D9A683D569382C2C04DDDB55C398

5492 | explorer.exe | C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat | binary
MD5: E49C56350AEDF784BFE00E444B879672
SHA256: A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E

7316 | 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe | C:\ProgramData\iTop Screen Recorder\Downloader\dl-info-isrnew.upt | text
MD5: BED818385F838339EA705FD4CEAEE2D5
SHA256: 4EE813FD76499327FB6658B5E0630B142166598E8D9240EC733CAA0EF6412440

4944 | ISR_Setup.tmp | C:\Program Files\iTop Screen Recorder\is-ED92Q.tmp | executable
MD5: 43739A671575987B28A73EDA813D1315
SHA256: C385B622E1410A6FFCDDDDC5C2C6B095261326236F6ED55A154220D8FD1B5C48

ISR_Setup.tmp (extracted into the is-FM63H.tmp staging directory), unins000.exe and is-ED92Q.tmp share the same MD5/SHA256: Inno Setup writes its own setup program image out as the uninstaller, so identical hashes here are the normal Inno pattern rather than a second payload. The first row, the ISR_Setup.exe that the sample downloaded, has no hash recorded in this excerpt; take it from the full report before pivoting on it.
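Grouping a report's dropped files by hash and recognising Inno Setup's staging paths is the quickest way to separate installer scaffolding from files worth a second look. The script below is an added example, not ANY.RUN code; DROPPED is transcribed from the table above, with empty strings where the report left a cell blank, and the is-XXXXX.tmp pattern is Inno Setup's own naming for its temporary extraction directory and for files it stages before renaming them into place.

```python
"""Group a sandbox report's dropped files by hash and spot Inno Setup staging paths.

Added example for this report; it is not ANY.RUN code. DROPPED is transcribed
from the "Dropped files" table above as (pid, process, path, type, md5, sha256),
with "" where the report left a cell empty. The is-XXXXX.tmp naming is Inno
Setup's convention for its temporary extraction directory and for files it
stages before renaming them into place.
"""
import re
from collections import defaultdict

INNO_STAGING_RE = re.compile(r"\\is-[A-Z0-9]{5}\.tmp(?:\\|$)", re.IGNORECASE)
SAMPLE = "2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe"
INNO_STUB = "C385B622E1410A6FFCDDDDC5C2C6B095261326236F6ED55A154220D8FD1B5C48"

# Transcribed from the report's Dropped files table.
DROPPED = [
    (7316, SAMPLE, r"C:\ProgramData\iTop Screen Recorder\Downloader\ISR_Setup.exe", "", "", ""),
    (7316, SAMPLE, r"C:\Users\admin\AppData\Local\Temp\appver-ac.ini", "ini",
     "771CAE47F7DAEB56695DC26B056DBD02", "5A929179BDBF923B4E063D413D29957913C1E572E8BDEC8FD6B1E3F62B284375"),
    (7316, SAMPLE, r"C:\Users\admin\AppData\Local\Temp\Installerupt45818.4080009838.ini", "text",
     "ECF7281BCC598FE04BD03398B4554EAF", "74576D126B5C2B013231D9AEBA1326B24DB81F561A32EB46044158BBA8A317CC"),
    (7316, SAMPLE, r"C:\ProgramData\iTop\itoppromotion.ini", "text",
     "F3B25701FE362EC84616A93A45CE9998", "B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209"),
    (6880, "ISR_Setup.exe", r"C:\Users\admin\AppData\Local\Temp\is-FM63H.tmp\ISR_Setup.tmp", "executable",
     "43739A671575987B28A73EDA813D1315", INNO_STUB),
    (4944, "ISR_Setup.tmp", r"C:\Program Files\iTop Screen Recorder\unins000.exe", "executable",
     "43739A671575987B28A73EDA813D1315", INNO_STUB),
    (4944, "ISR_Setup.tmp", r"C:\Users\admin\AppData\Local\Temp\is-D9J66.tmp\CheckDiskInfo.dll", "executable",
     "C95DAE85F733228B21FE3A1160766913", "5FAD776C61179D101D1DD48BF30221DB1466D9A683D569382C2C04DDDB55C398"),
    (5492, "explorer.exe", r"C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat", "binary",
     "E49C56350AEDF784BFE00E444B879672", "A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E"),
    (7316, SAMPLE, r"C:\ProgramData\iTop Screen Recorder\Downloader\dl-info-isrnew.upt", "text",
     "BED818385F838339EA705FD4CEAEE2D5", "4EE813FD76499327FB6658B5E0630B142166598E8D9240EC733CAA0EF6412440"),
    (4944, "ISR_Setup.tmp", r"C:\Program Files\iTop Screen Recorder\is-ED92Q.tmp", "executable",
     "43739A671575987B28A73EDA813D1315", INNO_STUB),
]


def duplicate_hashes(dropped):
    """sha256 -> paths, for every hash the report attaches to more than one file."""
    by_hash = defaultdict(list)
    for _pid, _proc, path, _ftype, _md5, sha in dropped:
        if sha:
            by_hash[sha].append(path)
    return {sha: paths for sha, paths in by_hash.items() if len(paths) > 1}


def inno_staging_paths(dropped):
    """Paths that live in, or are themselves, an Inno Setup is-XXXXX.tmp staging object."""
    return [path for _pid, _proc, path, _ftype, _md5, _sha in dropped
            if INNO_STAGING_RE.search(path)]


def unhashed_files(dropped):
    """Dropped files with no hash recorded; pivoting on them needs the file from the full report."""
    return [path for _pid, _proc, path, _ftype, _md5, sha in dropped if not sha]


def unique_executables(dropped):
    """Distinct executable hashes -> first path seen, collapsing Inno's identical stub copies."""
    seen = {}
    for _pid, _proc, path, ftype, _md5, sha in dropped:
        if ftype == "executable" and sha:
            seen.setdefault(sha, path)
    return seen


if __name__ == "__main__":
    for sha, paths in duplicate_hashes(DROPPED).items():
        print(f"{sha[:12]}... written {len(paths)} times: {paths}")
    print("Inno staging:", inno_staging_paths(DROPPED))
    print("No hash recorded:", unhashed_files(DROPPED))
    print("Distinct executables:", len(unique_executables(DROPPED)))
```

On this table the ten rows collapse to two distinct executables (the Inno stub and CheckDiskInfo.dll) plus one downloaded file with no hash, which is the one that still needs to be fetched and hashed.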
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 58
TCP/UDP connections: 290
DNS requests: 48
Threats: 62

HTTP requests

Columns: PID | Process | Method | HTTP code | IP | URL | CN | Reputation ("-" where the report recorded no response code; Type and Size were not recorded for these rows)

7316 | 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe | GET | - | 2.16.168.122:80 | http://update.itopupdate.com/infofiles/isr/rmd/installer.zlb | unknown | unknown
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.209.214.100:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7316 | 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe | GET | 206 | 2.16.168.122:80 | http://update.itopupdate.com/infofiles/isr/rmd/installer.zlb | unknown | unknown (four consecutive identical rows)
6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
7316 | 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe | GET | 200 | 2.16.168.122:80 | http://update.itopupdate.com/infofiles/isr/rmd/dl-info.upt | unknown | unknown
7316 | 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe | GET | - | 2.16.168.120:80 | http://download.itopupdate.com/dl/isr/v5/isr560_20250429.exe | unknown | unknown

The four 206 Partial Content responses show the sample fetching installer.zlb with Range requests, so a proxy log will show several small transfers rather than one download. The stage-two setup, isr560_20250429.exe, is then requested over cleartext HTTP from download.itopupdate.com (this is what raised the ET INFO "PE EXE or DLL Windows file download HTTP" alert in the Threats table). The report does not show whether the downloader checks a signature or hash before executing what it fetched; if it does not, an on-path attacker on that port-80 path could substitute the second stage, so that download is the point to verify when assessing this chain.
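Triage of the HTTP table usually comes down to three questions: which processes pulled executable content over cleartext HTTP, which downloads were chunked with Range requests (the 206 rows), and which payload requests never got a completed transfer logged. The script below is an added example, not ANY.RUN code; ROWS is transcribed from the table above. Since the report exposes neither response bodies nor Content-Type, classifying a URL as a payload by its suffix is an assumption of this example; a network sensor keys on the MZ/PE header in the body instead, which is what the ET INFO alert did here.

```python
"""Triage the HTTP rows of a sandbox report for risky download patterns.

Added example for this report; it is not ANY.RUN code. ROWS is transcribed
from the "HTTP requests" table above as (pid, process, method, response
code or None, server ip:port, url, reputation). The report exposes neither
response bodies nor Content-Type, so classifying a URL as a payload by its
suffix (.exe, .dll, .zlb) is an assumption of this example; a network
sensor would key on the MZ/PE header in the body instead.
"""
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE = "2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe"
ZLB = "http://update.itopupdate.com/infofiles/isr/rmd/installer.zlb"

ROWS = [
    (7316, SAMPLE, "GET", None, "2.16.168.122:80", ZLB, "unknown"),
    (5496, "MoUsoCoreWorker.exe", "GET", 200, "23.209.214.100:80",
     "http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl", "whitelisted"),
    (5496, "MoUsoCoreWorker.exe", "GET", 200, "2.19.11.120:80",
     "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl", "whitelisted"),
] + [
    (7316, SAMPLE, "GET", 206, "2.16.168.122:80", ZLB, "unknown"),
] * 4 + [
    (6544, "svchost.exe", "GET", 200, "2.23.77.188:80",
     "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D",
     "whitelisted"),
    (7316, SAMPLE, "GET", 200, "2.16.168.122:80",
     "http://update.itopupdate.com/infofiles/isr/rmd/dl-info.upt", "unknown"),
    (7316, SAMPLE, "GET", None, "2.16.168.120:80",
     "http://download.itopupdate.com/dl/isr/v5/isr560_20250429.exe", "unknown"),
]

PAYLOAD_SUFFIXES = (".exe", ".dll", ".zlb")  # assumption, see module docstring


def is_payload_url(url):
    """Suffix-based guess that a URL serves executable content (no body is available)."""
    return urlsplit(url).path.lower().endswith(PAYLOAD_SUFFIXES)


def cleartext_payload_downloads(rows):
    """Unique (pid, process, url) for payload-looking URLs fetched over plain http://."""
    seen, out = set(), []
    for pid, proc, _method, _code, _ip, url, _rep in rows:
        if urlsplit(url).scheme == "http" and is_payload_url(url) and (pid, url) not in seen:
            seen.add((pid, url))
            out.append((pid, proc, url))
    return out


def ranged_downloads(rows):
    """URL -> number of 206 Partial Content responses, i.e. Range-based chunked fetches."""
    counts = defaultdict(int)
    for _pid, _proc, _method, code, _ip, url, _rep in rows:
        if code == 206:
            counts[url] += 1
    return dict(counts)


def per_process_iocs(rows):
    """Hosts, URLs and server IPs per process, skipping rows the report itself whitelists."""
    iocs = defaultdict(lambda: {"hosts": set(), "urls": set(), "ips": set()})
    for _pid, proc, _method, _code, ip, url, rep in rows:
        if rep == "whitelisted":
            continue
        iocs[proc]["hosts"].add(urlsplit(url).hostname)
        iocs[proc]["urls"].add(url)
        iocs[proc]["ips"].add(ip.split(":")[0])
    return {proc: {k: sorted(v) for k, v in d.items()} for proc, d in iocs.items()}


def unverified_stage_two(rows):
    """Payload URLs for which no 200/206 was logged: the request is visible but not
    a completed transfer, so the artefact has to come from the dropped-files list
    or the PCAP rather than from this table."""
    completed = {url for _pid, _proc, _m, code, _ip, url, _r in rows if code in (200, 206)}
    return sorted({url for _pid, _proc, _m, _c, _ip, url, _r in rows
                   if is_payload_url(url) and url not in completed})


if __name__ == "__main__":
    print("cleartext payload downloads:", cleartext_payload_downloads(ROWS))
    print("ranged downloads:", ranged_downloads(ROWS))
    print("IOCs:", per_process_iocs(ROWS))
    print("payload requests without a logged transfer:", unverified_stage_two(ROWS))
```

On these rows only the sample process survives the whitelist filter, installer.zlb is the one ranged download, and the stage-two isr560_20250429.exe request has no logged response, which is why the dropped-files table rather than this one is where that file must be recovered from.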

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation ("-" where the report left the cell empty)

4 | System | 192.168.100.255:137 | - | - | - | whitelisted
7708 | RUXIMICS.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
(PID/process cell empty in the report; listed directly under the row above) | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 2.19.11.120:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 23.209.214.100:80 | www.microsoft.com | PT. Telekomunikasi Selular | ID | whitelisted
864 | svchost.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
7316 | 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe | 2.16.168.122:80 | update.itopupdate.com | Akamai International B.V. | RU | suspicious
7316 | 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe | 2.16.168.117:443 | update.iobit.com | Akamai International B.V. | RU | whitelisted
864 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

The ASN and country columns describe the CDN edge the sandbox happened to reach (Akamai for the two itop/iobit hosts, and likewise third-party networks for the Microsoft CRL hosts), not where the operator's infrastructure is, so the RU flag on update.itopupdate.com is not by itself attribution. Note that the sample talks to update.iobit.com over TLS while its update.itopupdate.com traffic stays on port 80.

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.110
whitelisted
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
whitelisted
www.microsoft.com
  • 23.209.214.100
  • 2.23.246.101
whitelisted
update.itopupdate.com
  • 2.16.168.122
  • 2.16.168.109
  • 23.48.23.49
  • 23.48.23.5
unknown
update.iobit.com
  • 2.16.168.117
  • 2.16.168.109
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
login.live.com
  • 20.190.159.128
  • 20.190.159.64
  • 40.126.31.67
  • 20.190.159.2
  • 20.190.159.73
  • 40.126.31.1
  • 40.126.31.128
  • 40.126.31.0
whitelisted
ocsp.digicert.com
  • 2.23.77.188
  • 184.30.131.245
whitelisted
stats.reportcpanel.com
  • 52.1.130.89
  • 52.204.188.16
unknown
download.itopupdate.com
  • 2.16.168.120
  • 2.16.168.100
  • 23.48.23.26
  • 23.48.23.41
  • 23.48.23.23
unknown

Threats

Columns: PID | Process | Class | Message (the report counts 62 alerts in total; only these are listed here)

7316 | 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) (nine identical alerts)
7316 | 2f2739e012ca64ce526f13cdaa2a9c28f8418372.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
No debug info